2009-03-31

All your base64 are belong to us

Base64 Encoding is a MIME content encoding scheme. Its mechanics are described in Wikipedia.


Basically, every 3 bytes (octets) becomes four Base64 Characters. Those 64 Characters are: ALL THE UPPERCASE LETTERS, all the lowercase letters, 0 through 9, + and /. Occasionally, Base64 strings end in one or two = signs. This makes Base64 pretty easy to spot if you're looking for it.

Base64 is very useful, and it has a few cousins (such as uuencoding). Command-line tools for encoding and decoding Base64 exist for almost every platform. Try installing the package named "base64" (OSX: from Darwinports, Linux: apt-get or yum, BSD: pkg_add or use the ports tree) if you don't have it installed already. Also, the leetkey plugin I discussed in the Firefox plugins article can encode and decode Base64 on the fly!

Base64 was originally meant to help transfer binary data across platforms (such as between mail servers on different architectures) without any corruption or data loss. Different platforms handle line-breaks and character encoding differently, but the subset of characters listed above remains consistently the same on all major operating systems.

Since us mortals are generally bad at binary math and array indices, Base64 also gets used to obfuscate things like passwords. Okay, the fact that the algorithm is well known also has a little to do with it. This has been done for a very long time. I first started tinkering with Base64 way back in the day when I was trying to figure out how to "decrypt" passwords that I was seeing with rudimentary network sniffers. Here, you can see HTTP Basic Auth at work. This was a capture from Wireshark.


The Base64 string is "dGVzdDp0ZXN0aW5nMTIz" - Decoding it:
echo -n "dGVzdDp0ZXN0aW5nMTIz" | base64 -d
test:testing123
I used echo -n because it suppresses the newline character. Since Base64 encodes everything, it will even catch the newline. This isn't as important during decoding as it is during encoding. The -d flag simply tells base64 to decode. Encoding is base64's default mode of operation. As you can see, the Base64 string decodes to a username and password separated by a colon. We don't actually have to go through this hassle, though, because Wireshark will decode it right there for you. I simply suppressed that line in the screenshot above.

By the way, even SSL/TLS connections pass HTTP Basic Auth this way, but most SSL sites (and other sites in general) are using vanilla form posts. In reality, this kind of obfuscation is tantamount to plaintext.

Let's look at another ridiculous use of Base64... the ncftp bookmarks file
-bash-3.2$ cat .ncftp/bookmarks
NcFTP bookmark-file version: 8
Number of bookmarks: ??
aix,aix.labs.h-i-r.net,axon,*encoded*
Z3JyQHU=,,,I,21,1238536534,-1,-1,-1,1,192.168.0.56,,,,,,S,-1,
What's that I see? No, that's not my real password anywhere. Although the base64 version wouldn't make a horrible password in its own right. For what it's worth, at least the permissions on that bookmark file are decent, and ncftp doesn't store the password by default unless you tell it to do so.

I suppose it doesn't hurt that Base64 is used like this, but it really amounts to security through obscurity. It shouldn't be relied upon as the only method of protecting sensitive data.
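An added example, not part of the original post: a small audit check that looks for the two storage formats shown above (an HTTP Basic Auth header and an ncftp "*encoded*" bookmark field) and reports what they decode to, which is all it takes to recover the secret. The sample input is constructed from the strings on this page; the function and pattern names are this example's own.

```python
import base64
import binascii
import re

# Contexts from this post in which a credential is only Base64-encoded.
PATTERNS = {
    "http-basic-auth": re.compile(
        r"^Authorization:\s*Basic\s+([A-Za-z0-9+/]+={0,2})\s*$", re.I | re.M),
    # Whitespace is tolerated after the marker because the bookmark
    # appears wrapped onto two lines in the listing above.
    "ncftp-bookmark": re.compile(r"\*encoded\*\s*([A-Za-z0-9+/]+={0,2})"),
}

def find_encoded_secrets(text):
    """Return sorted (line_number, kind, decoded_text) for each hit."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            try:
                raw = base64.b64decode(match.group(1), validate=True)
            except (binascii.Error, ValueError):
                continue  # looked like Base64 but is not valid; skip it
            line_no = text.count("\n", 0, match.start(1)) + 1
            findings.append((line_no, kind, raw.decode("utf-8", "replace")))
    return sorted(findings)

def split_basic(decoded):
    """Split a decoded Basic Auth value at the first colon only,
    since the password itself may contain colons."""
    user, _, password = decoded.partition(":")
    return user, password

# Constructed sample: a request using the Basic Auth string from this
# post, followed by the bookmark entry as it is listed above.
SAMPLE = """GET /private/ HTTP/1.1
Host: www.example.com
Authorization: Basic dGVzdDp0ZXN0aW5nMTIz

aix,aix.labs.h-i-r.net,axon,*encoded*
Z3JyQHU=,,,I,21,1238536534,-1,-1,-1,1,192.168.0.56,,,,,,S,-1,
"""

if __name__ == "__main__":
    for line_no, kind, decoded in find_encoded_secrets(SAMPLE):
        print(f"line {line_no}: {kind}: {decoded!r}")
```

No key, salt or secret is involved at any step, which is why a finding from a check like this should be treated the same as a plaintext password on disk or on the wire.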

One great example of something using Base64 practically is GnuPG, when you use ASCII-armoring for things like sharing your public key or for the output file. GnuPG data is binary, but ASCII-Armoring provides the binary data in Base64 (with a checksum at the end as part of an implementation called Radix-64). This is the kind of situation where Base64 truly shines! The resulting output of GnuPG is a block of encoded data like this (which is my public key, feel free to use it to contact me):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.8 (OpenBSD)
=WF4H
-----END PGP PUBLIC KEY BLOCK-----
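An added example, not from the original post or from GnuPG's code: the Radix-64 framing described above, with the CRC-24 checksum computed using the constants given in RFC 4880 and verified again on decode. The payload is constructed sample bytes rather than a real OpenPGP packet, and the 64-character line width and function names are choices of this example.

```python
import base64

CRC24_INIT = 0xB704CE   # initial value from RFC 4880, section 6.1
CRC24_POLY = 0x1864CFB  # generator polynomial from RFC 4880, section 6.1

def crc24(data):
    """CRC-24 over the raw (pre-Base64) octets."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data, label="PGP MESSAGE"):
    """Wrap bytes in ASCII armor: header line, blank line, Base64 body,
    '=' plus the Base64 of the 3-byte CRC, tail line."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {label}-----", "", *lines,
                      "=" + check, f"-----END {label}-----"])

def dearmor(text):
    """Return the payload bytes, raising ValueError if the armor is
    malformed or the checksum does not match the decoded data."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ")
            and lines[-1].startswith("-----END ")):
        raise ValueError("missing armor header or tail line")
    if "" not in lines:
        raise ValueError("no blank line after armor headers")
    body = lines[lines.index("") + 1:-1]  # skips 'Version:' style headers
    if not body or not body[-1].startswith("="):
        raise ValueError("missing checksum line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    stored = base64.b64decode(body[-1][1:], validate=True)
    if crc24(data) != int.from_bytes(stored, "big"):
        raise ValueError("CRC-24 mismatch")
    return data

if __name__ == "__main__":
    sample = b"constructed sample payload, not a real OpenPGP packet"
    block = armor(sample)
    print(block)
    assert dearmor(block) == sample
```

The checksum only catches accidental corruption in transit; it is not keyed, so it says nothing about who produced the block.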

2009-03-26

Lever Lock Guts

This lock had to be destroyed during replacement because the key was lost. I've already removed some of the levers from this lock. In total, there were 10.


8 of the lever tumblers are configured like this. There are two pieces with teeth to join them together. This way, you can re-key them however you want. There are 7 different positions that are usable in this design. The cut-out on the right side that's surrounded by two sharp points is the slot where the lever lock's gate is supposed to go. Until all of these are lined up perfectly with the gate, the lock will not open. The sharp points are there to make it difficult to pick or impression the lock, because they'll catch on the gate, making you think that you've picked this lever properly when in fact you may not have. It also makes it difficult to maintain tension on the bolt or gate to keep the lever in place while you work on other levers.


Not shown: Between each of the above levers, there's also a thin metal shim. This keeps the levers from rubbing against each other, but also makes picking difficult regardless of bitting patterns.

The remaining two levers are shaped like this. They're not able to be re-keyed, but you can stack them wherever you want in the lock. The oblong pivot hole (on the left side) also prevents one from using gate tension to hold it into place. This tumbler will simply fall past the gate once you stop manipulating it. Since there are two of these levers in this lock design, you would in theory have to pick both of them at the same time, and you'd have to do it only after all the other levers are perfectly aligned and held in place by lock tension. This design is also such that if you hit the upper or lower part of the slot, it will jam the lock and you'll have to release some tension and try again.


Here's the broken lock, mostly disassembled.


Here are all the guts. You can see the pile of shims in the lower left corner of this photo.


Unfortunately, the main part of the bolt, including the gate, was snapped off, so this lock is completely useless for practicing on or using. It did give me a look into some fairly advanced security features I'd never seen in lever locks before, though.

Locks of this variety are most often found in safe deposit boxes. As you can see, it's often easier to simply use destructive force to open them if you don't have the key.

2009-03-21

Silence - Short Speculative Fiction

Along with my technical passions I've also done literature. I've done creative writing courses with stories & poetry, and edited a college literary mag. Here is a short form speculative fiction story I wrote recently, in under 750 words. Comments and criticism of all sorts greatly appreciated.

Silence
Jon Pruente
Copyright 2009
Written 1-March-2009

The thump came through the floorboards first. The lamp shade rattled and the cabinet doors started a deep, low, buzz. Slowly the thump grew into a consuming sound that filled the room. She waited by the door trying to be patient. She knew the drills by heart and anticipated the next step. There was always a next step in the drills, but her father had taught her to be ready for the step that didn't come. As she waited she pictured what she might do if this next step didn't come.
The thump grew beyond sound into a pulse of pressure that shook the whole house. Everything on the shelves vibrated in place and the leaves on the fake flowers waved as if in a slight breeze. The wall shook as she leaned against it, watching out the narrow window. She was tense with anticipation.
"You must remain calm. Any time you can not remain calm you will make a mistake and it will consume your concentration. You will make mistakes, but you must overcome them and be ready for what is next," her father's voice spoke from her memories.
She breathed, for the first time in many seconds. She fought the urge to gulp air and forced herself to breathe in deep and measured breaths. Every time her lungs filled she felt the thump inside like a pump jetting pulses of air against her diaphragm. It overpowered the beat of her own pulse in her ears.
"You can control yourself, given a proper goal. For your control to be effective you must have a secure knowledge how to complete your goal. Without that knowledge your will flounder and your actions may not further your goal. Your goal should always be to preserve your life," her father's voice intoned.
The thump drove its rhythm further into her body. She watched out the window, her hand poised near the doorknob. The door rattled in the frame and the vibrating window glass distorted the tangled lawn she could see outside. Peering through the glass she felt consumed by the pulses. And felt the tempo of the beat slow. The intensity of the pulses perceptibly weakened with the tempo, quickly dropping. Breathless seconds again passed as she considered the sudden change, and then came another thump. Not the thump of the rotors but the sickening sound of the metal body colliding with the earth. And with that final gasp the pulse gave way to near silence. Still breathless she heard only the wet flow of her pulse surging inside.
Tentatively she turned the knob and inhaled smoothly. The air of the house reeked of dusty abandon recently disturbed. The door pulled free and swung open with a squeal. She stepped onto the porch and breathed the sweet night air she had last tasted what seemed so long ago. The next step, she decided, had changed.
Down the steps and along the path to the street she saw the shadowy overgrowth and trees in the moonlight. At the street she turned and ran down the pavement and noticed the street light at the corner was out. She passed it and turned down the block. She saw deep shadows under the boughs down the street and turned in a circle looking down each roadway; all were in darkness, save what moonlight filtered through the high treetops. She ran along the street and stumbled as it rose into a hill. Nearing the top she turned and looked to the horizon over the trees and saw only the moonlit treetops. Natural darkness consumed the landscape and she began to panic.
The crash with no explosion, the darkness, the silence. They were well prepared, they were clean.
She struggled to keep breathing in the panic and she felt painful flutters in her chest. She turned back and ran on. The flutters stopped and her panic deepened as she realized her pulse had as well. She knew the shock normally would come but also knew that now it wouldn't. Everything electrical around her had failed as far as she could see, and so had everything electrical inside of her. So she ran with only the sound of her breath inside of her, futile gasping, waiting to be slowly consumed by the silence. She tried to savor each step she took, and to be ready for the one that didn't come.

2009-03-17

Trends keep trending...

Engadget spy photos are out for a Lenovo netbook/ultra-portable. It sure looks like my non-pundit punditry is shaping up.

Thanks ax0n for the linkage!

2009-03-15

Ganz Dome Security Camera Refurb

One of the things I found in the dumpster at the same time as the Schlage/Recognition Systems Handkey II was a Ganz ZC-D5212NHA security camera. It was packed away neatly in its original box -- which was, as you can see -- labeled "BaD" - In other words "Fix Me, Please!"


The clear dome was still plastic wrapped as shown in the photo below. The box contained all the original stuff as well -- install cutting/drilling templates, mounting hardware and all that. Obviously, this camera was never installed.


You can see a capacitor that had broken from the backplane in the above photo. My best guess is that the installer broke it off accidentally while messing with the camera pivot, then discarded it.

This electronics repair task is pretty straight-forward. These are chip-base electrolytic capacitors with surface mount tabs instead of the more common through-hole electrolytic caps. Soldering this one back on was a little tricky because I had to take care not to overheat the capacitor. It was by no means impossible, though.


Once re-assembled, this camera works just like any of the other CCTV Cameras I've played with in the past. The monitor below is displaying the video feed (upside down) from the camera. It works fine and can go fish-eye wide-angle or up to 4x zoom. It also features a really crisp sensor that works very well in low-light conditions. Boots is wondering if his hijinks will be caught on video now.


I haven't completely decided what I'll do with this one yet. If CCCKC needs more security cameras, I'll probably donate this one. Otherwise, I'll probably sell it. I have plenty of security cameras around, and don't need any more. I could use the extra cash, though.

I decided I'd take the next step and clean up the box and re-package the camera like it was when it was new, just in case.

I don't have any dry-erase markers at home to do the permanent marker removal hack, but 91% Isopropyl rubbing alcohol should work fine in this case as well.




And just like that, it's as good as new. Retail value is about $230. Not a bad find.

2009-03-14

Recognition Systems Handkey II

I had a good dumpster diving haul last night. I scored a dome camera (which needs some electronics repair, should be easy) and a Recognition Systems (now owned by Schlage) Handkey II biometric hand scanner. I found one exactly like this several years ago, but ended up refurbishing it and selling it on eBay. Only a small group of people know where I get this stuff.


On the back of the HK-2, a wiring diagram is provided. This device can be used in a network with other HK-2 machines (in slave or master mode), in conjunction with other access controls (badge/card reader and a centralized "brain"), or in standalone mode. The wiring on the back allows you to hook this up to an electronic door latch, magnetic lock or anything else that can be controlled by a relay.


In the lower left corner, there are some DIP switches. As my HK-2 was already configured, I was unable to use it even though it powered on and seemed to be working fine. In the instruction manual (included in the box I found this in!), I found out which switches to flip in order to reset its memory back to default. This allowed me to set it up from scratch just as if I'd acquired it from the manufacturer.


Once it's back to factory mode, setup for standalone mode is a breeze. Users are "enrolled" by providing a user ID number (from 1-10 digits long) and then they're asked to scan their hand three times. It takes only a few seconds per user, so enrolling a fairly large number of people when deploying this solution isn't going to take forever. It is possible to enroll users by their left hand if, for example, they do not have a right hand.

It's worth mentioning that when these devices are used in stand-alone mode, they don't provide that much security. A chintzy, 4-pin cylinder lock holds this device to the wall. If you can pick it (or if you tug hard enough), the HK-2 will flop open and give you access to the wiring and the DIP switches. From there, you can attempt to trip the door relay yourself (using the exposed wires) or you could even de-program the HK-2 and add yourself as the new administrator. Of course, this method would get noticed quickly, as everyone else would be denied access.


The HK-2 uses an array of six very bright Infrared LEDs to cast light onto your hand. The platen is reflective and contains a digital pattern. Also, there is a mirror on the left side of the platen, and a reflective strip to the right side. As far as I can tell from my testing, the HK-2 only concerns itself with the outline and the cross-section of your hand. It does not appear to make a heat map of your hand and blood vessels or anything of that nature.


Once you enter your user ID number, it prompts you to place your hand on the platen as shown in the diagram. All the points lit up with LEDs need to be touched by your finger. Again, if the user enrolled with their left hand, the diagram won't look right but it's still possible to use it.


If the hand placed on the platen is a close-enough match to the enrolled hand, it verifies the hand and grants access. The number below tells you how close of a match your hand is to the enrolled profiles. Smaller is better. If you notice this number getting bigger, you may wish to have the administrator re-enroll you. This can be due to weight gain or loss, growth, or the addition of a ring.


I may have some more to write about this in the future. I'm still tinkering with it for now.

2009-03-07

Retro-Computing Presentation and notes

Frogman and I talked about Retro Computing for the CCCKC Grand Opening. Ours was more of a demonstration, but we did hit quite a few points worth noting. We didn't have slides for the demonstration, but we threw these together today.


Operating Systems:
Puppy Linux
Damn Small Linux
TinyCore Linux
NetBSD
OpenBSD

Install Tools:
Smart Boot Manager
UNetbootin

Thin Client Software:
RDesktop (RDP Client for Linux/BSD)
TightVNC

Text-Mode Applications:
Links Web Browser
Finch (Part of Pidgin IM Client)
Midnight Commander File Manager
StarTTY Text-mode information service

Fon presentation and notes

Here were the slides from the presentation this evenin... err... yesterday! It was a late night!


Wifi router firmware links:
OpenWrt
DD-Wrt
Jasager

Tutorials
Enabling Redboot
Unbricking a bricked Fon and installing OpenWrt
Darren Kitchen's Jasager Howto

Tools to help install:
Tftp server configuration tool for OS X
Redboot.pl - a perl script to help automate redboot access (Linux/BSD/Mac)
Freifunk AP51 EasyFlash tftp gui for Linux/Win

Hardware Hacks:

If we think of more, we'll leave it in the comments. As for me, it's time for sleep (finally).