Friday, May 28, 2010

Inside the RFID 'virus' that 'infected a man'

Earlier this week the BBC reported on a man who had 'infected' himself with a computer virus. The story, of course, is rubbish. The man wasn't 'infected' with anything, he had simply reprogrammed a chip that had been inserted under his skin and then stated that the code in the chip could 'infect' a machine.

There's nothing at all surprising in this. The idea that one machine could infect another is just the run-of-the-mill virus story. The idea that a piece of data (for that is what is stored in his subcutaneous chip) could cause a machine to misbehave is nothing new either: many, many attacks are based on subverting the difference between data and code to take control of machines.

So, the BBC should never have run with the story since it was sensationalist bollocks.

The story states: "In trials, Dr Gasson showed that the chip was able to pass on the computer virus to external control systems. If other implanted chips had then connected to the system they too would have been corrupted, he said." So what is this virus? I tried emailing the scientist involved, Dr Mark Gasson, but have not received any response.

For coders the BBC did happily show two screen shots of the 'virus':

The top shot shows the ASCII version of the virus, and the bottom the hex. If we concentrate on the top shot we'll see that the contents of the virus on the chip are (I used § to indicate a character I can't read):

7220476173736§§§',NewProfile =(select SUBSTR(SQL_TEXT,1)FROM v$sql
WHERE INSTR(SQL_TEXT,'<script>window.location=""

So what you have is a SQL injection attack (note the first ' mark, which closes the string literal the scanner spliced the tag data into) which then runs a SQL subquery against an Oracle database (it uses v$sql, the Oracle-specific view holding the text of SQL statements the server has recently executed). The SQL looks rather odd at first glance: it searches v$sql for a statement containing the JavaScript <script>window.location=""</script> and returns the text of that statement. But the statement that matches is the one being executed right now, since it contains the payload, so the payload is assigning a copy of itself to NewProfile.

Since I don't have access to the machine that is running this code this is where a guess is needed, but it looks like he's causing the machine to store JavaScript that will force a web browser, when it later renders that data, to visit a site he owns.

So, in summary, the sum total of this is that the RFID scanner has a SQL injection vulnerability. Big deal. SQL injection is everywhere, it hardly takes a 'researcher' to realize that unchecked input from the user (in this case in the form of a passive RFID tag) could have a consequence.

The entire demonstration stinks, and worse, the BBC reported on this type of vulnerability (the data in an RFID tag could corrupt a host system) four years ago in a sensible and calm manner. A quote from that article:

In their research paper Mr Tanenbaum and his colleagues Melanie Rieback and Bruno Crispo detail how to use RFID tags to spread viruses and subvert corporate databases.

"Everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software and certainly not in a malicious way. Unfortunately, they are wrong," wrote the trio in their research paper.

The researchers showed how to get round the limited computational abilities of the smart tags to use them as an attack vector and corrupt databases holding information about what a company has in storage. To test out the theory the group created a virus for a smart tag that used only 127 characters, uploaded it and watched it in action.

The sensible paper the BBC was reporting on back in 2006 is The Evolution of RFID Security.

PS Eagle eyed ASCII loving readers may have wondered about the block of hex code at the start of Dr Gasson's RFID tag: 4120 7§§§ 676e 206f 6620 7§§§ 696e 6773 2974 6§§§ 636f 6d65 202d 2§§§ 7220 4761 7373 6§§§. If, like me, you think this looks a lot like English text in ASCII you'd be right. It reads "A sign of things to come - Dr Gasson". So, Dr Gasson signed his 'virus'. All he needs is a leet h4x0r name to complete his transition to script kiddie.

Now script kiddie might seem a bit rude until you go back and look at the virus above. It's using a technique called "self-referential SQL queries". Their use in 'infecting' RFID systems is detailed here and also in the 2006 paper Is your cat infected with a computer virus?

So Dr Gasson's virus looks less and less clever: he used a four year old technique to infect a machine and got himself on the telly because he 'infected himself' (an audible gasp from the audience).

There's a nice description of how the attack works here. Notice the incredible similarity between Dr Gasson's 'virus' and the code on this page.

Oh, and by the way, v$sql isn't readable by an ordinary application account: it needs a privileged one (SYS, a DBA, or an account granted SELECT_CATALOG_ROLE or SELECT ANY DICTIONARY). So you need a back end connecting to the database with that sort of privilege, and a SQL injection vulnerability, to make this happen.
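To make the two points above concrete (the injection itself, and the fact that the tag data ends up deciding what the database does), here is an added example that is not code from the post, from the BBC or from Dr Gasson: a scanner back-end in Python against an in-memory SQLite table, first splicing the tag bytes into an UPDATE the way the vulnerable system evidently did, then using bound parameters. The table, the column names, the second row and the payload text are assumptions made for the demonstration; in particular the real payload's subquery reads Oracle's v$sql to fetch its own statement text, which SQLite cannot do, so a literal string stands in for it here.

```python
import sqlite3

# Constructed stand-in for the scanner's back-end table; the real schema is
# not on the page, so the table and column names are assumptions. NewProfile
# is kept because that column name appears in the payload.
SCHEMA = """
CREATE TABLE tags (tag_id TEXT PRIMARY KEY, tag_data TEXT, NewProfile TEXT);
INSERT INTO tags VALUES ('implant-1', '', 'default');
INSERT INTO tags VALUES ('badge-42',  '', 'default');
"""

# Constructed tag contents in the shape of the chip's payload: a quote closes
# the string literal the scanner splices tag data into, a second assignment
# follows, and a comment marker swallows the scanner's own WHERE clause. The
# real payload's subquery reads Oracle's v$sql to fetch its own statement text;
# SQLite has no equivalent, so a literal string stands in for that subquery.
MALICIOUS_TAG = (
    "r Gasson', NewProfile=(SELECT '<script>window.location=\"\"</script>') -- "
)


def record_scan_vulnerable(conn, tag_id, tag_data):
    """Tag bytes glued straight into SQL: the bug the post describes."""
    sql = f"UPDATE tags SET tag_data='{tag_data}' WHERE tag_id='{tag_id}'"
    conn.execute(sql)
    conn.commit()


def record_scan_parameterised(conn, tag_id, tag_data):
    """Same update with bound parameters: the tag is data, never code."""
    conn.execute("UPDATE tags SET tag_data=? WHERE tag_id=?", (tag_data, tag_id))
    conn.commit()


def run_scan(handler, tag_id="implant-1", tag_data=MALICIOUS_TAG):
    """Apply one scan to a fresh database and report what ended up stored."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    handler(conn, tag_id, tag_data)
    stored = conn.execute(
        "SELECT tag_data, NewProfile FROM tags WHERE tag_id=?", (tag_id,)
    ).fetchone()
    # How many rows got the script? The injected statement lost its WHERE
    # clause, so the vulnerable path rewrites every tag, not just the scanned one.
    hit = conn.execute(
        "SELECT COUNT(*) FROM tags WHERE NewProfile LIKE '%<script>%'"
    ).fetchone()[0]
    conn.close()
    return {"tag_data": stored[0], "NewProfile": stored[1], "rows_hit": hit}


if __name__ == "__main__":
    for name, handler in (("vulnerable", record_scan_vulnerable),
                          ("parameterised", record_scan_parameterised)):
        print(name, run_scan(handler))
```

Run it and the vulnerable path stores the script in NewProfile of every row (the injected comment marker removed the scanner's WHERE clause), while the parameterised path stores the whole payload as an inert string in tag_data and leaves NewProfile alone. On Oracle the subquery would additionally need an account able to read v$sql, which is the privilege point made above.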

PPS What annoys me most about this story is that Dr Gasson didn't invent the clever bit (the self-referential SQL query), he just got himself on the telly with a bit of grandstanding four years after the original, interesting report on the subject.

Friday, May 21, 2010

Naming competition: The London 2012 Mascots

Here are the hideous London 2012 Mascots:

They are officially called Mandeville and Wenlock, but I bet we can find better names... such as Nick and Dave, or Mandleson and Hemlock. But given that apparently their single eye represents a TV camera that records everything they see perhaps they are best named CC and TV.

PS Is it just me or does the one on the right look like they might have peed in their pants?

Thursday, May 20, 2010

British Computer Society Pioneers vote is easily defrauded

Last night I was sitting looking at the BCS Pioneers page when I noticed that the voting for Hedy Lamarr was coming in thick and fast. As I refreshed the page I could see that many, many votes were coming in for her. I hopped over to Twitter to see if there was an organized vote happening and there was nothing obvious.

That got me wondering just how hackable the vote is. It turns out that the BCS has done almost nothing to prevent vote fraud. The only protection is a cookie set in your browser: turn off cookies and you can vote as often as you want. Even more interesting is that it's possible to completely automate vote fraud, since the BCS doesn't even insist on a POST, doesn't appear to be rate limiting IP addresses, doesn't require the cookie to be set, isn't checking the Referer header, ... In fact, the only thing it is sensitive to is the User-Agent string, which needs to make it look like a real browser is being used.

For example, it would be trivial to make you vote for Alan Turing. Here's the code to do that (I modified it very slightly so that it won't actually work). I could embed that 'image' in this page and everyone reading it would be voting for Alan Turing in the background.

<img src="

In fact, that makes the vote security for this poll a total joke. Using a simple script containing the following I bumped up Alan Turing's share of the vote by a few tenths of a percent as a test. If I'd left the script running I could have had him beating Hedy Lamarr within minutes.

wget --user-agent='Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/20100315 Firefox/3.5.9' \
     -S `cat post` -O vote -d

So, what should the BCS have done? They could have used Flash Cookies to set a much more persistent cookie (though that is still client-side state that a script like the one above never sends, so it only slows down casual repeat voting from a browser), they could have forced users to register and confirm an email address to vote, or they could have asked users to fill in a CAPTCHA to vote. As it is the current voting scheme is so open to fraud that the results are likely to be meaningless.
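As an added example (not the BCS site's code, and not anything from the post), here is a Python sketch of a vote handler that closes the holes listed above: state only changes on POST, the session cookie is mandatory, the form carries a token HMAC-bound to that cookie so a cross-site <img> or a blind wget loop cannot produce it, each session votes once, and one IP gets a bounded number of accepted votes per hour. The key, the per-IP limit and the two-candidate list are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the poll's back end; none of this is the BCS site's
# code. The key, the per-IP policy and the candidate list are assumptions.
SECRET_KEY = secrets.token_bytes(32)
PIONEERS = ("Alan Turing", "Hedy Lamarr")
MAX_VOTES_PER_IP_PER_HOUR = 5


class Request:
    """Just enough of an HTTP request for the checks below."""
    def __init__(self, method, remote_ip, params=None, cookies=None):
        self.method = method
        self.remote_ip = remote_ip
        self.params = params or {}
        self.cookies = cookies or {}


class VoteServer:
    def __init__(self):
        self.now = 0.0                 # fake clock (seconds) so runs are deterministic
        self.tally = {name: 0 for name in PIONEERS}
        self.voted_sessions = set()
        self.votes_by_ip = {}          # ip -> timestamps of accepted votes

    def csrf_token(self, session_id):
        # Token bound to the session cookie: a cross-site <img> or a blind
        # script cannot produce it without first loading the page and cookie.
        return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

    def serve_vote_page(self):
        """Serving the form sets a session cookie and embeds the matching token."""
        session_id = secrets.token_hex(16)
        return session_id, self.csrf_token(session_id)

    def handle_vote(self, req):
        if req.method != "POST":                       # GETs change nothing
            return "rejected: not a POST"
        session_id = req.cookies.get("session")
        if session_id is None:                         # the cookie is mandatory
            return "rejected: no session cookie"
        if not hmac.compare_digest(req.params.get("csrf", ""),
                                   self.csrf_token(session_id)):
            return "rejected: bad csrf token"
        if session_id in self.voted_sessions:          # one vote per session
            return "rejected: session already voted"
        choice = req.params.get("pioneer")
        if choice not in self.tally:
            return "rejected: unknown pioneer"
        recent = [t for t in self.votes_by_ip.get(req.remote_ip, [])
                  if self.now - t < 3600]
        if len(recent) >= MAX_VOTES_PER_IP_PER_HOUR:   # per-IP cap per hour
            return "rejected: rate limited"
        recent.append(self.now)
        self.votes_by_ip[req.remote_ip] = recent
        self.voted_sessions.add(session_id)
        self.tally[choice] += 1
        return "accepted"


def simulate():
    """Replays the attacks from the post against the hardened handler."""
    server = VoteServer()
    out = {}
    bot_ip, reader_ip = "198.51.100.7", "203.0.113.5"   # constructed addresses
    # 1. The <img src=...> trick: a bare GET fired from every reader's browser.
    out["img_tag"] = server.handle_vote(Request("GET", bot_ip, {"pioneer": "Alan Turing"}))
    # 2. A wget loop with a browser-looking User-Agent but no page load first.
    out["blind_wget"] = server.handle_vote(Request("POST", bot_ip, {"pioneer": "Alan Turing"}))
    # 3. Same loop with a made-up cookie: the HMAC token does not match.
    out["forged_cookie"] = server.handle_vote(
        Request("POST", bot_ip, {"pioneer": "Alan Turing"}, {"session": "made-up"}))
    # 4. A real reader: loads the page, posts once, then tries again.
    sid, token = server.serve_vote_page()
    vote = Request("POST", reader_ip, {"pioneer": "Hedy Lamarr", "csrf": token}, {"session": sid})
    out["real_vote"] = server.handle_vote(vote)
    out["real_repeat"] = server.handle_vote(vote)
    # 5. A smarter script that fetches a fresh session for every vote from one IP.
    results = []
    for _ in range(MAX_VOTES_PER_IP_PER_HOUR + 1):
        sid, token = server.serve_vote_page()
        results.append(server.handle_vote(
            Request("POST", bot_ip, {"pioneer": "Alan Turing", "csrf": token}, {"session": sid})))
    out["scripted_sessions"] = results
    out["tally"] = dict(server.tally)
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The token only defeats requests that never loaded the page; a script that fetches the form first gets a valid cookie and token every time, which is what the per-IP rate limit is for, and why the stronger suggestions above (email confirmation or a CAPTCHA) still matter. Flash cookies are not modelled since they are just more client-side state.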

PS I emailed this blog post to the BCS and they replied:

Thanks very much for your email and blog post. We will be responding officially with a post on our blog shortly, but I just wanted to let you know that we have raised this issue with our site designer, and are looking at ways to change the voting system to keep it easy for people to vote and interact while preserving the vote's integrity.

Tuesday, May 18, 2010

Make friends with Porgy

I've set up a Facebook page for Alan Turing's teddy bear Porgy.

If you want to friend Porgy then the page is here.

Monday, May 17, 2010

Talking to Porgy

If you're a computer programmer you might have found yourself describing a particular problem you are having to a colleague. Many times you'll never even finish the explanation, or get any feedback, before you uncover the solution to your problem. I've found that a colleague is not even necessary: you can talk to anything as long as you verbalize your problem.

While working on my book I would frequently describe out loud the scientific sections I was writing to make sure that I understood what I was explaining. To feel a little less ridiculous I used to do this while talking to my cat. The cat didn't understand what I was talking about, or at least it never said a mumblin' word, but speaking aloud helped me enormously.

I also find myself talking directly to my computer while debugging. And there's something in speaking out loud a problem that makes cogs in my brain mesh and a solution propose itself.

In Coders at Work Joe Armstrong (who created Erlang) describes a similar situation with a "useless" colleague:

I worked with this guy who was slightly older than me and very clever. And every time I'd go into his office and ask him a question, every single question, he would say, "A program is a black box. It has inputs and it has outputs. And there is a functional relationship between the inputs and the outputs. What are the inputs to your problem? What are the outputs to your problem? What is the functional relationship between the two?". And then somewhere in this dialog, you would say, "You're a genius!" And you'd run out of the room and he would shake his head in amazement--"I wonder what the problem was, he never said".

Unfortunately, talking to inanimate objects is often seen, by the general public, as a sign of insanity. I only talked to the cat when the rest of my family were out of the house. But speaking out loud seems to be helpful because it forces you to explain your problem clearly, it forces you to find hidden assumptions, and it makes different bits of your brain work.

Since the thing you are talking to knows nothing of your problem you have to explain it clearly and in detail, as you go into detail you are forced to uncover parts of the problem you hadn't thought of. And, by speaking out loud you use the parts of your brain that form words, move your mouth, hear words and process them.

The Pragmatic Programmers call this talking-to-inanimate-objects technique Rubber Ducking because they suggest placing a rubber duck next to your computer and talking to it. The Rubber Ducking page has stories of the different objects people talk to, and relates the story of a teddy bear at MIT that students were forced to talk to before bothering a member of staff.

The same sort of technique seems to have worked for Alan Turing. One of his nieces recalls Alan Turing having a teddy bear:

"It was called Porgy. He bought it for himself when he was an adult, and it used to sit in the chair when he was at Cambridge. He used to practice his lectures in front of Porgy."

The surviving Turing family were kind enough to send me a photograph of Porgy dressed in the little outfit that Alan Turing's sister made for it. You might like to print it out and post it near your computer. Next time you come up against a difficult problem, simply turn to Porgy and describe out loud the problem you are having. I'm sure Porgy can help.

PS. If you're on Facebook you can become a fan of Porgy here.

Friday, May 14, 2010

Would you pay for this service?

Here's a service idea that came up the other day on Hacker News: automatically labeling your mail in Google Mail.

I have quite a lot of experience in this area having created POPFile for this purpose and then sold a commercial version called polymail.

But with the rise of Google Mail, and with the safety of OAuth, I'm wondering whether there are people out there who'd pay some small amount of money per month to have their Google Mail automatically labeled.

The service would work like this: you'd sign up and give me OAuth access to your Google Mail. Within Google Mail you'd label mail as you see fit, but in the background service X would be watching and learning. As new mail arrived it would automatically label your Google Mail based on what it had learnt (imagine waking up to a mailbox full of pre-labeled mail).

If it made a mistake you would simply change the label on a message and service X would update its machine learnt view of your labeling habits.

So, would you use this? How much is this worth to you?

If you're going to search the web, make an intelligent guess first

Today, on Hacker News there was an irresistible question posed by a user: What format is this? with a snippet of some sort of computer code:

{D1531,1000,1501|} {C|} {U2;0130|} {D1531,1000,1501|}
{AX;+000,+000,+00|} {AY;+05,0|}
{PC000;0922,0555,15,15,H,11,B|} {RC00;LABELTITLE|}
{PC001;0865,0555,15,15,H,11,B|} {RC01;VOLTAGE|}

I looked at it and couldn't resist the challenge of figuring it out. It reminded me of the sort of code used to drive printers and plotting devices. There appeared to be references to labels and to x and y axes. It made me think of the old Epson MX-80 command sequences, of PostScript, of Hayes modem commands and NMEA 0183 sentences, and of other much more obscure things I've seen for talking to embedded microprocessors.

It looked like the structure was a sequence of commands enclosed in { } with a command letter or letters at the beginning.
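To check that guess about the structure, here is an added parser (mine, not anything from the Hacker News thread or from the printer's documentation) that reads the snippet above as a sequence of {LETTERS PARAMS|} groups. The grammar is inferred from those four lines alone and is an assumption: a run of capital letters names the command, an optional selector precedes a ';', and arguments are comma separated.

```python
import re

# The snippet from the post, used here as the sample input.
SAMPLE = """
{D1531,1000,1501|} {C|} {U2;0130|} {D1531,1000,1501|}
{AX;+000,+000,+00|} {AY;+05,0|}
{PC000;0922,0555,15,15,H,11,B|} {RC00;LABELTITLE|}
{PC001;0865,0555,15,15,H,11,B|} {RC01;VOLTAGE|}
"""

# Inferred grammar (an assumption): '{', capital-letter mnemonic, anything
# that is not a brace or bar, then the '|}' terminator.
COMMAND = re.compile(r"\{([A-Z]+)([^{}|]*)\|\}")


def parse_commands(text):
    """Return a list of (letters, selector, args) triples, in document order.

    selector is the text between the mnemonic and ';' ('' when there is no
    ';'); args is the comma-split remainder, [] when nothing follows the
    mnemonic. Text outside well-formed {...|} groups is reported as an error
    rather than silently skipped, so a bad transcription shows up.
    """
    commands = []
    pos = 0
    for m in COMMAND.finditer(text):
        stray = text[pos:m.start()].strip()
        if stray:
            raise ValueError(f"unparsed text before command: {stray!r}")
        letters, rest = m.group(1), m.group(2)
        if ";" in rest:
            selector, arglist = rest.split(";", 1)
        else:
            selector, arglist = "", rest
        args = arglist.split(",") if arglist else []
        commands.append((letters, selector, args))
        pos = m.end()
    trailing = text[pos:].strip()
    if trailing:
        raise ValueError(f"unparsed trailing text: {trailing!r}")
    return commands


def command_letters(text):
    """The distinct mnemonics: the part of the format worth searching for."""
    return sorted({letters for letters, _, _ in parse_commands(text)})


if __name__ == "__main__":
    for cmd in parse_commands(SAMPLE):
        print(cmd)
    print(command_letters(SAMPLE))
```

Running it lists ten commands, and the mnemonic set comes out as AX, AY, C, D, PC, RC and U, which is the list of things a search can actually be built from.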

But how exactly should you go searching for this sort of thing? Try Googling the first command {D1531,1000,1501|} and you'll find nothing of any use. So, this is where an intelligent guess comes in.

Of all the commands in the block given {AX;+000,+000,+00|} looked like the most findable to me. The others seemed to have very specific arguments to the commands that are unlikely to turn up, but I guessed that {AX;+000,+000,+00|} was something to do with setting an x coordinate or x axis to a default position of all zeroes. That seemed like a very common thing to do and worth a google.

The very first result is for a PDF from Century Systems, Inc. for a manual called the Century Eagle 4, Century Eagle 5 Basic Interpreter White Paper which shows a BASIC program outputting commands to a Century Eagle label printer.

Google "Century Eagle 4" and you get to the product page which contains a link to a PDF of the Eagle 4 Programmer Manual that details all the commands asked about by the original poster.

The key to this search efficiency is making an intelligent guess about what will be findable and what will be distinguishing. In this case, it's the findable that matters because the command sequences are so obscure that it's unlikely that you'll be wading through pages of almost, but not quite the right results.

In other cases, it's about both finding and distinguishing. But that's the subject of an older blog post of mine.

Thursday, May 13, 2010

Project Gutenberg shines on the iPad

One more for NewsTilt.

I’m sitting on a London bus that’s making its way up Sloane Street on its way to the historic central district of Mayfair where Lords and Ladies once entertained. I glance up from reading The Picture of Dorian Gray as I pass the Cadogan Hotel where the book’s author, Oscar Wilde, was arrested in 1895.

As the bus trundles along I return to the glowing screen of an Apple iPad where, in Wilde’s story, Lord Henry Wotton is entertaining in his Mayfair home.

I obtained the copy of Dorian Gray for free using Apple’s iBooks application; Apple in turn obtained the text from Project Gutenberg, an almost 40-year-old project to digitize books that are no longer under copyright.

The rest.