Sodastream Hack

Sodastream is great at making bubbly water. To save on the cost and time needed to switch out the CO2 canisters, I decided to hook up a regular CO2 tank instead of using the small canisters from Sodastream.

ITEMS NEEDED

1) FreedomOne+ adapter from CO2 Doctor on this order page. I ordered the model with 72H (meaning 72 inch length straight cable) and CGAWG (connector type for standard CO2 tanks, as opposed to PBWG for Paintball Tank connector). Other companies make similar adapters, but this one is well built and the company is helpful and responsive. With this modification from the CO2 Doctor, a 5 or 20 pound tank can be connected.

2) 5 lb CO2 tank that I fill at my local paintball store for $10. Gas companies also do refills. I consider myself a normal-to-heavy user of Sodastream with a few glasses/day. I make extra fizzy water (4-7 farts of the Sodastream, depending on mood). My pressure gauge still shows that I have a lot of CO2 left and I’ve been using the single 5 lb tank for over 6 months.

3) Sodastream. I liked the look of the Sodastream Pure model the most. It can hold only the smaller 14.5 oz cylinders which is fine because I’m not using the internal tank. I drilled a hole at the bottom of it and another hole in my kitchen counter to hide my large tank underneath (see pics).

VALUE

This isn’t cheap at $300 total: adapter from CO2 Doctor ($130), Sodastream ($80-130), CO2 tank ($65), and a single fill-up ($10). But any addict to carbonated water can easily spend this in under a year. And the ongoing cost or marginal cost per additional amount of carbonated water after the initial cost is almost nothing.

SODA

You can easily add syrups to make your own sodas. The Sodastream syrups don’t taste good to me and they contain Aspartame. Instead try the great syrups from Pittsburg Soda Pop.

Google China to Stop Censorship

Until now, Google has operated in China by not listing government-blacklisted sites in its search results (see google.cn search results for “Tiananmen”). This was controversial, but Google maintained that it was better to work within these restrictions than to have no presence in China.

After recent cyber attacks on Google, Google is changing its stance. This will be interesting.

Read the full Google Blog post:

A new approach to China

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident–albeit a significant one–was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users’ computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this U.S. government report (PDF), Nart Villeneuve’s blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China’s economic reform programs and its citizens’ entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that “we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China.”

These attacks and the surveillance they have uncovered–combined with the attempts over the past year to further limit free speech on the web–have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

12 Tips for Protecting Your Computer from Snoopers

In the DC area especially, there are people who have reason to be concerned about computer espionage, either for work (national or corporate secrets) or personal reasons (divorce or blackmail). Here are 12 tips to guard against intruders snooping on your activities:

  1. Use decent passwords. The easiest way for someone to access your email and other information is if they know or can easily guess your passwords. It is estimated that 1 out of every 9 people uses a password on the top 500 worst password list. Most passwords are “cracked” not through problems with the encryption itself, but because the password is poor. Don’t use dictionary words, the names of loved ones, the names of your pets, your birthday, etc. Longer passwords are better, so government institutions often require at least 10-14 characters. Passwords should be random and use letters, numbers, and special characters.
  2. Use different passwords for different things. If someone sees your computer login password over your shoulder, you don’t want them to then have access to your bank account because it has the same password.
  3. Change passwords regularly. Government and corporate security protocols typically require that passwords be changed at least every 3 months.
  4. Use a password manager. Seeing a theme here about the importance of passwords? If you have different random passwords and change them regularly, then you either have a memory like Rain Man or you keep track of the passwords somewhere. The most popular software tools to manage passwords are LastPass (Free or Premium for PC, Mac, and others), KeePass (Free for PC, Mac, and others) and 1Password ($39.95 for Mac). Password software allows you to keep all your passwords encrypted with one master password. It can autofill site information so that you only have to remember that one master password. It also has a Password Generator to create random strong passwords, a great idea. Without this, most people use passwords that are similar. To the extent that your passwords are similar, an investigator can more easily guess your other passwords. (Tip: use Dropbox to backup/sync KeePass or 1Password encrypted files. LastPass syncs automatically between computers).
  5. Do not use personal information that can be guessed as the answers to your online secret questions. This is how Sarah Palin’s Yahoo email was “hacked” in September 2008 simply by someone guessing the answers to her challenge questions such as where she went to high school.
  6. Tie your Yahoo or other login site to another email account or cell phone number. This will let you know of any attempted password resets and help if tip 5 doesn’t work.
  7. Encrypt files. As we explained in our post Encryption on USB Flash Drive, TrueCrypt can be used to encrypt your important data. Remember that although TrueCrypt cannot be cracked, someone could guess your password if you chose it poorly.
  8. Remember that your router is a computer too. Your router manages all the data between your computer and the Internet. If your router software is compromised, you could be sent to a site that claims to be your bank but is really a completely different site, because of website misdirection from a bogus DNS system used by your router. The router software should be checked, firmware reloaded, and the password on the router should be changed. Most people unknowingly leave the router login at its defaults. That is safe enough if your local network is not breached, your WiFi isn’t hacked, and your router is not remotely accessible.
  9. Use strong WPA2 WiFi encryption. WPA2 is not easily cracked like WEP. Tools such as BackTrack and KisMAC can crack WEP in minutes. (See photo of “war driver” below hacking into a WiFi network.)
  10. Turn down your WiFi antenna strength. Hackers can crack into a WiFi access from over a block away with directional antennas and a good line-of-sight to their target. If you don’t need the extra signal strength, turn it down since a weak signal is harder to crack. This isn’t an option on all routers. If you want to take extra control of your router for this and other options, see if you can load the alternative DD-WRT firmware.
  11. Check for keyloggers. Keyloggers will log everything you type. They can be in the form of software or physical devices that are attached to a USB port or between the keyboard and computer.
  12. Wipe computer and start fresh. If someone has had physical access to your computer or if the computer is already compromised, all bets are off. Some experts and government institutions will simply decommission a compromised computer and trash it. But most people should be satisfied with wiping everything. The hard drive can be wiped and the operating system reinstalled. The BIOS (seen from the very initial startup) can be reflashed and checked. The computer can be opened and physically checked for modifications.
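
The password advice in tips 1, 2 and 4 can be checked mechanically. The Python below is an added example, not part of the original post: it audits a set of passwords for worst-list membership, length, character mix, reuse and near-duplicates, and generates a random replacement. The `WORST` set, the sample vault, the function names and the 0.7 similarity threshold are assumptions made for illustration.

```python
import secrets
import string
from difflib import SequenceMatcher
from itertools import combinations

# Constructed stand-in for a "worst passwords" list; swap in a real list.
WORST = {"password", "123456", "qwerty", "letmein", "dragon"}
SPECIALS = "!@#$%^&*-_=+"

def classes_ok(pw):
    """True when pw mixes letters, numbers and special characters (tip 1)."""
    return (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def generate(length=14):
    """Random password from a CSPRNG, redrawn until every class is present."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_ok(pw):
            return pw

def audit(vault, min_len=10, threshold=0.7):
    """Return {site: [findings]} for a {site: password} mapping."""
    findings = {site: [] for site in vault}
    for site, pw in vault.items():
        if pw.lower() in WORST:
            findings[site].append("on worst-password list")
        if len(pw) < min_len:
            findings[site].append("too short")
        if not classes_ok(pw):
            findings[site].append("missing a character class")
    # Tips 2 and 4: reuse and near-duplicates let one leak expose other accounts.
    for (a, pa), (b, pb) in combinations(vault.items(), 2):
        if pa == pb:
            note = "reused on"
        elif SequenceMatcher(None, pa.lower(), pb.lower()).ratio() >= threshold:
            note = "similar to"  # threshold is an assumed cut-off
        else:
            continue
        findings[a].append(f"{note} {b}")
        findings[b].append(f"{note} {a}")
    return findings

# Constructed sample vault (not real credentials).
SAMPLE = {"bank": "Fluffy2009!", "email": "Fluffy2009!",
          "forum": "Fluffy2010!", "router": "password"}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE).items():
        print(site, "->", issues or "ok")
    print("generated:", generate())
```

Run it against an export held only in memory or on an encrypted volume, since the input is plaintext passwords.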

Let me know if you have other suggestions for keeping your computer information safe from surveillance.


Old School Hacker

Most high-profile hacking today is for profit. The Russian mob and other criminal gangs are often involved in taking over computers, stealing credit cards, and threatening websites with denial-of-service attacks.

That’s why it was somewhat refreshing to see what a hacker did to Twitter yesterday, breaking into 33 celebrity accounts to leave messages on their behalf.

Here’s what CNN’s Rick Sanchez got:

Fox News got “Breaking: Bill O Riley is gay”.

There may have been some profit motive, as President Elect Barack Obama’s account was hacked to have a link to a site that offered a $500 gas card for taking a survey. The Facebook page on Twitter had a link to a porn site. Both sites had affiliate links associated with them, meaning that someone would be getting a referral fee.

The break-ins were tracked down to someone called Gmz from a site called Digital Gangster. It is not yet known if Twitter will pursue the matter legally. If money was made from affiliate accounts, it should be easy to track the person down. A post on Digital Gangster said:

“That guy [who hacked the sites] must have been a very generous individual. To hand out accounts rather than use that for profit. Could it be enough for respect or just enough for that user to be identified as an “idiot”?”