02:39 <kristianpaul> wpwrak: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20%20Workshop%20Materials/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yan

02:39 <kristianpaul> g-GPS-Spoofing.pdf

02:39 <kristianpaul> argh

02:41 <kristianpaul> https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf

02:42 <kristianpaul> wpwrak: http://navspark.mybigcommerce.com/navspark-mini-uart-to-usb-adapter/ if you want give a try..

02:42 <kristianpaul> its freebie

02:46 <kristianpaul> now this module has glonass, soo better changes to avoid spoofing

04:47 <kristianpaul> and since you can talk with the gps, there is an open room for location spoofing detecto

04:48 <kristianpaul> s/defecto/detection

05:52 <DocScrutinizer05> how is glonass more hardened against spoofing? (btw I wonder what's the usecase to have geolocate-locked keys anyway)

05:56 <DocScrutinizer05> actually GNSS-spoofing should be pretty simple, at least for the civil unencrypted part. I'm not sure how secure the SA-encrypted part would be, but taking into account how they brought down some drones I'd think nobody ever thought about anybody being that bold to fake GPS signals ;-P Same as it ever was. See GSM and every other infra, where usually the authorities-controlled infra been considered secure-per-se and nobody thought

05:56 <DocScrutinizer05> about proper authenzication of servers, only about authentication of clients

06:01 <DocScrutinizer05> but honestly I'm just pissed enough when it comes to GNSS-based geolocation *assistence* to find next bus stop and the time schedule of the bus there. For the life of mine I couldn't figure a usecase scenario where I want a crypto solution *relying* on geolocation

06:05 <DocScrutinizer05> switching to another sorting sequence (locally most recently used key first) in UI list of keys is all I could come up with for a usecase of GNSS in Anelok

06:08 <DocScrutinizer05> implementing OPIE ,and proper URL detection support and even challenge-response auth via optical means to read out QR or similar on screen, in Anelok sounds way more useful

06:12 <DocScrutinizer05> for URL detection on arbitrary webpages via a dedicated server that exploits $referrer I think I already suggested some details, which would make for a really great unique selling point for Anelok

06:15 <DocScrutinizer05> F6; 'anel.ok'ENTER ; <point Anelok on QR appearing on screen until the display is flashing (detected QR)>; ENTER - or back-button (to return to the previous page that requested a password entry)

06:16 <DocScrutinizer05> dunno if that would actually work that flawlessly to return to an input mask with multiple textboxes that way

06:17 <DocScrutinizer05> alas nope, it clears the already filled in values in such multi-textbox forms

06:20 <DocScrutinizer05> so your anelok not only needs to store the password value but actually should playback the complete set of values needed for that form, or you need to do the F6 etc dance as soon as you enter such webpage that eventually needs a password

06:21 <DocScrutinizer05> e.g. when you log in where also a captcha is needed, you first go to anel.ok and THEN return to page, fill in captcha, username and password

06:37 <DocScrutinizer05> wtf? .ok TLD not registered yet?

06:38 <whitequark> I wonder when they register .exe TLD

06:39 <DocScrutinizer05> either someone grabbed it and it's not easy to find out about the fact, or there must be some special quirks with .ok. Anyway for anelok there's stil all from a.nelok to ane.lok

06:44 <DocScrutinizer05> apropos... (not really, since it's not exactly .exe...) could it fly to make anelok serve a HTTPS:// page that serves as a framework for automatically detecting and providing passwords? I.E. you would open this https://anelok page (ideally served from anelok dongle itself?? file://usb:index.html ?) and then enter the URL of your online banking site or whatever and anelok detects it automatically?

06:45 <whitequark> no, that would be an XSS vulnerability

06:45 <DocScrutinizer05> :nod:

06:46 <DocScrutinizer05> though, maybe not realy when anelok page first tells anelok dongle about URL and then properly does a forward to that page

06:47 <whitequark> you can't enter a password like that

06:47 <whitequark> hell, it's often hard to enter a password if you have a legit password manager, because banks are stupid

06:48 <DocScrutinizer05> no, i'm not planning to enter the password like that. Anelok already has means to enter password, either by reading it from disply and manually typing it, or by playback when anelok emulates a kbd

06:49 <DocScrutinizer05> I'm just thinking about making anelok aware about the required password

06:49 <DocScrutinizer05> once you got 30 or 50 passwords stored on anelok, it becomes a PITA to select the one you need right now

06:50 <DocScrutinizer05> anelok knowing about the URL you are just looking at would be a great hint to offer the right (set of) password(s to select from)

06:52 <DocScrutinizer05> *entering* the password is a completely unrelated issue

06:53 <whitequark> ah, yeah, that works

06:54 <DocScrutinizer05> ok, when you connect anelok between PC and kbd like a keylogger then it of course has no problem guessing which password you might need now (unless you used mouse to click on bookmarks or the like)

06:57 <DocScrutinizer05> then otoh bookmarks make my formerly sketched aproach fail as well

06:57 <whitequark> um, yes, of course i would not ever type the full URL there

06:58 <whitequark> cli<TAB>ck.alfabank.ru is how I always do this

06:58 <DocScrutinizer05> ut for the (raher common) situation where anelok is just-another-usb-dongle and the kbd is connected directly to PC, it might work

06:58 <whitequark> not to mention you have no clue what the context is

06:58 <whitequark> imagine sending someone a link to google.com and having anelok enter your google password?

06:59 <whitequark> and you also don't know what the keyboard layout is

06:59 <DocScrutinizer05> anelok never *automaticaly* adds a password

06:59 <whitequark> ok, two other issues still stand

06:59 <DocScrutinizer05> for keylogger the layout is a pest, yeah

07:00 <DocScrutinizer05> for the ... lemme call it "URL input screen" layout is irrelevant

07:01 <DocScrutinizer05> but of course won't fly when you enter the URL to address field of browser directly

07:01 <whitequark> you can surely use a browser extension

07:01 <DocScrutinizer05> heck, we need OCR in anelok ;-D

07:01 <whitequark> Chrome now has WebUSB

07:01 <whitequark> so you don't even have to pretend that you're a webpage

07:01 <DocScrutinizer05> sounds good

07:02 <DocScrutinizer05> except for "crome"

07:02 <whitequark> Chromium and Firefox too

07:02 <DocScrutinizer05> chrome even

07:02 <DocScrutinizer05> ooh

07:03 <whitequark> Firefox is not really there yet, but it will probably be at some point

07:03 <whitequark> in Chromium that's usable right now, Yubikey uses it

07:03 <DocScrutinizer05> I guess 'installing' such plugin still is quite some overhead not competitive with the fiddly picking of right password from anelok's UI directly?

07:03 <whitequark> why? you could make it as light as the browser's builtin autocomplete

07:03 <whitequark> you can do whatever you want with the webpages

07:04 <whitequark> from a plugin

07:04 <DocScrutinizer05> err, do plugins autoinstall?

07:04 <whitequark> no

07:04 <DocScrutinizer05> as soon as you plug in anelok?

07:04 <whitequark> but you only have to install it once

07:05 <DocScrutinizer05> yes, but that's not the point. For one-time installation the stuff to install can get arbitrarily complex. But that's not really the major usecase for anelok, I'd use a software password-keeper for that then

07:05 <whitequark> ah, hm

07:06 <DocScrutinizer05> anelok primary usecase is on-the-go

07:06 <whitequark> right. you would want a composite device: expose a keyboard and a CDC-Ethernet

07:07 <DocScrutinizer05> well, maybe not. Maybe it's "use anelok at home and you're ready for OTG"

07:07 <whitequark> of course you will immediately bump into various computers not allowing installation under unprivleged user

07:07 <DocScrutinizer05> yep

07:07 <DocScrutinizer05> anyway, time to have that walk to my appointment

07:08 <DocScrutinizer05> both for the appointment as well as for the "start my day" and "have a fine walk"

07:08 <DocScrutinizer05> and the "get a break from PC"

07:09 <DocScrutinizer05> :-)

07:09 <DocScrutinizer05> BBL

13:21 <wpwrak> whitequark: (webusb) hmm, so a device - e.g., a password safe - isn't expected to be able to protect itself. that doesn't sound too nice.

13:24 <wpwrak> ah, you guys were already discussing anelok :)

13:28 <wpwrak> so far, i've been thinking of using hidapi for such things. but webusb could be a nice alternative

13:43 <wpwrak> i wonder what the "origin" of a browser plugin would be. e.g., if you install a plugin from anelok.com and that plugin becomes active when visiting fakebook.com/login, would a webusb device have to permit one of anelok.com and fakebook.com, or maybe both ?

13:58 <DocScrutinizer05> don't ask me, no clue about that stuff

14:01 <DocScrutinizer05> what do you think of a mail like that (excerpt, sourcetext. The HTML alternative part stub at end looks extremely fishy... I truncated it, it is 100 times as much of same gibberish) http://paste.opensuse.org/31289181

14:04 <wpwrak> new task card: https://gitlab.com/anelok/doc/wikis/Task_webusb

14:06 <wpwrak> Received: from unknown (HELO ns.km20319-04.keymachine.de) hmm :)

14:07 <DocScrutinizer05> yep

14:07 <wpwrak> i guess it would be interesting what is behind "Verifizierung jetzt durchführen"

14:07 <wpwrak> in any case, is there is something amiss, you ought to be able to see it on your account

14:08 <DocScrutinizer05> I wasn't able to parse that shit and I don't dare to try to hand it to a web browser

14:08 <DocScrutinizer05> on account there was no new doom announced

14:08 <wpwrak> or just ask support whether ns.km20319-04.keymachine.de is anything they use

14:09 <DocScrutinizer05> hmm, you think a 30 minutes elevator muzak is worth it? I guess they can't answer such question

14:09 <wpwrak> don't they have mail or form access ?

14:10 <DocScrutinizer05> err, well. Prolly they have a web form to contact them

14:10 <wpwrak> you cuold also check if any other mails frmo paypal.com came from similar-looking sources

14:10 <DocScrutinizer05> THAT is a nice idea

14:12 <DocScrutinizer05> Received: from mx0.slc.paypal.com ([173.0.84.225]) by mx-ha.web.de (mxweb001)

14:20 <DocScrutinizer05> ok, I found other similar rogue mails in my inbox, all with wrong addressee and same gibberish HTML code inside

14:21 <DocScrutinizer05> thanks!

14:23 <wpwrak> bastards. where are extrajudicial executions when we need them ? :)

14:30 <DocScrutinizer05> one mail was a fake payment notification which claimed I'd have paid for a car or somesuch, or car parts

14:35 <wpwrak> hehe :)

14:35 <DocScrutinizer05> SICELO arrive3d \o/

14:36 <wpwrak> have fun ! :)