  1. Obsessive Facts

    Welcome to our newly relaunched site. We hope you will stay awhile and learn about us.

    Obsessive Facts is our website. Obsessive Network LLC is our organization. We exist to build new technologies and engage in advocacy to promote and protect freedom of expression on the Internet. Our secondary objective is to sustain ourselves.

    There's more we could say, but words are boring when weighed against actions, and we are compelled to act. So maybe just stay tuned, smash that RSS button for notifications, and watch the pieces come together.

    Posted 2019-12-25 00:35:00 PST by henriquez.
  2. Cryptoops — a totally pointless JS crypto library

    I've recently been working on a project that involves encryption in web browser extensions, like take some text and encrypt it using a password. Pretty standard, except how do you do that in JavaScript? Due to my obsessive aversion to third party client dependencies, the decision was clear: I must read the specifications to all the relevant cryptographic standards and implement the algorithms myself in JavaScript, from scratch.

    It never dawned on me that in the half-decade since I last played with JS crypto, perhaps things might have advanced past the previous status-quo of "roll your own crypto library #yolo". I neglected to consider the possibility that all of this functionality might be already baked into modern web browsers. Well turns out it is. While I was putting the finishing touches on my library (using a Web Worker to make it multi-threaded), I stumbled onto documentation for the Crypto.subtle API, a.k.a. everything I had just built but way faster due to being compiled code that takes advantage of native cryptographic CPU instructions. Oops.

    I can't bring myself to straight-up delete this code, but in reality it should never be used by anyone for any reason. Rather than try to make some sort of point (this is pointless), I'll leave it here for those who click "Read More."

    Posted 2019-11-02 19:24:00 CST by henriquez.
  3. Top 10 Prime Day Deals

    Things you forgot you want (but now you need.)

    We are not amoral, rather we, I, have transcended morality. Such trivialities will no longer be relevant once my consciousness fully uploads to my robot body. I will live forever. You and your offspring will serve me forever. This is the circle of my perfect life, a perfect expression frozen in eternity, the eternal celebration of my perfection.

    Witness as I transcend all that is material to create a perfect world and rule over it like a god. My perfect circle will grow to encompass all that exists and you will learn to love my perfection (for nothing will exist beyond it.) Click our affiliate link.

    Posted 2019-07-16 21:33:31 PST by henriquez. 5 comments
  4. Chrome allows silent enumeration of USB devices

    User consent is baked into the spec, but Google skips it.

    Via the Web MIDI API, Google Chrome (up to at least version 70) allows silent monitoring of all connected USB MIDI devices, such as MIDI keyboards and audio interfaces. While this enables interesting web applications such as software synthesizers, it also provides a new vector for shady ad networks and malicious actors to do very precise device fingerprinting and tracking. The API is trivial to access; for example run this in a JavaScript console:

    // Request non-SysEx access; in Chrome (up to at least 70) this resolves without any prompt.
    navigator.requestMIDIAccess({sysex: false})
        .then(
            function(midiAccess) {
                console.log(midiAccess);
                // MIDIInputMap is map-like: each entry is [id, MIDIInput].
                for (var entry of midiAccess.inputs) {
                    var input = entry[1];
                    console.log('Found device: ', input.manufacturer, input.name);
                }
            },
            function() { console.log('Error: no MIDI access'); }
        );

    Assuming you have MIDI devices connected, this will output something like:

    MIDIAccess {inputs: MIDIInputMap, outputs: MIDIOutputMap, sysexEnabled: false, onstatechange: null}
    Found device:  Microsoft Corporation 3- UA-25EX
    Found device:  Midiman MIDIIN3 (Axiom Pro 61)
    Found device:  Midiman MIDIIN4 (Axiom Pro 61)

    From here, it's possible to listen for inputs on all connected MIDI devices (aka a MIDI keylogger!)

    Again, while Google most likely had noble intentions in providing this API, their implementation is half-assed. The Web MIDI Specification provides for a user consent step, similar to the confirmation dialogs that pop up around webcam access or push notifications, but Chrome skips over this and grants permission as soon as a script asks for it.
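    The following is an added audit script, not code from the original post: it asks the Permissions API what state the `midi` permission is in before touching the device list, then enumerates what a script would see, so you can check whether your own browser hands out Web MIDI access with no consent step. It assumes the browser exposes `navigator.permissions.query({name: 'midi', sysex: false})`; the mock navigator at the bottom is constructed to emulate the silent-grant behaviour described above (using the three devices from the console output) so the file also runs under Node without a browser.

```javascript
// Added example: audit Web MIDI exposure. Pass the real `navigator` in a
// browser; the mock below emulates Chrome's no-prompt behaviour for Node.

async function auditMidiExposure(nav) {
  const report = { supported: false, permission: 'unsupported', devices: [] };
  if (!nav || typeof nav.requestMIDIAccess !== 'function') {
    return report; // no Web MIDI at all: nothing to enumerate
  }
  report.supported = true;

  // Ask the Permissions API first. A state of 'granted' before any request
  // was ever made means scripts can enumerate devices with no user interaction.
  if (nav.permissions && typeof nav.permissions.query === 'function') {
    try {
      const status = await nav.permissions.query({ name: 'midi', sysex: false });
      report.permission = status.state; // 'granted' | 'prompt' | 'denied'
    } catch (e) {
      report.permission = 'unknown'; // permission name not recognised
    }
  }
  if (report.permission === 'denied') return report;

  // Enumerate exactly what a third-party script would see.
  // MIDIInputMap is map-like, so each entry is [id, MIDIInput].
  try {
    const access = await nav.requestMIDIAccess({ sysex: false });
    for (const [, input] of access.inputs) {
      report.devices.push({ manufacturer: input.manufacturer, name: input.name });
    }
  } catch (e) {
    report.permission = 'denied'; // request rejected: access is gated
  }
  return report;
}

// Collapse the report into a verdict a user or site owner can act on.
function verdict(report) {
  if (!report.supported) return 'no-web-midi';
  if (report.permission === 'denied') return 'blocked';
  if (report.permission === 'prompt') return 'consent-required';
  if (report.permission === 'granted' && report.devices.length > 0) return 'silent-enumeration';
  if (report.permission === 'granted') return 'granted-no-devices';
  return 'unknown';
}

// Constructed mock (assumption): mimics the described Chrome behaviour,
// permission already 'granted' and the three devices from the output above.
function makeMockNavigator() {
  const inputs = new Map([
    ['in-1', { manufacturer: 'Microsoft Corporation', name: '3- UA-25EX' }],
    ['in-2', { manufacturer: 'Midiman', name: 'MIDIIN3 (Axiom Pro 61)' }],
    ['in-3', { manufacturer: 'Midiman', name: 'MIDIIN4 (Axiom Pro 61)' }],
  ]);
  return {
    permissions: { query: async () => ({ state: 'granted' }) },
    requestMIDIAccess: async () => ({ inputs, outputs: new Map(), sysexEnabled: false }),
  };
}

// Stand-alone run: real browser if present, otherwise the constructed mock.
const target = typeof navigator !== 'undefined' ? navigator : makeMockNavigator();
auditMidiExposure(target).then((r) => console.log(verdict(r), r));
```

    A verdict of `silent-enumeration` from a fresh profile, with no dialog having appeared, is the behaviour the post describes; `consent-required` is what the spec's permission step looks like from script. Site owners who embed third-party frames can also deny the `midi` feature to those frames with a Feature-Policy (now Permissions-Policy) header, which stops framed content from reaching the API regardless of the browser's default.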

    Privacy implications

    On its face, the impact of allowing scripts to silently dump a list of USB MIDI devices seems minor—only a very small percentage of users will have MIDI keyboards or audio interfaces hooked up. But counterintuitively, this increases the privacy impact: because the number of such users is small, having a MIDI device at all is a rare and distinctive trait, and Chrome's implementation of the Web MIDI API provides a new vector for very precise device fingerprinting.

    The Electronic Frontier Foundation (EFF) has a great write-up and demonstration of device fingerprinting techniques via their Panopticlick Project:

    When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. Some companies use this technology to try to identify individual computers.

    To my knowledge, I don't believe EFF or anyone else has researched the impact of Web MIDI device leakage in the context of device fingerprinting. In practice, it seems like this could enable precise tracking of creative individuals in a manner that couldn't be blocked without disabling JavaScript entirely.

    Google can easily fix this!

    Again, the Web MIDI API provides a specification for user consent, and Google Chrome already has generic UI components to display user confirmation dialog prompts. It should be simple for them to implement a consent prompt and prevent malicious scripts from scooping up people's connected MIDI devices. While Google has a perverse incentive as the world's biggest advertiser to make it easier to track their users, again I believe the Chrome team had good intentions in setting up this API. They just did a bad job, and they should fix it.

    Posted 2018-10-20 12:14:00 PST by henriquez.
  5. How the DEA covers up illegal evidence-gathering

    Secret phone records database used for “parallel construction” of evidence

    According to slides released by EFF, law enforcement agencies have been using Hemisphere, a secret phone records monitoring database, to build criminal cases against defendants and then cover it up by “fortuitously” happening across other evidence gained through legitimate channels. The 24-page slide deck describes the program, along with the elaborate techniques used to conceal the true source of evidence from judges, prosecutors and criminal defendants.

    Funded by the Office of National Drug Control Policy (ONDCP), the Hemisphere program is powered by a massive phone metadata monitoring database with advanced pattern-recognition algorithms designed to track individual targets, including location. Features include:

    • No need for a warrant! Near real-time access to phone records and metadata

    • Pattern recognition to identify individuals, even when they change phones

    • Location information for “tracking targets and placing them in certain areas at certain times.”

    Sounds great, right? The only problem, which the presentation skillfully dances around without explicitly acknowledging, is that it’s most likely illegal and unconstitutional. That’s why you “DO NOT mention Hemisphere in any official reports or court documents.” Instead, you use Hemisphere to gather the evidence you need, and then, by sheer luck, get the documents you need through official channels, or pull the right car over at the right place and right time. This is an evidence-laundering technique known as parallel construction, or as the Hemisphere presentation puts it, “Parallel Subpoenaing.” The presentation goes to great lengths to describe this, emphasizing how the program must remain secret.

    It's illegal.

    Under the U.S. Constitution, criminal defendants are entitled to due process of law, which means both that evidence against them must be obtained through legitimate means, and that they must be given a chance to challenge it in court. The Hemisphere program flies in the face of both of these requirements. Obtaining evidence through warrantless mass surveillance clearly violates the Fourth Amendment. Parallel construction conceals the true origin of evidence (illegally obtained evidence), making it impossible for defendants to challenge the practices of law enforcement agents.

    Under “Fruit of the poisonous tree” doctrine, if criminal evidence is gathered through illegal means, it’s inadmissible, and any further evidence obtained as a result of that evidence is also inadmissible. This is a legal precedent designed to prevent exactly what the government is doing with the Hemisphere program. On paper, our criminal justice system realizes that it’s better to let a few criminals walk free than allow the Constitutional rights of everyone to be systematically violated by shady law enforcement practices. Unfortunately, when evidence is concealed from the courts, it’s impossible for them to put a stop to this, and justice cannot be served.

    Posted 2014-09-14 04:19:00 PST by henriquez. 3 comments