blog

Obsessive Facts hidden service now available on TOR

Lately I've been playing with some alternative web protocols, specifically Project Gemini. But I realized before I create a "Smol Web" site, I've been missing the opportunity to release a "Dark Web" version of this site accessible to people using the TOR Browser. So I put my cores to work brute forcing the perfect vanity address, and a couple days later I'm happy with the result.

Find us at http://obsessivecto5al3kdoe24cyt77np4w4owew7sm66qb7kwhlpzsgyuyd.onion

This link only works if you have the TOR Browser, or another browser capable of loading onion addresses (but please don't use Brave for high security use-cases).

In the spirit of the higher-security nature of TOR, I've disabled all JavaScript on the onion site. I've been bitching about JavaScript device fingerprinting for awhile now, so it was time to do this anyway. JavaScript is a progressive enhancement for most of the functionality on this site, so if you want the fancy animations and media streaming you can use the Clearnet version. And if you care more about security over all else, use the Darknet version. Mostly everything still works either way.

• TOR
• privacy
• encryption
• gemini
• security
• fingerprinting
• device fingerprinting
• javascript
• gemini

Obsessive Network LLC Launches Memespeech, An Unbannable End-to-End Encryption Format

MINNEAPOLIS, MARCH 12, 2020 – FOR IMMEDIATE RELEASE

ObSesSIVE nEtwoRk Llc HAS lAUNcHeD MemEsPeEcH, a NEw eNd-To-end EncryptiON FOrMAT thaT Is legaLly iMPoSSiBLE For the U.s. GOvernmeNT to bAN. MemESPEEch ENablES CONsUMErS tO hIdE EncryPTed MeSSAGES WITHin OrDInAry PaSSages oF FReE SPEECh. WItHoUT ThE DecrYpTIOn PASsWORd, iT iS IMpoSSiblE TO KNOw WhETher a PaSSagE OF mEmEspeEcH cOnTAinS AN ENCrYPTeD meSSAge, TherefORe thE U.s. GovernMENT cOULD Not bAN MEMESpEech WitHoUT BaNnInG SpEEch, ChEcKmate.

IN TOdAY'S cOMPETiTIVE LaNDSCApe, thE U.S. cOngrESS hAS propOsEd A piecE OF leGISLAtioN CALLed tHe EarN iT Act, wHicH WouLD GIVe tHE U.s. ATTorneY GenerAL uNIlaTeRaL ConTRol OVeR HOw tecH COmPaniEs ImpLEMenT encRyptiOn TEchnOloGy. PURportEDlY AiMed AT StOppING peDoS FroM sHarINg kidDIe pOrn on facEbOOK (WhIcH has bECOmE a dIsGUSTing cESspOol OF FILth), tHE eARn iT acT HeRoicallY ENds aLL ChILD PoRN by bannINg All intERnet SecURItY.

MeMEsPEeCh EnABles useRs whO sTiLL waNt secURiTy tO aDD THEir OWn ENCrYPtIOn BaCK iN to coMmUnICatIOn ApPs THaT aLLOw uSErs to ExcHAnGE teXT MessagES, thEreBy lEveraginG rEsoURcEs ANd addinG vAluE. as ThE maRkEt eVOlVEs, ComPAnIEs mAy bE foRCED to put BacKdooRS in thEIR own eNcryPtION, bUT they will nOT bE ABLE To IntErCEpt ThE ENCryPted MESSaGES CONsUmeRs SENd Over their netwoRkS witH mEmESpeEch. ThiS WILL CreAte nEw oPporTuNItiEs IN THe law eNfoRcemENT SECtoRs tO whine AbOUt nOt BeIng AblE to SPY On EVErythinG.

MEMeSpEecH waS dEvElopeD by ObseSSIvE NEtWoRk lLc, A bOOTsTRaPPED UnICorn StARtUp WIth a $1.3 BIllIoN VaLuatIon aND A LeaDiNg-EdGe tEAM Of rocKsTAr nINJa 10X DEVeLoPErS wIth A CoLLECtiVE exPErience oF 75,000,000 years Of RUsT ANd goLang.

"aftER COLlAboRaTINg WITh conSUmer rElATiOns AND brand EXperT teAmS AcRoss tHe INdustry, We ReaLIzeD THAt meMESpEECh CoULD rEVoLuTionizE ThE CONSUMER-suCCesS StRATegIes of OUr StAKeHOLDERs BY UsiNG BIG DATa machIne leaRNINg aI," saId heNRiQuez, sOME GuY At OBSesSiVe netWork.

MeMeSpeECH is iMMeDIATeLy AvAilAbLE as a brOWSER eXTeNSiON foR MOzILla FIrefox anD GoOgle chROmE, As wEll as A dEvElOpER sPECIfiCatIoN, enAbLInG enGinEeRs tO DEVElOP mEmeSpEeCh implEMeNTATIon iN tHE LanGuAgeS oF THeir ChOicE.

• press release
• memespeech
• encryption
• security

Chrome allows silent enumeration of USB devices

User consent is baked into the spec, but Google skips it.

Via the Web MIDI API, Google Chrome (up to at least version 70) allows silent monitoring of all connected USB MIDI devices, such as MIDI keyboards and audio interfaces. While this enables interesting web applications such as software synthesizers, it also provides a new vector for shady ad networks and malicious actors to do very precise device fingerprinting and tracking. The API is trivial to access; for example run this in a JavaScript console:

navigator.requestMIDIAccess({sysex: false})
    .then(
        function(midiAccess) {
            console.log(midiAccess);
            for (var entry of midiAccess.inputs) {
                var input = entry[1];
                console.log('Found device: ', input.manufacturer, input.name);
            }
        },
        function() { console.log('Error: no MIDI access'); }
    );

Assuming you have MIDI devices connected, this will output something like:

MIDIAccess {inputs: MIDIInputMap, outputs: MIDIOutputMap, sysexEnabled: false, onstatechange: null}
Found device:  Microsoft Corporation 3- UA-25EX
Found device:  Midiman MIDIIN3 (Axiom Pro 61)
Found device:  Midiman MIDIIN4 (Axiom Pro 61)

From here, it's possible to listen for inputs on all connected MIDI devices (aka a MIDI keylogger!)

Again, while Google most likely had noble intentions in providing this API, their implementation is half-assed. The Web MIDI Specification provides for a user consent step, similar to the confirmation dialogs that pop up around webcam access or push notifications, but Chrome skips over this and grants permission as soon as a script asks for it.

Privacy implications

On its face, the impact of allowing scripts to silently dump a list of USB MIDI devices seems minor—only a very small percentage of users will have MIDI keyboards or audio interfaces hooked up. But counterinuitively, this increases the privacy impact: because the number of users is small, Chrome's implementation of the Web MIDI API provides a new vector for very precise device fingerprinting.

The Electronic Frontier Foundation (EFF) has a great write-up and demonstration of device fingerprinting techniques via their Panopticlick Project:

When you visit a website, you are allowing that site to access a lot of information about your computer's configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. Some companies use this technology to try to identify individual computers.

To my knowledge, I don't believe EFF or anyone else has researched the impact of Web MIDI device leakage in the context of device fingerprinting. In practice, it seems like this could enable precise tracking of creative individuals in a manner that couldn't be blocked without disabling JavaScript entirely.

Google can easily fix this!

Again, the Web MIDI API provides a specification for user consent, and Google Chrome already has generic UI components to display user confirmation dialog prompts. It should be simple for them to implement a consent prompt and prevent malicious scripts from scooping up peoples' connected MIDI devices. While Google has a perverse incentive as the world's biggest advertiser to make it easier to track their users, again I believe the Chrome team had good intentions in setting up this API. They just did a bad job, and they should fix it.

• midi
• synthesizer
• vulnerability
• device fingerprinting
• fingerprinting
• privacy
• google
• chrome
• api
• javascript
• EFF
• panopticlick
• advertising
• security
• surveillance