Episode 8 of Mr. Robot’s final season was intense. We discussed zip ties, phone restoring, location trackers, mixers, Elliot’s sloppy Python script, and the final hack [SPOILERS, obvs]. (The chat transcript has been edited for brevity, clarity, and chronology.)
This week’s team of experts includes:
- Jen Helsby: SecureDrop lead developer at Freedom of the Press Foundation.
- Jason Hernandez: Solutions Architect for Bishop Fox, an offensive security firm. He also does research into surveillance technology and has presented work on aerial surveillance.
- Harlo Holmes: Director of Digital Security at Freedom of the Press Foundation.
- Trammell Hudson: a security researcher who likes to take things apart.
- Micah Lee: a technologist with a focus on operational security, source protection, privacy and cryptography, as well as Director of Information Security at The Intercept.
- Yael Grauer (moderator): an investigative tech reporter covering online privacy and security, digital freedom, mass surveillance and hacking.
***
Yael: I want to start out by saying that I agree Momofuku is good.
Micah: In the very first scene, in 1995, when young Elliot is playing hide-and-seek and hiding something in the Queens Museum, I thought it was cool that he was running past all this retro computer equipment from 1995.
Trammell: Getting to the Queens Museum from 2nd avenue is a long haul on the F to the 7. And isn't Krista's place somewhere in upper Manhattan?
Yael: During the cab ride, I couldn't believe they were still showing videos of Tyrell after he's dead. But I guess I can't say I'm surprised if they put a lot of money into producing it. I mean, it IS Evil Corp. Also, shoutout to Krista. She got KIDNAPPED and KILLED someone and was still counseling Elliot after all that. Talk about emotional labor. (Or don't, lol, Twitter is a mess.)
Micah: Yeah, Krista is quite the badass. I also liked that when they got to the police station and Elliot was like, "I can't go in there with you," she was totally fine with it.
Dom and Darlene’s Kidnapping
Yael: So the Darlene/Dom kidnapping scene reminded me of a conversation we had in a previous chat about duress, and how you can program stuff to lock you out, but if someone's gonna start offing people, maybe you don't want to. Also, how do you get out of zip ties?
Harlo: About a week ago, I did this kidnapping simulation, which was actually pretty harrowing. Before you go into the scenario, they try to prepare you by teaching you how to get out of zip ties, handcuffs, and duct tape. Brief detour: zip ties are fun. While you can definitely just bust them by bringing them down with enough force onto your hip bone, more substantial ones require a long enough shoelace, which you loop through the cuffs, tether to your feet, then flop over and pedal like you're on a recumbent bike to slice through the plastic. Super fun. Great parlor trick. But when I did the sim, it was tricky to feel confident and safe enough—and unsurveilled enough—to attempt the escape, even if you knew how to do it.
Yael: Timing is really important. I think Dom had the sustained training and probably experience to really use it to her advantage, in a way civilians probably don't.
Harlo: Also, kidnapping sims that you do after one day of training DO NOT ever bring in the "cuntstick" with a baggie full of different torture knives. That would absolutely dampen your spirit as far as escape is concerned.
Micah: I just wanna say that Dom is a fucking badass.
Harlo: Yeah, she fucking nailed it.
Micah: Pulling the knife out of your chest and stabbing someone else with it, then shooting your captors.
Yael: That was awesome. It was cool that Dom had a plan, too. I was pretty disappointed that she didn't before. And now the license plate thing makes sense whereas before I was like, of course Dark Army is surveilling you; they own you.
Harlo: I have a nitpick. In the scene where Janice calls her bang-bang-bois over Signal. Didn't Signal at the time NOT play the regular phone ringing tone? Instead, it was this kinda cool radar sound? It used to have this amazing submarine radar sound. Also, Dom and Irish bastard are not using Signal. They were using regular-ass phone. But whatevs. I feel like a fucking walking ad for Signal nowadays. I must be absolutely insufferable.
Yael: I heard something recently about how Signal wasn't secure for people in China who use an Android keyboard.
Harlo: It's because sometimes your keyboard is a snitch. It's not a Signal problem per se, but by default, you might find yourself typing secrets into Signal that are captured by your keyboard, and then, anything goes.
Yael: Well, maybe Signal shouldn't allow external keyboards, or not have them on by default, hmm...
Harlo: In settings: there is "incognito keyboard," and if that's in your threat model, turn it on.
Yael: Do you think Darlene giving up her brother's location was the right call? Or his phone's location? She's basically trading his life for (maybe) saving Dom's family members' lives.
Micah: I don't know... it's kind of impossible to decide between who should get murdered and who shouldn't.
Jen: Mr. Robot's version of the trolley problem. I mean, a bunch of kids were gonna get killed. Sad, but a reasonable call.
Yael: Janice could just kill them anyway, though. It was hard to tell whether Dom thought Janice was gonna kill her family or knew they'd have escaped. But I can see why Darlene did it. I was surprised she didn't do it after Dom got stabbed. I want to know whether it's advisable to tell your armed kidnapper to eat shit, then die.
Micah: She gets my respect for it.
Yael: I've had a crush on Darlene since Season 1. Even if she is a murderer.
Jason: I think it's hard to consider Janice a credible person to negotiate with. She seems unreliable... why would Darlene expect to survive, even if she does everything Janice wants?
Yael: Yeah, that's why I wasn't sure it was a good call.
Micah: Yeah, she's terrifying because she's an unreliable psychopath.
Harlo: There are different classifications of kidnappings. What we saw on Mr. Robot was NOT the most prevalent one, which is just about squeezing money out of someone whose family/loved ones might have it.
Phone Restore
Micah: I think when Darlene wiped her phone, she actually wiped it for good and didn't have a way to recover the data again.
Trammel: The secure element or TrustZone stores a key that is inaccessible to the user. If it gets cleared, then the Flash memory is as good as erased. How did she recover it?
Micah: I don't think she could have restored it, not without taking a backup of the phone first. But when you take an Android backup, the Signal app doesn't back anything up, so she would have lost Elliot's location even if she did restore a backup. I think instead she just installed her hacked Signal client again, and got pinged from Elliot's phone again. That's the only way I can see that working.
Harlo: I don't even think that Darlene would need her Signal mod; Elliot's was modded only to ping with his latitude/longitude periodically. So all Darlene needs is Signal.
Micah: True. Her hacked Signal client must not care about safety numbers—something we talked about last week. Elliot's Signal client could decide to not trust Darlene's number again if her safety numbers changed, but it looks like that wasn't the case.
Harlo: Yeah, I guess there was no safety measure like, "do not ping if safety number has changed" baked in; too bad!
Yael: Darlene got sloppy! Or maybe it was intentional, in case she had to ditch her phone.
Micah: It takes a lot of trust to put an app that tracks your location on your phone.
Yael: She grabbed Elliot's phone from his hand and put it on for him.
Harlo: Signal wasn't available as a plain old APK then… unless you built it from the source code. But it didn't look like Darlene had a computer with her.
Micah: She had a shortened URL to download her modified APK. Also, it's possible she just logged into a Google account and downloaded from the Play store.
Harlo: Ah, then that would be most expeditious. What I'm curious about is how she restored it. Like, if you need to use the Play store, you need a Gmail account. Or F-droid.
Location Tracking
Yael: I thought Janice had a good point when she said, "You didn't give me your brother's location; you gave me his phone's location." A lot of drone operators should learn the difference.
They seemed like they were outside of Krista’s house. How good is this geolocation tracking? Is it just a general location based on the device’s proximity to cell phone towers, or can it locate the exact floor in the exact apartment?
Jason: Geolocation on phones is flaky, especially if you're in an "urban canyon" like NYC where you don't have good line of sight to satellites. Phones also use Wi-Fi data and cell tower data to identify where they are, but it's not perfect.
Yael: Companies like Skyhook Wireless can provide very specific location data based on hotspot IP addresses. They have these huge databases that correlate hotspot locations with the IP addresses. They use a combination of direct hotspot scanning and the cooperation of app “partners” who pass along hotspot IP data from users as they connect. But I dunno if Darlene would subscribe to Skyhook; it's hella expensive.
Jason: Those location databases aren't super reliable. They'll give you a latitude and longitude that is precise but not necessarily accurate.
Micah: Android has two location permissions, "coarse" and "fine." I believe "coarse" location works without GPS and instead relies on Wi-Fi access points the phone can see, combined with Google's massive database of Wi-Fi access points it knows about, and "fine" uses GPS. I think she would use the phone's built-in location services.
Yael: How fine is fine?
Micah: I guess it depends on where you are, but if you take out your phone, open your maps app, and click the button to zoom in to where you are—that's how fine.
Jen: Kashmir Hill has done some nice reporting on some of the unfortunate situations that arise due to errors in those geo-IP location databases.
Yael: I was thinking about this recently with Protonmail. It has this new privacy feature that's supposed to remind your phone to wipe local data if you enter a certain area. But it looks like it would only work if you were right in the center of the country, and it seems like it’s hard to change the radius precisely.
Elliot’s Hack
Harlo: Elliot's stressed. Print twice?
`
``print out
Jen: Yeah, he had some syntax errors in that script. SyntaxError on line 16 (first line in the coinCoins() function).
Trammell: The main call is cleanCoins(), but his cleaning function that passes them through the tumbler is named coinsCoins. And since Python doesn't check that when it compiles code, it might cause a runtime error. Hopefully Elliot doesn’t lose all his coins, like when Sonic hits an enemy.
Harlo: I was totes gonna drag him for that, but I gotta check the tape again; perhaps cleanCoins is above the fold and we don't see it.
Trammell: Sonic collects rings, not coins. Please disregard my attempt at a nerd reference and deduct one from my score.
Micah: One of the print commands was Python 2. The other was Python 3.
Harlo: In 2016, he was probably not using Python 3?
Yael: Elliot has been through a lot. Or maybe there were different personalities typing.
Jen: Mr. Robot is Python 2, Elliot is Python 3.
Yael: What is little Elliot?
Jen: He's that programming language for kids.
Yael: I learned the little Python I do know from the Python for Kids book, by the way. "A resource for the rest of us"?
Micah: Also, why is he using both os.system() and subprocess.check_output()... to call curl? You can make HTTP requests directly from Python.
Jason: Yeah, he should be using requests.
Jen: TFW your TV show doesn’t get permission to use requests, so you gotta subprocess out to curl.
Harlo: lol, they can't afford the rights to show requests. Also!
Did y’all notice the autofill? _main_ (one underscore). Somebody's been writing some non-working code that they're hoping to deploy under duress… Also no pep 8, but hey, what are ya gonna do?
Micah: To be fair, he was in the middle of writing that script, and super stressed out, and clearly hasn't tried running it yet. So maybe we're not being fair. I have typos and broken stuff in my unfinished code all the time.
Jen: Yeah, we're just being annoying. It looks hackery enough for the show. We're just giving the readers of this article what they want: line by line code feedback. If I know anything about normal humans, they love Python programming.
Yael: I don’t think he’s slept in many episodes, either.
Jason: If he was doing real development, he'd have Stack Overflow up, and he'd be copy/pasting from it.
Harlo: Anyhoos, okay, we've got some curl with a cookie; and what are those other flags? Don't worry about SSL if it's not available? I forget…
[Python Image]
Yael: I just want Darlene to finish the hack because she "happens to be smart and good at things," as she said several seasons back. If this episode was Request Timeout, does that mean the next one is Conflict?
Oh, dumb question, but does Darlene actually need to find Elliot to finish his hack?
Micah: I'm not sure... I'm actually a little unclear on the details of the hack they're in the middle of doing, and how it works.
Trammell: Looks like the plan is to steal cryptocurrency and pass it through a tumbler to launder it.
Yael: Can we do an ELI5 about tumblers and mixers?
Jen: A coin mixer is a service you can move your coins through such that you can hopefully disassociate the coins with where they came from (which one would do if coins were illegally acquired). Like money laundering.
Trammell: The base64 doesn't decode to ASCII, unfortunately.
Harlo: What does it decode toooooooo? Shall I get out the CyberChef?
Yael: I don't understand how any of this works, tbh. Like, I know he's trying to steal crypto. CryptoCURRENCY.
Micah: This Python script that Elliot's writing isn't actually the full hack. It's not even exploiting anything. It appears to be laundering cryptocurrency. I think once they steal the money, this is how they're going to retrieve it without getting caught. But this script isn't actually stealing the money.
Jen: The other comment is valid. It looks like at some point he renamed a function during development and when the main() function runs, it'll crash with a NameError.
Micah: It looks like the final output of the script is a list of new wallet addresses that the money was ultimately sent to.
Jen: Presumably, he'd run this in test before moving millions of USD worth of coins through a mixer.
from VICE https://ift.tt/37yhxrf
via cheap web hosting
No comments:
Post a Comment