Mr. Shodan

Mr. Robot season 3 is off to a great start. As per usual, the episode features tonnes of Easter eggs for hacker nerds.

But I have to admit I was a little surprised to see a shodan.io cameo. Shodan is a search engine for things connected to the web that aren’t web servers: web cams, network equipment, industrial controls and other hardware that relies heavily on security through obscurity.

Here’s a fun video from Defcon 20 demonstrating what fun can be had.


Bonus: The search Mr. Robot performs, org:"Evil Corp" product:"Apache Tomcat", returns real results with show-relevant data.


Bonus Part 2:

The domain in question has an open SNMP (file sharing port).

No guest account unfortunately. If only I could remember some of the logins from the show.

The rabbit hole goes deep this season! Hack the planet.

What’s up with Face ID timeouts?

The Loop posted a great summary of Apple’s Face ID security whitepaper.

Two points about how the timeout works really baffled me. Face ID is disabled when:

  • The device hasn’t been unlocked for more than 48 hours.
  • The passcode hasn’t been used to unlock the device in the last 156 hours (six and a half days) and Face ID has not unlocked the device in the last 4 hours.

If the phone hasn’t been unlocked for 48 hrs, it’s a good assumption that the phone has been lost or stolen. But why bother disabling Face ID? Is Apple nervous about its real-world effectiveness? Nervous that a thief may be able to unlock the phone with their face?

The second timeout seems more arbitrary. Why 156 hours? If I generally only use my phone once every 4 hrs 5 mins, then after 6.5 days I will have to re-authenticate with my passcode? Why? It seems completely arbitrary.

Any smarter security minds out there have any thoughts?
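
The two timeout conditions quoted above, written out as a policy check and run against a simulated unlock schedule. This is an added example, not Apple's implementation and not part of the original post; the function names, the constructed start date and the strict "greater than" handling of the boundaries are assumptions.

```python
from datetime import datetime, timedelta

NO_UNLOCK_LIMIT = timedelta(hours=48)   # rule 1: no unlock of any kind
PASSCODE_LIMIT = timedelta(hours=156)   # rule 2: age of last passcode unlock
FACE_ID_LIMIT = timedelta(hours=4)      # rule 2: age of last Face ID unlock


def face_id_allowed(now, last_unlock, last_passcode_unlock, last_face_unlock):
    """Apply the two rules; return (allowed, reason)."""
    if now - last_unlock > NO_UNLOCK_LIMIT:
        return False, "no unlock for more than 48 hours"
    # Rule 2 needs BOTH halves: an old passcode alone does not disable Face ID.
    if (now - last_passcode_unlock > PASSCODE_LIMIT
            and now - last_face_unlock > FACE_ID_LIMIT):
        return False, "passcode older than 156 h and Face ID idle over 4 h"
    return True, "ok"


def hours_until_passcode(gap, horizon=timedelta(days=30)):
    """Simulate a user who only ever unlocks with Face ID, once per `gap`,
    starting right after a passcode unlock. Return the hours elapsed when
    Face ID is first refused, or None if that never happens in `horizon`."""
    start = datetime(2017, 10, 1)  # constructed start time
    last_passcode = last_face = last_unlock = start
    now = start
    while now - start < horizon:
        now += gap
        allowed, _ = face_id_allowed(now, last_unlock, last_passcode, last_face)
        if not allowed:
            return (now - start) / timedelta(hours=1)
        last_face = last_unlock = now  # successful Face ID unlock
    return None


if __name__ == "__main__":
    for gap in (timedelta(hours=3, minutes=30),
                timedelta(hours=4, minutes=5),
                timedelta(hours=49)):
        print(gap, "->", hours_until_passcode(gap))
```

Under these rules a user who unlocks with Face ID more often than every 4 hours is never sent back to the passcode by the second condition, while the 4 hrs 5 mins schedule is refused at the first unlock attempt after the 156-hour mark.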

Google Wave, The Quirky Future of Email

With the constant forward motion of tech, little time is spent on the past. A brief few years in the mid-00s – after the dot-com bubble and before the big winners of social were sorted out – spawned tonnes of interesting products and services, aka “web 2.0.”

Google Wave is one of those products that keeps bubbling up in my conversations with other old nerds. I think it’s a prime example of Web 2.0.


At Google’s second ever I/O conference – in 2009 – the team behind Google Maps introduced their newest project, “Google Wave”, a revolutionary new communications product. Its stated mission was to reinvent email, for the world of connected information services and social networks. A Web 2.0 take on a 30-year-old technology.

The 80 minute I/O presentation is still available on YouTube and I highly recommend watching this if you’re a fan of corporate cringe. At one point, Stephanie Hannon enters her Twitter password in a plain-text username box, for all the audience to see. Yup.

Unfortunately, Google Wave was never given the chance to gain any traction with a mainstream audience. It was kept in limited developer preview until late 2009. Google’s perpetual beta programs were the butt of many jokes at the time. But Wave continued with a more limited beta program and effectively shut down after 3 months of public release in mid-2010.

Wave lacked focus – both in UI design and in its feature set. It also lacked purpose. I don’t think Wave presented a single solution for a single real-world problem and it was entirely unclear when you would use Wave instead of email or IM. In spite of Wave’s disorganized spaghetti-at-the-wall approach, it implemented a lot of tech that has only become commonplace in the past few years.

Google Wave was HTML5, built with the brand new Google Web Toolkit. Meaning it had a (mostly) JavaScript front-end, driven by AJAX requests and no page refreshes. It was perfectly cross-browser compatible and worked reasonably well on Android and iPhone OS. Incredible feats in 2009. The app also maintained synchronous state across sessions, in different browsers, different devices and between users over the network – another amazing accomplishment, considering the internet infrastructure of the time.

The “Wave”

Google Wave was focused around the concept of a “wave.” An unholy union of email, message boards, instant messaging, group chats and word documents:

  • Users could add people to a wave, similar to how you might CC someone on an email. Later users could remove themselves or add others to the wave as well. While it’s technically possible to accomplish similar behavior with email, the email paradigm discourages messing with the CC list.
  • Waves were threaded, like a message board. A user could also start a thread at any point in the main wave text. So instead of quoting a portion of text, like you would in email, a user could start an entire thread about a paragraph, right underneath the paragraph text. On paper, this is a huge improvement over reply-all soup that mass emails often devolve into. In practice, it wasn’t really that much better.
  • Since Google Wave was a super responsive, real-time app, you could actually use sub-threads as a sort of makeshift instant messenger. I believe there was also Google Chat integration that sort of encouraged this behaviour.
  • Last but not least, much like your grandparents’ Christmas newsletters printed from Word, you could embed all manner of craziness into a “wave.” Photo galleries, polls, Twitter streams, games of chess, you name it. Hell, they created a “robots” API to enable developers to write their own embeddable crazysauce.

Inside the Wave client you would have seen a number of active waves, presented and managed in chronological order, like an email client. If this is sounding a little strange, it was.

Real-Time Typing

I/O demo showing real-time typing

Have you ever tried to have a conversation inside a Google Doc?

One of Wave’s quirkiest features was its text entry. As a user typed anywhere inside the wave, any other user presently watching the wave would see these edits in real-time, character-by-character.

Google claimed that this allowed readers to recognize and respond to text in a more natural way. Similar to how you can start to know what someone is saying after only a few words, the thought was that you could know what someone was typing after only a few words.

In practice, this feature exposed the poor typing skills of your fellow wavers. I have never seen any other IM client attempt to replicate this feature, with good reason. “Your friend is typing” works really well.

On the cooler side, waves could be spell-checked (revolutionary at the time) and Google Translated (still cool) inline, in nearly real-time.

Playback

A wave being played back.

Google thought that the ability to add members to a wave at any point in its lifespan might be problematic. From the I/O presentation, I gather that they were afraid that people would get lost if they jumped in at the end of a long conversation thread.

To solve this problem they gave Wave a “playback” feature. It allowed users to play back or step through the revision history of the wave, one change at a time.

I have a hard time understanding the utility of this feature. Period. I just don’t get it. It feels like more of a tech demo than anything else inside Wave.

Federated and Client-less

I/O demo of a crazy cool wave CLI.

Google Wave was designed from the ground up to be a federated service.

Just like email, any corporation and individual could set up their own Wave server. Just like email, you could include users from any Wave server using the conventional username@domain.tld format. Unlike email, messages bounced between servers in real time! Even the quirky real-time typing worked across servers and across clients. The gif above shows someone typing in the CLI client and having it displayed in the web. I have never seen anything quite like this in the eight years since Wave.

Google also designed it to be an open protocol from the beginning. The main I/O demo, with its horrendous UI, is really just Google’s version of a Wave client. Just like email, anyone could develop their own clients for Wave. CLI, native app, whatever.

These two features have me absolutely convinced that Google Wave was a real, concerted effort to reinvent email. Not just a crazy tech demo. At the time, Google did a poor job communicating this part of their vision. The tech press and power-users alike got totally wrapped up in the unusable feature soup they built.

As a privacy-minded individual, federated messaging/social networking is a problem that I’d love someone to crack. I wonder where we’d be if Wave had gained a following.

Where Is It Now

In 2012, Wave was effectively donated to the Apache Software Foundation. Technically the project is still “incubating”, but there aren’t really any signs of life; the project page hasn’t been updated since 2014.


If you liked this post and want to see more like it, recommend something you’d like to see me do a deeper dive on. Leave a comment or a tweet.