I used to live a block away from a historical marker in the Dundee neighborhood of Omaha, Nebraska. It marked the site where one of these balloon bombs exploded (in the sky, harmlessly). It's crazy how far they could go.
I'd bet just about anything that Google uses machine learning to decide whether or not to trust a site for ads. It seems like the only solution that would work at a large enough scale to handle that kind of demand (versus more defined but more labor- and resource-intensive malware/fraud detections). I think that also explains why the review process seems so arbitrary and ineffective - in essence, not even Google knows why Google decided your site was bad. I used to help people with hacked websites, but eventually I had to refuse to work on projects where the only symptom was a Google Ads denial because it was such nonsense. In one case a guy completely removed his site and replaced it with a 0-byte page, and even after we saw Google-owned IP addresses doing a crawl in the site access logs, they still told him there was malware (including a list of infected URLs that no longer existed).
If I'm correct, changing your domain might help in that machine learning algorithms consume tons of signals and maybe altering that particular one would push your site under the "bad" threshold. But it might not do anything. It's a super frustrating problem. I hope you can stumble onto a solution or find someone at Google willing to help.
> It seems like the only solution that would work at a large enough scale to handle that kind of demand
It doesn’t work. These automated systems are flagging a (presumably) benign site, and an article yesterday regarding their $5M lawsuit for running a scam ad on their SERP for “Coinbase support” suggests the automated systems can be bypassed too.
I’m not saying automated detection can’t be a part of it, but we shouldn’t accept companies automating away decision making as if computer-derived errors are acceptable.
The larger point is that Google isn’t exactly strapped for cash. They could hire an army of reviewers. They just don’t.
Point taken; it "works" for certain values of "work."
> They could hire an army of reviewers. They just don’t.
They may actually do that too, but perhaps there are thresholds that must be met for something to reach a reviewer. I have some sympathy for Google here as I work on email security in a high-volume environment. ML is one tool in the box, and human reviewers are another. Everything is a tradeoff between resources, false positives, and false negatives.
At least my organization's customers can contact support if something is going wrong, but for people trying to legitimately use Google Ads, it can be an extremely frustrating situation of shouting into the void. (And getting boilerplate support answers back from the void.)
Does }__ appear in your logs? All versions of all branches of Joomla prior to I think 3.4.6 had a problem with serialization that allowed arbitrary PHP execution.
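A log check for the "}__" marker asked about above, as an added example that is not part of the original comment: it parses combined-format access log lines and reports which logged request field holds the marker, raw or percent-encoded. The log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

MARKER = "}__"  # the string the comment asks about

# Apache/nginx "combined" format; quoted fields may hold backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)
FIELDS = ("request", "referer", "user_agent")

def contains_marker(value):
    """Check the raw value and up to two rounds of percent-decoding."""
    for _ in range(3):
        if MARKER in value:
            return True
        value = unquote(value)
    return False

def scan(lines):
    """Return (line_no, client_ip, timestamp, field) for each field holding the marker."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        match = LINE_RE.match(line)
        if not match:
            # Unparseable line: still report it rather than silently skipping it.
            if contains_marker(line):
                hits.append((line_no, None, None, "raw"))
            continue
        ip, timestamp, request, _status, referer, agent = match.groups()
        for field, value in zip(FIELDS, (request, referer, agent)):
            if contains_marker(value):
                hits.append((line_no, ip, timestamp, field))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder text after the marker).
CONSTRUCTED_LOG = [
    '203.0.113.7 - - [01/Jan/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.23 - - [01/Jan/2020:10:01:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "}__PLACEHOLDER \\"quoted\\""',
    '198.51.100.23 - - [01/Jan/2020:10:01:11 +0000] "GET /?q=%257D__PLACEHOLDER HTTP/1.1" 200 5120 "-" "curl/7.0"',
    'truncated line }__PLACEHOLDER',
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_LOG):
        print(hit)
```

A hit only shows that a request carrying the marker was logged; whether the site was affected still depends on the Joomla version that was running at the time.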
The Dating Ring (YC in 2014) tried to do that. It didn't quite work out, at least not how they hoped. The second season of Startup Podcast was all about them.
I heartily recommend that podcast. Even if you're not all about startups, I think it's fascinating that they give you a first-hand look into the subjects' attempts to start their company, with recordings and interviews about things as they happen, rather than in retrospect.
I did a similar project with Simplisafe, but I went the SDR route and figured out their protocol, so I can forge sensor/keypad messages or decode PIN entries from keypads. (I'm in contact with the IOActive researcher, Andrew, to share this information.) It was a fun learning experience. My original goal was to just get the damn system to reach my detached garage (which is about 25 feet from my house).
In his blog post, Andrew said he didn't bother to reverse-engineer the protocol because if you can replay a "disarm" command with the correct PIN, that's everything you need. That's probably true, but it could also profit an attacker to record someone's PIN in case they use it for other things. And depending on the limits of the Simplisafe base station, you could potentially brute-force a "disarm" from every possible device ID - most likely, you'll eventually use the ID of a keyfob associated with the system, so it will disarm. Then you'd have control without the user ever entering their PIN.
These things are largely academic, I think. It's been known for a while that you can just jam the system by transmitting at 433MHz while you kick down the doors or whatever. Very cool anyway.
On the other hand, now I can build my own sensors and add them to my system, if I want. Or build a repeater so I can finally have a keypad in my garage. :)
Can you write more about how you reversed the RF protocol? I'd really like to hear more about it. I've noticed that virtually all major published vuln research targeting RF systems like this starts by hijacking an endpoint and turning it into a modem.
I think there are a lot of people interested in learning more about the process of attacking RF systems from an SDR.
I'd like to, but I'm not sure how to proceed. I don't know if I should try notifying Simplisafe, and/or give people more time to get rid of the system. I also don't have a good way to publish - I don't have a personal website or anything. Any suggestions?
Well, not that I want to steal your thunder or anything (I don't think I can: no matter how many times you write this, it will be interesting) but how about just start here?
What SDR did you use?
Did you reverse the hardware or the software on the endpoints to figure out how to configure the SDR?
Oh! I was thinking of a much more detailed writeup. I actually didn't reverse any hardware or software; I guess this was a SIGINT-only effort. Parts of my approach were inefficient or redundant, but that's because I knew next to nothing about radio, SDR, etc. when I started. I basically found out that SDRs exist and thought they sounded cool, and decided to try to use one to see what I could see around my house. In brief:
Like Andrew, I looked up the FCC ID to find the right frequency for Simplisafe. I used an RTL2832 USB device ($25, from Amazon) and SDRSharp on Windows to record the signals. I used Audacity to look at the raw recordings and figure out that it was on-off keying, with a pulse length of about 5 microseconds.
I fed those raw recordings into a Gnuradio program I built (on Kali - I had trouble setting it up on Ubuntu so I gave up and just used a Kali image). I realize now that Gnuradio can interface directly with an SDR, but at the time, I already had all the recordings saved, so I just worked with those. I wanted to use Gnuradio's fancy clock sync module to convert the pulses directly to symbols, but I couldn't get it to work. So I used a threshold detector instead, with a rate limiter, so the output consisted of strings of about 120 1s or 0s per pulse. I wrote a Python script to convert those into a text representation with just a single 1 or 0 for each pulse.
It was easy enough to identify a preamble that comes with each transmission, and then most of my effort went into comparing like transmissions from different devices (e.g. "door open" from my three door sensors), or different messages from the same device (e.g. "door open" vs. "door closed" from the same sensor). If their encoding scheme is a standard or well-known one, I certainly wasn't able to find it. It took a lot of frustrating dead-ends to finally figure it out.
With that done, I wrote more Python code to decode a recorded transmission, or put together a transmission representing any device ID I want, any message I want, etc. I used an Arduino and a cheap 433MHz transmitter/receiver device ($5 from Amazon) to send my transmission, and my base station heard and acknowledged it. I haven't done much more with it since then.
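The sample-collapsing step described above (thresholded output of about 120 samples per pulse reduced to one character per pulse), as an added example that is not the commenter's script: it run-length encodes the samples, absorbs short threshold glitches, rounds each run to a whole number of pulse periods, and splits bursts on long idle gaps. The gap limit, the glitch threshold, the function names and the sample data are assumptions constructed for illustration.

```python
from itertools import groupby

SAMPLES_PER_PULSE = 120  # from the post: about 120 samples per pulse
MAX_GAP_PULSES = 8       # assumption: a longer low run is idle time between bursts

def runs(samples):
    """Run-length encode a '0'/'1' sample string into (level, length) pairs."""
    return [(level, len(list(group))) for level, group in groupby(samples)]

def deglitch(run_list, min_len):
    """Absorb runs shorter than min_len (threshold chatter) into their neighbours."""
    out = []
    for level, length in run_list:
        if length < min_len:
            if out:  # a leading glitch is simply dropped
                out[-1] = (out[-1][0], out[-1][1] + length)
            continue
        if out and out[-1][0] == level:
            out[-1] = (level, out[-1][1] + length)
        else:
            out.append((level, length))
    return out

def collapse(samples, spp=SAMPLES_PER_PULSE, max_gap=MAX_GAP_PULSES):
    """Return one symbol string per burst, with one character per pulse period."""
    bursts, current = [], []
    for level, length in deglitch(runs(samples), spp // 4):
        pulses = max(1, round(length / spp))  # tolerate jitter in run length
        if level == "0" and pulses > max_gap:
            if current:
                bursts.append("".join(current))
                current = []
            continue
        current.append(level * pulses)
    if current:
        bursts.append("".join(current))
    return bursts

# Constructed sample: two bursts with jittered pulse widths and one 3-sample glitch.
CONSTRUCTED = (
    "0" * 2000 + "1" * 113 + "0" * 124 + "1" * 100 + "0" * 3 + "1" * 143
    + "0" * 237 + "1" * 129 + "0" * 3000 + "1" * 250 + "0" * 118 + "1" * 121
    + "0" * 2000
)

if __name__ == "__main__":
    for burst in collapse(CONSTRUCTED):
        print(burst)
```

Low pulses at the very end of a burst cannot be told apart from idle time with this approach, so trailing zeros are lost whenever the following gap exceeds the limit.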
It does illustrate (duh) that by not encrypting their wireless comms, their system is vulnerable to straightforward reverse-engineering of the RF protocol.
It also illustrates that this vector isn't much of a threat for your average burglar.
However, between the two threats, it wouldn't take a genius entrepre-thief to make a simple device and sell it to thieves (like the ones that exist for some cars).
In general, people are not going to get rid of systems. SimpliSafe is $15 a month after equipment. For some, it's the only security system they can afford, or it's as much as they want to spend on it (disclaimer: me).
So one way you can help their security is:
1) Don't publicize easy-to-follow step-by-step ways of how to do this. There's a big difference between disclosing a security issue and giving non-technical people an easy way to bypass a security system. The fact that a security weakness is known and publicized doesn't help xx% of thieves who don't have the resources to implement it. It does help the aware customer to make changes to their security and demand a fix from the vendor.
2) Responsibly disclosing to Simplisafe like the linked post did is best. If they don't respond, then post what you were able to do in a similar manner. Going through IOActive would be a great idea as they're familiar with this process.
1 sounds like security by obscurity, and it sounds like preventing information from being made public knowledge that should impact customers' choices and might lead to better locking down the system. While the ideal rational consumer would be just as impacted by a standard disclosure, I've never met an ideal rational consumer. People will be much more aware if you can show them a web page that gives a step-by-step guide on how to destroy their security system.
To give a comparison, consider all the NSA spying leaks and then consider that show host (John Oliver I believe) who went around asking people questions in a way that made them much more informed of what the implications of spying were, and in doing so changed their reaction.
"I just can't imagine living in fear of some concealed-carry-permit holding goon deciding to shoot the place up."
You don't need a concealed-carry permit to carry a concealed gun; you just need one to do it LEGALLY. I would venture to guess that a person who carries concealed with the intent of committing murder will not have bothered to get a permit.
My reasoning for keeping a killing machine (it lies around either in a safe or on my person at all times) is because crime happens, and criminals are willing to do things like use force and/or weapons. Police can't be everywhere, and while their response time here is pretty good, it's generally more than enough time for the criminals to do what they want and escape. I'd be happy to go back in time and un-invent guns, but as it stands, I don't see any way to remove all of them from all criminals' hands. So it seems to me the only viable preventive measure is for citizens to defend themselves with the same tools the criminals illegally use to commit their crimes.
That's one side of it, and it's a pretty common rebuttal to hear. I have some thoughts on that.
If tomorrow all gun possession (except perhaps by LEO, but even that is debatable IMHO) was made illegal, then within one year I'm sure there would be many fewer guns in circulation (without considering who owns them). In my books this is a net win, because a criminal entering the scene at that point in time will arguably have a harder time sourcing a gun than is currently the case. Profit, I would say. Indeed the stable state of this system is, as you point out, that only non-law-abiding citizens will be in possession of guns, but that is collateral I'm willing to accept (as in the society where I currently live. Death rate per capita by guns is much lower here than in the US, see my linked article from The Guardian). The end game of your desired society seems to me that it's an arms race (excuse my wording): everyone who wants to be 'safe' should have a gun, therefore criminals have more incentive to have guns, etc.
The other question I have is how one explains the fact that in many societies where gun possession is not legal, the situation is far from the doom scenario where criminals with guns are rife. Of course, they exist, and of course shit happens, but it still seems that the evidence (just the statistics, no moral arguments) points to the desirability of outlawing gun possession.
And finally, no matter how carefully you treat and/or store your gun, it is still more likely (even if the likelihood is only epsilon) to accidentally go off or get played with by a child than my gun, which does not exist at all.
"Indeed the stable state of this system is, as you point out, that only non-law-abiding citizens will be in possession of guns, but that is collateral I'm willing to accept"
You have just described present-day Mexico. How much safer do you feel when there, versus when in the U.S.?