As I was working on a project that makes use of the Sparkfun color LCD shield I noticed after running sample code that the back-light is not working properly. Adding to that, it was a bit challenging to find Arduino (v1.0) compatible libraries to make this shield work as it was intended. The solutions for these 2 problems are summarized below.
Credit is due where credit is due. The original hacker who, with a bit of research and reading a few comments on the product’s page, found the solution can be reached through this link. Although the description of the fix is quite straightforward, I thought it could be simplified more.
The problem lies in a resistor on the board (R1) that was supposed to have the value of 15KOhm but was (for some reason) replaced with a 3.3KOhm resistor (as shown in the picture below).
In order to resolve this issue and provide enough voltage to activate the back-light, this resistor needs to be short-circuited by soldering the edges of 2 components as shown in the picture below. A small solder drop is enough to provide you with an elegant fix.
That should do it.
Libraries compatibility problems
I naively assumed that upgrading my Arduino IDE to version 1.0 would not break any existing library, however as it turns out it does. The libraries that enable the color LCD shield do not work with v1.0. The libraries that are available either use “WProgram.h” or “wiring.h” header files which have been merged in the new version of the Arduino IDE with the “Arduino.h” header file. In addition, replacing these header files with “Arduino.h” does not seem to fix the compilation error.
So in order to avoid hours of pain, Arduino IDE v0023 runs the LCD shield libraries perfectly well.
And the skiddies have done it again. But now they have evolved! Let me put this blogpost into a bit of context before I proceed.
What the heck is Phishing?
Well, phishing is a method that hackers, well, let’s use correct terminology, script-kiddies, use to hijack accounts. They basically create a landing/login page very similar to a popular web-based service (such as Facebook, Twitter, gmail, hotmail etc…) and then they buy domain names that are also very close to the real service’s name (such as Fac3b00k.com, itwitterl.com, h0tma1l.com…), with small typos, as you can see, that you wouldn’t even notice.
You are driven by your predisposed urge to enter your credentials whenever you see a login page, and BOOM! Your account is hijacked almost instantly. The password is changed (automatically, if the phishing page is good), and if the skiddy is not good or knows no programming language, he/she will change it manually at a later stage.
Let’s take an example. Today I got the following direct message from a friend:
and almost instantaneously I clicked on the link. It was a shortened URL so I couldn’t see the actual domain I was visiting. I landed on this page:
Now I’m confused, why is it asking me for credentials?! Since I have a little bit of hacking/deception background and I’ve played these games before, my quick reaction was… hehehe, nice try. I looked at the address bar and it said: http://itwitterl.com/session-timed_out/
Wow! Twitter have a new domain name!
I then entered false credentials and here’s where I landed:
Whether you put correct credentials or false ones you will always land on this page. Because this website is not the actual Twitter, and they cannot actually log you into the service!
Ohhhh… how can we tell the difference next time?
You can tell the difference easily, as long as you don’t rush to put in your credentials whenever asked without checking the legitimacy of the website first.
Here’s the actual twitter page:
If you spend a second or two looking at both images you will see there is a lot of difference! The skids are not up-to-date!
Tips for not falling into this trap again, and what to do if you are a victim
Below are 4 tips for making sure the website you are logging into is legit:
1. Check the address bar, make sure the domain name is correct.
2. Check the title, many skids forget to fix the title of the page they created.
3. If you are logged into a service and you haven’t closed your browser it will not make you login again unless you’re changing critical information using their platform. They will notify you.
4. Check the favicon, some skids forget to update theirs as well.
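Tip 1 can be automated. The sketch below is an added example, not part of the original post: it compares a link's host against a small allow-list and flags near-misses such as the look-alike domains quoted earlier. The `KNOWN` list, the digit-folding table and the distance threshold of 2 are assumptions chosen for this illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the services named in the post.
KNOWN = ("facebook.com", "gmail.com", "hotmail.com", "twitter.com")
# Digit-for-letter swaps used in the post's examples (Fac3b00k, h0tma1l).
FOLD = str.maketrans("013", "ole")


def edit_distance(a, b):
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, max_distance=2):
    """Return (verdict, known_domain) for the host part of url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in KNOWN:
        if host == domain or host.endswith("." + domain):
            return "legitimate", domain
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:]).translate(FOLD)
    best = min(KNOWN, key=lambda d: edit_distance(base, d))
    if edit_distance(base, best) <= max_distance:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sample in ("http://itwitterl.com/session-timed_out/",
                   "http://Fac3b00k.com/", "https://twitter.com/login"):
        print(sample, classify(sample))
```

A verdict of "unknown" only means the host is not close to anything on the list; it is not a statement that the site is safe.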
I’m a victim 🙁
If you provided your credentials for this fake service, instantly go and change your password! If you were one of the few unlucky ones who have had their password changed for them, I’m sorry to tell you, your account is lost unless you still have ownership of the email address and/or you still remember your secret question or answer. Then you can use the “forget my password” feature available for most if not all popular services.
In a study of the ethics of hacking, I had the idea of discussing a controversial dilemma which has been argued for ages. However, in this paper I’m going to argue this concept from the perspective of hacking. Is it morally justifiable to learn the skills of hacking and train to use these skills underground for the purpose of becoming more experienced white hat hackers, in other words, ethical hackers?
Why train underground on real targets?
Before taking this article into the subsequent phase, I would like to obliterate the confusion regarding some of the terminology I use (and yes I am a big fan of introductions). Hacker, in this article, is used to designate a person who is an online security expert. Some theorists, professionals, book writers, or just writers like to use the term hacker as a reference for programmers/computer specialists/engineers who work on extending the functionality of a physical or a non-physical object to bypass its original purpose or to enhance and optimize its efficiency and performance. Well, in a way, online security experts do the same thing. For in order to be a good hacker one must master the ins and outs of the platform he/she is intending to break into in order to successfully gain access and maintain it. However, the above takes an article by itself to discuss and currently I’m going to leap directly to the point.
Why do hackers need to experience an attack on a real target? The answer is simple. If one does not experience the rush behind committing a crime, the motivation for being a thief and the thrill of attaining the grand prize, one will never acquire either the patience or the creativity to do his/her task well.
The rush, motivation and thrill are the essence of any worthy of admiration hacking attempt. I’m being amoral here, I understand, but reality is not always morally just. Hackers portrayed by the media are considered criminals who take pleasure in destruction. Sorry to disappoint you, but most of the talented hackers do it for the sole purpose of education. You’d be surprised at how many successful breaking attempts occur on a daily basis without destruction of property, theft of material and disclosure of private data. However, it is indeed a fact, that many professional black hat hackers do it for personal profit, but this is not the core of my discussion.
Therefore, for the sake of clarification and not restriction, any certified ethical hacker, security consultant, software developer and IT specialist must learn how to break into a protected system with the risk of being caught. The ethical hacking process does include a black box break-in attempt, which in short, provides the hacker the legal ground to engage in an attack at any given date, time, system, and use any method or skill to achieve success, whether via social engineering, using an arsenal of tools, or by identity theft, with no prior knowledge of the network infrastructure or system to be tested. While in my humble opinion this is the most efficient of the numerous ways, it is still incomplete without the correct mindset.
There are indeed other methods to use which might guarantee the system’s security, but the efficiency of all these methods relies on attaining the above thinking prerequisites.
Is it unethical to train underground?
As in any discussion of a philosophical theory/concept, the validity of the conclusion is based on the strength of the premises. In addition the soundness of the conclusion, as important as it is, is not the subject at hand. Being with or against the following point of view is left to your reasoning.
I would like to introduce an ethical theory called “Utilitarianism” and based on it I will try to draw a conclusion. Be advised that there are numerous ethical theories (Kantianism, Consequentialism, Deontology, etc…). My goal is shedding the light on the topic from an academic perspective and not drawing a firm, concrete hard conclusion.
Utilitarianism, in very simple words, is judging the moral worth of an act based on its consequences. The judgment follows a small set of rules which if respected will enable the portrayal of a, relatively, valid conclusion. The main aspect of a utilitarian act is to minimize the negative utility, such as personal gain, suffering, pain, personal satisfaction and maximizing the good utility such as generating more happiness.
Hence, logically, on one hand, underground hacking attempts on a potential target would cause pain and distress for a potential number of people. On the other hand, the experience gained from such attempts will be beneficial for a larger number of parties. Nevertheless, the amount of pain and distress for the attacked parties can be minimized to the bare minimum, to a point where the target might not even be knowledgeable of the breaking attempt, and consequently no actual damage of property is caused. Of course many controversies will arise from what I’ve just said, but think about it, isn’t this type of reasoning similar to the meaning of sacrifice, wars, and many other world injustices induced each and every day?
Therefore, according to the argument above (as short as it is), undergoing an underground hacking training is indeed beneficial for a large number of parties.
However, this article remains inconclusive and further discussion remains necessary.