Chief Delphi


ratdude747 22-08-2012 16:30

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by Alan Anderson (Post 1182690)
The number of driver station laptops in the pits capable of 5 GHz WiFi was vanishingly small. As a robot inspector, checking for wireless networking of teams' laptops was part of my job. I saw exactly zero with 5 GHz radios in three regional competitions and a championship division.

I find that hard to believe... In my house there are 3 Dell Latitudes with 5GHZ capability:

D400- My old laptop, has a Broadcom BCM4306 chip that can do WPA2 and B/G/A.
D800- My dad's laptop, has an older version of ^ that has the same capabilities.
D630- My current laptop. Used to have an Intel 3945 B/G/A, I later upgraded it to an Intel 4965 B/G/N/A.

I've seen those models in pits before... I've seen a couple D400s used as driver stations as well. Not every D400 has a dualband chip but the BCM 4306 was very common in the D_00 units (Dell offered it as a free upgrade from the base Intel B chip).

IIRC they make USB/PCMCIA/ExpressCard adapters that are dual band that one could hide and later plug in when nobody was looking.

EricVanWyk 22-08-2012 16:38

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by techhelpbb (Post 1182731)
I have both sorts of exploits and I have already disclosed this to FIRST 30 days ago so let's start with this:

For one the problem is the way the fields are laid out geometrically and the way areas of common play are positioned. I won't say why this is a problem I will say that a single WIPS sensor per field is not sufficient because of it.

There should be a minimum of 2 of those sensors per field diagonal from each other across the long dimension of the field. Take a good look at where the current AirTight sensor generally ends up and its proximity to the Cisco hardware.

By the way, this was the very first thought to run through my head given the fact that one alliance or another seemed to be disproportionally likely to have issues.

Brian, please stop spreading FUD. I can already see the direction you are aiming, and quite simply physics does not work that way. You are simultaneously crying that the sky is falling and threatening to make the sky fall.

I ask you to consider why you feel that FRCHQ is unresponsive, and why others do not feel that way. Is it HQ? Is it the others? Or is it you?

Al Skierkiewicz 22-08-2012 16:38

Re: Team 548 Einstein Statement
 
Larry,
Not all devices that claim full 802.11 wifi can actually do 5 GHz. Most devices, phones especially, are very difficult to determine as to what frequencies they can operate at.

DMetalKong 22-08-2012 16:40

Re: Team 548 Einstein Statement
 
As far as I understand the extent of the problems, and as far as I understand the OSI model, the attacks that people are talking about are mostly happening on the network layer, which means that they would have to be resolved on the network layer or above. Since I doubt we will be moving away from 802.11 as the physical layer, and since I doubt we will be messing with MAC addressing and whatnot on the data link layer, this means that issues would have to be resolved at the network layer*.

So, possible solution time: what if FIRST developed custom firmware for the routers that would require a handshake using PKI in addition to the normal procedures for connecting to the field AP? Give every team a SD card or flash drive that contains a signed public-private keypair belonging to the team, as well as the certificate for the field APs. As long as every team's private key remains private, this would ensure that any request to connect to the field by a team would be irrevocably linked to that specific team (so no posing as team XXX trying to disrupt field communications), and any request to connect to the field that is not signed could safely be ignored. MITM should be mitigated in this scenario as well. Denial-of-service or other types of jamming would be possible, but I am assuming they would be more easily detected (because blocking out a user's communication entirely should require more bandwidth than simply impersonating them (I think? Even the FCA attack described did not stop communications on the physical layer, it only made the router ignore a valid connection attempt))*.

* I am by no means an expert, I am just spouting off from my understanding of a couple of networking courses in school.
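The handshake proposed in the post above, sketched as an added example; it is not part of the original thread and not FIRST or field-network code. It assumes Ed25519 signatures and an issuing authority key held by the event organizer, all function and type names are hypothetical, and it covers only the team-to-access-point direction (not the field AP certificate or jamming).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Credential binds a team number to a public key. Sig is the issuing
// authority's signature over both. All names here are hypothetical.
type Credential struct {
	Team   uint32
	PubKey ed25519.PublicKey
	Sig    []byte
}

// signed builds the byte string that gets signed. The label keeps a
// credential signature from ever being accepted as a join response.
func signed(label string, team uint32, rest []byte) []byte {
	var t [4]byte
	binary.BigEndian.PutUint32(t[:], team)
	return bytes.Join([][]byte{[]byte(label), t[:], rest}, nil)
}

// NewKey generates an Ed25519 key pair.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Issue is run by the authority before the event, once per team.
func Issue(ca ed25519.PrivateKey, team uint32, pub ed25519.PublicKey) Credential {
	sig := ed25519.Sign(ca, signed("team-cred", team, pub))
	return Credential{Team: team, PubKey: pub, Sig: sig}
}

// NewNonce is the access point's fresh random challenge for one attempt.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Respond is run by the team's station; only the private key holder can.
func Respond(priv ed25519.PrivateKey, team uint32, nonce []byte) []byte {
	return ed25519.Sign(priv, signed("field-join", team, nonce))
}

// Admit is the access-point check: credential signed by the authority,
// then the nonce signed by the key named in that credential.
func Admit(caPub ed25519.PublicKey, c Credential, nonce, resp []byte) bool {
	if len(c.PubKey) != ed25519.PublicKeySize { // Verify panics on bad sizes
		return false
	}
	if !ed25519.Verify(caPub, signed("team-cred", c.Team, c.PubKey), c.Sig) {
		return false
	}
	return ed25519.Verify(c.PubKey, signed("field-join", c.Team, nonce), resp)
}

func main() {
	caPub, caPriv := NewKey()
	pub, priv := NewKey()
	cred, nonce := Issue(caPriv, 548, pub), NewNonce()
	fmt.Println("team 548 admitted:", Admit(caPub, cred, nonce, Respond(priv, 548, nonce)))
}
```

Because the response covers a fresh nonce, a captured response cannot be replayed on a later attempt, and a credential copied off the air is useless without the matching private key.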

techhelpbb 22-08-2012 16:45

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by EricVanWyk (Post 1182738)
Brian, please stop spreading FUD. I can already see the direction you are aiming, and quite simply physics does not work that way. You are simultaneously crying that the sky is falling and threatening to make the sky fall.

I ask you to consider why you feel that FRCHQ is unresponsive, and why others do not feel that way. Is it HQ? Is it the others? Or is it you?

Eric you did not address the point. You could have addressed the point but instead you went directly for me as the problem.

Yeap there's the response I already predicted in this very topic (look back page or 2 or ask me to quote it).

You are simultaneously saying you want help and information then simultaneously being highly selective of who offers that help without a second thought to the point they make or any proof they may offer.

I asked weeks ago for merely a description of the process for these additional concerns. None has been provided.
I asked again in this topic and none has been provided.

I asked why people that send e-mails to the designated address aren't even granted the courtesy of an auto-responder and got no response.

I asked people at FIRST and the mere response I got was they were 'looking into it' which is often the response I get when you're not getting a call back.

The argument you think counters my point isn't as strong as you'd like to believe.

Now what am I supposed to do to refute your commentary Eric? Show you this works publicly?
Then what? What's going to be the process then, demand I resign as a mentor, or go after the team I helped start?


Here's what I'm going to do for this forum. I'm not posting again in here today.
Come what may I don't play this contest to score the most points, so in the end the threat to my priorities is trivial.

I do this to help kids and to honor what I do for a living...whether or not we can score the most points has little to do with that. Even the years with the worst robots the kids still come out the winners and that's fine in my score book.

Akash Rastogi 22-08-2012 17:32

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by techhelpbb (Post 1182742)
Eric you did not address the point. You could have addressed the point but instead you went directly for me as the problem.

Yeap there's the response I already predicted in this very topic (look back page or 2 or ask me to quote it).

You are simultaneously saying you want help and information then simultaneously being highly selective of who offers that help without a second thought to the point they make or any proof they may offer.

I asked weeks ago for merely a description of the process for these additional concerns. None has been provided.
I asked again in this topic and none has been provided.

I asked why people that send e-mails to the designated address aren't even granted the courtesy of an auto-responder and got no response.

I asked people at FIRST and the mere response I got was they were 'looking into it' which is often the response I get when you're not getting a call back.

The argument you think counters my point isn't as strong as you'd like to believe.

Now what am I supposed to do to refute your commentary Eric? Show you this works publicly?
Then what? What's going to be the process then, demand I resign as a mentor, or go after the team I helped start?


Here's what I'm going to do for this forum. I'm not posting again in here today.
Come what may I don't play this contest to score the most points, so in the end the threat to my priorities is trivial.

I do this to help kids and to honor what I do for a living...whether or not we can score the most points has little to do with that. Even the years with the worst robots the kids still come out the winners and that's fine in my score book.

Brian,

Please take a step back from your own commentary as well. I am not sure how you came to some of these conclusions from Eric's post. If you two want to argue, carry it to a PM. Sometimes "we're looking into it" has to be taken as good enough. Please avoid drawing random conclusions from what others say on here. But yes, please do take a few days off from this thread.

Thank you,
Akash

Al Skierkiewicz 22-08-2012 17:32

Re: Team 548 Einstein Statement
 
David,
The specific phone attack only occurred when a 5 GHz enabled device attempted to connect to a robot. No data transfers took place, no handshaking, no virus like attacks, no special apps or software, no involvement with the FMS. Just the simple operation of attempting to connect to the robot access point.

DampRobot 22-08-2012 18:06

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by techhelpbb (Post 1182742)
Now what am I supposed to do to refute your commentary Eric? Show you this works publicly?
Then what? What's going to be the process then, demand I resign as a mentor, or go after the team I helped start?

Someone needed to say this (although perhaps a bit less vehemently). There needs to be an official route for security holes that simply does not exist now. I understand that the good folks at FRC have a ton on their plate already, but there is no incentive structure that exists to make sure these types of problems get reported and solved before they cause havoc at the world championships.

This is what I was getting at with my question about institutional knowledge. Either someone at FIRST knew about this hole, and there was an error in communications, or no one found out about this, because there was no reason for someone outside the small FRC team to go an official route.

I think there needs to be an official way to report bugs and to encourage people to report this type of exploit. An official FRC award for work in security, where as part of the submission process there would be a demonstration of the exploit discovered, would help these problems come out officially rather than being used maliciously. Instead of trying to fight "hackers" by ignorance and fear of persecution, give them a reason to strengthen the system, not destroy it.

linuxboy 22-08-2012 18:35

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by Siri (Post 1182656)
I certainly don't take T14 to be the only allowable interaction (having talked to enough FTAs in my day), but it is the only guaranteed interaction. While I've never done it on Einstein, I head refs--even busy ones--seem to listen to polite students in the box. I think you'd be hard-pressed to find a ref that wouldn't listen twice to "I know what's wrong; please let me show you how anyone in the stadium can shut down any robot on this field". As I understand it, the demonstration is rather quick (pull up the network list and show you can send a client authorization). If so, the student could show this directly to the ref for added clout.

Thanks, this is pretty much what I meant to say. While it is totally valid to talk to the other volunteers, the "official" route for raising an issue is in the question box (and after a match with connection issues, FTAs tend to get to the person in the question box just as soon as the head ref in my experience).

EricH, While it seems that going to the head ref could have yielded the same result, I think it's just as likely that the ref (along with the FTA) may have chosen to hear the student out and see a demonstration. That's completely my opinion, there's no way of knowing what would have happened.

EricH 22-08-2012 19:59

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by linuxboy (Post 1182759)
EricH, While it seems that going to the head ref could have yielded the same result, I think it's just as likely that the ref (along with the FTA) may have chosen to hear the student out and see a demonstration.

It's just as likely, yes. But what you missed is this:

By the time the student has told the ref, who has told the FTA, you have the following chain:

1) Mentor thinks there may have been a DoS attack. (or other issue)
2) Mentor tells student to tell the ref that there may have been a DoS attack.
3) Student tells ref that there may have been a DoS attack, and the FTA may want to know about it.
4) Ref tells FTA (if the FTA isn't already there listening).

That's a minimum of twice removed, on a suspicion. The FTA is going crazy trying to figure out what's going on--and remember, all eyes are on the FTA and his crew (normally they blend into the background, or are supposed to). And, remember, there's an alert that is supposed to catch DoS attacks and it hasn't gone off.

If I'm the FTA, I'm likely to go, "Tell your mentor that there wasn't one detected and we're trying to get to the bottom of this" and get back to trying to get to the bottom of the problem. It won't be until the second match at least that I look at it and go "Hey, there might be something to what that kid was saying his mentor thought. Now what team was he on again?"


Now, if the student was there and said, "We think someone tampered with a robot during a match by this process, which you might not be able to detect", the FTA would be a whole lot more likely to take action, because a) they now have an idea that their detectors aren't working and b) they have something concrete that they can look for if the logs haven't disappeared yet. But that whole thing involves a mentor explaining the process to a student, which takes time.

ratdude747 22-08-2012 21:13

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by Al Skierkiewicz (Post 1182739)
Larry,
Not all devices that claim full 802.11 wifi can actually do 5 GHz. Most devices, phones especially, are very difficult to determine as to what frequencies they can operate at.

I know... I'm just saying there were popular laptops out there that COULD.

How do I know? My router is a dualband N (two APs) and all 3 laptops can see and connect to my 5ghz Network (set to 5ghz only) just fine.

DMetalKong 22-08-2012 22:22

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by Al Skierkiewicz (Post 1182749)
David,
The specific phone attack only occurred when a 5 GHz enabled device attempted to connect to a robot. No data transfers took place, no handshaking, no virus like attacks, no special apps or software, no involvement with the FMS. Just the simple operation of attempting to connect to the robot access point.

Al,

Correct me if I misunderstand though, but for 802.11 there is a standard protocol for the router (or other device) to attempt to make the connection. What I was suggesting was modifying this protocol through the router/AP firmware so that the routers/APs that are part of the field network could ignore unauthorized connection attempts.

I see so much discussion of problems with the field without much discussion of solutions. That is not to say that people do not have solutions; I think it is easier to focus on what went wrong than on plans for the future (especially when I get the impression that people feel like they do not have a means of influencing change in the organization as a whole). As much as this discussion is veering from the original intent of the thread (the apology), I would rather see it derailed in a constructive fashion focusing on possible solutions, even if those solutions won't necessarily work.

Siri 22-08-2012 22:37

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by Al Skierkiewicz (Post 1182735)
Siri,
I read your post and thought that you were indicating that First engineering had already made the attempt to connect to robots by the time Einstein occurred. Then I read further and became more and more confused as to what point you were trying to make. So let me make a few statements..

Ok, that was the exact opposite of what I meant/said, so I'm glad we cleared that up. Thank you and thanks for the statements, too. I know I can't understand what it's like working inside something so complex and critically-viewed, much less when it's a volunteer organization. At the same time, your point about FIRST constantly collecting information from teams even if they don't say so worries me somewhat. As may have been noticed on this thread and others, the lack of two-way communication before and at events is difficult to handle in some cases. Community members are left to feel they have little recourse, whether or not we actually do. Nothing good seems to happen when officials are overwhelmed with advice (or complaints) and members feel overwhelmed with things to advise about. (I've also been on both sides of this in FIRST and neither is easy or pleasant.)

I do argue with others on this thread that we need a more consistent/accepted/responsive/official/useful/publicized/whathaveyou reporting channel for these sorts of things. So I ask as nicely and respectfully as physically possible towards both parties: how do we do this?

Alan Anderson 22-08-2012 23:12

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by DMetalKong (Post 1182802)
Correct me if I misunderstand though, but for 802.11 there is a standard protocol for the router (or other device) to attempt to make the connection. What I was suggesting was modifying this protocol through the router/AP firmware so that the routers/APs that are part of the field network could ignore unauthorized connection attempts.

There's probably no need to modify the protocol. It already dismisses failed client authentication attempts. The disruption to the field network seen on Einstein was due to a bug in the access point firmware, which combined with one version of robot router hardware to cause an unexpected loss of the network connection. That bug is no longer an issue.

An 802.11 protocol change that encrypts "management packets" could probably prevent deauthorization flood attacks from succeeding. It would also break a lot of things in the process.

Quote:

I see so much discussion of problems with the field without much discussion of solutions. That is not to say that people do not have solutions; I think it is easier to focus on what went wrong than on plans for the future (especially when I get the impression that people feel like they do not have a means of influencing change in the organization as a whole). As much as this discussion is veering from the original intent of the thread (the apology), I would rather see it derailed in a constructive fashion focusing on possible solutions, even if those solutions won't necessarily work.

Did you read the Einstein investigation report through to the end? The last two pages are all about planned possible changes, with a half dozen of them as specific solutions to observed problems.

EricVanWyk 22-08-2012 23:20

Re: Team 548 Einstein Statement
 
Quote:

Originally Posted by Siri (Post 1182806)
I do argue with others on this thread that we need a more consistent/accepted/responsive/official/useful/publicized/whathaveyou reporting channel for these sorts of things. So I ask as nicely and respectfully as physically possible towards both parties: how do we do this?

At an event, the "question box" is the best way to begin communication, you just need to be patient as your question gets routed to the best person to answer it. Outside an event, email is your best bet. Specific to these types of situations, you can use 2012frcfeedback@usfirst.org (as stated in the Einstein report). Please note that many people are currently on vacation, and the ones that aren't are buried in work.

The important thing to remember is that the hardest part of engineering is communication. The value of your ideas is limited to the people you can influence with them. As a volunteer I've been cursed out several times by people trying to influence me with their ideas, and it turns out that screaming in someone's face isn't very effective persuasion. By the time they've finished commenting on my heritage and IQ, they could have instead told me their idea and provided supporting information.

So, when you "attempt to notify FIRST personnel of [your] belief", please be clear, concise, and civil.


All times are GMT -5. The time now is 23:13.
