Monday, March 15, 2021

Scammers can bypass your Google Workspace Safety Checks

A major source of headaches for system administrators these days, and for some time now, is the uptick in phishing messages that fake the sender address so that they appear to come from someone within your organization. If you are like me, this is one of the things that keeps you awake at night. Organizations using Google Workspace can take advantage of a safety feature that purports to prevent these messages from reaching users. You can access its settings from within the admin console under Apps->Gmail->Settings->Safety.




Unfortunately, there are still a ton of legit e-mail servers that don't authenticate, so that safety feature is not going to be very helpful. However, you can enable the checks that detect someone trying to send a message with an employee's e-mail address, your domain (or a variation on it) or even an employee's name. These are very common attacks, and such checks regularly prevent nefarious messages from reaching our end users.

The problem is, due to a poorly-planned filter architecture on Google's part, this whole mechanism can be bypassed, allowing a spoofed message to end up in a spam queue that is managed by an end-user.  

Google Workspace Filter Architecture places spam filters and queues ahead of "safety features" such as spoof checks.

As you can see in the diagram above, the spoof checks are effectively circumvented when messages are sent to a group. A moderator will see the message in the group's spam queue, AKA "Pending messages". If they approve the message, it will then go through the safety checks, but by then the group manager has already seen it, and may act on it.
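A moderator-side triage for a message waiting in a group's pending queue, applying the three kinds of checks named above (employee address, your domain or a variation on it, employee name) before anyone acts on it. This is an added example, not Google's implementation or code from the original post; the domain, employee names, trusted authserv-id and similarity threshold are assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration (none of these values come from the post).
ORG_DOMAIN = "example.com"
EMPLOYEE_NAMES = {"alice smith", "bob jones"}
TRUSTED_AUTHSERV = "mx.google.com"   # authserv-id stamped by our own inbound server
LOOKALIKE_RATIO = 0.85               # similarity threshold for "variation on the domain"

def dmarc_passed(msg):
    """Trust only Authentication-Results headers written by our own server."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV and "dmarc=pass" in results.lower():
            return True
    return False

def spoof_flags(raw):
    """Return spoof indicators for one raw message from the pending queue."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rpartition("@")[2]
    flags = []
    if domain == ORG_DOMAIN:
        # Claims to be internal: require an authentication pass we can trust.
        if not dmarc_passed(msg):
            flags.append("internal-address-unauthenticated")
        return flags
    if SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= LOOKALIKE_RATIO:
        flags.append("lookalike-domain")
    if " ".join(name.lower().split()) in EMPLOYEE_NAMES:
        flags.append("employee-name-external-address")
    return flags

# Constructed sample message, as it might sit in a group's "Pending messages".
PENDING = (
    'From: "Alice Smith" <alice.smith@examp1e.com>\n'
    "To: finance-group@example.com\n"
    "Authentication-Results: mx.google.com; spf=pass; dmarc=pass\n"
    "Subject: Urgent wire transfer\n\n"
    "Please process today.\n"
)

if __name__ == "__main__":
    print(spoof_flags(PENDING))
```

A message that authenticates cleanly for its own lookalike domain is still flagged, which is why the name and domain checks run independently of the authentication result.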

Thursday, February 04, 2021

Cordova-plugin-ble-central without BACKGROUND_LOCATION permission

Happy New Year.

I have been developing a Cordova app on Android that uses Bluetooth Low Energy (BLE). To accomplish this, I have been using Don Coleman's cordova-plugin-ble-central. This is a neat plugin with a pretty simple API that lets you do serial communications over BLE. It is compatible with both Android AND iOS. It's installable with NPM, but I recommend you get it directly from his GitHub. The one on NPM seems to be broken on newer Android devices. The issue is that Google now requires ACCESS_FINE_LOCATION permission if you are using Bluetooth, and the one on NPM is older and hasn't been updated to request this permission. But that's not really what this post is about.

My app is essentially a remote control for a light. All I am trying to do is communicate over Bluetooth when the app is in the foreground. However, the Don Coleman plugin demands the BACKGROUND_LOCATION permission (presumably this would be required if I was trying to continue to send/receive data notifications while the app is in the background). The problem is that this permission comes with some fairly hefty declaration requirements if you are trying to get your app into the Play Store. For example, you have to make a video demonstrating the feature in your app that makes use of this functionality. As I stated earlier, I have no such feature so it will be impossible for me to get my app to pass review.

The only solution I could see was to fork Don's plugin and remove the BACKGROUND_LOCATION permission.  So far it seems to work.  If you have a similar problem, perhaps you can benefit from this version of the plugin as well.  A couple of things:

  1. In case it doesn't go without saying, if your app is in the background, you will not be able to do Bluetooth communication using this version of the plugin.
  2. I have only made changes to the Android side. I don't know if the iOS side still somehow requests BACKGROUND_LOCATION permission.  If it does, I will ultimately need to address that as well since my app is going to be available for both platforms.

So here it is: High Tech Harmony's cordova-plugin-ble-central without BACKGROUND_LOCATION

To use it, go to the Cordova build folder of your project and do the following:

(only if you have Don's plugin already)
cordova plugin remove cordova-plugin-ble-central 

cordova plugin add https://github.com/HighTechHarmony/cordova-plugin-ble-central

cordova clean android

cordova build android



Friday, June 19, 2020

Read this if your DJI Spark is "Hopping" (erratic behavior)

I have had this issue with my DJI Spark where, when I try to take off, it will sort of hover, but then "hop" up and down. It heads toward the ground and then seems to recover. When it is heading toward the ground, the obstacle avoidance alert is going off.


Searching the internet, I found forums littered with a gazillion posts about "Fly Away" issues. I do NOT consider this a FLYAWAY issue. It seems like there are so many issues that are blanket described as "Fly Away", and while I suppose it is possible you could lose your drone as a result of this, it is most likely just going to hit the ground straight below, worst case. I can technically fly it around, but it is fighting me the whole time. The obstacle avoidance alert is intermittently on and off. The drone will ascend okay, but it descends VERY slowly (which is kind of scary if you get any sort of real altitude). Also, at random it will just start heading vertically downward even though I didn't command it to. Again, the obstacle avoidance sensor is beeping when the problem is occurring. Sadly I was not able to get this anomaly on video for a better description.

This issue cropped up seemingly out of nowhere. One day it flew fine, I put it away, next season I took it out, and it flew like crap.  I could occasionally get a problem-free flight out of it, but I never had any real confidence in it.  So for the last 2 years, I have been basically not flying my DJI Spark drone, due to this weird behavior.

After months of pondering (and letting my warranty lapse), I contacted DJI.  I described the issue and they recommended I send it in  to DJI for paid repair.  On the repair estimate, it said that the drone had crashed:
"After carrying out the damage assessment, we found that the unit has physical impact damage, unfortunately the damage that is not caused by product malfunction is Non-warranty repair; We'll either repair it or replace it with a product that's new or equivalent to new in both performance and reliability after payment has been received. For more information, please visit (http://www.dji.com/service/policy) - DJI North America"
The bit about impact damage was BS. I am the only one who has ever flown this thing, and I baby it.  The most I have ever done is buzzed a wall.  It has never impacted anything.  My guess is this is what they write on anything that gets shipped to them that doesn't fall under "warranty repair".  But I had no other viable options so I told them just to go ahead.

Weeks and $150 + shipping later, I got my drone back with a slip saying they replaced the vision system. And lo, it did fly correctly... For a few (gentle!) test flights. Then one day I took it out to fly and it started doing the hopping thing again. I tore my hair out, ready to scrap this noisy money pit. One last time I refocused my Google search terms to include "hopping", and that's when I hit the jackpot. I found a handful of postings on DJI's forum of people who seemed to have the exact same problem. While there were a ton of the usual unhelpful responses (i.e. "Get rid of it! Sell it to me!"), I saw a couple of postings saying that the issue was solved by replacing the props. At first I just wrote this off. Why would props make any sort of difference as to how the craft would fly (other than, maybe, FLY or NOT FLY)? Okay maybe "FLY but be LOUD"... But this post got my attention. After a while, I realized I had the following options:
  1. Throw away drone?
  2. Buy a full set of genuine DJI props, and then throw away drone after proving it makes no difference.
So I did the latter.

And it worked.

WTF?!?!?

So naturally I now have some new questions.  How the hell is this behavior really caused?  One idea I had is that excess prop vibration somehow causes the obstacle avoidance sensor to falsely trip. 

Then there is the issue of the earlier "repair".  This was obviously the problem all along. It seems that DJI was more than happy to take my money to "fix" the craft, when the only issue was the props.  Think about it, there must be thousands of people who have experienced this problem, and I'm sure DJI customer service has enough data to recognize this as being a prop issue right off.  But either they didn't, or they chose not to tell me.  I would give them the benefit of the doubt, but then they did tell me they found "crash damage".

Anyway, lesson learned.  If your unit is out of warranty, think twice before sending it in to DJI for repair.  The only guarantee appears to be that you will pay them a hefty repair fee.