This Week In Security: Code Scanning, Information Gathering, And Seams In The Cloud

GitHub has enabled free code analysis on public repositories. This is the fruit of the purchase of Semmle, almost exactly one year ago. Anyone with write permissions to a repository can go into the settings and enable scanning. Beyond the obvious use case of finding vulnerabilities, an exciting option is to analyse pull requests and flag potential security problems automatically. I definitely look forward to seeing this tool in action.

The Code Scanning option is under the Security tab, and the process to enable it only takes a few seconds. I flipped the switch on one of my repos, and it found a handful of issues that are worth looking into. An important note: anyone can run the tool on a forked repo and see the results. If CodeQL finds an issue, it’s essentially publicly available for anyone who cares to look for it.

Simpler Code Scanning

On the extreme other hand, [Will Butler] wrote a guide to searching for exploits using grep. A simple example: if raw shows up in code, it often signals an unsafe operation. The terms fixme or todo, often in comments, can signal a known security problem that has yet to be fixed. Another example is unsafe, which is an actual keyword in some languages, like Rust. If a Rust project is going to have vulnerabilities, they will likely be in an unsafe block. There are some other language-dependent pointers, and other good tips, so check it out.
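The grep triage described above, as an added example for reviewing your own tree (this is not code from [Will Butler]'s guide or from this post). The function names, the "not preceded by a letter" matching rule and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: count review markers (raw, fixme, todo, unsafe) in a tree.
MARKERS="raw fixme todo unsafe"

# ERE for a marker not preceded by a letter: "raw(" and "html_raw" match,
# "draw" does not. This rule is an assumption to cut false positives.
marker_re() {
    printf '(^|[^[:alpha:]])%s' "$1"
}

# Print file:line:text for each hit; skip binaries (-I) and .git metadata.
scan_marker() {
    grep -rnIiE --exclude-dir=.git -e "$(marker_re "$1")" "$2" 2>/dev/null
}

# Number of matching lines for one marker under a directory.
count_marker() {
    scan_marker "$1" "$2" | wc -l | tr -d ' '
}

# One "<count> <marker>" line per marker, busiest first.
summarize() {
    for m in $MARKERS; do
        printf '%s %s\n' "$(count_marker "$m" "$1")" "$m"
    done | sort -rn
}

# Constructed sample tree so the example runs offline.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/src" "$d/.git"
    cat > "$d/src/view.rb" <<'EOF'
def draw(canvas); end
name = raw(params[:name])
# FIXME: escape name before rendering
EOF
    cat > "$d/src/buf.rs" <<'EOF'
// TODO: bounds check
let b = unsafe { *ptr.add(i) };
EOF
    echo 'todo unsafe raw' > "$d/.git/notes"   # must be skipped
    echo "$d"
}

sample=$(make_sample)
summarize "$sample"
rm -rf "$sample"
```

A hit is only a pointer for a human reviewer: each line that `scan_marker` prints still has to be read in context.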


Jailbreaking The Kindle Paperwhite

The Kindle Paperwhite, Amazon’s newest e-ink reader featuring a touch interface with a higher contrast display, is now officially jailbroken.

[geekmaster], the geek master behind this hack, based his jailbreak off [Yifan]’s previous hack to jailbreak the Kindle Touch. Installation is a snap, and only requires you to upload the data.stgz file to the root directory of the Paperwhite and restart the device. On the next boot, the Paperwhite will be jailbroken, allowing you to do tons of cool stuff with a tiny Linux device connected to an e-ink screen.

We’ve already seen a few really cool uses for jailbroken Kindles including a weather station display and a serial terminal for your Raspberry Pi. Cracking the newer and better Kindle Paperwhite means those e-ink projects you’ve been thinking about building just became much more attractive.

One word of warning from [geekmaster], though: USB downloader mode isn’t yet enabled. If you brick your device, you’ll need to connect your Kindle to a serial port. This shouldn’t be a problem for Hackaday readers, but it is something to watch out for.