Keyloggers are nasty little things that have the potential to steal the credit card numbers of you and everyone you care about. Usernames and passwords can be easily stolen this way, so they’re a useful tool for the black hats out there. One would generally expect to find a keylogger in a dodgy movie torrent or perhaps a keygen for pirated software, but this week a keylogger was found in an audio driver for an HP laptop.
The logger was found by modzero, a Swiss security consultancy. The Conexant HD Audio Driver Package version 1.0.0.46 and earlier installs a keyboard hook so that it can react to the laptop’s volume up and down keys. The real killer here is that it writes every keystroke it sees, not just the media keys, to a readily accessible file (C:\Users\Public\MicTray.log), for reasons we can’t possibly fathom. It’s a huge security risk, but it doesn’t stop there: the same component also hands each keystroke to the OutputDebugString debug API, so any local process listening for debug output gets them as well, which widens the attack surface for malicious actors. Anything that can read that file, including malware or an attacker who has already gained a foothold on the machine, can collect its keystroke history. If you have an affected HP machine, check for a running MicTray.exe or MicTray64.exe process and for the log file; deleting the executable stops the logging (at the cost of the hotkeys) until a fixed driver package arrives, and the log file should be securely deleted too, since it may already hold passwords.
There’s no word from the company yet, but we really want to know – why save the keystrokes to a file at all? Code left over from debugging, perhaps? Speculate in the comments.
If you’ve been reading the news lately, you doubtless read about the find of a really big new helium gas field in Tanzania. It’s being touted as “life-saving” and “game-changing” in the popular media, but this is all spin. Helium is important for balloon animals, scientists, and MRI machines alike, but while it’s certainly true that helium prices have been rising steadily since 2000, this new field is unlikely to matter all that much in the grand scheme of things.
The foundation of every news story on helium is that we’re running out of the stuff. As with most doomsday scenarios, the end of the world’s supply of helium is overstated, and we don’t just mean in light of the new Tanzanian field. Helium is the second-most abundant element, making up roughly 24% of the ordinary matter in the universe. And while the earth is disproportionately made of heavier elements, helium is continuously produced in the crust by radioactive decay and accumulates in natural gas fields. It’s just a question of getting it out, and at what price that’s viable.
So while we’re stoked that the era of (relatively) cheap helium can continue onwards for a few more years, we’re still pretty certain that the price is going to continue to rise, and our children’s children won’t be using the stuff for something so frivolous as blowing up party balloons — it’ll be used primarily, as it is now, where it’s more valuable: in science, medicine, and industry.
Let’s take this moment to reflect on the economics of the second-lightest element. Here’s to you, Helium!
According to this article in the Guardian, Premier Farnell, the electronics parts distributor that also manufactures the Raspberry Pi in the UK, is going to be sold to Dätwyler. Farnell’s share price immediately rose 50%, closing at just under the Swiss firm’s offer price.
Farnell itself had been on a binge, according to Wikipedia anyway, buying up electronics distributorships in Poland, India, and the US. In 2009, they bought Cadsoft, the makers of Eagle CAD software. Now they’re being sold to another distributor.
Bloomberg writes this up as being just more consolidation in an already consolidating market. What any of this will mean for the hacker on the street is anyone’s guess, but we’re putting our money on it amounting to nearly nothing. But still, now’s the time to stock up on your genuine UK-owned, made-in-UK Pis before they become Swiss-owned and made who knows where.
We never have enough peripherals on a microcontroller. Whether it’s hardware-driven PWM channels, ADCs, or serial communication peripherals, we always end up wanting just one more of these but don’t really need so many of those. Atmel’s new version of the popular ATmega328 series, the ATmega328PB, seems to have heard our pleas.
We don’t have a chip in hand, but the datasheet tantalizes. Here’s a quick rundown of the new features:
Two more 16-bit timer/counters. This is a big deal when you’re writing code that’s not backed up by an operating system and relies on the hardware for jitter-free timing.
Two each of USART, SPI, and I2C (TWI) instead of one of each. Good when you use I2C devices that have limited address spaces, or when you need to push the bits out really fast over SPI.
Ten PWM channels instead of six. This (along with the extra 16-bit timers) is good news for anyone who uses PWM — from driving servos to making music.
Onboard capacitive sensing hardware: Peripheral Touch Controller. This is entirely new to the ATmega328PB chip, and looks like it’ll be interesting for running capacitive sense buttons without additional ICs. It relies on Atmel’s QTouch software library, though, so it looks like it’s not a free-standing peripheral as much as an internal multiplexer with maybe some hardware-level filtering. We’ll have to look into this in detail when we get our hands on one of the chips.
So what does this mean for you? A quick search of the usual suspects shows the chips in stock and shipping right now, and there’s an inexpensive dev kit available as well. If you write your own code in C, taking advantage of the new features should be a snap. Arduino folks will have to wait until the chips (and code support) work their way into the ecosystem.
Rumors about a new Raspberry Pi have been circulating around the Internet for the past week or so. Speculation has ranged from an upgraded Model A or compute module to a monster board with Gigabit Ethernet, USB 3.0, SATA and a CPU that isn’t even in production yet. The time is now, and the real news is even more interesting: it’s a $5 Raspberry Pi Zero. It’s the smallest Pi yet, while still keeping the core experience.
Passwords are terrible. The usual requirements of a number, capital letter, or punctuation mark force users to create unmemorable passwords, leading to post-it notes; the techniques that were supposed to make passwords more secure actually make us less secure, and yes, there is an xkcd for it.
[Randall Munroe] did offer us a solution: a Correct Horse Battery Staple. By memorizing a long phrase, a greater number of bits are more easily encoded in a user’s memory, making a password much harder to crack. ‘Correct Horse Battery Staple’ only provides a 44-bit password, though: four words drawn uniformly from a 2048-word list is 11 bits per word. Researchers at the University of Southern California have a better solution: prose and poetry. Just imagine what a man from Nantucket will do to a battery staple.
In their paper, the researchers set out to create random, memorable 60-bit passwords in an English word sequence. First, they created an xkcd password generator with a 2048-word dictionary to create passwords such as ‘photo bros nan plain’ and ’embarrass debating gaskell jennie’. This produced the results you would expect from a webcomic. The best ‘alternative’ result was found when creating poetry: passwords like “Sophisticated potentates / misrepresenting Emirates” and “The supervisor notified / the transportation nationwide” produced a 60-bit password that was at least as memorable as the xkcd method.
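As an added example (not code from the xkcd comic, the USC paper, or this post), here is the entropy arithmetic behind the two passage above, plus the one piece the paper’s approach shares with the xkcd generator: turning a fixed number of random bits into a word sequence and back, so that the phrase carries exactly those bits. The word list is a constructed placeholder of 2048 tokens standing in for a real dictionary; a deployment would load a curated list such as EFF’s instead. Function names are this example’s own.

```python
import math
import secrets

# Constructed placeholder: 2048 distinct tokens standing in for a real
# 2048-word dictionary. Only the list length matters for the arithmetic.
WORDLIST = [f"word{i}" for i in range(2048)]


def bits_per_word(n_words: int) -> float:
    """Entropy contributed by one uniformly chosen word from an n-word list."""
    return math.log2(n_words)


def passphrase_entropy(k_words: int, n_words: int) -> float:
    """Entropy of k independent uniform picks: k * log2(n).
    Four words from 2048 gives 44 bits, which is the xkcd figure."""
    return k_words * bits_per_word(n_words)


def words_needed(target_bits: int, n_words: int) -> int:
    """Smallest k such that n**k >= 2**target_bits.
    For a 60-bit target and a 2048-word list this is 6 (5 words give only 55)."""
    return math.ceil(target_bits / bits_per_word(n_words))


def encode_bits(value: int, wordlist: list, k_words: int) -> list:
    """Write a non-negative integer in base len(wordlist), most significant
    word first, padded to exactly k_words words. The mapping is a bijection on
    the range, so the phrase encodes exactly the bits of `value` and no more."""
    base = len(wordlist)
    if value < 0 or value >= base ** k_words:
        raise ValueError("value does not fit in k_words words of this list")
    words = []
    for _ in range(k_words):
        value, digit = divmod(value, base)
        words.append(wordlist[digit])
    return words[::-1]


def decode_words(words: list, wordlist: list) -> int:
    """Inverse of encode_bits: recover the integer from the word sequence."""
    base = len(wordlist)
    index = {w: i for i, w in enumerate(wordlist)}
    value = 0
    for w in words:
        value = value * base + index[w]
    return value


def random_passphrase(wordlist: list, target_bits: int) -> str:
    """Draw exactly target_bits from the OS CSPRNG (never random.random for
    this) and spell them out as the minimal number of words."""
    k = words_needed(target_bits, len(wordlist))
    return " ".join(encode_bits(secrets.randbits(target_bits), wordlist, k))


if __name__ == "__main__":
    print("4 words from 2048:", passphrase_entropy(4, 2048), "bits")
    print("words for 60 bits:", words_needed(60, 2048))
    print("example 60-bit phrase:", random_passphrase(WORDLIST, 60))
```

Note the distinction the encode/decode pair makes explicit: six words picked independently from 2048 would carry 66 bits, but a phrase produced by encoding a 60-bit random value carries exactly 60, since only 2^60 of the 2048^6 possible sequences can ever be emitted. That is the setting of the USC paper, which starts from a random 60-bit string and asks how to render it as something memorable; the poetry generator is a much richer encoder than this base-2048 one, but it is still a bijection on the same 60-bit space.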
LMR is possibly the most popular DIY robotics website around and was started up by a fun-loving Dane, [Frits Lyneborg]. It grew a large community around building up minimal robots that nonetheless had a lot of personality or pushed a new technical idea into the DIY robotics scene. [Frits] says that he hasn’t had time for DIY robotics for a while now, and doesn’t have the resources to run a gigantic web forum either, so he worked out a deal to let the Canadian hobbyist supply company Robot Shop take it over.
LMR has always been a little bit Wild-West, and many of the members quite opinionated, and that’s been part of its charm. So when the new corporate overlords came in, set up “Rules” (which have seemingly been downgraded to “suggestions”) and clarified the ownership of the content, some feathers were ruffled.