A CRT Monitor From An Obsolete Logic Analyzer

The designers of older equipment that contained a CRT monitor rarely made the effort to design their own driver and deflection circuitry. Instead they were more likely to buy an off-the-shelf assembly from a monitor manufacturer and simply supply it with their video. [TomV] has an old HP 16500A logic analyzer, and in it he found a Sony monitor chassis. With a quest for a microfiche service manual and a bit of reverse engineering, he was able to hook it up to a VGA port and use it as an extension monitor for his laptop.

The monitor chassis is a Sony CHM-9001-00, which sports their 10″ Trinitron tube. These were among the very best CRT tubes of the day, making it the type of module a 1990s hacker would have been very pleased to get their hands on. Here in 2022 a look at the monitor’s 40-pin connector reveals a standard RGB interface, which the service manual confirms is within the voltage range to be driven from a VGA output. A Thinkpad X220 is pressed into service, with a 576 by 360 pixel, 60 Hz video mode defined, and there we have it: a modern desktop on an obsolete piece of test equipment.

The intended destination for this monitor is a small arcade cabinet, so it needed to be independent of the HP chassis. The required 120 VDC supply comes from an inverter designed for solar battery charging, which balked at the inrush current from the monitor when fed with 12 V. Increasing the supply voltage on the low voltage side solved that, leading to a very serviceable monitor. We have no use for one, but we’d be lying if we said we didn’t want one.

Perhaps you have wondered what made Trinitrons so good?

This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty potential supply-chain attack in this tool when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control System (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection: name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mercurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe still could be used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
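The root cause above is a user-supplied readme name (or branch name) flowing into a VCS command line where a leading `--` turns it into an option. The following is an added illustration, not Composer's or Packagist's code: a naive filename check that lets the article's string through, a hardened allowlist check that rejects it, and an argv builder that never touches a shell and terminates option parsing with `--`. The sample names are constructed copies of the strings the article quotes; nothing is executed.

```python
import re
from typing import List

# Constructed sample readme names as a package index might receive them. The
# last two are the option-looking strings the article describes; they are
# only inspected here, never passed to hg or git.
SAMPLE_READMES = [
    "README.md",
    "docs/readme.txt",
    "--help",
    "--config=alias.cat=!hg cat -r : payload.sh|sh;,txt",
]

def naive_is_valid_readme(name: str) -> bool:
    """A check that only rules out empty names and path traversal. It accepts
    option-looking names, which is the class of bug the article describes."""
    return bool(name) and ".." not in name.split("/")

# Hardened policy (illustrative, not Composer's): allowlisted characters, a
# first character that can never be parsed as an option, no traversal, and a
# small set of documentation extensions.
_ALLOWED = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-/]*\.(md|txt|rst)$", re.IGNORECASE)

def hardened_is_valid_readme(name: str) -> bool:
    return bool(_ALLOWED.match(name)) and ".." not in name.split("/")

_REV_ALLOWED = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.\-/@]*")

def build_hg_cat_argv(rev: str, readme: str) -> List[str]:
    """Build an argv list for 'hg cat' (no shell involved). Both values are
    validated, and '--' ends option parsing so the file name is positional
    even if some future check lets a '-' through."""
    if not hardened_is_valid_readme(readme):
        raise ValueError(f"rejected readme name: {readme!r}")
    if not _REV_ALLOWED.fullmatch(rev):
        raise ValueError(f"rejected revision: {rev!r}")
    return ["hg", "cat", "-r", rev, "--", readme]

if __name__ == "__main__":
    for name in SAMPLE_READMES:
        print(f"{name!r}: naive={naive_is_valid_readme(name)} "
              f"hardened={hardened_is_valid_readme(name)}")
```

The same validate-then-`--` pattern applies to the Git branch case the article mentions, where a branch named `--help` is the injected option.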
Continue reading “This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis”

Five-Foot Keyboard Lays It All On The Line

We would bet that among the most technologically-inclined of our readership, there are plenty of hunt-and-peck typists. Because of course, typing quickly and from the home row has nothing to do with intelligence, and everything to do with practice and rote muscle memorization. But what if the keyboard was all home row?

That’s right — Google Japan (translated) is back at it with another joke peripheral that happens to be 100% real and open-source. Whether you want to keep your distance from others while you toil at the coffee shop, or really, really want to get into the pair programming thing, this is the keyboard for you. While the prototype was a whopping seven feet long (or wide, whatever), the final version is shorter and friendlier, and can double as a walking stick on those outdoor sanity breaks with the addition of a protective shoe.

As with their mug keyboard, we appreciate the work that went into making this keyboard real just as much as the joke itself. Our favorite factoid has to be that this is made up of 17 different circuit boards, including the control board. Be sure to check out the fairly hilarious promo video after the break.

Continue reading “Five-Foot Keyboard Lays It All On The Line”

Have 3D Printer, Will Travel

We keep hearing that the desktop computer is dying — everyone wants a mobile device like a laptop, a tablet, or a big horkin’ phone. We suppose [eponra] wants the same thing for 3D printers, since he’s provided plans for “flatpack”, a portable 3D printer that can fit in a spool box.

As you might imagine, this isn’t going to give you maximum build volume. The printer’s folded-down dimensions are 220x210x75mm. The build volume is fairly small at 120x114x144mm. However, it does have a heated bed and an LCD display. One note, though: you do need an external power supply, which does not fit in the box. However, [eponra] notes that with an AC-powered bed, it would be possible to get everything in the box.

Continue reading “Have 3D Printer, Will Travel”