This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG

First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this: npm hosts both public and private Node.js packages. The public ones are available to everyone, but the private packages are “scoped”, meaning they live within a private namespace, “@owner/packagename”, and are inaccessible to the general public. Trying to access such a package results in an HTTP 404 error, the same error as trying to pull a package that doesn’t exist.
The clever bit is to keep trying, and really pay attention to the responses. Use npm’s API to request info on your target package five times in a row. If the package name isn’t in use, all five requests take the expected amount of time: each request lands at the service’s backend, a lookup is performed, and you get the response. On the flip side, if your target package does exist but is privately scoped, the first request returns with the expected delay and the other four return immediately. It appears that npm has a front end that caches the 404 response for a private package. That response-time discrepancy means you can map out the private package names used by a given organization in their private scope.

Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion. Those attacks are two approaches to the same goal: get a Node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, while dependency confusion relies only on a developer not explicitly defining the scope of a package.
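The dependency-confusion half of that risk is something a project can audit for itself. The following is an added example, not code from the article or from Aqua Nautilus: it checks a manifest and lockfile for internal packages referenced without their scope, scoped packages that resolved from somewhere other than the private registry, and a missing scope-to-registry pin in .npmrc. The scope “@acme”, the registry URLs and the sample manifests are constructed.

```javascript
// Added example, not code from the article: audit a project's manifest and
// lockfile for the dependency-confusion exposure the article describes.
// The scope "@acme", the registry URLs and the sample files are constructed.
const ORG_SCOPE = "@acme";
const PRIVATE_REGISTRY = "https://npm.acme.internal/";

// Parse .npmrc text and return the registry configured for a scope, if any.
function scopeRegistry(npmrcText, scope) {
  for (const line of npmrcText.split("\n")) {
    const m = line.trim().match(/^(@[^:]+):registry=(\S+)$/);
    if (m && m[1] === scope) return m[2];
  }
  return null;
}

// Flag dependencies that a same-named public package could be substituted for.
// internalNames: bare names of packages published under the private scope.
function auditDependencies(pkg, lock, internalNames, npmrcText) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const pinned = scopeRegistry(npmrcText, ORG_SCOPE) === PRIVATE_REGISTRY;
  if (!pinned) findings.push({ name: ORG_SCOPE, issue: "scope-not-pinned-in-npmrc" });
  for (const name of Object.keys(deps)) {
    const resolved = ((lock.packages || {})[`node_modules/${name}`] || {}).resolved || "";
    if (!name.startsWith("@") && internalNames.has(name)) {
      // internal package referenced without its scope: the public registry
      // may serve a higher-versioned package of the same bare name
      findings.push({ name, issue: "internal-name-unscoped", resolved });
    } else if (name.startsWith(ORG_SCOPE + "/") && !resolved.startsWith(PRIVATE_REGISTRY)) {
      findings.push({ name, issue: "scoped-resolved-outside-private-registry", resolved });
    }
  }
  return findings;
}

// Constructed sample input: one scoped package pulled from the public registry,
// one internal package referenced without its scope, one ordinary public package.
const SAMPLE_PKG = { dependencies: { "@acme/auth-lib": "^2.0.0", "internal-utils": "^1.0.0", "express": "^4.18.0" } };
const SAMPLE_LOCK = { packages: {
  "node_modules/@acme/auth-lib": { resolved: "https://registry.npmjs.org/@acme/auth-lib/-/auth-lib-2.0.0.tgz" },
  "node_modules/internal-utils": { resolved: "https://registry.npmjs.org/internal-utils/-/internal-utils-9.9.9.tgz" },
  "node_modules/express": { resolved: "https://registry.npmjs.org/express/-/express-4.18.2.tgz" },
} };
const SAMPLE_NPMRC = "registry=https://registry.npmjs.org/\n"; // scope not pinned
const INTERNAL = new Set(["auth-lib", "internal-utils"]);

function runAudit() {
  return auditDependencies(SAMPLE_PKG, SAMPLE_LOCK, INTERNAL, SAMPLE_NPMRC);
}
console.log(runAudit());
```

The fix for each finding is the same one the article points at: publish and consume internal packages under the scope, and pin that scope to the private registry in .npmrc so an unscoped public name cannot be resolved in its place.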


An Open-Source HDMI Capture Card

[YuzukiHD] has provided files for anyone who wishes to build their own HDMI capture card at home. The design is known as the Yuzuki Loop Out HDMI Capture Card PRO, or YuzukiLOHCC PRO for short.

The build is based on the MS2130, an HD video and audio capture chip that’s compatible with USB 3.2 Gen 1. We’re pretty sure that’s now called USB 3.2 Gen 1×1, and that standard is capable of transfers at up to 5 Gbps. Thus, the chip can support HDMI at up to 4K resolution at 60 Hz, depending on the exact signals being passed down the line. It’s compatible with YUV422 and MJPEG modes and can be used with software like OBS Studio and FFmpeg. The board itself is relatively simple. It features an HDMI In port, an HDMI Out port, and a USB-C port for hooking up to a computer for capture.

HDMI capture cards can be expensive and fussy things, so you may find it pays to roll your own. Plus, being open sourced under the CERN Open Hardware License V2 means that you can make changes to suit your own use case if you so desire.

We’ve seen some other hilarious video capture tricks over the years, such as a convoluted rig that uses a SNES to turn a Game Boy Camera into a usable webcam. If you’ve got any such madcap hacks brewing up in your lab, be sure to let us know!


Lo-Fi Orchestra Learns Tubular Bells

Hardware projects often fall into three categories: Those that flash lights, those that make sounds and those that move. This virtuoso performance by [Kevin]’s “Lo-Fi Orchestra” manages all three, whilst doing an excellent job of reproducing the 1973 musical classic Tubular Bells by Mike Oldfield.

Producing decent polyphonic sounds of different timbres simultaneously is a challenge for simple microcontroller boards like Arduinos, so [Kevin] has embraced the “More is more” philosophy and split up the job of sound generation in much the same way as a traditional orchestra might. Altogether, 11 Arduino Nanos, 6 Arduino Unos, an Arduino Pro Mini, an Adafruit Feather 32u4, and a Raspberry Pi running MT32-Pi make up this electronic ensemble.

Arduino Servo & Relay Drumkit

The servo & relay drumkit is a particular highlight, providing some physical sounds to go along with the otherwise solid-state generation.

The whole project is “conducted” over MIDI, and the flashing sequencer in the middle gives a visual indication of the music that is almost hypnotic. The performance is split into two videos (after the break), and will be familiar to fans of ’70s music and classic horror movies alike. We’re astonished how accurately [Kevin] has captured the mood of the original recording.

If this all looks slightly familiar, it may be because we have covered the Lo-Fi Orchestra before, when it entertained us with a rousing rendition of Gustav Holst’s Planets Suite. If you’re more interested in real Tubular Bells than synthesized ones, then check out this MIDI-controlled set from 2013.