This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty potential supply chain attack in this tool when it is used with the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control System (VCS) like Git or Mercurial to pull the specified readme location, and that pull operation is subject to argument injection. Name your branch --help, and Git will happily act on the help option instead of performing the intended pull. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mercurial command as a script snippet. So a project just has to contain a malicious payload.sh and have its readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. It uses the --config trick to redefine cat as a bit of script that executes the payload, and it ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or might still be used for on an unpatched, private Packagist install. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
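The two values the article quotes, a branch named --help and the --config=... readme name, are plain data to the repository service but are parsed as options by git and hg the moment they land on a command line. The following is an added example, not Composer's or Packagist's own code: it places the pass-through pattern the article describes next to a checked version that refuses option-looking values and, for Mercurial, terminates option parsing with `--` before the path. The allow-list patterns, the function names and the hg/git invocations used here are assumptions made for the example, not Composer's actual rules.

```python
import re
import subprocess
from typing import List

# Values quoted in the article: a branch named --help and the Mercurial readme payload.
HELP_BRANCH = "--help"
CONFIG_README = "--config=alias.cat=!hg cat -r : payload.sh|sh;,txt"

# Hypothetical allow-lists (assumptions for this example, not Composer's real rules):
# a readme is a relative path of plain segments ending in a text-like extension, and a
# ref is a plain branch/tag/revision name. Neither may begin with a dash.
_README_RE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9._-]*(?:/[A-Za-z0-9][A-Za-z0-9._-]*)*\.(?:md|txt|rst)$"
)
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def looks_like_option(value: str) -> bool:
    """A VCS command line parses anything starting with '-' as an option, not as data."""
    return value.startswith("-")


def is_safe_readme_path(path: str) -> bool:
    return (not looks_like_option(path)
            and _README_RE.fullmatch(path) is not None
            and ".." not in path.split("/"))


def is_safe_ref(ref: str) -> bool:
    return (not looks_like_option(ref)
            and _REF_RE.fullmatch(ref) is not None
            and ".." not in ref)


def naive_hg_argv(ref: str, path: str) -> List[str]:
    """The pass-through pattern the article describes: the readme name goes onto the hg
    command line unchecked, so a name beginning with --config= is read as an option."""
    return ["hg", "cat", "-r", ref, path]


def build_readme_argv(vcs: str, ref: str, path: str) -> List[str]:
    """Hardened form: validate both values, then build argv so neither can become an option."""
    if not is_safe_ref(ref):
        raise ValueError(f"rejected VCS ref {ref!r}")
    if not is_safe_readme_path(path):
        raise ValueError(f"rejected readme path {path!r}")
    if vcs == "git":
        # git show takes REF:PATH as a single object name; the allow-list above is what
        # guarantees that this argument cannot start with a dash.
        return ["git", "show", f"{ref}:{path}"]
    if vcs == "hg":
        # '--' ends option parsing, so even if the allow-list regressed later, the path
        # could not be parsed as --config=... again.
        return ["hg", "cat", "-r", ref, "--", path]
    raise ValueError(f"unsupported vcs {vcs!r}")


def is_accepted(vcs: str, ref: str, path: str) -> bool:
    """Convenience wrapper: would the checked builder hand this pair to the VCS at all?"""
    try:
        build_readme_argv(vcs, ref, path)
        return True
    except ValueError:
        return False


def fetch_readme(vcs: str, ref: str, path: str, repo_dir: str) -> bytes:
    """Run the checked argv as a list with shell=False, so no shell ever re-parses the values."""
    argv = build_readme_argv(vcs, ref, path)
    return subprocess.run(argv, cwd=repo_dir, check=True, capture_output=True).stdout


if __name__ == "__main__":
    print("naive hg argv:", naive_hg_argv("default", CONFIG_README))
    print("payload accepted by checked builder:", is_accepted("hg", "default", CONFIG_README))
    print("checked hg argv:", build_readme_argv("hg", "default", "README.md"))
```

The two controls are deliberately independent: the allow-list is what blocks both payloads today, and the `--` separator (plus list-form `subprocess` with no shell) is what keeps a future regression in the allow-list from turning back into option injection. A detection-minded reader can reuse `looks_like_option` over stored package metadata to find readme or branch fields that begin with a dash.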

Five-Foot Keyboard Lays It All On The Line

We would bet that among the most technologically-inclined of our readership, there are plenty of hunt-and-peck typists. Because of course, typing quickly and from the home row has nothing to do with intelligence, and everything to do with practice and rote muscle memorization. But what if the keyboard was all home row?

That’s right — Google Japan (translated) is back at it with another joke peripheral that happens to be 100% real and open-source. Whether you want to keep your distance from others while you toil at the coffee shop, or really, really want to get into the pair programming thing, this is the keyboard for you. While the prototype was a whopping seven feet long (or wide, whatever), the final version is shorter and friendlier, and can double as a walking stick on those outdoor sanity breaks with the addition of a protective shoe.

As with their mug keyboard, we appreciate the work that went into making this keyboard real just as much as the joke itself. Our favorite factoid has to be that this is made up of 17 different circuit boards, including the control board. Be sure to check out the fairly hilarious promo video after the break.


Have 3D Printer, Will Travel

We keep hearing that the desktop computer is dying — everyone wants a mobile device like a laptop, a tablet, or a big horkin’ phone. We suppose [eponra] wants the same thing for 3D printers, since he’s provided plans for “flatpack”, a portable 3D printer that can fit in a spool box.

As you might imagine, this isn’t going to give you maximum build volume. The printer’s folded-down dimensions are 220x210x75mm. The build volume is fairly small at 120x114x144mm. However, it does have a heated bed and an LCD display. One note, though: you do need an external power supply, which does not fit in the box. However, [eponra] notes that with an AC-powered bed, it would be possible to get everything in the box.


Mac 128K Emulator Gets DIY Ceramic Enclosure

Creative technologist [Joselyn McDonald] wanted to hone her ceramic skills by building an iconic Macintosh 128K sculpture, complete with a fully functional operating system.

At first, she was determined to use Processing to create an interface for her sculpture by recreating the UI visually and adding some touch controls. However, she soon abandoned this tedious task after discovering MacintoshPi, which steps you through installing Mac OS 7, 8, and 9 emulators on a Raspberry Pi. [Joselyn] has also installed several retro games, including DOOM II, Carmen Sandiego, and Sim City, thanks to sites like Macintosh Garden and Macintosh Repository. 

Next, [Joselyn] hopes to set it up to display her and her partner’s schedules, and to let friends play around with nostalgic games. This piece was made using hand building, but other cool ceramic techniques like this slip cast dog bowl and this stone 3D printer have us thinking about what other types of enclosures could be built!

Building A Digital Library Of Amateur Radio And Communications

For years the Internet Archive has provided the online community with a breathtaking collection of resources, out of print books, magazines, recordings, software, and any other imaginable digital asset in easily retrievable form. Now with the help of a grant from the Amateur Radio Digital Communications Foundation they are seeking to create a collection that documents amateur radio from its earliest days to the present.

The work will be multi-faceted, and include the print and digital materials we’d expect, as well as personal archives and oral histories from notable radio amateurs. For many of us this will provide a wealth of technical details and insights into taming the ionosphere, but for future historians it will be an invaluable reference on the first century of the hobby.

Amateur radio is perhaps the oldest hardware hacking pursuit of the electronic age, because certainly at the start, radio was electronics. Thus amateur radio’s long history has indirectly given us many of the things we take for granted today. Sure it has its moribund aspects, but we think if it continues to follow the growth of new technology as it has for so many years it will continue to be an exciting pursuit. We look forward to browsing this archive, and we hope to see it grow over the years.

Header image: Lescarboura, Austin C. (Austin Celestin), 1891-, No restrictions.

Rubber Band Behemoth Winds Its Way Toward World Record

Egged on by adoring fans who demanded more aircraft videos, [ProjectAir] has decided to break the world record for rubber band powered aircraft… despite having never built a rubber band powered aircraft. Why rubber band power?

Before little two-stroke motors became affordable, and long before electric motors and batteries were remotely possible, there weren’t a lot of options for powering your model aircraft. One technology that really took off was rubber band power. By winding a rubber band, it could store enough energy to turn a propeller for a short duration. With a 10 foot model holding the current world record, as you can see in the video below the break, [ProjectAir] decided to see if he could beat it.

Image: Rubber band powered free flight, c. 1915, by unknown author.

Starting with a successful free flight aircraft made of foam board, [ProjectAir] simply scaled it up to an eleven-foot wing, one foot larger than the ten-foot world record holder. Since there were now eight rubber band motors, a mechanism was created to release the propellers in sync, but this was problematic. Eventually a slightly heavy but solid solution was found.

[ProjectAir] did more testing, more problem solving, and through rapid iterations, he eventually was able to have a successful flight under radio control. His personal goal of a 12 second flight was exceeded, and then Guinness called! They’re interested in certifying his attempt as long as his plane can fly for at least 30 seconds, almost double his current ability. What will he do? Check the video, too, for [ProjectAir]’s challenge to the community to join him in trying to beat the world record. Sounds like fun!

Aside from powering world-record-attempting radio-controlled aircraft, did you know that you can build a rubber band powered refrigerator? It’s true!


Exploring The Cutting Edge Of Desktop ARM Hardware

While the x86 architecture certainly isn’t going away anytime soon, it seems that each year more and more of our computing is done on ARM processors. It started with our smartphones, spread into low-cost Chromebooks, and now Apple’s gone all-in with their M1/M2 chips. But so far we haven’t seen too much movement in the desktop space, a fact which has arguably slowed the development of ARM-compatible software and operating systems.

But that doesn’t mean there aren’t options out there, and no, we don’t mean using a Raspberry Pi. [Wooty-B] has been documenting their efforts to switch over to an ARM desktop, which makes for fascinating reading even if you’re currently comfortable with your architecture choices. The key is the HoneyComb LX2K, a Mini-ITX ARM development board that offers enough expansion and raw power to meet most daily computing needs, assuming you’re willing to put in the effort.