This Week In Security: ACME.sh, Leaking LEDs, And Android Apps

Let’s Encrypt has made an enormous difference to the landscape of the web. The protocol used for authenticating and receiving certificates, ACME, has spawned quite a few clients of various flavors. Some are written in Rust, some in Python or Go, and a few in straight Bash shell script. One of those last ones, acme.sh, was doing something odd when talking to a particular “Certificate Authority”, HiCA. This pseudo-CA only supports acme.sh, and now we know why. The folks behind HiCA found an RCE exploit in acme.sh, and decided to use that exploit to do certificate issuance with more “flexibility”. Oof.

The nuts and bolts here are that HiCA was working as a CA-in-the-Middle, wrapping other CAs’ authentication services. Those services don’t support ACME authentication at all, and HiCA used the acme.sh vulnerability to put the authentication token in the place SSL.com expected to find it. So, just a good community member offering a service that ACME doesn’t quite support, right?

Well, maybe not so innocent. The way this appears to work is that the end user sends a certificate request to HiCA. HiCA takes that information, and initiates a certificate request off to SSL.com. SSL.com sends back a challenge, and HiCA embeds that challenge in the RCE and sends it to the end user. The end user’s machine triggers the RCE, which pushes the challenge token to the well-known location, and bypasses the ACME protection against exactly this sort of CA-in-the-middle situation.

The last piece of the authentication process is that the signing server reaches out over HTTP to the domain being signed, and looks for the token to be there. Once found, it sends the signed certificates to HiCA, which then forwards them on to the end user. And that’s the problem. HiCA has access to the key of every SSL cert it handled. This doesn’t allow encryption, but these keys could be used to impersonate or even launch MitM attacks against those domains. There’s no evidence that HiCA was actually capturing or using those keys, but this company was abusing an RCE to put itself in the position to have that ability.

The takeaway is twofold. First, as an end user, only use reputable CAs. And second, ACME clients need to be hardened against potentially malicious CAs. The fact that HiCA only supported the one ACME client was what led to this discovery, and should have been a warning flag to anyone using the service.
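One way a shell ACME client can apply that second takeaway, as an added example that is not code from acme.sh or from this article: every field the CA sends is treated as data, checked against the base64url alphabet that RFC 8555 requires for tokens, and never passed to `eval`. The function names and sample values are constructed, and the page does not describe the acme.sh bug itself, so this shows the general rule rather than the specific fix.

```shell
#!/bin/sh
# Added example: handle CA-supplied ACME challenge fields as untrusted data.
# Function names and sample values below are constructed for illustration.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges plain ASCII

# RFC 8555 section 8.1: a token may only use the base64url alphabet.
is_base64url() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;   # empty, or any other character
    *) return 0 ;;
  esac
}

# Write the http-01 response for one challenge, or refuse.
# $1 = webroot, $2 = token from the CA, $3 = thumbprint of OUR account key
write_http01_response() {
  webroot=$1 token=$2 thumbprint=$3
  is_base64url "$token" || { echo "rejecting token from CA" >&2; return 1; }
  is_base64url "$thumbprint" || { echo "bad thumbprint" >&2; return 1; }
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  # The body is always token.thumbprint, built locally. The CA supplies
  # neither the file contents nor the path, and nothing reaches eval.
  printf '%s.%s' "$token" "$thumbprint" > "$dir/$token"
}

# Demo on constructed values; the second "token" tries to leave the directory.
demo_root=$(mktemp -d)
sample_thumb="Y29uc3RydWN0ZWQtdGh1bWJwcmludA"
write_http01_response "$demo_root" "c29tZS1jb25zdHJ1Y3RlZC10b2tlbg" \
  "$sample_thumb" && echo "wrote response"
write_http01_response "$demo_root" "../outside" "$sample_thumb" \
  || echo "refused"
```

Because the response body is bound to the client's own account key thumbprint, a token relayed from some other validation system cannot be planted through this path.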

Persistence Pays In TI-99/4A Cassette Tape Data Recovery

In the three or four decades since storing programs on audio cassettes was relevant, a lot of irreplaceable personal computing history has been lost to the ravages of time and the sub-optimal conditions in the attics and basements where tapes have been stored. Luckily, over that time we’ve developed a lot of tools and techniques that might make it possible to recover some of these ancient treasures. But as [Noel] shows us, recovering data from cassette tapes is a tricky business.

His case study for the video below is a tape from a TI-99/4A that won’t load. A quick look in Audacity at the audio waveform seems to show the problem — an area of severely attenuated signal. Unfortunately, no amount of boosting and filtering did the trick, so [Noel] had to dig a bit deeper. It turns out that the TI tape interface standard, with its redundant data structure, was somewhat to blame for the inability to read this particular tape. As [Noel] explains, each 64-bit data record is recorded to tape twice, along with a header and a checksum. If neither record decodes correctly, then tape playback just stops.

Luckily, someone who had already run into this problem spun up a Windows program to help. CS1er — our guess would be “Ceaser” — takes WAV file input and loads each record, simply flagging the bad ones instead of just bailing out. [Noel] used the program to analyze multiple recordings of the same data and eventually got enough good records to reassemble the original program, a game called Dogfight — or was it Gogfight? Either way, he managed to get most of the data off the tape, and since it was a BASIC program, it was pretty easy to figure out the missing bytes by inspection.

[Noel]’s experience will no doubt be music to the ears of the TI aficionados out there, of which we’ve seen plenty, from the TI-99 demoscene to running Java on one, and whatever this magnificent thing is.


These Illusions Celebrate Exploiting Human Senses

Illusions are perceptual experiences that do not match physical reality, and the 2023 Illusion of the Year contest produced a variety of nifty ones that are worth checking out. A video for each is embedded below the break, but we’ll briefly explain each as well.

Some of the visual illusions play with perspective. One such example happens to be the contest winner: Platform 9 3/4 has a LEGO car appear to drive directly through a wall. It happens so quickly it’s difficult to say what happened at all!

Another good one is the Tower of Cubes, which appears as two stacks of normal-looking hollow cubes, but some of the cubes are in fact truly bizarre shapes when seen from the side. This is a bit reminiscent of the ambiguous cylinder illusion by Japanese mathematician and artist [Kokichi Sugihara].

Cornelia is representative of the hollow face illusion, in which a concave face is perceived as a normal convex one. (Interestingly this illusion is used to help diagnose schizophrenia, as sufferers overwhelmingly fail to perceive the illusion.)

The Accelerando Illusion is similar to (but differs from) an auditory effect known as the Risset Rhythm by composer Jean-Claude Risset. It exploits ambiguities in sound to create a dense musical arrangement that sounds as though it is constantly increasing in tempo.

The Buddha’s Ear Illusion creates the illusion of feeling as though one’s earlobe is being stretched out to an absurd length, and brings to mind the broader concept of body transfer illusion.

While it didn’t appear in the contest, we just can’t resist bringing up the Thermal Grill Illusion, in which one perceives a painful burning sensation from touching a set of alternating hot and cold elements. Even though the temperatures of the individual elements are actually quite mild, the temperature differential plays strange tricks on perception.

A video of each of the contest’s entries is embedded below, and they all explain exactly what’s going on for each one, so take a few minutes and give them a watch. Do you have a favorite illusion of your own? Share it in the comments!
