Day: April 12, 2024

This Week In Security: BatBadBut, DLink, And Your TV Too

April 12, 2024 by 23 Comments

So first up, we have BatBadBut, a pun based on the vulnerability being “about batch files and bad, but not the worst.” It’s a weird interaction between how Windows uses cmd.exe to execute batch files and how argument splitting and character escaping normally works. And what is apparently a documentation flaw in the Windows API.

When starting a process, even on Windows, the new executable is handed a set of arguments to parse. In Linux and friends, that is a pre-split list of arguments, the argv array. On Windows, it’s a single string, left up to the program to handle. The convention is to follow the same behavior as Linux, but the cmd.exe binary is a bit different. It uses the carrot ^ symbol instead of the backslash \ to escape special symbols, among other differences. The Rust devs took a look and decided that there are some cases where a given string just can’t be made safe for cmd.exe, and opted to just throw an error when a string met this criteria.

And that brings us to the big questions. Who’s fault is it, and how bad is it? I think there’s some shared blame here. The Microsoft documentation on CreateProcess() strongly suggests that it won’t execute a batch file without cmd.exe being explicitly called. On the other hand, This is established behavior, and scripting languages on Windows have to play the game by Microsoft’s rules. And the possible problem space is fairly narrow: Calling a batch file with untrusted arguments.

Almost all of the languages with this quirk have either released patches or documentation updates about the issue. There is a notable outlier, as the Java language will not receive a fix, not deeming it a vulnerability. It’s rather ironic, given that Java is probably the most likely language to actually find this problem in the wild. Continue reading “This Week In Security: BatBadBut, DLink, And Your TV Too”

The Future Looks Bleak For Alexa Skill Development

April 12, 2024 by 30 Comments

While the average Hackaday reader is arguably less likely than most to install a megacorp’s listening device in their home, we know there’s at least some of you out there that have an Amazon hockey puck or two sitting on a shelf. The fact is, they offer some compelling possibilities for DIY automation, even if you do have to jump through a few uncomfortable hoops to bend them to your will.

That being said, we’re willing to bet very few readers have bothered installing more than a few Alexa Skills. But that’s not a judgment based on any kind of nerd stereotype — it’s just that nobody seems to care about them. A fact that’s evidenced by the recent revelation that even Amazon looks to be losing interest in the program. In a post on LinkedIn, Skill developer [Mark Tucker] shared an email he received from the mothership explaining they were ending the AWS Promotional Credits for Alexa (APCA) program on June 30th.

Continue reading “The Future Looks Bleak For Alexa Skill Development”

Make Your Music Simpler With The User-Unfriendliest Cassette Deck Ever

April 12, 2024 by 17 Comments

Call us crazy, but music was a whole lot more fun when it was on physical media. Or perhaps just easier to use, especially in the car. Whether your particular vintage favored CDs, cassettes, or even 8-tracks, being able to fish out that favorite album and slam it in the player while never taking your eyes off the road was a whole lot easier than navigating a playlist on a locked phone, or trying to control an infotainment system through soft buttons on a touch screen.

It seems like [Jarek Lupinski] is as much a Spotify Luddite as we are, since his “tape-deck” project is aimed to be as user-unfriendly as possible. It’s just an auto-reversing cassette deck movement stripped bare of all useful appurtenances, like a way to fast forward or rewind. You just put a cassette in and it plays, start to finish, before auto-reversing to play the other side in its entirety. It doesn’t even have a volume control — his cheeky advice is to “listen to louder or quieter albums” to solve that problem. Pretty easy, really, and not a EULA or advertisement in sight. Build files are available if you hate yourself enough to build one of your own.

All kidding aside, this is kind of a nice reminder of how much things have changed, and how much complexity we’ve layered onto the simplest of pleasures. If you like the minimalist approach of this project but not the deconstructed aesthetics, we’ve got you covered.