This Week In Security: Huawei Gets The Banhammer, Lastpass, And Old Code Breaking

While many of us were enjoying some time off for Thanksgiving, the US government took drastic action against Huawei and four other Chinese companies. The hardest hit are Huawei and ZTE, as the ban prevents any new products from being approved for the US market. The other three companies are Dahua and Hikvision, which make video surveillance equipment, and Hytera, which makes radio systems. FCC Commissioner Brendan Carr noted the seriousness of the decision.

[As] a result of our order, no new Huawei or ZTE equipment can be approved. And no new Dahua, Hikvision, or Hytera gear can be approved unless they assure the FCC that their gear won’t be used for public safety, security of government facilities, & other national security purposes.

There is even the potential that previously approved equipment could have its authorization pulled. The raw FCC documents are available, if you really wish to wade through them. What’s notable is that two diametrically opposed US administrations have both pushed for this ban. It would surely be interesting to get a look at the classified reports detailing what was actually found. Maybe in another decade or two, we can make a Freedom of Information Act request and finally get the full story.


This Week In Security: Mastodon, Fake Software Company, And ShuffleCake

Due to Twitter’s new policy of testing new features on production, the interest in Mastodon as a potential replacement has skyrocketed. And what’s not to love? You can host it yourself, it’s part of the Fediverse, and you can even run one of the experimental forks for more features. But there’s also the danger of putting a service on the internet, as [Gareth Heyes] illustrates by stealing passwords from, ironically, the infosec.exchange instance.

This Week In Security: Microsoft Patches, Typosquatting Continues, And Code Signing For All

The pair of Outlook vulnerabilities we’ve been tracking have finally been patched, along with another handful of fixes this Patch Tuesday; six of the fixes address 0-day exploits. A third 0-day, discovered by the Google Threat Analysis Group, resulted in arbitrary code execution when a Windows client connected to a malicious server.

A pair of escalation of privilege flaws were fixed, one being yet another print spooler issue, and the other in a key handling service. The final zero-day fixed was a mark-of-the-web bypass, that being the tag added to file metadata to indicate a file was downloaded from the internet. Deliver malware inside an ISO, or marked read-only inside a zip file, and Windows doesn’t show the warning when it’s executed.

Will Typosquat For Bitcoin

A trend that doesn’t show signs of slowing down is typosquatting, the simple malware distribution strategy of uploading tainted packages under misspelled variations of legitimate package names. The latest such scheme, discovered by researchers at Phylum, delivered a crypto-stealer in Python packages. These packages were hosted on PyPI, under names like baeutifulsoup4 and cryptograpyh. The packages install a JavaScript file that runs in the background of the browser, and monitors the clipboard for a cryptocurrency address. When one is detected, the intended address is swapped for an attacker-controlled address.
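The defensive counterpart to this is catching near-miss names before they are installed. The following is an added example, not code from the original post or from Phylum: it scores a requested package name against a constructed list of popular names using optimal string alignment distance, so a single adjacent transposition (baeutifulsoup4, cryptograpyh) scores as 1 rather than 2, and flags anything within a small distance that is not an exact match. The popular-name list and the `max_distance` threshold are assumptions for illustration.

```python
"""Flag requested package names that are near-misses of popular names.

Added example: the popular-name list is constructed for illustration; a real
deployment would take it from index download statistics or an internal
approved list.
"""

import re
from typing import List, Optional, Tuple

POPULAR_PACKAGES = ["beautifulsoup4", "cryptography", "requests", "numpy", "urllib3"]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transposition, so swapping two neighbouring letters costs 1, not 2."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_package_name(requested: str, popular: List[str] = POPULAR_PACKAGES,
                       max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('ok', exact_match_or_None) or ('suspicious', closest_popular_name)."""
    req = normalize(requested)
    best_name, best_dist = None, None
    for p in popular:
        dist = osa_distance(req, normalize(p))
        if best_dist is None or dist < best_dist:
            best_name, best_dist = p, dist
    if best_dist == 0:
        return "ok", best_name          # it is the well-known package itself
    if best_dist is not None and best_dist <= max_distance:
        return "suspicious", best_name  # close, but not it
    return "ok", None


def audit_requirements(lines: List[str]) -> List[Tuple[str, str]]:
    """Scan requirements.txt-style lines; return (name, closest_popular) pairs
    that look like typosquats. Version specifiers and comments are ignored."""
    flagged = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[<>=!~\[; ]", line, 1)[0]
        verdict, closest = check_package_name(name)
        if verdict == "suspicious":
            flagged.append((name, closest))
    return flagged


if __name__ == "__main__":
    # Constructed requirements file containing the two names from the article.
    sample = ["baeutifulsoup4==4.12.0", "requests>=2.28", "# build tools", "cryptograpyh"]
    for name, closest in audit_requirements(sample):
        print(f"suspicious: {name!r} is within 2 edits of {closest!r}")
```

A distance threshold this low still produces false positives for legitimately similar short names, so in practice the check is a gate that asks for human confirmation rather than an automatic block, and the popular list should be large enough that the packages your projects actually depend on are on it.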

Computer Space Flies Again

[Sean] from Classic Arcade Repairs fixes classic arcade machines, and he got a request to repair a very special machine. It’s Computer Space, the first commercial arcade cabinet ever made, and loosely based on Spacewar! This grand-daddy of coin-op was a literal barn find, and was in pretty bad shape after sitting for years. All the parts appeared to be original, making them 50 years old. As you can imagine, that combination didn’t bode well for the health of the components. There are a couple of hours of footage here, but it’s invaluable troubleshooting advice, and very cool to see such an old machine being worked on.

Part one is the intro, and [Sean] started with an HP logic analyzer, just probing the many TTL chips on the board looking for floating or otherwise suspicious outputs. He identified the obviously faulty chips and replaced each with a socket and a new chip. Just about every diode in the machine needed replacing.

Part two of the repair starts with a broken trace repair, and the discovery that all the ceramic capacitors on the boards were leaky. The interesting thing is that a multimeter tested those caps as having the correct capacitance, but a dedicated leak tester discovered the problem.

Part three shows the process of running the remaining chips through a logic tester, which found more problematic ICs. In some cases, a chip would only sometimes test as working. And strangely, one of the new, replacement chips turned out to have a problem. Though as a commenter pointed out, it could be a falling edge vs rising edge variation of the logic chips to blame. Or maybe the new chips were counterfeit. Hard to nail down.

Part four starts with a gotcha moment, where one of the first repairs to the board was a misstep. What appeared to be a damaged trace was actually a factory modification (a bodge cut?). Then a lucky break really helped out: only half of one of the 7476 chips was in use, and one of the chips on hand was only half working. Put the dead half into the unused slot, and the machine really started to behave.

Part five is the victory lap, where all the components finally arrived, and everything starts working on the bench. How cool to see the old machine bleeping and blooping again.

DIY SpaceNavigator Brings The Freedom

[Pepijn de Vos] wanted a 6DOF HID. You know, a 6 Degrees Of Freedom Hardware Interface Device. Those are the fancy controllers for navigating in 3D space, for uses like Computer Aided Design, or Kerbal Space Program. And while we can’t speak to [Pepijn]’s KSP addiction, we do know that the commercially available controllers are prohibitively expensive. It takes some serious CAD work to justify the expenditure. [Pepijn] falls somewhere in-between, and while he couldn’t justify the expense, he does have the chops to design and 3D print his own.

Marvelously, he’s shared the design files for SpaceFox, linked above. It’s six spring-loaded potentiometers, supporting a floating printed Big Knob. The pots feed into an Arduino Pro Micro, which calculates the knob’s position on the fly and feeds it into the connected computer. On the computer side, the project uses the spacenavd driver to interface with various applications.

SpaceFox V1 is essentially a proof of concept, just asking for someone to come along and knock off the rough edges. [Pepijn] even includes a wishlist of improvements, but with the caveat that he’s satisfied with his working model. If this project really gets your 6DOF juices flowing, maybe try making an improved version, and share the improvements. And let us know about it!


Commodore Datasette Does Its Own Calibration

Ah, the beloved Commodore 64. The “best-selling computer system of all time”. And hobbyists are keeping the dream alive, still producing software for it today. Which leads us to a problem with using such old equipment. When you get your copy of Petscii Robots on cassette and try to fastload it, your machine might just consistently fail to load the program. That’s fine, time to pull out the Q-tips and rubbing alcohol, and give the read heads a good cleaning. But what if that doesn’t do the job? You may just have another problem, like tape speed drift.

There are several different ways to measure the current tape speed, to dial it in properly. The best is probably a reference cassette with a known tone. Just connect your frequency counter or digital oscilloscope, and dial in the adjustment pot until your Datasette is producing the expected tone. Oh, you don’t have a frequency counter? Well, good news: [Jan Derogee] has a solution for you. See, you already have your Datasette connected to a perfectly serviceable frequency counter — your Commodore computer. He’s put out a free program that counts the pulses coming from the Datasette in one second. So play a reference cassette, run the program, and dial in your Datasette deck. Simple! Stick around after the break for a very tongue-in-cheek demonstration of the problem and solution.
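To show what the pulse count actually tells you, here is an added example that is not [Jan Derogee]’s program: it builds a constructed square wave standing in for the reference tone as read back from a tape running slightly fast, counts rising edges in one second the way the C64 program does, and also estimates frequency from the average spacing between edges, which is finer than a whole-Hz count. It then converts the measured tone into a speed error percentage. The 1000 Hz reference tone, the 44100 Hz sample rate and the 3% drift are assumptions chosen for illustration.

```python
"""Tape speed error from a reference tone, by counting pulses.

Added example; the signal is constructed in software rather than read from a
Datasette, and the reference frequency and sample rate are illustrative.
"""

from typing import List


def square_wave(freq_hz: float, sample_rate: int, seconds: float) -> List[int]:
    """Generate a 0/1 square wave. Integer arithmetic keeps the edge positions
    exact, so the example does not depend on floating-point rounding."""
    n_samples = int(sample_rate * seconds)
    freq_milli = int(round(freq_hz * 1000))        # allow sub-Hz frequencies
    denom = sample_rate * 1000
    levels = []
    for n in range(n_samples):
        half_periods = (2 * n * freq_milli) // denom
        levels.append(1 if half_periods % 2 == 0 else 0)
    return levels


def rising_edges(levels: List[float], threshold: float = 0.5) -> List[int]:
    """Sample indices at which the signal crosses the threshold upward.
    Works for 0/1 levels or for real ADC samples scaled around the threshold."""
    edges = []
    prev_high = levels[0] > threshold
    for i in range(1, len(levels)):
        high = levels[i] > threshold
        if high and not prev_high:
            edges.append(i)
        prev_high = high
    return edges


def pulses_per_second(levels: List[float], sample_rate: int) -> int:
    """The Datasette-program approach: count pulses in one second of signal."""
    return len(rising_edges(levels[:sample_rate]))


def measure_frequency(levels: List[float], sample_rate: int) -> float:
    """Frequency from the mean spacing of rising edges. Resolution is a
    fraction of a Hz rather than the whole Hz of a one-second count."""
    edges = rising_edges(levels)
    if len(edges) < 2:
        return 0.0                                  # no complete period seen
    span = edges[-1] - edges[0]
    return sample_rate * (len(edges) - 1) / span


def speed_error_percent(measured_hz: float, reference_hz: float) -> float:
    """Positive means the tape runs fast, negative means slow."""
    return (measured_hz - reference_hz) / reference_hz * 100.0


if __name__ == "__main__":
    REFERENCE_HZ = 1000.0          # assumed tone recorded on the reference tape
    SAMPLE_RATE = 44100            # assumed capture rate
    # Constructed playback: the deck runs 3% fast, so the tone comes back at 1030 Hz.
    playback = square_wave(REFERENCE_HZ * 1.03, SAMPLE_RATE, 1.0)
    print("pulses in one second:", pulses_per_second(playback, SAMPLE_RATE))
    f = measure_frequency(playback, SAMPLE_RATE)
    print(f"edge-spacing estimate: {f:.2f} Hz")
    print(f"speed error: {speed_error_percent(f, REFERENCE_HZ):+.2f}%")
```

The one-second count is what a Commodore can comfortably do by timing pulses on the cassette port, and it is plenty for turning a trim pot; the edge-spacing estimate is there to show how much precision a longer capture buys once the count has you in the right neighbourhood.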


Rope Core Drum Machine

One of our favorite musical hackers, [Look Mum No Computer] is getting dangerously close to building a computer. His quest was to create a unique drum machine, inspired by a Soviet auto-dialer that used rope core memory for number storage. Rope memory is the read-only sibling to magnetic core memory, the memory technology used to build some beloved computers back in the 60s and early 70s. Rope core isn’t programmed by magnetizing the ceramic donuts, but by weaving a wire through them. And when [Look Mum] saw the auto-dialer using the technology for a user-programmable interface, naturally, he just had to build a synth sequencer.