Easily Bypass Laptop Fingerprint Sensors And Windows Hello

The fun part of security audits is that everybody knows that they’re a good thing, and also that they’re rarely performed prior to another range of products being shoved into the market. This would definitely seem to be the case with fingerprint sensors as found on a range of laptops that are advertised as being compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently blow gaping holes in the security of the three laptops they examined.

In the article by [Jesse D’Aguanno] and [Timo Teräs] the basic system and steps they took to defeat it are described. The primary components are the fingerprint sensor and Microsoft’s Secure Device Connection Protocol (SDCP), with the latter tasked with securing the (USB) connection between the sensor and the host. Theoretically the sensitive fingerprint-related data stays on the sensor with all matching performed there (Match on Chip, MoC) as required by the Windows Hello standard, and SDCP keeping prying eyes at bay.

Interestingly, the three laptops examined (Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X) all featured different sensor brands (Goodix, Synaptics and ELAN), with different security implementations. The first used an MoC with SDCP, but security was much weaker under Linux, which allowed for a fake user to be enrolled. The Synaptics implementation used a secure TLS connection that used part of the information on the laptop’s model sticker as the key, and the ELAN version didn’t even bother with security but responded merrily to basic USB queries.

To say that this is a humiliating result for these companies is an understatement, and demonstrates that nobody in his right mind should use fingerprint- or similar scanners like this for access to personal or business information.

CAR T Cell Immunotherapy And The Quiet Hope For A Universal Cancer Treatment

All of us have to deal with the looming threat of developing cancer during our lifetime, no matter how good our genetics are, or how healthy our lifestyle is. Despite major improvements to the way that we treat and even cure cases of cancer, the reality today is that not all types of cancer are treatable, in many cases there’s the likelihood that one day it will return even after full remission, and chemotherapy in particular comes with potential life-long health issues. Of the most promising new and upcoming treatments, immunotherapy is decidedly among the most interesting.

With this approach, it is the body’s own immune system that is taught to attack those cancer cells, requiring little more than a few tweaks to T-cells harvested from the patient’s body, after which they’re sent on their merry cancer-killing way. Yet as simple as this sounds, finding the right characteristics which identify the cancerous cells, and getting a solid and long-lasting immune response is a tough challenge. Despite highly promising results with immunotherapy treatment for non-solid cancers like leukemia – that have resulted in almost miraculous cures – translating this success to other cancer types has so far remained elusive.

New research now shows that changing some characteristics of these modified (chimeric antigen receptors, or CAR) T-cells may be key to making them significantly more long-lived and effective within a patient’s body. Is this the key to making immunotherapy possible for many more cancers?

Voice-Over-LTE: The Reason Why Your Phone May Soon Stop Working

Although wireless standards like 3G, 4G, and 5G are mostly associated with mobile internet, they also include a phone (voice) component. Up till 4G this was done using traditional circuit-switched telephony service, but with this fourth generation the entire standard instead moved to a packet-switched version akin to Voice-over-IP, called VoLTE (voice-over-LTE). Even so, a particular phone can choose to use a 4G modem, yet still use 3G-style phone connections. Until the 3G network is shut down, that is. This is the crux of [Hugh Jeffreys]’s latest video.

In order to make a VoLTE phone call, your phone, your provider, the receiving phone and the intermediate network providers must all support the protocol. Even some newer phones like the Samsung Galaxy J3 (2016) do not support this. For other phones you have to turn the feature on yourself, if it is available. As [Hugh] points out in the video, there’s no easy way to know whether an Android phone supports it, which is likely to lead to chaos as more and more 3G networks in Australia and elsewhere are turned off, especially in regions where people use phones for longer than a few years.

The cessation of such basic functionality is why in most countries 2G networks remain active, as they are being used by emergency services and others for whom service interruptions can literally cost lives, as well as countless feature phones and Internet of Things devices. For some phones without VoLTE, falling back to 2G might therefore still be an option if they support this. With the spotty support, lack of transparency and random shutdowns, things may however get rather frustrating for some in the coming years.

Airloom’s Whacky Wind Clothesline Turbine Idea

What if you don’t put airfoils on a central, spinning axis, but instead have them careen around a circular track? If you’re a company called Airloom, you’d say that it’s a very cheap, very efficient and highly desirable way to install wind-based generators that can do away with those unsightly and massive 100+ meter tall wind turbines, whether on- or offshore. Although grand claims are made, and venture capital firms have poured in some money, hard data is tough to find on their exact design, or the operating details of their one and only claimed kW-level prototype.

Transpower's 'flying clothesline' wind turbine setup.

Despite the claims made by Airloom, they’re not the first to have this idea, with Transpower in the 1980s making itself famous with their ‘flying clothesline’ that featured a continuous loop of sails tensioned between two ropes. These ran around a pole on either end with each having a generator for a claimed total of 200 kW. Ultimately Transpower seems to have gone under along with many other wind power pioneers of the era as they couldn’t make their idea economically feasible. Something which is a definite trend in the field.

Some parts about Airloom’s design are definitely concerning, with the available images showing each airfoil running along a central rail on a number of wheels and with their ‘Power Takeoff’ (i.e. generator) not defined in any meaningful manner. Here is where [Robert Murray-Smith] had a bit of fun in a recent video, creating his own dual-chain version that somewhat resembles a mixture between the Transpower and Airloom designs. He also put the design up on Thingiverse for others to 3D print and tinker with, requiring a handful of bearings for smooth running.

For the power takeoff, [Robert] suggests that in his design the cogs around which the chain moves could be attached to a generator (like in the Transpower design), but he could see no indication of how Airloom intends to do this. Feel free to put your own speculations in the comments. And if you’re from Airloom, show us the details!

The Slow March Of Sodium-Ion Batteries To Compete With Lithium-Ion

The process of creating new battery chemistries that work better than existing types is a slow and arduous one. Not only does it know more failures than successes, it’s rare that a once successful type gets completely phased out, which is why today we’re using lead-acid, NiMH, alkaline, lithium, zinc-air, lithium-ion and a host of other battery types alongside each other. For one of the up-and-coming types in the form of sodium (Na)-based batteries the same struggles are true as it attempts to hit the right balance between anode, cathode and electrolyte properties. A pragmatic solution here involves Prussian Blue for the cathode and hard carbon for the anode, as is the case with Swedish Northvolt’s newly announced sodium-ion battery (SIB) which is sampling next year.

Commercialization of different SIB battery chemistries by various companies. (Credit: Yadav et al. 2022)

The story of SIBs goes back well over a decade, with a recent review article by Poonam Yadav and colleagues in Oxford Open Materials Science providing a good overview of the many types of anodes, cathodes and electrolytes which have been attempted and the results. One of the issues that prevents an SIB from directly using the carbon-based anodes employed with today’s lithium-ion batteries (LIB) is the much larger ionic radius of sodium, which prevents intercalation without altering the carbon material to accept Na+ ions.

This is essentially where the hard carbon (HC) anode used by a number of SIB-producing companies comes into play, which has a far looser structure that does accept these ions and thus can be used with SIBs. The remaining challenges lie then with the electrolyte – which is where an organic form is the most successful – and the material for the sodium-containing cathode.

Although oxide forms and even sodium vanadium fluorophosphate (NVPF) are also being used, Prussian Blue analogs (PBAs) are attractive for being very low-cost and effective as cathode material once processed. An efficient way to process PB into fully sodiated and reduced Prussian White was demonstrated a few years ago, followed by successive studies backing up this assessment.

Although SIBs are seeing limited commercial use at this point, signs are that if they can be commercialized for the consumer market, they would have a capacity similar to that of current LIBs, albeit with the potential to be cheaper, more durable and easier to recycle.

Easy Hackintosh With Docker-OSX: Soon To Be Impossible?

The Docker-OSX project has to be among the easiest ways to get a fully functional Hackintosh off the ground on any Linux or Windows (10+) system, with the Docker image handling the heavy lifting of keeping the copy of MacOS happy and satisfied, even as the legality remains questionable, as we previously reported on in 2021. Officially, Apple’s software license for MacOS states that it can only be installed and used on Apple-branded hardware, which precludes the installation in e.g. a Docker container. This has left Docker-OSX in a gray zone where it’s technically illegal, but as it’s being advertised by its developer [Sick Codes] to be for use by security researchers who participate in Apple’s Bug Bounty program (including iOS, which requires XCode, which requires MacOS, etc.), it seems to slip through the cracks.

An obvious issue which may soon spell the end of MacOS-on-x86_64 and with it this use of Docker-OSX is that MacOS is now straddling Apple Silicon and Intel’s x86_64 architecture, with the latter no longer being sold by Apple in any of its systems after the recent introduction of its Apple Silicon-based Mac Pro. Although MacOS Sonoma (14) still supports x86_64, this support could be cut in MacOS 15 or 16, at which point running Docker-OSX with an Apple Silicon-only MacOS image would at the very least require an AArch64-based ARM system, though likely with an ISA extension level that matches the lowest-end Apple Silicon (ARMv8.5-A for M1).

Although this should not make it impossible to run Docker-OSX on future Linux (and perhaps Windows) systems on AArch64-based systems, it would make it more complicated and expensive as using one’s existing x86_64-based PC is no longer an option aside from adding a sluggish Qemu layer in between, which would add a significant performance penalty. If you are using Docker-OSX, what are your experiences and plans here?

First CRISPR-Based Therapies For Sickle Cell Disease And Beta Thalassemia Approved In The UK

The gene-therapy-based treatment called Casgevy was recently approved in the UK, making it the first time that a treatment based on the CRISPR-Cas9 gene editing tool has been authorized for medical treatments. During the clinical trials, a number of patients were enrolled with either sickle cell disease (SCD) or β thalassemia, both of which are blood disorders that affect the production of healthy red blood cells. Of the 45 who enrolled for the SCD trial, 29 were evaluated in the initial 12-month efficacy assessment, with 28 of those found to be still free of the severe pain crises that characterize SCD. For the β thalassemia trial, 42 patients were evaluated and 39 were still free of the need for red blood cell transfusions and iron chelation after the 12-month period, with the remaining three showing a marked reduction in the need for these.

Both of these blood disorders are inherited via recessive genes, meaning that in the case of SCD two abnormal copies of the β-globin (HBB) gene are required to trigger the disorder. For β thalassemia a person can be a carrier or have a variety of symptoms based on the nature of the two sets of mutated genes that involve the production of HbA (adult hemoglobin), with the severest form (β thalassemia major) requiring the patient to undergo regular transfusions. Both types of conditions have severe repercussions on overall health and longevity, with few individuals living to the age of 60.

The way that the Casgevy treatment works involves taking stem cells out of the bone marrow of the patient, after which the CRISPR-Cas9 tool is used to target the BCL11A gene and cut it out completely. This particular gene is instrumental in the switch from fetal γ globin (HBG1, HBG2) to adult β globin form. Effectively this modification causes the resulting cells to produce fetal-type hemoglobin (HbF) instead of adult HbA which would have the mutations involved in the blood disorder.

For the final step in the treatment, the modified stem cells have to be inserted back into the patient’s bone marrow, which requires another treatment to make the bone marrow susceptible to hosting the new cells. After this the patient will ideally be cured, as the stem cells produce new, HbF-producing cells that go on to create healthy hemoglobin. Although the safety and cost considerations (~US$2M per patient) of such a CRISPR-Cas9 gene therapy may give pause, this has to be put against the prospect of 40-60 years of intensive symptom management.

Currently, the US FDA as well as the EU’s EMA are also looking at possibly approving the treatment, which might open the gates for similar gene-therapies.

Top image: A giemsa stained blood smear from a person with beta thalassemia. Note the lack of coloring. (Credit: Dr Graham Beards, Wikimedia Commons)