This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords

[Wladimir Palant] seems to be on a one-man crusade against security problems in security software. The name may not be immediately recognizable, but among his other infamies is originating Adblock Plus, which we have a love-hate relationship with. (Look, surf the net with an adblocker, but disable it for sites you trust and want to support, like HaD.)

This week, he announced a rather serious flaw in Bitdefender. The disclosure starts off with high praise for Bitdefender: “security-wise Bitdefender Antivirus is one of the best antivirus products I’ve seen so far….” Even with that said, the vulnerability he found is a serious one: a malicious website can trigger the execution of arbitrary applications. The problem was fixed in an update released on the 22nd.

Image by Wladimir Palant, CC BY-SA 4.0

The vulnerability is interesting. First, Bitdefender uses an API that was added to web browsers specifically to enable security software to work without performing man-in-the-middle decryption of HTTPS connections. When a problem is detected, Bitdefender replaces the potentially malicious page with its own error message.

Because of the way this is implemented, the browser sees this error message as being the legitimate contents of the requested site. Were this a static page, it wouldn’t be a problem. However, Bitdefender provides an option to load the requested page anyway, and does this by embedding tokens in that error page. When a user pushes the button to load the page, Bitdefender sees the matching tokens in the outgoing request, and allows the page.

Double The RAM Of A Dreamcast Console For A Cool 32 MB

The Sega Dreamcast is the forgotten orphan of the console wars, an extremely capable machine never able to escape the shadow of its PlayStation rivals, and, because it marked the end of Sega’s console line, never redeemed in reputation by a more popular successor. It retains a significant following a couple of decades after its heyday though, and still sees hardware hacks such as [Tsowell]’s doubling of its available RAM to 32 MB.

The console shipped with 16 MB of memory in two banks, but while the SH4 processor can address twice that figure, the designers at Sega never brought the required address line out from under the BGA. So it should be impossible to give it a memory expansion, but when hardware hackers are at work nothing should be ruled out. The hack involves manipulation of the bank-switching addressing, and took several careful readings for us to fully understand. The new RAM chips have two address lines tied together and wired to another, a job for some fine but ultimately not impossible soldering. To take advantage of the extra RAM there is a set of patched BIOS images.

So, if you either have a spare Dreamcast you care little enough about to risk, or you consider your console hacking skills to be so advanced that it will be a piece of cake, you can now double the platform’s RAM. Extra points if you also make it portable.

Thanks [John Little] for the tip.

Header: Evan-Amos / CC BY-SA 3.0

iPhone pictured with a lock

Is Anything Really Private Anymore?

In the connected age, privacy appears every day to be becoming more and more of an idealistic fantasy rather than a basic human right. In the latest round of the privacy debate, [TechCrunch] reports that the FBI is taking some shots at Apple.

You may recall the unfortunate events that led the FBI to ask Apple to unlock an iPhone belonging to a person of interest. Apple did not capitulate to the FBI’s request, on the basis of its fundamental commitment to privacy. The FBI wasn’t really thrilled with Apple’s stance, given the circumstances leading to the request. Nevertheless, the FBI was eventually able to unlock the phone without Apple’s help.

You may find it somewhat interesting that the author of the news piece appears to be more upset with the FBI for cracking the phone than at Apple (and by extension other tech companies) for making phones that are crackable to begin with.

Maybe we should take solace in knowing that Apple stood their ground for the sake of honoring their privacy commitment. But as we saw, it didn’t really matter in the end as the FBI was able to hire a third party to help them unlock the phones and were later able to repeat the process in-house. The article also noted that there are other private companies capable of doing exactly what the FBI did. We understand that no encryption is 100% safe. So it begs the question, “Is anything really private anymore?” Share your thoughts in the comments below.

Teardown Of The Singaporean COVID-19 TraceTogether Token

A large part of fighting against the SARS-CoV-2 pandemic is the practice of contact tracing, where the whereabouts of an infected person can be traced and anyone who has been in contact with that person over the past days tested for COVID-19. While smartphone apps have been a popular choice for this kind of tracing, they come with a range of limitations, which is what the TraceTogether hardware token seeks to circumvent. Now [Sean “Xobs” Cross] has taken a look at the hardware that will be inside the token once it launches.

The Simmel COVID-19 contact tracer.

Recently, [Sean] along with [Andrew “bunnie” Huang] and a few others were asked by GovTech Singapore to review their TraceTogether hardware token proposal. At its core it’s similar to the Simmel contact tracing solution – on which both are also working – with contacts stored locally in the device, Bluetooth communication, and a runtime of a few months or longer on the non-rechargeable batteries.

The tracing protocol used is BlueTrace, which is an open application protocol aimed at digital contact tracing. It was developed by the Singaporean government, initially for use with their TraceTogether mobile app.

This smartphone app showed a number of issues. First, Apple does not allow iOS apps to use Bluetooth in the background, requiring the app to be active in the foreground to be useful. Apple has its own tracing protocol, but it does not cover the requirements for building a full contact graph, as [Andrew] covers in more detail. Finally, the app in general is not useful to those who do not have a recent (compatible) smartphone, or who do not have a smartphone at all.

A lot of the challenges in developing these devices lie in making them low-power, while still having the Bluetooth transceiver active often enough to be useful, as well as having enough space to store interactions and the temporary tokens that are used in the tracing protocol. As Simmel and the TraceTogether tokens become available over the coming months, it will be interesting to see how well these predictions worked out.

Creating A Custom ASIC With The First Open Source PDK

A process design kit (PDK) is by now a fairly standard part of any transformation of a new chip design into silicon. A PDK describes how a design maps to a foundry’s tools, which themselves are described by a DRM, or design rule manual. The FOSSi Foundation now reports on a new, open PDK project launched by Google and SkyWater Technology. Although the OpenPDK project has been around for a while, it is a closed and highly proprietary system, aimed at manufacturers and foundries.

The SkyWater Open Source PDK on GitHub is listed as a collaboration between Google and SkyWater Technology Foundry to provide a fully open source PDK and related sources, so that one can create manufacturable designs at the SkyWater foundry that target the 130 nm node. Open tools here should mean a far lower cost of entry than is usually the case.

Although a quite old process node at this point (~19 years), it should nevertheless still be quite useful for a range of applications, especially those that merge digital and analog circuitry. SkyWater lists their SKY130 node technology stack as:

  • Support for internal 1.8V with 5.0V I/Os (operable at 2.5V)
  • 1 level of local interconnect
  • 5 levels of metal
  • Inductor-capable
  • High sheet rho poly resistor
  • Optional MiM capacitors
  • Includes SONOS shrunken cell
  • Supports 10V regulated supply
  • HV extended-drain NMOS and PMOS

It should be noted that use of this open source PDK is deemed experimental at this point in time, and should not be used for any commercial or otherwise sensitive applications.

Header image: Peellden / CC BY-SA 3.0

A Baby Grand Gets MIDI

Like a lot of people, [Jacques] doesn’t think a big hunk of plastic light enough to carry under your arm is a piano, even if it does have 88 keys. A piano is supposed to be a hefty piece of furniture that you have to buy people pizza to help you move. So he bought a used baby grand piano. It wasn’t in very good shape, though, so while restoring it, he also added MIDI to it. You can see the finished result in the video below.

At $100, the price was right, although it cost more to move it. Between water damage, moth attacks, and storage in a garage, the piano — an old Zimmerman — needed a lot of tender loving care. When it came to MIDI, [Jacques] found a used Disklavier — a very expensive piece of kit — but it didn’t fit the Zimmerman or another piano at hand. The solenoids and optical sensors are set up for a particular piano, so what can you do? Easy! Rebuild the bar that holds the solenoids and sensors.


Exercise Ball Makes A Passable Landing Gear

Exercise balls are great for many things, from amusing children to breaking everything in your living room, often in quick succession. After seeing some German WWII prototype aircraft with wild landing gear designs, the [FliteTest] crew decided to see whether they could use an exercise ball to build a plane ready for even the bumpiest of runways.

Comparisons to the Gee Bee R-1 abound in the video.

The exercise ball created some constraints on the design, due to its weight and the large amount of drag it creates. To work around this, the design features a foamcore and carbon fibre construction to save weight. The exercise ball is placed front and center, serving as both the nose and landing gear of the aircraft. V-tails are used to place the rear control surfaces outside of the shadow of the ball, to help maintain control authority. Initial tests of the airframe showed handling problems. The team solved these by using a pair of gyro stabiliser boards of their own design, named Aura.

With the issues solved, the final aircraft is hilarious to behold. The huge, bouncing ball makes an excellent landing gear, able to launch off lumps and bumps and even skim over water. We’ve seen [FliteTest] get up to other escapades in the past, too. Video after the break.

[Thanks to Baldpower for the tip!]
