Hunting For Space Pirates

Ever since the first artificial satellite was launched into orbit, radio operators around the world have been tuning in to their space-based transmissions. Sputnik 1 only sent back pulses of radio waves, but in the decades to follow ever more advanced radio satellites were put into service that could support two-way communications from Earth to space and back again.

Some of these early satellites were somewhat lacking in security, though, and have been re-purposed by various pirates around the world for their own ends. [Gabe] aka [saveitforparts] is here to show us how to hunt for those pirates and listen in on their radio traffic.

Pirates on these satellites have typically used them for illicit activities, and it is still illegal to use them for non-governmental or non-military purposes, so [Gabe] notes that he will only be receiving, not transmitting. The signals he is tuning in to are VHF transmissions, specifically around 220 MHz. That puts them easily within the reach of the RTL-SDR and common ham radio equipment, but since they are coming from space a more directional antenna is needed. [Gabe] quickly builds a Yagi antenna from scrap, tuned specifically to 255 MHz, and mounts it to an old remote-controlled security camera mount which allows him to point it exactly at the satellite and monitor transmissions.

From there he is able to pick up what looks like a few encrypted and/or digital transmissions, plus analog transmissions of likely pirates speaking a language he guesses to be Portuguese. He also hears what he thinks is a foreign TV broadcast, but which oddly enough turns out to be NPR. These aren’t the only signals in space to tune to, either. There are plenty of purpose-built ham radio satellites available for any licensed person to use, and we’ve also seen this other RTL-SDR configured to snoop on Starlink signals.


This Week In Security: GoDaddy, Joomla, And ClamAV

We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.”

That multi-year campaign appears to go back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment, which has been linked to the same group.

Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.

Joomla’s Force Persuasion

Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases before 4.2.8, which contains the fix. The issue is in the REST API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.

There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the data. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even password hash. It’s leaking the SQL database information. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.
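For site operators who want to know whether their API was probed this way, the request pattern described above can be hunted for in web server access logs. This is an added example, not code from the article or from Joomla; it assumes Combined Log Format and that the REST API is served under an /api/ path prefix, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
API_MARKER = "/api/"  # assumption: path prefix of the Joomla REST API

def find_public_param_hits(lines):
    """Return one dict per API request that carried a `public` query parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        path = unquote(parts.path).lower()
        # parse_qs percent-decodes names, so an encoded "%70ublic" is caught too
        query = parse_qs(parts.query, keep_blank_values=True)
        names = {name.lower() for name in query}
        if API_MARKER not in path or "public" not in names:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["time"], "path": path, "status": status,
            # 2xx: the server answered instead of refusing; worth reviewing
            "served": 200 <= status < 300,
        })
    return hits

# Constructed sample lines; "placeholder" stands in for a real API route.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Feb/2023:10:01:02 +0000] "GET /api/index.php/v1/placeholder?public=true HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.9 - - [20/Feb/2023:10:04:40 +0000] "GET /api/index.php/v1/placeholder?%70ublic=true HTTP/1.1" 401 212 "-" "-"',
    '192.0.2.44 - - [20/Feb/2023:10:05:11 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 9120 "-" "-"',
    '192.0.2.44 - - [20/Feb/2023:10:06:00 +0000] "GET /blog/post?public=true HTTP/1.1" 200 5531 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_public_param_hits(SAMPLE_LOG):
        verdict = "SERVED, review and patch" if hit["served"] else "refused"
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} -> {hit["status"]} ({verdict})')
```

A served hit on a 4.x site older than 4.2.8 means the database settings should be treated as disclosed: upgrade, then change the database credentials.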

Answering Some Pico Balloon Questions

When the US Air Force shot down some suspected Chinese spy balloons a couple of weeks ago, it was widely reported that one of the targets might have been a much more harmless amateur radio craft. The so-called pico balloon K9YO was a helium-inflated Mylar balloon carrying a tiny solar-powered WSPR beacon, and it abruptly disappeared in the same place and time in which the USAF claimed one of their targets. When we covered the story it garnered a huge number of comments both for and against the balloonists, so perhaps it’s worth returning with the views of a high-altitude-ballooning expert.

[Dave Akerman] has been sending things aloft for a long time now; we think he may have been one of the first to put a Raspberry Pi aloft back in 2012. In his blog post he attempts to answer the frequently asked questions about pico balloons, their legality, whether they should carry a beacon, and what the difference is between these balloons and the latex “weather balloon” type we’re familiar with. It’s worth a read, because not all of us are part of the high-altitude balloon community and thus it’s good to educate oneself.

Meanwhile, you can read our original report here.

Tiny Machine Learning On As Little As 2 KB Of RAM

All of the machine learning stuff coming out lately doesn’t affect you if you are developing with embedded microcontrollers, right? Perhaps not. Microsoft Research India wants you to use their EdgeML tool to do machine learning tasks such as gesture recognition in tiny devices like an Arduino Uno. According to the developers, you might need as little as 2 KB of RAM. There’s no network connection required and the work is using TensorFlow underneath, so it is compatible with much of what you’ll find for bigger computers.

If you add processing power, you can get more capability. For example, one of the demonstrations is a wake-word recognizer on a Raspberry Pi Zero (although the page for that demo seems to be missing at the moment; try the GesturePod, instead).

The system generally uses Python, but there are efficient C++ implementations for selected algorithms. The code lives on GitHub. There are also a number of research papers about each tool that you can find on the GitHub page. There’s also a recent paper on MinUn, an attempt to make things even more efficient for ARM microcontrollers. In particular, MinUn can store approximate numbers to save space, allows for variable precision of tensors, and tries to reduce memory fragmentation, an important feature for CPUs that don’t have memory management units.

If you haven’t studied TensorFlow yet, start here. Why use something like this with a microcontroller? How about smarter robots?

Sailing On A Sea Of Seven-Segment Displays

The amount of information the humble seven-segment display can convey is surprising. There are the ten numerals, dead-ringers or reasonable approximations for about half the alphabet, and even a few not-quite-canonical symbols. But when you put 12,288 segments to work, you get all that and much more.

Behold Sea of Segments, an art piece by [Will Gallia] that really pushes what’s possible with seven-segment displays. The piece, which looks about the size of a decent flat-panel TV, is composed of an 8×6 array of PCBs, each of which holds an 8×4 array of white LED seven-segment displays; each board also holds two TLC5920 LED drivers. [Will] designed the PCBs to tile horizontally and vertically, making it possible to take data either from the top or right side and output to the bottom or left. Power is distributed to the modules through a series of steel bus bars, which also provide structural support for the display. The whole thing lives in an enclosure with a smoked acrylic front panel, and hangs from a pair of steel cables that also provide power.

Under the hood, a PocketBeagle does all the heavy lifting of talking to the display and translating images onto the display. [Will] came up with an encoding scheme that gives about five bits of grayscale, and built a program to figure out which segments should be lit to create an image. The result is a smooth and convincing reproduction of videos of waves on a beach, which is where the project gets its name. Check out the results in the video below.

[Will] says he drew inspiration for this build from the DigitGrid by [Skot9000]. That was a great project too, but Sea of Segments takes the concept to another level.


German Air Force Surplus Teardown

It isn’t clear to us how [mrsylvain59] came into possession of a late-model piece of military gear from the German Air Force, but we enjoyed watching the teardown below anyway. According to the documentation, the thing has a huge price tag, although we all know that the military usually pays top dollar for various reasons, so we are guessing the cost of the parts is quite a bit less than the price tag.

We don’t think [mrsylvain59] was sure what the amplifier (verstärker is German for amplifier) does. However, we recognized it as an avionics box from a UH-1 helicopter. We aren’t sure of its exact function, but it is classified under “Automatic Pilot Mechanisms and Airborne Gyro Components.”



Supersized Laptop Laughs In The Face Of Portability

Sometimes a project needs to go big, and [Evan and Katelyn] threw portability to the wind to build the “world’s biggest” laptop.

Stretching the believability of “bigger is better,” this laptop features a 43″ screen, an enormous un-ergonomic keyboard, and a trackpad that might be bigger than your hand. Not to be outdone by other gaming laptops, it also features RGB lighting and a logo that really pops with neon resin.

The pair started the build with an aluminum extrusion frame joined by hinges. Plywood forms the top lid and bottom of the device, and the interior was covered with a mix of vinyl and ABS to keep everything tidy. A nice detail is the windows cut in the area above the keyboard to keep an eye on the charge of the two battery packs powering the laptop. Weighing more than 100 pounds, we suspect that this won’t be the next revolution in computing.

If you need more supersized gadgets, maybe try out the world’s biggest working keyboard or this giant Xbox Series X?