This Week In Security: DNS Oops, Novel C2s, And The Scam Becomes Real

Something rather significant happened on the Internet back in May, and it seems that someone only noticed it on September 3rd. [Youfu Zhang] dropped a note on one of the Mozilla security mailing lists, pointing out that there was a certificate issued by Fina for 1.1.1.1. That IP address may sound familiar, and you may have questions.

First off, yes, TLS certificates can be issued for IP addresses. You can even get a numeric TLS certificate for your IP address, via Let’s Encrypt. And second, 1.1.1.1 sounds familiar because that’s Cloudflare’s public DNS resolver. On that address, Cloudflare notably makes use of DoH, a charming abbreviation for DNS over HTTPS. The last important detail is that Cloudflare didn’t request or authorize the certificate. Significant indeed.

This is a high-profile example of the major weakness of the TLS certificate system. There are over 300 trusted certificate authorities in the Microsoft Root Certificate Program, Financijska agencija (Fina) being one of them. All it takes to compromise that system is for one of those trusted roots to issue a bad certificate. That it took four months for someone to discover and point out the problem isn’t great.

Heart Rate Monitoring Via WiFi

Before you decide to click away, thinking we’re talking about some heart rate monitor that connects to a display using WiFi, wait! Pulse-Fi is a system that monitors heart rate using the WiFi signal itself as a measuring device. No sensor, no wires, and it works on people up to ten feet away.

Researchers at UC Santa Cruz, including a visiting high school student researcher, put together a proof of concept. Apparently, your heart rate can modify WiFi channel state information. By measuring actual heart rate and the variations in the WiFi signal, the team was able to fit data to allow for accurate heart rate prediction.

The primary device used was an ESP32, although the more expensive Raspberry Pi performed the same trick using data generated in Brazil. The Pi appeared to work better, but it is also more expensive. However, that implies that different WiFi chipsets probably need unique training, which, we suppose, makes sense.

Like you, we’ve got a lot of questions about this one — including how repeatable this is in a real-world environment. But it does make you wonder what we could use WiFi permutations to detect. Or other ubiquitous RF signals like Bluetooth.

No need for a clunky wristband. If you could sense enough things like this, maybe you could come up with a wireless polygraph.

Capture And Plot Serial Data In The Browser

If you’re working with a microcontroller that reads a sensor, the chances are that at some point you’re faced with a serial port passing out continuous readings. The workflow of visualizing this data can be tedious, involving a cut-and-paste from a terminal to a CSV file. What if there were a handy all-in-one serial data visualization tool, a serial data oscilloscope, if you will? [Atomic14] has you covered, with the web serial plotter.

It’s a browser-based tool that uses the WebSerial API, so sadly if you’re a Firefox user you’re not invited to the party. Serial data can be plotted and exported, and there are a range of options for viewing. Behind the scenes there’s some Node and React magic happening, but should you wish to avoid getting your hands dirty there’s an online demo you can try.

Looking at it we’re ashamed to have been labouring under a complex workflow, particularly as we find this isn’t the first to appear on these pages.

Powering A Submarine With Rubber Bands

A look underneath the water’s surface can be fun and informative! However, making a device to go under the surface poses challenges with communication and waterproofing. That’s what this rubber band powered submarine by [PeterSripol] attempts to fix!

The greatest challenge of building such a submersible was the active depth control system. The submarine is slightly negatively buoyant so that once the band power runs out, it returns to the surface. Diving is controlled by pitch fins, which will pitch downward under the torque applied by the rubber bands. Once the rubber band power runs out, elastic returns the fins to their natural pitch up position encouraging surfacing of the submarine. However, this results in uncontrolled dives and risks loss of the submersible.

Figure 7-8, caption: Example thrust sheet rotation using tether control. Credit: NASA/James Bickford.

TFINER Is An Atompunk Solar Sail Lookalike

It’s not every day we hear of a new space propulsion method. Even rarer to hear of one that actually seems halfway practical. Yet that’s what we have in the case of TFINER, a proposal by [James A. Bickford] we found summarized on Centauri Dreams by [Paul Gilster].

TFINER stands for Thin-Film Nuclear Engine Rocket Engine, and it’s a hoot. The word “rocket” is in the name, so you know there’s got to be some reaction mass, but this thing looks more like a solar sail. The secret is that the “sail” is the rocket: as the name implies, it hosts a thin film of nuclear material whose decay products provide the reaction mass. (In the Phase I study for NASA’s Innovative Advanced Concepts office (NIAC), it’s alpha particles from Thorium-228 or Radium-228.) Alpha particles go pretty quick (about 5% c for these isotopes), so the ISP on this thing is amazing. (1.81 million seconds!)

Looking in the back of the Tektronix 577

Repairing A Tektronix 577 Curve Tracer

Over on his YouTube channel our hacker [Jerry Walker] repairs a Tektronix 577 curve tracer.

A curve tracer is a piece of equipment which plots I-V (current vs voltage) curves, among other things. This old bit of Tektronix kit is rocking a CRT, which dates it. According to TekWiki the Tektronix 577 was introduced in 1972.

In this repair video [Jerry] goes to use his Tektronix 577 only to discover that it is nonfunctional. He begins his investigation by popping off the back cover and checking out the voltages across the voltage rails. His investigations suggest a short circuit. He pushes on that which means he has to remove the side panel to follow a lead into the guts of the machine.

Tips For Homebrewing Inductors

How hard can it be to create your own inductors? Get a wire. Coil it up. Right? Well, the devil is definitely in the details, and [Nick] wants to share his ten tips for building “the perfect” inductor. We don’t know about perfect, but we do think he brings up some very good points. Check out his video below.

If you are winding wire around your finger (or, as it appears in the video, a fork) or you are using a beefy ferrite core, you’ll find something interesting in the video.
