This Week In Security: Samba, Wormhole Crypto Heist, And A Bogus CVE

Samba has a very serious vulnerability, CVE-2021-44142, that was just patched in new releases 4.13.17, 4.14.12, and 4.15.5. Discovered by researchers at TrendMicro, this unauthenticated RCE bug weighs in at a CVSS 9.9. The saving grace is that it requires the fruit VFS module to be enabled, which is used to support MacOS client and server interop. If enabled, the default settings are vulnerable. Attacks haven’t been seen in the wild yet, but go ahead and get updated, as PoC code will likely drop soon.

Crypto Down the Wormhole

One notable selling point of cryptocurrencies and Web3 is smart contracts, little computer programs running directly on the blockchain that can move funds around very quickly, without intervention. It’s quickly becoming apparent that the glaring disadvantage is that these are computer programs that can move money around very quickly, without intervention. This week there was another example of smart contracts at work, when an attacker stole $326 million worth of Ethereum via the Wormhole bridge. A cryptocurrency bridge is a service that exists as linked smart contracts on two different blockchains. These contracts let you put a currency in on one side, and take it out on the other, effectively transferring currency to a different blockchain. Helping us make sense of what went wrong is [Kelvin Fichter], also known appropriately as [smartcontracts].

When the bridge makes a transfer, tokens are deposited in the smart contract on one blockchain, and a transfer message is produced. This message is like a check drawn on a checking account, which you take to the other side of the bridge to cash. The other end of the bridge verifies the signature on the “check”, and if everything matches, your funds show up. The problem is that on one side of the bridge, the verification routine could be replaced by a dummy routine supplied by the end user, and the code didn’t catch it.

It’s a hot check scam. The attacker created a spoofed transfer message, provided a bogus verification routine, and the bridge accepted it as genuine. The majority of the money was transferred back across the bridge, where other users’ valid tokens were being held, and the attacker walked away with 90,000 of those ETH tokens.

A 64-Bit Raspberry Pi OS At Last

Long-term Raspberry Pi watchers will have seen a lot of OS upgrades in their time, from the first Debian Squeeze previews through the Raspbian years to the current Raspberry Pi OS. Their latest OS version is something different though, and could be one of the most important releases in the platform’s history so far, as finally there’s an official release of a 64-bit Raspberry Pi OS.

Would-be 64-bit Pi users have of course had the chance to run 64-bit GNU/Linux operating system builds from other distributions for nearly as long as there have been Pi models with 64-bit processors, but until now the official distribution has only been available as a 32-bit build. In their blog post they outline their reasons for this move in terms of compatibility and performance, and indeed we look forward to giving it a try.

Aside from being a more appropriate OS for a 64-bit Pi, this marks an interesting moment for the folks from Cambridge in that it is the first distribution that won’t run on all Pi models. Instead it requires a Pi 3 or better, which is to say the Pi 3, Zero 2 W, Pi 4, Pi 400, and the more powerful Compute Modules. All models with earlier processors, including the original Pi, the Pi Zero, and we think the dual-core Pi 2, require a 32-bit version. While the Pi Zero, B+ and A+ featuring the original CPU are still in production, this marks an inevitable move to 64-bit, in a similar fashion to that experienced by the PC industry a decade or more ago.

As far as we know the Zero is still flying off the shelves, but this move towards an OS that will leave it behind is the expected signal that eventually there will be a Pi line-up without the original chip being present. We’re sure the 32-bit Pi will be supported for years to come, but it should be clear that the Pi’s future lies firmly in the 64-bit arena. They’ve retained their position as the board to watch oddly not by always making the most impressive hardware but by having the most well-supported operating system, and this will help them retain that advantage by ensuring that OS stays relevant.

On the subject of the future course of the Pi ship, our analysis that the Compute Module 4 is their most exciting piece of hardware still stands.

A computer program written in basic next to a modular synthesizer with many switches and lights

Modular Synth Pairs Perfectly With The Apple II

We have a soft spot for synthesizers – seriously, who doesn’t? So when [Joshua Coleman] combined his retro-looking DIY modular synth with the equally retro Apple II computer, we just had to share it with you.

The two machines are paired using a vintage digital-to-analog logic controller pack. This DAC was originally used to control model trains using your Apple II – something that we now desperately need to see in action. The pack can output voltages between 0 and 2.55 V at 8-bit resolution (or 256 steps), which is plenty for a retro synth.

With the card installed in Slot 7 of the Apple II and the DAC wired through to the synth’s CV/gate, it’s then a trivial matter of writing POKE statements in Applesoft BASIC to control the synth. The video after the break demonstrates playing a simple melody, as well as how one might use the Apple II keyboard to ‘play’ the synth in real time.

If you’re interested in building your own, the video below has all the information needed, as well as helpful advice on where to find a DAC for your preferred model of vintage computer. If all that doesn’t tickle your musical fancy, make sure to check out our coverage on the Game Boy MIDI synth, or perhaps this peculiar synth and visualizer combo.


Conveyor Belt Printer Mod Is Nearly All Printed

[Call Me Swal] wanted to experiment with large 3D prints. So he took a Hornet 3D printer and designed a lot of 3D parts to convert it into an “infinite” conveyor belt printer. As you can see in the video below, it looks like all the parts are 3D printed, but you will still need to buy material for the actual belt.

Of course, you may not have a Hornet, but the idea would be applicable to just about any similar printer. You’d have to, of course, adapt or redesign the parts.


Retrotechtacular: Understanding The Strength Of Structural Shapes

Strength. Rigidity. Dependability. The ability to bear weight without buckling. These are all things that we look for when we build a mechanical structure. And in today’s Retrotechtacular we take a closer look at the answer to a question: “What’s in A Shape?”

As it turns out, quite a lot. In a wonderful film by the prolific Jam Handy Organization in the 1940s, we take a scientific look at how shape affects the load bearing capacity of a beam. A single sided piece of metal, angle iron, C-channel, and boxed tubing, all made of metal of the same thickness, are compared to see not just how much load they can take, but also how they fail.

The concepts are then given practical application in things that we still deal with on a daily basis: Bridges, cars, aircraft, and buildings. Aircraft spars, bridge beams, car frames, and building girders all benefit from the engineering discussed in this time capsule of film.

None of the concepts in this video are suddenly out of date, because while our understanding of engineering has certainly progressed since this film was made, these basic concepts remain the same. As such, they will apply to any structural or mechanical devices that we make, be it 3D printed, CNC routed, welded, glued, vacuum formed, zip tied, duct taped, baling wired, or hot glued.

Keep your eyes open for the wonderful sights and sounds of a rare Boeing 314 Clipper landing on water, and a 1920s Buffalo Springfield Steam Roller demonstrating how wonderfully the film’s sponsor, Chevrolet, makes their automobile frames.


3D Printing Goes Near Infrared

Researchers at the University of Texas have been experimenting with optical 3D printing using near infrared (NIR) light instead of the more traditional ultraviolet. They claim to have a proof of concept and, apparently, using NIR has many advantages. The actual paper is paywalled, but there are several good summaries, including one from [3D Printing Industry].

UV light degrades certain materials and easily scatters in some media. However, decreasing the wavelength of light used in 3D printing has its own problems, notably less resolution and slower curing speed. To combat this, the researchers used an NIR-absorbent cyanine dye that exhibits rapid photocuring. The team reports times of 60 seconds per layer and resolution as high as 300 micrometers. Nanoparticles in the resin allow tuning of the part’s appearance and properties.


Getting Root On Linux Amplifier Adds New Inputs

We remember when getting Linux on your average desktop computer was a tricky enough endeavor that only those with the most luxurious of graybeards would even attempt it. A “Linux box” in those heady days was more than likely an outdated machine salvaged from the dumpster, side panel forever removed, cranking away in a basement or garage. Fast forward to today, and Linux is literally everywhere: from smartphones and luxury cars, to TVs and refrigerators. Ironically it’s still not on most desktop computers, but that’s a discussion for another time.

So when [Michael Nothhard] sent in the fascinating account of how he hacked his Linux-powered Bluesound Powernode N150 amplifier to unlock more inputs, the least surprising element was that there was a “smart amplifier” out there running the free and open source operating system. What piqued our interest was that he was able to bust his way in with relative ease and enable some impressive new capabilities that the manufacturer would probably rather have kept under wraps.

Configuring the CM6206’s audio settings.

[Michael] explains that the N150 has a USB port on the back side of it, and that officially, it only works with mass storage devices and a handful of approved peripherals such as a Bluetooth dongle. But as he was hoping to connect some more devices to the input-limited amplifier, he wondered if he could get a USB audio adapter recognized by the OS. After using a known exploit to get root access, he started poking around at the underlying Linux system to see what kind of trickery the developers had done.

Based on a fairly common C-Media CM6206 chipset, the StarTech 7.1 USB audio adapter was picked up by the kernel without an issue. But to actually get it working with the amplifier’s stock software, he then needed to add a new <capture> entry to the system’s sovi_info.xml configuration file and make some changes to its default ALSA settings. With the appropriate files modified, the new USB audio input device popped up under the official Bluesound smartphone application.

At the end of the write-up [Michael] notes that you’ll need to jump through a few additional hoops to make sure that an upstream firmware update doesn’t wipe all your hard work. Luckily it sounds like backing up the configuration and returning it to the newly flashed Powernode is easy enough. We’ve certainly seen more elaborate methods of gaining control of one’s sound system over the years.