This Week In Security: F5, SonicWall, And The End Of Windows 10

F5 is unintentionally dabbling in releasing the source code behind their BIG-IP networking gear, announcing this week that an unknown threat actor had access to their internal vulnerability and code tracking systems. This security breach was discovered on August 9th, and in the time since, F5 has engaged with CrowdStrike, Mandiant, and NCC Group to review what happened.

So far it appears that the worst result is access to unreleased vulnerabilities in the F5 knowledge management system. This means that any unpatched vulnerabilities were effectively 0-days, though the latest set of patches for the BIG-IP system has fixed those flaws. There aren’t any reports of those vulnerabilities being exploited in the wild, and F5 has stated that none of the leaked vulnerabilities were critical or allowed for remote exploitation.

Slightly more worrying is that this access included the product development environment. The problem there isn’t particularly the leak of the source code — one of the covered projects is NGINX, which is already open source software. The real danger is that changes could have been surreptitiously added to those codebases. The fact that NGINX is Open Source goes a long way to alleviate that danger, and when combined with the security built into tools like git, it seems very unlikely that malicious code could be sneaked into the NGINX public code base. A thorough review of the rest of the F5 codebases has similarly come up negative, and so far it looks like the supply-chain bullet has been dodged.

Site Of Secret 1950s Cold War Iceworm Project Rediscovered

The overall theme of the early part of the Cold War was that of subterfuge — with scientific missions often providing excellent cover for placing missiles right on the USSR’s doorstep. Recently NASA rediscovered Camp Century, while testing an airplane-based synthetic aperture radar instrument (UAVSAR) over Greenland. Although established on the surface in 1959 as a polar research site, and actually producing good science from e.g. ice core samples, beneath this benign surface was the secretive Project Iceworm.

By 1967 the base was forced to be abandoned due to shifting ice caps, which would eventually bury the site under over 30 meters of ice. Before that, the scientists would test out the PM-2A small modular reactor. It not only provided 2 MW of electrical power and heat to the base, but was itself subjected to various experiments. Alongside this public face, Project Iceworm sought to set up a network of mobile nuclear missile launch sites for Minuteman missiles. These would be located below the ice sheet, capable of surviving a first strike scenario by the USSR. A lack of Danish permission, among other complications, led to the project eventually being abandoned.

It was this base that popped up during the NASA scan of the ice bed. Although it was thought that the crushed remains would be safely entombed, it’s estimated that by the year 2100 global warming will have led to the site being exposed again, including the thousands of liters of diesel and tons of hazardous waste that were left behind back in 1967. The positive news here is probably that with this SAR instrument we can keep much better tabs on the condition of the site as the ice cap continues to grind it into a fine paste.


Top image: Camp Century in happier times. (Source: US Army, Wikimedia)

A New Golden Age Of Browser Games

Arguably, the golden age of browser gaming occurred in the 00s mostly revolving around Adobe Flash. This was an era with high creativity and a low barrier of entry, and also decentralized from gatekeeping app stores. Sadly, these times have passed us by as the security concerns around Flash led to its discontinuation and most casual gamers have migrated to the app store for their fix. But that doesn’t stop some from continuing to bring gaming to the browser, even if those games were never intended for it in the first place like this browser port of Celeste.

Celeste is an indie platformer where the player climbs a mysterious mountain while confronting her inner struggles. Originally meant for consoles and PC, a group of friends including [velzie], [bomberfish], and [Toshit] aka [r58Playz] took this as a challenge especially after seeing someone else’s half finished web port of this game. Most of the build revolves around WebAssembly (wasm) and around “cursed” .NET runtime hacks which also allow the port to run the community-made Everest mod loader. It uses a multithreaded and JIT compiling version of mono-wasm backported from .NET 10 to .NET 9 to maximize performance. The team actually first started by porting Terraria to the browser, and then moved on to this Celeste port from there.

The port of Celeste can be played here, and their port of Terraria is also available, although it may not support a ton of Hackaday traffic, so some patience is advised. There are also GitHub repositories for Celeste and Terraria. With impressive ports of relatively modern games moving into the browser, perhaps we’re entering a new golden age of browser gaming; we’ve also seen things like Minecraft implemented in only HTML and CSS lately.

Chicken Squisher 3000: Squish-Proof Security

Keeping chickens in predator-prone areas demands serious fortifications, but even the most robust coop can become a hassle without automation. That’s where [lcamtuf] steps in with his Chicken Squisher 3000, a clever DIY automatic door mechanism that opens and closes based on ambient light levels.

The chicken coop he previously built did not include a mechanism to automatically close the inner door at night, meaning that arrangements would have to be made should [lcamtuf] want to leave town for a couple of days. Not wanting to go with a commercial option for this door as that would require a good deal of modifications to the original door setup, the Chicken Squisher 3000 adds minimal parts to the existing door to now open and close the door at dawn and dusk.

Using a 12 V DC motor with a gear reduction, he was able to generate more than enough torque to open and close the thick wooden door. Instead of a complex geared rack and pinion setup, [lcamtuf] has the motor mounted to a smooth rod that then applies force across the swing of the door attached with a rod end bearing. Driving the door’s automation is an AVR16DD14 microcontroller which is used to read the NSL-A6009 light sensor. [lcamtuf] uses a DRV8231 motor driver for controlling power going to that 12 V motor with the added benefit of being able to adjust stall torque to dial in a value strong enough to overcome the wooden door’s friction, but weak enough to not endanger any of his birds. There are also buttons on the metal enclosure used to override the light sensor should he want to override it manually.

Thanks, [lcamtuf], for sending in your latest weekend project; we love the resourcefulness of using just a handful of cheap parts to make a robust solution for your coop. If you haven’t seen them yet, be sure to check out some of our other chicken coop door hacks featured before.

A Deep Dive Into Molten Bismuth

Bismuth is known for a few things: its low melting point, high density, and psychedelic hopper crystals. A literal deep-dive into any molten metal would be a terrible idea, regardless of low melting point, but [Electron Impressions]’s video on “Why Do Bismuth Crystals Look Like That” may be the most educational eight minutes posted to YouTube in the past week.

The whole video is worth a watch, but since spoilers are the point of these articles, we’ll let you in on the secret: it all comes down to Free Energy. No, not the perpetual motion scam sort of free energy, but the potential that is minimized in any chemical reaction. There’s potential energy to be had in crystal formation, after all, and nature is always (to the extent possible) going to minimize the amount left on the table.

In bismuth crystals, at least when you have a pot slowly cooling at standard temperature and pressure, that means instead of a large version of the rhombohedral crystal you might naively expect if you’ve tried growing salt or sugar crystals in beakers, you get the madman’s maze that actually emerges. The reason for this is that atoms are preferentially deposited onto the vertexes and edges of the growing crystal rather than the face. That tends to lead to more vertexes and edges until you get the fractal spirals that a good bismuth crystal is known for. (It’s not unlike the mechanism by which the dreaded tin whiskers grow, as a matter of fact.)

Bismuth isn’t actually special in this respect; indeed, nothing in this video would not apply to other metals, in the right conditions. It just so happens that “the right conditions” in terms of crystal growth and the cooling of the melt are trivial to achieve when melting bismuth in a way that they aren’t when melting, say, aluminum in the back yard. [Electron Impressions] doesn’t mention it because he is laser-focused on bismuth here, but hopper crystals of everything from table salt to gold have been produced in the lab. When cooling goes too quickly, it’s “any port in a storm” and atoms slam into solid phase without a care for the crystal structure, and you get fine-grained, polycrystalline solids; when it goes slowly enough, the underlying crystal geometry can dominate. Hopper crystals exist in a weird and delightful middle ground that’s totally worth eight minutes to learn about.

Aside from being easy to grow into delightful crystals, bismuth can also be useful when desoldering, and, oddly enough, making the world’s fastest transistor.

Positive Results With Negative Resistance

Try an experiment. Next time you are in a room with someone, ask them to name everything in the room. Only certain kinds of people will say “air” or “light.” For most people, those are just givens, and you don’t think about them unless, for some reason, you don’t have them. Resistance is like that in electronics. You use it constantly, but do you ever think much about what it is? For a resistor, the value in ohms really represents the slope of the line that describes the amount of voltage you’ll see across the component when it carries a certain amount of current. For resistors, that slope is — at least in theory — constant and positive. But [Void Electronics] made a video exploring negative resistance, and it is worth watching, below.

If you haven’t seen negative resistance before, you might wonder how that is possible. Ohm’s law is just a shorthand for calculating the slope of a graph with voltage on the Y axis and current on the X axis. It works because the voltage and current are always zero at the same time, so the slope is (V-0)/(I-0), and we just shorten that to the normal Ohm’s law equation.

But not everything has a linear response to current. Some devices will have different slopes over different current regions. And sometimes that slope can be negative, meaning that an increase in current through the device will cause it to drop less voltage. Of course, this is usually just over a narrow range and, as [Void] points out, most devices don’t specify that parameter on their data sheets. In fact, some transistors won’t even work in the circuit.

The circuit in question in the video below the break is an odd one. It uses two resistors, an LED, and a transistor. But the transistor’s base is left disconnected. No 555 needed. How does it work? Watch the video and you’ll see. There’s even a curve tracer if you don’t like to see hand-drawn graphs.

We’ve looked at negative resistance more than once. There are a few exotic devices, like tunnel diodes, that are explicitly used for the negative resistance property. When the gas in a neon bulb breaks down, you get the same effect.

After Trucking Them Home, Old Solar Panels Keep On Trucking

The fact that there exist in our world flat rocks that make lightning when you point them at the sun is one of the most unappreciated bits of wizardry in this modern age. As hackers, we love all of this techno-wizardry, but some of us abhor paying full price for it. Like cars, one way to get a great discount is to buy used. [Backyard Solar Project] helped a friend analyze some 14-year-old panels to see just how they’d held up over the years, and it was actually better than we might have expected.

The big polycrystalline panels were rated at 235 W when new, and they got 6 of them for the low, low price of “get this junk off my property”. Big panels are a bit of a pain to move, but that’s still a great deal. Especially considering that after cleaning they averaged 180 W, a capacity factor of 77%. Before cleaning, 14 years’ worth of accumulated grime cost about eight watts, on average, an argument for cleaning your panels. Under the same lighting conditions, the modern panel (rated to 200 W) was giving 82% of rated output.

That implies that after 14 years, the panels are still at about 94% of their original factory output, assuming the factory wasn’t being overoptimistic about the numbers to begin with. Still, assuming you can trust the marketing, a half a percent power drop per year isn’t too bad. It’s also believable, since the US National Renewable Energy Laboratory (yes, they have one) has done tests that put that better than the average of 0.75 %/yr. Of course the average American solar panel lives in a hotter climate than [Backyard Solar Project], which helps explain the slower degradation.

Now, we’re not your Dad or your accountant, so we’re not going to tell you if used solar panels are worth the effort. On the one hand, they still work, but on the other hand, the density is quite a bit lower. Just look at that sleek, modern 200 W panel next to the old 235 W unit. If you’re area-limited, you might want to spring for new, or at least the more energy-dense monocrystalline panels that have become standard the last 5 years or so, which aren’t likely to be given away just yet. On the gripping hand, free is free, and most of us are much more constrained by budget than by area. If nothing else, you might have a fence to stick old panels against; the vertical orientation is surprisingly effective at higher latitudes.
