This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty, potential supply chain attack in this tool, when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control Service (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection. Name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mercurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe could still be used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
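The defensive pattern that closes this class of argument injection, as an added example that is not Composer's or Packagist's own code: the README path is validated and always handed to the VCS as a positional argument in an argv list, never spliced into a shell string. The SAFE_PATH allow-list and the accepted extensions are assumptions, not Composer's actual rules.

```python
import re
import subprocess

# Assumed allow-list for readme names; Composer's real rules may differ.
SAFE_PATH = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*\.(txt|md|rst)$")


def check_positional(value, what):
    """Reject anything a VCS option parser could read as a flag (e.g. --help, --config=...)."""
    if not value or value.startswith("-"):
        raise ValueError(f"refusing {what} that looks like an option: {value!r}")
    return value


def vcs_cat_argv(vcs, revision, path):
    """Build argv to read one file at one revision, keeping user data positional.

    Passing a list (no shell) stops '|sh' style chaining; the leading-dash check
    and the '--' separator stop the path from being parsed as a VCS option.
    """
    check_positional(revision, "revision")
    check_positional(path, "readme path")
    if not SAFE_PATH.match(path) or ".." in path.split("/"):
        raise ValueError(f"readme path rejected by allow-list: {path!r}")
    if vcs == "git":
        # git object syntax <revision>:<path>; neither part may start with '-'.
        return ["git", "show", f"{revision}:{path}"]
    if vcs == "hg":
        return ["hg", "cat", "-r", revision, "--", path]
    raise ValueError(f"unsupported vcs: {vcs!r}")


def read_readme(vcs, revision, path, repo_dir):
    """Run the VCS as an argv list; never shell=True with concatenated strings."""
    argv = vcs_cat_argv(vcs, revision, path)
    result = subprocess.run(argv, cwd=repo_dir, capture_output=True, check=True)
    return result.stdout


def is_accepted(vcs, revision, path):
    """True if the inputs would be passed to the VCS at all, False if rejected."""
    try:
        vcs_cat_argv(vcs, revision, path)
    except ValueError:
        return False
    return True
```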

The Quiet Before The Storm?

My wife and I are reading a book about physics in the early 1900s. It’s half history of science and half biography of some of the most famous physicists, and it’s good fun. But it got me thinking about the state of physics 120 years ago.

What we’d now call classical mechanics was fully settled for quite a while, and even the mysterious electricity and magnetism had been recently put to rest by Maxwell and Heaviside. It seemed like there was nothing left to explain for a while. And then all the doors broke wide open.

As much as I personally like Einstein’s relativity work, I’d say the most revolutionary change in perspective, and driver of the most research in the intervening century, was quantum mechanics. And how did it all start? In the strangest of ways – with Niels Bohr worrying about why hydrogen and helium gases gave off particular colors when ionized, which led to his model of the atom and the idea of energy in quantum packets. Or maybe it was De Broglie’s idea that electrons could behave like waves or magnets, from slit and cathode-ray experiments respectively, that led to Heisenberg’s uncertainty principle.

Either way, the birth of the strangest and most profound physics revolution – quantum mechanics – came from answering some ridiculously simple and straightforward questions. Why does helium emit pink, and how do TVs work? (I know, they didn’t have TVs yet…) Nobody looking at these phenomena, apart or together, could have thought that answering them would have required a complete re-thinking of how we think about reality. And yet it did.

I can’t help but wonder if there are, in addition to the multi-bazillion dollar projects like the Large Hadron Collider or the James Webb Space Telescope, some simpler phenomena out there that we should be asking “why?” about. Are we in a similar quiet before the storm? Or is it really true that the way to keep pushing back the boundaries of our ignorance is through these mega-projects?

Lenses: From Fire Starters To Smart Phones And VR

In antiquity, we see examples of magnifying crystals formed into a biconvex shape as early as the 7th century BC. Whether the people of that period used them either for fire-starting purposes or vision is unclear. Still, it is famously said that Emperor Nero of Rome watched gladiator games through an emerald.

Needless to say, the views we get through modern lenses are a lot more realistic. So how did we get from simple magnifying systems to the complex lens systems we see today? We start with a quick journey through the history of the camera and the lens, and we’ll end up with the cutting edge in lens design for smartphone cameras and VR headsets.


The Case For Designer Landline Phones

Long before the idea of hot dog-shaped iPhone cases, Otter Boxen, or even those swappable Nokia face plates, people were just as likely to express themselves with their landline phones. Growing up at my house in the 80s, the Slimline on the kitchen wall was hidden inside a magneto wall set from the early 1900s, the front of which swung out to reveal the modern equipment behind it. Back in my bedroom, I had the coolest phone ever, a see-through Unisonic with candy-colored guts. Down in the basement was my favorite extension, tactility-wise: a candy apple-red wall unit with dimly-lit circular push buttons that were springy and spongy and oh-so fun to dial.

Popular culture shows us that people were dreaming of cool telephone enclosures before they were even a thing. Obviously, TV secret agent Maxwell Smart’s shoe phone wasn’t plausible for the technology of that era, but it also wasn’t really feasible for aesthetic reasons. For decades, phone subscribers had to use whatever equipment Ma Bell had to offer, and you couldn’t just buy the things outright at the mall — you had to lease the hardware from her, and pay for the service.


Researchers Build Neural Networks With Actual Neurons

Neural networks have become a hot topic over the last decade, put to work on jobs from recognizing image content to generating text and even playing video games. However, these artificial neural networks are essentially just piles of maths inside a computer, and while they are capable of great things, the technology hasn’t yet shown the capability to produce genuine intelligence.

Cortical Labs, based down in Melbourne, Australia, has a different approach. Rather than rely solely on silicon, their work involves growing real biological neurons on electrode arrays, allowing them to be interfaced with digital systems. Their latest work has shown promise that these real biological neural networks can be made to learn, according to a pre-print paper that is yet to go through peer review.

This Week In Security: Y2K22, Accidentally Blocking 911, And Bug Alert

If you had the misfortune of running a Microsoft Exchange server this past week, then you don’t need me to tell you about the Y2K22 problem. To catch the rest of us up, when Exchange tried to download the first malware definitions update of 2022, the version number of the new definitions triggered a crash in the malware detection engine. The date is represented as the string 2201010001, where the first two digits represent the year. This string gets converted to a signed long integer, which maxes out at 2,147,483,647. The integer overflows, and the result is undefined behavior, crashing the engine. The server fails safe, not processing any messages without a working malware engine, which means that no e-mail gets through. Happy new year!
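The arithmetic behind the crash, as an added example that is not Microsoft's code: a ten-digit YYMMDDNNNN version that fits a signed 32-bit integer throughout 2021 stops fitting on 1 January 2022, and a parser that range-checks before converting can reject the update while keeping the previously loaded definitions active. The version format, the constructed 2021 version numbers and the DefinitionEngine class are assumptions.

```python
INT32_MAX = 2**31 - 1  # 2,147,483,647: the largest value a signed 32-bit integer holds


def wrap_int32(value):
    """What a blind 32-bit signed conversion does to an oversized value: wrap modulo 2**32."""
    return ((value + 2**31) % 2**32) - 2**31


def parse_definition_version(version):
    """Parse a YYMMDDNNNN definition version, refusing anything that does not fit int32.

    Raises ValueError for malformed input and OverflowError when the decimal value
    exceeds INT32_MAX, instead of letting it silently wrap to a negative number.
    """
    if not (version.isdigit() and len(version) == 10):
        raise ValueError(f"malformed definition version: {version!r}")
    value = int(version)
    if value > INT32_MAX:
        raise OverflowError(f"version {version} does not fit a signed 32-bit integer")
    return value


class DefinitionEngine:
    """Toy definition engine that fails closed on a bad update: the update is rejected
    and recorded, the old definitions stay loaded, and scanning keeps working."""

    def __init__(self, version):
        self.version = parse_definition_version(version)
        self.rejected = []  # (offending version string, exception name)

    def apply_update(self, new_version):
        try:
            parsed = parse_definition_version(new_version)
        except (ValueError, OverflowError) as exc:
            self.rejected.append((new_version, type(exc).__name__))
            return False
        if parsed <= self.version:
            return False  # not newer; nothing to do
        self.version = parsed
        return True


def try_update(current, new):
    """Apply one update to a fresh engine; returns (accepted, active version afterwards)."""
    engine = DefinitionEngine(current)
    return engine.apply_update(new), engine.version
```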

Quantum Atomic Interferometer For Precision Motion Sensing

The current state of the art of embedded motion sensing is based around micro-electromechanical systems (MEMS) devices. These miracles of microfabrication use tiny silicon structures, configured to detect acceleration and rotational velocity in three dimensions. Accumulate these accelerations and rotations, and you’ve got a device that can find its orientation and track movement without any external waypoints. This is the basis of the technique of dead reckoning.

Why do we care about dead reckoning anyway? Surely GPS and related positioning systems are good enough? Above ground, GPS is usually good enough, but underwater and underground it simply won’t work. Even heading indoors has a dramatic effect on the GPS signal strength, so yes, we need another way for some applications.

Right now, the current state of the art in portable sensors is MEMS devices, and you can get them for the cost of a hamburger. But if you want the ultimate in accuracy, you’ll want a quantum atomic interferometer. What that is, and how it will be possible to make one small enough to be useful, is half of the story. But first, let’s talk MEMS.
