A Timex Datalink smartwatch next to an Arduino

Arduino Keeps Your Classic Timex Datalink In Sync

The Timex Datalink was arguably the first usable smartwatch, and was worn by NASA astronauts as well as geek icons like Bill Gates. It could store alarms, reminders and phone numbers, and of course tell the time across a few dozen time zones. One of the Datalink’s main innovations was its ability to download information from your PC — either through flashing images on a CRT monitor or through a special adapter plugged into a serial port.

With CRTs thin on the ground and original serial adapters fetching ludicrous prices online, classic Datalink users today may find it hard to keep their watches in sync with their Outlook calendars. Fortunately for them, [famiclone] came up with a solution: a DIY Datalink adapter based on an Arduino. It works the same way as Timex’s serial adapter, in that it receives data through the computer’s serial port and transmits it to the watch by flashing a red LED.

Updating your watch does require the use of the original Datalink PC software, which only runs on classic operating systems like Windows 95 or 98, so you’ll need to keep a copy of such an OS running. Luckily, it has no problem with virtual machines or USB COM ports, so at least you don’t need to keep vintage PC hardware around. Then again, whipping out a 1995 Pentium laptop to update your Timex watch would make for the ultimate geek party piece.

Love classic geeky watches? Check out this featured article we did on them a few years ago. If you’re interested in using computer monitors to transmit data optically, we’ve covered a few projects that do just that.

This Week In Security: Browser In The Browser, Mass Typo-squatting, And /dev/random Upgrades

For every very clever security protocol that keeps people safe, there’s a stupid hack that defeats it in an unexpected way. Take OAuth for instance. It’s the technology that sites are using when they offer to “log in with Facebook”. It’s a great protocol, because it lets you prove your identity using a trusted third party. You don’t have to use a password at whatever site you’re trying to use, you just need to be logged in to your Google/Facebook/Apple account, and click the button to allow access. If you’re not logged in, the pop-up window prompts for your username and password, which of course is one way phishing attacks try to steal passwords. So we tell people to look at the URL, and make sure they are actually signing in to the proper site.

An OAuth pop-up window

The stupid hack that isn’t stupid, because it works: Recreating the browser window in HTML/CSS. Yep, it’s pretty straightforward to add a div to your site, and decorate it to look just like a browser window, just like an OAuth pop-up. In the appropriate place goes an iframe pointing to the actual phishing form. It looks convincing, but once you’re aware of the game, there’s a dead giveaway — try to move the OAuth window outside the browser window that spawned it. Websites can’t draw outside the browser window or over its window decorations, so this limitation makes it easy to confirm whether this hack is in play. The other saving grace is that a password manager isn’t fooled by this trick at all.

Via: Ars Technica

Typo-squatting At Scale

There’s a typo-squatting campaign going on at NPM, primarily targeted at Azure users. NPM has a packaging feature called “scoped packages”. A scope starts with the at sign, and indicates packages intentionally grouped together. In this case the scope is @azure, including packages like @azure/core-tracing, with over 1.5 million weekly downloads. The typo? Just drop the scope. NPM considers it completely acceptable to have both the @azure/core-tracing and core-tracing packages — in fact, it’s a feature of the scoping system. But forget to include the scope, and you may get a malicious package instead. Over 200 packages were targeted in this way, but have since been pulled by NPM.

The payload was strictly reconnaissance, grabbing directory listings, IP addresses, and the like. It’s likely that the information would be used to craft more malicious future updates, though no such behavior has been observed. This is likely due to how rapidly these packages were caught and removed — after only about two days. The domain used for data collection is 425a2.rt11.ml, so that string showing up in a DNS log somewhere is an indicator that one of these packages was installed.
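A check for both signs described above, written as an added example that is not code from the article or from NPM: it flags dependencies whose unscoped name matches a trusted scoped package, and picks out DNS log lines that query the reported collection domain. The trusted list beyond @azure/core-tracing, the manifest and the dnsmasq-style log lines are constructed assumptions.

```javascript
// "@azure/core-tracing" is the package named in the article; the other two
// entries are illustrative additions to the trusted list (assumption).
const TRUSTED_SCOPED = ['@azure/core-tracing', '@azure/identity', '@azure/storage-blob'];
const IOC_DOMAIN = '425a2.rt11.ml'; // collection domain reported in the article

// Return dependencies whose unscoped name equals the base name of a trusted
// scoped package, i.e. the scope was dropped when the dependency was added.
function findDroppedScopes(pkg, trusted = TRUSTED_SCOPED) {
  const byBase = new Map(trusted.map((name) => [name.split('/')[1], name]));
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const dep of Object.keys(pkg[section] || {})) {
      if (!dep.startsWith('@') && byBase.has(dep)) {
        findings.push({ section, installed: dep, intended: byBase.get(dep) });
      }
    }
  }
  return findings;
}

// Return log lines that query the collection domain or a subdomain of it.
// The leading/trailing anchors avoid matching look-alike names.
function findIocQueries(logLines, domain = IOC_DOMAIN) {
  const escaped = domain.replace(/\./g, '\\.');
  const pattern = new RegExp(`(^|[\\s.])${escaped}\\.?(\\s|$)`, 'i');
  return logLines.filter((line) => pattern.test(line));
}

// Constructed sample manifest: two dependencies are missing their scope.
const SAMPLE_PACKAGE_JSON = {
  name: 'constructed-sample-app',
  dependencies: { '@azure/identity': '^2.0.0', 'core-tracing': '^1.0.0', express: '^4.17.0' },
  devDependencies: { 'storage-blob': '*' },
};

// Constructed sample resolver log lines.
const SAMPLE_DNS_LOG = [
  'Mar 24 10:02:11 dnsmasq[411]: query[A] registry.npmjs.org from 10.0.0.23',
  'Mar 24 10:02:14 dnsmasq[411]: query[A] 425a2.rt11.ml from 10.0.0.23',
  'Mar 24 10:02:15 dnsmasq[411]: query[A] host7.425a2.rt11.ml from 10.0.0.23',
];

console.log(findDroppedScopes(SAMPLE_PACKAGE_JSON));
console.log(findIocQueries(SAMPLE_DNS_LOG));
```

A finding here only means the name deserves a second look; an unscoped package with the same base name can be legitimate.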

Lapsus$ Strikes Again, Again

The loose collection of hackers known as Lapsus$ have potentially scored breaches at both Microsoft and Okta. KrebsonSecurity has a bit more information about the group and the Microsoft case. The group seems to be doing some of their coordination over a Telegram channel, which is open for anyone to join. The group boasted of their exploits on this channel, and Microsoft responders found and cut their access during the data exfiltration. A 10 GB file has been released containing partial source to Bing search, Bing Maps, and Cortana.

The Okta situation is even murkier, as the released screenshots indicate access back in late January. The access seems to have been limited to an administrative portal, via a Support Engineer’s account. Okta has gone out of their way to assure everyone that there was no actual breach, and the rogue access was quickly dealt with. This seems to be a bit disingenuous, as Lapsus$ was after companies making use of Okta services, and didn’t need to compromise their systems any further. Okta provides access management for other companies, like Cloudflare. There’s likely been some quiet infiltration happening in the months since this happened.

Linux Gets More Random

[Jason Donenfeld], kernel hacker and main developer of Wireguard, has worked recently on the Linux random number generator. A few changes landed in release 5.17, and more are coming in 5.18. He was kind enough to write up some of the interesting changes for our education. He considers his most important contribution to be documentation. I can confirm, among the most frustrating problems a programmer can face is when the documentation has bit-rotted to uselessness.

One of the biggest user-facing changes was the attempt to unify /dev/random and /dev/urandom. We say attempt, because this change caused multiple failures to boot on the kernel’s test setup. Apparently some architectures, specifically when being virtualized, have no method of generating high quality randomness during boot. The next killer feature is the new add_vmfork_randomness() call, that allows a newly cloned virtual machine to request a regeneration of its randomness pool. Without a call like this, the first few random numbers generated by the kernel after a VM fork would be identical — obviously a problem.

Internally, the randomness code retires the venerable SHA-1 algorithm, replacing it with the more modern BLAKE2 hash function. An interesting advantage is that BLAKE2 is intentionally a very fast algorithm, so the kernel gains a bit of performance when generating random numbers. The rest of the changes delve into more complicated cryptography considerations. Definitely worth reading if you’re interested.

Western Digital NAS RCE

We’ve covered plenty of vulnerabilities and attacks in NAS boxes from QNAP and Synology, but this week it’s Western Digital getting in on the action. Thankfully it’s research from NCC Group, demonstrated at Pwn2Own 2021, and fixed in a January update. This Remote Code Execution (RCE) vulnerability is in how the NAS handles the Apple Filing Protocol (AFP), and was actually a problem in the Netatalk project. AFP supports storing file metadata as a separate file, for the sake of compatibility. These files are in the AppleDouble format, and take the name of their parent file, prepended with a ._. The kicker is that these files can also be accessed using the Windows SMB protocol, allowing direct manipulation of the metadata file. The function that parses the metadata file does indeed detect a malformed data structure, and logs an error to that effect, but fails to fail — it goes ahead and processes the bad data.

This continue-on-error is the central flaw, but actually building an exploit required a data leak to defeat the address layout randomization in place on the device. A simpler first step was to write memory locations into the AppleDouble file, and use SMB access to read it. With the leaked address in hand, the full exploit was easy. This would be bad enough, but these devices ship with a “Public” share world-accessible over SMB and AFP. This configuration makes it a pre-auth RCE. And this demonstrates the purpose of Pwn2Own — it was discovered, made the researchers a bit of money, and was fixed before the details were made public.
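What the opposite of continue-on-error looks like for this file format, as an added illustration that is not Netatalk’s code and not a reconstruction of the specific bug: a parser for the AppleDouble header and entry table that throws on the first inconsistency, so nothing downstream ever sees the bad values. The field layout follows the published AppleDouble format; the function names and the sample files are constructed for this example.

```javascript
const AD_MAGIC = 0x00051607;   // AppleDouble magic number
const AD_VERSION = 0x00020000; // AppleDouble version 2
const AD_HEADER_LEN = 26;      // magic(4) + version(4) + filler(16) + entry count(2)
const AD_ENTRY_LEN = 12;       // entry id(4) + offset(4) + length(4)

// Parse the header and entry table. Every check throws, so a malformed file
// yields no entries at all rather than a logged warning and partial results.
function parseAppleDouble(buf) {
  if (buf.length < AD_HEADER_LEN) throw new RangeError('truncated header');
  if (buf.readUInt32BE(0) !== AD_MAGIC) throw new Error('bad magic');
  if (buf.readUInt32BE(4) !== AD_VERSION) throw new Error('unsupported version');
  const count = buf.readUInt16BE(24);
  const tableEnd = AD_HEADER_LEN + count * AD_ENTRY_LEN;
  if (tableEnd > buf.length) throw new RangeError('entry table exceeds file');
  const entries = [];
  for (let i = 0; i < count; i++) {
    const base = AD_HEADER_LEN + i * AD_ENTRY_LEN;
    const id = buf.readUInt32BE(base);
    const offset = buf.readUInt32BE(base + 4);
    const length = buf.readUInt32BE(base + 8);
    // Entry data must sit after the table and end inside the file. (In C the
    // sum offset + length would also need an integer-overflow check.)
    if (offset < tableEnd || offset + length > buf.length) {
      throw new RangeError(`entry ${id} out of bounds`);
    }
    entries.push({ id, data: buf.subarray(offset, offset + length) });
  }
  return entries;
}

// Build a constructed one-entry file; claimedLength lets the sample state a
// length that does not match the data actually present.
function buildSample(payload, claimedLength = payload.length) {
  const header = Buffer.alloc(AD_HEADER_LEN + AD_ENTRY_LEN);
  header.writeUInt32BE(AD_MAGIC, 0);
  header.writeUInt32BE(AD_VERSION, 4);
  header.writeUInt16BE(1, 24);             // one entry
  header.writeUInt32BE(9, 26);             // entry id 9 = Finder Info
  header.writeUInt32BE(header.length, 30); // data starts right after the table
  header.writeUInt32BE(claimedLength, 34);
  return Buffer.concat([header, payload]);
}

// True only when the whole file validated.
function isAccepted(buf) {
  try { parseAppleDouble(buf); return true; } catch (err) { return false; }
}

console.log(isAccepted(buildSample(Buffer.alloc(32))));       // well-formed
console.log(isAccepted(buildSample(Buffer.alloc(32), 4096))); // length overstated
```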

RFM9x module held in an adapter board with flexipins

FlexyPins Might Help With Those Pesky Castellated Modules

[SolderParty] just announced FlexyPins (Twitter, alternative view) – bent springy clips that let you connect modules with castellated pins. With such clips, you can quickly connect and disconnect any castellated module, swapping them without soldering as you’re prototyping, testing things out, or pre-flashing modules before assembly. They’re reportedly gold-plated, and a pack of ~100 will set you back 6EUR, shipping not included.

Of course, this is basically “fancy pieces of wire”, purpose-shaped, gold-plated and, hopefully, made out of material that is springy enough and doesn’t snap easily after bending a few times. We’ve seen this concept used for prototyping before, with random pieces of wire doing a pretty good job of maintaining connectivity, but these clips bring it that much closer to production-grade. It also makes us wonder – just how hard it is to solder 30-40 of them into a circuit? Do they self-align enough with the footprints given, or do you have to hold them with tweezers at a peculiar angle as you solder them? Time will tell, of course.


Top side of the VL670 breakout board, with two USB connectors and the VL670 chip in the center.

A Chip To Bridge The USB 2 – USB 3 Divide

On Twitter, [whitequark] has found and highlighted an intriguing design – a breakout board for the VL670, accompanied by an extensive yet very easy to digest write-up about its usefulness and inner workings. The VL670 is a chip that addresses a surprising problem – converting USB 2.0 signals into USB 3.0.

If you have a USB 2.0 device and a host with only USB 3.0 signals available, this chip is for you. It might be puzzling – why is this even needed? It’s about the little-known dark secret of USB3, that anyone can deduce if they ever have to deal with a 9-pin USB 3.0 connector where one of the three differential pairs doesn’t quite make contact.

When you see a blue “3.0” port, it’s actually USB 2 and USB 3 — two separate interfaces joined into a single connector. USB 3 uses two single-directional differential pairs, akin to PCI-E, whereas USB 2 uses a single bidirectional one, and the two interfaces on a blue connector operate basically independently of each other. There’s many implications to this that are counterintuitive if you simply take “USB 3.0” for “faster backwards-compatible USB”, and they have painful consequences.

For instance, USB 3 hub ICs have two separate hub entities inside – one for USB 3 and one for USB 2. Even if you have a USB 3 hub plugged into a USB 3 port, multiple USB 2 devices plugged into it still cannot break through the USB 2 uplink limit of 480 MBps. If you ever thought that a faster hub with a faster uplink would fix your USB 2 device speed problems – USB-IF engineers, apparently, thought differently; and you might have to find a workaround for your “many cheap SDRs and Pi 4 in a box” setup.

The Invisible Battlefields Of The Russia-Ukraine War

Early in the morning of February 24th, Dr. Jeffrey Lewis, a professor at California’s Middlebury Institute of International Studies, watched Russia’s invasion of Ukraine unfold in real time with troop movements overlaid atop high-resolution satellite imagery. This wasn’t privileged information — anybody with an internet connection could access it, if they knew where to look. He was watching a traffic jam on Google Maps slowly inch towards and across the Russia-Ukraine border.

As he watched the invasion begin along with the rest of the world, another, less-visible facet of the emerging war was beginning to unfold on an ill-defined online battlefield. Digital espionage, social media and online surveillance have become indispensable instruments in the tool chest of a modern army, and both sides of the conflict have been putting these tools to use. Combined with civilian access to information unlike the world has ever seen before, this promises to be a war like no other.

Modern Cyberwarfare

The first casualties in the online component of the war have been websites. Two weeks ago, before the invasion began en masse, Russian cyberwarfare agents launched distributed denial of service (DDoS) attacks against Ukrainian government and financial websites. Subsequent attacks have temporarily downed the websites of Ukraine’s Security Service, Ministry of Foreign Affairs, and government. A DDoS attack is a relatively straightforward way to quickly take a server offline. A network of internet-connected devices, either owned by the aggressor or infected with malware, floods a target with requests, as if millions of users hit “refresh” on the same website at the same time, repeatedly. The goal is to overwhelm the server such that it isn’t able to keep up and stops replying to legitimate requests, like a user trying to access a website. Russia denied involvement with the attacks, but US and UK intelligence services have evidence they believe implicates Moscow.

This Week In Security: Ukraine, Nvidia, And Conti

The geopolitics surrounding the invasion of Ukraine are outside the scope of this column, but the cybersecurity ramifications are certainly fitting fodder. The challenge here is that almost everything of note that has happened in the last week has been initially linked to the conflict, but in several cases, the reported link hasn’t withstood scrutiny. We do know that the Vice Prime Minister of Ukraine put out a call on Twitter for “cyber specialists” to go after a list of Russian businesses and state agencies. Many of the sites on the list did go down for some time, the digital equivalent of tearing down a poster. In response, the largest Russian ISP stopped announcing BGP routes to some of the targeted sites, effectively ending any attacks against them from the outside.

A smattering of similar events have unfolded over the last week, like electric car charging stations in Russia refusing to charge, and displaying a political message, “GLORY TO UKRAINE”. Not all the attacks have been so trivial. Researchers at Eset have identified HermeticWiper, a bit of malware with no other purpose but to destroy data. It has been found on hundreds of high-value targets, likely causing much damage. It is likely the same malware that Microsoft has dubbed FoxBlade, and published details about their response.

It’s Official! The Raspberry Pi Is Now 10!

In any given field there are epoch-defining moments, those events after which nothing was quite the same as it had been before. It’s been a decade since the launch of the first Raspberry Pi single board computer. This was by no means the first inexpensive computer board, nor was it the first to support the GNU/Linux operating system, but it was among the first to promise a combination of those two. That, coupled with support from a crop of British 8-bit alumni, meant that from when it first gained publicity in early 2011 it garnered a huge buildup of interest.

We were first teased with a USB stick style prototype, which morphed into a much larger Raspberry Pi alpha board and finally into pre-production boards much closer to the model launched at the end of February ten years ago.

How To Disappoint Every Single British Geek At 6 AM

An array of Pi prototype boards pictured on display at the Cambridge University Computer Laboratory.

Pedants will claim that the 10th birthday of the Pi is technically not yet upon us because those first Model B boards went on sale on the 29th of February 2012, a leap day. The two distributors, RS and Farnell, were both putting them on sale with the expectation of selling around 10,000 units — a prediction that proved woefully inadequate, with both websites collapsing under the weight of would-be Pi-purchasers within seconds of opening up at 6 AM.

I was ready to order at 6 AM, and was only able to order mine halfway through the day. That short wait would be just the beginning — because they received so many more orders than anticipated, the bulk of the orders weren’t fulfilled until May. Nobody had imagined how wildly successful the Pi boards would become.