Microsoft Bug Tracking Hacked

It seems that the database containing descriptions of critical and unfixed bugs and/or vulnerabilities in some of the most widely used software in the world, including the Windows operating system, was hacked back in 2013. This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.

Microsoft discovered the database breach in early 2013 after the highly skilled hacking group Morpho a.k.a. Butterfly a.k.a. Wild Neutron broke into computers at a number of major tech companies, including Apple, Facebook, and Twitter. The group exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then used them as pivots into the companies’ internal networks.

Official sources say that the Microsoft bug database was poorly protected, with access possible via little more than a password. Four years later, we have official confirmation that it happened. To measure the breach impact, Microsoft started a study to correlate the potential flaws in their databases and subsequent attacks. The study found that the flaws in the stolen database were actually used in cyber attacks, but Microsoft argued the hackers could have obtained the information elsewhere, and that there’s “no evidence that the stolen information had been used in those breaches.”

There is really no way to know besides asking the actual hacking group, which will most likely not happen… unless they are HaD readers, in which case they can feel free to comment.

[via Reuters]

Bad RSA Library Leaves Millions Of Keys Vulnerable

So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows an attacker to compute the private key via a Coppersmith’s attack starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. Major vendors including Microsoft, Google, HP, Lenovo, and Fujitsu already released software updates and guidelines for mitigation.

The researchers found and analysed vulnerable keys in various domains including electronic citizen documents (750,000 Estonian identity cards), authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but could be up to two to three orders of magnitude higher.

Devices dating back to at least 2012 are affected, despite being NIST FIPS 140-2 and CC EAL 5+ certified. The vulnerable chips were not necessarily sold directly by Infineon Technologies AG, as the chips can be embedded inside devices of other manufacturers.


3D Prints And Food

We recently ran a post about a cute little 3D printed elephant that could dispense booze. The design didn’t actually have the plastic touching the liquid — there was a silicone tube carrying the shots. However, it did spark a conversation at the secret Hackaday bunker about how safe it is to use 3D printed objects for food. In particular, when I say 3D printing, I’m talking fused deposition modeling. Yes, there are other technologies, but most of us are printing using filament laid out in layers with a hot nozzle.

There’s a common idea that ABS is bad in general, but that PET and PLA are no problem because there are food-safe versions of those plastics available. However, the plastic is only a small part of the total food safety picture. Let me be clear: I am not a medical professional and although my computers have run a few plastics plants in years past, I am not really an expert on polymer chemistry, either. However, I don’t use 3D printed materials to hold or handle food and while you might not drop dead if you do, you might want to reconsider.


Stripping 3D Printed Gears For Science

While 3D printing is now well on its way to becoming “boring” in the same way that a table saw or lathe is, there was a time when the media and even some early adopters would have told you that the average desktop 3D printer was perhaps only a few decades behind the kind of replicator technology we saw on the Enterprise. But as the availability of these machines increased and more people got to see one up close, reality sank in pretty quickly.

Many have dismissed the technology as little more than a novelty, and even within the 3D printing community itself there’s a feeling that most printers are used for little more than producing “dust collectors”. Some would see this attitude as disheartening, but the hackers over at [Gear Down For What?] see it as a challenge. They’ve made it their mission to push printed parts to increasingly ridiculous heights to show just what the technology is capable of, and in their latest entry, set out to push a pair of 3D printed gearboxes to failure.

The video starts out with a head-to-head challenge between two of their self-designed gearboxes. As they were spun up with battery powered drills, the smaller of the two quickly gave up the ghost, stripping out at 228 lbs. The victor of the first round then went on to pull a static load, only to eventually max out the scale at an impressive 680 lbs.

The gearbox may have defeated the scale, but the goal of the experiment was to run it to failure. By rigging up a compound pulley arrangement, they were able to double the amount of force their scale could detect. With this increased capacity the gearbox was then run up to an astonishing 1,000 lbs before it started to slip.

But perhaps the most impressive: after they got the gearbox disassembled, it was discovered that only a single planet gear out of the ten had broken. Even then, judging by how the gear sheared, the issue was more likely due to poor layer adhesion during printing than from stress alone. No gears were stripped, and in fact no visible damage was seen anywhere in the mechanism. The team is currently unable to explain the failure, other than to say that the stresses may have been so great that the plastic deformed enough that the gears were no longer meshed tightly.

This isn’t the first time we’ve checked in with the team at [Gear Down For What?]; just a few months ago they impressed us by lifting an anvil with one of their printed mechanisms. They’re also not the only ones curious to find out just how far 3D printed plastic can go.


TeensyStep – Fast Stepper Library For Teensy

The Teensy platform is very popular with hackers — and rightly so. Teensys are available in 8-bit and 32-bit versions, the hardware has a bread-board friendly footprint, there are a ton of Teensy libraries available, and they can also run standard Arduino libraries. Want to blink a lot of LEDs? At very fast update rates? How about MIDI? Or USB-HID devices? The Teensy can handle just about anything you throw at it. Driving motors is easy using the standard Arduino libraries such as Stepper, AccelStepper or Arduino Stepper Library.

But if you want to move multiple motors at high micro-stepping speeds, either independently or synchronously and without step loss, these standard libraries become bottlenecks. [Lutz Niggl]’s new TeensyStep fast stepper control library offers a great improvement in performance when driving steppers at high speed. It works with all of the Teensy 3.x boards, and is able to handle accelerated synchronous and independent moves of multiple motors at the high pulse rates required for micro-stepping drivers.

The library can be used to turn motors at up to 300,000 steps/sec, which works out to an incredible 5625 rpm at 1/16th micro-stepping. In the demo video below, you can see him push two motors at 160,000 steps/sec — that’s 3000 rpm — without the two arms colliding. Motors can be moved either independently or synchronously. Synchronous movement uses Bresenham’s line algorithm to plan motor movements based on start and end positions, so that all motors in the move arrive at their targets at the same time. While doing a synchronous move, it can also run other motors independently. The TeensyStep library uses two class objects. The Stepper class does not require any system resources other than 56 bytes of memory. The StepControl class requires one IntervalTimer and two channels of an FTM (FlexTimer Module) timer. Since all supported Teensys implement four PIT timers and an FTM0 module with eight timer channels, usage is limited to four StepControl objects existing at the same time. Check out [Lutz]’s project page for some performance figures.
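As an added illustration (not code from the TeensyStep library), here is a Bresenham-style planner for the synchronous two-motor move the post describes: the motor with the longer travel steps on every tick, the other steps whenever its accumulated error crosses the threshold, so both reach their targets on the same tick. The struct and function names are my own.

```cpp
// Added example, not TeensyStep's own code: Bresenham line algorithm applied
// to two stepper motors so that a synchronous move finishes on the same tick
// for both axes. Names (StepEvent, planSyncMove, simulate) are illustrative.
#include <cstdlib>
#include <utility>
#include <vector>

struct StepEvent { int stepA; int stepB; };  // -1, 0 or +1 per motor, per tick

// Plan a synchronous move from (a0,b0) to (a1,b1).
// Returns one StepEvent per tick of the lead (longer-travel) motor.
std::vector<StepEvent> planSyncMove(long a0, long b0, long a1, long b1) {
    long da = a1 - a0, db = b1 - b0;
    int dirA = (da > 0) - (da < 0);           // sign of each axis' travel
    int dirB = (db > 0) - (db < 0);
    long absA = std::labs(da), absB = std::labs(db);
    bool aLeads = absA >= absB;                // lead axis steps every tick
    long lead = aLeads ? absA : absB;
    long follow = aLeads ? absB : absA;

    std::vector<StepEvent> plan;
    plan.reserve(lead);
    long err = lead / 2;                       // Bresenham error accumulator
    for (long i = 0; i < lead; ++i) {
        StepEvent e{0, 0};
        if (aLeads) e.stepA = dirA; else e.stepB = dirB;
        err -= follow;                         // follower "owes" a fraction of a step
        if (err < 0) {                         // crossed the threshold: step follower
            err += lead;
            if (aLeads) e.stepB = dirB; else e.stepA = dirA;
        }
        plan.push_back(e);
    }
    return plan;                               // exactly |da| and |db| steps issued
}

// Replay a plan from a start position and return the final (a, b) position,
// which lets a caller verify the move lands where it was supposed to.
std::pair<long, long> simulate(long a0, long b0, const std::vector<StepEvent>& plan) {
    for (const StepEvent& e : plan) { a0 += e.stepA; b0 += e.stepB; }
    return {a0, b0};
}
```

The follower motor never receives two steps in a row without the lead motor also stepping, which is what keeps the two arms in the demo moving along a straight line in step space rather than one racing ahead.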

As a comparison, check out Better Stepping with 8-bit Micros — this approach uses DMA channels as high-speed counters, with each count sending a pulse to the motor.

Thanks to [Paul Stoffregen] for tipping us off about this new library.

Snazzy Balun Lets Ham Use Off-The-Shelf Coax

It’s a dilemma many hams face: it’s easy to find yourself with a big spool of RG-11 coax cable, usually after a big cable TV wiring project. It can be tempting to use it in antenna projects, but the characteristic impedance of RG-11 is 75 Ω, whereas the ham world is geared to 50 Ω. Not willing to waste a bounty of free coax, one ham built a custom 1:1 current balun for a 75 Ω dipole.

Converting between balanced and unbalanced signals is the job of a balun, and it’s where the device derives its name. For hams, baluns are particularly useful to connect a dipole antenna, which is naturally balanced, to an unbalanced coax feedline. The balun [NV2K] built is a bifilar 1:1 design, with two parallel wires wound onto a ferrite core. To tweak the characteristic impedance to the 75 Ω needed for his antenna and feedline, [NV2K] added short lengths of Teflon insulation to one of the conductors, which is as fussy a bit of work as we’ve seen in a while. We appreciate the careful winding of the choke and the care taken to make this both mechanically and electrically sound, and not letting that RG-11 go to waste is a plus.

With as much effort as hams put into antenna design, there’s a surprising dearth of Hackaday articles on the subject. We’ve talked a bit about the Yagi-Uda antenna, and we’ve showcased a cool magnetic loop antenna, but there’s precious little about the humble dipole.

[via r/amateurradio]

Dubai Police Test Quadcopter Motorcycle

If you ever wish you could be on your quadcopter when you fly it, you will really want to see the video showing the Dubai police department testing the Hoverbike. The Russian company Hoversurf that markets the device doesn’t provide a lot of technical details, but it looks fairly simple. It is basically a motorcycle seat along with a big quadcopter. From the videos about the device, you can deduce that the pilot can control it or you can fly it remotely. You can see one of the videos, below.

There are a few things that worry us here. Of course, the huge spinning propellers at the pilot’s knee level should give you sweaty palms. In the demo, they even show the removal of the propeller guards before the test flight, but let’s be honest, those don’t look like they would keep a falling pilot out of the rotors anyway. Looking beyond the hype, we find it curious that the demo doesn’t show many (if any) shots of the pilot making a turn. The benefit of a vehicle like this to police should be maneuverability, and from what we saw the Hoversurf is still limited.

So is it real? Hard to say. The short videos mostly show vertical or horizontal flight with no maneuvering. Is it hard to turn? Is the battery life really short? One other oddity: When we first saw a letter from the US Patent Office on their site, we thought they might have some new technology. However, that letter is simply showing they registered a trademark and doesn’t reference a patent. If there is a patent we want to know what is new and novel here.

Of course, we know it’s possible to build such a machine since we saw [Colin Furze] do it with two rotors instead of four. The US Department of Defense is working on something with a company called Malloy and there are other practical examples. There are also some less practical examples. What we’re really on the lookout for is a product that works so well it will actually be used. You know, like those Segways that airport police use, right?

We hope Hoversurf can bring this to market because we definitely want one. There’s no reason to think they can’t, but we do wish there were more details forthcoming.