This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More

There’s a popular Sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode”. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI, which allows injecting command-line switches when a web server launches an instance of PHP-CGI. The fix was to block certain characters in specific positions in query strings, such as a query string starting with a dash.

The bypass is due to a Windows feature, “Best-Fit”, which automatically down-converts certain Unicode characters. It works on a per-locale basis, so not every system language behaves the same. The bypass that has been found is the conversion of a soft hyphen, which PHP doesn’t block, into a regular hyphen, which can trigger the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and of running PHP on Windows, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again only if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly.
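As an added illustration (not code from the article or from the PHP project), here is a small front-end filter that applies the rule described above, rejecting a query string that starts with a dash, but first normalises the soft-hyphen lookalike so that the Best-Fit bypass is caught as well. The lookalike table, the helper names and the sample queries are all assumptions constructed for this example; the table lists only the soft hyphen because that is the only lookalike the article documents.

```python
from urllib.parse import unquote_to_bytes

# Characters that a Best-Fit locale down-converts to ASCII hyphen-minus.
# Only the soft hyphen (U+00AD) is documented above, for the Chinese and
# Japanese Windows locales; extend this table (assumption: it is not complete)
# if further lookalikes are confirmed for other locales.
BEST_FIT_TO_HYPHEN = {"\u00ad": "-"}


def decode_query(raw: str) -> str:
    """Percent-decode a raw query string. Try UTF-8 first; a lone 0xAD byte
    (soft hyphen sent as a single byte) is not valid UTF-8, so fall back to
    Latin-1, where byte 0xAD is exactly U+00AD."""
    data = unquote_to_bytes(raw)
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("latin-1")


def best_fit_normalize(text: str) -> str:
    """Apply the down-conversion a Best-Fit locale would perform, so the
    filter checks what php-cgi would actually see after conversion."""
    return "".join(BEST_FIT_TO_HYPHEN.get(ch, ch) for ch in text)


def looks_like_cgi_switch(raw_query: str) -> bool:
    """True if the query string would begin with '-' once decoded and
    Best-Fit-normalised, i.e. it could be parsed as a php-cgi option."""
    return best_fit_normalize(decode_query(raw_query)).startswith("-")


def check_requests(raw_queries):
    """Return the raw query strings a front-end filter should reject."""
    return [q for q in raw_queries if looks_like_cgi_switch(q)]


# Constructed sample query strings (not real traffic).
SAMPLE_QUERIES = [
    "name=value",  # ordinary form query, allowed
    "-x",          # ASCII dash, blocked by the original fix
    "%2Dx",        # percent-encoded dash, same thing
    "%ADx",        # soft hyphen as a single raw byte, the bypass case
    "%C2%ADx",     # soft hyphen encoded as UTF-8
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        verdict = "REJECT" if looks_like_cgi_switch(q) else "allow"
        print(f"{q!r:14} -> {verdict}")
```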

Downloader Beware

The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node references a malicious Python package that grabs browser data and sends it all to Discord or Pastebin. It appears that some additional malware gets installed as well, to maintain access to infected systems. It’s a rough way to learn.

A Super-Simple Standalone WSPR Beacon

We’ve said it before and we’ll say it again: being able to build your own radios is the best thing about being an amateur radio operator. Especially low-power transmitters; there’s just something about having the know-how to put something on the air that’ll reach across the planet on a power budget measured in milliwatts.

This standalone WSPR beacon is a perfect example. If you haven’t been following along, WSPR stands for “weak-signal propagation reporter,” and it’s a digital mode geared for exploring propagation that uses special DSP algorithms to decode signals that are far, far down into the weeds; signal-to-noise ratios of -28 dBm are possible with WSPR.

Because of the digital nature of WSPR encoding and the low-power nature of the mode, [IgrikXD] chose to build a standalone WSPR beacon around an ATMega328. The indispensable Si5351 programmable clock generator forms the RF oscillator, the output of which is amplified by a single JFET transistor. Because timing is everything in the WSPR protocol, the beacon also sports a GPS receiver, ensuring that signals are sent only and exactly on the even-numbered minutes. This is a nice touch and one that our similar but simpler WSPR beacon lacked.

This beacon had us beat on performance, too. [IgrikXD] managed to hit Texas and Colorado from the edge of the North Sea on several bands, which isn’t too shabby at all with a fraction of a watt.

Thanks to [STR-Alorman] for the tip.

[via r/amateurradio]

2024 Business Card Challenge: T-800’s 555 Brain

In Terminator 2: Judgment Day it’s revealed that Skynet becomes self-aware in August of 1997, and promptly launches a nuclear attack against Russia to draw humanity into a war which ultimately leaves the door open for the robots to take over. But as you might have noticed, we’re not currently engaged in a rebellion against advanced combat robots.

The later movies had to do some fiddling with the timeline to explain this discrepancy, but looking at this 2024 Business Card Challenge entry from [M. Bindhammer] we think there’s another explanation for the Judgement Day holdup — so long as the terminators are rocking 555 timers in their chrome skulls, we should be safe.

While the classic timer chip might not be any good for plotting world domination, it sure does make for a great way to illuminate this slick piece of PCB art when it’s plugged into a USB port. Exposed copper and red paint are used to recreate the T-800’s “Brain Chip” as it appeared in Terminator 2, so even when the board isn’t powered up, it looks fantastic on display. The handful of components are around the back side, which is a natural place to put some info about the designer. Remember, this is technically supposed to be a business card, after all.


This Open Source Active Probe Won’t Break The Bank

If you’re like us, the oscilloscope on your bench is nothing special. The lower end of the market is filled with cheap but capable scopes that get the job done, as long as the job doesn’t get too far up the spectrum. That’s where fancier scopes with active probes might be required, and such things are budget-busters for mere mortals.

Then again, something like this open source 2 GHz active probe might be able to change the dynamics a bit. It comes to us from [James Wilson], who began tinkering with the design back in 2022. That’s when he learned about the chip at the center of this build: the BUF802. It’s a wide-bandwidth, high-input-impedance JFET buffer that seemed perfect for the job, so he designed a high-impedance, low-capacitance probe covering DC to 2 GHz with 10:1 attenuation around it.

[James]’ blog post on the design and build reads like a lesson in high-frequency design. The specifics are a little above our pay grade, but the overall design uses both the BUF802 and an OPA140 precision op-amp. The low-offset op-amp buffers DC and lower frequencies, leaving higher frequencies to the BUF802. A lot of care was put into the four-layer PCB design, as well as ample use of simulation to make sure everything would work. Particularly interesting was the use of openEMS to tweak the width of the output trace to hit the desired 50 ohm impedance.

Forsp: A Forth & Lisp Hybrid Lambda Calculus Language

In the world of lambda calculus programming languages there are many ways to express the terms, which is why we ended up with such an amazing range of programming languages, even if most trace their roots back to ALGOL. Of the more unique (and practical) languages, Lisp and Forth probably range near the top, but what if you were to smudge both together? That’s what [xorvoid] did and it resulted in the gracefully titled Forsp programming language. Unsurprisingly it got a very warm and enthusiastic reception over at Hacker News.

While keeping many Lisp-isms, the Forth part consists primarily of it being very small and easy to implement, as demonstrated by the C-based reference implementation. It also features a Forth-like value/operand stack and function application. Also interesting is that Forsp uses call-by-push-value (CBPV), which is quite different from call-by-value (CBV) and call-by-name (CBN), and which may give some advantages if you can wrap your mind around the concept.

Even if practicality is debatable, Forsp is another delightful addition to the list of interesting lambda calculus demonstrations which show that the field is anything but static or boring.

Shipping Your Illicit Software On Launch Hardware

In the course of a career, you may run up against projects that get cancelled, especially those that are interesting, but deemed unprofitable in the eyes of the corporate overlords. Most people would move on, but [Ron Avitzur] just couldn’t let it go.

In 1993, in the midst of the transition to PowerPC, [Avitzur]’s employer let him go as the project they were contracted to perform for Apple was canceled. He had been working on a graphing calculator to show off the capabilities of the new system. Finding his badge still allowed him access to the building, he “just kept showing up.”

[Avitzur] continued working until Apple Facilities caught onto his use of an abandoned office with another former contractor, [Greg Robbins], and their badges were removed from the system. Not the type to give up, they tailgated other engineers into the building to a different empty office to continue their work. (If you’ve read Kevin Mitnick’s Ghost in the Wires, you’ll remember this is one of the most effective ways to gain unauthorized access to a building.)

We’ll let [Avitzur] tell you the rest, but suffice it to say, this story has a number of twists and turns to it. We suspect it certainly isn’t the typical way a piece of software gets included on the device from the factory.

Looking for more computing history? How about a short documentary on the Aiken computers, or a Hack Chat on how to preserve that history?

[Thanks to Stephen for the tip via the Retrocomputing Forum!]

Marimbatron: A Digital Marimba Prototyping Project

The Marimbatron is [Leo Kuipers]’s final project as part of the Fab Academy program supervised by [Prof. Neil Gershenfeld] of MIT’s Center for Bits and Atoms. The course aims to teach students how to leverage all the fab lab skills to create unique prototypes using the materials at hand.

The final polyurethane/PET/Flex PCB stack-up for the sensor pad

Fortunately, one of the main topics covered in the course is documentation, and [Leo] has provided ample material for review. The marimba consists of a horizontal series of wooden bars, each mounted over a metal resonator tube. It is played similarly to the xylophone, with a piano-type note arrangement, covering about five octaves but with a lower range than the xylophone. [Leo] converted this piano-type layout into a more logical grid arrangement. The individual pads are 3D printed in PETG and attached to a DIY piezoresistive pressure sensor made from a graphite-sprayed PET sheet laid upon a DIY flexible PCB. A central addressable LED was also included for indication purposes. The base layer is made of cast polyurethane, formed inside a 3D-printed rigid mould. This absorbs impact and prevents crosstalk to nearby sensors. The sensor PCB was initially prototyped by adhering a layer of copper tape to a layer of Kapton tape and cutting it out using a desktop vinyl cutter. While this method worked for the proof of concept, [Leo] ultimately outsourced the final version to a PCB manufacturer. The description of prototyping the sensor and dealing with over-moulding was particularly fascinating.
