This Week In Security: 1Password, Polyglots, And Roundcube

This week we got news of a security incident at 1Password, and we’re certain we aren’t the only ones hoping it’s not a repeat of what happened at LastPass. 1Password has released a PDF report on the incident, and while there are a few potentially worrying details, put into context it doesn’t look too bad.

The first sign that something might be amiss was an email from Okta on September 29th — a report of the current list of account administrators. Okta provides authentication and Single Sign-On (SSO) capabilities, and 1Password uses those services to manage user accounts and authentication. The fact that this report was generated without anyone from 1Password requesting it was a sign of potential problems.

And here’s the point where a 1Password employee was paying attention and saved the day, by alerting the security team to the unrequested report. That employee had been working with Okta support, and sent a browser session snapshot for Okta to troubleshoot. That data includes session cookies, and it was determined that someone unauthorized managed to access the snapshot and hijack the session, Firesheep style.

Okta logs seemed to indicate that the snapshot hadn’t been accessed, and there weren’t any records of other Okta customers being breached in this way. This pointed at the employee laptop. The report states that it has been taken offline, which is good. Any time you suspect malicious action on a company machine, the right answer is to power it off right away and start the investigation.

And here’s the one part of the story that gives some pause. Someone from 1Password responded to the possible incident by scanning the laptop with the free edition of Malwarebytes. Now don’t get us wrong, Malwarebytes is a great product for finding and cleaning the sort of garden-variety malware we tend to find on family members’ computers. The on-demand scanning of Malwarebytes free just isn’t designed for detecting bespoke malicious tools like a password management company should expect to be faced with.

But that turns out to be a bit of a moot point, as the real root cause was a compromised account in the Okta customer support system, as revealed on the 20th. The Okta report talks about stolen credentials, which raises a real question about why Okta support accounts aren’t all using two-factor authentication.
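
Sharing a browser session capture with a support desk is exactly how session cookies end up in someone else’s hands. As an added example (not from the 1Password or Okta reports), and assuming the snapshot is a HAR file as browser capture tools produce, this Python script strips cookies, authorization headers and response bodies before the file leaves the machine; the HAR content below is constructed.

```python
import json

# Header names that carry session authority. Anyone who reads a shared HAR
# file containing these can replay the session without knowing a password.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-csrf-token"}

# Constructed HAR fragment standing in for a browser session snapshot.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://sso.example.test/api/v1/users",
            "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=ROTATED; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "ROTATED"}],
            "content": {"mimeType": "application/json", "text": "[]"},
        },
    }]}
})


def redact_har(har_text):
    """Return (redacted HAR JSON, number of secret values replaced)."""
    har = json.loads(har_text)
    replaced = 0
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = "[REDACTED]"
                    replaced += 1
            # The parsed cookie list duplicates the header; blank it as well.
            for cookie in msg.get("cookies", []):
                cookie["value"] = "[REDACTED]"
                replaced += 1
            # Response bodies can echo tokens, so drop them entirely.
            if side == "response" and "content" in msg:
                msg["content"].pop("text", None)
    return json.dumps(har), replaced


if __name__ == "__main__":
    cleaned, n = redact_har(SAMPLE_HAR)
    print(f"replaced {n} secret values")
    print(cleaned)
```

The Accept header and the request URLs survive, which is what support actually needs to reproduce a problem.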

Retrotechtacular: Crash Testing Truck Attenuators, For Science

There are those among us who might bristle at something from the early 1980s qualifying for “Retrotechtacular” coverage, but it’s been more than 40 years since the California Department of Transportation’s truck-mounted attenuators crash testing efforts, so we guess it is what it is.

If you’re worried that you have no idea what a “truck-mounted attenuator” might be, relax — you’ve probably seen these devices attached to the backs of trucks in highway work zones. They generally look like large boxes attached to frames at the rear of the truck which are intended to soften the blow should a car somehow not see the giant orange truck covered with flashing lights and drive into the rear of it at highway speeds. Truck-mounted attenuators are common today, but back in 1982 when this film was produced, the idea was still novel enough to justify crash-testing potential designs.

Why Game Boy IPS Screens Flicker

The Nintendo Game Boy was a very popular handheld in its time, but its display technology has not aged gracefully. Ripping out the original screen and dropping in a modern IPS LCD is a popular mod, but that often comes with a weird flicker now and then. [makho] is here to explain why.

The problem was that the Game Boy didn’t have any way to do transparency in the original hardware. Instead, sprites that were supposed to be a little bit transparent were instead flickered on and off rapidly. The original LCD was so slow that this flicker would be largely hidden, with the sprites in question looking suitably transparent. However, switch to a modern IPS LCD with its faster refresh rate, and the flickering will be readily visible. So it’s not a bug — it’s something that was intentionally done by developers that were designing for the screen technology of the 1980s, not the 2020s.
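
To see why the slow original panel hides the trick while a fast one does not, here is an added Python simulation that is not part of [makho]’s write-up: a single pixel is modelled as a first-order response with a constructed time constant measured in frames, driven by a sprite that is toggled every frame.

```python
import math


def lcd_response(targets, tau_frames):
    """Simulate one LCD pixel given a new target level each frame.

    The pixel moves toward its target with a first-order response whose
    time constant is tau_frames. tau_frames == 0 models an IPS panel that
    settles within a frame; larger values model the sluggish original
    Game Boy panel. Both values are constructed, illustrative numbers.
    """
    if tau_frames <= 0:
        return list(targets)
    step = 1.0 - math.exp(-1.0 / tau_frames)
    level, out = 0.0, []
    for target in targets:
        level += (target - level) * step
        out.append(level)
    return out


def flicker_sprite(frames):
    """Pseudo-transparent sprite: drawn on odd frames, hidden on even ones."""
    return [1.0 if i % 2 else 0.0 for i in range(frames)]


def perceived(tau_frames, frames=240, settle=120):
    """Return (mean level, frame-to-frame ripple) after the pixel settles.

    A ripple near 1.0 is a pixel blinking between fully on and fully off,
    the flicker seen on an IPS screen; a small ripple around a mean of
    0.5 is the half-tone the developers were counting on.
    """
    levels = lcd_response(flicker_sprite(frames), tau_frames)[settle:]
    return sum(levels) / len(levels), max(levels) - min(levels)


if __name__ == "__main__":
    for tau in (0, 3, 10):
        mean, ripple = perceived(tau)
        print(f"tau={tau:>2} frames: mean={mean:.2f} ripple={ripple:.2f}")
```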

IPS screens have become the must-have upgrade for modern Game Boy users. Most would tell you the improved image quality and rich color is worth a little flicker here and there.

Remembering The MUDdiest Of Times With The MUD1 And MUD2 Online RPGs

Before there were massively multiplayer online role-playing games (MMORPGs) like EverQuest, the genre was called a Multi-User Dungeon (MUD), following in the trend of calling text adventures at that time ‘dungeon crawlers’. These multi-player games required you to bring along your own imagination, for these were purely text-based affairs. Despite the first of these (MUD1) having been released all the way back in 1978 for the DEC PDP-10, these games are still being played today, long after they stopped being in the (game) news cycle.

The brief history and today’s status of MUD1 is covered in a recent article by [Bryan Lunduke], following its creation in 1979 in the UK by [Richard Bartle] and [Roy Trubshaw], its struggles and eventual renaming to ‘British Legends

Technically all you need to play is a telnet client, though you can always use a graphical web browser to log into a text adventure. Much like playing a game like Zork — which heavily inspired MUDs — you got to use your wits and map drawing skills to figure out how to navigate around the world. You can also play the new and improved MUD: MUD2. Make sure to take a peek on [Richard]’s aesthetically yellow MUD-related website and the latest gossip in the Muddled Times before joining either the UK MUD2 server or the Canadian one.

Although they lean on one’s imagination far more than a graphical MUD like EverQuest does, there’s a lot of fun to be had in these MUDs, as well as in the plethora of others.

Thanks to [Stephen Walters] for the tip.

Blatano Art Project Tracks Devices In Its Vicinity

Computers, surveillance systems, and online agents are perceiving us all the time these days. Most of the time, it takes place in the shadows, and we’re supposed to be unaware of this activity going on in the background. The Blatano art piece from [Leigh] instead shows a digital being that actively displays its perception of other digital beings in the world around it.

The project is based on an ESP32, using the BLE Scanner library to scan for Bluetooth devices in the immediate vicinity. Pwnagochi and Hash Monster tools are also used to inspect WiFi traffic, while the CovidSniffer library picks up packets from contact-tracking apps that may be operating in the area.

This data is used to create profiles of various devices that the Blatano can pick up. It then assigns names and little robotic images to each “identity,” and keeps tabs on them over time. It’s an imperfect science, given that some devices regularly change their Bluetooth identifiers and the like. Regardless, it’s interesting to watch a digital device monitor the scene like a wallflower watching punters at a house party.

If you’ve built your own art-surveillance devices to comment on the state of modernity, don’t hesitate to drop us a line!

Interactive Chameleon Lamp Changes Color At Your Whim

You never forget your first diorama, especially when it’s interactive. Although admittedly a bit late to celebrate Erntedankfest (Germanic Thanksgiving), [Markus Bindhammer] is ahead of the curve when it comes to the American version.

This interactive diorama lamp features a cute chameleon that [Markus] sculpted from a wire frame and a lump of clay. In the chameleon’s midsection is a ping pong ball that does the work of diffusing an RGB LED. Wires run out the far side and through the bamboo stand and connect to a TCS34725 RGB color sensor and an Arduino Pro Micro.

The lamp does what you think — hold any colored object up to the color sensor, and the chameleon will change colors to match. When no one is interacting with the lamp, it slowly runs through a rainbow of colors. Be sure to check out the build video after the break.

Don’t have a color sensor? You can roll your own with an RGB LED, a photocell, and not much else. If you’re wondering how they work, we’ve seen the color sensor demystified.

Tim’s Draw Bot Gets Around With A Pen

If you grew up playing with LOGO on an old 8-bit computer, you’re probably familiar with the concept of a drawbot. It’s a simple robot that drags a pen around to draw on paper. [Tim] decided to build one that uses a simple skid-steer design to get around the page. 

An Arduino Nano is the brains of the operation, paired with a CNC Shield that allows it to drive a pair of stepper motors. The stepper motors drive the wheels via cogged belts, with the 3D-printed rims fitted with square rubber drive belts used as tires for additional grip. A third jockey wheel is used for balance, in addition to the two main driven wheels. A servo is used to raise and lower the pen as needed. All the hardware is mounted onto a simple tray chassis, which was 3D printed along with most of the other basic componentry.

The robot does a good job of plotting out a drawing on a small scale, with [Tim] using it to outline his name on paper. We’ve featured some other great drawbots before, too, including this nifty spray-can version. Video after the break.
