This Week In Security: Forksquatting, RustDesk, And M&Ms

GitHub is struggling to keep up with a malware campaign that’s a new twist on typosquatting. The play is straightforward: clone popular repositories, add malware, and advertise the forks as the original. Some developers mistake the forks for the real projects and unintentionally run the malware. The obvious naming choice is forksquatting, but the researchers at Apiiro went with the safer name of “Repo Confusion”.

The campaign is automated, and GitHub is aware of it, with the vast majority of these malicious repositories getting removed right away. For whatever reason, the GitHub algorithm isn’t catching all of the new repos. The current campaign appears to be publishing millions of forks, using code from over 100,000 legitimate projects. It’s beginning to seem that the squatting family of attacks is here to stay.

RustDesk and Odd Certificates

The RustDesk remote access software is interesting, as it’s open source, allows self-hosting, and is written in Rust. Exploring RustDesk has been on my to-do list for a long time, but a bit of concerning drama has just finished playing out. A user pointed out back in November that a test root certificate was installed into the trust store as part of the RustDesk installation. That root cert is self-signed using SHA1. There is also concern that the RustDesk binaries themselves are signed with a different certificate.

There have been new events since then. First, there was a Hacker News thread about the issue earlier this month. The next day, CVE-2024-25140 showed up in NIST’s NVD with an eye-watering CVSS score of 9.8. Let’s cut through some FUD and talk about what’s really going on.
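Whatever the final verdict on the CVE, the practical question for anyone who ran the installer is whether it left a certificate in the root trust store. The following is an added example, not code from the article or from the RustDesk project: it records the trusted thumbprints before an install, reports anything added afterwards, and separately lists self-signed roots with a SHA1 signature, the pattern described above. The store paths and the baseline file location are assumptions chosen for illustration.

```powershell
# Added example (not from the article or the RustDesk project). Checks for
# certificates that an installer dropped into the Windows root trust stores.
# Store paths and the baseline file name are assumptions for this example.

function Get-SelfSignedSha1Roots {
    # Root certs that are self-signed (Subject equals Issuer) and carry a SHA1 signature.
    param([string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | Where-Object {
            $_.Subject -eq $_.Issuer -and $_.SignatureAlgorithm.FriendlyName -match '^sha1'
        } | Select-Object @{n='Store';e={$store}}, Subject, Thumbprint, NotAfter,
                          @{n='Algorithm';e={$_.SignatureAlgorithm.FriendlyName}}
    }
}

function Save-RootStoreBaseline {
    # Record every thumbprint currently trusted, to diff against after an install.
    param([string]$Path = "$env:TEMP\root-baseline.txt")
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Select-Object -ExpandProperty Thumbprint |
        Sort-Object -Unique |
        Set-Content -Path $Path
}

function Compare-RootStoreBaseline {
    # Report certificates that were added to the root stores since the baseline was taken.
    param([string]$Path = "$env:TEMP\root-baseline.txt")
    $before = Get-Content -Path $Path
    $after  = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
              Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique
    Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object {
            $tp = $_.InputObject
            Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
                Where-Object Thumbprint -eq $tp
        } |
        Select-Object PSParentPath, Subject, Issuer, Thumbprint,
                      @{n='Algorithm';e={$_.SignatureAlgorithm.FriendlyName}}
}

# Usage: Save-RootStoreBaseline; run the installer; then run the two checks.
Compare-RootStoreBaseline | Format-Table -AutoSize
Get-SelfSignedSha1Roots  | Format-Table -AutoSize
```

Two caveats. A certificate in the root store is trusted outright, so anything the diff reports matters regardless of which hash algorithm signed it; the SHA1 filter only narrows the list. And the second function will also list legacy public CA roots that Windows ships with SHA1 (or older) self-signatures, so compare its output against a clean machine rather than treating every hit as a finding. An unwanted entry can be removed with `Remove-Item` on its `Cert:` path once you have confirmed what it is.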

The White House Memory Safety Appeal Is A Security Red Herring

In the Holy Programming Language Wars, the lingua franca of system programming – also known as C – is often lambasted for being insecure, error-prone, and plagued with more types of behavior that are undefined than ones that are defined by the C standards. Many programming languages were said to be ‘C killers’, yet C is still alive today. That didn’t stop the US White House’s Office of the National Cyber Director (ONCD) from putting out a report in which both C and C++ got lambasted for being ‘unsafe’ when it comes to memory management.

The full report (PDF) is pretty light on technical details, citing only blog posts by Microsoft and Google as its ‘expert sources’. The claim that memory safety issues are the primary cause of CVEs is not substantiated, or at least ignores the severity of individual CVEs when compared against the CISA statistics for actively exploited vulnerabilities. Beyond this call for ‘memory safety’, the report then goes on to effectively call for more testing and validation, kicking in doors that were already opened in the 1970s with the Steelman requirements and the High Order Language Working Group (HOLWG) of 1975.

What truly is the impact and factual basis of the ONCD report?

Internet Radio Built In Charming Cassette-Like Form Factor

You can listen to plenty of broadcast radio these days. There’s a lot of choice too, with stations on AM, FM, and digital broadcasts to boot. However, if you want the broadest possible choice, you want an internet radio. If that’s your bag, why not build a fun one like [indoorgeek’s] latest design?

The build is based around a PCB and 3D-printed components that roughly ape the design of a cassette tape. It even replicates the typical center window of a cassette tape by using a transparent OLED screen, which displays the user interface. In a neat way, the graphics on the display are designed to line up with those on the PCB, which looks excellent.

An ESP32 is the heart of the operation, which is responsible for streaming audio over the Internet via its WiFi connection. It’s powered by a small lithium-polymer battery, and hooked up with a MAX98357 Class D amplifier driven via the chip’s I2S hardware. Audio is played out over a small speaker salvaged from an old smartphone.

While it’s obviously possible to play whatever you like on a smartphone these days, sometimes it’s fun to have simple devices that just do a single job. Plus, we can’t deny this project looks really neat. Video after the break.

2024 Hackaday Europe Call For Participation Extended

Good news, procrastineers! A few folks asked us for a little more time to get their proposals together for our upcoming 2024 Hackaday Europe event in Berlin, and we’re listening. So now you’ve got an extra week – get your proposals for talks or workshops in before February 29th.

[Joey Castillo]’s awesome custom touchpad
Hackaday Europe is a two-day event taking place April 13th and 14th in Berlin, Germany. Saturday the 13th is the big day, with a full day of badge hacking, talks, music, and everything else. We’ve got the place booked until 2 AM, so get your sleep the night before. Sunday is a half-day of brunch, lightning talks, and showing off the badge hacks from the day before. And if you’re in town on Friday the 12th, we’ll be going out in the evening for drinks and dinner, location TBA but hopefully closer than where we ended up last year!

The badge is going to be a re-spin of the Supercon badge for all of you who couldn’t fly out to the US last November. There are no secrets anymore, so get your pre-hacks started now. We’ve seen some sweet all-analog hacks, some complete revisions of the entire firmware loadout, and, of course, all sorts of awesome hardware bodged onto it. Heck, we even saw Asteroids and DOOM. But we haven’t seen any native Jerobeam Fenderson-style oscilloscope music. You’ve got your homework.

What to Bring?

A few other people have asked if they could bring in (art) projects to show and share. Of course! Depending on the scale, though, you may need to contact us beforehand. If it’s larger than a tower PC, get in touch with us, and we’ll work it out. Smaller hacks, projects in progress, and anything you want to bring along to show and inspire others with, are, of course, welcome without any strings attached.

What else might you need? A computer of your choice and a micro USB cable for programming the badge. There will be soldering stations, random parts, and someone will probably be able to lend you nearly any other piece of gear, so you can pack light if you want to. But you don’t have to.

If you’d like to attend but you don’t have tickets yet – get them soon! Space is limited, and we tend to sell out. Or better yet, submit a talk and sneak in the side door. We’d love to hear what you’ve got going on, and we can’t wait to see you all.

Bioluminescent Glowing Petunias Are Now A Thing

Outside of the depths of the ocean, or cartoons, we’re not typically accustomed to plant life glowing or otherwise generating its own light. However, science is helping to change all that. Now, you can order some bioluminescent plants of your very own from Light Bio.

Light Bio is a startup company working in the synthetic biology space. It’s not content to simply pursue research behind closed doors, and is now sharing its work with the public. It has announced it plans to start selling petunias to U.S. customers which literally glow with the magic of bioluminescence.

Petunias don’t normally glow, but with some modifications, it turns out they can be convinced to. It took a large team of 26 scientists to figure out how to boost bioluminescence in plants, by isolating and optimizing genes sourced from various glowing mushroom species.

The plants will be available from April, with Light Bio planning to sell them as “Firefly Petunias.” It might sound like scary sci-fi tech, but the USDA has apparently already signed off on Light Bio selling these to the public.

Something’s been bothering me, though. It’s at the edge of my memory… I think my old housemate played bass for Glowing Petunias back in 2015. Something like that, anyway… video after the break.

Memory Box Shows Photos Based On Fingerprint

With his young son’s birthday coming up in a few weeks, [Mike Buss] wanted to build him something fun that the boy could hold on to all his life. After doing some sketching, [Mike] arrived at the idea of a memory box that uses a fingerprint scanner to show different pictures depending on whose finger is on it.

[Mike] started by rendering the box in Blender and then cutting a sizable hole in the lid for the E-ink screen. That’s around the time the first problem came up — there were weird vertical lines in the display. Sure enough, that screen was broken. Then he added the SD card reader, but the SD card wouldn’t work, and was heating up besides. Finally, the fingerprint scanner was causing issues, but it turned out that the power supply was at fault.

After all of that, [Mike] switched from an ESP32 to a Raspi Zero W to simplify the whole process of finding a photo tagged with the person’s fingerprint. [Mike] added a Python script that listens for new memories over Wi-Fi. A memory in this case consists of a picture, a description, a list of people tagged in the picture, and some additional metadata.

One important lesson [Mike] learned was that of balancing planning vs. just taking action. If he had taken the time to consider the complexity of the tagged-photo retrieval system, he would have arrived at an SBC solution much sooner. Be sure to check out the build video after the break.

You can have all sorts of fun with fingerprint scanners, like this one that opens a secret bookcase door.

Sprint: The Mach 10 Magic Missile That Wasn’t Magic Enough

Defending an area against incoming missiles is a difficult task. Missiles are incredibly fast and present a small target. Assuming you know they’re coming, you have to be able to track them accurately if you’re to have any hope of stopping them. Then, you need some kind of wondrous missile of your own that’s fast enough and maneuverable enough to take them out.

It’s a task that at times can seem overwhelmingly impossible. And yet, the devastating consequences of a potential nuclear attack are so great that the US military had a red hot go anyway. In the 1970s, America’s best attempt to thwart incoming Soviet ICBMs led to the development of the Sprint ABM—a missile made up entirely of improbable numbers.
