A few weeks ago, China launched the final satellite in its BeiDou-3 satellite positioning system. Didn’t know that China had its own GPS? How about Europe’s Galileo, Russia’s GLONASS, or Japan’s QZSS? There’s a whole world of GPS-alikes out there. Let’s take a look.
Continue reading “Not Just GPS: New Options For Global Positioning”
A chaotic drone of meaningless sound to lull the human brain out of its usual drive to latch on to patterns can at times be a welcome thing. A nonsense background din — like an old television tuned to a dead channel — can help drown out distractions and other invading sounds when earplugs aren’t enough. As [mitxela] explains, this can be done with an MP3 file of white noise, and that is a solution that works perfectly well for most practical purposes. However he found himself wanting a more refined hardware noise generator with analog controls to fine tune the output, and so the Rumbler was born.
The Rumbler isn’t just a white noise generator. White noise has a flat spectrum, but the noise from the Rumbler is closer to Red or Brownian Noise. The different colors of noise have specific definitions, but the Rumbler’s output is really just white noise that has been put through some low pass filters to create an output closer to a nice background rumble that sounds pleasant, whereas white noise is more like flat static.
Why bother with doing this? Mainly because building things is fun, but there is also the idea that this is better at blocking out nuisance sounds from neighboring human activities. By the time distant music (or television, or talking, or shouting) has trickled through walls and into one’s eardrums, the higher frequencies have been much more strongly attenuated than the lower frequencies. This is why one can easily hear the bass from a nearby party’s music, but the lyrics don’t survive the trip through walls and windows nearly as well. The noise from the Rumbler is simply a better fit to those more durable lower frequencies.
[Mitxela]’s writeup has quite a few useful tips on analog design and prototyping, so give it a read even if you’re not planning to make your own analog noise box. Want to hear the Rumbler for yourself? There’s an embedded audio sample near the bottom of the page, so go check it out.
For a truly modern application of white noise, check out the cone of silence for snooping smart speakers.
We’ve looked at many vulnerabilities over the years here on Hackaday, but it’s rather rare for a CVE to score a perfect 10 severity. This is reserved for the most severe and exploitable of problems. Palo Alto announced such a vulnerability, CVE-2020-2021, on the 29th. This vulnerability affects Palo Alto devices running PAN-OS that have SAML authentication enabled and a certain validation option disabled. The vulnerability is pre-authentication, but does require access to a service protected by SAML authentication. For example, a Palo Alto device providing a web-based VPN could be vulnerable. The good news is that the vulnerable settings aren’t default, but the bad news is that the official configuration guide recommends the vulnerable settings for certain scenarios, like using a third party authentication service.
The issue is in the Security Assertion Markup Language (SAML) implementation, which is an XML based open standard for authentication. One of the primary use cases for SAML is to provide a Single Sign On (SSO) scheme. The normal deployment of SAML SSO is that a central provider handles the authentication of users, and then asserts to individual services that the connecting user is actually who they claim to be.
The setting needed for this vulnerability to be exploitable is ‘Validate Identity Provider Certificate’ to be disabled. If this option is enabled, the SSO provider must use a CA signed SAML certificates. This doesn’t appear to mean that unsigned SSL certificates would be accepted, and only applies to certificates inside the SAML messages. It seems to be widely accepted that these certificates don’t need to be CA signed. In the official announcement, the vulnerability type is said to be “CWE-347 Improper Verification of Cryptographic Signature”. Continue reading “This Week In Security: Palo Alto Scores A 10, Cursed Images, VM Escapes, And Malicious Music”
In the connected age, every day it appears privacy is becoming more and more of an idealistic fantasy as opposed to a basic human right. In our latest privacy debate per [TechCrunch], apparently the FBI is taking some shots at Apple.
You may recall the unfortunate events, leading the FBI to ask Apple to unlock an iPhone belonging to a person of interest. Apple did not capitulate to the FBI’s request on the basis of their fundamental commitment to privacy. The FBI wasn’t really thrilled with Apple’s stance given the circumstances leading to the request. Nevertheless, eventually, the FBI was able to unlock the phone without Apple’s help.
You may find it somewhat interesting that the author of the news piece appears to be more upset with the FBI for cracking the phone than at Apple (and by extension other tech companies) for making phones that are crackable to begin with.
Maybe we should take solace in knowing that Apple stood their ground for the sake of honoring their privacy commitment. But as we saw, it didn’t really matter in the end as the FBI was able to hire a third party to help them unlock the phones and were later able to repeat the process in-house. The article also noted that there are other private companies capable of doing exactly what the FBI did. We understand that no encryption is 100% safe. So it begs the question, “Is anything really private anymore?” Share your thoughts in the comments below.
USB is one of the most beloved computer interfaces of all time. Developed in the mid-1990s, it undertook a slow but steady march to the top. Offering an interface with good speeds and a compact connector, it became the standard for hooking up interface devices, storage, and even became the de-facto way to talk old-school serial, too.
In late 2014, the USB Implementers Forum finalised the standard for the USB-C plug. Its first major application was on smartphones like the Nexus 5X, and it has come to dominate the smartphone market, at least if you leave aside the iPhone. However, it’s yet to truly send USB-A packing, especially on the desktop. What gives? Continue reading “USB-C Is Taking Over… When, Exactly?”
We’re fans of haveibeenpwned.com around here, but a weird story came across my proverbial desk this week — [Troy Hunt] wrote a malicious SQL injection into one of their emails! That attack string was a simple ';--
Wait, doesn’t that look familiar? You remember the header on the haveibeenpwned web page? Yeah, it’s ';--have i been pwned?. It’s a clever in-joke about SQL injection that’s part of the company’s brand. An automated announcement was sent out to a company that happened to use the GLPI service desk software. That company, which shall not be named for reasons that are about to become obvious, was running a slightly out-of-date install of GLPI. That email generated an automated support ticket, which started out with the magic collection of symbols. When a tech self-assigned the ticket, the SQL injection bug was triggered, and their entire ticket database was wiped out. The story ends happily, thanks to a good backup, and the company learned a valuable lesson. Continue reading “This Week In Security: HaveIBeenPwned And Facebook Attack Their Customers”
As we’ve looked at the subject of face masks in the first two parts of this series, our emphasis has been on a physical step to aid your chances of making it through the COVID-19 pandemic in one piece. But given that the upheaval caused by all the social changes enacted to protect the population are likely to leave an indelible mark on those who live through them, there are significant aspects of surviving all this that go beyond the physical.
This will be a once-in-a-lifetime event for many people, a significant number will find it traumatic in some way, and for many of those people there will be an immediate and then ongoing effect on mental health. If anyone is in doubt as to from what position this is coming, I count myself among that number.
Different countries have placed their own public health restrictions on their populations, but it’s likely that many of you are in some form of lockdown situation, with social or communal activities and locations closed or curtailed, going out restricted, and with all around you in the same situation. A perfect storm of having social outlets removed while simultaneously being stuck at home perhaps with family or housemates you’d prefer not to spend too much time with is not ideal. Add to that the multiple stresses from the pandemic itself as well as other news stories from our turbulent world, and it’s hardly a surprising that it’s taking a toll. Continue reading “Surviving The Pandemic As A Hacker: Take Care Of Your Mental Health”
