This Week In Security: Bogus CVEs, Bogus PoCs, And Maybe A Bogus Breach

It appears we have something of a problem. It’s not really a new problem, and shouldn’t be too surprising, but it did pop up again this week: bogus CVEs. Starting out in the security field? What’s the best way to jump-start a career? Getting a CVE find to your name certainly can’t hurt. And as a result, you get very junior security researchers looking for and reporting novel security vulnerabilities of sometimes dubious quality. Sometimes that process looks a lot like slinging reports against the wall to see what sticks. This brings us to an odd bug report in the OBS Studio project.

A researcher put together a script to look for possible password exposure on GitHub projects, and it caught a configuration value named “password” in a .ini file, being distributed in the project source. Obvious credential leak in Git source, right? Except for the little detail that it was in the “locale” folder, and the files were named ca-es.ini, ja-jp.ini, and similar. You may be in on the joke by now, but if not, those are translation strings. It wasn’t leaked credentials, it was various translations of the word “password”. This sort of thing happens quite often, and from the viewpoint of a researcher looking at results from an automated tool, it can be challenging to spend enough time with each result to fully understand the code in question. It looks like this case includes a language barrier, making it even harder to clear up the confusion.
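A triage pass that would have marked hits like these as translation strings before anyone filed a report, as an added example (not the researcher's script and not OBS code). The file tree, key regex and locale directory names are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample tree, modelled on the situation described above.
SAMPLE_FILES = {
    "plugin/data/locale/ca-es.ini": 'Password="Contrasenya"\nServer="Servidor"\n',
    "plugin/data/locale/ja-jp.ini": 'Password="パスワード"\nServer="サーバー"\n',
    "plugin/data/locale/en-us.ini": 'Password="Password"\nServer="Server"\n',
    "deploy/settings.ini": "[db]\npassword = s3cr3t-constructed-value\n",
}

KEY_RE = re.compile(r"password|passwd|secret|token", re.I)
LOCALE_STEM_RE = re.compile(r"^[a-z]{2,3}([-_][a-z]{2,4})?$", re.I)
LOCALE_DIRS = {"locale", "locales", "i18n", "lang", "translations"}

def scan(files):
    """Naive scanner: every key=value line whose key looks credential-like."""
    hits = []
    for path, text in files.items():
        for line in text.splitlines():
            key, sep, value = line.partition("=")
            if sep and KEY_RE.search(key):
                hits.append((path, key.strip(), value.strip().strip('"')))
    return hits

def triage(hits):
    """Map (path, key) to 'likely-translation' or 'needs-review'."""
    # Distinct values seen for the same key across files in one directory.
    siblings = defaultdict(set)
    for path, key, value in hits:
        siblings[(str(PurePosixPath(path).parent), key.lower())].add(value)
    labels = {}
    for path, key, value in hits:
        p = PurePosixPath(path)
        in_locale_dir = any(part.lower() in LOCALE_DIRS for part in p.parts[:-1])
        locale_name = bool(LOCALE_STEM_RE.match(p.stem))
        varies = len(siblings[(str(p.parent), key.lower())]) > 1
        # Require path evidence AND per-language variation before downgrading.
        is_translation = (in_locale_dir or locale_name) and varies
        labels[(path, key)] = "likely-translation" if is_translation else "needs-review"
    return labels

if __name__ == "__main__":
    for (path, key), label in triage(scan(SAMPLE_FILES)).items():
        print(f"{label:18} {path} [{key}]")
```

The label only lowers a hit's priority; a lone file in a locale folder, or one whose value does not vary between languages, still lands in `needs-review`.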

Things took a turn for the worse when a CVE was requested. The CVE Numbering Authority (CNA) that processed the request was MITRE, which issued CVE-2023-34585. It was a completely bogus CVE, and thankfully a more complete explanation from OBS was enough to convince the researcher of his error. That, however, brings us back to CVE-2023-36262, which was published this week. It’s yet another CVE, for the same non-issue, and even pointing at the same GitHub issue where the alleged bug is debunked. There’s multiple fails here, but the biggest disappointment is MITRE, for handing out CVEs twice for the same issue. Shout-out to [Netspooky] on Twitter for spotting this one.

Improved Hydrogen Fuel Cells Are Groovy

According to [Charles Q. Choi], a new study indicates that grooves in the hydrogen fuel cells used to power vehicles can improve their performance by up to 50%. Fuel cells are like batteries because they use chemical reactions to create electricity. Where they are different is that a battery reacts a certain amount of material, and then it is done unless you recharge it somehow. A fuel cell will use as much fuel as you give it. That allows it to continue creating electricity until the fuel runs out.

Common hydrogen fuel cells use a proton exchange membrane — a polymer membrane that conducts protons to separate the fuel and the oxidizer. You can think of it as an electrolyte. Common fuel cells use an electrode design that hasn’t changed in decades. The new research has catalyst ridges separated by empty grooves. This enhances oxygen flow and proton transport.

Conventional electrodes use an ion-conducting polymer and a platinum catalyst. Adding more polymer improves proton transport but inhibits oxygen flow. The grooved design allows for dense polymer on the ridges but allows oxygen to flow in the grooves. In technical terms, the proton transport resistance goes down, and there is little change in the oxygen transport resistance.

The grooves are between one and two nanometers wide, so don’t pull out your CNC mill. The researchers admit they had the idea for this some time ago, but it has taken several years to figure out how to fabricate the special electrodes.

Creating A Joule-Thomson Cryocooler And A Little Bit Of History At Home

The fun part about cryocoolers is that there are so many different and exciting ways to make stuff cold, based on a wide variety of physics. This is why after first exploring the Stirling/GM cycle and vapor-compression to create a cryocooler that he could liquefy nitrogen with, [Hyperspace Pirate] is exploring a Joule-Thomson cooler, which is also misspelled as ‘Joule-Thompson’ by those who don’t mind taking some liberties with history. Either way, the advantage of the adiabatic Joule-Thomson effect is that it is significantly simpler than the other methods — having been invented in the 19th century and used for the earliest forms of refrigeration.

This is what peak Joule-Thomson prototype cooler performance looks like.

The big difference between it and other technologies is that the effect is based on throttling the flow of a gas as it seeks to expand, within specific temperature and pressure ranges to ensure that the temperature change effect is positive (i.e. the temperature of the gas decreases). The net result is that of a cooling effect, which as demonstrated in the video can be used with successive stages involving different gases, or a gas mixture, to reach a low enough temperature at which nitrogen (contained in the same gas mixture) liquefies and can be collected.

Although not a very efficient process, if your local electricity costs allow it, running the compressor in a closed loop version isn’t that expensive and worth it for the science alone. Naturally, as with any experimental setup involving a range of gases, a compressor and other components, getting it to run perfectly on the first try is basically impossible, which is why this is so far Part 1 of another series on cryocoolers at home (or in the garage).

If you’re interested in the previous work [Hyperspace Pirate] has done with DIY cryocoolers, take a look at our coverage from earlier this year.


No Moving Parts LiDAR

Self-driving cars often use LiDAR — think of it as radar using light beams. One limitation of existing systems is they need some method of scanning the light source around, and that means moving parts. Researchers at the University of Washington have created a laser on a chip that uses acoustic waves to bend the laser, avoiding physically moving parts. The paper is behind a paywall, but the University has a summary poster, and you can also find an overview over on [Geekwire].

The resulting IC uses surface acoustic waves and can image objects more than 100 feet away. We would imagine this could be helpful for other applications like 3D scanning, too. The system weighs less than a conventional setup, too, so that would be valuable in drones and similar applications.


Inexpensive Ham Radio Gets Upgrades Thanks To A Trojan

Love them or hate them, the crop of cheap hand-held amateur radio transceivers is here to stay. They’re generally horrible radios, often smearing spurious emissions across the spectrum, but they’re cheap enough to throw in a glove box for emergencies, and they invite experimentation — for instance, modifying the firmware to add functionality the OEM didn’t think to offer.

The new hotness in this class of radios is the Quansheng UV-K5, a two-band transceiver you can pick up for about $40, and we suspect it’ll get hotter still with this firmware trojan by [Piotr (SQ9P)]. We’ve already seen a firmware hack for these radios, one that aimed at unlocking the full frequency range of the RF chip at the heart of the radio. Honestly, we’re not huge fans of these mods, which potentially interfere with other allocations across multiple bands. But [Piotr]’s hacks seem a bit more innocuous, focusing mainly on modifying the radio’s display and adding useful features, such as a calibrated received signal strength bar graph and a numerical RSSI display. The really neat new feature, though, is the spectrum display, which shows activity across a 2-MHz slice of spectrum centered on the currently set frequency. And just because he could, [Piotr] put in a game of Pong.

[Piotr]’s description of the mod as a trojan seems apt since his new programs run in parallel to the OEM firmware by wrapping its vector table. We’d imagine other mods are possible, and we’re keen to see what people come up with for these hackable little units. Just make sure you’re staying within the law, especially in the United States — the FCC does not play games (third item).

Better Noise Reduction With Science

Most noise-blocking headphones fall into two categories: they use some kind of material to absorb or scatter noise, or they use active cancellation that creates a signal to oppose the noise signal. As you’ve probably noticed, both of these approaches have limitations. Now, Swiss scientists think they have a new method that will work better. In Nature Communications, they describe a noise cancellation system that moves air by using ionization instead of a conventional transducer.

With the cool name plasmacoustic metalayers, the technique uses a controlled corona discharge to create very thin layers of plasma between a metal grid and thin wires. With no voltage, sound passes freely. Applying a voltage across the assembly produces ions and moves air with very low inertia, unlike a typical speaker. By controlling the reverse pressure of air, the system can cancel incoming noise picked up by a microphone.


Adding Portals To Quake

For those who have played Quake extensively, adding portals seems unnecessary, as teleporters are already a core part of the game mechanics. What [Matthew Earl] accomplishes is more of the Portal style of portal by rendering what is on the other side of the portal with a seamless teleportation transition.

Of course, Quake is an old game with a software renderer. Just throwing another camera into the scene, rendering to another texture, and then mapping that texture to the scene isn’t an option. Quake uses an edge rasterizer and generates spans along scanlines that track where edges intersect the current scanline. Rather than making expensive per-pixel comparisons, [Matt] stashes the portal spans and renders them in a second render, so even with multiple portals, only a single screen’s worth of pixels are rendered.

However, this technique has no near clipping plane, which means objects can appear in the portal that don’t make any sense as they are in front of the portal’s viewpoint. Luckily, Quake has an ingenious method for polygon occlusion: the BSP. While [Matt] is manually checking polygons, the BSP is the perfect tool for bisecting a room along a plane. It’s an incredible hack, and we’re excited to see Quake expand into a puzzle game. [Matt] dives into greater detail on how the software renderer works in another video that’s well worth a watch.

Perhaps the most incredible aspect of this technique is that it could run on original hardware. If you want to bring a little more Quake to life, why not get the Quake light flicker in your house? Video after the break.
