Unexpected Betrayal From Your Right Hand Mouse

Some people really enjoy the kind of computer mouse that would not be entirely out of place in an F-16 cockpit. The kind of mouse that can launch a browser with the gentle shifting of one of its thirty-eight buttons ever so slightly to the left and open their garage door with a shifting to the right of that same button. However, can this power be used for evil, and not just for frustrating guest users of their computer?

We’ve heard of the trusted peripheral being repurposed for nefarious uses before. Sometimes they’ve even been modified for more benign purposes. All of these have one thing in common: the mouse itself must be physically modified to add the vulnerability or feature. However, advanced mice with macro support can be used as-is as an attack vector.

The example in this case is a Logitech G-series gaming mouse. The mouse has the ability to store multiple personal settings in its memory. That way someone could take the mouse to multiple computers and still have all their settings available. [Stefan Keisse] discovered that the 100 command limit on the macros for each button is more than enough to get a full reverse shell on the target computer.

Considering how frustratingly easy it can be to accidentally press an auxiliary button on these mice, all an attacker would need to do is wait after delivering the sabotaged mouse. Video of the exploit after the break.


Weird CPU

How many instructions does [agp.cooper’s] computer have? Just one. How many strip boards does it use? Apparently, 41 five 41-track boards. While being one shy of the answer to life, it is still a lot of boards for a single instruction. The high board count is due to the use of 1970s vintage ICs including TTL parts, 2114 RAM chips, and 74S571 PROMs.

There are several different architectures for single instruction computers and [agp’s] uses what is technically a TTA (transfer-triggered architecture). That is, the one instruction is a move and the destination or source of the move determines the operation. For example, the Weird CPU (that’s the name of it) has a P and Q register. If you load those registers, then the ADD register will contain the sum of the two numbers.


LastPass Happily Forfeits Passwords To Simple Javascript

LastPass is a great piece of software when it comes to convenience, but a recent simple hack shows just how insecure software like it can be. [Mathias Karlsson] nabbed a nice $1000 bounty for its discovery.

LastPass’s auto-fill works by injecting some HTML into the website you’re visiting. It runs a bit of JavaScript to parse the URL. However, the parsing script was laughably vague. By changing the URL of the page, inserting a few meaningless-to-the-server slugs into the URL, an attacker could get LastPass to give it a password and username combo for any website.
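To make the failure mode concrete, here is an added example (not LastPass's code and not from the original post) that contrasts a hypothetical loose, regex-based host extractor with one that defers to the platform's URL parser before deciding whether to auto-fill. The function names, the vault contents and the sample URLs are all constructed for illustration.

```javascript
// Hypothetical loose parser (an assumption, NOT LastPass's code): it treats
// whatever follows the last "@" anywhere in the URL string as the host.
function looseHost(url) {
  const m = /^(?:.*@)?(?:https?:\/\/)?([^\/:?#]+)/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Strict parser: let the WHATWG URL implementation decide what the host is.
function strictHost(url) {
  let u;
  try { u = new URL(url); } catch { return null; }   // unparsable: never fill
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.hostname; // normalised; path segments and userinfo cannot leak in
}

// Constructed vault keyed by exact hostname. Real managers compare registrable
// domains; exact matching keeps the example short.
const vault = new Map([
  ["bank.example", { username: "alice", password: "<placeholder>" }],
]);

// Auto-fill decision: the stored entry for the page's host, or null.
function autofill(pageUrl, hostFn) {
  const host = hostFn(pageUrl);
  return (host && vault.get(host)) || null;
}

// Constructed page URLs: the genuine login page, and an unrelated site whose
// path contains a slug that its own server ignores.
const pages = [
  "https://bank.example/login",
  "https://other.example/@bank.example/index.php",
];

function compare() {
  return pages.map((page) => ({
    page,
    loose: looseHost(page),
    strict: strictHost(page),
    looseFills: autofill(page, looseHost) !== null,
    strictFills: autofill(page, strictHost) !== null,
  }));
}

console.table(compare());
```

Both parsers agree on the genuine page; only the loose one resolves the second page to `bank.example` and releases the stored entry, which is why the match has to be made on the parsed hostname rather than on a pattern applied to the raw string.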

The discussion in the Hacker News comment section more-or-less unanimously agreed that most systems like this have their glaring flaws, but that the overall benefits of having secure passwords generated and managed by software were still worth the risk when compared to having a few commonly reused passwords over multiple sites.

One could get a more secure key manager by using software like KeePass, but it’s missing some of the convenience factor of remote-based services and relies on a user protecting their key files adequately.

Still, as scary as they are, openly discussing hacks like this after responsible disclosure is good because they force companies like LastPass, who have some very big name clients, to take their code review and transparency more seriously.

DIY Command Station For Kerbal Space Program Is Overkill

We’ve seen custom controller mods for Kerbal Space Program before, but a group calling themselves the Makerforce went a step further with their design and build of the KSP “Overkill” Command Station, which has much more in common with a fancy standup arcade unit than a custom controller. Kerbal Space Program is a hit indie game that, among other things, simulates the challenges of spaceflight. Like most games, you use the mouse and keyboard for control but many fans find this too limiting. With the help of a software mod that exposes control and status information over hardware serial communications, the door to full telemetry and remote control was opened to just about anyone to craft their own custom hardware such as flight sticks and status displays. Not content with the idea of having just a joystick and a few buttons critical for the flight process, this project took a different approach.


Microcontrollers Now Substitute For CPUs

Microcontrollers are getting faster and faster, as is most of the rest of the computing world. Just like you can play Nintendo console games on the newest Nintendo handhelds, it seems that modern microcontrollers can replace CPUs on personal computers from the 80s. At least, that’s what [Dave] has shown with his latest project: an Atmel microcontroller that directly attaches to the CPU slot on a Commodore PET.

Essentially, the project started out as a test rig of sorts for the Commodore. [Dave] wanted to see if some of the hardware on the Commodore was still functional and behaving properly. From there, it somewhat snowballed. The address bus was easy enough to investigate, but adding only a few more pins on the microcontroller he was already using would be enough to access the databus too. A character table was soon added, a test algorithm, and more useful insights. It’s a masterful manipulation of this older hardware with modern technology and is definitely worth a look.

There’s a lot more going on in the retrocomputing world than meets the eye. One might think these old computers were all in landfills by now, but there is a devoted fanbase that does everything from building new hard drives for old computers to investigating their true audio-visual potential.

Thanks to [Mike w] for the tip!

Staying In And Playing Skyrim Has Rarely Been This Healthy

Looking to add some activity to your day but don’t want to go through a lot of effort? [D10D3] has the perfect solution that enables you to take a leisurely bike ride through Skyrim. A standing bicycle combines with an HTC Vive (using the add-on driver VorpX which allows non-VR-enabled games to be played with a VR headset) and a Makey Makey board to make slack-xercise — that’s a word now — part of your daily gaming regimen.

The Makey Makey is the backbone of the rig; it allows the user to set up their own inputs with electrical contacts that correspond to keyboard and mouse inputs, thereby allowing one to play a video game in some potentially unorthodox ways — in this case, riding a bicycle.

Setting up a couple buttons for controlling the Dragonborn proved to be a simple process. Buttons controlling some of the main inputs were plugged into a breadboard circuit which was then connected to the Makey Makey along with the ground wires using jumpers. As a neat addition, some aluminium foil served as excellent contacts for the handlebars to act as the look left and right inputs. That proved to be a disorienting addition considering the Vive’s head tracking also moves the camera.

Physical Kill Switch For Rogue Applications

Necessity is the mother of invention, but sometimes frustration is as good a motivator. [Maciej] does a bunch of statistics in his day job using SPSS. Like most complicated pieces of software, it can get hung, and the only way to stop it is to manually kill the running processes. Apparently, that happened one time too many for [Maciej].

He took matters into his own hands, repurposing a big red emergency-stop button for the task. It’s mounted on a jar, and the microcontroller inside is configured as a USB keyboard. When he mashes the button, it opens the “Run…” menu and types out taskkill spssengine.exe for him.

We can totally see the therapeutic value of such a device. Plus, in case SPSS is gobbling up his system memory and everything’s approaching standstill, the vital seconds saved by the microcontroller’s quick-typing fingers could be a lifesaver.