Current Events

583 Articles

International Space Station Is Racing The Clock After Soyuz Failure

October 11, 2018 by 120 Comments

Today’s failed Soyuz launch thankfully resulted in no casualties, but the fate of the International Space Station (ISS) is now in question.

Just two minutes after liftoff, the crew of the Soyuz MS-10 found themselves in a situation that every astronaut since the beginning of the manned space program has trained for, but very few have ever had to face: a failure during launch. Today the crew of two, Russian Aleksey Ovchinin and American Nick Hague, were forced to make a ballistic re-entry into the Earth’s atmosphere; a wild ride that put them through higher G forces than expected and dropped the vehicle approximately 430 km from the launch site in Baikonur. Both men walked away from the event unharmed, but while the ordeal is over for them, it’s just beginning for the crew of the ISS.

Until a full investigation can be completed by Roscosmos, Russia’s space agency, the Soyuz rocket is grounded. This is standard procedure, as they obviously don’t want to launch another rocket and risk encountering the same issue. But as the Soyuz is currently the only way we have to get humans into space, this means new crew can’t be sent to the ISS until Roscosmos is confident the issue has been identified and resolved.

Soyuz MS-11, which would have brought up three new crew members to relieve those already on the Station, was scheduled for liftoff on December 20th. While not yet officially confirmed, that mission is almost certainly not going to be launching as scheduled. Two months is simply not long enough to conduct an investigation into such a major event when human lives are on the line.

The failure of Soyuz MS-10 has started a domino effect which will deprive the ISS of the five crew members which were scheduled to be aboard by the end of 2018. To make matters worse, the three current crew members must return to Earth before the end of the year as well. NASA and Roscosmos will now need to make an unprecedented decision which could lead to abandoning the International Space Station; the first time it would be left unmanned since the Expedition 1 mission arrived in November 2000.

Continue reading “International Space Station Is Racing The Clock After Soyuz Failure”

This Year’s Nobel Prizes Are Straight Out Of Science Fiction

October 10, 2018 by 22 Comments

In the 1966 science fiction movie Fantastic Voyage, medical personnel are shrunken to the size of microbes to enter a scientist’s body to perform brain surgery. Due to the work of this year’s winners of the Nobel Prize in Physics, laser tools now do work at this scale.

Arthur Ashkin won for his development of optical tweezers that use a laser to grip and manipulate objects as small a molecule. And Gérard Mourou and Donna Strickland won for coming up with a way to produce ultra-short laser pulses at a high-intensity, used now for performing millions of corrective laser eye surgeries every year.

Here is a look at these inventions, their inventors, and the applications which made them important enough to win a Nobel.

Continue reading “This Year’s Nobel Prizes Are Straight Out Of Science Fiction”

Google Discovers Google+ Servers Are Still Running

October 9, 2018 by 70 Comments

Google is pulling the plug on their social network, Google+. Users still have the better part of a year to say their goodbyes, but if the fledgling social network was a ghost town before, news of its imminent shutdown isn’t likely to liven the place up. A quick check of the site as of this writing reveals many users are already posting their farewell messages, and while there’s some rallying behind petitions to keep the lights on, the majority realize that once Google has fallen out of love with a project there’s little chance of a reprieve.

To say that this is a surprise would be disingenuous. We’d wager a lot of you already thought it was gone, honestly. It’s no secret that Google’s attempt at a “Facebook Killer” was anything but, and while there was a group of dedicated users to be sure, it never attained anywhere near the success of its competition.

According to a blog post from Google, the network’s anemic user base isn’t the only reason they’ve decided to wind down the service. A previously undisclosed security vulnerability also hastened its demise, a revelation which will particularly sting those who joined for the privacy-first design Google touted. While this fairly transparent postmortem allows us to answer what ended Google’s grand experiment in social networking, there’s still one questions left unanswered. Where are the soon to be orphaned Google+ users supposed to go?

Continue reading “Google Discovers Google+ Servers Are Still Running”

Will Drones And Planes Be Treated As Equals By FAA?

October 8, 2018 by 87 Comments

Soon, perhaps even by the time you read this, the rules for flying remote-controlled aircraft in the United States will be very different. The Federal Aviation Authority (FAA) is pushing hard to repeal Section 336, which states that small remote-controlled aircraft as used for hobby and educational purposes aren’t under FAA jurisdiction. Despite assurances that the FAA will work towards implementing waivers for hobbyists, critics worry that in the worst case the repeal of Section 336 might mean that remote control pilots and their craft may be held to the same standards as their human-carrying counterparts.

Section 336 has already been used to shoot down the FAA’s ill-conceived attempt to get RC pilots to register themselves and their craft, so it’s little surprise they’re eager to get rid of it. But they aren’t alone. The Commercial Drone Alliance, a non-profit association dedicated to supporting enterprise use of Unmanned Aerial Systems (UAS), expressed their support for repealing Section 336 in a June press release:

Basic ‘rules of the road’ are needed to manage all this new air traffic. That is why the Commercial Drone Alliance is today calling on Congress to repeal Section 336 of the FAA Modernization and Reform Act of 2012, and include new language in the 2018 FAA Reauthorization Act to enable the FAA to regulate UAS and the National Airspace in a common sense way.

With both the industry and the FAA both pushing lawmakers to revamp the rules governing small remote-controlled aircraft, things aren’t looking good for the hobbyists who operate them. It seems likely those among us with a penchant for airborne hacking will be forced to fall in line. But what happens then?

Continue reading “Will Drones And Planes Be Treated As Equals By FAA?”

Malicious Component Found On Server Motherboards Supplied To Numerous Companies

October 4, 2018 by 270 Comments

This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them, equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and even reportedly used in the CIA’s drone operations.

How the Hack Works

The attacks work with the small chip being implanted onto the motherboard disguised as signal couplers. It is unclear how the chip gains access to the peripherals such as memory (as reported by Bloomberg) but it is possible it has something to do with accessing the bus. The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack as a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whomever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips though it’s difficult to say if they had already served their purpose or were being saved for a future date.

What Now?

Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next-generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

Update: We changed the penultimate paragraph to include the word if: “…simple one if servers with…” as it has not been independently verified that servers were actually out in the field and companies have denied Bloomberg’s reporting that they were.

[Note: Image is a generic photo and not the actual hardware]

Bitcoin’s Double Spending Flaw Was Hush-Hush During Rollout

October 2, 2018 by 15 Comments

For a little while it was possible to spend Bitcoin twice. Think of it like a coin on a string, you put it into the vending machine to get a delicious snack, but if you pull the string quickly enough you could spend it again on some soda too. Except this coin is worth something like eighty-grand.

On September 20, the full details of the latest fix for the Bitcoin Core were published. This information came two days after the fix was actually released. Two vulnerabilities were involved; a Denial of Service vulnerability and a critical inflation vulnerability, both covered in CVE-2018-17144. These were originally reported to several developers working on Bitcoin Core, as well as projects supporting other cryptocurrencies, including ABC and Unlimited.

Let’s take a look at how this worked, and how the network was patched (while being kept quiet) to close up this vulnerability.

Continue reading “Bitcoin’s Double Spending Flaw Was Hush-Hush During Rollout”

Can You “Take Back” Open Source Code?

September 27, 2018 by 155 Comments

It seems a simple enough concept for anyone who’s spent some time hacking on open source code: once you release something as open source, it’s open for good. Sure the developer might decide that future versions of the project close up the source, it’s been known to happen occasionally, but what’s already out there publicly can never be recalled. The Internet doesn’t have a “Delete” button, and once you’ve published your source code and let potentially millions of people download it, there’s no putting the Genie back in the bottle.

But what happens if there are extenuating circumstances? What if the project turns into something you no longer want to be a part of? Perhaps you submitted your code to a project with a specific understanding of how it was to be used, and then the rules changed. Or maybe you’ve been personally banned from a project, and yet the maintainers of said project have no problem letting your sizable code contributions stick around even after you’ve been kicked to the curb?

Due to what some perceive as a forced change in the Linux Code of Conduct, these are the questions being asked by some of the developers of the world’s preeminent open source project. It’s a situation which the open source community has rarely had to deal with, and certainly never on a project of this magnitude.

Is it truly possible to “take back” source code submitted to a project that’s released under a free and open source license such as the GPL? If so, what are the ramifications? What happens if it’s determined that the literally billions of devices running the Linux kernel are doing so in violation of a single developer’s copyright? These questions are of grave importance to the Internet and arguably our way of life. But the answers aren’t as easy to come by as you might think.

Continue reading “Can You “Take Back” Open Source Code?”