Global Resistor Shortage, Economics, And Consumer Behavior

The passive component industry — the manufacturers who make the boring but vital resistors, capacitors, and diodes found in every single electronic device — is on the cusp of a shortage. You’ll always be able to buy a 220 Ω, 0805 resistor, but instead of buying two for a penny like you can today, you may only get one in the very near future.

Yageo, one of the largest manufacturers of surface mount (SMD) resistors and multilayer ceramic capacitors, announced in December that they were not taking new chip resistor orders. Yageo was cutting production of cheap chip resistors to focus on higher-margin niche-market components for automotive, IoT, and other industrial uses, as reported by Digitimes. Earlier this month, Yageo resumed taking orders for chip resistors, but with 15-20% higher quotes (article behind paywall, try clicking through via this Tweet).

As a result, there are rumors of runs on passive components at the Shenzhen electronics market, and several tweets from members of the electronics community have said the price of some components have doubled. Because every electronic device uses these ‘jellybean’ parts, a decrease in supply or increase in price means some products won’t ship on time, margins will be lower, or prices on the newest electronic gadget will increase.

The question remains: are we on the brink of a resistor shortage, and what are the implications of manufacturers that don’t have the parts they need?


Opt-Out Fitness Data Sharing Leads To Massive Military Locations Leak

People who exercise with fitness trackers have a digital record of their workouts. They do it for a wide range of reasons, from gathering serious medical data to simply satisfying curiosity. When fitness data includes GPS coordinates, it raises personal privacy concerns. But even with individual data removed, such data was still informative enough to spill the beans on secretive facilities around the world.

Strava is a fitness tracking service that gathers data from several different brands of fitness tracker — think Fitbit. It gives athletes a social media experience built around their fitness data: track progress against personal goals and challenge friends to keep each other fit. As expected of companies with personal data, their privacy policy promised to keep personal data secret. In the same privacy policy, they also reserved the right to use the data shared by users in an “aggregated and de-identified” form, a common practice for social media companies. One such use was to plot the GPS data of all their users in a global heatmap. These visualizations use over 6 trillion data points and can be compiled into a fascinating gallery, but there’s a downside.

This past weekend, [Nathan Ruser] announced on Twitter that Strava’s heatmap also managed to highlight exercise activity by military/intelligence personnel around the world, including some suspected but unannounced facilities. More worryingly, some of the mapped paths imply patrol and supply routes, knowledge that security officers would prefer not be shared with the entire world.

This is an extraordinary blunder which very succinctly illustrates a folly of the Internet of Things. Strava’s anonymized data sharing obfuscated individuals, but didn’t manage to do the same for groups of individuals… like the fitness-minded active duty military personnel whose workout habits are clearly defined on these heat maps. The biggest contributor (besides wearing a tracking device in general) to this situation is that the data sharing is enabled by default and must be opted out of:

“You can opt-out of contributing your anonymized public activity data to Strava Metro and the Heatmap by unchecking the box in this section.” —Strava Blog, July 2017

We’ve seen individual fitness trackers hacked and we’ve seen people tracked through controlled domains before, but the global scope of [Nathan]’s discovery puts it in an entirely different class.

[via Washington Post]
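The failure described above is that dropping user identities does not hide a small group whose activity is the only activity in an area. As an added example (not Strava's code or data), this script aggregates constructed GPS samples into grid cells two ways: a naive point-count heatmap, and one that publishes a cell only when at least k distinct users contributed to it. The coordinates, user ids and grid size are all made up for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample data (not Strava's): (user_id, lat, lon) GPS samples.
# Forty users jog around a city; three users run the same loop at an isolated
# site with no other activity nearby. All coordinates are made up.
CITY = (40.7128, -74.0060)
REMOTE_SITE = (31.3050, 65.8050)

def make_points():
    pts = []
    for uid in range(1, 41):                      # 40 city users, 5 samples each
        for k in range(5):
            pts.append((f"city{uid}", CITY[0] + (uid % 7) * 0.001 + k * 0.0002,
                        CITY[1] + (uid % 5) * 0.001))
    for uid in range(1, 4):                       # 3 remote users, 20 samples each
        for k in range(20):
            pts.append((f"remote{uid}", REMOTE_SITE[0] + k * 0.0001,
                        REMOTE_SITE[1] + (k % 4) * 0.0001))
    return pts

def cell_of(lat, lon, size_deg=0.01):
    """Snap a coordinate to a grid cell roughly 1 km on a side."""
    return (math.floor(lat / size_deg), math.floor(lon / size_deg))

def naive_heatmap(points, size_deg=0.01):
    """Point count per cell with user ids dropped: every active cell is published."""
    counts = defaultdict(int)
    for _, lat, lon in points:
        counts[cell_of(lat, lon, size_deg)] += 1
    return dict(counts)

def k_anonymous_heatmap(points, k, size_deg=0.01):
    """Publish a cell only if at least k distinct users contributed to it."""
    users, counts = defaultdict(set), defaultdict(int)
    for uid, lat, lon in points:
        c = cell_of(lat, lon, size_deg)
        users[c].add(uid)
        counts[c] += 1
    return {c: n for c, n in counts.items() if len(users[c]) >= k}

def reveals(heatmap, lat, lon, size_deg=0.01):
    """True if the published map lights up the cell containing (lat, lon)."""
    return cell_of(lat, lon, size_deg) in heatmap

if __name__ == "__main__":
    pts = make_points()
    print("naive map shows remote site:", reveals(naive_heatmap(pts), *REMOTE_SITE))
    print("k=5 map shows remote site:", reveals(k_anonymous_heatmap(pts, 5), *REMOTE_SITE))
```

The remote cell is the hottest cell on the naive map (60 samples) yet comes from only three people; a minimum-distinct-user threshold suppresses it while the city cell, with forty contributors, is still published.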

Local Infrastructure: The Devil Is In The Details

About two months ago I rode my bike to work like any other day, but on the way home a construction project seemed to have spontaneously started at one of the bridges that I pass over. Three lanes had merged into one which, for a federal highway, seemed like a poorly planned traffic pattern for such a major construction project. As it happens, about an hour after I biked across this bridge that morning both outside sections of the bridge fell into the water. There was no other physical damage that seemed to explain why parts of a bridge on U.S. 1 would suddenly collapse.

The intriguing thing about this bridge collapse was that the outer retaining wall and about half of the sidewalk on both the northbound side and the southbound side had fallen into the water at the same time. This likely wasn’t caused by something like a boat impact, car accident, or an overweight truck. Indeed, Florida Department of Transportation (FDOT) investigated the incident and found that two post tension wires that held these sections of the bridge together had failed, making it unsafe for pedestrians and bicyclists but also for any boaters below.

Spectre And Meltdown: Attackers Always Have The Advantage

While the whole industry is scrambling on Spectre, Meltdown focused most of the spotlight on Intel and there is no shortage of outrage in Internet comments. Like many great discoveries, this one is obvious with the power of hindsight. So much so that the spectrum of reactions has spanned an extreme range, from “It’s so obvious, Intel engineers must be idiots” to “It’s so obvious, Intel engineers must have known! They kept it from us in a conspiracy with the NSA!”

We won’t try to sway those who choose to believe in a conspiracy that’s simultaneously secret and obvious to everyone. However, as evidence of non-obviousness, some very smart people got remarkably close to the Meltdown effect last summer, without getting it all the way. [Trammell Hudson] did some digging and found a paper from the early 1990s (PDF) that warns of the dangers of fetching info into the cache that might cross privilege boundaries, but it wasn’t weaponized until recently. In short, these are old vulnerabilities, but exploiting them was hard enough that it took twenty years to do it.

Building a new CPU is the work of a large team over several years. But they weren’t all working on the same thing for all that time. Any single feature would have been the work of a small team of engineers over a period of months. During development they fixed many problems we’ll never see. But at the end of the day, they are only human. They can be 99.9% perfect and that won’t be good enough, because once hardware is released into the world: it is open season on that 0.1% the team missed.

The odds are stacked in the attacker’s favor. The team on defense has a handful of people working a few months to protect against all known and yet-to-be discovered attacks. It is a tough match against the attackers coming afterwards: there are a lot more of them, they’re continually refining the state of the art, they have twenty years to work on a problem if they need to, and they only need to find a single flaw to win. In that light, exploits like Spectre and Meltdown will probably always be with us.

Let’s look at some factors that paved the way to Intel’s current embarrassing situation.


The 348,296th Article About Cryptocurrency

The public has latched onto the recent market events with an intense curiosity brought about by a greed for instant riches. In the last year alone, the value of Bitcoin has risen by 1,731%. We’re talking gold rush V2.0, baby. Money talks, and with a resounding $615 billion held up in cryptocurrencies, it is clear why this is assuredly not the first cryptocurrency article you have read — maybe even today. An unfortunate side effect of mass interest in a subject is the wildfire-like spread of misinformation. So, what exactly is a blockchain, and what can you still do now that everyone has finally jumped on the cryptocurrency bandwagon?


Let’s Talk Intel, Meltdown, And Spectre

This week we’ve seen a tsunami of news stories about a vulnerability in Intel processors. We’re certain that by now you’ve heard of (and are maybe tired of hearing about) Meltdown and Spectre. However, as a Hackaday reader, you are likely the person who others turn to when they need to get the gist of news like this. Since this has bubbled up in watered-down versions to the highest levels of mass media, let’s take a look at what Meltdown and Spectre are, and also see what’s happening in the other two rings of this three-ring circus.

Meltdown and Spectre in a Nutshell

These two attacks are similar. Meltdown is specific to Intel processors, and kernel fixes (basically workarounds implemented by operating systems) will result in a 5%-30% speed penalty depending on how the CPU is being used. Spectre is not limited to Intel but also affects AMD and ARM processors, and kernel fixes are not expected to come with a speed penalty.

Friend of Hackaday and security researcher extraordinaire Joe Fitz has written a superb layman’s explanation of these types of attacks. His use of the term “layman” may be a little more high level than normal — this is something you need to read.

The attack exploits something called branch prediction. To boost speed, these processors keep a cache of past branch behavior in memory and use that to predict future branching operations. Branch predictors load data into memory before checking to see if you have permissions to access that data. Obviously you don’t, so that memory will not be made available for you to read. The exploit uses a clever guessing game to look at other files also returned by the predictor to which you do have access. If you’re clever enough, you can reconstruct the restricted data by iterating on this trick many, many times.

For the most comprehensive info, you can read the PDF whitepapers on Meltdown and Spectre.

Update: Check Alan Hightower’s explanation of the Meltdown exploit left as a comment below. Quite good for helping deliver better understanding of how this works.

Frustration from Kernel Developers

These vulnerabilities are in silicon — they can’t be easily fixed with a microcode update, which is how CPU manufacturers usually work around silicon errata (although this appears to be an architectural flaw and not errata per se). An Intel “fix” would amount to a product recall. They’ve already said they won’t be doing a recall, but how would that work anyway? What’s the lead time on spinning up the fabs to replace all the Intel chips in use — yikes!

So the fixes fall on the operating systems at the kernel level. Intel should be (and probably is behind the scenes) bowing down to the kernel developers who are saving their bacon. It is understandably frustrating to have to spend time and resources patching these vulnerabilities, which displaces planned feature updates and improvements. Linus Torvalds has been throwing shade at Intel — anecdotal evidence of this frustration:

“I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.”

That’s the tamest part of his message posted on the Linux Kernel Mailing List.
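Since the fixes land in the operating system rather than the silicon, the practical question for an administrator is whether a given host actually has them. As an added example (not from the article), this Python script parses the one-line status strings the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities/ (one file per issue) and flags any of meltdown, spectre_v1 or spectre_v2 that is not reported as mitigated or not affected. The directory is real; the SAMPLE values are constructed for the illustration.

```python
import os

# Constructed sample of the status strings found under SYSFS_DIR on a Linux
# host. The directory and the "Mitigation:"/"Vulnerable"/"Not affected" line
# formats are real; these particular values are made up for the example.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling",
}

def classify(status):
    """Map one kernel status line to (state, detail), where state is one of
    'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    head, _, detail = status.strip().partition(":")
    head = head.strip().lower()
    if head == "not affected":
        return "not_affected", ""
    if head == "mitigation":
        return "mitigated", detail.strip()
    if head == "vulnerable":
        return "vulnerable", detail.strip()
    return "unknown", status.strip()   # covers "Unknown: ..." and a missing file

def audit(statuses, required=("meltdown", "spectre_v1", "spectre_v2")):
    """Return (issue, state, detail) for every required issue that is neither
    mitigated nor 'Not affected'; an empty list means the host passes."""
    findings = []
    for issue in required:
        state, detail = classify(statuses.get(issue, ""))
        if state not in ("not_affected", "mitigated"):
            findings.append((issue, state, detail))
    return findings

def read_sysfs(path=SYSFS_DIR):
    """Read the live status files on a Linux host; empty dict elsewhere."""
    out = {}
    if os.path.isdir(path):
        for name in os.listdir(path):
            with open(os.path.join(path, name)) as fh:
                out[name] = fh.read().strip()
    return out

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE        # fall back to the sample off-Linux
    for issue, state, detail in audit(live) or [("all", "ok", "")]:
        print(f"{issue}: {state} {detail}".rstrip())
```

A missing status file is reported as unknown rather than silently passing, which is what you want on a kernel too old to publish these entries at all.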

Stock Sales Kerfuffle is Just a Distraction

The first thing I did on hearing about these vulnerabilities on Tuesday was to check Intel’s stock price and I was surprised it hadn’t fallen much. In fact, peak to peak it’s only seen about an 8% drop this week and has recovered some from that low.

Of course, it came out that back in November Intel’s CEO Brian Krzanich sold off his Intel stock to the tune of $24 Million, bringing him down to his contractual minimum of shares. He likely knew about Meltdown when arranging that sale. Resist the urge to flame on this decision. Whether it’s legal or not, hating on this guy is just a distraction.

What’s more interesting to me is this: Intel is too big to fail. What are we all going to do, stop using Intel and start using something else? You can’t just pull the chip and put a new one in; in the case of desktop computers you need a new motherboard plus all the supporting stuff like memory. For servers, laptops, and mobile devices you need to replace the entire piece of equipment. Intel has a huge market share, and silicon has a long production cycle. Branch prediction has been commonplace in consumer CPUs going back to 1995 when the Pentium Pro brought it to the x86 architecture. This is a piece of the foundation that will be yanked out and replaced with new designs that provide the same speed benefits without the same risks — but that will take time to make it into the real world.

CPUs are infrastructure and this is the loudest bell to date tolling to signal how important their design is to society. It’s time to take a hard look at what open silicon design would bring to the table. You can’t say this would have been prevented with Open design. You can say that the path to new processors without these issues would be a shorter one if there were more than two companies producing all of the world’s processors — both of which have been affected by these vulnerabilities.

2017: As The Hardware World Turns

The year is almost over, and now it’s time to look back on the last fifty-odd weeks. What happened in this year in hacking? 2017 will go down as the beginning of another AI renaissance, although we’re not going to call it that; this year was all about neural nets and machine learning and advancements resulting from the development of self-driving cars and very beefy GPUs. Not since the 80s have we seen more work in ‘AI’ fields. What will it amount to this time around the hype cycle? Find out in a few years.

Biohacking was big this year, and not just because people are installing RFID tags and magnets in their hands. CRISPR is allowing for Star Trek-style genome hacking, and this year saw in vivo experiments to enable and disable individual genes in rat models. Eventually, someone is going to get a Nobel for CRISPR.

We’re going to Mars, and soon — very soon — a SpaceX Falcon Heavy is going to either lob a Tesla Roadster into solar orbit or the Atlantic Ocean. We learned about the BFR that will take dozens of people to Mars in a single launch. Boeing and Lockheed think they can compete with the Elon Musk PR powerhouse. The Bigelow Aerospace inflatable module passed its in-flight test on the ISS, giving the space station a new storage closet. Even in space, amazing stuff is happening this year.

Is that it? Not by a long shot. This year has seen some of the coolest hacks we’ve ever seen, and some of the dumbest security breaches ever. Hackaday is doing awesome. What else did 2017 have? Read on to find out.
