Eclipse Megamovie: Thousands Of Cameras For Citizen Science

On August 21, 2017, the Moon will cast its shadow across the entire breadth of the United States for the first time in almost a century. It is estimated that 12 million people live within the path in which the sun will be blotted out, and many millions more are expected to pour into the area to experience the wonders of totality.

We’d really love it if you would tell us where you’ll be during the eclipse by creating your own event page, but that’s not what this article’s about. With millions gathered in a narrow swath from Oregon to South Carolina, and with the eclipse falling on a Monday so that the prior two weekend days will be filled with campouts at prime viewing locations, I expect that Eclipse 2017 will be one big coast-to-coast party. This is an event that will attract people of all stripes, from those with no interest in astronomy who have only the faintest idea of what’s actually happening celestially, to those so steeped in the science that they’ll be calling out the exact beginning of totality and when to expect Baily’s Beads to appear.

I suspect our readership leans closer to the latter than the former, and some may want to add to the eclipse experience by participating in a little citizen science. Here’s how you can get involved.

Failing Infrastructure And The Lessons It Teaches

Infrastructure seems so permanent and mundane that most of us never give it a second thought. Maintenance doesn’t make for a flashy news story, but you will frequently find a nagging story on the inside pages of the news cycle discussing the slowly degrading, crumbling infrastructure in the United States.

If not given proper attention, it’s easy for these structures to fall into a state of disrepair until one suddenly, and often catastrophically, fails. We’ve already looked at a precarious dam situation currently playing out in California, and although engineers have that situation under control for now, other times we haven’t been so lucky. Today we’ll delve into a couple of notable catastrophic failures and how they might be avoided in future designs.

Gaining Weight While Delaying Repairs

Most of us take infrastructure for granted every day. Power lines, roads, pipelines, and everything else have a sense of permanence and banality that can’t be easily shaken. Sadly, this reality shattered for most people in Minneapolis, Minnesota in August 2007.

Telepresence Robot 2000 Leagues Under The Sea

Telepresence robots are now a reality: you can wheel around the office and talk to people, join a meeting, see stuff and bump into your colleagues. But imagine if telepresence were applied to deep sea exploration. Today we can become oceanographers through the telepresence system created by Bob Ballard (known for locating the Titanic, discovering deep sea geothermal vents, and more) and his team at the Inner Space Center. Put on your Submariner wristwatch because it’s time for all of us to explore the ocean depths from the comfort of our home or office.

Free As In Beer, Or The Story Of Windows Viruses

Whenever there’s a new Windows virus out there wreaking global havoc, the Linux types get smug. “That’ll never happen in our open operating system,” they say. “There are many eyes looking over the source code.” But then there’s a Heartbleed vulnerability that keeps them humble for a little while. Anyway, at least patches are propagated faster in the Linux world, right?

While the Linuxers are holier-than-thou, the Windows folks get defensive. They say that the problem isn’t with Windows, it’s just that it’s the number one target because it’s the most popular OS. Wrong, that’d be Android for the last few years, or Linux since forever in the server space. Then they say it’s a failure to apply patches and upgrade their systems, because their users are just less savvy, but that some new update system will solve the problem.

There’s some truth to the viruses and the patching, but when WannaCry is taking over hospitals’ IT systems or the radiation monitoring network at Chernobyl, it’s not likely to be the fault of the stereotypical naive users, and any automatic patch system is only likely to help around the margins.

So why is WannaCry, and variants, hitting unpatched XP machines, managed by professionals, all over the world? Why are there still XP machines in professional environments anyway? And what does any of this have to do with free software? The answer to all of these questions can be found in the ancient root of all evil, the want of money. Linux is more secure, ironically, at least partly because it’s free as in beer, and upgrading to a newer version is simply cheaper.

The Arduino Foundation: What’s Up?

The Arduino Wars officially ended last October, and the new Arduino-manufacturing company was registered in January 2017. At the time, we were promised an Arduino Foundation that would care for the open-source IDE and code infrastructure in an open and community-serving manner, but we don’t have one yet. Is it conspiracy? Or foul play? Our advice: don’t fret. These things take time.

But on the other hand, the Arduino community wants to know what’s going on, and there’s apparently some real confusion out there about the state of play in Arduino-land, so we interviewed the principals, Massimo Banzi and Federico Musto, and asked them for a progress report.

The short version is that there are still two “Arduinos”: Arduino AG, a for-profit corporation, and the soon-to-be Arduino Foundation, a non-profit in charge of guiding and funding software and IDE development. The former was incorporated in January 2017, and the latter is still in progress but looks likely to incorporate before the summer is over.

Banzi, who is a shareholder of Arduino AG, is going to be the president of the Foundation, and Musto, AG’s CEO, is going to be on the executive board. Both principals described similar visions of incredible transparency and community-driven development to us. Banzi is, in fact, looking to get a draft version of the Foundation’s charter early, for comment by the community, before it gets chiseled in stone.

It’s far too early to tell just how independent the Foundation is going to be, or should be, of the company that sells the boards under the same name. Setting up the Foundation correctly is extremely important for the future of Arduino, and Banzi said to us in an interview that he wouldn’t take on the job of president unless it is done right. What the Arduino community doesn’t need right now is a Foundation fork. Instead, they need our help, encouragement, and participation once the Foundation is established. Things look like they’re on track.

Impression Products V. Lexmark International: A Victory For Common Sense

A few months ago we reported on a case coming before the United States Supreme Court that concerned recycled printer cartridges. Battling it out were Impression Products, a printer cartridge recycling company, and Lexmark, the printer manufacturer. At issue was a shrinkwrap licence on inkjet cartridges — a legal agreement deemed to have been activated by the customer opening the cartridge packaging — that tied a discounted price to a restriction on the cartridge’s reuse.

It was of concern to us because of the consequences it could have had for the rest of the hardware world, setting a potential precedent such that any piece of hardware could have conditions still attached to it when it has passed through more than one owner, without the original purchaser being aware of agreeing to any legal agreement. This would inevitably have a significant effect on the work of most Hackaday readers, and probably prohibit many of the projects we feature.

We are therefore very pleased to see that a few days ago the Supremes made their decision, and as the EFF reports, it went in favor of Impression Products, and us, the consumer. In their words, when a patent owner:

…chooses to sell an item, that product is no longer within the limits of the monopoly and instead becomes the private individual property of the purchaser, with the rights and benefits that come along with ownership.

In other words, when you buy a printer cartridge or any other piece of hardware, it is yours to do with as you wish.

Is Intel’s Management Engine Broken?

Betteridge’s Law of Headlines states, “Any headline that ends in a question mark can be answered by the word no.” This law remains unassailable. However, recent claims have called into question a black box hidden deep inside every Intel chipset produced in the last decade.

Yesterday, on the Semiaccurate blog, [Charlie Demerjian] announced a remote exploit for the Intel Management Engine (ME). This exploit covers every Intel platform with Active Management Technology (AMT) shipped since 2008. This is a small percentage of all systems running Intel chipsets, and even then the remote exploit will only work if AMT is enabled. [Demerjian] also announced the existence of a local exploit.

Intel’s ME and AMT Explained

Starting in 2005, Intel began including Active Management Technology in Ethernet controllers. This system is effectively a firewall and a tool used for provisioning laptops and desktops in a corporate environment. In 2008, a new coprocessor — the Management Engine — was added. This management engine is a processor connected to every peripheral in a system. The ME has complete access to all of a computer’s memory, network connections, and every peripheral connected to a computer. The ME runs when the computer is hibernating and can intercept TCP/IP traffic. The Management Engine can be used to boot a computer over a network, install a new OS, and can disable a PC if it fails to check into a server at some predetermined interval. From a security standpoint, if you own the Management Engine, you own the computer and all data contained within.

The Management Engine and Active Management Technology have become a focus of security researchers. The researcher who finds an exploit allowing an attacker access to the ME will become the greatest researcher of the decade. When this exploit is discovered, a billion dollars in Intel stock will evaporate. Fortunately, or unfortunately, depending on how you look at it, the Management Engine is a closely guarded secret, it’s based on a strange architecture, and the on-chip ROM for the ME is a black box. Nothing short of corporate espionage or looking at the pattern of bits in the silicon will tell you anything. Intel’s Management Engine and Active Management Technology are secure through obscurity, yes, but so far they have been secure for a decade while being a target for the best researchers on the planet.

Semiaccurate’s Claim

In yesterday’s blog post, [Demerjian] reported the existence of two exploits. The first is a remotely exploitable security hole in the ME firmware. This exploit affects every Intel chipset made in the last ten years with Active Management Technology on board and enabled. It is important to note this remote exploit only affects a small percentage of total systems.

The second exploit reported by the Semiaccurate blog is a local exploit that does not require AMT to be active but does require Intel’s Local Manageability Service (LMS) to be running. This is simply another way that physical access equals root access. From the few details [Demerjian] shared, the local exploit affects a decade’s worth of Intel chipsets, but not remotely. This is simply another evil maid scenario.

Should You Worry?

This hacker is unable to exploit Intel’s ME, even though he’s using a three-hole balaclava.

The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine. Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system. If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.

However, [Demerjian] gives no details of the exploit (rightly so), and Intel has released an advisory stating, “This vulnerability does not exist on Intel-based consumer PCs.” According to Intel, this exploit will only affect Intel systems that ship with AMT, and have AMT enabled. The local exploit only works if a system is running Intel’s LMS.

This exploit — no matter what it may be, as there is no proof of concept yet — only works if you’re using Intel’s Management Engine and Active Management Technology as intended. That is, if an IT guru can reinstall Windows on your laptop remotely, this exploit applies to you. If you’ve never heard of this capability, you’re probably fine.

Still, with an exploit of such magnitude, it’s wise to check for patches for your system. If your system does not have Active Management Technology, you’re fine. If your system does have AMT, but you’ve never turned it on, you’re fine. If you’re not running LMS, you’re fine. Intel’s ME can be neutralized if you’re using a sufficiently old chipset. This isn’t the end of the world, but it does give security experts panning Intel’s technology for the last few years the opportunity to say, ‘told ya so’.