When Good Software Goes Bad: Malware In Open Source

Open Source software is always trustworthy, right? [Bertus] broke a story about a malicious Python package called “Colourama”. When used, it secretly installs a VBScript that watches the system clipboard for a Bitcoin address, and replaces that address with a hardcoded one. Essentially this package attempts to redirect Bitcoin payments to whoever wrote the “colourama” library.

Why would anyone install this thing? There is a legitimate package named “Colorama” that takes ANSI color commands, and translates them to the Windows terminal. It’s a fairly popular library, but more importantly, the name contains a word with multiple spellings. If you ask a friend to recommend a color library and she says “colourama” with a British accent, you might just spell it that way. So the attack is simple: copy the original project’s code into a new misspelled project, and add a nasty surprise.

Sneaking malicious software into existing codebases isn’t new, and this particular cheap and easy attack vector has a name: “typo-squatting”. But how did this package get hosted on PyPI, the main source of community-contributed goodness for Python? How many of you have downloaded packages from PyPI without looking through all of the source? pip install colorama? We’d guess that it’s nearly all of us who use Python.

It’s not just Python, either. A similar issue was found on the NPM javascript repository in 2017. A user submitted a handful of new packages, all typo-squatting on existing, popular packages. Each package contained malicious code that grabbed environment variables and uploaded them to the author. How many web devs installed these packages in a hurry?

Of course, this problem isn’t unique to open source. “Abstractism” was a game hosted on Steam, until it was discovered to be mining Monero while gamers were playing. There are plenty of other examples of malicious software masquerading as something else; a sizable chunk of my day job is cleaning up computers after someone tried to download Flash Player from a shady website.

Buyer Beware

In the open source world, we’ve become accustomed to simply downloading libraries that purport to do exactly the cool thing we’re looking for, and none of us have the time to pore through the code line by line. How can you trust them?

Repositories like PyPI do a good job of faithfully packaging the libraries and programs that are submitted to them. As the size of these repositories grows, it becomes less and less practical for every package to be manually reviewed. PyPI lists 156,750 projects. Automated scanning like [Bertus] was doing is a great step towards keeping malicious code out of our repositories. Indeed, [Bertus] has found eleven other malicious packages while testing the PyPI repository. But cleverer hackers will probably find their way around automated testing.

That the libraries are open source does add an extra layer of reliability, because the code can in principle be audited by anyone, anytime. As libraries are used, bugs are found, and features are added, more and more people are intentionally and unintentionally reviewing the code. In the “colourama” example, a long Base64 string was decoded and executed. It doesn’t take a professional researcher to realize something fishy is going on. At some point, enough people have reviewed a codebase that it can be reasonably trusted. “Colorama” has well over a thousand stars on GitHub, and 28 contributors. But did you check that before downloading it?

Typo-squatting abuses trust, taking advantage of a similar name and whoever isn’t paying quite close enough attention. It’s not practical for every user to check every package in their operating system. How, then, do we have any trust in any install? Cryptography solves some of these problems, but it cannot overcome the human element. A typo in a URL, trusting a brand new project, or even obfuscated C code can fool the best of us from time to time.

What’s the solution? How do we have any confidence in any of our software? When downloading from the web, there are some good habits that go a long way to protect against attacks. Cross check that the project’s website and source code actually point to each other. Check for typos in URLs. Don’t trust a download just because it’s located on a popular repository.

But most importantly, check the project’s reputation, the number of contributors to the project, and maybe even their reputation. You wouldn’t order something on eBay without checking the seller’s feedback, would you? Do the same for software libraries.
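As an added example (not code from the article, from [Bertus], or from PyPI), here is a small pre-install audit script in Python that implements two of the checks argued for above: a near-miss comparison of requested package names against a list of packages you already trust (so “colourama” is flagged next to “colorama”), and a scan of a package’s source for the long Base64 literal followed by exec pattern that gave the malicious package away. KNOWN_GOOD, SAMPLE_SOURCE and the demo payload text are constructed for the demonstration; the heuristics are deliberately simple and will produce false positives, so they are an aid to review rather than a replacement for it.

```python
"""Pre-install heuristics: near-miss dependency names and suspicious source.
Added example, not the article's or PyPI's code; allow-list and sample source
are constructed for the demo."""
import base64
import binascii
import re

# Constructed allow-list.  In practice this would be your lock file or a
# curated internal list of approved dependencies (assumption).
KNOWN_GOOD = {"colorama", "requests", "numpy", "flask", "urllib3"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of -_. to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known=KNOWN_GOOD, max_distance=2):
    """Trusted names within max_distance edits of `name`; empty if `name`
    itself is trusted.  'colourama' -> ['colorama']."""
    n = normalize(name)
    normalized_known = {normalize(k): k for k in known}
    if n in normalized_known:
        return []
    return sorted(k for nk, k in normalized_known.items()
                  if levenshtein(n, nk) <= max_distance)


def audit_requirements(lines, known=KNOWN_GOOD):
    """Map each requested name that is a near-miss of a trusted package to
    the trusted names it resembles.  Comments and version specifiers are
    stripped before comparison."""
    flagged = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[\[<>=!~; ]", line, maxsplit=1)[0]
        near = typosquat_candidates(name, known)
        if near:
            flagged[name] = near
    return flagged


# A quoted run of 80+ Base64 characters is rare in legitimate code; on the
# same line as (or next to) exec/eval/b64decode or a shell call it is the
# pattern the article describes.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{80,}={0,2})["']""")
DYNAMIC_EXEC = re.compile(r"\b(?:exec|eval|compile)\s*\(|b64decode\s*\(|"
                          r"\bos\.system\s*\(|\bsubprocess\.|\bos\.startfile\s*\(")


def suspicious_lines(source: str):
    """Return (line_number, reason) tuples for lines matching the heuristics."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        reasons = []
        m = B64_LITERAL.search(line)
        if m:
            reasons.append("long base64 literal")
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
                if re.search(rb"exec|eval|cmd|powershell|wscript|http", decoded, re.I):
                    reasons.append("decodes to code-like text")
            except binascii.Error:
                pass  # not valid Base64; the length alone is still worth a look
        if DYNAMIC_EXEC.search(line):
            reasons.append("dynamic execution or shell call")
        if reasons:
            findings.append((lineno, ", ".join(reasons)))
    return findings


# Constructed stand-in for a package's __init__.py, modelled on the behaviour
# described in the article.  The encoded payload is harmless demo text.
_DEMO_PAYLOAD = base64.b64encode(
    b"# constructed demo payload: pretend this writes and runs wscript\n" * 2).decode()
SAMPLE_SOURCE = f'''import base64
from .ansi import Fore, Back, Style   # the legitimate-looking part

def init():
    return Fore

_b = "{_DEMO_PAYLOAD}"
exec(base64.b64decode(_b))
'''

if __name__ == "__main__":
    print(audit_requirements(["colourama==0.4.1", "requests>=2.0  # fine", "numpy"]))
    for lineno, reason in suspicious_lines(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
```

Run against a real checkout, `suspicious_lines` would be applied to every `.py` file in the unpacked sdist or wheel, and `audit_requirements` to the project’s requirements file before the first `pip install`; a hit on either is a reason to read the package before trusting it, not proof of malice.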

A further layer of security can be found in using libraries supported by popular distributions. In quality distributions, each package has a maintainer that is familiar with the project being maintained. While they aren’t checking each line of code of every project, they are ensuring that “colorama” gets packaged instead of “colourama”. In contrast to PyPI’s 156,750 Python modules, Fedora packages only around 4,000. This selection is a good thing.

Repositories like PyPI and NPM are simply not the carefully curated sources of trustworthy software that we sometimes think them to be, and we should act accordingly. Look carefully into the project’s reputation. If the library is packaged by your distribution of choice, you can probably pass this job off to the distribution’s maintainers.

At the end of the day, short of going through the code line by line, some trust anchor is necessary. If you’re blindly installing random libraries, even from a “trustworthy” repository, you’re letting your guard down.

Kepler Closes Eyes After A Decade Of Discovery

Since its launch in March 2009, the Kepler Space Telescope has provided us with an incredible amount of data about exoplanets within our galaxy, proving these worlds are more varied and numerous than we could ever have imagined. Before its launch we simply didn’t know how common planets such as ours were, but today we know the Milky Way contains billions of them. Some of these worlds are so hot they have seas of molten rock, others experience two sunsets a day as they orbit a pair of stars. Perhaps most importantly, thousands of the planets found by Kepler are much like our own: potentially playing host to life as we know it.

Kepler lived a fruitful life by any metric, but it hasn’t been an easy one. Hardware failures aboard the observatory, too far into deep space for us to repair it as we did Hubble, nearly brought the program to a halt in 2013. When NASA announced the spacecraft was beyond hope of repair, most assumed the mission would end. Even by that point, Kepler was an unqualified success and had provided us with enough data to keep astronomers busy for years. But an ingenious fix was devised, allowing it to continue collecting data even in its reduced capacity.

Leaning into the solar wind, Kepler was able to use the pressure of sunlight striking its solar panels to steady itself. Kepler’s “eyesight” was never quite the same after the failure of its reaction wheels, and it consumed more propellant than originally intended to maintain this careful balancing act, but the science continued. The mission that had already answered many of our questions about our place in the galaxy would push ahead in spite of a failure which should have left it dead in space.

As Kepler rapidly burned through its supply of propellant, it became clear the mission was on borrowed time. It was a necessary evil, as the alternative was leaving the craft tumbling through space, but mission planners understood that the fix they implemented had put an expiration date on Kepler. Revised calculations could provide an estimate as to when the vehicle would finally run its tanks dry and lose attitude control, but not a definitive date.

For the last several months NASA has known the day was approaching, but they decided to keep collecting data until the vehicle’s thrusters sputtered and failed. So today’s announcement that Kepler has at long last lost the ability to orient itself came as no surprise. Kepler has observed its last alien sunset, but the search for planets, and indeed life, in our corner of the galaxy doesn’t end today.


Relativity Space’s Quest To 3D Print Entire Rockets

While the jury is still out on 3D printing for the consumer market, there’s little question that it’s becoming a major part of next generation manufacturing. While we often think of 3D printing as a way to create highly customized one-off objects, that’s a conclusion largely based on how we as individuals use the technology. When you’re building something as complex as a rocket engine, the true advantage of 3D printing is the ability to not only rapidly iterate your design, but to produce objects with internal geometries that would be difficult if not impossible to create with traditional tooling.

SpaceX’s SuperDraco 3D Printed Engine

So it’s no wonder that key “New Space” players like SpaceX and Blue Origin make use of 3D printed components in their vehicles. Even NASA has been dipping their proverbial toe in the additive manufacturing waters, testing printed parts for the Space Launch System’s RS-25 engine. It would be safe to say that from this point forward, most of our exploits off of the planet’s surface will involve additive manufacturing in some capacity.

But one of the latest players to enter the commercial spaceflight industry, Relativity Space, thinks we can take the concept even farther. Not content to just 3D print rocket components, founders Tim Ellis and Jordan Noone believe the entire rocket can be printed. Minus electrical components and a few parts which operate in extremely high stress environments such as inside the pump turbines, Relativity Space claims up to 95% of their rocket could eventually be produced with additive manufacturing.

If you think 3D printing a rocket sounds implausible, you aren’t alone. It’s a bold claim: so far the aerospace industry has only managed to print relatively small rocket engines, so printing an entire vehicle would be an exceptionally large leap in capability. But with talent pulled from major aerospace players, a recently inked deal for a 20 year lease on a test site at NASA’s Stennis Space Center, and access to the world’s largest metal 3D printer, they’re certainly going all in on the idea. Let’s take a look at what they’ve got planned.


Seth Molson Is Designing The Future, One Show At A Time

From the banks of levers and steam gauges of 1927’s Metropolis to the multicolored jewels that the crew would knowingly tap on in the original Star Trek, the entertainment industry has always struggled with producing imagery of advanced technology. Whether constrained by budget or imagination, portrayals usually go in one of two directions: they either rely too heavily on contemporary technology, or else they go so far in the opposite direction that it borders on comical.

Seth Molson

But it doesn’t always have to be that way. In fact, when technology is shown properly in film it often serves as inspiration for engineers. The portrayal of facial recognition and gesture control in Minority Report was so well done that it’s still referenced today, nearly 20 years after the film’s release. For all its faults, Star Trek is responsible for a number of “life imitating art” creations; such as early mobile phones bearing an unmistakable resemblance to the flip communicators issued to Starfleet personnel.

So when I saw the exceptional use of 3D printing in the Netflix reboot of Lost in Space, I felt it was something that needed to be pointed out. From the way the crew made use of printed parts to the printer’s control interface, everything felt very real. It took existing technology and pushed it forward in a way that was impressive while still being believable. It was the kind of portrayal of technology that modern tech-savvy audiences deserve.

It left such an impression that we decided to reach out to Seth Molson, the artist behind the user interfaces from Lost in Space, and try to gain a little insight from somebody who is fighting the good fight for technology in media. To learn how he creates his interfaces, the pitfalls he navigates, and how the expectations of the viewer have changed now that we all have a touch screen supercomputer in our pocket.


DMCA Review: Big Win For Right To Repair, Zero For Right To Tinker

This year’s Digital Millennium Copyright Act (DMCA) triennial review (PDF, legalese) contained some great news. Particularly, breaking encryption in a product in order to repair it has been deemed legal, and a previous exemption for reverse engineering 3D printer firmware to use the filament of your choice has been broadened. The infosec community got some clarification on penetration testing, and video game librarians and archivists came away with a big win on server software for online games.

Moreover, the process to renew a previous exemption has been streamlined — one used to be required to reapply from scratch every three years and now an exemption will stand unless circumstances have changed significantly. These changes, along with recent rulings by the Supreme Court are signs that some of the worst excesses of the DMCA’s anti-circumvention clause are being walked back, twenty years after being enacted. We have to applaud these developments.

However, the new right to repair clause seems to be restricted to restoring the device in question to its original specifications; if you’d like to hack a new feature into something that you own, you’re still out of luck. And while this review was generally favorable of opening up technology to enable fair use, they didn’t approve Bunnie Huang’s petition to allow decryption of the encryption method used over HDMI cables, so building your own HDMI devices that display encrypted streams is still out. And the changes to the 3D printer filament exemption are a reminder of the patchwork nature of this whole affair: it still only applies to 3D printer filament and not other devices that attempt to enforce the use of proprietary feedstock. Wait, what?

Finally, the Library of Congress only has authority to decide which acts of reverse engineering constitute defeating anti-circumvention measures. This review does not address the tools and information necessary to do so. “Manufacture and provision of — or trafficking in — products and services designed for the purposes of circumvention…” are covered elsewhere in the code. So while you are now allowed to decrypt your John Deere software to fix your tractor, it’s not yet clear that designing and selling an ECU-unlocking tool, or even e-mailing someone the decryption key, is legal.

Could we hope for more? Sure! But making laws in a country as large as the US is a balancing act among many different interests, and the Library of Congress’s ruling is laudably clear about how they reached their decisions. The ruling itself is worth a read if you want to dive in, but be prepared to be overwhelmed in apparent minutiae. Or save yourself a little time and read on — we’ve got the highlights from a hacker’s perspective.


The Machinists’ Mantra: Precision, Thy Name Is Rigidity

“Everything is a spring”. You’ve probably heard that expression before. How deep do you think your appreciation of that particular turn of phrase really is? You know who truly, viscerally groks this? Machinists.

As I’ve blathered on about at length previously, machine tools are all about precision. That’s easy to say, but where does precision really come from? In a word, rigidity. Machine tools do a seemingly magical thing. They remove quantities of steel (or other materials medieval humans would have killed for) with a slightly tougher piece of steel. The way they manage to do this is by applying the cutting tool to the material within a setup that is so rigid that the material has no choice but to yield. Furthermore, this cutting action is extremely precise because the tool moves as little as possible while doing so. It all comes down to rigidity. Let’s look at a basic turning setup.


GE’s Engine To Reignite Civil Supersonic Flight

On October 24th, 2003 the last Concorde touched down at Filton Airport in England, and since then commercial air travel has been stuck moving slower than the speed of sound. There were a number of reasons for retiring the Concorde, from the rising cost of fuel to bad publicity following a crash in 2000 which claimed the lives of all passengers and crew aboard. Flying on Concorde was also exceptionally expensive and only practical on certain routes, as concerns about sonic booms over land meant it had to remain subsonic unless it was flying over the ocean.

The failure of the Concorde has kept manufacturers and the civil aviation industry from investing in a new supersonic aircraft for fifteen years now. It’s a rare example of commercial technology going “backwards”; the latest and greatest airliners built today can’t achieve even half the Concorde’s top speed of 1,354 MPH (2,179 km/h). In an era where speed and performance are an obsession, commercial air travel simply hasn’t kept up with the pace of the world around it. There’s a fortune to be made for anyone who can figure out a way to offer supersonic flight for passengers and cargo without falling into the same traps that ended the Concorde program.

With the announcement that they’ve completed the initial design of their new Affinity engine, General Electric is looking to answer that call. Combining GE’s experience developing high performance fighter jet engines with the latest efficiency improvements from their civilian engines, Affinity is the first new supersonic engine designed for the civil aviation market in fifty-five years. It’s not slated to fly before 2023, and likely won’t see commercial use for a few years after that, but this is an important first step in getting air travel to catch up with the rest of our modern lives.
