This Week In Security: Barracuda, Zyxel, And The Backdoor

Barracuda’s Email Security Gateway (ESG) has had a vulnerability in it for years. Tracked as CVE-2023-2868, it was introduced back in version 5.1.3.001 and only got fixed during the 9.2 development cycle. Barracuda has not published build numbers for the patched firmware, but a build containing the fix was pushed to appliances on May 20.

The flaw is a command injection bug triggered by .tar files attached to incoming emails. The appliance scans attachments automatically, and the names of the files inside the archive were passed, without adequate sanitization, to the qx operator (the backtick shell-command operator) in a Perl script, so shell metacharacters in a file name ran as commands on the appliance. It’s a nasty one, ranking a 9.4 on the CVSS scale. But the really bad news is that Barracuda discovered the vulnerability because it was already being exploited in the wild, and they have found evidence of exploitation as far back as October 2022.
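The bug class above, as an added illustration that is not Barracuda’s code (the vulnerable Perl has not been published, so the exact expression is an assumption). It is written in Python because that is what the verifier can run: `subprocess.run(..., shell=True)` with a string built from the member name is the analogue of Perl’s `qx` with an interpolated variable. The archive, its member names and the `echo`/`printf` commands are constructed sample input; a real scanner would be invoking a decompressor or antivirus on the member.

```python
import io
import re
import subprocess
import tarfile

# Constructed sample input: the attacker controls the member names inside the
# .tar. The single quote closes the quoted argument, and the semicolons append
# two more shell commands. Nothing else about the mail is special.
BENIGN_NAME = "invoice.pdf"
MALICIOUS_NAME = "a'; echo INJECTED; echo 'b"


def build_tar(member_names):
    """Build an in-memory tar archive whose members carry the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in member_names:
            payload = b"placeholder"
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def member_names(tar_bytes):
    """Read the member names out of the archive. This is the untrusted input."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers()]


def scan_vulnerable(tar_bytes):
    """The bug class: each name is spliced into a command STRING and handed to
    /bin/sh, which is what Perl's qx("... $name ...") does. Wrapping the name in
    single quotes does not help once the name itself contains a single quote."""
    outputs = []
    for name in member_names(tar_bytes):
        cmd = f"printf '%s\\n' '{name}'"  # hypothetical stand-in for the real tool
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        outputs.append(result.stdout)
    return "".join(outputs)


def scan_argv(tar_bytes):
    """Fix 1: never go through a shell. The name is one argv element, so quotes
    and semicolons are data, not syntax, and the tool sees the literal string."""
    outputs = []
    for name in member_names(tar_bytes):
        result = subprocess.run(["echo", name], capture_output=True, text=True)
        outputs.append(result.stdout)
    return "".join(outputs)


# Fix 2, defence in depth: an allowlist for names that will ever reach an
# external tool. It also rejects a leading '-' (option injection) and a
# leading '/' or '.' (path tricks), which argv alone does not address.
NAME_ALLOWLIST = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def rejected_names(tar_bytes):
    """Return the member names that fail the allowlist; a scanner should quarantine
    the whole attachment rather than process any of them."""
    return [n for n in member_names(tar_bytes) if not NAME_ALLOWLIST.fullmatch(n)]


if __name__ == "__main__":
    sample = build_tar([BENIGN_NAME, MALICIOUS_NAME])
    print("vulnerable:", repr(scan_vulnerable(sample)))  # extra INJECTED line
    print("argv:      ", repr(scan_argv(sample)))        # name echoed literally
    print("rejected:  ", rejected_names(sample))
```

Run on the sample, the vulnerable path emits an extra `INJECTED` line that no member name contains as a whole, while the argv path returns the hostile name as a single literal line and the allowlist flags it before anything is executed.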

Three malware modules have been identified on compromised appliances. SALTWATER is a backdoor trojanized into the appliance’s SMTP daemon, with the ability to transfer files, execute commands, and proxy or tunnel network traffic. SEASPY is a stealthier module that poses as a legitimate Barracuda service, installs itself as a PCAP filter on SMTP traffic, and activates its backdoor when it sees a magic packet. And SEASIDE is a Lua module for the Barracuda SMTP daemon that watches incoming HELO/EHLO commands for a command-and-control address and then spawns a reverse shell to it. Indicators of Compromise (IOCs) have been published, and Barracuda recommends taking a compromised appliance off the network rather than trying to clean it in place. The saving grace is that this campaign seems to have been targeted, and wasn’t launched against every ESG on the Internet, so maybe you’re OK.

Moxa, Too

And speaking of security software that has problems, the Moxa MXsecurity appliance has a pair of problems that could be chained to take over the device completely. The more serious one is a hard-coded credential that lets an attacker bypass authentication on the web API. The second is a command-line escape: an attacker with access to the device’s Command Line Interface (CLI) can break out of the restricted shell and run arbitrary commands.

Farewell American Computer Magazines

I grew up in a small town with a small library. The next town over had what I thought at the time was a big library, but it was actually more like my town had a tiny library, and the next one over had an actual small library. When I left to go to University, I found out what a real library looked like, and I was mesmerized. Books! Lots of books, many of them written in the current decade. My grades probably suffered from the amount of time I spent in the library reading things that didn’t directly relate to my classes. But there was one thing I found that would turn out to be life-changing: A real computer magazine. Last month, Harry McCracken pointed out that the last two widely-distributed American consumer computer magazines ceased paper publication. It is the end of an era, although honestly, it is more like a comatose patient expiring than a shocking and sudden demise.

Dr. Dobb’s first issue was far from the slick commercial magazine it would become.

Actually, before I had gone to college, I did have a subscription to Kilobaud, and I still have some copies of those. No offense to Wayne Green, but Kilobaud wasn’t that inspiring. It was more an extension of his magazine “73”, and while I enjoyed it, it didn’t get me dreaming. Dr. Dobb’s Journal — the magazine I found in the stacks of my University’s library — was tangibly different. There was an undertone of changing the world. We weren’t sure why yet, but we knew that soon, everyone would have a computer. Maybe they’d balance their checkbook or store recipes. A few people already saw the potential of digital music reproduction, although, I must admit, it was so poor at the time, I couldn’t imagine who would ever care.

I say it was life-changing to discover the few issues of Dr. Dobb’s that were published back then because I would go on to contribute to Dr. Dobb’s throughout its storied history. I wrote the infamous DOS extender series, produced special issues, and, when it went mostly digital, was the embedded system blogger for them for more years than I care to admit. In fact, I have the dubious distinction of having the final blog posted; although the website has suffered enough bit rot, I’m not sure any of it has survived other than, maybe, on the Wayback machine. While I wasn’t with the magazine for its entire 38-year run, I read it for at least 35 and had some function there for about 24 of those.


Ask Hackaday: What’s Your “Tactical Tool” Threshold?

With few exceptions, every field has a pretty modest set of tools that would be considered the minimum for getting most jobs done. A carpenter can make do with tools that would fit in a smallish bag, while a mechanic can handle quite a few repairs with a simple set of socket wrenches and other tools. Even in electronics, a lot of repairs and projects can be tackled with little more than a couple of pairs of pliers, some cutters, and a cheap soldering iron.

But while the basic kit of tools for any job may be enough, there will always be those jobs that need more tools. Oh sure, sometimes you can — and should — make do with what you’ve got; I can’t count the number of times I’ve used an elastic band wrapped around the handles of a pair of needlenose pliers as an impromptu circuit board vise. But eventually, you’re going to come upon a situation where only the “real” tool will do, and substitutes need not apply.

As I look around my shop and my garage, I realize that I may have a problem with these “tactical tool” purchases. I’ve bought so many tools that I’ve used far fewer times than I thought I would, or perhaps even never used, that I’m beginning to wonder if I tackle projects just as an excuse to buy tools. Then again, some of my tactical purchases have ended up being far more useful than I ever intended, which has only reinforced my tendency toward tool collecting. So I thought I’d share a few of my experiences with tactical tools, and see how the community justifies tactical tool acquisitions.


Methane-Tracking Satellites Hunt For Nasty Greenhouse Gas Emissions

Much of the reporting around climate change focuses on carbon dioxide. It’s public enemy number one when it comes to gases that warm the atmosphere, as a primary byproduct of fossil fuel combustion.

It’s not the only greenhouse gas out there, though. Methane itself is a particularly potent pollutant, and one that is being emitted in altogether excessive amounts. Satellites are now on the hunt for methane emissions in an attempt to save the world from this odorless, colorless gas.


ChatGPT V. The Legal System: Why Trusting ChatGPT Gets You Sanctioned

Recently, an amusing anecdote made the news headlines pertaining to the use of ChatGPT by a lawyer. This all started when a Mr. Mata sued the airline where years prior he claims a metal serving cart struck his knee. When the airline filed a motion to dismiss the case on the basis of the statute of limitations, the plaintiff’s lawyer filed a submission in which he argued that the statute of limitations did not apply here due to circumstances established in prior cases, which he cited in the submission.

Unfortunately for the plaintiff’s lawyer, the defendant’s counsel pointed out that none of these cases could be found, leading the judge to request that the plaintiff’s counsel submit copies of the purported cases. Although the plaintiff’s counsel complied with this request, the judge’s response (full court order PDF) was curt and rather irate, pointing out that none of the cited cases were real and that the purported case texts were bogus.

The defense that the plaintiff’s counsel appears to lean on is that ChatGPT ‘assisted’ in researching these submissions, and had assured the lawyer – Mr. Schwartz – that all of these cases were real. The lawyers trusted ChatGPT enough to allow it to write an affidavit that they submitted to the court. With Mr. Schwartz likely to be sanctioned for this performance, it should also be noted that this is hardly the first time that ChatGPT and kin have been involved in such mishaps.


3D Model Subscriptions Are Coming, But Who’s Buying?

We’ve all been there before — you need some 3D printable design that you figure must be common enough that somebody has already designed it, so you point your browser to Thingiverse or Printables, and in a few minutes you’ve got STL in hand and are ready to slice and print. If the design worked for you, perhaps you’ll go back and post an image of your print and leave a word of thanks to the designer.

Afterwards, you’ll probably never give that person a second thought for the rest of your life. Within a day or two, there’s a good chance you won’t even remember their username. It’s why most of the model sharing sites will present you with a list of your recently downloaded models when you want to upload a picture of your print, otherwise there’s a good chance you wouldn’t be able to find the thing.

Now if you really liked the model, you might go as far as following the designer. But even then, there would likely be some extenuating circumstances. After all, even the most expertly designed widget is still just a widget, and the chances of that person creating another one that you’d also happen to need seems exceedingly slim. Most of the interactions on these model sharing sites are like two ships passing in the night; it so happened that you and the creator had similar enough needs that you could both use the same printable object, but there’s no telling if you’ll ever cross paths with them again.

Which is why the recent announcements, dropped just hours from each other, that both Thangs and Printables would be rolling out paid subscription services seem so odd. Both sites claim not only that there is demand for a service that would let users pay designers monthly for their designs, but that existing services such as Patreon are unable to meet the unique challenges involved.

Both sites say they have the solution, and can help creators turn their passion for 3D design into a regular revenue stream — as long as they get their piece of the action, that is.


The Art And Science Of Making Beautiful Transparent Ice

For most of us, ice isn’t something we’ve thought about in detail since our high school science classes. We pour some tap water into the ice trays, slam them in the freezer, and forget about it. Then we lob the frozen, misshapen cubes into a beer and enjoy a quite literally ice-cold beverage.

However, there’s so much more fun to be had with ice if you really get into it. If you’ve ever wondered how pretentious cocktail bars make their fancy ice spheres or transparent cubes, read on!
