This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG

First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this: npm hosts both public and private node.js packages. The public ones are available to everyone, but the private packages are “scoped”, meaning they live within a private namespace, “@owner/packagename”, and are inaccessible to the general public. Trying to access such a package results in an HTTP 404 error — the same error as trying to pull a package that doesn’t exist.

The clever bit is to keep trying, and really pay attention to the responses. Use npm’s API to request info on your target package, five times in a row. If the package name isn’t in use, all five requests will take the expected amount of time: each request lands at the service’s backend, a lookup is performed, and you get the response. On the flip side, if your target package does exist but is privately scoped, the first request returns with the expected delay, and the other four requests return immediately. It appears that npm has a front-end that can cache a 404 response for a private package. That response time discrepancy means you can map out the private package names used by a given organization in their private scope.

Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion issues. Those attacks are two approaches to the same goal: getting a node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, but dependency confusion just relies on a developer not explicitly defining the scope of a package.

Continue reading “This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG”

Publish Or Perish: Data Storage And Civilization

Who do you think of when you think of ancient civilizations? Romans? Greeks? Chinese? India? Egyptians? What about the Scythians, the Muisca, Gana, or the Kerma? You might not recognize that second group as readily because none of them had writing systems. The same goes, to a lesser extent, for the Etruscans, the Minoans, or the inhabitants of Easter Island, who wrote, but no one remembers how to read their writing. Even the Egyptians were mysterious until the discovery of the Rosetta stone. We imagine that an author writing in Etruscan didn’t think that no one would be able to read the writing in the future; they probably thought they were recording their thoughts for all eternity. Hubris? Maybe, but what about our documents that are increasingly stored as bits somewhere?

Continue reading “Publish Or Perish: Data Storage And Civilization”

2022 Cyberdeck Contest: Picking The Best Of The Best

Given how many incredible builds we’ve covered over the last couple of years, we knew that an official Cyberdeck Contest would certainly receive some impressive entries. But never in our wildest dreams could we have predicted that more than 100 decks would end up crossing the finish line, or that of them, the vast majority would be never-before-seen designs. In fact, the response to this contest was so overwhelming that the judging process took far longer than we originally anticipated.

Ultimately, we decided that there were simply too many phenomenal builds entered into the contest to award $150 Digikey spending sprees to just three of them. So as an added bonus, we’ve rustled up some $50 Tindie gift certificates that will go to the four special category honorable mentions.

With that, let’s take a look at the cyberdecks that took top honors as decided by our panel of judges.

Continue reading “2022 Cyberdeck Contest: Picking The Best Of The Best”

The 2022 Supercon Badge Is A Handheld Trip Through Computing History

Over the last several years, there’s been a trend towards designing ever more complex and powerful electronic event badges. Color displays, sensors, WiFi, USB, Bluetooth — you name it, and there’s probably a con badge out there that has packed it in. Even our own 2019 Supercon broke new ground with the inclusion of a Lattice LFE5U-45F FPGA running a RISC-V core. Admittedly, observing this unofficial arms race has been fascinating. But as we all know, a hacker isn’t defined by the tools at their disposal, but rather the skill and imagination with which they wield them.

So this year, we’ve taken a slightly different approach. Rather than try and cram the badge with even more state-of-the-art hardware than we did in 2019, we’ve decided to go back to the well. The 2022 Supercon badge is a lesson in what it means to truly control a piece of hardware, to know what each bit of memory is doing, and why. Make no mistake, it’s going to be a challenge. In fact, we’d wager most of the people who get their hands on the badge come November 4th will have never worked on anything quite like it before. Folks are going to get pulled out of their comfort zones, but of course, that’s the whole idea.

Continue reading “The 2022 Supercon Badge Is A Handheld Trip Through Computing History”

Rollercoasters Are Triggering The iPhone’s Crash Detection System

Apple has been busy adding new features to its smartphone and smartwatch offerings. Its new iPhone 14 and Apple Watch 8 now feature a safety system that contacts emergency services in the event the user is in an automobile accident.

As with so many new technologies though, the feature has fallen afoul of the law of unintended consequences. Reports are that the “crash detection system” is falsely triggering on rollercoasters and in other strange circumstances. Let’s take a look at how these systems work, and why this might be happening.

Continue reading “Rollercoasters Are Triggering The iPhone’s Crash Detection System”

2022 Supercon: More Talks, More Speakers!

Round two of the 2022 Supercon talks is out, and it’s another superb lineup. This round is full of high voltage, art, and science. If you’ve ever dreamed of starting up your own hacker company, making your own refrigerator, teaching your toaster to think, or just making your breath glow, then Supercon is where you want to be Nov. 4-6!

Supercon will sell out, so get your tickets now before it’s too late. And stay tuned for the next and final round of talk reveals next week! Plus the keynote speaker reveal. Plus workshops. Oh my.

Continue reading “2022 Supercon: More Talks, More Speakers!”

Jolly Wrencher SAO, And How KiCad 6 Made It Easy

If you plan to attend Supercon or some other hacker conference, know that you’re going to get a badge with a SAO (Simple Add-On) connector, a 4-pin or 6-pin connector that you can plug an add-on board onto. There are myriad SAOs to choose from, and if you ever felt like your choice paralysis wasn’t intense enough, now you have the option of getting a Jolly Wrencher SAO board!

This board gives you an SMD prototyping space, with 1.27mm (0.05″ pitch) pads, suitable for many passive components, ICs and even modules like the ESP32 WROOM. Those pads are diagonally interspersed with ground-fill-connected pads – if you want to bodge something on the spot, you don’t need to pull separate GND wires. Given the Supercon badge specifics, the SAO-standard SDA and SCL pins have RX and TX labels as well. For bonus points, the eyes are transparent, with LED footprints behind them – it’s my first time designing a PCB where the LED shines through the FR4, and I hope that the aesthetics work out!

This design is open with gerber files available for download, so if you thought of making a quick PCB order, I’m giving you one more .zip file to add to it. Otherwise, it’s possible that you will find a Wrencher board lying around at Supercon! Now, I’d like to tell you how KiCad 6 made it super easy to design this PCB – after all, there’s never enough SAOs, and it’s quite likely you’ll want to design your own special SAO, too.

Continue reading “Jolly Wrencher SAO, And How KiCad 6 Made It Easy”