This Week In Security: One-click, UPnP, Mainframes, And Exploring The Fog

A couple weeks ago we talked about in-app browsers, and the potential privacy issues when opening content in them. This week Microsoft reveals the other side of that security coin — JavaScript on a visited website may be able to interact with the JS embedded in the app browser. The vulnerability chain starts with a link handler published to Android, where any https://m.tiktok[.]com/redirect links automatically open in the TikTok app. The problem here is that this does trigger a redirect, and app-internal deeplinks aren’t filtered out. One of these internal schemes has the effect of loading an arbitrary page in the app webview, and while there is a filter that should prevent loading untrusted hosts, it can be bypassed with a pair of arguments included in the URI call.

Once an arbitrary page is loaded, the biggest problem shows up. The JavaScript that runs in the app browser exposes 70+ methods to JS running on the page. If this is untrusted code, it gives away the figurative keys to the kingdom, as an auth token can be accessed for the current user. Account modification, private video access, and video upload are all accessible. Thankfully the problem was fixed back in March, less than a month after private disclosure. Still, a one-click account hijack is nothing to sneeze at. Thankfully this one didn’t escape from the lab before it was fixed.

UPnP Strikes Again

It’s not an exaggeration to say that Universal Plug and Play (UPnP) may have been the most dangerous feature to be included in routers with the possible exception of open-by-default WiFi. QNAP has issued yet another advisory of ransomware targeting their devices, and once again UPnP is the culprit. Photo Station is the vulnerable app, and it has to be exposed to the internet to get pwned. And what does UPnP do? Exposes apps to the internet without user interaction. And QNAP, in their efforts to make their NAS products more usable, included UPnP support, maybe by default on some models. If you have a QNAP device (or even if you don’t), make sure UPnP is disabled on your router, turn off all port forwarding unless you’re absolutely sure you know what you’re doing, and use Wireguard for remote access.

The TAK Ecosystem: Military Coordination Goes Open Source

In recent years you’ve probably seen a couple of photos of tablets and smartphones strapped to the armor of soldiers, especially US Special Forces. The primary app loaded on most of those devices is ATAK or Android Tactical Assault Kit. It allows the soldier to view and share geospatial information, like friendly and enemy positions, danger areas, casualties, etc. As a way of working with geospatial information, its civilian applications became apparent, such as firefighting and law enforcement, so CivTAK/ATAK-Civ was created and open sourced in 2020. Since ATAK-Civ was intended for those not carrying military-issued weapons, the acronym magically became the Android Team Awareness Kit. This caught the attention of the open source community, so today we’ll dive into the growing TAK ecosystem, its quirks, and potential use cases.

Tracking firefighting aircraft in 3D space using ADS-B (Credit: The TAK Syndicate)


Don’t Be Salty: How To Make Desalination Work In Tomorrow’s World

Although water is often scarce for human consumption and agriculture, this planet is three-quarters covered by the stuff. The problem is getting the salt out, and this is normally done by the Earth’s water cycle, which produces rain and similar phenomena that replenish the amount of fresh water. Roughly 3% of the water on Earth is fresh water, of which a fraction is potable water.

Over the past decades, the use of desalination has increased year over year, particularly in nations like Saudi Arabia, Israel and the United Arab Emirates, but parched United States states such as California are increasingly looking into desalination technologies. The obvious obstacles that desalination faces – regardless of the exact technology used – involve the energy required to run these systems, and the final cost of the produced potable water relative to importing it from elsewhere.

Other issues that crop up with desalination include the environmental impact, especially from the brine waste and conceivably marine life sucked into the intake pipes. As the need for desalination increases, what are the available options to reduce the power needs and environmental impact?


Ask Hackaday: Stripping Wires With Lasers

Most of us strip the insulation off wires using some form of metal blade or blades. You can get many tools that do that, but you can also get by with skillfully using a pair of cutters, a razor blade or — in a pinch — a steak knife. However, modern assembly lines have another option: laser stripping. Now that many people have reasonable laser cutters, we wonder if anyone is using laser strippers either from the surplus market or of the do-it-yourself variety?

We are always surprised that thermal strippers are so uncommon since they are decidedly low-tech. Two hot blades and a spring make up the heart of them. Sure, they are usually expensive new, but you can usually pick them up used for a song. The technology for lasers doesn’t seem very difficult, although using the blue lasers most people use in cutters may not be optimal for the purpose. This commercial product, for example, uses infrared, but if you have a CO2 laser, that might be a possibility.

The technique has found use in large-scale production for a while. Of course, if you don’t care about potential mechanical damage, you can get automated stripping equipment with a big motor for a few hundred bucks.

We did find an old video about using a CO2 laser to strip ribbon cable, but nothing lately. Of course, zapping insulation creates fumes, but so does lasering everything, so we don’t think that’s what’s stopping people from this approach.


Linux Fu: Eavesdropping On Serial

In the old days, if you wanted to snoop on a piece of serial gear, you probably had a serial monitor or, perhaps, an attachment for your scope or logic analyzer. Today, you can get cheap logic analyzers that can do the job, but what if you want a software-only solution? Recently, I needed to do a little debugging on a USB serial port and, of course, there isn’t really anywhere to easily tie in a monitor or a logic analyzer. So I started looking for an alternate solution.

If you recall, in a previous Linux Fu we talked about pseudoterminals which look like serial ports but actually talk to a piece of software. That might make you think: why not put a piece of monitor software between the serial port and a pty? Why not, indeed? That’s such a good idea that it has already been done. When it works, it works well. The only issue is, of course, that it doesn’t always work.


Agrivoltaics Is A Land Usage Hack For Maximum Productivity

Land tends to be a valuable thing. Outside of some weird projects in Dubai, by and large, they aren’t making any more of it. That means as we try to feed and power the ever-growing population of humanity, we need to think carefully about how we use the land we have.

The field of agrivoltaics concerns itself with the dual use of land for both food production and power generation. It’s all about getting the most out of the available land and available sunlight we have.


Stable Diffusion And Why It Matters

You might not have heard about Stable Diffusion. As of writing this article, it’s less than a few weeks old. Perhaps you’ve heard about it and some of the hubbub around it. It is an AI model that can generate images based on a text prompt or an input image. Why is it important, how do you use it, and why should you care?

This year we have seen several image generation AIs such as Dall-e 2, Imagen, and even Craiyon. Nvidia’s Canvas AI allows someone to create a crude image with various colors representing different elements, such as mountains or water. Canvas can transform it into a beautiful landscape. What makes Stable Diffusion special? For starters, it is open source under the Creative ML OpenRAIL-M license, which is relatively permissive. Additionally, you can run Stable Diffusion (SD) on your computer rather than via the cloud, accessed by a website or API. They recommend a 3xxx series NVIDIA GPU with at least 6GB of RAM to get decent results. But due to its open-source nature, patches and tweaks enable it to be CPU only, AMD powered, or even Mac friendly.

This touches on the more important thing about SD. The community and energy around it. There are dozens of repos with different features, web UIs, and optimizations. People are training new models or fine-tuning models to generate different styles of content better. There are plugins to Photoshop and Krita. Other models are incorporated into the flow, such as image upscaling or face correction. The speed at which this has come into existence is dizzying. Right now, it’s a bit of the wild west.