This Week In Security: F5, Novel Ransomware, Freta, And Database Woes

The big story of the last week is a problem in F5’s BIG-IP devices. A rather trivial path traversal vulnerability allows an unauthenticated user to call endpoints that are intended to be restricted to authenticated. That attack can apparently be as simple as:

'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

A full exploit has been added to the metasploit framework. The timeline on this bug is frighteningly quick, as it’s apparently being actively exploited in the wild. F5 devices are used all over the world, and this vulnerability requires no special configuration, just access to the opened management port. Thankfully F5 devices don’t expose the vulnerable interface to the internet by default, but there are still plenty of ways this can be a problem.

Freta

Microsoft has made a new tool publicly available, Freta. This tool searches for rootkits in uploaded memory snapshots from a Linux VM. The name, appropriately, is taken from the street where Marie Curie was born.

The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, a pioneer of battlefield imaging.

The impetus behind the project is the realization that once a malicious actor has compromised a machine, it’s possible to compromise any security software running on that machine. If, instead, one could perform a security x-ray of sorts, then a more reliable conclusion could be reached. Freta takes advantage of the VM model, and the snapshot capability built into modern hypervisors.

Continue reading “This Week In Security: F5, Novel Ransomware, Freta, And Database Woes”

Art of 3D printer in the middle of printing a Hackaday Jolly Wrencher logo

3D Printering: Selling Prints, And Solving The Pickup Problem

After getting a 3D printer up and running, it’s not uncommon for an enterprising hacker to dabble in 3D printing to make a little money on the side. Offering local pickup of orders is a common startup choice since it’s simple and avoids shipping entirely. It’s virtually tailor-made to make a great bootstrapping experiment, but anyone who tries it sooner or later bumps up against a critical but simple-seeming problem: how to get finished prints into a customer’s hands in a sustainable way that is not a hassle for either the provider, or the customer?

It’s very easy to accept a 3D file and get paid online, but the part about actually getting the print into the customer’s hands does not have a one-size-fits-all solution. This is what I call The Pickup Problem, and left unsolved, it can become unsustainable. Let’s look at why local pickup doesn’t always measure up, then examine possible solutions.

The Problems with Local Pickup

Local pickup for delivery of print jobs is great because there is no mucking about with shipping supplies or carriers. Also, many 3D prints when starting out will be relatively low-value jobs that no one is interested in stacking shipping fees onto, anyway.

“Your order is complete. Come to this address to pick up your order.” It is straightforward and hits all the bases, so what’s the problem?

Continue reading “3D Printering: Selling Prints, And Solving The Pickup Problem”

Bridge Over Trebled Water: How The Golden Gate Bridge Started To Sing

Throughout the spring, some Bay Area residents from Marin County to the Presidio noticed a sustained, unplaceable high-pitched tone. In early June, the sound reached a new peak volume, and recordings of the eerie noise spread across Twitter and Facebook. Soon after, The Golden Gate Bridge, Highway, & Transportation District, the agency responsible for the iconic suspension bridge’s maintenance, solved the mystery: The sound was due to high winds blowing through the slats of the bridge’s newly-installed sidewalk railing. Though a more specific explanation was not provided, the sound is most likely an Aeolian tone, a noise produced when wind blows over a sharp edge, resulting in tiny harmonic vortices in the air.

The modification of the Golden Gate Bridge railing is the most recent and most audible element of a multi-phase retrofit that has been underway since 1997. Following the magnitude 6.9 Loma Prieta Earthquake in 1989, The Golden Gate Bridge, Highway, & Transportation District (The District) began to prepare the iconic bridge for the wind and earthquake loads that it may encounter in its hopefully long life. Though the bridge had already withstood the beating of the Bay’s strong easterly winds and had been rattled by minor earthquakes, new analysis technology and construction methods could help the span hold strong against any future lateral loading. The first and second phases of the retrofit targeted the Marin Viaduct (the bridge’s north approach) and the Fort Point Arch respectively. The third and current phase addresses the main span.

Continue reading “Bridge Over Trebled Water: How The Golden Gate Bridge Started To Sing”

Marian Croak Is The MVP Of VoIP Adoption

If you’ve ever used FaceTime, Skype, own a Magic Jack, or have donated money after a disaster by sending a text message, then you have Marian Croak to thank. Her leadership and forward thinking changed how Ma Bell used its reach and made all of these things possible.

Marian Croak is a soft-spoken woman and a self-described non-talker, but her actions spoke loudly in support of Internet Protocol (IP) as the future of communication. Humans are always looking for the next best communication medium, the fastest path to understanding each other clearly. We are still making phone calls today, but voice has been joined by text and video as the next best thing to being there. All of it is riding on a versatile network strongly rooted in Marian’s work.

Continue reading “Marian Croak Is The MVP Of VoIP Adoption”

Not Just GPS: New Options For Global Positioning

A few weeks ago, China launched the final satellite in its BeiDou-3 satellite positioning system. Didn’t know that China had its own GPS? How about Europe’s Galileo, Russia’s GLONASS, or Japan’s QZSS? There’s a whole world of GPS-alikes out there. Let’s take a look.

Continue reading “Not Just GPS: New Options For Global Positioning”

The WIMP Is Dead, Long Live The Solar Axion!

For decades scientists have been building detectors deep underground to search for dark matter. Now one of these experiments, the XENON1T detector, has found an unexpected signal in their data. Although the signal does not stem from dark matter it may still revolutionize physics.

Since the 1980s the majority of scientists believe that the most likely explanation for the missing mass problem is some yet undiscovered Weakly Interacting Massive Particle (WIMP). They also figured that if you build a large and sensitive enough detector we should be able to catch these particles which are constantly streaming through Earth. So since the early 1990s, we have been putting detectors made from ultrapure materials in tunnels and mines where they are shielded from cosmic radiation and natural radioactivity.

Over the decades these detectors have increased their sensitivity by a factor of about 10 million due to ever more sophisticated techniques of shielding and discriminating against before mentioned backgrounds. So far they haven’t found dark matter, but that doesn’t mean the high-end sensing installations will go unused.

Continue reading “The WIMP Is Dead, Long Live The Solar Axion!”

Spacing Out: OneWeb Rescue, Starlink Base Stations, And Rocket Tests

Another couple of weeks, and a fresh crop of space news to run through as a quick briefing of the latest in the skies above us.

OneWeb's most recent launch, from Baikonur on the 21st of March 2020.
OneWeb’s most recent launch, from Baikonur on the 21st of March 2020. (OneWeb)

The global positioning orbits are getting pretty crowded, with GPS, Russia’s GLONASS, the EU’s Galileo, Japan’s QZSS, and now with the launch of the final satellite in their constellation, China’s BeiDou. As if five were not enough the chance that they might be joined by a sixth constellation from the United Kingdom resurfaced this week, as the UK government is expressing interest in supporting a rescue package for the troubled satellite broadband provider OneWeb. The idea of an independent GPS competitor from a post-Brexit UK has been bouncing around for a couple of years now, and on the face of it until this opportune chance to purchase an “oven ready” satellite constellation might deliver a route to incorporating a positioning payload into their design. The Guardian has its doubts, lining up a bevvy of scientists to point out the rather obvious fact that a low-earth-orbit satellite broadband platform is a very different prospect to a much-higher-orbiting global positioning platform. Despite the country possessing the expertise through its work on Galileo then it remains to be seen whether a OneWeb purchase would be a stroke of genius or a white elephant. Readers with long memories will know that British government investment in space has had its upsets before.

Happily for Brits, not all space endeavours from their islands end in ignominious retreat. Skyrora have scored another milestone, launching the first ever rocket skywards from the Shetland Islands. The Skylark Nano is a relatively tiny craft at only 2m high, and gathered research data during its flight to an altitude of 6km. We’ve followed their work before, including their testing in May of a Skylark L rocket on the Scottish mainland with a view to achieving launch capability in 2023.

A Starlink phased array end user antenna, spotted in Winsconsin. (darkpenguin22)
A Starlink phased array end user antenna, spotted in Winsconsin. (darkpenguin22)

SpaceX’s Starlink is never far away from the news, with a fresh set of launches delayed for extra pre-launch tests, and the prospect of signing up to be considered for the space broadband firm’s beta test. Of more interest for Hackaday readers though are a few shots of prototype Starlink ground stations and user terminals that have made it online, on the roof of a Tesla Gigafactory and at a SpaceX facility in Wisconsin. What can be seen are roughly 1.5m radomes for the ground stations and much smaller dinner-plate-sized enclosed arrays for the user terminals. The latter are particularly fascinating as they conceal computer-controlled phased arrays for tracking the constellation as it passes overhead. This is a technology more at home in billion-dollar military radars than consumer devices, so getting it to work on a budget that can put it on a roof anywhere in the world must be a challenge for the Starlink engineers. We can’t wait to see the inevitable eventual teardown when it comes.

Elsewhere, the Virgin Galactic SpaceShip Two completed its second glide test over its Mojave Spaceport home since being grounded in 2019 for extensive refitting, and is now said to be ready for powered tests leading to eventual commercial service giving the extremely well-heeled the chance to float in the zero gravity of suborbital spaceflight. And finally, comes the news that NASA are naming their Washington DC headquarters building for Mary W. Jackson, their first African American female engineer, whose story some of you may be familiar with from the book and film Hidden Figures. The previously unnamed building sits on a section of street named Hidden Figures Way.