This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords

June 26, 2020 by Jonathan Bennett 13 Comments

[Wladimir Palant] seems to be on a one man crusade against security problems in security software. The name may not be immediately recognizable, but among his other infamies is originating Adblock Plus, which we have a love-hate relationship with. (Look, surf the net with an adblocker, but disable it for sites you trust and want to support, like HaD).

This week, he announced a rather serious flaw in the Bitdefender. The disclosure starts off with high praise for the Bitdefender: “security-wise Bitdefender Antivirus is one of the best antivirus products I’ve seen so far….” Even with that said, the vulnerability he found is a serious one. A malicious website can trigger the execution of arbitrary applications. The problem was fixed in an update released on the 22nd.

The vulnerability is interesting. First, Bitdefender uses an API that was added to web browsers specifically to enable security software to work without performing man-in-the-middle decryption of HTTPS connections. When a problem is detected, Bitdefender replaces the potentially malicious page with it’s own error message.

Because of the way this is implemented, the browser sees this error message as being the legitimate contents of the requested site. Were this a static page, it wouldn’t be a problem. However, Bitdefender provides an option to load the requested page anyway, and does this by embedding tokens in that error page. When a user pushes the button to load the page, Bitdefender sees the matching tokens in the outgoing request, and allows the page. Continue reading “This Week In Security: Bitdefender, Ripple20, Starbucks, And Pwned Passwords” →

Grey Gear: French TV Encryption, 1980s Style

June 25, 2020 by Kristina Panos 38 Comments

Who among us didn’t spend some portion of their youth trying in vain to watch a scrambled premium cable TV channel or two? It’s a wonder we didn’t blow out our cones and rods watching those weird colors and wavy lines dance across the screen like a fever dream.

In the early days of national premium television in America, anyone who’d forked over the cash and erected a six-foot satellite dish in the backyard could tune in channels like HBO, Showtime, and the first 24-hour news network, CNN. Fed up with freeloaders, these channels banded together to encrypt their transmissions and force people to buy expensive de-scrambling boxes. On top of that, subscribers had to pay a monthly pittance to keep the de-scrambler working. Continue reading “Grey Gear: French TV Encryption, 1980s Style” →

Ditching X86, Apple Starts An ARM Race

June 25, 2020 by Lewin Day 160 Comments

At its annual World Wide Developer Conference, Apple dropped many jaws when announcing that their Mac line will be switching away from Intel processors before the year is out. Intel’s x86 architecture is the third to grace Apple’s desktop computer products, succeeding PowerPC and the Motorola 68000 family before it.

In its place will be Apple’s own custom silicon, based on 64-bit ARM architecture. Apple are by no means the first to try and bring ARM chips to bear for general purpose computing, but can they succeed where others have failed?

Continue reading “Ditching X86, Apple Starts An ARM Race” →

What’s The Deal With Snap Packages?

June 24, 2020 by Tom Nardi 150 Comments

Who would have thought that software packaging software would cause such a hubbub? But such is the case with snap. Developed by Canonical as a faster and easier way to get the latest versions of software installed on Ubuntu systems, the software has ended up starting a fiery debate in the larger Linux community. For the more casual user, snap is just a way to get the software they want as quickly as possible. But for users concerned with the ideology of free and open source software, it’s seen a dangerous step towards the types of proprietary “walled gardens” that may have drove them to Linux in the first place.

Perhaps the most vocal opponent of snap, and certainly the one that’s got the most media attention, is Linux Mint. In a June 1st post on the distribution’s official blog, Mint founder Clement Lefebvre made it very clear that the Ubuntu spin-off does not approve of the new package format and wouldn’t include it on base installs. Further, he announced that Mint 20 would actively block users from installing the snap framework through the package manager. It can still be installed manually, but this move is seen as a way to prevent it from being added to the system without the user’s explicit consent.

The short version of Clement’s complaint is that the snap packager installs from a proprietary Canonical-specific source. If you want to distribute snaps, you have to set up an account with Canonical and host it there. While the underlying software is still open source, the snap packager breaks with long tradition of having the distribution of the software also being open and free. This undoubtedly makes the install simple for naive users, and easier to maintain for Canonical maintainers, but it also takes away freedom of choice and diversity of package sources.

Continue reading “What’s The Deal With Snap Packages?” →

Netbooks: The Next Generation — Chromebooks

June 24, 2020 by Jonathan Bennett 35 Comments

Netbooks are dead, long live the Chromebook. Lewin Day wrote up a proper trip down Netbook Nostalgia Lane earlier this month. That’s required reading, go check it out and come back. You’re back? Good. Today I’m making the case that the Chromebook is the rightful heir to the netbook crown, and to realize its potential I’ll show you how to wring every bit of Linuxy goodness out of your Chromebook.

I too was a netbook connoisseur, starting with an Asus Eee 901 way back in 2009. Since then, I’ve also been the proud owner of an Eee PC 1215B, which still sees occasional use. Only recently did I finally bite the bullet and replace it with an AMD based Dell laptop for work.

For the longest time, I’ve been intrigued by a good friend who went the Chromebook route. He uses a Samsung Chromebook Plus, and is constantly using it to SSH into his development machines. After reading Lewin’s article, I got the netbook bug again, and decided to see if a Chromebook would fill the niche. I ended up with the Acer Chromebook Tab 10, codename Scarlet. The price was right, and the tablet form factor is perfect for referencing PDFs.

Two Asus Netbooks and a ChromeOS tablet. — Behold, my netbook credentials.

The default ChromeOS experience isn’t terrible. You have the functionality of desktop Chrome, as well as the ability to run virtually any Android app. It’s a good start, but hardly the hacker’s playground that a Linux netbook once was. But we can still get our Linux on with this hardware. There are three separate approaches to making a Chromebook your own virtual hackspace: Crostini, Crouton, and full OS replacement.

Continue reading “Netbooks: The Next Generation — Chromebooks” →

Ask Hackaday: Is Our Power Grid Smart Enough To Know When There’s No Power?

June 23, 2020 by Jenny List 63 Comments

Just to intensify the feeling of impending zombie apocalypse of the COVID-19 lockdown in the British countryside where I live, we had a power cut. It’s not an uncommon occurrence here at the end of a long rural power distribution network, and being prepared for a power outage is something I wrote about a few years ago. But this one was a bit larger than normal and took out much more than just our village. I feel very sorry for whichever farmer in another village managed to collide with an 11kV distribution pole.

What pops to mind for today’s article is the topic of outage monitoring. When plunged into darkness we all wonder if the power company knows about it. The most common reaction must be: “of course the power company knows the power is out, they’re the ones making it!”. But this can’t be the case as for decades, public service announcements have urge us to report power cuts right away.

In our very modern age, will the grid become smart enough to know when, and perhaps more importantly where, there are power cuts? Let’s check some background before throwing the question to you in the comments below.

Continue reading “Ask Hackaday: Is Our Power Grid Smart Enough To Know When There’s No Power?” →

Hunting Neutrinos In The Antarctic

June 22, 2020 by Moritz v. Sivers 31 Comments

Neutrinos are some of the strangest particles we have encountered so far. About 100 billion of them are going through every square centimeter on Earth per second but their interaction rate is so low that they can easily zip through the entire planet. This is how they earned the popular name ‘ghost particle’. Neutrinos are part of many unsolved questions in physics. We still do not know their mass and they might even be there own anti-particles while their siblings could make up the dark matter in our Universe. In addition, they are valuable messengers from the most extreme astrophysical phenomena like supernovae, and supermassive black holes.

The neutrinos on earth have different origins: there are solar neutrinos produced in the fusion processes of our sun, atmospheric neutrinos produced by cosmic rays hitting our atmosphere, manmade reactor neutrinos created in the radioactive decays of nuclear reactors, geoneutrinos which stem from similar processes naturally occurring inside the earth, and astrophysical neutrinos produced outside of our solar system during supernovae and other extreme processes most of which are still unknown. Continue reading “Hunting Neutrinos In The Antarctic” →