Hackaday Links: June 13, 2021

When someone offers to write you a check for $5 billion for your company, it seems like a good idea to take it. But in the world of corporate acquisitions and mergers, that’s not always the case, as Altium proved this week when they rebuffed a A$38.50 per share offer from Autodesk. Altium Ltd., the Australian company whose flagship Altium Designer suite is used by PCB and electronic designers around the world, said that the Autodesk offer “significantly undervalues” Altium, despite the fact that it represents a 42% premium of the company’s share price at the end of last week. Altium’s rejection doesn’t close the door on ha deal with Autodesk, or any other comers who present a better offer, which means that whatever happens, changes are likely in the EDA world soon.

There were reports this week of a massive explosion and fire at a Chinese polysilicon plant — sort of. A number of cell phone videos have popped up on YouTube and elsewhere that purport to show the dramatic events unfolding at a plant in Xinjiang province, with one trade publication for the photovoltaic industry reporting that it happened at the Hoshine Silicon “997 siloxane” packing facility. They further reported that the fire was brought under control after about ten hours of effort by firefighters, and that the cause is under investigation. The odd thing is that we can’t find a single mention of the incident in any of the mainstream media outlets, even five full days after it purportedly happened. We’d have figured the media would have been all over this, and linking it to the ongoing semiconductor shortage, perhaps erroneously since the damage appears to be limited to organic silicone production as opposed to metallic silicon. But the company does supply something like 17% of the world’s supply of silicon metal, so anything that could potentially disrupt that should be pretty big news.

It’s always fun to see “one of our own” take a project from idea to product, and we like to celebrate such successes when they come along. And so it was great to see the battery-free bicycle tire pressure sensor that Hackaday.io user CaptMcAllister has been working on make it to the crowdfunding stage. The sensor is dubbed the PSIcle, and it attaches directly to the valve stem on a bike tire. The 5-gram sensor has an NFC chip, a MEMS pressure sensor, and a loop antenna. The neat thing about this is the injection molding process, which basically pots the electronics in EDPM while leaving a cavity for the air to reach the sensor. The whole thing is powered by the NFC radio in a smartphone, so you just hold your phone up to the sensor to get a reading. Check out the Kickstarter for more details, and congratulations to CaptMcAllister!

We’re saddened to learn of the passing of Dale Heatherington last week. While the name might not ring a bell, the name of his business partner Dennis Hayes probably does, as together they founded Hayes Microcomputer Products, makers of the world’s first modems specifically for the personal computer market. Dale was the technical guru of the partnership, and it’s said that he’s the one who came up with the famous “AT-command set”. Heatherington only stayed with Hayes for seven years or so before taking his a $20 million share of the company and retiring, which of course meant more time and resources to devote to tinkering with everything from ham radio to battle bots. ATH0, Dale.

What Every Geek Must Know

How is it possible that there’s a geek culture? I mean, it’s one thing to assume that all folks of a nerdy enough bent will know a little Ohm’s law, can fake their way through enough quantum mechanics to at least be interesting at a cocktail party, and might even have a favorite mnemonic for the resistor colors or the angles involved in sine, cosine, and tangents. But how is it that we all know the answer to life, the universe, and everything?

Mike and I were podcasting a couple of weeks back, and it came out that he’d never played Starcraft. I was aghast! Especially since he’s into video games in general, to have not played the seminal 3-way-without-being-rock-scissors-paper game! My mind boggled. But then again, there was a time in my life when I hadn’t actually read all of Dune or Cryptonomicon, which would have left Mike’s jaw on the floor.

Whether you prefer Star Trek or Star Wars, the Matrix or the Hobbit, it’s even more surprising that we have so much in common! And thinking about it, I’m pretty sure that exactly our interchange is the reason — it’s a word of mouth culture thing. Some folks at the hackerspace are talking about Cthulu, and chances are you’re going to be reading some Lovecraft. An argument about the plausibility of the hacks in The Martian has sent at least a couple of geeks to the cinema or the library. And so it goes.

So do your part! Share your geek-culture recommendations with us all in the comments. If you were stranded on a desert island, with a decent bookshelf and maybe even a streaming video service, what’s on your top-10 list? What do you still need to see, read, or hear?

Circuit VR: Arduino Virtually Meets Analog

There was a time when building electronics and building software were two distinct activities. These days, almost any significant electronic project will use a CPU somewhere, or — at least — could. Using a circuit simulator can get you part of the way and software simulators abound. But cosimulation — simulating both analog circuits and a running processor — is often only found in high-end simulation products. But I noticed the other day the feature quietly snuck into our favorite Web-based simulator, Falstad.

The classic simulator is on the left and the virtual Arduino is on the right.

Back in March, the main project added work from [Mark McGarry] to support AVR8js written by [Uri Shaked]. The end result is you can have the circuit simulator on the left of the screen and a Web-based Arduino IDE on the right side. But how does it work beyond the simple demo? We wanted to find out.

The screen looks promising. The familiar simulator is to the left and the Arduino IDE — sort of — is to the right. There’s serial output under the source code, but it doesn’t scroll very well, so if you output a lot of serial data, it is hard to read.

Continue reading “Circuit VR: Arduino Virtually Meets Analog”

Hackaday Podcast 122: Faster Than Wind Travel, Sisyphish, ALU Desktop Calculator, And Mice In Space

Hackaday editors Elliot Williams and Mike Szczys marvel at the awesome hacks from the past week. We had way too much fun debating whether a wind-powered car can travel faster than the wind, and whether or not you can call that sailing. Low-temperature desoldering was demystified: it’s the bismuth! And we saw a camera gimbal solve the problem of hand tremor during soldering. Ford just wants to become your PowerWall. And the results are in from NASA’s mission to spin mice up in a centrifuge on the ISS.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (around 55 MB)

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 122: Faster Than Wind Travel, Sisyphish, ALU Desktop Calculator, And Mice In Space”

This Week In Security: ALPACA, AN0M, Recovering Ransoms, And More

Let’s talk Alpacas. More specifically, “Application Layer Protocol Confusion – Analyzing and mitigating Cracks in tls Authentication“. Although this is definitely a case of someone wanting their name to spell ALPACA, the research itself is pretty clever.

It’s a way to Man-In-the-Middle an HTTPS connection, without actually needing to break the encryption. There are two primary observations at the core of the attack. First, multiple subdomains will often share the same TLS certificate. Secondly, TLS is regularly used to protect more than just HTTPS. So what happens if an HTTPS request is redirected to an SFTP server run by the same company? The TLS handshake will complete successfully, but the data returned by the server is not at all what the browser expected.

The specific details are a little light on this one, but the authors identified three broad categories of attack. The first is an upload attack, where the attacker has privileges to upload files to an FTPS server. From what I can tell, an attacker initiates an FTP upload over SSL, using the control port, and then redirects the victim’s connection to the data port on that server. The entirety of the HTML request is then saved, decrypted, on the FTPS server. This request could contain session cookies and other secrets.

The second identified attack is the opposite, the attacker uploads a malicious file, initiates a download, and then redirects a browser’s request to the FTPS data port. The malicious file is grabbed and the browser may interpret it as code to be run. The third is a reflection technique. This one’s a bit different. Essentially the attacker sends a request for DoBadThings();, and then connects the victim browser to the data port. The response is sent,
Cannot find file: DoBadThings();and the browser might just execute the script fragment. This isn’t one of those attacks that are going to be applicable to just every server, but in just the right setup, it could lead to problems.

VMWare Flaw Exploited

There is a serious VMWare flaw under active exploit right now. It’s apparently in the VMware vCenter control program, and exploiting it is as simple as six curl commands. The flaw is pre-authentication and only requires access to HTTPS port 443. At least one researcher has already seen his VMware honeypot attacked and observed the web-shell the attacker installed. This one looks like a big deal, so make sure you’re up-to-date if you run VMware.

That Time the FBI Ran a Darknet

AN0M was a popular encrypted communication tool for the underworld, really a network consisting of locked down mobile devices with a specialized app running on them. The reality was a bit different, though, the tool was actually being run as Operation Ironside, a join operation by the FBI and the Australian Federal Police (AFP). The story is a weird one, and really raises some legal and ethical questions, so buckle up.

First off, things got started back in 2018 when Phantom Secure CEO Vincent Ramos was prosecuted for RICO charges, related to his company’s work on secure phones. They specialized in taking Blackberry phones, yanking out all the IO hardware, like camera, microphone, and even GPS chips, and then installing encrypted communication apps. In short, very similar to AN0M. Phantom Secure was walking a very thin line between being a legitimate provider of secure hardware, and actively supporting criminal enterprise. When Ramos told an undercover FBI agent that his phones were specifically for drug smuggling, it became obvious that he had strayed far onto the wrong side of the law. He and many in the company were charged for related crimes.

One employee already had drug charges on his record, and agreed to cooperate with the FBI in exchange for avoiding further charges. That developer had already been developing his own device, which he called AN0M. The deal he cut with the feds was to turn over his work for immunity. A scheme was hatched, apparently over beers between agents, to complete the development of AN0M and distribute the devices, but to include a complete back door for law enforcement. This is actually very similar to what was done with Crypto AG, under Project Rubicon.

The turned developer distributed the devices to his contacts, and law enforcement agencies around the world got involved, quietly helping to make them popular. The devices served their purpose of providing messaging to all recipients. It just wasn’t known at the time that law enforcement agents were BCC’d on every message. It’s not clear what triggered the raids and announcements, but this was definitely a coordinated action.

There is a lingering question, however. Namely, do law enforcement really have the legal authority to develop and distribute a malicious device and application? Did a warrant actually cover this? Can it? There is sure to be much consternation over such questions in the months to come. Just imagine that WhatsApp is eventually revealed to be an app secretly developed by the Chinese government, then how would you feel about it?

Ransomware and Bitcoin Seizure

And in another major victory for the FBI, The majority of the funds paid by the Colonial pipeline have been recovered. It’s not entirely known how the recovery happened, but you can read the FBI Affidavit that describes the path the Bitcoins took. There’s a strange little statment at the end of that document. “The private key for the Subject Address is in the possession of the FBI in the Northern District of California.” One has to wonder a couple of things. First, how was the FBI able to track those bitcoins? And second, just how did they happen to end up in a wallet that they knew the key for? Could The AN0M story be related?

The private key for the Subject Address is in the possession of the FBI in the Northern District of California

Now here’s another angle to this. Colonial was given the choice, to pay in Bitcoin or Ethereum, and they chose Bitcoin, even though there was a 10% extra fee for that currency. They had their networks mostly back up, and they knew the decryptor wouldn’t be very helpful. They were working with law enforcement, and they still paid. This raises the very real possibility that the payment was made specifically to trace the Bitcoin transactions.

Next, remember how proud JBS was of their incident response? Now we find out that they did indeed pay an $11 million ransom. However, that was in cooperation with federal officials, and was not necessary to recover files. Oh, and paid in Bitcoin. Sound familiar? At this point, it’s a fair guess that the FBI or another agency helping them has an angle on tracing Bitcoin transactions. AN0M is one possibility. Another is that the FBI is running a “mixer”, essentially a Bitcoin money laundering service. (Shoutout to @MalwareJake for that idea.) Regardless, there seems to be a more serious stance taken towards ransomware as a result of the high profile hacks of the last few weeks.

Rocket.Chat Goes Boom

Running a Rocket.Chat instance? Go update it! This popular Open Source messaging platform uses a NoSQL backend for managing users. If you thought getting rid of SQL means you don’t have injection vulnerabilities, think again.

The MongoDB database backend passes requests and data in a JSON-like format. The first attack is to stuff a regex pattern into that JSON, and leak the password hash one character at a time. The second vulnerability uses the $where operator in MongoDB in a clever way. Rather than try to leak information directly, they used error messages to get information out. Put both together, and you can go from simply knowing a user’s email address to a shell on the hosting server in seconds. All in all, it’s an impressive hack, and the video demonstration of it is worth the watch:

Agent Smith Takes Over The Matrix

Include Security found an interesting bug in the Unity engine, where a malicious game object can run arbitrary code on the machine running the engine. It’s the sort of thing that game designers don’t think too much about until it’s a problem. I couldn’t help but think of VR Chat, a multiplayer experience that allows players to upload their own avatars. It’s built in Unity, and uses game objects for those avatars. I haven’t been able to confirm whether it has this vulnerability one way or another, but I’m very much reminded of Agent Smith copying himself onto all the other citizens of the matrix. If VR Chat does indeed have this problem, it would be rather trivial to build an avatar worm to do the same thing. Life imitates art.

Don’t Use a Password Manager?

And finally, one of the hallowed bits of cybersecurity wisdom gets challenged by [Tavis Ormandy] of Google project Zero fame. His take? Don’t use a password manager! Well, actually, it’s that you shouldn’t use a password manager that is a browser extension, because websites can actually interact with the hooks that make them work. There’s more to his argument, and his conclusion is simple. Use the password manager built into Google Chrome. Or Firefox, if that’s what you use. His argument is rather compelling, that many of them aren’t as secure as they claim to be.

 

Survey Of Simple Logic Simulators

A few months ago, a tweet by [Ken Shirriff] asking about simple digital simulators caught my attention. The topic came up again in May when a repair video by [CuriousMarc] featured one such simulator called Logisim-evolution. It made me want to take a fresh look on what’s out there and which features set the different simulators apart.

So today, let’s take a quick survey of a few such simulators that I found. I’m focusing on plain logic simulators, analyzing ones and zeros using Boolean logic. They are not doing SPICE-like analog analysis of transistor logic gates, but they’re still quite handy for proofing out designs.

Continue reading “Survey Of Simple Logic Simulators”

Historical Hackers: Ctesibius Tells Time

People are obsessed with the time and the weather. We’ve talked about the weather since we were all cave dwellers hunting with spears. But the time is a different matter. Sure, people always had the idea of the passage of time. The sun rising and setting gives a natural sense of days, but daylight and dark periods vary by the time of year and to get an accurate and linear representation of time turns out to be rather difficult. That is unless you are a Greek engineer living in Alexandria around 250 BC.

Legend has it that and engineer working in his father’s barbershop led him to discover not only the first working clock, but also the pipe organ, launching the field of pneumatics in the process. That engineer was named Ctesibius and while his story is mostly forgotten, it shows he has a place as a historical hacker.

You might think there were timekeeping devices before 250 BC, and that’s sort of true. However, the devices before Ctesibius had many limitations. For example, a sundial can tell time, but only if the sun is shining. At night or during a storm it is worthless.

Continue reading “Historical Hackers: Ctesibius Tells Time”