This Week In Security: Minecraft Fractureiser, MOVEit, And Triangulation

Modded Minecraft is having a security moment, to match what we’ve seen in the Python and JavaScript repositories over the last few months. It looks like things started when a handful of burner accounts uploaded malicious mods to Curseforge and Bukkit. Those mods looked interesting enough, that a developer for Luna Pixel Studios (LPS) downloaded one of them to test-run. After the test didn’t pan out, he removed the mod, but the malicious code had already run.

Where this gets ugly is in how much damage that one infection caused. The virus, now named fractureiser, installs itself into every other Minecraft-related .jar on the compromised system. It also grabs credentials, cookies, cryptocurrency addresses, and the clipboard contents. Once that information was exfiltrated from the LPS developer, the attacker seems to have taken manual actions, using the purloined permissions to upload similarly infected mod files, and then marking them archived. This managed to hide the trapped files from view on the web interface, while still leaving them exposed when grabbed by the API. Once the malware hit a popular developer, it began to really take off.

It looks like the first of the malicious .jar files actually goes all the way back to mid-April, so it may take a while to discover all the places this malware has spread. It was first noticed on June 1, and investigation was started, but the story didn’t become public until the 7th. Things have developed rapidly, and the malware fingerprints has been added to Windows Defender among other scanners. This helps tremendously, but the safe move is to avoid downloading anything Minecraft related for a couple days, while the whole toolchain is inspected. If it’s too late and you’ve recently scratched that voxel itch, it might be worth it to take a quick look for Indicators of Compromise (IoCs).

Continue reading “This Week In Security: Minecraft Fractureiser, MOVEit, And Triangulation”

Books You Should Read: Prototype Nation

Over the years, I’ve been curious to dig deeper into the world of the manufacturing in China. But what I’ve found is that Western anecdotes often felt surface-level, distanced, literally and figuratively from the people living there. Like many hackers in the west, the allure of low-volume custom PCBs and mechanical prototypes has me enchanted. But the appeal of these places for their low costs and quick turnarounds makes me wonder: how is this possible? So I’m left wondering: who are the people and the forces at play that, combined, make the gears turn?

Enter Prototype Nation: China and the Contested Promise of Innovation, by Silvia Lindtner. Published in 2020, this book is the hallmark of ten years of research, five of which the author spent in Shenzhen recording field notes, conducting interviews, and participating in the startup and prototyping scene that the city offers.

This book digs deep into the forces at play, unraveling threads between politics, culture, and ripe circumstances to position China as a rising figure in global manufacturing. This book is a must-read for the manufacturing history we just lived through in the last decade and the intermingling relationship of the maker movement between the west and east.

Continue reading “Books You Should Read: Prototype Nation

Know Audio: Distortion Part One

If you follow audiophile reviewers, you’ll know that their stock-in trade is a very fancy way of saying absolutely nothing of quantifiable substance about the subject while sounding knowledgeable about imagined differences between devices that are all of superlative quality anyway. If you follow us, we’ll tell you that the only reviews that matter are real-world measurements of audio performance, and blind listening tests. We don’t have to tell you how to listen to music, but perhaps it’s time in our Know Audio series to look at how audio performance is measured.

Before reaching for the bench, it’s first necessary to ask just what we are measuring. What are the properties which matter in an audio chain, or in other words, just what is it that makes an audio device good?

Continue reading “Know Audio: Distortion Part One”

Getting Started In Ham Hack Chat

Join us on Wednesday, June 7 at noon Pacific for the Getting Started in Ham Hack Chat with Mark Hughes and Beau Ambur!

If you were to scratch any random hacker from the last 100 years, chances are pretty good you’d find an amateur radio operator just beneath the surface. Radio is the first and foremost discipline where hacking was not only welcomed, but required. If you wanted to get on the air, you sat down with some coils of wire, a few random parts — as often as not themselves homemade — and a piece of an old breadboard, and you got to work. Build it yourself or do without, and when it broke down or you wanted to change bands or add features, that was all on you too.

Like everything else, amateur radio has changed dramatically over the decades, and rolling your own radio isn’t exactly a prerequisite for entry into the ham radio club anymore. Cheap but capable handheld radios are available for a pittance, better quality radios are well within most people’s budget, and commercially available antennas have reduced the need to dabble in that particular black art. The barrier to entry for amateur radio has never been lower; you don’t even have to learn Morse anymore! So why haven’t you gotten a license?

join-hack-chatWhatever your reason for putting off joining the club of licensed amateur radio operators, we’re going to do our best to change your mind. And to help us do that, we’ve asked Mark Hughes (KE6WOB) and Beau Ambur (K6EAU) to swing by the Chat and share their experiences with getting on the air. Both are relatively recent licensees, and they’ll do their best to answer your questions about getting on the air for the first time, to get on your way to building that first radio.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 7 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Hackaday Links Column Banner

Hackaday Links: June 4, 2023

A report released this week suggests that 50 flights into its five-flight schedule, the Mars helicopter might be starting to show its age. The report details a protracted communications outage Ingenuity’s flight controllers struggled with for six sols after flight 49 back in April. At first attributed to a “communications shadow” caused by the helicopter’s robotic buddy, Perseverance, moving behind a rocky outcrop and denying line of sight, things got a little dicey once the rover repositioned and there was still no joy. Since the helicopter has now graduated from “technology demonstration” to a full-fledged member of the team tasked with scouting locations for the rover while respecting the no-fly zone around it, it was essential to get it flying again. Several attempts to upload a flight plan failed with nothing but an acknowledgment signal from the helicopter, but a final attempt got the program uploaded and flight 50 was a complete if belated success. So that’s good, but the worrying news is that since Sol 685, the helicopter has been switching in and out of nighttime survival mode. What that portends is unclear, but no matter how amazing the engineering is, there’s only so much that can be asked on Ingenuity before something finally gives.

Continue reading “Hackaday Links: June 4, 2023”

Software Driving Hardware

We were talking about [Christopher Barnatt]’s very insightful analysis of what the future holds for the Raspberry Pi single board computers on the Podcast. On the one hand, they’re becoming such competent computers that they are beginning to compete with lightweight desktop machines, instead of just being a hacker curiosity.

On the other hand, especially given the shortage and the increase in price that has come with the Pi’s expanding memory endowments, a lot of people who would “just throw in a Raspberry Pi” are starting to think more carefully about their options. Five years ago, this would have meant looking into what you could whip together on an Arduino-based platform, either on actual Arduino hardware or on an ESP8266 or similar, but that’s a very different beast from a programmer’s perspective. Working with microcontrollers used to be very different from working with even the smallest Linux machines.

These days, there is no shortage of microcontrollers that have enough memory – both flash and RAM – to support a higher-level environment like MicroPython. And if you think about it, MicroPython brings to the microcontrollers a lot of what people were using a Raspberry Pi for in projects anyway: a friendly interactive programming environment that was free of the compile-here, flash-there debug cycle. If you’re happy coding Python on a single-board Linux computer, you’ll be more or less happy coding in MicroPython or Circuit Python on a microcontroller.

And what this leaves us with, as hackers, is a fantastic spectrum of choices. Where before there was a hard edge between programming C on an 8-bit PIC or an AVR and working with something that had a full Linux operating system like a Pi, it’s all blurry now. And as the Pis, the Jetson, and all the other Linux SBCs are blurring the boundary with more traditional computers as they all become more competent and gain more computer-like peripherals. Nowadays your choice is much freer, and the hardware landscape more fluid. You don’t have to let software development concerns drive your hardware choices, and we think that’s a great thing.

Chatting About The State Of Hacker-Friendly AR Gear

There are many in the hacker community who would love to experiment with augmented reality (AR), but the hardware landscape isn’t exactly overflowing with options that align with our goals and priorities. Commercial offerings, from Google’s Glass to the Microsoft HoloLens and Magic Leap 2 are largely targeting medical and aerospace customers, and have price tags to match. On the hobbyist side of the budgetary spectrum we’re left with various headsets that let you slot in a standard smartphone, but like their virtual reality (VR) counterparts, they can hardly compare with purpose-built gear.

But there’s hope — Brilliant Labs are working on AR devices that tick all of our boxes: affordable, easy to interface with, and best of all, developed to be as open as possible from the start. Admittedly their first product, Monocle, it somewhat simplistic compared to what the Big Players are offering. But for our money, we’d much rather have something that’s built to be hacked and experimented with. What good is all the latest features and capabilities when you can’t even get your hands on the official SDK?

This week we invited Brilliant Lab’s Head of Engineering Raj Nakaraja to the Hack Chat to talk about AR, Monocle, and the future of open source in this space that’s dominated by proprietary hardware and software.

Continue reading “Chatting About The State Of Hacker-Friendly AR Gear”