This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

October 7, 2022 by Jonathan Bennett 1 Comment

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty, potential supply chain attack in this tool, when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control Service (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection. Name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mecurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe still used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
Continue reading “This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis” →

Immersive Cursive: Growing Up Loopy

October 6, 2022 by Kristina Panos 28 Comments

Growing up, ours was a family of handwritten notes for every occasion. The majority were left on the kitchen counter next to the sink, or in a particular spot on the all-purpose table in the breakfast nook. Whether one was professing their familial love and devotion on the back of a Valpak coupon, or simply communicating an intent to be home before dinnertime, the words were generally immortalized in BiC on whatever paper was available, and timestamped for the reader’s information. You may have learned cursive in school, but I was born in it — molded by it. The ascenders and descenders betray you because they belong to me.

Both of my parents always seemed to be incapable of printing in anything other than all caps, so I actually preferred to see their cursive most of the time. As a result, I could ~~copy~~ read it quite easily from an early age. Well, I don’t think I ever had any hope of imitating Dad’s signature. But Mom’s on the other hand — like I said in the first installment, it was important for my signature to be distinct from hers, given that we have the same name — first, middle, and last. But I could probably still bust out her signature if it came down to something going on my permanent record.

While my handwriting was sort of naturally headed towards Mom’s, I was more interested in Dad’s style and that of my older brother. He had small caps handwriting down to an art, and my attempts to copy it have always looked angry and stilted by comparison. In addition, my brother’s cursive is lovely and quick, while still being legible.

Continue reading “Immersive Cursive: Growing Up Loopy” →

The State Of The SBC Interface Ecosystem, Is It Time To Design A Standard?

October 5, 2022 by Jenny List 132 Comments

We are spoiled for choice when it comes to single board computers, whether they be based around a microcontroller or a more capable SoC capable of running an operating system such as GNU/Linux. They can be had from well-established brands such as Arduino, Adafruit, or Raspberry Pi, or from a Wild West of cheaper Far Eastern modules carrying a plethora of different architectures.

Everyone has their own favourite among them, and along with that comes an ecosystem of operating systems and software development environments. There’s another aspect to these boards which has evolved; certain among them have become de facto interface connector standards for hardware peripherals. Do these standards make any sense? Let’s talk about that.

Continue reading “The State Of The SBC Interface Ecosystem, Is It Time To Design A Standard?” →

2022 Hackaday Supercon Speakers Will Inspire You

October 4, 2022 by Elliot Williams 10 Comments

The return of Supercon is taking place in just a month. We’ve got 45 fantastic talks and workshops planned for the three-day weekend, and they are as varied and inspiring as the Hackaday community itself. From molecules to military connectors, here’s an even dozen talks to whet your appetite.

Supercon is the Ultimate Hardware Conference and you need to be there! We’ll continue to announce speakers and workshops over the next couple weeks. Supercon will sell out so get your tickets now before it’s too late. And stay tuned for the next round of talk reveals next week! Continue reading “2022 Hackaday Supercon Speakers Will Inspire You” →

Big Brother Or Dumb Brother? Bus Drivers In Beijing Are Forced To Wear “Emotional Monitors”

October 3, 2022 by Zoe Skyforest 64 Comments

Humans aren’t always great at respecting each other’s privacy. However, common sense says there’s a clear boundary when it comes to the thoughts in one’s own head and the feelings in one’s heart.

For bus drivers in Beijing though, it seems that’s no longer the case. These professional drivers are now being asked to wear emotional monitors while on the job, raising concerns from both legal and privacy advocates. But the devices aren’t really anything more than workout monitors, and whether they can actually make good on their Orwellian promise remains to be seen.

In Your Head, In Your Head!

The monitoring wristbands have been rolled out to some of Beijing’s long-distance bus drivers. Credit: Cypp0847, CC-BY-SA-4.0

When George Orwell wrote 1984, it was only 1949. However, he was able to foresee a world in which surveillance was omnipresent and inescapable. He also envsioned the concept of thoughtcrime, where simply contemplating the wrong things could get you in serious trouble with the authorities.

As we all know, Orwell was way off – these predictions didn’t become reality until well into the 2000s. In the latest horrifying development, technologies now exist that claim to be able to monitor one’s emotional state. Now, China’s transportation sector is rushing to push them on their workforces.

Long-distance bus drivers in Beijing are now being told to wear electronic wristbands when on the job. These wristbands claim to be able to capture the wearer’s emotional state, monitoring it on behalf of the employer. The scheme was the idea of the Beijing Public Transport Holding Group. The state-run organization claims the technology is intended for the safety of the public, and a trial of the wristbands began in July this year. Continue reading “Big Brother Or Dumb Brother? Bus Drivers In Beijing Are Forced To Wear “Emotional Monitors”” →

Hackaday Links: October 2, 2022

October 2, 2022 by Dan Maloney 22 Comments

“Necessity is the mother of invention,” or so the saying goes. We’ve never held to that, finding that laziness is a much more powerful creative lubricant. And this story about someone who automated their job with a script is one of the best examples of sloth-driven invention since the TV remote was introduced. If we take the story at face value — and it’s the Internet, so why wouldn’t we? — this is a little scary, as the anonymous employee was in charge of curating digital evidence submissions for a law firm. The job was to watch for new files in a local folder, manually copy them to a cloud server, and verify the file with a hash to prove it hasn’t been tampered with and support the chain of custody. The OP says this was literally the only task to perform, so we can’t really blame them for automating it with a script once COVID shutdowns and working from home provided the necessary cover. But still — when your entire job can be done by a Windows batch file and some PowerShell commands while you play video games, we’re going to go out on a limb and say you’re probably underemployed.

People have been bagging on the US Space Force ever since its inception in 2019, which we think is a little sad. It has to be hard being the newest military service, especially since it branched off of the previously newest military service, and no matter how important its mission may be, there’s still always going to be the double stigmas of being both the new kid on the block and the one with a reputation for digging science fiction. And now they’ve given the naysayers yet more to dunk on, with the unveiling of the official US Space Force service song. Every service branch has a song — yes, even the Army, and no, not that one — and they all sound appropriately martial. So does the Space Force song, but apparently people have a problem with it, which we really don’t get at all — it sounds fine to us.

Continue reading “Hackaday Links: October 2, 2022” →

Unintentional Emissions

October 1, 2022 by Elliot Williams 40 Comments

First, it was the WiFi router: my ancient WRT54G that had given me nearly two decades service. Something finally gave out in the 2.4 GHz circuitry, and it would WiFi no more. Before my tears could dry, our thermometer went on the fritz. It’s one of those outdoor jobbies that transmits the temperature to an indoor receiver. After that, the remote for our office lights stopped working, but it was long overdue for a battery change.

Meanwhile, my wife had ordered a new outdoor thermometer, and it too was having trouble keeping a link. Quality control these days! Then, my DIY coffee roaster fired up once without any provocation. This thing has worked quasi-reliably for ten years, and I know the hardware and firmware as if I had built them myself – there was no way one of my own tremendously sophisticated creations would be faulty. (That’s a joke, folks.) And then the last straw: the batteries in the office light remote tested good.

We definitely had a poltergeist, a radio poltergeist. And the root cause would turn out to be one of those old chestnuts from the early days of CMOS ICs – never leave an input floating that should have a defined logic level. Let me explain.

The WRT54G was the hub of my own home automation system, an accretion of ESP8266 and other devices that all happily speak MQTT to each other. When it went down, none of the little WiFi nodes could boot up right. One of them, described by yours truly in this video, is an ESP8266 connected to a 433 MHz radio transmitter. Now it gets interesting – the thermometers and the coffee roaster and the office lights all run on 433 MHz.

Here’s how it went down. The WiFi-to-433 bridge failed to connect to the WiFi and errored out before the part of the code where it initialized GPIO pins. The 433 MHz transmitter was powered, but its digital input was left flopping in the breeze, causing it to spit out random data all the time, with a pretty decent antenna. This jammed everything in the house, and apparently even once came up with the command to turn on the coffee roaster, entirely by chance. Anyway, unplugging the bridge fixed everything.

This was a fun one to troubleshoot, if only because it crossed so many different devices at different times, some homebrew and some commercial, and all on different control systems. Until I put it together that everything on 433 MHz was failing, I hadn’t even thought of it as one event. And then it turns out to be a digital electronics classic – the dangling input!

Anyway, hope you enjoyed the ride. And spill some copper for the humble pull-down resistor.