This Week In Security: Unicode, Truecrypt, And NPM Vulnerabilities

Unicode, the wonderful extension to ASCII that gives us gems like “✈”, “⌨”, and “☕”, has had some unexpected security ramifications. The most common problems with Unicode are visual security issues, like character confusion between letters. For example, the English “M” (U+004D) is indistinguishable from the Cyrillic “М” (U+041C). Can you tell the difference between IBM.com and IBМ.com?

This bug, discovered by [John Gracey], turns the common problem on its head. Properly referred to as a case mapping collision, it’s the story of different Unicode characters getting mapped to the same upper or lowercase equivalent.

'ß'.toUpperCase() === 'SS'.toUpperCase() // true ('ß' upper-cases to the two ASCII letters 'SS')
// Note the Turkish dotless i (U+0131), which upper-cases to the ASCII 'I'
'John@Gıthub.com'.toUpperCase() === 'John@Github.com'.toUpperCase() // true

GitHub stores all email addresses in their lowercase form. When a user sends a password reset, GitHub’s logic worked like this: Take the email address that requested a password reset, convert to lower case, and look up the account that uses the converted email address. That by itself wouldn’t be a problem, but the reset is then sent to the email address that was requested, not the one on file. In retrospect, this is an obvious flaw, but without the presence of Unicode and the possibility of a case mapping collision, it would be a perfectly safe practice.
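To make the flaw concrete, here is an added toy password-reset flow (not GitHub’s code, and not from the original article) that reproduces the collision and shows the fix: send the link only to the address on file. The account store and function names are hypothetical, and it generalizes slightly beyond the article by showing that the collision direction depends on which mapping the lookup uses (dotless ı and ß collide under toUpperCase, the Kelvin sign K collides under toLowerCase).

```javascript
// Hypothetical account store, keyed by the case-folded email the way a
// case-insensitive lookup would index it. Everything here is constructed.
const accounts = new Map();

function addAccount(email) {
  accounts.set(email.toUpperCase(), { email });
}

// Flawed flow: look the account up by its case-folded email, then mail the
// reset link to the address the requester typed (attacker-controlled).
function resetFlawed(requested) {
  const acct = accounts.get(requested.toUpperCase());
  if (!acct) return null;
  return { account: acct.email, sentTo: requested };
}

// Fixed flow: identical lookup, but the link only ever goes to the stored address.
function resetFixed(requested) {
  const acct = accounts.get(requested.toUpperCase());
  if (!acct) return null;
  return { account: acct.email, sentTo: acct.email };
}

// Two strings collide when one direction of the case mapping makes them equal.
function collidesUpper(a, b) { return a.toUpperCase() === b.toUpperCase(); }
function collidesLower(a, b) { return a.toLowerCase() === b.toLowerCase(); }

// Detection heuristic for a reset request: flag any non-ASCII character whose
// upper- or lower-case mapping lands entirely in ASCII, since that is exactly
// what makes a non-ASCII address alias an ASCII one (é -> É does not trigger it).
function crossesIntoAscii(s) {
  const ascii = /^[\x00-\x7F]*$/;
  return [...s].some(ch => ch.codePointAt(0) > 0x7F &&
    (ascii.test(ch.toUpperCase()) || ascii.test(ch.toLowerCase())));
}

// Constructed victim account and an attacker-supplied look-alike address.
addAccount('john@github.com');
const lookalike = 'john@g\u0131thub.com'; // dotless ı instead of i

console.log(collidesUpper('\u00DF', 'SS'));        // true: ß -> SS
console.log(collidesLower('\u00DF', 'SS'));        // false: ß stays ß, SS -> ss
console.log(collidesLower('\u212Aelvin', 'kelvin')); // true: Kelvin sign -> k
console.log(resetFlawed(lookalike).sentTo);         // the attacker's address
console.log(resetFixed(lookalike).sentTo);          // john@github.com
console.log(crossesIntoAscii(lookalike));           // true, worth logging/alerting
```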

This flaw seems to have been fixed quite some time ago, but was only recently disclosed. It’s also a novel problem affecting Unicode that we haven’t covered. Interestingly, my research has turned up an almost identical problem at Spotify, back in 2013.


What’s An Exciton?

If you read the scientific literature, you see the familiar subatomic particles you learned about in school: protons, neutrons, and electrons. If you are young enough, you see others you probably heard about, too, like quarks and gluons. But recently there has been a lot of buzz about excitons and even some transistor circuits demonstrated that use them. But what is an exciton?

It actually sounds like a subatomic particle, but it is a little more complicated than that. An exciton is a bound state of an electron and an electron hole and is technically a boson. You are probably familiar with the idea of an electron hole from semiconductor physics. Technically, it is a quasiparticle. The reason scientists are interested in the beast is that it can transport energy without transporting net electric charge. That is, the state itself is neutral, but also contains energy.

Retrotechtacular: Mechanical Arithmetic For The Masses

Last month we carried a piece looking at the development of the 8-bit home computer market through the lens of the British catalogue retailer Argos and their perennial catalogue of dreams. As an aside, we mentioned that the earliest edition from 1975 contained some of the last mechanical calculators on the market, alongside a few early electronic models. This month it’s worth returning to those devices, because though they are largely forgotten now, they were part of the scenery and clutter of a typical office for most of the century.

The Summa’s internals, showing the register on the right and the type wheels on the left.

Somewhere in storage I have one of the models featured in the catalogue, an Olivetti Summa Prima. I happened upon it in a dumpster as a teenager looking for broken TVs to scavenge for parts, cut down a pair of typewriter ribbon reels to fit it, and after playing with it for a while added it to my store of random tech ephemera. It’s a compact and stylish desktop unit from about 1970: on its front is a numerical keypad, on top is a printer with a holder for a roll of receipt paper and a typewriter-style rubber roller, while on its side is a spring-loaded handle from which it derives its power. It can do simple addition and subtraction in the old British currency units, and operating it is a simple case of punching in a number, pulling the handle, and watching the result spool out on the paper tape. Its register appears to be a set of rotors advanced or retarded by the handle for either addition or subtraction, and its printing is achieved by a set of print bars sliding up to line the correct number with the inked ribbon. For me in 1987 with my LCD Casio Scientific it was an entertaining mechanical curiosity, but for its operators twenty years earlier it must have represented a significant time saving.

The history of mechanical calculators goes back over several hundred years to Blaise Pascal in the 17th century, and over that time they evolved through a series of inventions into surprisingly sophisticated machines that were capable of handling financial complications surprisingly quickly. The Summa was one of the last machines available in great numbers, and even as it was brought to market in the 1960s its manufacturer was also producing one of the first desktop-sized computers. Its price in that 1975 Argos catalogue is hardly cheap but around the same as an electronic equivalent, itself a minor miracle given how many parts it contains and how complex it must have been to manufacture.

We’ve put two Summa Prima videos below the break. The first is a contemporary advert for the machine, and the second is a modern introduction to the machine partially narrated by a Brazilian robot, so consider turning on translated subtitles. In that second video you can see something of its internals as the bare mechanism is cranked over for the camera and some of the mechanical complexity of the device becomes very obvious. It might seem odd to pull an obsolete piece of office machinery from a dumpster and hang onto it for three decades, but I’m very glad indeed that a 1980s teenage me did so. You’re probably unlikely to stumble upon one in 2019, but should you do so it’s a device that’s very much worth adding to your collection.


Linux Fu: Stupid SSH Tricks

If you connect to remote computers over the Internet, there is a pretty good chance you use some form of SSH or secure shell. On Linux or Unix you’ll use the ssh command. Same goes for Linux-like environments on Windows like Cygwin or WSL. For native Windows, you might be using Putty. In its simplest form, ssh is just a terminal program that talks to a server using an encrypted connection. We think it is very hard to eavesdrop on anyone communicating with a remote computer via ssh.

There are several tricks for using ssh — some are pretty straightforward and some are things you might not think of as being in the domain of a terminal program. You probably know that ssh can copy files securely, and there are easy and hard ways to set up logging in with no password.

However, you can also mount a remote filesystem via ssh (actually, there are several ways to do that). You can use ssh to securely browse the web in your favorite browser, or even use it to tunnel specific traffic by port or even use it as a makeshift VPN. In fact, there’s so much ground to cover that this won’t be the last Linux Fu to talk about ssh. But enough setup, let’s get to the tricks.


Prusa Dares You To Break Their Latest Printer

Two months after its surprise reveal at the 2019 East Coast RepRap Festival, the Prusa Mini has started shipping out to the first wave of early adopters. True to form, with the hardware now officially released to the public, the company has begun the process of releasing the design as open source. In their GitHub repository, owners can already find the KiCad files for the new “Buddy” control board and STLs for the machine’s printable parts.

But even so, not everyone feels that Prusa Research has made the Mini as “open” as its predecessors. Some concerned owners have pointed out that according to the documentation for the Buddy board, they’ll need to physically snap off a section of the PCB so they can flash custom firmware images via Device Firmware Upgrade (DFU) mode. Once this piece of the board has been broken off, which the documentation refers to as the Appendix, Prusa Research will no longer honor any warranty claims for the electronic components of the printer.

For the hardcore tinkerers out there, this news may come as something of a shock. Previous Prusa printers have enjoyed a fairly active firmware development community, and indeed, features that started out as user-developed modifications eventually made their way into the official upstream firmware. What’s more, certain hardware modifications require firmware tweaks to complete.

Prusa Research explains their stance by saying that there’s no way the company can verify the safety of community developed firmware builds. If thermal runaway protections have been disabled or otherwise compromised, the results could be disastrous. We’ve already seen it happen with other printers, so it’s hard to fault them for being cautious here. The company is also quick to point out that the installation of an unofficial firmware has always invalidated the printer’s warranty; physically breaking the board on the Mini is simply meant as a way to ensure the user understands they’re about to leave the beaten path.

How much support is a manufacturer obligated to provide to a user who’s modified their hardware? It’s of course an issue we’ve covered many times before. But here the situation is rather unique, as the user is being told they have to literally break a piece off of their device to unlock certain advanced functionality. If Prusa wanted to prevent users from running alternate firmware entirely they could have done so (or at least tried to), but instead they’ve created a scenario that forces the prospective tinkerer to either back down or fully commit.

So how did Prusa integrate this unusual feature into their brand new 32-bit control board? Perhaps more importantly, how is this going to impact those who want to hack their printers? Let’s find out.


Weird World Of Microwaves Hack Chat

Join us on Wednesday, December 18 at noon Pacific for the Weird World of Microwaves Hack Chat with Shahriar Shahramian! We’ve been following him on The Signal Path for years and are excited to pick his brain on what is often considered one of the dark arts of electronics.

No matter how much you learn about electronics, there always seems to be another door to open. You think you know a thing or two once you learn about basic circuits, and then you discover RF circuits. Things start to get a little strange there, and stranger still as the wavelengths decrease and you start getting into the microwave bands. That’s where you see feed lines become waveguides, PCB traces act as components, and antennas that look more like musical instruments.

Shahriar is no stranger to this land. He’s been studying millimeter-wave systems for decades, and his day job is researching millimeter-wave ASICs for Nokia Bell Labs in New Jersey, the birthplace of the transistor. In his spare time, Shahriar runs The Signal Path, a popular blog and YouTube channel where he dives into tear-downs, explanations, and repairs of incredibly sophisticated and often outrageously expensive equipment.

We’ll be sitting down with Shahriar this week for the last Hack Chat of 2019 with a peek inside his weird, wonderful world of microwaves. Join us with your questions about RF systems, microwaves in the communication industry, and perhaps even how he manages to find the gear featured on his channel.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, December 18 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.


Hackaday Links: December 15, 2019

When you’re right, you’re right. Back in January, we predicted that exoskeletons were about to break out as a mainstream product, and gave several examples of prototypes poised to become products. So it was with interest that we read about Sarcos Robotics and their new Guardian XO, a cyber suit aimed at those doing heavy lifting tasks. The wearable, full-body exoskeleton is supposed to amplify the wearer’s effort 20-fold, making a 200-pound load feel like lifting 10 pounds. It runs untethered for two hours on hot-swappable battery packs, and will be offered for lease to civilian heavy industries and the military for $100,000 a year. Honestly, it seems like you could hire a fair number of meat-robots for that sum, but still, it’s an interesting technology and a promising development.

Aficionados of 3D printing know all too well the limitations of the technology. While we’ve come a long way with things like print-in-place parts, multiple materials, embedded electronics, and even direct 3D printing of complex mechanisms like electric motors, there’s been a long-standing obstacle to turning the 3D printer into the replicator of the Star Trek universe: batteries. But even that barrier is falling, and a new paper shows just how close we’ve come to printing batteries right into our designs. Using an off-the-shelf Prusa Mk 3 and specially formulated lithium iron phosphate/PLA and silicon dioxide/PLA filaments, the group was able to print working batteries in one shot. It’s exciting news because previous 3D-printed batteries required special printers or laborious post-processing steps. We’ll be watching for developments here.

Speaking of laboratory work, anyone who has been around labs is probably familiar with LabVIEW, the de facto standard for programming data capture and automation applications in the laboratory setting. The graphical programming language makes it easy to throw together a quick interface, and many lab-rats regret not having the expensive, proprietary environment available for their after-hours hacking. That might no longer be true, though, with special LabVIEW licensing for non-commercial users. It looks like there are two levels: LabVIEW Home Edition and a Community Edition of LabVIEW, which is currently in Beta. Either way, it’s good news for LabVIEW fans.

Friend of Hackaday Eric Strebel released a video the other day that we just had to comment on. It has nothing to do with electronics – unless you’re into circuit sculpture, that is. In the first of a two-part series, Eric covers the basics of modeling with brass and copper, using both wire and tubing. He has some great tips, like work-hardening and straightening copper wire by stretching it, and the miniature roll bender seen at 7:40 looks like something that could easily be 3D-printed. We recently did a Hack Chat on circuit sculpture with Mohit Bhoite, and saw his Supercon talk on the subject, so this video really got the creative juices flowing.

If you’re local to the Elkhorn, Wisconsin area, consider stopping by the Elkhorn Mini Maker Faire on February 15 and 16. Elkhorn looks like it has a nice central location between Milwaukee and Madison, and doesn’t appear too far from Chicago either, which is probably why they drew 1,200 people to the inaugural Faire last year. They’re looking to get that up to 2,000 people this year and over 150 booths, so if you’ve got something hackish to show off, check it out. The organizers have even set up a Hackaday.io event page to coordinate with the Hackaday community, so drop them a line and see what you can do to pitch in.

And finally, this one has us scratching our head. Activist group Extinction Rebellion (XR) has claimed they’ve “decommissioned” thousands of electric scooters in French cities. Why they’ve done this is the puzzler; they claim that the scooters-for-hire are an “ecological disaster” due to the resources needed to produce them compared to their short lifespan. We haven’t done the math. What is interesting, though, is the mode of decommissioning: XR operatives simply defaced the QR code on the scooters, rendering them un-rentable with the vendor’s smartphone app. Scooter companies might want to look into alternative rental methods if this keeps up.