Hackaday Links: March 1, 2020

Talk about buried treasure: archeologists in Germany have – literally – unearthed a pristine Soviet spy radio, buried for decades outside of Cologne. While searching for artifacts from a Roman empire settlement, the archeologists found a pit containing the Soviet R-394KM transceiver, built in 1987 and apparently buried shortly thereafter without ever being used. It was found close to a path in the woods and not far from several sites of interest to Cold War-era spies. Curiously, the controls on the radio are labeled not in Cyrillic characters, but in the Latin alphabet, suggesting the radio was to be used by a native German speaker. The area in which it was found is destined to be an open-cast lignite mine, which makes us think that other Cold War artifacts may have fallen victim to the gore-covered blades of Bagger 288.

Good news for Betelgeuse fans, bad news for aficionados of cataclysmic cosmic explosions: it looks like the red giant in Orion isn’t going to explode anytime soon. Betelgeuse has been dimming steadily and rapidly since October of 2019; as a variable star such behavior is expected, but the magnitude of its decline was seen by some astronomers as a sign that the star was reaching the point in its evolution where it would go supernova. Alas, Betelgeuse started to brighten again right on schedule, suggesting that the star is not quite ready to give up the ghost. We’d have loved to witness a star so bright it rivals the full moon, but given the times we live in, perhaps it’s best not to have such a harbinger of doom appear.

If you plan to be in the Seattle area as the winter turns to spring, you might want to check out the Vintage Computer Fair Pacific Northwest. We visited back during the show’s first year and had a good time, and the Living Computers: Museum + Labs, where the event is held, is not to be missed. The Museum of Flight is supposed to be excellent as well, and not far away.

Mozilla announced this week that Firefox would turn on DNS over HTTPS (DoH) by default in the United States. DoH encrypts the DNS requests that are needed to translate a domain name to an IP address, which normally travel in clear text and are therefore easily observed. Easily readable DNS transactions are also key to content blockers, which has raised the hackles of regulators and legislators over the plan, who are singing the usual “think of the children” song. That DoH would make user data collection and ad-tracking harder probably has nothing to do with their protests.

And finally, sad news from California as daredevil and amateur rocketeer “Mad” Mike Hughes has been killed in a crash of his homemade rocket. The steam-powered rocket was to be a follow-up to an earlier, mostly successful flight to about 1,900 feet (580 m), and supposed to reach about 5,000 feet (1.5 km) at apogee. But in an eerily similar repeat of the mishap that nearly killed Evel Knievel during his Snake River Canyon jump in 1974, Mike’s parachute deployed almost as soon as his rocket left the launch rails. The chute introduced considerable drag before being torn off the rocket by the exhaust plume. The rocket continued in a ballistic arc to a considerable altitude, but without a chute Mike’s fate was sealed. Search for the video at your own peril, as it’s pretty disturbing. We never appreciated Mike’s self-professed Flat Earth views, but we did like his style. We suppose, though, that such an ending was more likely than not.

This Week In Security: Chrome Bugs And Non-bugs, Kr00k, And Letsencrypt

Google Chrome minted a new release to fix a trio of bugs on Monday, with exploit code already in the wild for one of them. The first two bugs don’t have much information published yet. They are an integer-overflow problem in Unicode internationalization, and a memory access issue in streams. The third issue, type confusion in V8, was also fixed quietly, but a team at Exodus Intel took the time to look at the patches and figure out what the problem was.

The actual vulnerability dives into some exotic JavaScript techniques, but to put it simply, it’s possible to change a data type without V8 noticing. This allows malicious code to write into the header area of the attacked variable. The stack, now corrupted, can be manipulated to the point of arbitrary code execution. The researchers make the point that even with Google’s fast-paced release schedule, a determined attacker could have several days of virtual zero-day exploitation of a bug mined from code changes. Story via The Register.

The Chrome Problem that Wasn’t

A second Chrome story came across my desk this week: Chrome 80 introduces a new feature, ScrollToTextFragment. This useful new feature allows you to embed a string of text in a URL, and when loading that address, Chrome will scroll the page to make that text visible. For certain use cases, this is an invaluable feature. Need to highlight a specific bit of text in a big document online?

The following bookmarklet code by [Paul Kinlan] is the easy way to start using this feature. Paste this code into the URL of a bookmark, put it on the bookmark bar, highlight some text in a webpage, and then run the bookmarklet. It should open a new tab with the new URL, ready to use or send to someone.

javascript:(function()%7Bconst%20selectedText%20%3D%20getSelection().toString()%3Bconst%20newUrl%20%3D%20new%20URL(location)%3BnewUrl.hash%20%3D%20%60%3A~%3Atext%3D%24%7BencodeURIComponent(selectedText)%7D%60%3Bwindow.open(newUrl)%7D)()

Since we’re talking about it in the security column, there must be more to the story. A privacy guru at Brave, [Peter Snyder], raised concerns about privacy implications of the feature. His argument has been repeated and misrepresented in a few places. What argument was he making? Simply put, that it’s not normal user behavior to immediately scroll to an exact position on the page. Because modern web pages and browsers do things like deferred loading of images, it could be possible to infer where in the page the link was pointing. He gives the example of a corporate network where DNS is monitored. This isn’t suggesting that the entire URL is leaked over DNS, but rather that DNS can indicate when individual components of a page are loaded, particularly when they are embedded images from other sites.

While this concern isn’t nonsensical, it seems to me to be a very weak argument that is being over-hyped in the press.

Whatsapp Groups Searchable on Google

It’s not new for search engines to index things that weren’t intended to be public. There is a bit of mystery surrounding how Google finds URLs to index, and StackExchange is full of plenty of examples of webadmins scratching their heads at their non-public folders showing up in a Google search.

That said, a story made the rounds in the last few days, that WhatsApp and Telegram group invites are being indexed by Google. So far, the official word is that all the indexed links must have been shared publicly, and Google simply picked them up from where they were publicly posted.

It appears that WhatsApp has begun marking chat invitation links as “noindex”, which is a polite way to ask search engines to ignore the link.

If it’s shown that links are getting indexed without being posted publicly online, then we have a much bigger story. Otherwise, everything is working as expected.

Letsencrypt Makes Attacks Harder

Letsencrypt has rolled out an invisible change to their validation process that makes a traffic redirection attack much harder. The new feature, Multi-Perspective Validation, means that when you verify your domain ownership, Letsencrypt will test that verification from multiple geographic regions. It might be possible to spoof ownership of a domain through a BGP attack, but that attack would be much harder to pull off against traffic originating from another country, or multiple countries simultaneously. Letsencrypt is currently using different regions of a single cloud, but plans to further diversify and use multiple cloud providers for even stronger validation.
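To make the multi-perspective idea concrete, here is a small model of the decision logic (an added example, not Let’s Encrypt’s code): each vantage point reports what it saw when fetching the challenge token, and the certificate is only issued when enough vantage points in enough distinct regions agree. The perspective names, regions, quorum and the “hijacked” scenario are all constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample data: the token the applicant was told to publish for an
# HTTP-01 style challenge. Names, regions and outcomes below are made up.
EXPECTED_TOKEN = "tok-example-123"


@dataclass(frozen=True)
class Perspective:
    name: str
    region: str
    observed: Optional[str]  # token this vantage point fetched; None = unreachable


def single_perspective_valid(p: Perspective) -> bool:
    """Legacy behaviour: one vantage point decides on its own."""
    return p.observed == EXPECTED_TOKEN


def multi_perspective_valid(perspectives: Iterable[Perspective],
                            quorum: int = 3) -> Tuple[bool, List[str]]:
    """Pass only if at least `quorum` vantage points, spread over at least two
    distinct regions, all saw the expected token. Returns (decision, agreeing).
    A BGP hijack close to one vantage point can fool that point, but it would
    have to fool several geographically separate ones at the same time."""
    agreeing = [p for p in perspectives if single_perspective_valid(p)]
    regions = {p.region for p in agreeing}
    ok = len(agreeing) >= quorum and len(regions) >= 2
    return ok, sorted(p.name for p in agreeing)


# Scenario 1: the applicant really controls the domain; every vantage point sees the token.
LEGIT = [
    Perspective("primary", "us-east", EXPECTED_TOKEN),
    Perspective("us-west", "us-west", EXPECTED_TOKEN),
    Perspective("eu", "eu-central", EXPECTED_TOKEN),
    Perspective("apac", "ap-southeast", EXPECTED_TOKEN),
]

# Scenario 2 (constructed): routes near the primary vantage point are hijacked,
# so only the primary fetches the impostor's token; the rest reach the real
# server, which never published it.
HIJACKED = [
    Perspective("primary", "us-east", EXPECTED_TOKEN),
    Perspective("us-west", "us-west", None),
    Perspective("eu", "eu-central", "not-found"),
    Perspective("apac", "ap-southeast", "not-found"),
]
```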

Kr00k

Brought to us by the researchers at Eset, Kr00k (PDF) is a simple flaw in certain wireless chips. So far, the flaw seems to be limited to WPA2 traffic sent by Broadcom and Cypress chips. They discovered Kr00k while doing some follow-up research on KRACK.

Let’s talk about WPA2 for a moment. WPA2 has a 4-way handshake process that securely confirms that both parties have the shared key, and then establishes a shared Temporal Key, also known as a session key. This key is private between the two devices that performed the handshake, meaning that other devices on the same wireless network can’t sniff traffic sent by other devices.

When a device disconnects, or disassociates, that session key is reset to all 0s, and no packets should be sent until another handshake is performed. Here’s the bug: The packets already in the output buffer are still sent, but are encrypted with the zeroed key, making them trivially decrypted. As it’s simple to trigger deauthentication events, an attacker can get a sampling of in-the-clear packets. The ubiquity of TLS is a saving grace here, but any unencrypted traffic is vulnerable. Eset informed vendors about the flaw in 2019, and at least some devices have been patched.
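The state-machine mistake is easier to see in code than in prose. The following model (an added example, not Eset’s research code or any vendor firmware) keeps a transmit queue and a Temporal Key; the vulnerable variant zeroes the key on disassociation but still drains the queue, while the fixed variant drops the buffered frames first. A keyed hash in counter mode stands in for CCMP’s AES-CTR keystream, so the key-handling logic is what is being demonstrated, not the cipher.

```python
import hashlib
import hmac
from typing import List, Tuple

ZERO_TK = bytes(16)  # the "all 0s" key the session key is reset to


def keystream(tk: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for the CCMP keystream (constructed: HMAC-SHA256 in counter mode)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(tk, nonce.to_bytes(6, "big") + ctr.to_bytes(2, "big"),
                        hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor_crypt(tk: bytes, nonce: int, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(tk, nonce, len(data))))


class WifiClient:
    def __init__(self, tk: bytes, flush_on_disassoc: bool):
        self.tk = tk
        self.nonce = 0
        self.tx_queue: List[bytes] = []
        self.flush_on_disassoc = flush_on_disassoc

    def queue(self, frame: bytes) -> None:
        self.tx_queue.append(frame)

    def disassociate(self) -> None:
        if self.flush_on_disassoc:
            self.tx_queue.clear()  # fixed: nothing buffered survives the key reset
        self.tk = ZERO_TK          # per spec: key material is wiped on disassociation

    def drain(self) -> List[Tuple[int, bytes]]:
        """Transmit whatever is queued. Bug: the vulnerable variant never checks
        that a real session key is installed, so leftovers go out under ZERO_TK."""
        sent = []
        for frame in self.tx_queue:
            sent.append((self.nonce, xor_crypt(self.tk, self.nonce, frame)))
            self.nonce += 1
        self.tx_queue.clear()
        return sent


def recover_with_zero_key(captured: List[Tuple[int, bytes]]) -> List[bytes]:
    """What a passive observer who never saw the handshake can do: the key is public."""
    return [xor_crypt(ZERO_TK, nonce, ct) for nonce, ct in captured]
```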

Exchange

Microsoft Exchange got a security patch this past Tuesday that addressed a pair of bugs that together resulted in a remote code execution vulnerability. The first bug was an encryption key that is generated on Exchange server installation. That generation seemed to lack a good source of entropy, as apparently every Exchange install uses the exact same key.

The second half of this bug is a de-serialization problem, where an encrypted payload can contain a command to run. Because the encryption key is known, any user can access the vulnerable endpoint. Exploitation is trivial, so be sure to patch your server right away.

TODO: Remove Vulnerabilities

This one is just humorous. An Intel virtualization feature appears to have been pushed into the Linux kernel before it was finished. Know what unfinished code tends to contain? Bugs and vulnerabilities. CVE-2020-2732, in this case. It’s unclear how exactly an exploit would work, but the essence is that a virtual guest is allowed to manipulate system state in unintended ways.

Hackaday Podcast 056: Cat Of 9 Heads, Robot Squats, PhD In ESP32, And Did You Hear About Sonos?

Hackaday editors Elliot Williams and Mike Szczys gab on great hacks of the past week. Did you hear that there’s a new rev of the Pi 4 out there? We just heard… but apparently its release into the wild was months ago. Fans of the ESP8266 are going to love this tool that flashes and configures the board, especially for Sonoff devices. Bitluni’s Supercon talk was published this week and it’s a great roadmap of all the things you should try to do with an ESP32. Plus we take on the Sonos IoT speaker debacle and the wacky suspension system James Bruton’s been building into his humanoid robot.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Continue reading “Hackaday Podcast 056: Cat Of 9 Heads, Robot Squats, PhD In ESP32, And Did You Hear About Sonos?”

Hands-On: Smarty Cat Is Junior’s First Slide Rule

You may remember that I collect slide rules. If you don’t, it probably doesn’t surprise you. I have a large number of what I think of as normal slide rules. I also have the less common circular and cylindrical slide rules. But I recently picked up a real oddity that I had to share: the Smarty Cat. It isn’t exactly a slide rule but it sort of is if you stretch the definition a bit.

Real Slide Rules

A regular slide rule takes advantage of the fact that you can multiply and divide by adding logarithms. Imagine having two rulers marked in inches or centimeters — it doesn’t matter (see the adjoining image). Suppose you want to add 5 and 3. You count off 5 marks on one ruler and line it up with the zero inch mark on the other ruler. Now you count off 3 marks on the second ruler and that position on the first ruler will indicate the result. Here it lines up with the 8 mark, which is, of course, the correct answer.

That’s a simple addition. But if you can convert your numbers into logarithms, add the logarithms, and then back out to a regular number, you can multiply.
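The same idea carried through in code, as an added illustration rather than anything from the article: marks on a C or D scale sit at a distance proportional to log10 of the number, so sliding the C index to a and reading under b adds the two logarithms. The scale length and the mantissa/exponent bookkeeping (which is what you do in your head with a real rule when the answer slides off the right end) are assumptions of this example.

```python
import math
from typing import Tuple

SCALE_LENGTH = 250.0  # mm per decade on the C and D scales (assumed value)


def normalize(x: float) -> Tuple[float, int]:
    """Split x into a mantissa in [1, 10) and a power of ten; the rule only holds one decade."""
    if x <= 0:
        raise ValueError("slide rules only handle positive numbers")
    exp = math.floor(math.log10(x))
    mant = x / 10 ** exp
    if mant >= 10.0:  # guard against floating-point rounding at a decade boundary
        mant, exp = mant / 10.0, exp + 1
    return mant, exp


def position(mant: float) -> float:
    """Distance of the mark for `mant` from the left index of a one-decade log scale."""
    return SCALE_LENGTH * math.log10(mant)


def reading(pos: float) -> float:
    """Number printed at distance `pos` from the left index."""
    return 10 ** (pos / SCALE_LENGTH)


def multiply(a: float, b: float) -> float:
    """Set the C index over a on D, read D under b on C: positions add, so logs add."""
    (ma, ea), (mb, eb) = normalize(a), normalize(b)
    pos = position(ma) + position(mb)
    if pos >= SCALE_LENGTH:      # the hairline ran off the right end: reuse the right index
        pos -= SCALE_LENGTH
        ea += 1
    return reading(pos) * 10 ** (ea + eb)


def divide(a: float, b: float) -> float:
    """Set b on C over a on D, read D under the C index: positions subtract."""
    (ma, ea), (mb, eb) = normalize(a), normalize(b)
    pos = position(ma) - position(mb)
    if pos < 0:                  # ran off the left end: the answer is a decade lower
        pos += SCALE_LENGTH
        ea -= 1
    return reading(pos) * 10 ** (ea - eb)
```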

Continue reading “Hands-On: Smarty Cat Is Junior’s First Slide Rule”

Just How Can You Lose Something The Size Of A Cargo Ship?

I’m writing from a cozy farmhouse just outside of Oxford, UK where we are slowly emerging from a particularly intense Atlantic storm. Some areas have widespread flooding, while fallen tree branches and damaged roofs are countrywide. Our neighbours in the Irish Republic are first in the path of these storms, and receive an especially strong pasting.

In the news following the storm is a merchant ship that was washed up by this storm on the coast of County Cork. The MV Alta is a nearly 2300t and 77m (just over 253 ft) freighter that had been abandoned in 2018 south of Bermuda after a mechanical failure had rendered it incapable of navigation. Its crew had been rescued by the US Coast Guard, and since then — apart from a brief sighting in mid-Atlantic by a Royal Navy polar research vessel — it had passed unseen as a drifting ghost ship before appearing on the Irish coast.

In a very literal sense it had dropped off the radar, but the question for us is how? With the huge array of technological advances in both navigation aids and global sensing available at the end of the 21st century’s second decade, should that even be possible? It’s worth taking a while as land-lubbers to look at how ships are tracked, to try to make sense of the seeming invisibility of something that is after all pretty large and difficult to hide.

Continue reading “Just How Can You Lose Something The Size Of A Cargo Ship?”

New Part Day: Ooh, The Things You Can Do With A CLUE

There’s a new development board in town from Adafruit, and it’s called the CLUE. This tiny board can be programmed in Arduino or CircuitPython, and it is absolutely stuffed with sensors and functionality, including Bluetooth. It’s essentially a BBC Micro:bit with more sensors, a screen, and a much beefier processor. Sound interesting? Let’s get out the magnifying glass and take a look, shall we?

(Editor’s note: Adafruit ran out of the first alpha run of the hardware. While we didn’t run into any bugs, the next versions will presumably have even fewer, but will also cost $40 instead of $30. That said, they’re giving out 3,000 of them to attendants of PyCon in April, so you might also get your hands on one that way.)

And Bit:Bot takes the checkered flag! Image via Seeed Studio

First and foremost, there’s the form factor — if that bottom edge looks familiar, that’s because the CLUE is designed to work with micro:bit robot kits and anything else with that edge connector, like the CRICKIT for micro:bit, or the Bit:Bot from Seeed Studios. This is big news for the micro:bit ecosystem, and not just because the CLUE brings tons of sensors and a screen to the scene, although a 1.3″ screen at 240×240 resolution is nothing to sneeze at.

The main brain is a Nordic nRF52840, so you can pair it to your phone and stream your collected data. Or, use it to get two CLUE boards talking to each other. This is a major upgrade from the micro:bit’s nRF51822 — the CLUE is four times faster, has four times the flash memory, and has sixteen times as much RAM. We hope someone can find a way to make them into short-range messaging machines with Q10 keyboards.

Continue reading “New Part Day: Ooh, The Things You Can Do With A CLUE”

Hacking USB Hack Chat

Join us on Wednesday, February 26 at noon Pacific for the Hacking USB Hack Chat with Kate Temkin!

For all its aggravating idiosyncrasies, the Universal Serial Bus has been a game-changer in peripheral connections for nearly a quarter of a century now. What was once simply a means to connect a mouse and a keyboard to a computer has been extended and enhanced into something so much more than its original designers intended. The flexibility that led to these innovative uses for USB also led to its ubiquity, with some form of the connector sprouting from nearly every imaginable device.

Kate Temkin is well-versed in the intricacies of the Universal Serial Bus. As a software lead for Great Scott Gadgets, Kate has developed software and firmware for GSG’s products, like GreatFET and HackRF. Kate also contributes to and maintains a number of open-source projects, including the FaceDancer project. And when she’s not busy with all of this, she can be found sharing her deep knowledge with USB security training courses, where she shows how USB is vulnerable to attack, and what to do to prevent it.

Join us for the Hacking USB Hack Chat this week, where Kate will discuss anything and everything about USB. Come learn about what the future holds for the USB standard, and what you can do to keep your USB project on track.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, February 26 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about. Continue reading “Hacking USB Hack Chat”