This Week In Security: Patch Monday Mysteries, CentOS 8 And CentOS Stream, Russian Surveillance, And CSRF

So first off this week is something of a mystery. Microsoft released an out-of-cycle patch for Internet Explorer. Microsoft’s exploitability assessment says the bug is being actively exploited, but few other details are available. Let’s take a look at what has been released and see what we can learn.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

It’s a remote code execution vulnerability, it affects Internet Explorer, it lives in the scripting engine, and it is triggered by objects in memory being mishandled, which is Microsoft’s stock phrasing for a memory-safety bug (use-after-free, type confusion and the like) rather than a logic flaw. That is as much as the one-line description gives us, but further down the advisory there are a few more clues. The workaround is to disable jscript.dll (the advisory does this by taking ownership of the DLL and denying the Everyone group access to it, rather than deleting it), and the impact is limited because jscript9.dll is the default JavaScript engine. jscript.dll is the legacy JavaScript engine, kept for compatibility, which a web page can still request.

“JScript” is Microsoft’s own implementation of JavaScript, dating back to the browser wars. The older jscript.dll is still shipped in current versions of Internet Explorer for compatibility with pages written for the legacy engine, so the problem is in how that older engine handles objects. Any web page can request the legacy engine, so the attack surface is essentially every site, ad, or iframe a victim loads in IE, and until the patch is applied the workaround is the only thing between a drive-by page and code execution.

The urgency implied by the out-of-cycle patch, combined with the otherwise eerie silence surrounding it, suggests this 0-day was possibly being used in a targeted attack. We hope the details will eventually be revealed.

CentOS 8 and CentOS Stream

CentOS 8 was released this week, the community repackage of Red Hat Enterprise Linux (RHEL) 8. In 2014, Red Hat announced that CentOS was officially becoming a Red Hat sponsored project. This week, CentOS Stream was also announced.

The Fedora distribution has long served as a test-bed for upcoming RHEL releases, with RHEL 8 being based on Fedora 28. CentOS Stream will serve as a “midstream” distribution, a rolling release that sits between Fedora and RHEL and previews what future RHEL/CentOS releases will contain. It remains to be seen exactly how far ahead of the main CentOS distribution Stream will stay.

A long-standing problem with CentOS is that by the time a release hits end-of-life, some of the software versions are very old. Security fixes are backported to these older versions quickly, but the version number never changes, so scanners that go by version alone cry wolf, and, more importantly, software that needs a newer dependency is left behind. For example, CentOS 7 ships PHP 5.4 in its base repositories, with newer versions available only through Software Collections or third-party repositories. WordPress now requires PHP 5.6.20 as the oldest supported PHP version. Red Hat may backport fixes to PHP 5.4, but that doesn’t help the out-of-date installs of WordPress running on otherwise fully patched CentOS machines.

Hopefully CentOS Stream will provide the much needed middle-ground between the bleeding-edge pace of Fedora, and the frustratingly slow march of CentOS/RHEL.

Russian Surveillance

A Nokia employee accidentally backed up a company drive to a home storage device that was, unintentionally, reachable from the Internet. The drive held detailed information on Russia’s SORM (System for Operative Investigative Activities), the government’s wiretapping program. The amount of data revealed is staggering: 1.7 terabytes, including passwords, administrative URLs, and even precise physical locations. The breadth of the information makes one wonder whether it was really an accident, or whether this was intended as another Snowden-style leak. As an aside, it’s not clear that the wiretapping effort revealed here is as broad or onerous as the one Snowden exposed.

phpMyAdmin CSRF

Running phpMyAdmin on one of your servers? You should probably go update it. Version 4.9.1 was released on Saturday the 21st, and contains a fix for CVE-2019-12922, a Cross Site Request Forgery (CSRF) in the setup script. A CSRF attack can be as simple as an image tag on one site whose source URL points at another site, so that merely loading the image triggers an action on that second site using the victim’s existing session. Let’s look at the phpMyAdmin example:

<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;">

A hidden image still causes the browser to send an HTTP GET for that URL, along with whatever cookies it holds for the target host, so the setup script sees an authenticated request asking it to remove server entry 1. If the victim is logged in to the phpMyAdmin instance the link targets, the removal silently completes. This is one reason that HTTP GET requests should never change state and should only ever retrieve information. An HTTP POST is harder to produce with an image tag, though not impossible: a hidden, self-submitting form on the attacker’s page sends a POST with the victim’s cookies just as readily. The durable fix is a per-session anti-CSRF token that the attacker’s page cannot read, checked on every state-changing request, with SameSite cookies as a second layer.
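The exchange above, worked through as an added example that is not code from the page or from phpMyAdmin: a minimal model of the setup page with the unsafe GET handler beside a hardened handler that requires POST, a same-origin check, and a per-session anti-CSRF token. It simulates three browsers’ worth of requests: the hidden image, a forged cross-site POST, and a legitimate same-origin POST. The Request and Session classes, the SITE_ORIGIN value and the server table are assumptions made for the demonstration.

```python
"""Added example (not phpMyAdmin's code): vulnerable vs hardened handling of
the setup page's 'remove server' action. Request/Session, SITE_ORIGIN and the
server table are assumptions for the demonstration."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://server"  # assumed origin of the phpMyAdmin install


@dataclass
class Request:
    method: str
    query: dict
    headers: dict
    form: dict = field(default_factory=dict)


@dataclass
class Session:
    """Server-side session found via the cookie the browser attached. The
    token is random per session and only rendered into the site's own pages,
    so a page on another origin cannot read it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def make_servers():
    """Constructed sample of the setup page's server list."""
    return {1: "db-prod", 2: "db-staging"}


def vulnerable_remove(req, session, servers):
    """Before: being logged in is the only check, and a GET is enough.
    A hidden <img> on any site makes the browser send exactly this request
    with the victim's session cookie, so the entry disappears silently."""
    if session is None:
        return 401
    if req.query.get("mode") == "remove":
        servers.pop(int(req.query["id"]), None)
    return 200


def hardened_remove(req, session, servers):
    """After: POST only, Origin/Referer on our own site, token matching the
    session. Every check fails closed."""
    if session is None:
        return 401
    if req.method != "POST":
        return 405  # GET may only read; an <img> never gets past this line
    # Browsers set Origin truthfully on cross-site POSTs; for an <img> the
    # Referer (unless stripped by referrer policy) names the attacker's page.
    # A missing header is treated as cross-site. Exact match or a "/"-delimited
    # prefix, so "https://server.evil.example" does not pass.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return 403
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(req.form.get("token", ""), session.csrf_token):
        return 403
    if req.form.get("mode") == "remove":
        servers.pop(int(req.form["id"]), None)
    return 200


def image_tag_request():
    """What the hidden <img> produces: a cookie-bearing GET with the
    attacker's page as Referer and no form body or token."""
    return Request(
        method="GET",
        query={"page": "servers", "mode": "remove", "id": "1"},
        headers={"Referer": "https://evil.example/post.html"},
    )


def auto_submit_form_request(guessed_token="0" * 32):
    """The 'not impossible' variant: a hidden form on the attacker's page
    submits itself as a POST. The attacker's page cannot read the real
    token, so it has to guess, and the browser reports the true Origin."""
    return Request(
        method="POST",
        query={},
        headers={"Origin": "https://evil.example"},
        form={"mode": "remove", "id": "1", "token": guessed_token},
    )


def legitimate_request(session):
    """A click on the real setup page: POST, same origin, token from the page."""
    return Request(
        method="POST",
        query={},
        headers={"Origin": SITE_ORIGIN},
        form={"mode": "remove", "id": "1", "token": session.csrf_token},
    )


def run_scenarios():
    """Returns {scenario: (status, entry_1_still_present)} for each case."""
    session = Session(user="admin")
    cases = {
        "vulnerable_img": (vulnerable_remove, image_tag_request()),
        "hardened_img": (hardened_remove, image_tag_request()),
        "hardened_forged_post": (hardened_remove, auto_submit_form_request()),
        "hardened_legitimate": (hardened_remove, legitimate_request(session)),
    }
    results = {}
    for name, (handler, req) in cases.items():
        servers = make_servers()
        status = handler(req, session, servers)
        results[name] = (status, 1 in servers)
    return results


if __name__ == "__main__":
    for name, (status, present) in run_scenarios().items():
        print(f"{name:22} status={status} entry_1_present={present}")
```

Running it, the vulnerable handler drops entry 1 on the image request, while the hardened handler refuses the image with 405, the forged POST with 403, and removes the entry only for the same-origin POST carrying the session’s token. The Origin/Referer check is defence in depth; the token is what still holds when a referrer policy strips the header or a non-browser client sets it to whatever it likes.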

Review: OSEPP STEM Kit 1, A Beginner’s All-in-One Board Found In The Discount Aisle

As the name implies, the OSEPP STEM board is an embedded project board primarily aimed at education. You use jumper wires to connect components and a visual block coding language to make it go.

I have fond memories of kits from companies like Radio Shack that had dozens of parts on a board, with spring terminals to connect them with jumper wires. Advertised with clickbait titles like “200 in 1”, you’d get a book showing how to wire the parts to make a radio, or an alarm, or a light blinker, or whatever.

The STEM Kit 1 is sort of a modern Arduino-powered version of these kits. The board hosts a stand-alone Arduino UNO clone (included with the kit) and also has a host of things you might want to hook to it. Things like the speakers and stepper motors have drivers on board, so you can easily drive them from the Arduino. You get a bunch of jumper wires to make the connections, too. Most things that need to be connected to something permanently (like ground) are prewired on the PCB. The other connections use a single pin. You can see this arrangement with the three rotary pots, which have a single pin next to the label (“POT1”, etc.).

I’m a sucker for a sale, so when I saw a local store had OSEPP’s STEM board for about $30, I had to pick one up. The suggested price for these boards is $150, but most of the time I see them listed for about $100. At the deeply discounted price I couldn’t resist checking it out.

So does an embedded many-in-one project kit like this one live up to that legacy? I spent some time with the board. Bottom line, if you can find a deal on the price I think it’s worth it. At full price, perhaps not. Join me after the break as I walk through what the OSEPP has to offer.

Continue reading “Review: OSEPP STEM Kit 1, A Beginner’s All-in-One Board Found In The Discount Aisle”

Ask Hackaday: What Good Is A Robot Dog?

It is said that Benjamin Franklin, while watching the first manned flight of a hot air balloon by the Montgolfier brothers in Paris in 1783, responded when questioned as to the practical value of such a thing, “Of what practical use is a new-born baby?” Dr. Franklin certainly had a knack for getting to the heart of an issue.

Much the same can be said for Spot, the extremely videogenic dog-like robot that Boston Dynamics has been teasing for years. It appears that the wait for a production version of the robot is at least partially over, and that Spot (once known as Spot Mini) will soon be available for purchase by “select partners” who “have a compelling use case or a development team that [Boston Dynamics] believe can do something really interesting with the robot,” according to VP of business development Michael Perry.

The qualification of potential purchasers will certainly limit the pool of early adopters, as will the price tag, which is said to be as much as a new car, and a nice one at that. It’s not likely that one will show up in a YouTube teardown video soon, so until the day that Dave Jones manages to find one in his magic Australian dumpster, we’ll have to entertain ourselves by trying to answer a simple question: of what practical use is a robotic dog?

Continue reading “Ask Hackaday: What Good Is A Robot Dog?”

Who Could Possibly Need An FPGA With 9M Logic Cells And 35B Transistors?

Xilinx recently announced the Virtex UltraScale+ VU19P FPGA. Of course, FPGA companies announce new chips every day. The reason this one caught our attention is its size: nearly 9 million logic cells and 35 billion transistors on one chip! If that’s not enough, there are also over 2,000 user I/Os, including transceivers that can move around 4.5 Tb/s back and forth.

To put things in perspective, the previous record holder, the Virtex UltraScale 440, has 5.5 million logic cells, and an old-fashioned Spartan 3 topped out at about 50,000 cells; the new chip has about 180 times that capacity. For the record, I’ve built entire 32-bit CPUs on smaller Spartans.

That led us to wonder: who’s buying these things? When I first heard about it I guessed that the price would be astronomical, partly because of the cost of making such a chip but also because the market for it has to be pretty small. The previous biggest Xilinx part is listed on DigiKey, which pegs the UltraScale 440 (an XCVU440-2FLGA2892E) at $55,000 as a non-stocked item. Remember, that chip has just over half the logic cells of the VU19P.

Continue reading “Who Could Possibly Need An FPGA With 9M Logic Cells And 35B Transistors?”

Is A Cheap Inverter Welder Worth It?

We’ve all seen cheap welders for sale from the usual online sources, small inverter stick welders for a very tempting price. But are they any good? When my local supermarket had one in its offers aisle, I took the plunge and placed it in my cart alongside the usual week’s supply of Marmite. That was some time around the start of the year.

Does Your Supermarket Sell Welders?

My Workzone welder from the supermarket.

What I’d bought from my local Aldi was a Workzone WWIW-80, an 80 A unit that had cost me somewhere just over £60 (about $75), and came with welding leads and a rather poor quality face shield. The German discount supermarket chains specialise in periodic offers on all kinds of interesting things, so a very similar unit has also been for sale with a Parkside brand from their competitor Lidl. These small inverter welders are fairly generic, so they can be found with a variety of brands and specifications at a lower price online if you don’t mind forgoing the generous Aldi 3 year guarantee. The cheapest I’ve seen was about £35, or $44, but that price included only the inverter, without welding leads.

As a working blacksmith my dad has had a high-quality inverter welder since the 1990s, so my frame of reference is based upon that. He tried one of the first tiny inverters when they originally came to market in the last decade, but it couldn’t take the demands of a professional welder and packed up. I thus didn’t have high expectations of this unit, but I needed one of my own and for the price it was worth the punt. I’ve used it for occasional general purpose heavy welding tasks, repairing bits of farm machinery and fittings, and rebuilding some steps on a narrowboat in 7 mm plate. It’s acquitted itself well in those tasks, in that I am not a skilled welder and my work isn’t the tidiest, but it’s allowed me to do a satisfactory job.

Continue reading “Is A Cheap Inverter Welder Worth It?”

High-Speed PCB Design Hack Chat With Bil Herd

Join us on Wednesday, September 25 at noon Pacific for the High-Speed PCB Design Hack Chat with Bil Herd!

Printed circuits have become so commoditized that we seldom think much about design details. EDA software makes it easy to forget about the subtleties and nuances that make themselves painfully obvious once your design comes back from the fab and doesn’t work quite the way you thought it would.

PCB design only gets more difficult the faster your circuit needs to go, and that’s where a depth of practical design experience can come in handy. Bil Herd, the legendary design engineer who worked on the Commodore C128 and Plus4/264 computers and many designs since then, knows a thing or two in this space, and he’s going to stop by the Hack Chat to talk about it. This is your chance to pick the brain of someone with a wealth of real-world experience in high-speed PCB design. Come along to find out what kind of design mistakes are waiting to make your day miserable, and which ones can be safely ignored. Spoiler alert: square corners probably don’t matter.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, September 25 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about. Continue reading “High-Speed PCB Design Hack Chat With Bil Herd”


Hackaday Links: September 22, 2019

Of all the stories we’d expect to hit our little corner of the world, we never thought that the seedy doings of a now-deceased accused pedophile billionaire would have impacted the intellectual home of the open-source software movement. But it did, and this week Richard Stallman resigned from the Computer Science and Artificial Intelligence Lab at MIT, as well as from the Free Software Foundation, which he founded and served as president. The resignations, which Stallman claims were “due to pressure on MIT and me over a series of misunderstandings and mischaracterizations”, followed the disclosure of a string of emails where he perhaps unwisely discussed what does and does not constitute sexual assault. The emails were written as a response to protests by MIT faculty and students outraged over the university’s long and deep relationship with Jeffrey Epstein, the late alleged pedophile-financier. This may be one of those stories where the less said, the better. If only Stallman had heeded that advice.

They may be the radio stations with the worst programming ever, but then again, the world’s atomic clock broadcasting stations can really keep a beat. One of the oldest of these stations, WWV, is turning 100 this year, and will be adding special messages to its usual fare of beeps and BCD-encoded time signals on a 100-Hz subcarrier. If you tune to WWV at 10 past the hour (or 50 minutes past the hour for WWVH, the time station located in Hawaii) you’ll hear a special announcement. There was also talk of an open house at the National Institute of Standards and Technology complete with a WWV birthday cake, but that has since been limited to 100 attendees who pre-registered.

For the machinists and wannabes out there, the Internet’s machine shop channels all pitched in this week on something called #tipblitz19, where everyone with a lathe or mill posted a short video of their favorite shop tip. There’s a ton of great tips out there now, with the likes of This Old Tony, Abom79, Stefan Gotteswinter, and even our own Quinn Dunki contributing timesaving (and finger-saving) tips. Don’t stop there though: there’s a playlist with 77 videos at last count, many of them by smaller channels that should be getting more love. Check them out and then start making chips.

Most of us know that DLP chips, which lie behind the lens of the projectors that lull us to sleep in conference rooms with their white noise and warm exhaust, are a series of tiny mirrors that wiggle around to project images. But have you ever seen them work? Now you can: Huygens Optics has posted a fascinating video deep-dive into the workings of digital light processors. With a stroboscopic camera and a lot of fussy work, the video reveals the microscopic movements of these mirrors and how that syncs up with the rotation of a color filter wheel. It’s really fascinating stuff, and hats off to Huygens for pulling off the setup needed to capture this.

And speaking of tiny optics, get a load of these minuscule digital cameras, aptly described by tipster David Gustafik as “disturbingly small.” We know we shouldn’t be amazed by things like this anymore, but c’mon – they’re ridiculously tiny! According to the datasheet, the smaller one will occupy 1 mm² on a PCB; the larger stereo camera requires 2.2 mm². Dubbed NanEye, the diminutive cameras are aimed at the medical market – think endoscopy – and at wearables manufacturers. These would be a lot of fun to play with – just don’t drop one.