US Announces Withdraw From Postal Treaty; International Shipping Prices Expected to Rise

The United States has announced plans to withdraw from a 144-year-old postal treaty that sets lower international shipping rates. The US claims this treaty gives countries like China and Singapore an unfair advantage that floods the US market with cheap packages. The BBC reports that withdrawal from this treaty will increase shipping costs from China by between 40% and 70%.

The treaty in question is the Universal Postal Union, which established that each country should retain all money it has collected for international postage. The US Chamber of Commerce has said this treaty, ‘leads to the United States essentially paying for Chinese shipping’. This is especially true since 2010, when the US Postal Service entered an agreement with eBay Greater China & Southeast Asia and the China Post Express & Logistics Corporation. This agreement established e-packet delivery where packages weighing up to 2 kg would be delivered at lower prices. If you have ordered inexpensive products shipped from abroad, it is likely the e-packet price that made this possible.

This will affect businesses that capitalize on imports and exports; the storefronts on Amazon and eBay that resell Chinese goods rely on cheap shipping from China. It will also affect companies based outside of the United States that ship to US customers. Small businesses within the US who manufacture at low enough quantities to get their components/raw-materials shipped under the e-packet rates will also see a hit. An increase in shipping costs will mean higher prices for all of these products.

The move is also being justified as a way to even the playing field for US manufacturers who are shipping from within the US and may be paying higher rates to ship to the same customers as foreign-bought goods. It is the latest development in a growing trade war between the US and China which has already seen several rounds of tariffs on goods like electronics, and even 3D printing filament. It’s hard to see how the compounding effect of these will be anything but higher prices for consumers. Manufacturers seeing the pinch on raw materials and components will pass this on to customers who will also soon see higher shipping prices than they are used to.

LibSSH Vuln: You Don’t Need to See my Authentication

Another day, another CVE (Common Vulnerabilities and Exposures). Getting a CVE number assigned to a vulnerability is a stamp of authenticity that you have a real problem on your hands. CVE-2018-10933 is a worst-case scenario for libssh. With a single response, an attacker can completely bypass authentication, giving full access to a system.

Before you panic and yank the power cord on your server, know that libssh is not part of OpenSSH. Your Linux box almost certainly uses OpenSSH as the SSH daemon, and that daemon is not vulnerable to this particular problem. Libssh does show up in a few important places; the most notable is probably GitHub, and their security team has already announced that their implementation was not vulnerable.

Libssh has released a new version that fixes the problem. Stick around for the details after the break.


FIDO2 Authentication In All The Colors

Here at Hackaday, we have a soft spot for security dongles. When a new two-factor-authentication dongle is open source, uses USB and NFC, and supports FIDO2, the newest 2FA standard, we take notice. That just happens to be exactly what [Conor Patrick] is funding on Kickstarter.

We’ve looked at [Conor]’s first generation hardware key, and the process of going from design to physical product.  With that track record, the Solo security key promises to be more than the vaporware that plagues crowdfunding services.

Another player, Yubikey, has also recently announced a new product that supports FIDO2 and NFC. While Yubikey has stepped away from their early open source policy, Solo is embracing the open source ethos. The Kickstarter promises the release of both the software and hardware design as fully open, using MIT and CC BY-SA licenses.

For more information, see the blog post detailing the project goals and initial design process.  As always, caveat emptor, but this seems to be a crowdfunding project worth taking a look at.

Hams see Dark Side Of The Moon Without Pink Floyd

Ham radio operators bouncing signals off the moon have become old hat. But a ham radio transmitter on the Chinese Longjiang-2 satellite is orbiting the moon and has sent back pictures of the Earth and the dark side of the moon. The transceiver’s main purpose is to allow hams to downlink telemetry and relay messages via lunar orbit.

While the photo was received by the Dwingeloo radio telescope, reports are that other hams also picked up the signal. The entire affair has drawn in hams around the world. Some of the communications use a modulation scheme devised by [Joe Taylor, K1JT] who also happens to be a recipient of a Nobel prize for his work with pulsars. The Dwingeloo telescope has several ham radio operators including [PA3FXB] and [PE1CHQ].


Flash: Arduino Vidor FPGA Instructions Hit France

If you speak French and you have an Arduino Vidor 4000, you are in luck because there’s some good news. The good news is there’s finally some inside information about how to configure the onboard FPGA yourself. The bad news though is that it is pretty sparse. If your high school French isn’t up to the task, there’s always Google Translate.

We knew some of this already. You’ll need Quartus, the FPGA design tool from Altera — er, Intel — and we know about the sample project on GitHub, too. Instead of using conventional Verilog or VHDL, the new information uses schematic capture, but that’s OK. All the design entry winds up in the same place, so it should be easy to adapt to the language of your choice. In fact, in part 2 they show both some schematics and some Verilog. Google Translate does have a little trouble with code comments, though. If you want something even stouter, there’s an example that uses Verilog to output a video frame.


Mergers And Acquisitions: Apple Buys Most of Dialog

Apple is buying a $600 million stake in Dialog Semiconductor in a deal Dialog is describing as an asset transfer and licensing deal.

Dialog’s current portfolio is focused mainly on mobile devices, with Bluetooth wearables-on-a-chip, CODEC chips for smartphones, and power management ICs for every type of portable electronics. Power management ICs are by far the most visible component, although they do have the very interesting GreenPAK, a sort of mixed-signal FPGA-ish thing that is one of the more interesting chips to come online in the last few years. Apple of course are a trillion dollar company that once made computers, but now receives most of its revenue through phone dongles and lightning connector converters. It is not clear at the time of this writing whether a Dialog engineer with experience in heat management will be joining Apple.

In the last week, Apple have taken some bad press about the state of their supply chain. Bloomberg reported Apple found hidden chips in Supermicro motherboards, ostensibly implanted by Chinese intelligence agencies. This story is reportedly multiply sourced, but there’s no evidence or explanation of how this supply chain hack was done. In short, infiltration of a supply chain by foreign agents could happen (and I suspect Bloomberg engineers found something in some of their hardware), but the Bloomberg piece is merely a wake-up call telling us yes, you are vulnerable to a hardware attack.

This is further evidence of Apple’s commitment to vertical integration. Apple are making their own chips, and the A12 Bionic in the new iPhone X is an Apple-designed CPU, GPU, and ‘neural engine’ that turns your Facetime sessions into animated emojis. This chip is merely the latest in a series of SoCs developed by Apple, and adds to Apple’s portfolio of chips designed to run the Apple Watch, Apple AirPods, and system management controllers in Apple products. There’s no other electronics manufacturer that is as dedicated to vertical integration as Apple (although we’re pouring one out for Commodore), and the acquisition of Dialog will surely add to Apple’s capabilities.

Soyuz Rocket Emergency Landing, Everyone OK

NASA spokesperson [Brandi Dean] summarized it succinctly: “Confirming again that today’s Soyuz MS10 launch did go into ballistic re-entry mode … That means the crew will not be going to the ISS today. Instead they will be taking a sharp landing, coming back to earth”. While nobody likes last-minute changes in plans, we imagine that goes double for astronauts. On the other hand, it’s always good news when we are able to joke about a flight that starts off with a booster separation problem.

Astronauts [Nick Hague] and [Aleksey Ovchinin] were on their way this morning to the International Space Station, but only made it as far as the middle of Kazakhstan. Almost as soon as the problem occurred, the rocket was re-pathed and a rescue team was sent out to meet them. Just an hour and a half after launch, they were on-site and pulled the pair out of the capsule unharmed. Roscosmos has already commissioned a report to look into the event. In short, all of the contingency plans look like they went to plan. We’ll have to wait and see what went wrong.

Watching the video (embedded below) the only obvious sign that anyone got excited is the simultaneous interpreter stumbling a bit when she has to translate [Aleksey] saying “emergency… failure of the booster separation”. Indeed, he reported everything so calmly that the NASA commentator didn’t even catch on for a few seconds. If you want to know what it’s like to remain cool under pressure, have a listen.

Going to space today is still a risky business, but thankfully lacks the danger factor that it once had. For instance, a Soyuz rocket hasn’t had an issue like this since 1975. Apollo 12 was hit by lightning and temporarily lost its navigation computer, but only the truly close call on Apollo 13 was made into a Hollywood Blockbuster. Still, it’s worth pausing a minute or two to think of the people up there floating around. Or maybe even sneak out and catch a glimpse when the ISS flies overhead.
