An (Almost) Free Apollo-Era Rocket

According to recent news reports, NASA’s Marshall Space Flight Center in Huntsville Alabama wants to give away a piece of history — an engineering test article of a Saturn I Block I booster. The catch? You’ll need to pay to haul it off, which will cost about $250,000. According to C|Net, the offer appears to be for museums and schools, but that price tag would probably scare most private buyers off anyway.

On the other hand, if you are a museum, library, school, or university, you can score cheap or free NASA stuff using their GSAXcess portal. In general, you do have to pay shipping. For example, a flexible thermal blanket from the shuttle costs $37.28. A heat tile runs about $25.


This Week In Security: Black Hat, DEF CON, And Patch Tuesday

Blackhat and DEF CON both just wrapped, and Patch Tuesday was this week. We have a bunch of stories to cover today.

First some light-hearted shenanigans. Obviously inspired by Little Bobby Tables, Droogie applied for the vanity plate “NULL”. A year went by without any problems, but soon enough it was time to renew his registration. The online registration form refused to acknowledge “NULL” as a valid license plate. The hilarity didn’t really start until he got a parking ticket, and received a bill for $12,000. It seems that the California parking ticket collection system can’t properly differentiate between “NULL” and a null value, and so every ticket without a license plate is now unintentionally linked to his plate.

In the comments on the Ars Technica article, it was suggested that “NULL” simply be added to the list of disallowed vanity plates. A savvy reader pointed out that the system that tracks disallowed plates would probably similarly choke on a “NULL” value.
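The collision between a plate that really reads “NULL” and a record with no plate at all is easy to reproduce. The following is an added example, not the DMV’s code or anything from the Ars Technica thread: a constructed ticket table in SQLite, an export step that writes missing plates as the text “NULL” (the kind of serialization that merges the two), and the typed query a system should use instead. Table layout, ticket data and the `export_as_text` step are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample tickets: (ticket_id, plate). A plate of None means the
# officer recorded no plate at all; "NULL" is the real vanity plate.
SAMPLE_TICKETS = [
    (1, "7ABC123"),
    (2, None),
    (3, "NULL"),
    (4, None),
    (5, "NULL"),
]


def build_db(rows=SAMPLE_TICKETS):
    """Create an in-memory tickets table. Python None becomes a real SQL NULL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, plate TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)", rows)
    return conn


def export_as_text(conn):
    """Buggy export step (constructed): every plate becomes a string, so a
    missing plate is written as the literal text 'NULL' and can no longer be
    told apart from the real plate 'NULL'."""
    return [(tid, "NULL" if plate is None else plate)
            for tid, plate in conn.execute("SELECT id, plate FROM tickets")]


def tickets_for_plate_buggy(conn, plate):
    """Lookup against the exported text, where NULL and 'NULL' have merged.
    Asking for 'NULL' returns every ticket that had no plate."""
    return sorted(tid for tid, p in export_as_text(conn) if p == plate)


def tickets_for_plate(conn, plate):
    """Correct lookup against the typed column. '=' never matches SQL NULL,
    so the string 'NULL' matches only rows whose plate text is 'NULL'."""
    rows = conn.execute("SELECT id FROM tickets WHERE plate = ?", (plate,))
    return sorted(r[0] for r in rows)


def tickets_without_plate(conn):
    """Tickets with no plate are a separate question and need IS NULL."""
    rows = conn.execute("SELECT id FROM tickets WHERE plate IS NULL")
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    print("buggy lookup for NULL:", tickets_for_plate_buggy(db, "NULL"))
    print("typed lookup for NULL:", tickets_for_plate(db, "NULL"))
    print("tickets with no plate:", tickets_without_plate(db))
```

The fix is not to ban the string; it is to keep “no value” as a distinct type all the way through export, matching and billing, and to query it with `IS NULL` rather than comparing against a sentinel string.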

Hacking an F-15

In a surprising move, Air Force officials brought samples of the Trusted Aircraft Information Download Station (TADS) from an F-15 to DEF CON. Researchers were apparently able to compromise those devices in a myriad of ways. This is a radical departure from the security-through-obscurity approach that has characterized the U.S. military for years.

Next year’s DEF CON involvement promises to be even better as the Air Force plans to bring researchers out to an actual aircraft, inviting them to compromise it in every way imaginable.

Patch Tuesday

Microsoft’s monthly dump of Windows security fixes landed this week, and it was a doozy. First up are a pair of remotely exploitable Remote Desktop vulnerabilities, CVE-2019-1222 and CVE-2019-1226. It’s been theorized that these bugs were found as part of an RDP code review launched in response to the BlueKeep vulnerability from earlier this year. The important difference here is that these bugs affect multiple versions of Windows, up to and including Windows 10.

What the CTF

Remember Tavis Ormandy and his Notepad attack? We finally have the rest of the story! Go read the whole thing, it’s a great tale of finding something strange, and then pulling it apart looking for vulnerabilities.

Microsoft Windows has a module, MSCTF, that is part of the Text Services Framework. What does the CTF acronym even stand for? That’s not clear. It seems that CTF is responsible for handling keyboard layouts, and translating keystrokes based on what keyboard type is selected. What is clear is that every time an application builds a window, that application also connects to a CTF process. CTF has been a part of Microsoft’s code base since at least 2001, with relatively few code changes since then.

CTF doesn’t do any validation, so an attacker can connect to the CTF service and claim to be any process. Tavis discovered he could effectively attempt to call arbitrary function pointers of any program talking to the same CTF service. Due to some additional security measures built into modern Windows, the path to an actual compromise is rather convoluted, but by the end of the day, any CTF client can be compromised, including notepad.

The most interesting CTF client Tavis found was the login screen. The exploit he demos as part of the write-up is to lock the computer, and then compromise the login in order to spawn a process with system privileges.

The presence of this unknown service running on every Windows machine is just another reminder that operating systems should be open source.

Biostar 2

Biostar 2 is a centralized biometric access control system in use by thousands of organizations and many countries around the globe. A pair of Israeli security researchers discovered that the central database that controls the entire system was unencrypted and unsecured. 23 gigabytes of security data was available, including over a million fingerprints. This data was stored in the clear, rather than properly hashed, so passwords and fingerprints were directly leaked as a result. This data seems to have been made available through an Elasticsearch instance that was directly exposed to the internet, and was found through port scanning.

If you have any exposure to Biostar 2 systems, you need to assume your data has been compromised. While passwords can be changed, fingerprints are forever. As biometric authentication becomes more widespread, this is an unexplored side effect.
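“Stored in the clear, rather than properly hashed” is the difference between a leaked database that hands out every password and one that hands out nothing directly usable. As an added example (not Biostar code, and the user names and passwords are constructed), here is what a properly hashed credential store looks like using scrypt from the Python standard library: a random per-user salt, a self-describing record so the work factors can be raised later, and a constant-time comparison on verification.

```python
import hashlib
import hmac
import os

# scrypt work factors. hashlib.scrypt is in the standard library (Python 3.6+
# built against OpenSSL 1.1+); N=2**14, r=8 needs roughly 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$<salt hex>$<key hex>.
    A fresh random salt per user means equal passwords give different records,
    so a leaked table cannot be attacked with one precomputed dictionary."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password, record):
    """Recompute with the parameters stored in the record and compare in
    constant time. Malformed records (for example a cleartext password that
    was never hashed) fail closed instead of raising."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def build_store(users):
    """Constructed credential store: user -> hashed record. This is the table
    a leak would expose, and it contains no password."""
    return {user: hash_password(pw) for user, pw in users}


def authenticate(store, user, password):
    """Check a login attempt against the hashed store."""
    record = store.get(user)
    return record is not None and verify_password(password, record)


if __name__ == "__main__":
    store = build_store([("alice", "correct horse"), ("bob", "battery staple")])
    for user, rec in store.items():
        print(user, "->", rec)
    print("alice ok:", authenticate(store, "alice", "correct horse"))
    print("alice wrong:", authenticate(store, "alice", "battery staple"))
```

Note what this does and does not buy you. A password hash can be rotated by changing the password; a biometric template cannot, which is exactly the point made above about fingerprints being forever. Hashing is the baseline for the password column; the fingerprint data needs the stronger controls (encryption at rest, no direct internet exposure of the database) that were missing here.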

Locating Targets With Charm Courtesy Of A Life Size Portal Turret

What better way to count down the last 7 weeks to a big hacker camp like SHA2017 than by embarking on a last-minute, frantic build? That was [Yvo]’s thought when he decided to make a life-sized version of the adorably lethal turrets from Valve’s Portal video games. Since that build made it to the finish line back then with not all features added, he finished it up for the CCC camp 2019 event, including the ability to close, open, target and shoot Nerf darts.

Originally based on the miniature 2014 turret (covered on Hackaday as well), [Yvo] details this new project in a first and second work log, along with a detailed explanation of how it all goes together and works. While the 2017 version took a mere 50 days to put together, the whole project took about 300 hours of 3D printing. It also comes with four Nerf guns which use flywheels to launch the darts. The wheels are powered using quadcopter outrunner motors that spin at 25,000 RPM. The theoretical speed of a launched dart is over 100km/h, with 18 darts per gun and a fire rate of 2 darts per second.

The basic movement control for the system is handled by an Arduino Mega, while the talking and vision aspects are taken care of by a Raspberry Pi 3+, which ultimately also makes the decisions about how to move the system. As one can see in the video after the link, the system seems to work pretty well, with a negligible number of fatalities among company employees.

Though decidedly not a project for the inexperienced tinkerer, [Yvo] has made all of the design files available along with the software. We’re still dubious about the claims about the promised cake for completing one of these turrets, however.


New Teensy 4.0 Blows Away Benchmarks, Implements Self-Recovery, Returns To Smaller Form

Paul Stoffregen did it again: the Teensy 4.0 has been released. The latest in the Teensy microcontroller development board line, the 4.0 returns to the smaller form-factor last seen with the 3.2, as opposed to the larger 3.5 and 3.6 boards.

Don’t let the smaller size fool you; the 4.0 is based on an ARM Cortex M7 running at 600 MHz (!), the fastest microcontroller you can get in 2019, and testing on real-world examples shows it executing code more than five times faster than the Teensy 3.6, and fifteen times faster than the Teensy 3.2. Of course, the new board is also packed with peripherals, including two 480 Mbps USB ports, 3 digital audio interfaces, 3 CAN busses, and multiple SPI/I2C/serial interfaces backed with integrated FIFOs. Programming? Easy: there’s an add-on to the Arduino IDE called Teensyduino that “just works”. And it rings up at an MSRP of just $19.95; a welcome price point, but not unexpected for a microcontroller breakout board.

The board launches today, but I had a chance to test drive a couple of them in one of the East Coast Hackaday labs over the past few days. So, let’s have a closer look.


Hackaday Links: August 4, 2019

Is the hacking community facing a HOPEless future? It may well be, if this report from 2600 Magazine is any indication. The biennial “Hackers On Planet Earth” conference is in serious financial jeopardy after the venue that’s hosted it for years, the Hotel Pennsylvania in Manhattan, announced a three-fold increase in price. Organizers are scrambling to save the conference and they’re asking for the community’s help in brainstorming solutions. Hackaday was at HOPE XI in 2016 and HOPE XII in 2018; let’s HOPE we get to see everyone again in 2020.

If you’ve ever been curious about how a 1970s PROM chip worked, Ken Shirriff has you covered. Or uncovered, as he popped the top off a ceramic MMI 5300 DIP to look at the die within. Closeups of the somewhat cockeyed die reveal its secrets – 1,024 tiny fusible links. Programming was a matter of overloading a particular fuse, turning a 1 into a 0 permanently. It’s a fascinating look at how it used to be done, with Ken’s usual attention to detail in the documentation department.

We had a great Hack Chat this week with Mihir Shah from Royal Circuits. Royal is one of the few quick-turn PCB fabs in the USA, and they specialize in lightning-fast turnaround on bare PCBs and assembled boards. He told us all about this fascinating business, and dropped a link to a side project of his. Called DebuggAR, it’s an augmented reality app that runs on a smartphone and overlays component locations, signal traces, pinouts, and more right over a live image of your board. He’s got a beta going now for iPhone users and would love feedback, so check it out.

With all the cool things you can do with LoRa radios, it’s no wonder that wireless hobbyists have taken to pushing the limits on what the technology can do. The world record distance for a LoRa link was an astonishing 702 km (436 miles). That stood for two years until it was topped, twice in the same day. On July 13th, the record was pushed to 741 km, and a mere five hours later to 766 km. All on a scant 25 mW of power.

Linux distro Manjaro made an unconventional choice regarding which office suite to include, and it’s making some users unhappy. It appears that they’ve dumped LibreOffice from the base install, opting instead to include the closed-source FreeOffice. Worse, FreeOffice doesn’t have support for saving .doc and OpenDocument files; potentially leaving LibreOffice users stranded. Paying for an upgrade to SoftMaker’s Office product can fix that, but that’s hardly free-as-in-beer free. It’s kind of like saying the beer is free, but the mug is an upgrade. UPDATE: It looks like the Manjaro team heard all the feedback and are working on a selector so you can install the office suite of your choice.

Tragic news out of New Hampshire, as amateur radio operator Joe Areyzaga (K1JGA) was killed while trying to dismantle an antenna tower. Local news has coverage with no substantial details, however the hams over on r/amateurradio seem to have the inside line on the cause. It appears the legs of the tower had filled with water over the years, rusting them from the inside out. The tower likely appeared solid to Joe and his friend Mike Rancourt (K1EEE) as they started to climb, but the tower buckled at the weak point and collapsed. K1EEE remains in critical condition after the 40′ (12 m) fall, but K1JGA is now a silent key. The tragedy serves as a reminder to everyone who works on towers to take nothing for granted before starting to climb.

And finally, just for fun, feast your eyes on this movie of the ESA’s Rosetta spacecraft as it makes its flyby of comet 67P/Churyumov–Gerasimenko. It’s stitched together from thousands of images and really makes 67P look like a place, not just a streak of light in the night sky.

Antenna Tuning For GHz Frequencies

Antenna tuning at HF frequencies is something that radio amateurs learn as part of their licence exam, and then hone over their time operating. A few basic instruments and an LC network antenna tuner in a box are all that is required, and everything from a bit of wet string to ten thousand dollars worth of commercial antenna can be loaded up and used to work the world. When a move is made into the gigahertz range though it becomes a little more difficult. The same principles apply, but the variables of antenna design are much harder to get right and a pair of wire snippers and an antenna tuner is no longer enough. With a plethora of GHz-range electronic devices surrounding us there has been more than one engineer sucked into a well of doom by imagining that their antenna design would be an easy task.

An article from Baseapp then makes for very interesting reading. Titled “Antenna tuning for beginners”, it approaches the subject from the perspective of miniature GHz antennas for IoT devices and the like. We’re taken through the basics and have a look at different types of antennas and connectors, before being introduced to a Vector Network Analyser, or VNA. Here is where some of the Black Art of high frequency RF design is laid bare, with everything explained through a series of use cases.

Though many of you will at some time or other work with these frequencies it’s very likely that few of you will do this kind of design exercise. It’s hard work, and there are so many ready-made RF modules upon which an engineer has already done the difficult part for you. But it does no harm to know something about it, so it’s very much worth taking a look at this piece.

It’s an area we’ve ventured into before: at a Superconference a few years ago [Michael Ossmann] gave us a fundamental introduction to RF design.

This Week In Security: Selfblow, Encryption Backdoors, Killer Apps, And The VLC Apocalypse That Wasn’t

Selfblow (Don’t google that at work, by the way) is a clever exploit by [Balázs Triszka] that affects every Nvidia Tegra device using the nvtboot bootloader — just about all of them except the Nintendo Switch. It’s CVE-2019-5680, rated 8.2 by Nvidia, but that high severity rating isn’t entirely reflective of the reality of the situation. Taking advantage of the vulnerability means writing to the boot device, which requires root access, as well as a kernel flag set to expose the boot partitions to userspace. This vulnerability was discovered as part of an effort by [Balázs] and other LineageOS developers to build an open source bootloader for Nvidia Tegra devices.

The Tegra boot process is a bit different, having several stages and a dedicated Boot and Power Management CPU (BPMP). A zero-stage ROM loads nvtboot to memory and starts it executing on the BPMP. One of the tasks of nvtboot is to verify the signature of the next bootloader step, nvtboot-cpu. The file size and memory location are embedded in the nvtboot-cpu header. There are two problems here that together make this vulnerability possible. The first is that the bootloader binary is loaded to its final memory location before the signature verification is performed. The code is written to validate the bootloader signature before starting it executing on the primary CPU, so all is well, right?
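The ordering problem described above, copying an image to the address its own header names and only then checking the signature, is worth seeing side by side with the defensive ordering. What follows is an added example, not Nvidia’s nvtboot code or anything from [Balázs]’s write-up: a simulated loader with a constructed header format (magic, load address, size, tag, payload), RAM modelled as a byte array, an HMAC-SHA256 tag standing in for the real public-key signature, and an assumed fixed window in which a second stage is allowed to land. The second of the two problems mentioned above is not on this page, so the example covers only the load-before-verify ordering and a header-field bounds check, which is my own design choice rather than anything the article attributes to the fix.

```python
import hashlib
import hmac
import struct

# Constructed image format, a stand-in for the real nvtboot-cpu header:
#   magic (4 bytes) | load_addr (u32) | size (u32) | tag (32 bytes) | payload
HEADER = struct.Struct("<4sII32s")
MAGIC = b"DEMO"
# HMAC-SHA256 with a shared key stands in for the real signature check
# (constructed demo key, not a real secret).
SIGNING_KEY = b"constructed-demo-key"

RAM_SIZE = 0x10000
# Assumed window in which a verified second-stage image may be placed.
ALLOWED_BASE, ALLOWED_END = 0x1000, 0x5000


def sign(load_addr, payload, key=SIGNING_KEY):
    """Tag covers the header fields as well as the payload."""
    msg = struct.pack("<II", load_addr, len(payload)) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_image(payload, load_addr, key=SIGNING_KEY):
    """Build a signed image in the constructed format."""
    tag = sign(load_addr, payload, key)
    return HEADER.pack(MAGIC, load_addr, len(payload), tag) + payload


def parse(image):
    """Split an image into header fields and payload; reject truncated input."""
    if len(image) < HEADER.size:
        raise ValueError("truncated header")
    magic, load_addr, size, tag = HEADER.unpack_from(image)
    payload = image[HEADER.size:HEADER.size + size]
    if magic != MAGIC or len(payload) != size:
        raise ValueError("bad magic or size")
    return load_addr, size, tag, payload


def load_then_verify(ram, image, key=SIGNING_KEY):
    """The ordering the article describes: copy to the final address first,
    check afterwards. Whatever the header said, the bytes are already in
    memory when the check fails, and the header's address is never
    restricted to a window."""
    load_addr, size, tag, payload = parse(image)
    if load_addr + size > len(ram):      # only keeps the bytearray from growing
        return False
    ram[load_addr:load_addr + size] = payload
    return hmac.compare_digest(sign(load_addr, payload, key), tag)


def verify_then_load(ram, image, key=SIGNING_KEY):
    """Defensive ordering: validate header-supplied fields against a fixed
    window, verify the tag over the staging copy (the image bytes), and only
    then copy into the destination. Nothing unverified touches ram."""
    load_addr, size, tag, payload = parse(image)
    if not (ALLOWED_BASE <= load_addr and load_addr + size <= ALLOWED_END):
        return False
    if not hmac.compare_digest(sign(load_addr, payload, key), tag):
        return False
    ram[load_addr:load_addr + size] = payload
    return True


if __name__ == "__main__":
    good = make_image(b"second-stage", 0x2000)
    bad = bytearray(good)
    bad[-1] ^= 0xFF                       # corrupt the last payload byte
    bad = bytes(bad)
    ram = bytearray(RAM_SIZE)
    print("load-then-verify on tampered image:", load_then_verify(ram, bad))
    print("bytes already in ram at 0x2000:", bytes(ram[0x2000:0x200C]))
    ram = bytearray(RAM_SIZE)
    print("verify-then-load on tampered image:", verify_then_load(ram, bad))
    print("ram untouched:", ram == bytearray(RAM_SIZE))
```

The lesson generalises beyond Tegra: anything an image header tells the loader (size, destination, entry point) is attacker-influenced until the signature over it has been checked, so the check belongs before the copy and the values belong inside a whitelist the loader owns.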