This Week In Security: Forksquatting, RustDesk, And M&Ms

Github is struggling to keep up with a malware campaign that’s a new twist on typosquatting. The play is straightforward: Clone popular repositories, add malware, and advertise the forks as the original. Some developers mistake the forks for the real projects, and unintentionally run the malware. The obvious naming choice is forksquatting, but the researchers at apiiro went with the safer name of “Repo Confusion”.

The campaign is automated, and GitHub is aware of it, with the vast majority of these malicious repositories getting removed right away. For whatever reason, the GitHub algorithm isn’t catching all of the new repos. The current campaign appears to be publishing millions of forks, using code from over 100,000 legitimate projects. It’s beginning to seem that the squatting family of attacks is here to stay.

RustDesk and Odd Certificates

The RustDesk remote access software is interesting, as it’s open source, allows self-hosting, and written in Rust. I’ve had exploring RustDesk as a todo item for a long time, but a bit of concerning drama has just finished playing out. A user pointed out back in November that a test root certificate was installed as part of the RustDesk installation. That root cert is self-signed with SHA1. There is also concern that the RustDesk binaries are signed with a different certificate.

There have been new events since then. First, there was a Hacker News thread about the issue earlier this month. The next day, CVE-2024-25140 was registered with NIST, carrying an insane CVSS score of 9.8. Let’s cut through some FUD and talk about what’s really going on.


Air Canada’s Chatbot: Why RAG Is Better Than An LLM For Facts

Recently Air Canada was in the news regarding the outcome of Moffatt v. Air Canada, in which Air Canada was forced to pay restitution to Mr. Moffatt after he had been disadvantaged by advice given by a chatbot on the Air Canada website regarding the airline’s bereavement fare policy. When Mr. Moffatt inquired whether he could apply for the bereavement fare after returning from the flight, the chatbot said that this was the case, even though the link it provided to the official bereavement policy page said otherwise.

This latter aspect is by far the most interesting part of the case, as it raises many questions about the technical details of the chatbot which Air Canada had deployed on its website. Since the basic idea behind such a chatbot is that it uses a curated source of (company) documentation and policies, many assume that this particular chatbot instead used an LLM with more generic information in it, possibly sourced from many other public-facing policy pages.

Whatever the case may be, chatbots are increasingly used by companies, but instead of pure LLMs they use what is called RAG: retrieval augmented generation. Rather than relying on whatever the language model has memorized, this fetches factual information from a vetted source of documentation.


Big Chemistry: Hydrofluoric Acid

For all of the semiconductor industry’s legendary reputation for cleanliness, the actual processes that go into making chips use some of the nastiest stuff imaginable. Silicon comes from nothing but boring old sand, and once it’s turned into ultrapure crystals and sliced into wafers, it still doesn’t do much. Making it into working circuits requires dopants like phosphorus and boron to give the silicon the proper semiconductor properties. But even then, a doped wafer doesn’t do much until an insulating layer of silicon dioxide is added and the unwanted bits are etched away. That’s a tall order, though; silicon dioxide is notoriously tough stuff, largely unreactive and therefore resistant to most chemicals. Only one substance will do the job: hydrofluoric acid, or HFA.

HFA has a bad reputation, and deservedly so, notwithstanding its somewhat overwrought treatment by Hollywood. It’s corrosive to just about everything, it’s extremely toxic, and if enough of it gets on your skin it’ll kill you slowly and leave you in agony the entire time. But it’s also absolutely necessary to make everything from pharmaceuticals to cookware, and it takes some big chemistry to do it safely and cheaply.



KiCad 8 Makes Your Life Better Without Caveats

A few days ago, KiCad 8 was released, and it’s a straight upgrade to any PCB designer’s quality of life. There’s a blog post as usual, and, this year, there’s also a FOSDEM talk from [Wayne Stambaugh] talking about the changes that we now all get to benefit from. Having gone through both of these, our impression is that KiCad 8 developers went over the entire suite, asking: “this is cool, but could we make it better”? The end result is indeed a massive improvement in a thousand different ways, from small to fundamental, and all of them seem to be direct upgrades from the KiCad 7 experience.


Intuitive Machines’ Nova-C Makes It To The Lunar Surface In US Return After Half A Century

Intuitive Machines’ first mission (IM-1) featuring the Nova-C Odysseus lunar lander was launched on top of a SpaceX Falcon 9 on February 15th, 2024, as part of NASA’s Commercial Lunar Payload Services (CLPS). Targeting a landing site near the lunar south pole, it was supposed to use its onboard laser range finders to help it navigate safely for a soft touchdown on the lunar surface. Unfortunately, it was this component that was found to have malfunctioned as the spacecraft was already in lunar orbit. Fortunately, there was a workaround. By using one of the NASA payloads on the lander, the Navigation Doppler Lidar (NDL), the mission could continue.

Perhaps unsurprisingly, the use of the NDL as a fallback option was considered before launch, and since its functionality overlaps with that of the primary laser range finders of Nova-C, it was pressed into service with a new configuration uploaded by IM operators back on Earth before Nova-C committed to a landing burn. Then, on February 22nd, the spacecraft began its descent to the surface, which also involved the Eaglecam payload that was designed to be released before snapping a self-portrait of the lander as it descended.


This Week In Security: Wyze, ScreenConnect, And Untrustworthy Job Postings

For a smart home company with an emphasis on cloud-connected cameras, what could possibly be worse than accidentally showing active cameras to the wrong users? Doing it again, to far more users, less than 6 months after the previous incident.

The setup for this breach was an AWS problem that caused a Wyze system outage last Friday morning. As the system was restored, the load spiked and a caching library took the brunt of the unintentional DDoS. This library apparently has a fail state of serving images and videos to the wrong users. An official report from Wyze mentions that this library had been recently added, and that the number of thumbnails shown to unauthorized users was around 13,000. Eek. There’s a reason we recommend picking one of the Open Source NVR systems here at Hackaday.

ScreenConnect Exploit in the Wild

A pair of vulnerabilities in ConnectWise ScreenConnect were announced this week, proofs of concept were released, and the flaws are already being used in active exploitation. The vulnerabilities are a CVSS 10.0 authentication bypass and a CVSS 8.4 path traversal bypass.

Huntress has a guide out, detailing how embarrassingly easy the vulnerabilities are to exploit. The authentication bypass is a result of a .NET quirk: adding an additional directory on the end of a .aspx URL doesn’t actually change the destination, but is captured as PathInfo. This allows a bypass of the protections against re-running the initial setup wizard: hostname/SetupWizard.aspx/literallyanything
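As an added example (not from the Huntress guide or this article), a small defender-side check that flags requests hitting SetupWizard.aspx with trailing PathInfo in web server logs. The log format and entries are constructed for the example, not taken from any real server.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log lines (method, URL, status), made up for this example.
SAMPLE_LOG = """\
GET /Login 200
GET /SetupWizard.aspx 403
GET /SetupWizard.aspx/ 200
POST /SetupWizard.aspx/literallyanything 200
GET /setupwizard.aspx/x%2Fy 200
GET /App_Extensions/foo/Default.aspx 200
"""

# SetupWizard.aspx followed by a slash and anything after it is the PathInfo
# pattern; IIS paths are case-insensitive, so match accordingly.
WIZARD_PATHINFO = re.compile(r"/setupwizard\.aspx/(.*)$", re.IGNORECASE)


def path_info_after_wizard(url: str):
    """Return the PathInfo trailing SetupWizard.aspx, or None if absent.

    The path is percent-decoded first so encoded slashes are not missed.
    """
    path = unquote(urlsplit(url).path)
    match = WIZARD_PATHINFO.search(path)
    return match.group(1) if match else None


def flag_suspicious(log_text: str):
    """Return (url, status, pathinfo) for every wizard request with PathInfo.

    A legitimate client never requests the wizard with a trailing path, so
    even an empty PathInfo (bare trailing slash) is reported.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        _method, url, status = parts[0], parts[1], parts[2]
        pathinfo = path_info_after_wizard(url)
        if pathinfo is not None:
            hits.append((url, int(status), pathinfo))
    return hits
```

A plain request to SetupWizard.aspx that returns 403 is the expected blocked case and is not flagged; only the PathInfo variants are.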

The second vulnerability triggers during extension unpacking, as the unzipping process doesn’t prevent path traversal. The most interesting part is that the unzip happens before the extension installation finishes. So an attacker can compromise the box, cancel the install, and leave very little trace of exploitation.

2024 Hackaday Europe Call For Participation Extended

Good news, procrastineers! A few folks asked us for a little more time to get their proposals together for our upcoming 2024 Hackaday Europe event in Berlin, and we’re listening. So now you’ve got an extra week – get your proposals for talks or workshops in before February 29th.

Hackaday Europe is a two-day event taking place April 13th and 14th in Berlin, Germany. Saturday the 13th is the big day, with a full day of badge hacking, talks, music, and everything else. We’ve got the place booked until 2 AM, so get your sleep the night before. Sunday is a half-day of brunch, lightning talks, and showing off the badge hacks from the day before. And if you’re in town on Friday the 12th, we’ll be going out in the evening for drinks and dinner, location TBA but hopefully closer than where we ended up last year!

The badge is going to be a re-spin of the Supercon badge for all of you who couldn’t fly out to the US last November. There are no secrets anymore, so get your pre-hacks started now. We’ve seen some sweet all-analog hacks, some complete revisions of the entire firmware loadout, and, of course, all sorts of awesome hardware bodged onto it. Heck, we even saw Asteroids and DOOM. But we haven’t seen any native Jerobeam Fenderson-style oscilloscope music. You’ve got your homework.

What to Bring?

A few other people have asked if they could bring in (art) projects to show and share. Of course! Depending on the scale, though, you may need to contact us beforehand. If it’s larger than a tower PC, get in touch with us, and we’ll work it out. Smaller hacks, projects in progress, and anything you want to bring along to show and inspire others with, are, of course, welcome without any strings attached.

What else might you need? A computer of your choice and a micro USB cable for programming the badge. There will be soldering stations, random parts, and someone will probably be able to lend you nearly any other piece of gear, so you can pack light if you want to. But you don’t have to.

If you’d like to attend but you don’t have tickets yet – get them soon! Space is limited, and we tend to sell out. Or better yet, submit a talk and sneak in the side door. We’d love to hear what you’ve got going on, and we can’t wait to see you all.