This Week In Security: Microsoft Patches, Typosquatting Continues, And Code Signing For All

The pair of Outlook vulnerabilities we’ve been tracking have finally been patched, along with another handful of fixes this Patch Tuesday, a total of six being 0-day exploits. The third vulnerability was also a 0-day, discovered by the Google Threat Analysis Group. This one resulted in arbitrary code execution when a Windows client connected to a malicious server.

A pair of escalation of privilege flaws were fixed, one being yet another print spooler issue, and the other part of a key handling service. The final zero-day fixed was a mark-of-the-web bypass, that being the tag that gets added to file metadata to indicate it’s a download from the internet. Malware delivered inside an ISO, or marked read-only inside a zip file, doesn’t trigger the warning when it is executed.

Will Typosquat For Bitcoin

A trend that doesn’t show signs of slowing down is typosquatting, the simple malware distribution strategy of uploading tainted packages using misspelled variations of legitimate package names. The latest such scheme, discovered by researchers at Phylum, delivered a crypto-stealer in Python packages. These packages were hosted on PyPI, under names like baeutifulsoup4 and cryptograpyh. The packages install a JavaScript file that runs in the background of the browser, and monitors for a cryptocurrency address on the clipboard. When detected, the intended address is swapped for an attacker-controlled address.
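A defender-side check for the misspelled names described above, as an added example that is not from the original article or from Phylum: it flags dependency names within a small edit distance of an approved package name. The allowlist, the sample requirements lines and the function names are constructed for illustration.

```python
import re

# Constructed allowlist; in practice this comes from your approved-package inventory.
KNOWN_GOOD = {"beautifulsoup4", "cryptography", "requests", "numpy"}

# Constructed sample input in requirements.txt style.
SAMPLE = ["requests==2.28.1", "baeutifulsoup4", "cryptograpyh>=38.0  # pinned",
          "flask", "NumPy"]

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("ea" -> "ae"), the typo both page examples use.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]

def normalize(name):
    # PyPI treats runs of "-", "_" and "." as equivalent and ignores case.
    return re.sub(r"[-_.]+", "-", name).lower()

def find_suspects(requirements, known=KNOWN_GOOD, max_distance=2):
    """Return (name, lookalike, distance) for names close to, but not in, the allowlist."""
    suspects = []
    for line in requirements:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = normalize(re.split(r"[\s<>=!~;\[]", line, maxsplit=1)[0])
        if name in known:
            continue
        dist, closest = min((osa_distance(name, good), good) for good in known)
        if dist <= max_distance:
            suspects.append((name, closest, dist))
    return suspects

if __name__ == "__main__":
    for name, closest, dist in find_suspects(SAMPLE):
        print(f"{name}: {dist} edit(s) from {closest}, verify before installing")
```

Names that are far from every allowlisted package, such as `flask` here, are not flagged; this check only catches near-misses, so unknown packages still need separate review.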

Chinese Chips Are Being Artificially Slowed To Dodge US Export Regulations

Once upon a time, countries protected their domestic industries with tariffs on imports. This gave the home side a price advantage over companies operating overseas, but the practice has somewhat fallen out of fashion in the past few decades.

These days, governments are altogether more creative, using fancy export controls to protect their interests. To that end, the United States enacted an export restriction on high-powered computing devices. In response, Chinese designers are attempting to artificially slow their hardware to dodge these rules.

Commodore Datasette Does Its Own Calibration

Ah, the beloved Commodore 64. The “best-selling computer system of all time”. And hobbyists are keeping the dream alive, still producing software for it today. Which leads us to a problem with using such old equipment. When you get your copy of Petscii Robots on cassette, and try to fastload it, your machine might just consistently fail to load the program. That’s fine, time to pull out the Q-tips and rubbing alcohol, and give the read heads a good cleaning. But what if that doesn’t do the job? You may just have another problem, like tape speed drift.

There are several different ways to measure the current tape speed, to dial it in properly. The best is probably a reference cassette with a known tone. Just connect your frequency counter or digital oscilloscope, and dial in the adjustment pot until your Datasette is producing the expected tone. Oh, you don’t have a frequency counter? Well good news, [Jan Derogee] has a solution for you. See, you already have your Datasette connected to a perfectly serviceable frequency counter — your Commodore computer. He’s put out a free program that counts the pulses coming from the Datasette in a second. So play a reference cassette, run the program, and dial in your Datasette deck. Simple! Stick around after the break for a very tongue-in-cheek demonstration of the problem and solution.

Rope Core Drum Machine

One of our favorite musical hackers, [Look Mum No Computer] is getting dangerously close to building a computer. His quest was to create a unique drum machine, inspired by a Soviet auto-dialer that used rope core memory for number storage. Rope memory is the read-only sibling to magnetic core memory, the memory technology used to build some beloved computers back in the 60s and early 70s. Rope core isn’t programmed by magnetizing the ceramic donuts, but by weaving a wire through them. And when [Look Mum] saw the auto-dialer using the technology for a user-programmable interface, naturally, he just had to build a synth sequencer.

Supercon Sunday: Check The Live Stream

Supercon is entering the final phase: it’s Sunday! But it’s not over yet: there is a phenomenal lineup of talks today, starting at 9:30 AM PST, and we’re streaming the main stage live from the very beginning until the badge-hacking awards ceremony at 5:30 pm. And if you’d like to join in the conversation, head over to the Hack Chat or the Discord.

We kicked off Friday with a full day of badge hacking, workshops, food, drink, and music. What used to be a late-afternoon pre-registration has grown into the early morning hours, and gave people a great opportunity to catch up after two years of remote mode.

Saturday was full-on Supercon, and the talks were phenomenal. We recorded interviews, took tons of photos, and of course recorded the talks given on the DesignLab stage, and we’ll be getting those out to you over the next weeks. (It’s a lot.)

In addition to all the talks, we announced the winners of the 2022 Hackaday Prize! It was a big year for small-scale energy generation and recycling, and all of the winning projects were clever, well tested, and easily replicable. Check them out.

So now that you’re all caught up, settle in for a jam-packed Sunday. See you in the livestream if not in real life!

Supercon Is On! Join Us!

Supercon is in high gear, after a full day of badge hacking that went well into the midnight hour. Now it’s time for the talks!

If you’re not here in person, you can still get in on the talks by following the 2022 Hackaday Supercon Livestream, which will be covering all the LACM stage action. We have a great lineup of speakers starting off with a keynote by Joe [Kingpin] Grand at 10:00 AM PDT and ending with the 2022 Hackaday Prize Awards at 7:00 PM — come see who won live!

Of course, talks are only one component of Supercon. The secret sauce has always been the people at the con. If you’re not joining us, we still need you to take part. There is a conference chat on Hackaday.io and on the Hackaday Discord server and all are welcome. Pop in and visit with people at the con, and others around the globe who wish they could have made it in person.

Make sure you’re on the live stream Saturday evening to watch as the Grand Prize is presented on stage during the Hackaday Prize Ceremony. Pop into the chat and ask for updates on badge hacking, the SMD Soldering Challenge, and all of the other shenanigans that make Supercon super.

Garage Door Opener Ejection Seat

[Scott Prints] had a familiar problem. His garage door opener was boring, and rattled around annoyingly in his car’s center console. This was obviously a major issue that needed to be dealt with. His solution was to install an ejector seat. Er, well, an ejector seat button. At least, that’s what it’s labeled. (That’s sure to be a great conversation starter for passengers.)

The end result looks slick and combines several build techniques. He started by taking measurements and 3D-printing a test piece for the center console nook. Turns out, that’s a more complicated shape than it seems. Rather than try to measure the exact angles and radii, Scott turned to the tried-and-true method of fiddling with the parameters and printing a second test. Close enough.

The coolest and most challenging element of the build was engraving and cutting the aluminum plate that forms the visible part of the build. Turns out, the online recommendations for milling aluminum are laughably optimistic when you don’t have an industrial CNC machine. Slower, shallower cuts got the job done, albeit slowly. A red paint-filled marker made the letters pop. The guts of the donor garage door opener are fitted into a 3D-printed shell, and then a Big Red Button threads into the print, holding the whole build together. A bit of solder later, and the project is done. Simple, effective, and very stylish! We approve. Come back after the break for the build video.