Frank Drake’s Legacy, Or: Are We All Alone In The Universe?

When Frank Drake began his astronomy career in the late 1950s, it was an incredibly exciting time for the field. Humanity was beginning to unlock the secrets of the Universe using ever more powerful radio frequency and optical telescopes, including the tantalizing prospect of space-based telescopes. Amidst the ramping-up Space Race between the US and USSR, there was an ever-growing excitement about humankind’s future among the stars.

As concrete plans for landings and colonies on the Moon, Venus and Mars were proposed and put into action, they also brought to the forefront many existing and new questions about humanity’s place in the Universe. During Frank Drake’s 92 years on planet Earth – until his passing on September 2nd of this year – he was one of the driving forces behind the search for extraterrestrial intelligence (SETI), along with other legends like Carl Sagan.

Although to the average person the acronym SETI is most likely to bring to mind popcorn movies about little grey – or green – men, Drake’s Project Ozma, as well as the SETI Institution and the ongoing Breakthrough Listen project are just some of the attempts made by Drake and his colleagues over the decades to answer that one question that may affect the very course of humankind’s future: are we alone in the Universe?

This Week In Security: One-click, UPnP, Mainframes, And Exploring The Fog

A couple weeks ago we talked about in-app browsers, and the potential privacy issues when opening content in them. This week Microsoft reveals the other side of that security coin — JavaScript on a visited website may be able to interact with the JS embedded in the app browser. The vulnerability chain starts with a link handler published to Android, where any https://m.tiktok[.]com/redirect links automatically open in the TikTok app. The problem here is that this does trigger a redirect, and app-internal deeplinks aren’t filtered out. One of these internal schemes has the effect of loading an arbitrary page in the app webview, and while there is a filter that should prevent loading untrusted hosts, it can be bypassed with a pair of arguments included in the URI call.

Once an arbitrary page is loaded, the biggest problem shows up. The JavaScript that runs in the app browser exposes 70+ methods to JS running on the page. If this is untrusted code, it gives away the figurative keys to the kingdom, as an auth token can be accessed for the current user. Account modification, private video access, and video upload are all accessible. Thankfully the problem was fixed back in March, less than a month after private disclosure. Still, a one-click account hijack is nothing to sneeze at. Thankfully this one didn’t escape from the lab before it was fixed.

UPnP Strikes Again

It’s not an exaggeration to say that Universal Plug and Play (UPnP) may have been the most dangerous feature to be included in routers with the possible exception of open-by-default WiFi. QNAP has issued yet another advisory of ransomware targeting their devices, and once again UPnP is the culprit. Photo Station is the vulnerable app, and it has to be exposed to the internet to get pwned. And what does UPnP do? Exposes apps to the internet without user interaction. And QNAP, in their efforts to make their NAS products more usable, included UPnP support, maybe by default on some models. If you have a QNAP device (or even if you don’t), make sure UPnP is disabled on your router, turn off all port forwarding unless you’re absolutely sure you know what you’re doing, and use WireGuard for remote access.

Aluminium-Sulphur Batteries For Local Grid Storage?

Lithium-Sulphur batteries have been on the cusp of commercial availability for a little while now, but nothing much has hit the shelves as of yet. There are still issues with lifetime due to cell degradation, and news about developments seems to be drying up a little. Not to worry, because MIT have come along with a new battery technology using some of the most available and cheap materials found on this planet of ours. The Aluminium-Sulphur battery developed has very promising characteristics for use with static and automotive applications, specifically its scalability and its incredible charge/discharge performance.

The cell is based upon electrodes constructed from aluminium metal and sulphur, with an electrolyte of molten catenated chloro-aluminate salts. With an operating temperature of around 100 degrees Celsius, you’re not going to want this in a mobile phone anytime soon, but that’s not the goal. The goal is the smoothing out of renewable energy sources, and localised electricity grid balancing. A major use case would be the mass charging of battery electric vehicles. As the number of charge points increases at any given location, so does the peak current needed from the grid. Aluminium-Sulphur batteries are touted to offer the solution to ease this, with their high peak discharge current capability enabling a much higher peak power delivery at the point of use.

Magnetic Maniac Manages Mangled Memory

Ahh, floppy disks. Few things carry nostalgia quite like a floppy — either 3 1⁄2 or 5 1⁄4, depending on which generation of hacker you happen to be. (And yes, we hear you grey-beards, 8-inch floppies were definitely a thing.) The real goodies aren’t the floppies themselves, but what they carried, like Wolfenstein 3d, Commander Keen, DOS, or any number of other classics from the past. Unfortunately a bunch of these floppy disks aren’t carrying anything anymore, as bit rot eventually catches up with them. Even worse, on some trashed floppies, a format operation fails, too. Surely, these floppies are destined for the trash, right?

This Week In Security: Malicious Clipboards, Snakes On A Domain, And Binary Golf

There’s a bit of a panic regarding Chromium, Google Chrome, the system clipboard, and of all things, Google Doodles on the New Tab Page. It’s all about Chromium issue 1334203, “NewTabPageDoodleShareDialogFocusTest.All test fails when user gesture is enforced”. You see, Chromium has quite a large regression test suite, and Google engineers want to ensure that the Google Doodles always work. A security feature added to the clipboard handling API happened to break a Doodles test, so to fix the Doodle, the security feature was partially reverted. The now-missing feature? Requiring user interaction before a page can read or write to the clipboard.

Now you understand why there’s been a bit of a panic — yes, that sounds really bad. Pages arbitrarily reading from your clipboard is downright malicious and dangerous. And if no interaction is required, then any page can do so, right? No, not quite. Chrome has a set of protections under which there are certain things a page cannot do if the user has not interacted with the page. You might see this at play in Discord when trying to refresh a page containing a video call. “Click anywhere on this page to enable video.” It’s intended to prevent annoying auto-play videos and other irritating page behavior. And most importantly, it’s *not* the only protection against a page reading your clipboard contents. See for yourself. Reading the clipboard is a site permission, just like accessing your camera or mic.

Now it’s true that a site could potentially *write* to the clipboard, and use this to try to be malicious. For example, writing rm -rf / on a site that claims to be showing off Linux command line tips. But that’s always been the case. It’s why you should always paste into a simple text editor, and not straight into the console from a site. So, really, no panic is necessary. The Chromium devs tried to roll out a slightly more aggressive security measure, and found it broke something unrelated, so partially rolled it back. The sky is not falling.

It’s A Plane… It’s A Train… Um… It’s Both?

What kind of electric vehicle travels at 620 miles per hour (998 km/h)? According to Canadian and French company TransPod, their FluxJet will do it and they want to use it to virtually shrink the Great White North. An electric jet? Not exactly. The FluxJet is a magnetic levitation (maglev) train riding in a vacuum tube with contactless power delivery.

The company claims it can carry 54 passengers or 10 tons of cargo. You can see two videos about the concept below. Judging by the second video, the device might be controlled by a serial port — well, probably not, but we were still amused to see the directory of tty devices on the screen.

Pipe dream (no pun intended)? Maybe. But they did get $550 million in funding and a plan to build a line between Calgary and Edmonton that will take 45 minutes to traverse. Reports are that they did demonstrate a 1-ton 18-foot-long prototype, although we couldn’t find any actual video footage of that — just hints of it in the marketing videos.

Of course, this isn’t the first such system proposed as a “hyperloop” but they do seem to be building momentum financially. We aren’t clear what they are talking about with the “veillance flux,” but we also know that since they are a French-speaking organization, it may just be another way to say “sensors” because — we think — veillance is a French word that means watching. We also aren’t sure how a train in a vacuum has much in common with an airplane. Maglev isn’t new, either.

Maiden Kansas City Keyboard Meetup Was A Clacking Good Time

Wow! I can’t believe it already came and went — but the first annual (semi-annual?) Kansas City Keyboard Meetup was, in my opinion, a rousing success. And I think organizer and Discord-nominated god among men [Ricardo] agrees with me. (He does; I checked before we left the venue.)

First of all, the attendance was off the charts, perhaps thanks in part to our announcement last week. We aim to get you the news sooner next time, in case you want to come in from surrounding states and municipalities. RSVPs sat around 20-something, and then shot up to 60 or so in the days leading up. Fortunately, there were enough tiny sandwiches, granola bars, and s t i c k e r s to go around. I already put mine on my keebin’ toolbox.

The Hive Was Buzzing

The event took place at Hive Co-Working thanks to [Nick], and overall, the space turned out to be a good layout. We were set up right inside the windows looking out to the street, and I like to think that we drew in a few passers-by, though I am probably more than a little bit biased. I wondered aloud on the way home how a sandwich board out on the sidewalk would have affected the influx of randos.

My husband pointed out that even though we were all the way downtown, this is Kansas City and not New York City, and most of the keyboard enthusiasts about town were already accounted for. Hmpf. I still say we should try a sandwich board next time. We could go meta and mention the tiny sandwiches inside. Don’t worry — there was plenty of sanitizer and napkins to go around, plus a box of gloves.
