News

3606 Articles

This Week In Security: The Github Supply Chain Attack, Ransomware Decryption, And Paragon

March 21, 2025 by 4 Comments

Last Friday Github saw a supply chain attack hidden in a popular Github Action. To understand this, we have to quickly cover Continuous Integration (CI) and Github Actions. CI essentially means automatic builds of a project. Time to make a release? CI run. A commit was pushed? CI run. For some projects, even pull requests trigger a CI run. It’s particularly handy when the project has a test suite that can be run inside the CI process.

Doing automated builds may sound straightforward, but the process includes checking out code, installing build dependencies, doing a build, determining if the build succeeded, and then uploading the results somewhere useful. Sometimes this even includes making commits to the repo itself, to increment a version number for instance. For each step there are different approaches and interesting quirks for every project. Github handles this by maintaining a marketplace of “actions”, many of which are community maintained. Those are reusable code snippets that handle many CI processes with just a few options.

One other element to understand is “secrets”. If a project release process ends with uploading to an AWS store, the process needs an access key. Github stores those secrets securely, and makes them available in Github Actions. Between the ability to make changes to the project itself, and the potential for leaking secrets, it suddenly becomes clear why it’s very important not to let untrusted code run inside the context of a Github Action.

And this brings us to what happened last Friday. One of those community maintained actions, tj-actions/changed-files, was modified to pull an obfuscated Python script and run it. That code dumps the memory of the Github runner process, looks for anything there tagged with isSecret, and writes those values out to the log. The log, that coincidentally, is world readable for public repositories, so printing secrets to the log exposes them for anyone that knows where to look.

Researchers at StepSecurity have been covering this, and have a simple search string to use: org:changeme tj-actions/changed-files Action. That just looks for any mention of the compromised action. It’s unclear whether the compromised action was embedded in any other popular actions. The recommendation is to search recent Github Action logs for any mention of changed-files, and start rotating secrets if present. Continue reading “This Week In Security: The Github Supply Chain Attack, Ransomware Decryption, And Paragon”

From The Ashes: Coal Ash May Offer Rich Source Of Rare Earth Elements

March 19, 2025 by 39 Comments

For most of history, the world got along fine without the rare earth elements. We knew they existed, we knew they weren’t really all that rare, and we really didn’t have much use for them — until we discovered just how useful they are and made ourselves absolutely dependent on them, to the point where not having them would literally grind the world to a halt.

This dependency has spurred a search for caches of rare earth elements in the strangest of places, from muddy sediments on the sea floor to asteroids. But there’s one potential source that’s much closer to home: coal ash waste. According to a study from the University of Texas Austin, the 5 gigatonnes of coal ash produced in the United States between 1950 and 2021 might contain as much as $8.4 billion worth of REEYSc — that’s the 16 lanthanide rare earth elements plus yttrium and scandium, transition metals that aren’t strictly rare earths but are geologically associated with them and useful in many of the same ways. Continue reading “From The Ashes: Coal Ash May Offer Rich Source Of Rare Earth Elements”

Long-tail pair waves

Current Mirrors Tame Common Mode Noise

March 17, 2025 by 12 Comments

If you’re the sort who finds beauty in symmetry – and I’m not talking about your latest PCB layout – then you’ll appreciate this clever take on the long-tailed pair. [Kevin]’s video on this topic explores boosting common mode rejection by swapping out the old-school tail resistor for a current mirror. Yes, the humble current mirror – long underestimated in DIY analog circles – steps up here, giving his differential amplifier a much-needed backbone.

So why does this matter? Well, in Kevin’s bench tests, this hack more than doubles the common mode rejection, leaping from a decent 35 dB to a noise-crushing 93 dB. That’s not just tweaking for tweaking’s sake; that’s taking a breadboard standard and making it ready for sensitive, low-level signal work. Instead of wrestling with mismatched transistors or praying to the gods of temperature stability, he opts for a practical approach. A couple of matched NPNs, a pair of emitter resistors, and a back-of-the-envelope resistor calculation – and boom, clean differential gain without the common mode muck.

If you want the nitty-gritty details, schematics of the demo circuits are on his project GitHub. Kevin’s explanation is equal parts history lesson and practical engineering, and it’s worth the watch. Keep tinkering, and do share your thoughts on this.

Continue reading “Current Mirrors Tame Common Mode Noise”

This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE

March 14, 2025 by 9 Comments

We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP Synchronization requests, with spoofed source IPs.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

Continue reading “This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE”

Hackaday Europe 2025: Speaker Schedule And Official Event Page

March 13, 2025 by No comments

Hackaday Europe 2025 is just days away, and we’ve got the finalized speaker schedule hot off the digital press. We’re also pleased to announce that the event page is now officially live, where you can find all the vital information about the weekend’s festivities in one place.

Whether you’ll be joining the fun in Berlin, or watching the live stream from home, we’ve got a fantastic lineup of speakers this year who are eager to tell us all about the projects that have been keeping them up at night recently:

Continue reading “Hackaday Europe 2025: Speaker Schedule And Official Event Page”

Red and gold bakelite Philco farm radio on a workbench

Hacking A Heavyweight Philco Radio

March 10, 2025 by 6 Comments

There’s something magical about the clunk of a heavy 1950s portable radio – the solid thunk of Bakelite, the warm hum of tubes glowing to life. This is exactly why [Ken’s Lab] took on the restoration of a Philco 52-664, a portable AC/DC radio originally sold for $45 in 1953 (a small fortune back then!). Despite its beat-up exterior and faulty guts, [Ken] methodically restored it to working condition. His video details every crackling capacitor and crusty resistor he replaced, and it’s pure catnip for any hacker with a soft spot for analog tech. Does the name Philco ring a bell? Lately, we did cover the restoration of a 1958 Philco Predicta television.

What sets this radio hack apart? To begin with, [Ken] kept the restoration authentic, repurposing original capacitor cans and using era-appropriate materials – right down to boiling out old electrolytics in his wife’s discarded cooking pot. But, he went further. Lacking the space for modern components, [Ken] fabbed up a custom mounting solution from stiff styrofoam, fibreboard, and all-purpose glue. He even re-routed the B-wiring with creative terminal hacks. It’s a masterclass in patience, precision, and resourcefulness.

If this tickles your inner tinkerer, don’t miss out on the full video. It’s like stepping into a time machine.

Continue reading “Hacking A Heavyweight Philco Radio”