This Week In Security: Git, Patch Tuesday, Anti-Cheat, And Vulnerable Documentation

April 17, 2020 by Jonathan Bennett 8 Comments

Git released an update on Tuesday, fixing an issue that could result in leaking credentials. The vulnerability was in how Git handles an HTTP URL containing a newline. Looking at the commits in 2.26.1, we can find an example of an attack:
url = "https://one.example.com?%0ahost=two.example.com/foo.git"

So doing a git pull against this repository will connect your git instance to an attacker’s server, but using the credentials from an arbitrary server. It seems like this could potentially be used to steal Github credentials, for instance. So go make sure you have an updated Git client.
Continue reading “This Week In Security: Git, Patch Tuesday, Anti-Cheat, And Vulnerable Documentation” →

John Horton Conway, Creator Of Conway’s Game Of Life, Has Died

April 13, 2020 by Mike Szczys 57 Comments

Programmers everywhere are familiar with Conway’s Game of Life: whether they’ve written a version themselves or simply seen the mesmerizing action resulting from the cellular automata, it’s a household name in all homes where code is spoken. On Saturday April 11th, 2020 its inventor and namesake, John Horton Conway passed away from COVID-19 at the age of 82.

Born in Liverpool, Conway received his PhD in mathematics in 1964 from Gonville and Caius College, Cambridge. He accepted a position at Sidney Sussex College, Cambridge which he held until joining the faculty of Princeton University in 1987. A brilliant mathematician, he received numerous awards and was well known for his work in combinatorial game theory, group theory, and theoretical physics.

Many readers will be familiar with his Doomsday algorithm which can be used to deduce the day of the week for any given date in your head. But by far the rockstar mathematics moment of developing Conway’s Game of Life in 1970 cements him a perpetual place of legend in computing lore. His original work on the concept used pencil and paper as the computing revolution had yet to make digital resources easily available, even to mathematics researchers like Conway.

The game uses an infinite grid of squares where all of the edges of the grid wrap around. Four simple rules (which can be boiled down to three if you’re clever) determine which cells live and which cells die during each frame of the “game”. The only parameters that are needed are the number and position of living cells at the start of the game, and the delay between each game frame. But the effect of this simplicity is not to be understated. The game can be coded by a novice — and it’s become a common challenge in University course work. Small errors, or intentional tweaks, in the implementation have profound effects on behavior of the game. And the effect on the person programming it for the first time can be long lasting. You could call it a mathematics gateway drug, grabbing the curiosity of the unsuspecting mind and pulling it down the rabbit hole of advanced mathematics discovery.

We’d love to celebrate his life by hearing your own stories of programming the Game of Life in the comments below. If you haven’t yet had the pleasure, now’s a great time to take on the challenge.

[Game of Life example shown in this article is John Conway’s Game of Life – 1.0 written in Python by Nick Jarvis and Nick Wayne]

Classic Leica Film Camera Turns Digital

April 10, 2020 by Bryan Cockfield 36 Comments

While there’s still a market for older analog devices such as vinyl records, clocks, and vacuum-tube-powered radio transmitters, a large fraction of these things have become largely digital over the years. There is a certain feel to older devices though which some prefer over their newer, digital counterparts. This is true of the camera world as well, where some still take pictures on film and develop in darkrooms, but if this is too much of a hassle, yet you still appreciate older analog cameras, then this Leica film camera converted to digital might just attract your focus.

This modification comes in two varieties for users with slightly different preferences. One uses a Sony NEX-5 sensor which clips onto the camera and preserves almost all of the inner workings, and the aesthetic, of the original. This sensor isn’t full-frame though, so if that’s a requirement the second option is one with an A7 sensor which requires extensive camera modification (but still preserves the original rangefinder, an almost $700 part even today). Each one has taken care of all of the new digital workings without a screen, with the original film advance, shutters, and other HIDs of their time modified for the new digital world.

The finish of these cameras is exceptional, with every detail considered. The plans aren’t open source, but we have a hard time taking issue with that for the artistry this particular build. This is a modification done to a lot of cameras, but seldom with so much attention paid to the “feel” of the original camera.

Thanks to [Johannes] for the tip!

This Week In Security: Zoom (Really This Time), Fingerprints, And Bloatware

April 10, 2020 by Jonathan Bennett 9 Comments

You were promised Zoom news last week, but due to a late night of writing, that story was delayed to this week. So what’s the deal with Zoom? Google, SpaceX, and even the government of Taiwan and the US Senate have banned Zoom. You may remember our coverage of Zoom from nearly a year ago, when Apple forcibly removed the Zoom service from countless machines. The realities of COVID-19 have brought about an explosion of popularity for Zoom, but also a renewed critical eye on the platform’s security.

“Zoombombing”, joining a Zoom meeting uninvited, made national headlines as a result of a few high profile incidents. The US DOJ even released a statement about it. Those incidents seem to have been a result of Zoom default settings: no meeting passwords, no “waiting room”, and meeting IDs that persist indefinitely. A troll could simply search google for Zoom links, and try connecting to them until finding an active meeting. Ars ran a great article on how to avoid getting zoombombed (thanks to Sheldon for pointing this out last week).

There is another wrinkle to the Zoom story. Zoom is technically an American company, but its Chinese roots put it in a precarious situation. Recently it’s been reported that encryption keying is routed through infrastructure in China, even though the calling parties are elsewhere. In some cases, call data itself goes through Chinese infrastructure, though that was labeled as a temporary bug. Zoom was also advertising its meetings as having end-to-end encryption. That claim was investigated, and discovered to be false. All meetings get decrypted at Zoom servers, and could theoretically be viewed by Zoom staff. Continue reading “This Week In Security: Zoom (Really This Time), Fingerprints, And Bloatware” →

Iceland Is Doing Its COVID-19 Proximity Tracing The Open Source Way

April 10, 2020 by Jenny List 6 Comments

As governments around the world grapple with the problem of tracing those who have had contact with a person known to have been infected with the COVID-19 virus, attention has turned to the idea of mobile apps that can divulge who a person has been near so that they can be alerted of potential infections. This has a huge potential for abuse by regimes with little care for personal privacy, and has been a significant concern for those working in that field. An interesting compromise has been struck by Iceland, who have produced an app for their populace that stores the information on the device and only uploads it with the user’s consent once they have received a diagnosis. We can all take a look, because to ensure transparency they have released it as open source.

On signing up for the scheme a central server stores the details of each user as well as their phone number. When the epidemiologists have a need to trace a person’s contacts they send a notification, and the person can consent to their upload. This is a fine effort to retain user privacy, with depending on your viewpoint the flaw or the advantage being that the user can not have their data slurped without their knowledge. Iceland is a country with a relatively small population, so we can imagine that with enough consent there could be effective tracing.

We installed the Android version on the Hackaday phone to have a look, but unfortunately it seems to need to be in Iceland to be of use enough to explore. We would be interested to hear from our Icelandic readers, to hear their views. Meanwhile readers can juxtapose the Icelandic app with another proposal for a more anonymised version.

Real Engineering Behind Ventilators

April 7, 2020 by Al Williams 40 Comments

Experts on cognition tell us that most people think they know more than they really do. One particular indicator for that is if someone is an expert in one field and they feel like all other fields relate to theirs (everything boils down to math or chemistry or physics, for example). This causes them to be overconfident on things they don’t actually know about. When it became clear that the current virus crisis might lead to a shortage of ventilators, many electronic experts set about to design low-cost easy to replicate ventilators. How hard is it, after all, to squeeze a bag once every few seconds? But it turns out, there are a lot of details you need to know to do it right. [Real Engineering] and [Real Science] joined to create an excellent video that covers a lot of what you need to know. You can see the video below. The video shows a few designs that — while motivated by altruism — would probably do more harm than good if used on real patients.

The video’s creator is a biomedical engineer who worked in the past for Medtronic — a maker of ventilators who, by the way, recently open-sourced one of their designs. They also had [Dr. Rohin Francis], who has a medical YouTube channel, fact check the video. and provide some on-screen background We learned a few new medical terms and found that a high-end ventilator made in one factory gets built at about 225 per week. They think they can increase to 500.

Continue reading “Real Engineering Behind Ventilators” →

Can Solid Save The Internet?

April 4, 2020 by Elliot Williams 32 Comments

We ran an article on Solid this week, a project that aims to do nothing less than change the privacy and security aspects of the Internet as we use it today. Sir Tim Berners-Lee, the guy who invented the World Wide Web as a side project at work, is behind it, and it’s got a lot to recommend it. I certainly hope they succeed.

The basic idea is that instead of handing your photos, your content, and your thoughts over to social media and other sharing platforms, you’d store your own personal data in a Personal Online Data (POD) container, and grant revocable access to these companies to access your data on your behalf. It’s like it’s your own website contents, but with an API for sharing parts of it elsewhere.

This is a clever legal hack, because today you give over rights to your data so that Facebook and Co. can display them in your name. This gives them all the bargaining power, and locks you into their service. If instead, you simply gave Facebook a revocable access token, the power dynamic shifts. Today you can migrate your data and delete your Facebook account, but that’s a major hassle that few undertake.

Mike and I were discussing this on this week’s podcast, and we were thinking about the privacy aspects of PODs. In particular, whatever firm you use to socially share your stuff will still be able to snoop you out, map your behavior, and target you with ads and other content, because they see it while it’s in transit. But I failed to put two and two together.

The real power of a common API for sharing your content/data is that it will make it that much easier to switch from one sharing platform to another. This means that you could easily migrate to a system that respects your privacy. If we’re lucky, we’ll see competition in this space. At the same time, storing and hosting the data would be portable as well, hopefully promoting the best practices in the providers. Real competition in where your data lives and how it’s served may well save the Internet. (Or at least we can dream.)