News

3396 Articles

Iceland Is Doing Its COVID-19 Proximity Tracing The Open Source Way

April 10, 2020 by 6 Comments

As governments around the world grapple with the problem of tracing those who have had contact with a person known to have been infected with the COVID-19 virus, attention has turned to the idea of mobile apps that can divulge who a person has been near so that they can be alerted of potential infections. This has a huge potential for abuse by regimes with little care for personal privacy, and has been a significant concern for those working in that field. An interesting compromise has been struck by Iceland, who have produced an app for their populace that stores the information on the device and only uploads it with the user’s consent once they have received a diagnosis. We can all take a look, because to ensure transparency they have released it as open source.

On signing up for the scheme a central server stores the details of each user as well as their phone number. When the epidemiologists have a need to trace a person’s contacts they send a notification, and the person can consent to their upload. This is a fine effort to retain user privacy, with depending on your viewpoint the flaw or the advantage being that the user can not have their data slurped without their knowledge. Iceland is a country with a relatively small population, so we can imagine that with enough consent there could be effective tracing.

We installed the Android version on the Hackaday phone to have a look, but unfortunately it seems to need to be in Iceland to be of use enough to explore. We would be interested to hear from our Icelandic readers, to hear their views. Meanwhile readers can juxtapose the Icelandic app with another proposal for a more anonymised version.

Real Engineering Behind Ventilators

April 7, 2020 by 40 Comments

Experts on cognition tell us that most people think they know more than they really do. One particular indicator for that is if someone is an expert in one field and they feel like all other fields relate to theirs (everything boils down to math or chemistry or physics, for example). This causes them to be overconfident on things they don’t actually know about. When it became clear that the current virus crisis might lead to a shortage of ventilators, many electronic experts set about to design low-cost easy to replicate ventilators. How hard is it, after all, to squeeze a bag once every few seconds? But it turns out, there are a lot of details you need to know to do it right. [Real Engineering] and [Real Science] joined to create an excellent video that covers a lot of what you need to know. You can see the video below. The video shows a few designs that — while motivated by altruism — would probably do more harm than good if used on real patients.

The video’s creator is a biomedical engineer who worked in the past for Medtronic — a maker of ventilators who, by the way, recently open-sourced one of their designs. They also had [Dr. Rohin Francis], who has a medical YouTube channel, fact check the video. and provide some on-screen background We learned a few new medical terms and found that a high-end ventilator made in one factory gets built at about 225 per week. They think they can increase to 500.

Continue reading “Real Engineering Behind Ventilators”

Can Solid Save The Internet?

April 4, 2020 by 32 Comments

We ran an article on Solid this week, a project that aims to do nothing less than change the privacy and security aspects of the Internet as we use it today. Sir Tim Berners-Lee, the guy who invented the World Wide Web as a side project at work, is behind it, and it’s got a lot to recommend it. I certainly hope they succeed.

The basic idea is that instead of handing your photos, your content, and your thoughts over to social media and other sharing platforms, you’d store your own personal data in a Personal Online Data (POD) container, and grant revocable access to these companies to access your data on your behalf. It’s like it’s your own website contents, but with an API for sharing parts of it elsewhere.

This is a clever legal hack, because today you give over rights to your data so that Facebook and Co. can display them in your name. This gives them all the bargaining power, and locks you into their service. If instead, you simply gave Facebook a revocable access token, the power dynamic shifts. Today you can migrate your data and delete your Facebook account, but that’s a major hassle that few undertake.

Mike and I were discussing this on this week’s podcast, and we were thinking about the privacy aspects of PODs. In particular, whatever firm you use to socially share your stuff will still be able to snoop you out, map your behavior, and target you with ads and other content, because they see it while it’s in transit. But I failed to put two and two together.

The real power of a common API for sharing your content/data is that it will make it that much easier to switch from one sharing platform to another. This means that you could easily migrate to a system that respects your privacy. If we’re lucky, we’ll see competition in this space. At the same time, storing and hosting the data would be portable as well, hopefully promoting the best practices in the providers. Real competition in where your data lives and how it’s served may well save the Internet. (Or at least we can dream.)

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.

Want this type of article to hit your inbox every Friday morning? You should sign up!

Open Source Telescope Controller Puts Smart Features In Old Telescopes

April 4, 2020 by 10 Comments

In times like these, we all need to look beyond ourselves. This project might help: OnStep is an open-source telescope controller, a device that controls a telescope to point at something interesting in the sky. Want to take a look at M31? Use an app on a PC or smartphone, select the object and the OnStep will pan and tilt your telescope until the Andromeda Galaxy pops into view.

Continue reading “Open Source Telescope Controller Puts Smart Features In Old Telescopes”

This Week In Security: OpenWrt, ZOOM, And Systemd

April 3, 2020 by 21 Comments

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, make for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: A list of packages, which contains a SHA256 of each package, and then a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages.


It’s a valid approach, but there was a bug, discovered by [Guido Vranken], in how opkg reads the hash values from the package list. The leading space triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank. Rather than fail the install, the hash verification is simply skipped. The result? Opkg is vulnerable to a rather simple man in the middle attack.

OpenWrt doesn’t do any automatic installs or automatic updates, so this vulnerability will likely not be widely abused, but it could be used for a targeted attack. An attacker would need to be in a position to MitM the router’s internet connection while software was being installed. Regardless, make sure you’re running the latest OpenWrt release to mitigate this issue. Via Ars Technica.

Wireguard V1.0

With the Linux Kernel version 5.6 being finally released, Wireguard has finally been christened as a stable release. An interesting aside, Google has enabled Wireguard in their Generic Kernel Image (GKI), which may signal more official support for Wireguard VPNs in Android. I’ve also heard reports that one of the larger Android ROM development communities is looking into better system-level Wireguard support as well.

Javascript in Disguise

Javascript makes the web work — and has been a constant thorn in the side of good security. For just an example, remember Samy, the worm that took over Myspace in ’05. That cross-site scripting (XSS) attack used a series of techniques to embed Javascript code in a user’s profile. Whenever that profile page was viewed, the embedded JS code would run, and then replicate itself on the page of whoever had the misfortune of falling into the trap.

Today we have much better protections against XSS attacks, and something like that could never happen again, right? Here’s the thing, for every mitigation like Content-Security-Policy, there is a guy like [theMiddle] who’s coming up with new ways to break it. In this case, he realized that a less-than-perfect CSP could be defeated by encoding Javascript inside a .png, and decoding it to deliver the payload.

Systemd

Ah, systemd. Nothing seems to bring passionate opinions out of the woodwork like a story about it. In this case, it’s a vulnerability found by [Tavis Ormandy] from Google Project Zero. The bug is a race condition, where a cached data structure can be called after it’s already been freed. It’s interesting, because this vulnerability is accessible using DBus, and could potentially be used to get root level access. It was fixed with systemd v220.

Mac Firmware

For those of you running MacOS on Apple hardware, you might want to check your firmware version. Not because there’s a particularly nasty vulnerability in there, but because firmware updates fail silently during OS updates. What’s worse, Apple isn’t publishing release notes, or even acknowledging the most recent firmware version. A crowd-sourced list of the latest firmware versions is available, and you can try to convince your machine to try again, and hope the firmware update works this time.

Anti-Rubber-Ducky

Google recently announced a new security tool, USB Keystroke Injection Protection. I assume the nickname, UKIP, isn’t an intentional reference to British politics. Regardless, this project is intended to help protect against the infamous USB Rubber Ducky attack, by trying to differentiate a real user’s typing cadence, as opposed to a malicious device that types implausibly quickly.

While the project is interesting, there are already examples of how to defeat it that amount to simply running the scripts with slight pauses between keystrokes. Time will tell if UKIP turns into a useful mitigation tool. (Get it?)

SMBGhost

Remember SMBGhost, the new wormable SMB flaw? Well, there is already a detailed explanation and PoC. This particular PoC is a local-only privilege escalation, but a remote code execution attack is like inevitable, so go make sure you’re patched!

FDA Says PPE Can Be Reused After Trip Through Shipping Container Decontamination System

April 2, 2020 by 96 Comments

We are hearing so much in the news about shortages of personal protective equipment, or PPE, for healthcare workers. Factories are being asked to perform the impossible when it comes to production be the need is so real, so immediate, and so widespread.

The problem with rapid consumption of PPE is that once it has been exposed to infection, it’s contaminated and can’t be used again. Physically it may be fine, but it retains the capability to infect other people. If there were some way it could be effectively cleaned and decontaminated for re-use, it would reduce the strain on the supply chain and result in a greater availability of PPE for all those who require it.

This is the promise of Battelle’s Critical Care Decontamination System, a shipping-container-sized unit which has received approval from the FDA at break-neck speed.

Continue reading “FDA Says PPE Can Be Reused After Trip Through Shipping Container Decontamination System”

Teaching Robots Workplace Etiquette

April 1, 2020 by 3 Comments

Most often, humans and robots do not have to work directly together, instead working on different parts in a production pipeline or with the robot performing tasks instead of a human. In such cases any human-robot interaction (HRI) will be superficial. Yet what if humans and robots have to work alongside each other? This is a question which a group of students at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) have recently studied some answers to.

In their paper on human-robot collaborative tasks (PDF), they cover the three possible models one can use for this kind of interaction: there can be no communication (‘silent’), the communication can be pre-programmed (state machine), or in this case a Markov model-based system. This framework which they demonstrate is called CommPlan and it uses observation data from human subjects to construct a Markov model that can integrate sensor data in order to decide on its next action.

In the experiment they performed (the preparation of a meal; see the embedded video after the break), human subjects had to work alongside a robot. Between the three different approaches, the CommPlan one was the fastest, using voice interaction only when it deemed it to be necessary. The experiment’s subjects expressed hereby a preference for bidirectional communication, much as would occur between human workers.

Continue reading “Teaching Robots Workplace Etiquette”