Hacker’s Discovery Changes Understanding Of The Antikythera Mechanism

With all the trained academics who have pored over the Antikythera mechanism in the 120 years since it was pulled from the Mediterranean Sea, you’d think all of the features of the ancient analog computer would have been discovered by now. But the mechanism still holds secrets, some of which can only be appreciated by someone in tune with the original maker of the device. At least that is what appears to have happened with the recent discovery of a hitherto unknown lunar calendar in the Antikythera mechanism. (Video, embedded below.)

The Antikythera mechanism is fascinating in its own right, but the real treat here is that this discovery comes from one of our own community — [Chris] at Clickspring, maker of amazing clocks and other mechanical works of art. When he undertook a reproduction of the Antikythera mechanism using nothing but period-correct materials and tools four years ago, he had no idea that the effort would take the direction it has. The video below — also on Vimeo — sums up the serendipitous discovery, which is based on the unusual number of divisions etched into one of the rings of the mechanism. Scholars had dismissed this as a mistake, but having walked a mile in the shoes of the mechanism’s creator, [Chris] knew better.

The craftsmanship and ingenuity evidenced in the original led [Chris] and his collaborators to the conclusion that the calendar ring is actually a 354-day calendar that reflects a lunar cycle rather than a solar cycle. The findings are summarized in a scholarly paper in the Horological Journal. Getting a paper accepted in a peer-reviewed journal is no mean feat, so hats off to the authors for not only finding this long-lost feature of the Antikythera mechanism and figuring out its significance, but also for persisting through the writing and publication process while putting other projects on hold. Clickspring fans have extra reason to rejoice, too — more videos are now on the way!

Continue reading “Hacker’s Discovery Changes Understanding Of The Antikythera Mechanism”

A Thousand Feet Under The Sea

If you were to plumb the depths of the oceans, you could only get so far with a snorkel or a SCUBA tank. We don’t know the price, but if you have enough money, you might consider the Triton 3300/6: a six-person submersible that can go down to 3,300 feet (hence the name: get it? 3300/6). Billed as “diving for the entire family,” we aren’t sure we can load grandma and the kids in something like this, but that doesn’t mean we wouldn’t like to try.

The machine can carry up to 1,760 pounds and can make 3 knots, which isn’t going to set any speed records. At around 24,000 pounds, the two main thrusters are lucky to make that speed. The view bubble is apparently optically perfect acrylic made by a German company, and Triton claims the 100-inch diameter bubble is the world’s largest spherical acrylic pressure hull.

Continue reading “A Thousand Feet Under The Sea”

This Week In Security: VMWare, Microsoft Teams, Python Fuzzing, And More

There’s a VMWare problem that’s being exploited in the wild, according to the NSA (PDF). The vulnerability is a command injection on an administrative console. The web host backing this console is apparently running as root, as the vulnerability allows executing “commands with unrestricted privileges on the underlying operating system.”

The wrinkle that makes this interesting is that VMWare learned about this vuln from the NSA, which seems to indicate that it was a zero-day being used by a foreign state. The compromise chain they list is also oddly specific, making me suspect that it is a sanitized account of observed attacks.

Microsoft Teams, And the Non-CVE

[Oskars Vegeris] found a pair of interesting problems in the Microsoft Teams client, which together allow an interactionless, wormable RCE. The first vuln is an XSS problem, where a message containing a “mention” can be modified in transit to include arbitrary JavaScript. To get that JS past the XSS protection filter, a Unicode NULL byte is included in the payload. The second vuln is using the built-in file download code in the Teams app to download and auto-run a binary. Put together, anyone who simply loads the message in their Teams app runs the code.
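As an added illustration (not Teams code or the reported payload; both filters are hypothetical), here is why a filter that pattern-matches raw input can miss a token split by a NULL byte, and the defensive fix: canonicalize the input before matching, and encode on output rather than relying on the filter at all.

```javascript
// Naive denylist filter: looks for a dangerous tag name in the raw text.
// A NUL byte inside the token breaks the pattern, so the check passes.
function naiveFilter(input) {
  return !/<\s*script/i.test(input); // true means "looks safe"
}

// Step 1 of the fix: canonicalize. Strip NUL and other C0 control characters
// (tab, LF and CR are kept) so the filter and any later consumer see the same text.
function normalize(input) {
  return input.replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "");
}

// Step 2: decide on the normalized form, and use an allowlist (plain text only)
// instead of a denylist of known-bad tags.
function hardenedFilter(input) {
  return !/[<>]/.test(normalize(input));
}

// Step 3: encode on output. Even if every filter is bypassed, encoded text
// is rendered as text, not markup.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Render path a mention component should use: canonicalize, then encode.
function renderMention(input) {
  return escapeHtml(normalize(input));
}

// Constructed samples (not from the report): a benign mention, and one whose
// tag name has a NUL byte inserted so the naive regex no longer matches it.
const benignMention = "@alice thanks for the review";
const nulSplitMention = "@alice <scr\u0000ipt>alert(1)</scr\u0000ipt>";

// Summary a reviewer can eyeball: which stage catches the split token.
function summarize() {
  return {
    naivePassesBenign: naiveFilter(benignMention),
    naivePassesSplit: naiveFilter(nulSplitMention),       // true: the bypass
    hardenedPassesSplit: hardenedFilter(nulSplitMention), // false: caught
    renderedHasMarkup: /[<>]/.test(renderMention(nulSplitMention)), // false
  };
}
```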

Vegeris points out that since so many users have a presence in multiple rooms, it would be trivial to use this exploit to build a worm that could infect the majority of Teams users worldwide. The bug was reported privately to Microsoft and fixed back in October. A wormable RCE in a widely used tool seems like a big deal, and should net a high CVSS score, right? Microsoft gave two ratings for this attack chain, one for each of the two versions of Teams that it can affect. For the Office365 client, it’s “Important, Spoofing”, which is about as unimportant as a bug can be. The desktop app, at least, was rated “critical” for an RCE. The reason for that seems to be that the sandbox escape only works on the standalone desktop app.

But no CVE was issued for the exploit chain. In the security community, collecting CVEs is an important proof of work for your resume. Microsoft replied that they don’t issue CVEs for products that get updated automatically without user interaction. Kerfuffle ensued.

Continue reading “This Week In Security: VMWare, Microsoft Teams, Python Fuzzing, And More”

Remembering Chuck Yeager: The Supersonic Legend Whose Wings Were Clipped By A High School Diploma

In history there are people whose legacy becomes larger than life. Ask anyone who built and flew the first airplane, and you’d be hard-pressed to find someone who isn’t at least aware of the accomplishments of the Wright brothers. In a similar vein, Chuck Yeager’s pioneering trip into supersonic territory with the Bell X-1 airplane made his name essentially synonymous with the whole concept of flying faster than the speed of sound. This wasn’t the sole thing he did, of course: he also fought in WWII and Vietnam and worked as an instructor and test pilot, flying hundreds of different airplanes during his career.

Yeager’s insistence on making that first supersonic flight, despite having broken two ribs days earlier, became emblematic of the man himself: someone who never let challenges keep him from exploring the limits of the countless aircraft he flew, while inspiring others to give it their best shot. Perhaps ironically, it could be said that the only thing that ever held Yeager back was having nothing more than a high school diploma.

On December 7, 2020, Chuck Yeager died at the age of 97, leaving behind a legacy that will continue to inspire many for decades to come.

Continue reading “Remembering Chuck Yeager: The Supersonic Legend Whose Wings Were Clipped By A High School Diploma”

CentOS Is Dead, Long Live CentOS

On Tuesday, December 8th, Red Hat and CentOS announced the end of CentOS 8. To be specific, CentOS 8 will reach end of life at the end of 2021, 8 years ahead of schedule. To really understand what that means, and how we got here, it’s worth taking a trip down memory lane, and looking at how the history of Red Hat Enterprise Linux (RHEL), CentOS, and IBM are intertwined.

Continue reading “CentOS Is Dead, Long Live CentOS”

The Gatwick Drone: Finally Someone Who Isn’t Us Asks Whether It Ever Really Existed

It’s taken two years, but finally it’s happened. Finally a respected national mass-media outlet has asked the question Hackaday were posing shortly after the event: what evidence was there that a drone was actually present in restricted airspace?

The Guardian newspaper in the UK is the outlet looking into the mystery of the Gatwick drone. It was the worldwide story of the moment around this time back in 2018 when the London airport closed down for several days in response to a series of drone reports. The assumption being put forward was that bad actors in the drone community were to blame, but there was significant disquiet in those ranks as the police and media story simply lacked credibility to anyone with knowledge of drones. At no point could they point to evidence that held water, the couple they arrested turned out to be innocent, and eventually a police officer admitted that there might not have been a drone after all. The damage had by then been done, as Received Opinion had it that irresponsible drone enthusiasts had put lives in danger and caused huge economic damage by closing an airport for several days.

The Guardian piece paints a fascinating and detailed picture of the events surrounding the investigation, by bringing the investigative journalism resources of a national newspaper into tracing and interviewing people involved from all sides. They talk to former Gatwick employees, off-the-record police officers with knowledge of the case, a drone specialist journalist, and the drone community, including some of its members with significant professional experience in the world of aviation. It also covers the slow drip-feed of freedom of information requests revealing the machinations behind the scenes, and the continuing lack of tangible proof of a drone. It’s very much worth a read, and we hope it will prompt further investigation of the events without the focus being on a non-existent drone.

We’d like to invite you to read Hackaday’s coverage from a few days after the event, and for an overview of the subject including the later Heathrow event, watch the CCCamp talk I presented on the topic in 2019. Then as now, our wish is for competent police investigations, responsible media reporting of drone stories, and credible official investigations of air proximity reports surrounding drones.

Header: Lucy Ingham, CC BY-SA 4.0.

Sufficiently Advanced Technology And Justice

Imagine that you’re serving on a jury, and you’re given an image taken from a surveillance camera. It looks pretty much like the suspect, but the image has been “enhanced” by an AI from the original. Do you convict? How does this weigh out on the scales of reasonable doubt? Should you demand to see the original?

AI-enhanced, upscaled, or otherwise modified images are tremendously realistic. But what they’re showing you isn’t reality. When we wrote about this last week, [Denis Shiryaev], an author of one of the methods we highlighted, weighed in in the comments to point out that these modifications aren’t “restorations” of the original. While they might add incredibly fine detail, for instance, they don’t recreate or restore reality. The neural net creates its own reality, out of the millions and millions of faces that it’s learned.

And for the purposes of identification, that’s exactly the problem: the facial features of millions of other people have been used to increase the resolution. Can you identify the person in the pixelized image? Can you identify that same person in the resulting up-sampling? If the question put before the jury was “is the defendant a former president of the USA?” you’d answer the question differently depending on which image you were presented. And you’d have a misleading level of confidence in your ability to judge the AI-retouched photo. Clearly, informed skepticism on the part of the jury is required.

Unfortunately, we’ve all seen countless examples of “zoom, enhance” in movies and TV shows being successfully used to nab the perps and nail their convictions. We haven’t seen nearly as much detailed analysis of how adversarial neural networks create faces out of a scant handful of pixels. This, combined with the almost magical resolution of the end product, would certainly sway a jury of normal folks. On the other hand, the popularity of intentionally misleading “deep fakes” might help educate the public to the dangers of believing what they see when AI is involved.

This is just one example, but keeping the public interested in and educated on the deep workings and limitations of the technology that’s running our world is more important than ever before. Some of the material, though, is truly hard. How do we separate the science from the magic?