Russian Doomsday Radios Go Missing

Normally we like hearing about old military gear going on the surplus market. But if you encounter some late-model Russian radio and crypto equipment for sale you might want to make sure it isn’t hot (English translation). If you prefer not picking through the machine translation to English, the BBC also has a good write-up.

The Russians maintain four large planes set up as flying command and control bunkers in case of nuclear war — so-called “doomsday planes.” Like the U.S. ABNCP (better known as Looking Glass) fleet, the planes can provide the President or other senior leaders a complete command capability while in flight. As you might expect, the radios and gear on the plane are highly classified.


Hacker’s Discovery Changes Understanding Of The Antikythera Mechanism

With all the trained academics who have pored over the Antikythera mechanism in the 120 years since it was pulled from the Mediterranean Sea, you’d think all of the features of the ancient analog computer would have been discovered by now. But the mechanism still holds secrets, some of which can only be appreciated by someone in tune with the original maker of the device. At least that’s what appears to have happened with the recent discovery of a hitherto unknown lunar calendar in the Antikythera mechanism.

The Antikythera mechanism is fascinating in its own right, but the real treat here is that this discovery comes from one of our own community — [Chris] at Clickspring, maker of amazing clocks and other mechanical works of art. When he undertook a reproduction of the Antikythera mechanism using nothing but period-correct materials and tools four years ago, he had no idea that the effort would take the direction it has. The video — also on Vimeo — sums up the serendipitous discovery, which is based on the unusual number of divisions etched into one of the rings of the mechanism. Scholars had dismissed this as a mistake, but having walked a mile in the shoes of the mechanism’s creator, [Chris] knew better.

The craftsmanship and ingenuity evidenced in the original led [Chris] and his collaborators to the conclusion that the calendar ring is actually a 354-day calendar that reflects a lunar cycle rather than a solar cycle. The findings are summarized in a scholarly paper in the Horological Journal. Getting a paper accepted in a peer-reviewed journal is no mean feat, so hats off to the authors for not only finding this long-lost feature of the Antikythera mechanism and figuring out its significance, but also for persisting through the writing and publication process while putting other projects on hold. Clickspring fans have extra reason to rejoice, too — more videos are now on the way!


A Thousand Feet Under The Sea

If you were to plumb the depth of the oceans, you could only get so far with a snorkel or a SCUBA tank. We don’t know the price, but if you have enough money, you might consider the Triton 3300/6 — a six-person submersible that can go down to 3,300 feet (hence the name–get it–3300/6). Billed as “diving for the entire family,” we aren’t sure we can load grandma and the kids in something like this, but that doesn’t mean we wouldn’t like to try.

The machine can carry up to 1,760 pounds and can make 3 knots, which isn’t going to set any speed records. At around 24,000 pounds, the two main thrusters are lucky to make that speed. The view bubble is apparently optically perfect acrylic made by a German company, and the company claims the 100-inch diameter bubble is the world’s largest spherical acrylic pressure hull.


This Week In Security: VMWare, Microsoft Teams, Python Fuzzing, And More

There’s a VMWare problem that’s being exploited in the wild, according to the NSA (PDF). The vulnerability is a command injection on an administrative console. The web host backing this console is apparently running as root, as the vulnerability allows executing “commands with unrestricted privileges on the underlying operating system.”

The wrinkle that makes this interesting is that VMWare learned about this vuln from the NSA, which seems to indicate that it was a zero-day being used by a foreign state. The compromise chain they list is also oddly specific, making me suspect that it is a sanitized account of observed attacks.

Microsoft Teams, And the Non-CVE

[Oskars Vegeris] found a pair of interesting problems in the Microsoft Teams client, which together allow an interactionless, wormable RCE. The first vuln is an XSS problem, where a message containing a “mention” can be modified in transit to include arbitrary JavaScript. To get that JS past the XSS protection filter, a Unicode NULL byte is included in the payload. The second vuln abuses the built-in file download code in the Teams app to download and auto-run a binary. Put together, anyone who simply loads the message in their Teams app runs the code.

Vegeris points out that since so many users have a presence in multiple rooms, it would be trivial to use this exploit to build a worm that could infect the majority of Teams users worldwide. The bug was reported privately to Microsoft and fixed back in October. A wormable RCE in a widely used tool seems like a big deal, and should net a high CVSS score, right? Microsoft gave two ratings for this attack chain, for the two versions of Teams that it can affect. For the Office 365 client, it’s “Important, Spoofing”, which is about as unimportant as a bug can be. The desktop app, at least, was rated “critical” for an RCE. The reason for that seems to be that the sandbox escape only works on the standalone desktop app.

But no CVE was issued for the exploit chain. In the security community, collecting CVEs is an important proof of work for your resume. Microsoft replied that they don’t issue CVEs for products that get updated automatically without user interaction. Kerfuffle ensued.

Remembering Chuck Yeager: The Supersonic Legend Whose Wings Were Clipped By A High School Diploma

In history there are people whose legacy becomes larger than life. Ask anyone who built and flew the first airplane, and you’d be hard-pressed to find someone who isn’t at least aware of the accomplishments of the Wright brothers. In a similar vein, Chuck Yeager’s pioneering trip into supersonic territory with the Bell X-1 airplane made his name essentially synonymous with the whole concept of flying faster than the speed of sound. This wasn’t the sole thing he did, of course: he also fought in WWII and Vietnam and worked as an instructor and test pilot, flying hundreds of different airplanes during his career.

Yeager’s insistence on making that first supersonic flight, despite having broken two ribs days earlier, became emblematic of the man himself: someone who never let challenges keep him from exploring the limits of the countless aircraft he flew, while inspiring others to give it their best shot. Perhaps ironically, it could be said that the only thing that ever held Yeager back was only having a high school diploma.

On December 7, 2020, Chuck Yeager died at the age of 97, leaving behind a legacy that will continue to inspire many for decades to come.


CentOS Is Dead, Long Live CentOS

On Tuesday, December 8th, Red Hat and CentOS announced the end of CentOS 8. To be specific, CentOS 8 will reach end of life at the end of 2021, 8 years ahead of schedule. To really understand what that means, and how we got here, it’s worth taking a trip down memory lane, and looking at how the history of Red Hat Enterprise Linux (RHEL), CentOS, and IBM are intertwined.


The Gatwick Drone: Finally Someone Who Isn’t Us Asks Whether It Ever Really Existed

It’s taken two years, but finally it’s happened. Finally a respected national mass-media outlet has asked the question Hackaday were posing shortly after the event: what evidence was there that a drone was actually present in restricted airspace?

The Guardian newspaper in the UK is the outlet looking into the mystery of the Gatwick drone. It was the worldwide story of the moment around this time back in 2018 when the London airport closed down for several days in response to a series of drone reports. The assumption being put forward was that bad actors in the drone community were to blame, but there was significant disquiet in those ranks as the police and media story simply lacked credibility to anyone with knowledge of drones. At no point could they point to evidence that held water, the couple they arrested turned out to be innocent, and eventually a police officer admitted that there might not have been a drone after all. The damage had by then been done, as Received Opinion had it that irresponsible drone enthusiasts had put lives in danger and caused huge economic damage by closing an airport for several days.

The Guardian piece paints a fascinating and detailed picture of the events surrounding the investigation, by bringing the investigative journalism resources of a national newspaper to bear on tracing and interviewing people involved from all sides. They talk to former Gatwick employees, off-the-record police officers with knowledge of the case, a drone specialist journalist, and the drone community, including some of its members with significant professional experience in the world of aviation. The piece also covers the slow drip-feed of freedom of information requests revealing the machinations behind the scenes, and the continuing lack of tangible proof of a drone. It’s very much worth a read, and we hope it will prompt further investigation of the events without the focus being on a non-existent drone.

We’d like to invite you to read Hackaday’s coverage from a few days after the event, and for an overview of the subject including the later Heathrow event, watch the CCCamp talk I presented on the topic in 2019. Then as now, our wish is for competent police investigations, responsible media reporting of drone stories, and credible official investigations of air proximity reports surrounding drones.

Header: Lucy Ingham, CC BY-SA 4.0.