News

3662 Articles

A Thousand Feet Under The Sea

December 11, 2020 by 15 Comments

If you were to plumb the depth of the oceans, you could only get so far with a snorkel or a SCUBA tank. We don’t know the price, but if you have enough money, you might consider the Triton 3300/6 — a six-person submersible that can go down to 3,300 feet (hence the name–get it–3300/6). Billed as “diving for the entire family,” we aren’t sure we can load grandma and the kids in something like this, but that doesn’t mean we wouldn’t like to try.

The machine can carry up to 1,760 pounds and can make 3 knots which isn’t going to set any speed records. At around 24,000 pounds, the two main thrusters are lucky to make that speed. The view bubble is apparently optically perfect acrylic made by a German company and the company claims the 100-inch diameter bubble is the world’s largest spherical acrylic pressure hull.

Continue reading “A Thousand Feet Under The Sea”

This Week In Security: VMWare, Microsoft Teams, Python Fuzzing, And More

December 11, 2020 by 9 Comments

There’s a VMWare problem that’s being exploited in the wild, according to the NSA (PDF). The vulnerability is a command injection on an administrative console. The web host backing this console is apparently running as root, as the vulnerability allows executing “commands with unrestricted privileges on the underlying operating system.”

The wrinkle that makes this interesting is that VMWare learned about this vuln from the NSA, which seems to indicate that it was a zero-day being used by a foreign state. The compromise chain they list is also oddly specific, making me suspect that it is a sanitized account of observed attacks.

Microsoft Teams, And the Non-CVE

[Oskars Vegeris] found a pair of interesting problems in the Microsoft Teams client, which together allows an interactionless, wormable RCE. The first vuln is an XSS problem, where a message containing a “mention” can be modified in transit to include arbitrary Javascript. To get that JS past the XSS protection filter, a unicode NULL byte is included in the payload. The second vuln is using the built-in file download code in the Teams app to download and auto-run a binary. Put together, anyone who simply loads the message in their Teams app runs the code.

Vegeris points out that since so many users have a presence in multiple rooms, it would be trivial to use this exploit to build a worm that could infect the majority of Teams users worldwide. The bug was reported privately to Microsoft and fixed back in October. A wormable RCE in a widely used tool seems like a big deal, and should net a high CVE score, right? Microsoft gave two ratings for this attack chain, for the two versions of Teams that it can affect. For the Office365 client, it’s “Important, Spoofing”, which is about as unimportant as a bug can be. The desktop app, at least, was rated “critical” for an RCE. The reason for that seems to be that the sandbox escape only works on the standalone desktop app.

But no CVE was issued for the exploit chain. In the security community, collecting CVEs is an important proof of work for your resume. Microsoft replied that they don’t issue CVEs for products that get updated automatically without user interaction. Kerfuffle ensued. Continue reading “This Week In Security: VMWare, Microsoft Teams, Python Fuzzing, And More”

Remembering Chuck Yeager: The Supersonic Legend Whose Wings Were Clipped By A High School Diploma

December 10, 2020 by 37 Comments

In history there are people whose legacy becomes larger than life. Ask anyone who built and flew the first airplane, and you’d be hard-pressed to find someone who isn’t at least aware of the accomplishments of the Wright brothers. In a similar vein, Chuck Yeager’s pioneering trip into supersonic territory with the Bell X-1 airplane made his name essentially synonymous with the whole concept of flying faster than the speed of sound. This wasn’t the sole thing he did, of course: he also fought in WWII and Vietnam and worked as an instructor and test pilot, flying hundreds of different airplanes during his career.

Yeager’s insistence on making that first supersonic flight, despite having broken two ribs days earlier, became emblematic of the man himself: someone who never let challenges keep him from exploring the limits of the countless aircraft he flew, while inspiring others to give it their best shot. Perhaps ironically, it could be said that the only thing that ever held Yeager back was only having a high school diploma.

On December 7, 2020, Chuck Yeager died at the age of 97, leaving behind a legacy that will continue to inspire many for decades to come.

Continue reading “Remembering Chuck Yeager: The Supersonic Legend Whose Wings Were Clipped By A High School Diploma”

CentOS Is Dead, Long Live CentOS

December 9, 2020 by 53 Comments

On Tuesday, December 8th, Red Hat and CentOS announced the end of CentOS 8. To be specific, CentOS 8 will reach end of life at the end of 2021, 8 years ahead of schedule. To really understand what that means, and how we got here, it’s worth taking a trip down memory lane, and looking at how the history of Red Hat Enterprise Linux (RHEL), CentOS, and IBM are intertwined.

Continue reading “CentOS Is Dead, Long Live CentOS”

The Gatwick Drone: Finally Someone Who Isn’t Us Asks Whether It Ever Really Existed

December 7, 2020 by 70 Comments

It’s taken two years, but finally it’s happened. Finally a respected national mass-media outlet has asked the question Hackaday were posing shortly after the event: what evidence was there that a drone was actually present in restricted airspace?

The Guardian newspaper in the UK is the outlet looking into the mystery of the Gatwick drone. It was the worldwide story of the moment around this time back in 2018 when the London airport closed down for several days in response to a series of drone reports. The assumption being put forward was that bad actors in the drone community were to blame, but there was significant disquiet in those ranks as the police and media story simply lacked credibility to anyone with knowledge of drones. At no point could they point to evidence that held water, the couple they arrested turned out to be innocent, and eventually a police officer admitted that there might not have been a drone after all. The damage had by then been done, as Received Opinion had it that irresponsible drone enthusiasts had put lives in danger and caused huge economic damage by closing an airport for several days.

The Guardian piece paints a fascinating and detailed picture of the events surrounding the investigation, by bringing the investigative journalism resources of a national newspaper into tracing and interviewing people involved from all sides. They talk to former Gatwick employees, off-the-record police officers with knowledge of the case, a drone specialist journalist, and the drone community including some of its members with significant professional experience in the world of aviation. It talks about the slow drip-feed of freedom of information requests revealing the machinations behind the scenes and furthermore the continuing lack of tangible proof of a drone. It’s very much worth a read, and we hope it will prompt further investigation of the events without the focus being on a non-existent drone.

We’d like to invite you to read Hackaday’s coverage from a few days after the event, and for an overview of the subject including the later Heathrow event, watch the CCCamp talk I presented on the topic in 2019. Then as now, our wish is for competent police investigations, responsible media reporting of drone stories, and credible official investigations of air proximity reports surrounding drones.

Header: Lucy Ingham, CC BY-SA 4.0.

Sufficiently Advanced Technology And Justice

December 5, 2020 by 74 Comments

Imagine that you’re serving on a jury, and you’re given an image taken from a surveillance camera. It looks pretty much like the suspect, but the image has been “enhanced” by an AI from the original. Do you convict? How does this weigh out on the scales of reasonable doubt? Should you demand to see the original?

AI-enhanced, upscaled, or otherwise modified images are tremendously realistic. But what they’re showing you isn’t reality. When we wrote about this last week, [Denis Shiryaev], one of the authors of one of the methods we highlighted, weighed in the comments to point out that these modifications aren’t “restorations” of the original. While they might add incredibly fine detail, for instance, they don’t recreate or restore reality. The neural net creates its own reality, out of millions and millions of faces that it’s learned.

And for the purposes of identification, that’s exactly the problem: the facial features of millions of other people have been used to increase the resolution. Can you identify the person in the pixelized image? Can you identify that same person in the resulting up-sampling? If the question put before the jury was “is the defendant a former president of the USA?” you’d answer the question differently depending on which image you were presented. And you’d have a misleading level of confidence in your ability to judge the AI-retouched photo. Clearly, informed skepticism on the part of the jury is required.

Unfortunately, we’ve all seen countless examples of “zoom, enhance” in movies and TV shows being successfully used to nab the perps and nail their convictions. We haven’t seen nearly as much detailed analysis of how adversarial neural networks create faces out of a scant handful of pixels. This, combined with the almost magical resolution of the end product, would certainly sway a jury of normal folks. On the other hand, the popularity of intentionally misleading “deep fakes” might help educate the public to the dangers of believing what they see when AI is involved.

This is just one example, but keeping the public interested in and educated on the deep workings and limitations of the technology that’s running our world is more important than ever before, but some of the material is truly hard. How do we separate the science from the magic?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

The Protein Folding Break-Through

December 4, 2020 by 22 Comments

Researchers at DeepMind have proudly announced a major break-through in predicting static folded protein structures with a new program known as AlphaFold 2. Protein folding has been an ongoing problem for researchers since 1972. Christian Anfinsen speculated in his Nobel Prize acceptance speech in that year that the three-dimensional structure of a given protein should be algorithm determined by the one-dimensional DNA sequence that describes it. When you hear protein, you might think of muscles and whey powder, but the proteins mentioned here are chains of amino acids that fold into complex shapes. Cells use these proteins for almost everything. Many of the enzymes, antibodies, and hormones inside your body are folded proteins. We’ve discussed why protein folding is important as well covered recent advancements in cryo-electron microscopy used to experimentally determine the structure of folded proteins.

The shape of proteins largely controls their function, and if we can predict their shape then we get much closer to predicting how they interact. While AlphaFold 2 just predicts the static state, the sheer number of interactions that can change a protein, dynamic protein structures are still out of reach. The technical achievement of DeepMind is not to be understated. For a typical protein, there are an estimated 10^300 different configurations.

Out of the 180 million protein sequences in the Protein database, only 170,000 have had their structures identified. Technologies like the cryo-electron microscope make the process of mapping their structure easier, but it is still complex and tedious to go from sequence to structure. AlphaFold 2 and other folding algorithms are tested against this 170,000 member corpus to determine their accuracy. The previous highest-scoring algorithm of 2016 had a median global distance test (GDT) of 40 (0-100, with 100 being the best) in the most difficult category (free-modeling). In 2018, AlphaFold made waves by pushing that up to the high 50’s. AlphaFold 2 brings that GDT up to 87.

At this point in time, it is hard to determine what sort of effects this will have on the drug industry, healthcare, and society in general. Research has always been done to create the protein, identify what it does, then figure out its structure. AlphaFold 2 represents an avenue towards doing that whole process completely backward. Whether the next goal is to map all the proteins encoded in the human genome or find new, more effective drug treatments, we’re quite excited to see what becomes of this landmark breakthrough.

Continue reading “The Protein Folding Break-Through”