Tiny Basic was one of the first versions of Basic released after Bill Gates' famous open letter to hobbyists in 1976. While Altair Basic was selling for $150, Tom Pittman wrote Tiny Basic for the 6800 and sold it for only $5 (don’t worry, Tom has since made it free to use). We got a kick out of browsing the Tiny Basic manual and learning that our serial number can be found on the paper tape leader, and that a Teletype will generally receive at least one more character after getting the X-OFF control signal.
In the video, you can see [Nick] running a short Basic program and operating his Christmas tree lights from the Vectron, although it’s only on-off control. He suggests that a PCB version is in the works, but he’s having trouble deciding when to quit adding features. That’s a conundrum we know all too well.
Over the past few years, the trend has been to ditch anything with wires. This has led many people to drop wired earphones and headphones for wireless (Bluetooth) versions. Yet along with the freedom from having the wires snag on something and the earphones painfully torn out of your ears comes the very real risk of having them drop out of your ears and land somewhere very inconvenient.
In Japan this has become a big issue for railway companies, where throngs of commuters will often accidentally drop possessions onto the tracks. Staff members then use a mechanical claw (‘magic hand’) to fetch them without having to risk their lives by jumping down. With small items such as wireless earphones, however, this is not so easy. With 947 cases of dropped earphones in the period of July-September in just the Tokyo area, desperate staff members have been coming up with new methods of easily retrieving the small gadgets.
Solutions range from putting something sticky like tape at the end of a stick, to modifying vacuum cleaners. Most recently Tokyo railway company JR East has collaborated with Panasonic to develop a vacuum cleaner-like device that is especially designed to easily retrieve such small items from the tracks, according to the Japan Times article.
The embedded video (also found after the break) from a Japanese broadcaster describes the issue in detail, along with tips on how to properly wear earphones so that they’re far less likely to fall out when you’re waiting for the tram or walking down the street. While it’s possible to fetch your dropped wireless earphones from the tracks, having someone step on one right after it falls out of your ear on the street is less easy to recover from.
Git’s Large File System is a reasonable solution to a bit of a niche problem: how do you handle large binary files that need to go into a git repository? It might be pictures or video that are part of a project’s documentation, or even a demonstration dataset. Git-lfs’s solution is to replace the binary files with a text-based pointer to where the real file is hosted. That’s not important to understanding this vulnerability, though. The problem is that git-lfs calls the main git binary as part of its operation, and when it does so, the full path is not used. On a Unix system, that’s not a problem: the $PATH variable determines where to look for binaries, so when git is run, /usr/bin/git is automagically what gets executed. On a Windows system, however, executing a binary name without a path will first look in the current directory, and only if no matching executable file is found there will the standard locations be checked.
You may already see the problem. If a repository contains a git.exe, git.bat, or another git.* file that Windows thinks is executable, git-lfs will execute that file instead of the intended git binary. This means simply checking out a malicious repository gets you immediate code execution. A standard install of git for Windows, prior to 2.29.2.2, contains the vulnerable plugin by default, so go check that you’re updated!
There’s one more wrinkle to this vulnerability. How closely do you check the contents of a git download before you run the next git command? Even with a patched git-lfs version, if you clone a malicious repository and then run any other git command from inside it, you still run the local git.* file. The real solution is pushing the local directory higher up the path chain. Continue reading “This Week In Security: Platypus, Git.bat, TCL TVs, And Lessons From Online Gaming”
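To make the lookup-order difference concrete, here is an added example (not code from the article or from git-lfs) that simulates Windows-style resolution (current directory first, then PATH, trying PATHEXT suffixes) next to POSIX-style resolution (PATH only), and includes a small check a defender can run on a fresh checkout to flag top-level git.* files before invoking git from inside it. The PATHEXT list and the temporary directory layout are constructed for the demo.

```python
"""Simulate bare-name executable lookup and flag repo files that would shadow git."""
import tempfile
from pathlib import Path

# Constructed subset of typical Windows PATHEXT entries; a live check would
# read the real value from the environment instead.
PATHEXT = (".com", ".exe", ".bat", ".cmd")


def resolve_command(name, cwd, path_dirs, windows):
    """Return the file a bare command name resolves to, or None.

    windows=True : cwd is searched before PATH and PATHEXT suffixes are tried.
    windows=False: only PATH is searched and the name must match exactly.
    """
    search = [cwd, *path_dirs] if windows else list(path_dirs)
    candidates = [name + ext for ext in PATHEXT] if windows else [name]
    for directory in search:
        for cand in candidates:
            p = Path(directory) / cand
            if p.is_file():
                return p
    return None


def find_shadowing_files(repo_dir, command="git"):
    """List top-level files in a checkout that would shadow `command` when a
    tool runs it by bare name with that checkout as the working directory."""
    return sorted(
        p for p in Path(repo_dir).iterdir()
        if p.is_file()
        and p.stem.lower() == command
        and p.suffix.lower() in PATHEXT
    )


def demo():
    """Constructed scenario: a checkout containing git.bat beside a fake system git."""
    with tempfile.TemporaryDirectory() as tmp:
        repo, sysbin = Path(tmp) / "checkout", Path(tmp) / "bin"
        repo.mkdir()
        sysbin.mkdir()
        (sysbin / "git.exe").write_text("")  # stand-in for the installed git
        (sysbin / "git").write_text("")      # POSIX-style stand-in
        (repo / "git.bat").write_text("@rem constructed placeholder")
        win = resolve_command("git", repo, [sysbin], windows=True)
        posix = resolve_command("git", repo, [sysbin], windows=False)
        flagged = [p.name for p in find_shadowing_files(repo)]
        return win.name, posix.name, flagged
```

Running `demo()` shows the Windows-style lookup picking the repository's git.bat while the POSIX-style lookup finds the system git, and the scan reports the shadowing file.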
When the news broke recently that communications had finally been re-established with Voyager 2, I felt a momentary surge of panic. I’ve literally been following the Voyager missions since the twin space probes launched back in 1977, and I’ve been dreading the inevitable day when the last little bit of plutonium in their radioisotope thermal generators decays to the point that they’re no longer able to talk to us, and they go silent in the abyss of interstellar space. According to these headlines, Voyager 2 had stopped communicating for eight months — could this be a quick nap before the final sleep?
Thankfully, no. It turns out that the recent blackout to our most distant outpost of human engineering was completely expected, and completely Earth-side. Upgrades and maintenance were performed on the Deep Space Network antennas that are needed to talk to Voyager. But that left me with a question: What about the rest of the DSN? Could they have not picked up the slack and kept us in touch with Voyager as it sails through interstellar space? The answer to that is an interesting combination of RF engineering and orbital dynamics.
Thanksgiving is just around the corner and [mrak_ripple] was worried about serving food under social distancing conditions. Rather than bother with standard best practice, he chose to take a more exciting route – flinging side dishes with miniature siege weaponry. (Video, embedded below.)
The mashed potato trebuchet is a build in the modern style, relying on 8020 aluminium extrusion to allow for quick and easy assembly. It also takes advantage of what appears to be a heavy duty laser cutter, which produces strong steel brackets to hold everything together. The launcher cup that holds the mash is a 3D printed part, created in resin and held on the end of the arm with duct tape, since appropriate bolts weren’t to hand.
In the end, repeatability was a struggle, and we suspect the trebuchet won’t actually do food service on the holiday itself. However, it could certainly make for a fun game after dinner, seeing who can get the most mash onto a willing target. We’d love to see a mash cannon too, so if you’ve built one, drop us a line. Of course, if you’re into weirder, high performance designs, the flywheel trebuchet may be more your speed. Video after the break.
Ubuntu 20.04 is an incredibly popular operating system, perhaps the most popular among the Linux distributions due to its ease-of-use. In general, it’s a fairly trustworthy operating system too, especially since its source code is open. However, an update with the 20.04 revision has led to security researcher [Kevin Backhouse] finding a surprisingly easy way to escalate privileges on this OS, which we would like to note is not great.
The exploit involves two bugs, one in the accountsservice daemon, which handles user accounts on the computer, and another in the GNOME Display Manager, which handles the login screen. Ubuntu 20.04 added some code to the daemon which looks at a specific file on the computer, and with a simple symlink it can be tricked into reading a different file, which locks the process into an infinite loop. The daemon also drops its privileges at one point in this process, a normal security precaution, but this allows the user to crash the daemon.
The second bug for this exploit involves how the GNOME Display Manager (gdm3) handles privileges. Normally it would not have administrator privileges, but if the accountsservice daemon isn’t running it escalates itself to administrator, so that any changes made have administrator privileges. This provides an attacker with an opportunity to create a new user account with administrator privileges.
Of course, this being Ubuntu, we can assume that this vulnerability will be immediately patched. It’s also a good time to point out that the reason that open-source software is inherently more secure is that when anyone can see the source code, anyone can find and report issues like this which allow the software maintainer (or even the user themselves) to make effective changes more quickly.
Today we’re sad to report that one of the primary support cables at the Arecibo Observatory has snapped, nudging the troubled radio telescope closer to a potential disaster. The Observatory’s 300 meter reflector dish was already badly in need of repairs after spending 60 years exposed to the elements in Puerto Rico, but dwindling funds have made it difficult for engineers to keep up. Damage from 2017’s Hurricane Maria was still being repaired when a secondary support cable broke free and smashed through the dish back in August, leading to grave concerns over how much more abuse the structure can take before a catastrophic failure is inevitable.
The situation is particularly dire because both of the failed cables were attached to the same tower. Each of the remaining cables is now supporting more weight than ever before, increasing the likelihood of another failure. Unless engineers can support the dish and ease the stress on these cables, the entire structure could be brought down by a domino effect, with each cable snapping in succession as the demands on them become too great.
Workers installing the reflector’s mesh panels in 1963.
As a precaution the site has been closed to all non-essential personnel, and to limit the risk to workers, drones are being used to evaluate the dish and cabling as engineers formulate plans to stabilize the structure until replacement cables arrive. Fortunately, they have something of a head start.
Back in September the University of Central Florida, which manages the Arecibo Observatory, contacted several firms to strategize ways they could address the previously failed cable and the damage it caused. Those plans have now been pushed up in response to this latest setback.
Unfortunately, there’s still a question of funding. There were fears that the Observatory would have to be shuttered after Hurricane Maria hit simply because there wasn’t enough money in the budget to perform the relatively minor repairs necessary. The University of Central Florida stepped in and provided the funding necessary to keep the Observatory online in 2018, but they may need to lean on their partner the National Science Foundation to help cover the repair bill they’ve run up since then.
The Arecibo Observatory is a unique installation, and its destruction would be an incredible blow for the scientific community. Researchers were already struggling with the prospect of repairs putting the powerful radio telescope out of commission for a year or more, but now it seems there’s a very real possibility the Observatory may be lost. Here’s hoping that teams on the ground can safely stabilize the iconic instrument so it can continue exploring deep space for years to come.