News

3649 Articles

This Week In Security: PunkBuster, NAT, NAS And MP3s

October 2, 2020 by 4 Comments

Ah, the ever-present PDF, and our love-hate relationship with the format. We’ve lost count of how many vulnerabilities have been fixed in PDF software, but it’s been a bunch over the years. This week, we’re reminded that Adobe isn’t the only player in PDF-land, as Foxit released a round of updates, and there were a couple serious problems fixed. Among the vulnerabilities, a handful could lead to RCE, so if you use or support Foxit users, be sure to go get them updated.

PunkBuster

Remember PunkBuster? It’s one of the original anti-cheat solutions, from way back in 2000. The now-classic Return to Castle Wolfenstein was the first game to support PunkBuster to prevent cheating. It’s not the latest or greatest, but PunkBuster is still running on a bunch of game servers even today. [Daniel Prizmant] and [Mauricio Sandt] decided to do a deep dive project on PunkBuster, and happened to find an arbitrary file-write vulnerability, that could easily compromise a PB enabled server.

One of the functions of PunkBuster is a remote screenshot capture. If a server admin thinks a player is behaving strangely, a screenshot request is sent. I assume this targets so-called wallhack cheats — making textures transparent, so the player can see through walls. The problem is that the server logic that handles the incoming image has a loophole. If the filename ends in .png as expected, some traversal attack checks are done, and the png file is saved to the server. However, if the incoming file isn’t a png, no transversal detection is done, and the file is naively written to disk. This weakness, combined with the stateless nature of screenshot requests, means that any connected client can write any file to any location on the server at any time. To their credit, even Balance, the creators of PunkBuster, quickly acknowledged the issue, and have released an update to fix it.

Continue reading “This Week In Security: PunkBuster, NAT, NAS And MP3s”

Bunnie’s Betrusted Makes First Appearance As Mobile, FPGA-Based SoC Development Kit

September 29, 2020 by 18 Comments

Recently, [Bunnie Huang] announced his Precursor project: a spiffy-looking case housing a PCB with two FPGAs, a display, battery and integrated keyboard. For those who have seen [bunnie]’s talk at 36C3 last year, the photos may look very familiar, as it is essentially the same hardware as the ‘Betrusted’ project is intended to use. This also explains the name, with this development kit being a ‘precursor’ to the Betrusted product.

In short, it’s a maximally open, verifiable, and trustworthy device. Even the processor is instantiated on an FPGA so you know what’s going on inside the silicon.

He has set up a Crowd Supply page for the Precursor project, which provides more details. The board features a Xilinx Spartan 7 (XC7S50) and Lattice iCE40UP5K FPGA, 16 MB SRAM, 128 MB Flash, integrated WiFi (Silicon Labs WF200-based), a physical keyboard and 1100 mAh Lio-Ion battery. The display is a 200 ppi monochrome 336 x 536 px unit, with both the display and keyboard backlit.

At this point [bunnie] is still looking at how much interest there will be for Precursor if a campaign goes live. Regardless of whether one has any interest in the anti-tamper and security features, depending on the price it might be a nice, integrated platform to tinker with.

Twitter: It’s Not The Algorithm’s Fault. It’s Much Worse.

September 26, 2020 by 160 Comments

Maybe you heard about the anger surrounding Twitter’s automatic cropping of images. When users submit pictures that are too tall or too wide for the layout, Twitter automatically crops them to roughly a square. Instead of just picking, say, the largest square that’s closest to the center of the image, they use some “algorithm”, likely a neural network, trained to find people’s faces and make sure they’re cropped in.

The problem is that when a too-tall or too-wide image includes two or more people, and they’ve got different colored skin, the crop picks the lighter face. That’s really offensive, and something’s clearly wrong, but what?

A neural network is really just a mathematical equation, with the input variables being in these cases convolutions over the pixels in the image, and training them essentially consists in picking the values for all the coefficients. You do this by applying inputs, seeing how wrong the outputs are, and updating the coefficients to make the answer a little more right. Do this a bazillion times, with a big enough model and dataset, and you can make a machine recognize different breeds of cat.

What went wrong at Twitter? Right now it’s speculation, but my money says it lies with either the training dataset or the coefficient-update step. The problem of including people of all races in the training dataset is so blatantly obvious that we hope that’s not the problem; although getting a representative dataset is hard, it’s known to be hard, and they should be on top of that.

Which means that the issue might be coefficient fitting, and this is where math and culture collide. Imagine that your algorithm just misclassified a cat as an “airplane” or as a “lion”. You need to modify the coefficients so that they move the answer away from this result a bit, and more toward “cat”. Do you move them equally from “airplane” and “lion” or is “airplane” somehow more wrong? To capture this notion of different wrongnesses, you use a loss function that can numerically encapsulate just exactly what it is you want the network to learn, and then you take bigger or smaller steps in the right direction depending on how bad the result was.

Let that sink in for a second. You need a mathematical equation that summarizes what you want the network to learn. (But not how you want it to learn it. That’s the revolutionary quality of applied neural networks.)

Now imagine, as happened to Google, your algorithm fits “gorilla” to the image of a black person. That’s wrong, but it’s categorically differently wrong from simply fitting “airplane” to the same person. How do you write the loss function that incorporates some penalty for racially offensive results? Ideally, you would want them to never happen, so you could imagine trying to identify all possible insults and assigning those outcomes an infinitely large loss. Which is essentially what Google did — their “workaround” was to stop classifying “gorilla” entirely because the loss incurred by misclassifying a person as a gorilla was so large.

This is a fundamental problem with neural networks — they’re only as good as the data and the loss function. These days, the data has become less of a problem, but getting the loss right is a multi-level game, as these neural network trainwrecks demonstrate. And it’s not as easy as writing an equation that isn’t “racist”, whatever that would mean. The loss function is being asked to encapsulate human sensitivities, navigate around them and quantify them, and eventually weigh the slight risk of making a particularly offensive misclassification against not recognizing certain animals at all.

I’m not sure this problem is solvable, even with tremendously large datasets. (There are mathematical proofs that with infinitely large datasets the model will classify everything correctly, so you needn’t worry. But how close are we to infinity? Are asymptotic proofs relevant?)

Anyway, this problem is bigger than algorithms, or even their writers, being “racist”. It may be a fundamental problem of machine learning, and we’re definitely going to see further permutations of the Twitter fiasco in the future as machine classification is being increasingly asked to respect human dignity.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Autodesk Blinks, Keeps STEP File Export In Free Version Of Fusion 360

September 25, 2020 by 84 Comments

Good news, Fusion 360 fans — Autodesk just announced that they won’t be removing support for STEP file exports for personal use licensees of the popular CAD/CAM platform after all.

As we noted last week, Autodesk had announced major changes to the free-to-use license for Fusion 360. Most of the changes, like the elimination of simulations, rolling back of some CAM features, and removal of generative design tools didn’t amount to major workflow disruptions for many hobbyists who have embraced the platform. But the loss of certain export formats, most notably STEP files, was a bone of contention and the topic of heated discussion in the makerverse. Autodesk summed up the situation succinctly in their announcement, stating that the reversal was due to “unintended consequences for the hobbyist community.”

While this is great news, bear in mind that the other changes to the personal use license are still scheduled to go into effect on October 1, while the planned change to limit the number of active projects will go into effect in January 2021. So while Fusion 360 personal use licensees will still have STEP files, the loss of other export file formats like IGES and SAT are still planned.

Road Pollution Doesn’t Just Come From Exhaust

September 25, 2020 by 48 Comments

Alumni from Innovation Design Engineering at Imperial College London and the Royal College of Art want to raise awareness of a road pollution source we rarely consider: tire wear. If you think about it, it is obvious. Our tires wear out, and that has to go somewhere, but what surprises us is how fast it happens. Single-use plastic is the most significant source of oceanic pollution, but tire microplastics are next on the naughty list. The team calls themselves The Tyre Collective, and they’re working on a device to collect tire particles at the source.

Continue reading “Road Pollution Doesn’t Just Come From Exhaust”

This Week In Security: UTorrent Vulnerable, Crowd-Sourcing Your Fail2Ban, And Cryptographers At Casinos

September 25, 2020 by 22 Comments

The uTorrent client was recently updated to fix a null pointer dereference (CVE-2020-8437), discovered by [whtaguy]. Triggering the dereference simply crashes the client — so far an actual RCE hasn’t been found. Given the nature of the null pointer dereference, it’s possible this bug is limited to denial of service. That’s extremely good, because the flaw is extremely easy to target.

BitTorrent is a clever protocol. It’s still used to distribute large files, like Linux ISOs. The concept is simple: Split a large file into small chunks. Send the chunks to a client one at a time. As each chunk is received, the client sends a copy of that chunk to the next client. As a result of this peer-to-peer (p2p) arrangement, the bandwidth available to the server is greatly multiplied. As with all other p2p arrangements, the sticking point is how to make those connections between peers, particularly when most of the world’s desktops are behind NAT routers. In practice, for two peers to share data, at least one of them has to have a port opened or forwarded to the client. This is often accomplished through Universal Plug-n-Play (UPnP) or the NAT Port Mapping Protocol (NAT-PMP). The idea of both protocols are the same; a client on an internal device can request a temporary port forward without manual intervention. Whether it’s a good idea to allow automatic port forwards is another issue for another day. Continue reading “This Week In Security: UTorrent Vulnerable, Crowd-Sourcing Your Fail2Ban, And Cryptographers At Casinos”

ESP32 Vulnerability Affects Older Chips

September 24, 2020 by 24 Comments

There is a scene from the movie RED (Retired, Extremely Dangerous) where Bruce Willis encounters a highly-secure door with a constantly changing lock code deep inside the CIA. Knowing the lock would be impossible to break, he simply destroyed the wall next to the door, reached through, and opened the door from the other side. We thought about that when we saw [raelize’s] hack to bypass the ESP32’s security measures.

Before you throw out all your ESP32 spy gadgets, though, be aware that the V3 silicon can be made to prevent the attack. V1 and V2, however, have a flaw that — if you know how to exploit it — renders secure boot and flash encryption almost meaningless.

Continue reading “ESP32 Vulnerability Affects Older Chips”