News

3618 Articles

This Week In Security: Medical Backdoors, Strings, And Changes At Let’s Encrypt

February 7, 2025 by 12 Comments

There are some interesting questions afoot, with the news that the Contec CMS8000 medical monitoring system has a backdoor. And this isn’t the normal debug port accidentally left in the firmware. The CISA PDF has all the details, and it’s weird. The device firmware attempts to mount an NFS share from an IP address owned by an undisclosed university. If that mount command succeeds, binary files would be copied to the local filesystem and executed.

Additionally, the firmware sends patient and sensor data to this same hard-coded IP address. This backdoor also includes a system call to enable the eth0 network before attempting to access the hardcoded IP address, meaning that simply disabling the Ethernet connection in the device options is not sufficient to prevent the backdoor from triggering. This is a stark reminder that in the firmware world, workarounds and mitigations are often inadequate. For instance, you could set the gateway address to a bogus value, but a slightly more sophisticated firmware could trivially enable a bridge or alias approach, completely bypassing those settings. There is no fix at this time, and the guidance is pretty straightforward — unplug the affected devices.

Continue reading “This Week In Security: Medical Backdoors, Strings, And Changes At Let’s Encrypt”

Solid Tips For Designing Assistive Technology (Or Anything Else, Really)

February 6, 2025 by 8 Comments

Do you make things, and have you got almost ten minutes to spare? If not, make the time because this video by [PrintLab] is chock-full of healthy and practical design tips. It’s about effective design of Assistive Technology, but the design concepts extend far beyond that scope.

It’s about making things that are not just functional tools, but objects that are genuinely desirable and meaningful to people’s lives. There are going to be constraints, but constraints aren’t limits on creativity. Heck, some of the best devices are fantastic in their simplicity, like this magnetic spoon.

It’s not just about functionality. Colors, textures, and style are all meaningful — and have never been more accessible.

One item that is particularly applicable in our community is something our own [Jenny List] has talked about: don’t fall into the engineer-saviour trap. The video makes a similar point in that it’s easy and natural to jump straight into your own ideas, but it’s critical not to make assumptions. What works in one’s head may not work in someone’s actual life. The best solutions start with a solid and thorough understanding of an issue, the constraints, and details of people’s real lives.

Another very good point is that designs don’t spring fully-formed from a workbench, so prototype freely using cardboard, models, 3D printing, or whatever else makes sense to you. Don’t be stingy with your prototyping! As long as you’re learning something each time, you’re on the right path.

And when a design is complete? It has the potential to help others, so share it! But sharing and opening your design isn’t just about putting the files online. It’s also about making it as easy as possible for others to recreate, integrate, or modify your work for their own needs. This may mean making clear documentation or guides, optimizing your design for ease of editing, and sharing the rationale behind your design choices to help others can build on your work effectively.

The whole video is excellent, and it’s embedded here just under the page break. Does designing assistive technology appeal to you? If so, then you may be interested in the Make:able challenge which challenges people to design and make a 3D printable product (or prototype) that improves the day-to-day life of someone with a disability, or the elderly. Be bold! You might truly help someone’s life.

Continue reading “Solid Tips For Designing Assistive Technology (Or Anything Else, Really)”

Breaking: USPS Halts Inbound Packages From China And Hong Kong Posts

February 5, 2025 by 104 Comments

Update: The USPS has now resumed acceptance of inbound packages from China. According to the updated Service Alert, they are currently working with Customs and Border Protection to “implement an efficient collection mechanism for the new China tariffs.’

Some troubling news hit overnight as the United States Post Office announced via a terse “Service Alert” that they would suspend acceptance of inbound parcels from China and Hong Kong Posts, effective immediately.

The Alert calls it a temporary suspension, but gives no timeline on when service will be restored. While details are still coming together, it seems likely that this suspension is part of the Trump administration’s Chinese tariff package, which went into effect at midnight.

Specifically, the administration looks to close the “de minimis” exemption — a loophole which allowed packages valued under $800 USD to pass through customs without having to pay any duties or fees. Those packages will now not only be subject to the overall 10% tax imposed by the new tariff package, but will now have to be formally processed through customs, potentially tacking on even more taxes and fees.

The end result is that not only will your next order of parts from AliExpress be more expensive, but it’s likely to take even longer to arrive at your door. Of course, this should come as no surprise. At the end of the day, this is precisely what the administration aims to accomplish with the new tariffs — if purchasing goods from overseas is suddenly a less attractive option than it was previously, it will be a boon to domestic suppliers. That said, some components will be imported from China regardless of who you order them from, so those prices are still going to increase.

Other carriers such as FedEx and UPS will also have to follow these new rules, but at the time of this writing, neither service had released a statement about how they intend to comply.

Freedesktop And Alpine Linux Looking For New Hosting

February 4, 2025 by 37 Comments

A well-known secret in the world of open source software is that many projects rely on donated hosting for everything from their websites to testing infrastructure. When the company providing said hosting can no longer do so for whatever reason, it leaves the project scrambling for a replacement. This is what just happened for Alpine Linux, as detailed on their blog.

XKCD's dependency model
Modern-day infrastructure, as visualized by XKCD. (Credit: Randall Munroe)

Previously Equinix Metal provided the hosting, but as they are shutting down their bare-metal services, the project now has to find an alternative. As described in the blog post, this affects in particular storage services, continuous integration, and development servers.

As if that wasn’t bad enough, Equinix was also providing hosting for the Freedesktop.org project. In a post on their GitLab, [Benjamin Tissoires] thanks the company for supporting them as long as they have, and details the project’s current hosting needs.

As the home of X.org and Wayland (and many more), the value of Freedesktop.org to the average user requires no explanation. For its part, Alpine Linux is popular in virtualization, with Docker images very commonly using it as a base. This raises the uncomfortable question of why such popular open source projects have to depend on charity when so many companies use them, often commercially.

We hope that these projects can find a new home, and maybe raise enough money from their users to afford such hosting themselves. The issue of funding (F)OSS projects is something that regularly pops up, such as the question of whether FOSS bounties for features are helpful or harmful.

Bicycle Adds Reliability With Second Chain

February 3, 2025 by 71 Comments

Ignoring the International Cycling Union‘s mostly arbitrary rules for what a bicycle is “supposed” to look like (at least if you want to race), there are actually reasons that the bicycling world has standardized around a few common parts and designs. Especially regarding the drivetrain, almost all bikes use a chain, a freewheel, and a derailleur if there are gears to shift because these parts are cheap, reliable, and easy to repair. But if you’re off grid in a place like Africa, even the most reliable bikes won’t quite cut it. That’s why a group called World Bicycle Relief designed and built the Buffalo bicycle, and the latest adds a second gear with a unique freewheel.

Bicycling YouTuber [Berm Peak] takes us through the design of this bike in his latest video which is also linked below. The original Buffalo bicycle was extremely rugged and durable, with a rear rack designed to carry up to 200 pounds and everything on the bike able to be repaired with little more than an adjustable wrench. The new freewheel adds a second gear to the bike which makes it easier to use it in hilly terrain, but rather than add a complicated and hard-to-repair derailleur the freewheel adds a second chain instead, and the rider can shift between the two gears by pedaling backwards slightly and then re-engaging the pedals.

Of course a few compromises had to be made here. While the new freewheel is nearly as rugged as the old one, it’s slightly more complex. However, they can be changed quite easily with simple tools and are small, affordable, and easy to ship as well. The bike also had to abandon the original coaster brake, but the new rim brakes are a style that are also easy to repair and also meant that the bike got a wheel upgrade as well. Bicycles like these are incredibly important in places where cars are rare or unaffordable, or where large infrastructure needed to support them is unreliable or nonexistent. We’ve seen other examples of bicycles like these being put to work in places like India as well.

Thanks to [Keith] for the tip!

Continue reading “Bicycle Adds Reliability With Second Chain”

A guy's leg encased in a 3D printer showing a fresh printed tattoo

Do, Dare Or Don’t? Getting Inked By A 3D Printer

February 2, 2025 by 19 Comments

This unusual tattoo hack by [Emily The Engineer] is not for the weak of heart, but let’s be frank: we kind of know her for that. And she gives out a warning, albeit at a good 10 minutes in, to not do this at home. What she’s about to do takes creativity and tech obsession to the next level: to transform a 3D printer into a functional tattoo machine. Therefore, [Emily] ingeniously modified one of her standard 3D printers to operate two-dimensionally, swapped its plastic extruder for a tattoo gun, and, yes, even managed to persuade a willing participant to try it out.

The entire process can be seen in [Emily]’s video below, which humorously yet meticulously documents the journey from Sharpie test runs to actually inking skin. Aside from a lot of tongue-in-cheek trial and error, this project requires a sheer amount of problem-solving. [Emily] employs firmware edits to bypass safety checks, and clever hardware adaptations to ensure smooth transitions between strokes. One impressive upgrade is the emergency solenoid system, a literal panic button to stop the machine mid-tattoo in case of trouble—a critical addition for something with needles involved!

This hack sits on the edge of DIY body modification, raising eyebrows and technical questions alike. If you missed the warning and are now frantically searching for tattoo removal options, know we’ve covered some (but you might be rightfully scared of automating that, too, at this point). If you haven’t lifted a finger while reading this, just do the safe thing: watch [Emily]’s video, and tinker about the subsequent purposes this discovery creates for 3D printing or tattoo art.

Continue reading “Do, Dare Or Don’t? Getting Inked By A 3D Printer”

This Week In Security: DeepSeek’s Oopsie, AI Tarpits, And Apple’s Leaks

January 31, 2025 by 8 Comments

DeepSeek has captured the world’s attention this week, with an unexpected release of the more-open AI model from China, for a reported mere $5 million training cost. While there’s lots of buzz about DeepSeek, here we’re interested in security. And DeepSeek has made waves there, in the form of a ClickHouse database unintentionally opened to the world, discovered by the folks from Wiz research. That database contained chat history and log streams, and API keys and other secrets by extension.

Finding this database wasn’t exactly rocket science — it reminds me of my biggest bug bounty win, which was little more than running a traceroute and a port scan. In this case it was domain and sub domain mapping, and a port scan. The trick here was knowing to try this, and then understanding what the open ports represented. And the ClickHouse database was completely accessible, leaking all sorts of sensitive data. Continue reading “This Week In Security: DeepSeek’s Oopsie, AI Tarpits, And Apple’s Leaks”