This Week In Security: DeepSeek’s Oopsie, AI Tarpits, And Apple’s Leaks

DeepSeek has captured the world’s attention this week, with the unexpected release of a more open AI model from China, at a reported training cost of a mere $5 million. While there’s lots of buzz about DeepSeek, here we’re interested in security. And DeepSeek has made waves there too, in the form of a ClickHouse database unintentionally opened to the world, discovered by the folks from Wiz research. That database contained chat history and log streams, and by extension API keys and other secrets.

Finding this database wasn’t exactly rocket science — it reminds me of my biggest bug bounty win, which was little more than running a traceroute and a port scan. In this case it was domain and subdomain mapping, and a port scan. The trick here was knowing to try this, and then understanding what the open ports represented. And the ClickHouse database was completely accessible, leaking all sorts of sensitive data.

Google Open Sources PebbleOS: New Pebble Device In Development

The Pebble smartwatch was introduced in 2012 as part of a Kickstarter campaign and saw moderate success before the company behind it was bought out by Fitbit. Although a group of enthusiasts kept their Pebble devices alive, including via the alternative Rebble project for online services, it seemed that no new Pebble devices would grace this Earth. However, we have now had a flurry of Pebble updates, with Google, the current owner of Fitbit, open sourcing PebbleOS, and original Pebble founder [Eric Migicovsky] announcing new Pebble watches.

These new Pebble watches would be very much like the original Pebble, switching from a memory LCD to an e-paper screen while keeping compatibility with the original Pebble watch and its hackability. Currently there’s just a rePebble site where you can sign up for announcements. Over at the Rebble project people are understandably excited, with the PebbleOS source available on GitHub.

A lot of work still remains, of course. The Apache 2.0-licensed PebbleOS source was stripped of everything from fonts to the voice codec and Bluetooth stack, and bootstrapping whole new hardware production will require serious investment. Even so, for lovers of smartwatches that work with modern-day smartphones and feature an always-on display and amazing battery life, the future has never been brighter.

Thanks to [Will0] for the tip.

The FTC Take Action, Is Time Finally Up For John Deere On Right To Repair?

Over the last decade we have brought you frequent reports not from the coolest of hackerspaces or the most bleeding edge of engineering in California or China, but from the rolling prairies of the American Midwest. Those endless fields of cropland waving in the breeze have been the theatre for an unlikely battle over right to repair, the result of which should affect us all. The case of FEDERAL TRADE COMMISSION, STATE OF ILLINOIS, and STATE OF MINNESOTA, v. DEERE & COMPANY relates to the machinery manufacturer’s use of DRM to restrict the repair of its products, and holds the promise of ending the practice once and for all.

This is being written in Europe, where, if an average person were asked to name a brand that says “America”, they might reach for the familiar: perhaps Disney, McDonald’s, or Coca-Cola. These are the flag-bearers of American culture for outsiders, but it’s fair to say that none of them can claim to have built the country. The green and yellow Deere tractors, on the other hand, represent the current face of a company with nearly two hundred years of farming history which, by virtue of producing some of the first mass-produced plows, had perhaps the greatest individual role in shaping modern American agriculture and thus indirectly the country itself. To say that Deere is woven into the culture of rural America is something of an understatement; agricultural brands like Deere have an enviable customer base, the most loyal of any industry.

Thus, while those green and yellow tractors are far from the only case of repair being restricted by DRM, they have become the symbolic poster child for the issue as a whole. It’s important to understand, then, how far it reaches beyond the concerns of us technology and open-source enthusiasts, into something much more fundamental.


Shedding Light On Quantum Measurement With Calcite

Have you ever struggled with the concept of quantum measurement, feeling it’s unnecessarily abstract? You’re not alone. Enter this guide by [Mithuna] from Looking Glass Universe, where she circles back to the concept of measurement basis in quantum mechanics using a rather simple piece of calcite crystal. We wrote about similar endeavours in reflection on Shanni Prutchi’s talk at the Hackaday SuperConference in 2015. If that memory has got a bit dusty in your mind, here’s a quick course to make things click again.

In essence, calcite splits a beam of light into two dots based on polarization. By aligning filters and rotating angles, you can observe how light behaves when forced into ‘choices’. The dots you see are a direct representation of the light’s polarization states. This isn’t just a neat trick for photons; it’s a practical window into the probability-driven nature of quantum systems.

Even with just one photon passing through per second, the calcite setup demonstrates how light ‘chooses’ a path, revealing the probabilistic essence of quantum mechanics. Using common materials (laser pointers, polarizing filters, and calcite), anyone can reproduce this experiment at home.

If this sparks curiosity, explore Hackaday’s archives for quantum mechanics. Or just find yourself a good slice of calcite online, steal the laser pointer from your cat’s toy bin, and get going!


Sony Ends Blu-Ray, MD And MiniDV Media Production

With the slow demise of physical media over the past few years, companies are gradually closing shop on producing everything from the physical media itself to their players and recorders. For Sony this seems to have now escalated to the point where it’ll be shuttering its recordable optical media storage operations, after more than 18 years of producing recordable Blu-ray discs. As noted by [Tom’s Hardware], this also includes MiniDisc (MD) media and MiniDV cassettes.

We previously reported on Sony ending the production of recordable Blu-ray media for consumers, which now seems to have expanded to Sony’s remaining storage media. It also raises the likelihood that Sony’s next game console (likely the PlayStation 6) will not feature any optical drive at all as Blu-ray loses importance. While MiniDV was likely only of interest to those of us still lugging one of those MiniDV camcorders around, the loss of MD production may be felt quite strongly in the indie music scene, where MD is experiencing something of a revival alongside cassette tapes and vinyl records.

Although it would appear that physical media is now effectively dead in favor of streaming services, it might be too soon to mark its demise.

This Week In Security: ClamAV, The AMD Leak, And The Unencrypted Power Grid

Cisco’s ClamAV has a heap-based buffer overflow in its OLE2 file scanning. That’s a big deal, because ClamAV is used to scan file attachments on incoming emails. All it takes to trigger the vulnerability is to send a malicious file through an email system that uses ClamAV.

The exact vulnerability is a string termination check that can fail to trigger, leading to a buffer over-read. That’s a lot better than a buffer overflow while writing to memory, and that detail is why this vulnerability is strictly a Denial of Service problem. The out-of-bounds read results in process termination, presumably a segfault from reading protected memory. There are Proofs of Concept (PoCs) available, but so far no reports of the vulnerability being used in the wild.

Bambu Lab Tries To Clarify Its New “Beta” Authentication Scheme

Perhaps one of the most fascinating aspects of any developing tech scandal is the way that the target company handles criticism and feedback from the community. After announcing a new authentication scheme for cloud- and LAN-based operations a few days ago, Bambu Lab today posted an update that’s supposed to address said criticism and feedback. This follows the original announcement, which had the 3D printer community up in arms and quickly saw the new tool that’s supposed to provide safe and secure communications with Bambu Lab printers ripped apart to extract the security certificate and private key.

In the new blog post, the Bambu Lab spokesperson takes a few paragraphs to get to the point the community is most concerned about, which is interoperability between tools like OrcaSlicer and Bambu Lab printers. The above graphic is what they envision it will look like, with OrcaSlicer purportedly getting a network plugin that should provide direct access, but so far the Bambu Connect app remains required. It’s also noted that this new firmware is ‘just Beta firmware’.

As the flaming wreck that’s Bambu Lab’s PR efforts keeps hurtling down the highway of public opinion, we’d be remiss to not point out that with the security certificate and private key being easily obtainable from the Bambu Connect Electron app, there is absolutely no point to any of what Bambu Lab is doing.