News

3618 Articles

Perovskites: Not Just For Solar Cells Anymore

June 13, 2019 by 21 Comments

If you’ve been around long enough, you’ll know there’s a long history of advances in materials science that get blown far out of proportion by both the technical and the popular media. Most of the recent ones seem to center on the chemistry of carbon, particularly graphene and nanotubes. Head back a little in time and superconductors were all the rage, and before that it was advanced ceramics, semiconductors, and synthetic diamonds. There’s always some new miracle material to be breathlessly and endlessly reported on by the media, with hopeful tales of how one or the other will be our salvation from <insert catastrophe du jour here>.

While there’s no denying that each of these materials has led to huge advancements in science, industry, and the quality of life for billions, the development cycle from lab to commercialization is generally a tad slower than the press would have one believe. And so when a new material starts to gain traction in the headlines, as perovskites have recently, we feel like it’s a good opportunity to take a close look, to try to smooth out the ups and downs of the hype curve and manage expectations.

Continue reading “Perovskites: Not Just For Solar Cells Anymore”

The Day Hackaday’s Theme Was Broken

June 11, 2019 by 55 Comments

Today at about 10:00 AM Pacific time, Hackaday’s site host had an outage. All websites on the WordPress VIP Go platform were down, and that includes Hackaday. For about 45 minutes you couldn’t load any content, and for a bit more than two hours after that all we could display was a default WordPress theme with an alarmingly bright background.

At first, we were looking at a broken home page with nothing on it. We changed some things around on the back end and we had a black text on white background displaying our latest articles. Not ideal, but at least you could catch up on your reading if you happened to check in right at that time.

But wait! Unintended consequences are a real drag. Our theme doesn’t have comments built into the front page and blog page views, but the WordPress stock themes do. So comments left on those pages were being blasted out to your RSS feeds. I’d like to apologize for that. Once it was reported, we turned off comments on those pages and deleted what was there. But if you have a caching RSS reader you’ll still see those, sorry about that.

As I type this, all should be back to normal. The front end was restored around 1:00 PM Pacific time. We’ve continued our normal publishing schedule throughout, and we hope you have had a good laugh at this debacle. It might be a few days before I’m able to laugh about it though.

Windows 10 Goes To Shell

June 10, 2019 by 51 Comments

Windows 10 — the operating system people love to hate or hate to love. Even if you’re a Linux die-hard, it is a fair bet that your workplace uses it and that you have friends and family members that need help forcing you to use Windows at least some times. If you prefer a command line — or even just find a place where you have to use the command line, you might find the classic Windows shell a bit anemic. Some of that’s the shell’s fault, but some of it is the Windows console which is — sort of — the terminal program that runs various Windows text-based programs. If you have the creator update channel on Windows 10, though, there have been some recent improvements to the console and the Linux system that will eventually trickle down to the mainstream users.

What’s New?

So what’s new? According to Microsoft, they’ve improved the call interface to make the following things work correctly (along with “many others”):

  • Core tools: apt, sed, grep, awk, top, tmux, ssh, scp, etc.
  • Shells: Bash, zsh, fish, etc.
  • Dev tools: vim, emacs, nano, git, gdb, etc.
  • Languages & platforms: Node.js & npm, Ruby & Gems, Java & Maven, Python & Pip, C/C++, C# &
  • .NET Core & Nuget, Go, Rust, Haskell, Elixir/Erlang, etc.
  • Systems & Services: sshd, Apache, lighttpd, nginx, MySQL, PostgreSQL

The changes to the console are mostly surrounding escape sequences, colors, and mouse support. The API changes included things like allowing certain non-administrative users to create symlinks. We’ve made X Windows work with Windows (using a third-party X server) and Microsoft acknowledges that it has been done. However, they still don’t support it officially.

Continue reading “Windows 10 Goes To Shell”

GPS And ADS-B Problems Cause Cancelled Flights

June 9, 2019 by 80 Comments

Something strange has been going on in the friendly skies over the last day or so. Flights are being canceled. Aircraft are grounded. Passengers are understandably upset. The core of the issue is GPS and ADS-B systems. The ADS-B system depends on GPS data to function properly, but over this weekend a problem with the quality of the GPS data has disrupted normal ADS-B features on some planes, leading to the cancellations.

What is ADS-B and Why Is It Having Trouble?

Automatic Dependent Surveillance-Broadcast (ADS-B) is a communication system used in aircraft worldwide. Planes transmit location, speed, flight number, and other information on 1090 MHz. This data is picked up by ground stations and eventually displayed on air traffic controller screens. Aircraft also receive this data from each other as part of the Traffic Collision Avoidance System (TCAS).

ADS-B isn’t a complex or encrypted signal. In fact, anyone with a cheap RTL-SDR can receive the signal. Aviation buffs know how cool it is to see a map of all the aircraft flying above your house. Plenty of hackers have worked on these systems, and we’ve covered that here on Hackaday. In the USA, the FAA will effectively require all aircraft to carry ADS-B transponders by January 1st, 2020. So as you can imagine, most aircraft already have the systems installed.

The ADS-B system in a plane needs to get position data before it can transmit. These days, that data comes from a global satellite navigation system. In the USA, that means GPS. GPS is currently having some problems though. This is where Receiver autonomous integrity monitoring (RAIM) comes in. Safety-critical GPS systems (those in planes and ships) cross-check their current position. If GPS is sending degraded or incorrect data, it is sent to the FAA who displays it on their website. The non-precision approach current outage map is showing degraded service all over the US Eastern seaboard, as well as the North. The cause of this signal degradation is currently unknown.

What Hardware is Affected?

GPS isn’t down though — you can walk outside with your cell phone to verify that. However, it is degraded. How a plane’s GPS system reacts to that depends on the software built into the GPS receiver. If the system fails, the pilots will have to rely on older systems like VOR to navigate. But ADS-B will have even more problems. An aircraft ADS-B system needs position data to operate.  If you can’t transmit your position information, air traffic controllers need to rely on old fashioned radar to determine position. All of this adds up to a safety of flight problem, which means grounding the aircraft.

Digging through canceled flight lists, one can glean which aircraft are having issues. From the early reports, it seems like Bombardier CRJ 700 and 900 have problems. Folks on Airliners.net are speculating that any aircraft with Rockwell Collins flight management systems are having problems.

This is not a small issue, there are hundreds or thousands of canceled flights. The FAA set up a teleconference to assess the issue. Since then, the FAA has issued a blanket waiver to all affected flights. They can fly, but only up to 28,000 feet.

This is a developing story, and we’ll be keeping an eye on it. Seeing how the industry handles major problems is always educational, and there will be much to learn in the coming days.

Infineon Buys Cypress For $10B

June 6, 2019 by 11 Comments

Infineon will acquire Cypress Semiconductors for nearly $10 Billion dollars. This is the latest merger or acquisition in the semiconductor industry, and these mergers and acquisitions show no sign of stopping anytime soon.

Infineon’s market currently consists mostly of products aimed at the automotive market and power management and control. Cypress, likewise, has a wide portfolio of automotive electronics, from the guts of instrument clusters to the brains of infotainment systems. The automotive electronics industry is going gangbusters right now, and companies in the market are flush with cash; Infineon acquiring Cypress allows both companies to focus their R&D to develop products for the same market.

As with all mergers and acquisitions, there is the question of what may be lost, or what may go out of production. Cypress is most famous for their PSOC microcontrollers, but for now those uCs, and their CapSense capability, seem safe. Cypress is also noteworthy for manufacturing old-school memories, but again it looks like you’ll still be able to buy these years down the line; in any event, Alliance memory is still around stuffing DRAMs in DIPs.

This acquisition of Cypress by Infineon is one of the largest in recent memory. Apple recently bought a $600 Million stake in Dialog, and Microchip acquired Microsemi for $8.35 Billion. Tesla bought Maxwell Technologies for a mere $218 Million. This deal between Infineon and Cypress puts the company in the upper echelon of recent mergers and acquisitions.

The UK Drone Community Fights Back, Gains FOI Admission Of No Tangible Drone Evidence

June 4, 2019 by 33 Comments

Regular Hackaday readers will have noted a succession of stories following the reports of drones in the air over British airports and in proximity to aircraft. We’ve consistently asked for a better quality of investigation and reporting into these cases, because so far the absence of reported tangible evidence of a drone being present casts doubt on the validity of the official reaction. For too long the official records of air proximity incidents have relied upon a shockingly low standard of proof when apportioning blame to drone operators, and this situation has contributed to something of a panic over the issue.

It seems that some members of the British drone flying community are on the case though. Airprox Reality Check are a group analysing air proximity reports and linking them to contemporary ADS-B and weather records to identify possible explanations. They have devised a rating system based upon a number of different metrics in an attempt to quantify the reliability of a particular report, and they are tabulating their analysis of air proximity reports on a month by month basis. This includes among many analyses such gems as Airprox Report #2019046, in which an Embraer 170 flying at 9000 feet and 20 km offshore reported a drone in close proximity. The Airprox Reality Check analysis points out that no known drone could manage that feat, and refers to a passing Boeing 737 revealed through ADS-B data as a more likely culprit.

Their latest news is that they have made a Freedom of Information request to the Air Proximity Board, asking for what evidence the Board has of a drone having been involved in any of the over 350 incidents in UK airspace having been reported as involving drones. The official response contains the following quote:

in all cases UKAB has no confirmation that a drone has flown close to an aircraft other than the report made by the pilot(s). Similarly, other than from the report of the pilot(s), UKAB has no confirmation that a drone was involved.

This confirms the view of the multirotor and drone community that has been reported by Hackaday in the past, that the whole British drone panic has been based upon unreliable and uncorroborated reports from eyewitnesses with little direct experience of multirotors. If any irresponsible drone operator is flying into close proximity with aircraft or otherwise into protected airspace then it goes without saying that they should be prosecuted, yet it seems that the community is being punished as though this had happened when the reality is that no such acts are proven to have occurred.

This Week In Security: Baltimore, MacOS Zipfile Security, And App Store Monopolies

May 31, 2019 by 13 Comments

Baltimore. The city was breached, crippled and held for ransom. The ransomware attack was discovered on May 7th, shutting down a major portion of the city’s infrastructure. The latest news is that an NSA-written tool, EternalBlue, is responsible for the attack. Except maybe it isn’t? First off, digging back through the history of an attack is challenging. It’s often hard to determine the initial attack vector with certainty.

The “initial attack vector” is the patient zero of the attack — how the first machine was compromised. An organization generally has a firewall separating the outside internet from the internal network. Once an attacker has found a way to access a machine inside the network, the separation is not nearly so strict. This takes many forms, but the most common is phishing. Close contenders are RDP and SMB (Remote Desktop and Windows File Sharing). A report at Ars Technica indicates that the initial vector into the Baltimore network was a phishing email.

The second step to consider is what’s called “lateral movement”, which describes an attacker using the compromised machine to target other machines in the organization. Often an attacker will have an entire toolkit of exploits to attempt to compromise other machines. One of the exploits used in this case was the same exploit contained in the NSA tool, EternalBlue. A clever program called psexec is usually part of any lateral movement campaign. While the exploit associated with EternalBlue was probably used to compromise a few of the machines on the Baltimore network, placing all the blame on the shoulders of the NSA is missing the point. The tool is only a small part of this attack.

MacOS and NFS Shares Inside Zipfiles

MacOS has a sometimes irritating feature, Gatekeeper, that only allows running signed binaries by default. The point of Gatekeeper is to prevent a user from running a malicious binary that has been downloaded from the internet. While it is sometimes an annoyance, it is helpful for some users. [Filippo Cavallarin] announced an exploit that completely bypasses Gatekeeper on the 24th. This exploit takes advantage of the fact that Gatekeeper considers network shares to be trustworthy, and doesn’t run the normal check before executing a binary located there. While interesting, this isn’t useful unless there is a way for an attacker to mount a malicious location as a network share. Enter the Mac’s ability to automatically mount network locations through the use of the /net path. The last piece of this puzzle is the fact that zip files can contain symbolic links. A zip file can be built with a link to the /net location, automounting an arbitrary NFS location. If binary files are located in this location, the OS will happily allow the user to execute those binaries whether signed or not.

This exploit may not be the most serious of the year, but it’s still a problem that needs fixing. [Filippo] contacted Apple back in February and disclosed the problem, even getting an assurance that they would fix it within 90 days. 90 days have passed, and Apple has begun ignoring his emails, so he has made the announcement and published steps to reproduce on his website.

There has been discussion in the comments of this column about vulnerability disclosure and publishing proof of concept code. This is a perfect example of why researchers publish their work. As far as [Filippo] knows, Apple has no intention of fixing the issue he discovered. He also has no reason to believe that no one else has stumbled on this discovery before he did. We mentioned EternalBlue above. The NSA discovered the SMB vulnerability that exploit targeted and used it silently for up to five years before it was stolen and finally disclosed to Microsoft and fixed. Make no mistake, public disclosures and proof of concepts get vulnerabilities fixed. For any given vulnerability, there is no guarantee that someone else hasn’t already found it.

Just a Little Document Leak

OK, maybe not so little. A Fortune 500 company, First American, managed to host millions of private documents in an accessible format. Imagine you upload a document to a company, and get a confirmation link that looks like “test.com/documents.php?id=0252234”. If you’re like me, you’re very curious what is at id=0252233. [Ben Shoval] is a real estate developer who apparently also wanted to know the answer to that question. To his surprise, millions of uploaded documents were available for anyone to view. He tried reaching out to First American, and when there was no response to his emails, he forwarded his findings on to Krebs on Security. After what was likely years of exposure, the database was finally taken offline Friday the 24th.

Walled Garden Monopolies

Staying on the Apple train, the App Store is pretty obviously a monopoly. Someone has finally asked whether it’s an illegal monopoly. As most of these questions go, it’ll take a drawn out court battle to decide. How is this security news? If the court finds that Apple has been violating antitrust laws, one possible remediation is to allow alternative app stores. While there is always the potential for a high quality alternative store like F-droid, sketchy app stores and downloaded are a real possibility. On the other hand, it would be nice to have an iOS app store that is compatible with the GPL.