News

3649 Articles

Student Rocket Makes It To Space

May 23, 2019 by 23 Comments

Where does the Earth’s atmosphere stop and space begin? It is tempting to take the approach Justice Potter Stewart did for pornography when judging a 1964 obscenity case and say “I know it when I see it.” That’s not good enough for scientists, though. The Kármán line is what the World Air Sports Federation (FAI) defines as space. That line is 100 km (62 miles or about 330,000 feet) above sea level. A recent student-built rocket — Traveler IV — claims to be the first entirely student-designed vehicle to pass that line.

The students from the University of Southern California launched the rocket from Spaceport America in New Mexico. The new record is over twice as high as the old record, set by the same team. The rocket reached approximately 340,000, although the margin of error on the measurement is +/- 16,800 feet, so there’s a slight chance they didn’t quite cross the line.

Continue reading “Student Rocket Makes It To Space”

Wolfram Engine Now Free… Sort Of

May 22, 2019 by 8 Comments

You’ve probably used Wolfram Alpha and maybe even used the company’s desktop software for high-powered math such as Mathematica. One of the interesting things about all of Wolfram’s mathematics software is that it shares a common core engine — the Wolfram Engine. As of this month, the company is allowing free use of the engine in software projects. The catch? It is only for preproduction use. If you are going into production you need a license, although a free open source project can apply for a free license. Naturally, Wolfram gets to decide what is production, although the actual license is pretty clear that non-commercial projects for personal use and approved open source projects can continue to use the free license. In addition, work you do for a school or large company may already be covered by a site license.

Given how comprehensive the engine is, this is reasonably generous. The engine even has access to the Wolfram Knowledgebase (with a free Basic subscription). If you don’t want to be connected, though, you don’t have to be. You just won’t be able to get live data. If you want to play with the engine, you can use the Wolfram Cloud Sandbox in which you can try some samples.

Continue reading “Wolfram Engine Now Free… Sort Of”

This Week In Security: What’s Up With Whatsapp, Windows XP Patches, And Cisco Is Attacked By The Thrangrycat

May 21, 2019 by 21 Comments

Whatsapp allows for end-to-end encrypted messaging, secure VoIP calls, and until this week, malware installation when receiving a call. A maliciously crafted SRTCP connection can trigger a buffer overflow, and execute code on the target device. The vulnerability was apparently found first by a surveillance company, The NSO Group. NSO is known for Pegasus, a commercial spyware program that they’ve marketed to governments and intelligence agencies, and which has been implicated in a number of human rights violations and even the assassination of Jamal Khashoggi. It seems that this Whatsapp vulnerability was one of the infection vectors used by the Pegasus program. After independently discovering the flaw, Facebook pushed a fixed client on Monday.

Windows XP Patched Against Wormable Vulnerability

What year is it!? This Tuesday, Microsoft released a patch for Windows XP, five years after support for the venerable OS officially ended. Reminiscent of the last time Microsoft patched Windows XP, when Wannacry was the crisis. This week, Microsoft patched a Remote Desktop Protocol (RDP) vulnerability, CVE-2019-0708. The vulnerability allows an attacker to connect to the RDP service, send a malicious request, and have control over the system. Since no authentication is required, the vulnerability is considered “wormable”, or exploitable by a self-replicating program.

Windows XP through Windows 7 has the flaw, and fixes were rolled out, though notably not for Windows Vista. It’s been reported that it’s possible to download the patch for Server 2008 and manually apply it to Windows Vista. That said, it’s high time to retire the unsupported systems, or at least disconnect them from the network.

The Worst Vulnerability Name of All Time

Thrangrycat. Or more accurately, “😾😾😾” is a newly announced vulnerability in Cisco products, discovered by Red Balloon Security. Cisco uses secure boot on many of their devices in order to prevent malicious tampering with device firmware. Secure boot is achieved through the use of a secondary processor, a Trust Anchor module (TAm). This module ensures that the rest of the system is running properly signed firmware. The only problem with this scheme is that the dedicated TAm also has firmware, and that firmware can be attacked. The TAm processor is actually an FPGA, and researchers discovered that it was possible to modify the FPGA bitstream, totally defeating the secure boot mechanism.

The name of the attack, thrangrycat, might be a satirical shot at other ridiculous vulnerability names. Naming issues aside, it’s an impressive bit of work, numbered CVE-2019-1649. At the same time, Red Balloon Security disclosed another vulnerability that allowed command injection by an authenticated user.

Odds and Ends

See a security story you think we should cover? Drop us a note in the tip jar!

Wing Opens The Skies For Drones With UTM

May 20, 2019 by 7 Comments

Yesterday Alphabet (formerly known as Google) announced that their Wing project is launching delivery services per drone in Finland, specifically in a part of Helsinki. This comes more than a month after starting a similar pilot program in North Canberra, Australia. The drone design Wing has opted for consists not of the traditional quadcopter design, but a hybrid plane/helicopter design, with two big propellers for forward motion, along with a dozen small propellers on the top of the dual body design, presumably to give it maximum range while still allowing the craft to hover.

With a weight of 5 kg and a wingspan of about a meter, Wing’s drones are capable of lifting and carrying a payload of about 1.5 kg. This puts it into a category of drones far beyond of what hobbyists tend to fly on a regular basis, and worse, it involves Beyond Visual Line Of Sight (BVLOS for short) flying, which is frowned upon by the FAA and similar regulatory bodies. What Google/Alphabet figures that can enable them to make this kind of service a commercial reality is called Unmanned aircraft system Traffic Management (UTM).

UTM is essentially complementary to the existing air traffic control systems, allowing drones to integrate into these flows of manned airplanes without endangering either. Over the past years, it’s been part of NASA’s duty to develop the systems and infrastructure that would be required to make UTM a reality. Working together with the FAA and companies such as Amazon and Alphabet, the hope is that before long it’ll be as normal to send a drone into the skies for deliveries and more as it is today to have passenger and cargo planes with human pilots take to the skies.

It Is ‘Quite Possible’ This Could Be The Last Bay Area Maker Faire

May 16, 2019 by 111 Comments

The Bay Area Maker Faire is this weekend, and this might be the last one. This report comes from the San Francisco Chronicle, and covers the continuing problems of funding and organizing what has been called The Greatest Show and Tell on Earth. According to Maker Media CEO Dale Dougherty, “it is ‘quite possible’ that the event could be the Bay Area’s last Maker Faire.”

Maker Faire has been drawing artists, craftspeople, inventors, and engineers for more than a decade. In one weekend you can see risque needlepoint, art cars meant for the playa, custom racing drones, science experiments, homebrew computers, gigantic 3D printers, interactive LED art, and so much more. This is a festival built around a subculture defined by an act of creation; if you do something with your hands, if you build something, or if you make something, Maker Faire has something for you. However you define it, this is the Maker Movement and since 2006, there has been a Maker Faire, a festival to celebrate these creators.

It’s sad to learn the future of this event is in peril. Let’s take a look at how we got here and what the future might hold.

Continue reading “It Is ‘Quite Possible’ This Could Be The Last Bay Area Maker Faire”

The Great Ohio Key Fob Mystery, Or “Honey, I Jammed The Neighborhood!”

May 15, 2019 by 91 Comments

Hack long enough and hard enough, and it’s a pretty safe bet that you’ll eventually cause unintentional RF emissions. Most of us will likely have our regulatory transgression go unnoticed. But for one unlucky hacker in Ohio, a simple project ended up with a knock at the door by local authorities and pointed questions to determine why key fobs and garage door remotes in his neighborhood and beyond had suddenly been rendered useless, and why his house seemed to be at the center of the disturbance.

Few of us want this level of scrutiny for our projects, so let’s take a more in-depth look at the Great Ohio Key Fob Mystery, along with a look at the Federal Communications Commission regulations that govern what you can and cannot do on the airwaves. As it turns out, it’s easy to break the law, and it’s easy to get caught.

Continue reading “The Great Ohio Key Fob Mystery, Or “Honey, I Jammed The Neighborhood!””

This Week In Security: Backdoors In Cisco Switches, PGP Spoofing In Emails, Git Ransomware

May 13, 2019 by 7 Comments

Some switches in Cisco’s 9000 series are susceptible to a remote vulnerability, numbered CVE-2019-1804 . It’s a bit odd to call it a vulnerability, actually, because the software is operating as intended. Cisco shipped out these switches with the same private key hardcoded in software for all root SSH logins. Anyone with the key can log in as root on any of these switches.

Cisco makes a strange claim in their advisory, that this is only exploitable over IPv6. This seems very odd, as there is nothing about SSH or the key authentication process that is IPv6 specific. This suggests that there is possibly another blunder, that they accidentally left the SSH port open to the world on IPv6. Another possibility is that they are assuming that all these switches are safely behind NAT routers, and therefore inaccessible through IPv4. One of the advantages/disadvantages of IPv6 is that there is no NAT, and all the network devices are accessible from the outside network. (Accessible in the sense that a route exists. Firewalling is still possible, of course.)

It’s staggering how many devices, even high end commercial devices, are shipped with unintentional yet effective backdoors, just like this one. Continue reading “This Week In Security: Backdoors In Cisco Switches, PGP Spoofing In Emails, Git Ransomware”