News

3651 Articles

Schematic of quantum measurement basis on whiteboard

Shedding Light On Quantum Measurement With Calcite

January 26, 2025 by 19 Comments

Have you ever struggled with the concept of quantum measurement, feeling it’s unnecessarily abstract? You’re not alone. Enter this guide by [Mithuna] from Looking Glass Universe, where she circles back on the concept of  measurement basis in quantum mechanics using a rather simple piece of calcite crystal. We wrote about similar endeavours in reflection on Shanni Prutchi’s talk at the Hackaday SuperConference in 2015. If that memory got a bit dusty in your mind, here’s a quick course to make things click again.

In essence, calcite splits a beam of light into two dots based on polarization. By aligning filters and rotating angles, you can observe how light behaves when forced into ‘choices’. The dots you see are a direct representation of the light’s polarization states. Now this isn’t just a neat trick for photons; it’s a practical window into the probability-driven nature of quantum systems.

Even with just one photon passing through per second, the calcite setup demonstrates how light ‘chooses’ a path, revealing the probabilistic essence of quantum mechanics. Using common materials (laser pointers, polarizing filters, and calcite), anyone can reproduce this experiment at home.

If this sparks curiosity, explore Hackaday’s archives for quantum mechanics. Or just find yourself a good slice of calcite online, steal the laser pointer from your cat’s toy bin, and get going!

Continue reading “Shedding Light On Quantum Measurement With Calcite”

Sony Ends Blu-Ray, MD And MiniDV Media Production

January 24, 2025 by 30 Comments

With the slow demise of physical media the past years, companies are gradually closing shop on producing everything from the physical media itself to their players and recorders. For Sony this seems to have now escalated to where it’ll be shuttering its recordable optical media storage operations, after more than 18 years of producing recordable Blu-ray discs. As noted by [Toms Hardware] this also includes minidisc (MD) media and MiniDV cassettes.

We previously reported on Sony ending the production of recordable Blu-ray media for consumers, which now seems to have expanded to Sony’s remaining storage media. It also raises the likelihood that Sony’s next game console (likely PlayStation 6) will not feature any optical drive at all as Blu-ray loses importance. While MiniDV likely was only interesting to those of us still lugging one of those MiniDV camcorders around, the loss of MD production may be felt quite strongly in the indie music scene, where MD is experiencing somewhat of a revival alongside cassette tapes and vinyl records.

Although it would appear that physical media is now effectively dead in favor of streaming services, it might be too soon to mark its demise.

This Week In Security: ClamAV, The AMD Leak, And The Unencrypted Power Grid

January 24, 2025 by 11 Comments

Cisco’s ClamAV has a heap-based buffer overflow in its OLE2 file scanning. That’s a big deal, because ClamAV is used to scan file attachments on incoming emails. All it takes to trigger the vulnerability is to send a malicious file through an email system that uses ClamAV.

The exact vulnerability is a string termination check that can fail to trigger, leading to a buffer over-read. That’s a lot better than a buffer overflow while writing to memory. That detail is why this vulnerability is strictly a Denial of Service problem. The memory read results in process termination, presumably a segfault for reading protected memory. There are Proof of Concepts (PoCs) available, but so far no reports of the vulnerability being used in the wild.
Continue reading “This Week In Security: ClamAV, The AMD Leak, And The Unencrypted Power Grid”

Bambu Lab Tries To Clarify Its New “Beta” Authentication Scheme

January 20, 2025 by 62 Comments

Perhaps one of the most fascinating aspects of any developing tech scandal is the way that the target company handles criticism and feedback from the community. After announcing a new authentication scheme for cloud & LAN-based operations a few days ago, Bambu Lab today posted an update that’s supposed to address said criticism and feedback. This follows the original announcement which had the 3D printer community up in arms, and quickly saw the new tool that’s supposed to provide safe and secure communications with Bambu Lab printers ripped apart to extract the security certificate and private key.

In the new blog post, the Bambu Lab spokesperson takes a few paragraphs to get to the points which the community are most concerned about, which is interoperability between tools like OrcaSlicer and Bambu Lab printers. The above graphic is what they envision it will look like, with purportedly OrcaSlicer getting a network plugin that should provide direct access, but so far the Bambu Connect app remains required. It’s also noted that this new firmware is ‘just Beta firmware’.

As the flaming wreck that’s Bambu Lab’s PR efforts keeps hurtling down the highway of public opinion, we’d be remiss to not point out that with the security certificate and private key being easily obtainable from the Bambu Connect Electron app, there is absolutely no point to any of what Bambu Lab is doing.

Bambu Connect’s Authentication X.509 Certificate And Private Key Extracted

January 19, 2025 by 125 Comments

Hot on the heels of Bambu Lab’s announcement that it would be locking down all network access to its X1-series 3D printers with new firmware, the X.509 certificate and private key from the Bambu Connect application have now been extracted by [hWuxH]. This application was intended to be the sole way for third-party software to send print jobs to Bambu Lab hardware as we previously reported.

The Bambu Connect app is a fairly low-effort Electron-based affair, with some attempt at obfuscation and encryption, but not enough to keep prying eyes out. The de-obfuscated main.js file can be found here (archived), with the certificate and private key clearly visible. These are used to encrypt HTTP traffic with the printer, and is the sole thing standing in the way of tools like OrcaSlicer talking with authentication-enabled Bambu Lab printers.

As for what will be the next steps by Bambu Lab, it’s now clear that security through obfuscation is not going to be very effective here. While playing whack-a-mole with (paying) users who are only interested in using their hardware in the way that they want is certainly an option, this might be a wake-up call for the company that being more forthcoming with their userbase would be in anyone’s best interest.

We await Bambu Lab’s response with bated breath.

This Week In Security: Rsync, SSO, And Pentesting Mushrooms

January 17, 2025 by 14 Comments

Up first, go check your machines for the rsync version, and your servers for an exposed rsync instance. While there are some security fixes for clients in release 3.4.0, the buffer overflow in the server-side rsync daemon is the definite standout. The disclosure text includes this bit of nightmare fuel: “an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.”

A naive search on Shodan shows a whopping 664,955 results for rsync servers on the Internet. Red Hat’s analysis gives us a bit more information. The checksum length is specified by the remote client, and an invalid length isn’t properly rejected by the server. The effect is that an attacker can write up to 48 bytes into the heap beyond the normal checksum buffer space. The particularly dangerous case is also the default: anonymous access for file retrieval. Red Hat has not identified a mitigation beyond blocking access.

If you run servers or forward ports, it’s time to look at ports 873 and 8873 for anything listening. And since that’s not the only problem fixed, it’s really just time to update to rsync 3.4.0 everywhere you can. While there aren’t any reports of this being exploited in the wild, it seems like attempts are inevitable. As rsync is sometimes used in embedded systems and shipped as part of appliances, this particular bug threatens to have quite the long tail. Continue reading “This Week In Security: Rsync, SSO, And Pentesting Mushrooms”

Audio On A Shoestring: DIY Your Own Studio-Grade Mic

January 14, 2025 by 14 Comments

When it comes to DIY projects, nothing beats the thrill of crafting something that rivals expensive commercial products. In the microphone build video below, [Electronoobs] found himself inspired by DIY Perks earlier efforts. He took on the challenge of building a $20 high-quality microphone—a budget-friendly alternative to models priced at $500. The result: an engaging and educational journey that has it’s moments of triumph, it’s challenges, and of course, opportunities for improvement.

The core of the build lies in the JLI-2555 capsule, identical to those found in premium microphones. The process involves assembling a custom PCB for the amplifier, a selection of high-quality capacitors, and designing lightweight yet shielded wiring to minimize noise. [Electronoobs] also demonstrates the importance of a well-constructed metal mesh enclosure to eliminate interference, borrowing techniques like shaping mesh over a wooden template and insulating wires with ultra-thin enamel copper. While the final build does not quite reach the studio-quality level and looks of the referenced DIY Perks’ build, it is an impressive attempt to watch and learn from.

The project’s key challenge here would be achieving consistent audio quality. The microphone struggled with noise, low volume, and single-channel audio, until [Electronoobs] made smart modifications to the shielded wiring and amplification stages. Despite the hurdles, the build stands as an affordable alternative with significant potential for refinement in future iterations.

Continue reading “Audio On A Shoestring: DIY Your Own Studio-Grade Mic”