This Week In Security: Open Source C2, Raptor Trains, And End To End Encryption

Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.

Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.

A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.

Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.

Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops.

COBB Tuning Hit With $2.9 Million Fine Over Emissions Defeat Devices

Recently, the EPA and COBB Tuning have settled after the latter was sued for providing emissions control defeating equipment. As per the EPA’s settlement details document, COBB Tuning have since 2015 provided customers with the means to disable certain emission controls in cars, in addition to selling aftermarket exhaust pipes with insufficient catalytic systems. As part of the settlement, COBB Tuning will have to destroy any remaining device, delete any such features from its custom tuning software and otherwise take measures to fully comply with the Clean Air Act, in addition to paying a $2,914,000 civil fine.

The tuning of cars has come a long way from the 1960s when tweaking the carburetor air-fuel ratios was the way to get more power. These days cars not only have multiple layers of computers and sensor systems that constantly monitor and tweak the car’s systems, they also have a myriad of emission controls, ranging from permissible air-fuel ratios to catalytic converters. It’s little surprise that these systems can significantly impact the raw performance one might extract from a car’s engine, but if the exhaust of nitrogen-oxides and other pollutants is to be kept within legal limits, simply deleting these limits is not a permissible option.

COBB Tuning proclaimed that they weren’t aware of these issues, and that they never marketed these features as ‘emission controls defeating’. They were however aware of issues regarding their products, which is why they announced ‘Project Green Speed’ in 2022, which supposedly would have brought COBB into compliance. Now it would seem that the EPA did find fault despite this, and COBB was forced to make adjustments.

Although perhaps not as egregious as modifying diesel trucks to ‘roll coal’, federal law has made it abundantly clear that if you really want to have fun tweaking and tuning your car without pesky environmental laws getting in the way, you could consider switching to electric drivetrains, even if they’re mind-numbingly easy to make performant compared to internal combustion engines.

2024 Hackaday Superconference Speakers, Round One

Supercon is the Ultimate Hardware Conference and you need to be there! We’ve got a stellar slate of speakers this year — way too many to feature in one post. So here’s your first taste, and a reminder that Supercon will sell out so get your tickets now before it’s too late.

In addition to the full-length talks, we’ve got a series of Lightning Talks, so if you want to share seven minutes of insight with everyone there, please register your Lightning Talk idea now.

But Supercon has a lot more than just talks! The badge heavily features Supercon Add-Ons, and we want to see the awesome SAOs you are working on. There will be prizes, and we’ll manufacture four of our favorite designs in small batches for the winners, and make a full run for Hackaday Europe in 2025. Want to know more about SAOs? They’re the ideal starter PCB project.

We’ll Take DIY Diamond Making For $200,000

They say you can buy anything on the Internet if you know the right places to go, and apparently if you’re in the mood to make diamonds, then Alibaba is the spot. You even have your choice of high-pressure, high-temperature (HPHT) machine for $200,000, or a chemical vapor deposition (CVD) version, which costs more than twice as much. Here’s a bit more about how each process works.

Of course, you’ll need way more than just the machine and a power outlet. Additional resources are a must, and some expertise would go a long way. Even so, you end up with raw diamonds that need to be processed in order to become gems or industrial components.

For HPHT, you’d also need a bunch of good graphite, catalysts such as iron and cobalt, and precise control systems for temperature and pressure, none of which are included as a kit with the machine.

For CVD, you’d need methane and hydrogen gases, and precise control of microwaves or hot filaments. In either case, you’re not getting anywhere without diamond seed crystals.

Right now, the idea of Joe Hacker making diamonds in his garage seems about as far off as home 3D printing did in about 1985. But we got there, didn’t we? Hey, it’s a thought.

Watch NASA’s Solar Sail Reflect Brightly In The Night Sky

NASA’s ACS3 (Advanced Composite Solar Sail System) is currently fully deployed in low Earth orbit, and stargazers can spot it if they know what to look for. It’s actually one of the brightest things in the night sky. When the conditions are right, anyway.

What conditions are those? Orientation, mostly. ACS3 is currently tumbling across the sky while NASA takes measurements about how it acts and moves. Once that’s done, the spacecraft will be stabilized. For now, it means that visibility depends on ACS3’s orientation relative to someone on the ground. At its brightest, it appears as bright as Sirius, the brightest star in the night sky.

ACS3 is part of NASA’s analysis and testing of solar sail technology for use in future missions. Solar sails represent a way of using reflected photons (from sunlight, but also possibly from a giant laser) for propulsion.

This perhaps doesn’t have much in the way of raw energy compared to traditional thrusters, but offers low cost and high efficiency (not to mention considerably lower complexity and weight) compared to propellant-based solutions. That makes it very worth investigating. Solar sail technology aims to send a probe to Alpha Centauri within the next twenty years.

Want to try to spot ACS3 with your own eyes? There’s a NASA app that can alert you to sighting opportunities in your local time and region, and even guide you toward the right region of the sky to look. Check it out!

Cast21 Brings Healing Into 2024

It takes but an ill-fated second to break a bone, and several long weeks for it to heal in a cast. And even if you have one of those newfangled fiberglass casts, you still can’t get the thing wet, and it’s gonna be itchy under there because your skin can’t breathe. Isn’t it high time for something better?

Enter Cast21, co-founded by Chief Technical Officer [Jason Troutner], who has been in casts more than 50 times due to sports injuries and surgeries. He teamed up with a biomedical design engineer and an electrical engineer to break the norms associated with traditional casts and design a new solution that addresses their drawbacks.

So, how does it work already? The latticework cast is made from a network of silicone tubes that harden once injected with resin and a catalyst mixture. It takes ten seconds to fill the latticework with resin and three minutes for it to cure, and the whole process is much faster than plaster or fiberglass.

This new cast can be used along with electrical stimulation therapy, which can reduce healing time and prevent muscle atrophy.

Cast21 is not only breathable, it’s also waterproof, meaning no more trash bags on your arm to take a shower. The doctor doesn’t even need a saw to remove it, just cut in two places along the seam. It can even be used as a splint afterward.

It’s great to see advancements in simple medical technologies like the cast. And it looks almost as cool as this 3D-printed exoskeleton cast we saw ten years ago.

Thanks to [Keith Olson] for the tip!

Where Do You Connect The Shield?

When it comes to polarizing and confusing questions in electronics, wiring up shields is on the top-10 list when sorted by popularity. It’s a question most of us need to figure out at some point – when you place a USB socket symbol on your schematic, where do you wire up the SHIELD and MP pins?

Once you look it up, you will find Eevblog forum threads with dozens of conflicting replies, Stackexchange posts with seven different responses plus a few downvoted ones, none of them accepted, and if you try to consult the literature, the answer will invariably be “it depends”.

I’m not a connector-ground expert, I just do a fair bit of both reading and hacking. Still, I’ve been trying to figure out this debate for a couple of years now, re-reading the forum posts each time I started a new schematic with a yet-unfamiliar connector. Now, of course, coming to this question with my own bias, here’s a summary you can fall back on.

Consumer Ports

Putting HDMI on your board? First of all, good luck. Then, consider – do you have a reason to avoid connecting the shield? If not, certainly connect the shield to ground, use jumpers if that’s what makes you comfortable, though there’s a good argument that you should just connect directly, too. The reason is simple: a fair few HDMI cables omit GND pin connections, fully relying on the shield for return currents. When your HDMI connection misfires, you don’t want to be debugging your HDMI transmitter settings when the actual No Signal problem, as unintuitive as it sounds, will be simply your shield not being grounded – like BeagleBone and Odroid didn’t in the early days. By the way, is a DVI-D to HDMI adapter not working for you? Well, it might just be that it’s built in a cheap way and doesn’t connect the shields of the two sockets together – which is fixable.
