This Week In Security: The Rest Of The IPv6 Story, CVE Hunting, And Hacking The TSA

We finally have some answers about the Windows IPv6 vulnerability — and a Proof of Concept! The patch was a single change in the Windows TCP/IP driver’s Ipv6pProcessOptions(), which now calls IppSendError() instead of IppSendErrorList(). That’s not very helpful on its own, which is why [Marcus Hutchins]’s analysis is so useful here. And it’s not an easy task, since decompiled code like this doesn’t come with variable names.

The first question that needs answering is: what is the list in question? This code handles the option field in incoming IPv6 packets, and the object being manipulated is a linked list of packet structs. That linked list almost always has a single member, and calling IppSendErrorList() on a single-member list is functionally equivalent to the IppSendError() call in the fixed code. The flaw must therefore lie in the handling of a list with multiple members. The only way to meet that condition is to send enough traffic at the machine in question that it can’t quite keep up with processing packets one at a time. To handle the high throughput, Windows assembles incoming packets into a linked list and processes them in a batch.

So what’s next? IppSendErrorList() takes a boolean and passes it on to each call of IppSendError(). We don’t know what Microsoft’s variable name is, but [Marcus] is calling it always_send_icmp, because setting it to true means that each packet processed will generate an ICMP packet. The important detail is that IppSendError() can have side effects. There is a code path where the packet gets reverted, and the processing pointer is set back to the beginning of the packet. That’s fine for the first packet in the list, but because the function processes errors on the entire list of packets, the state of the rest of those packets is now very different from what is expected.

This unexpected bit of weirdness can be further abused through IPv6 packet fragmentation. With a bit of careful setup, the reversion can cause a length counter to underflow, resulting in data structure corruption, and finally in code execution jumping into the packet data. That’s the Remote Code Execution (RCE). And the good news, beyond the IPv6-only nature of the flaw, is that so far it’s been difficult to actually pull the attack off, as it relies on this somewhat non-deterministic “packet coalescing” technique to trigger the flaw.
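As an added illustration (not Microsoft’s code and not from [Marcus]’s write-up), the model below reduces the mechanism to a linked list of coalesced packets: the pre-fix list variant applies one packet’s error, and its cursor-rewind side effect, to every packet in the batch, while the fixed per-packet call touches only the offending one. The struct and function names, the 8-byte “already parsed” header and the 0xFF “malformed option” rule are constructed assumptions.

```c
/* Simplified model of the IppSendErrorList()/IppSendError() difference; constructed, not Windows code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define HDR_LEN 8   /* assumed fixed-header size, already parsed for every packet in the batch */

typedef struct pkt {
    const uint8_t *data;
    size_t len;
    size_t cursor;           /* processing pointer into data */
    struct pkt *next;        /* coalesced packets form a linked list */
} pkt_t;

/* Error report with a side effect: rewinds the packet's processing pointer. */
static void send_error(pkt_t *p, bool revert) { if (revert) p->cursor = 0; }

/* Pre-fix behaviour: an error found in one packet is applied to every packet in the batch. */
static void send_error_list(pkt_t *head, bool revert)
{
    for (pkt_t *p = head; p != NULL; p = p->next)
        send_error(p, revert);
}

/* Walk one packet's option bytes; 0xFF marks a malformed option (constructed rule).
 * Returns true when an error was reported. */
static bool process_options(pkt_t *p, pkt_t *batch, bool use_list_variant)
{
    for (; p->cursor < p->len; p->cursor++) {
        if (p->data[p->cursor] != 0xFF)
            continue;
        if (use_list_variant)
            send_error_list(batch, true);   /* rewinds every packet, not just p */
        else
            send_error(p, true);            /* the fix: only the offending packet */
        return true;
    }
    return false;
}

/* Two coalesced packets with headers already parsed (cursor == HDR_LEN). Packet A carries a
 * bad option; returns packet B's cursor afterwards so the two behaviours can be compared. */
size_t cursor_of_b_after_error_in_a(bool use_list_variant)
{
    static const uint8_t a_bytes[12] = {0,0,0,0,0,0,0,0, 0x01, 0xFF, 0x00, 0x00};
    static const uint8_t b_bytes[12] = {0,0,0,0,0,0,0,0, 0x01, 0x02, 0x00, 0x00};
    pkt_t b = { b_bytes, sizeof b_bytes, HDR_LEN, NULL };
    pkt_t a = { a_bytes, sizeof a_bytes, HDR_LEN, &b };
    process_options(&a, &a, use_list_variant);
    return b.cursor;   /* list variant: 0 (B's state silently reset); per-packet variant: 8 */
}
```

With the list variant, packet B is left pointing at its already-parsed header rather than at its options, which is the kind of unexpected state the write-up describes.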

The Macintosh Plus Sounds Great If You Do Exactly This With It

The Macintosh Plus is not exactly known as particularly relevant in the worlds of chiptune or electronic music more broadly. That’s not to say it can’t do anything that sounds cool, however. As [Action Retro] demonstrates, it’s got some really impressive tricks up its sleeve if you know what you’re doing.

The video centers around “Music Mouse”, a piece of software created by Laurie Spiegel for the Macintosh Plus all the way back in 1986. Spiegel saw the Macintosh Plus as a potential instrument for musical expression, with the then-innovative mouse as the key human interface.

[Action Retro] shows off the software, which is able to create rather pleasing little melodies with little more than a swish and a swash across the mousepad. The software makes smart use of scales so you’re not forever dodging around dissonant notes, so it’s quite easy to play something beautiful. He then makes things more interesting by pairing the Macintosh Plus with his favorite guitar pedal—the Old Blood Noise Endeavors Sunlight. It’s a dynamic reverb that really opens up the sonic landscape when paired with the Mac Plus. If you’re looking for a weird avant-garde setup to take on stage at your next noise show, this has to be it.

We’re usually used to seeing Nintendo and Commodore products in the retro computer music space. The Mac makes a nice change. Video after the break.

Meta Cancels Augmented Reality Headset After Apple Vision Pro Falls Flat

The history of consumer technology is littered with things that came and went. For whatever reason, consumers never really adopted the tech, and it eventually dies. Some of those concepts seem to persistently hang on, however, such as augmented reality (AR). Most recently, Apple launched its Vision Pro ‘mixed reality’ headset at an absolutely astounding price to a largely negative response and disappointing sale numbers. This impending market flop seems to now have made Meta (née Facebook) reconsider bringing a similar AR device to market.

To most, this news will come as little of a surprise, considering that Microsoft’s AR product (HoloLens) explicitly seeks out (government) niches with substantial budgets, and Google’s smart glasses have crashed and burned despite multiple market attempts. In a consumer market where virtual reality products are already desperately trying not to become another 3D display debacle, it would seem clear that amidst a lot of this sci-fi adjacent ‘cool technology,’ there are a lot of executives and marketing critters who seem to forego the basic question: ‘why would anyone use this?’

This Week In Security: Crash Your IPhone, Hack Your Site, And Bluetooth Woes

There have been some hilarious issues on mobile devices over the years. The HTC Dream had a hidden shell that was discovered when a phone rebooted after sending a text containing just the word “reboot”. iOS has gotten in on the fun from time to time, and this time it’s ""::. Type the double quotes, a colon, and any other character, and Apple’s Springboard service crashes.

Another hacker dug in a bit, and realized that Springboard is trying to jump execution to a null pointer, leading to a crash. It’s very odd that user input breaks the query parser badly enough to jump to null like that. There are a couple of interesting questions that we have to ask. Given that the crash trigger is quite flexible, "anything goes":x, is it possible to manipulate that function pointer to be something other than null? And perhaps more importantly, why is the code crashing, instead of raising an invalid address error as one would expect from a Pointer Authentication Code (PAC) violation? Regardless, the bug seems to be fixed in the latest iOS 18 builds.

Farewell Magnetic Stripe

For decades, the magnetic stripe has been ubiquitous on everything from credit cards to tickets to ID badges. But the BBC reports — unsurprisingly — that the mag stripe’s days are numbered. Between smartphones, QR codes, and RFID, there’s just less demand for the venerable technology.

IBM invented the stripe back in the early 1960s. The engineer responsible, [Forrest Parry], was also involved in developing the UPC code. While working on a secure ID for the CIA, his wife suggested using an iron to melt a strip of magnetic tape onto the card. The rest is history.

Cost-Optimized Raspberry Pi 5 Released With 2 GB RAM And D0 Stepping

When the Raspberry Pi 5 SBC was released last year, it came in 4 and 8 GB RAM variants, which currently retail from around $80 USD and €90 for the 8 GB variant to $60 and €65 for the 4 GB variant. Now Raspberry Pi has announced the launch of a third Raspberry Pi 5 variant: a 2 GB version which also features a new stepping of the BCM2712 SoC. This would sell for about $50 USD and feature the D0 stepping that purportedly strips out a lot of the ‘dark silicon’ that is not used on the SBC.

These unused die features are likely due to the Broadcom SoCs used on Raspberry Pi SBCs being effectively recycled set-top box SoCs and similar. This means that some features that make sense in a set-top box do not make sense for a general-purpose SBC, but still take up die space and increase the manufacturing defect rate. The D0 stepping thus would seem to be based around an optimized die, with the only possible negative being a higher power density due to a (probably) smaller die, making active cooling even more important.

Whether 2 GB is enough for your purposes depends on your use case, but knocking $10 off the price of an RPi 5 could be worth it for some. Perhaps more interesting is that this same D0 stepping of the SoC is likely to make it to the other RAM variants as well. We’re awaiting benchmarks to see what the practical difference is between the current C1 and new D0 steppings.

Thanks to [Mark Stevens] for the tip.

Historical Microsoft And Apple Artifacts Among First Christie’s Auction Of Living Computers Museum

Recently the Christie’s auction house released the list of items that will be going up for sale as part of the first lot of Living Computer Museum items, under the banner “Gen One: Innovations from the Paul G. Allen Collection”. One auction covers many ‘firsts’ in the history of computing, including a range of computers such as an Apple 1 and a PDP-10, as well as early Microsoft memos and code printouts. The other auctions include items such as a Gemini spacesuit worn by [Ed White] and a signed 1939 letter from [Albert Einstein] to [US President Roosevelt] on the discovery by the Germans of a fissionable form of uranium from which a nuclear weapon could be constructed.

We previously reported on this auction when it was first announced in June of this year. At the time many were saddened at seeing so much computer history and its related educational facilities vanish, and there were worries among those who had donated items to the museum about what would happen to them now that the museum’s inventory was being put up for sale. As these donations tend to be unconditional, the museum is free to do with the items as it sees fit, but ‘being sold at auction’, probably to a private collector, was likely not on donors’ minds when filling in the donation form.

As the first auctions kick off in a few days we will just have to wait and see where the museum’s inventory ends up, but it seems likely that many of these items which were publicly viewable will now be scattered across the globe in private collections.

Top image: A roughly 180° panorama of the “conditioned” room of the Living Computer Museum, Seattle, Washington, USA. Taken in 2014. (Credit: Joe Mabel)