This Week In Security: Loop DOS, Flipper Responds, And More!

Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server and aim the response at another. What happens if that response triggers another response? What if you could craft a packet that keeps that cycle going endlessly? That is essentially the idea behind Loop DoS (Denial of Service).

This avalanche of packets has been demonstrated against specific implementations of several different network services, like TFTP, DNS, and NTP. Several CVEs are being used to track the issue, but CVE-2024-2169 is particularly odd, with the description that “Implementations of UDP application protocol are vulnerable to network loops.” This seems to be a blanket CVE for UDP, which is particularly inappropriate given that a DoS of this sort was first reported in 2009 at the latest.

More details are available in a Google Doc. There are some interesting tidbits there, like the existence of cross-protocol loops, and several legacy protocols that are vulnerable by design. The important thing to remember is that an attacker needs a reachable UDP port for this sort of attack to take place, so if you’re not using it, firewall it.
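One way a defender can spot the ping-pong traffic described above in flow data, as an added example (not code from the article or from the researchers): legitimate clients send from ephemeral ports, so a UDP flow with a service port on both ends, matched by a reverse flow, is the loop signature, and cross-protocol loops fall out naturally because the two ports need not match. The record format, the addresses, and the port list are constructed assumptions of this example, and should_drop_request is one way to express the article’s “firewall it” advice for a UDP service you do need to expose.

```python
"""Loop DoS detection over UDP flow records.

Added example, not code from the article or the researchers. The flow record format,
the sample addresses and the service port list below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the article names (TFTP, DNS, NTP) plus the classic echo/daytime/qotd/chargen
# services, which are loop-prone by design. This list is an assumption of the example;
# extend it with whatever UDP services your network actually exposes.
SERVICE_PORTS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen",
                 53: "dns", 69: "tftp", 123: "ntp"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record of the form 'SRC_IP:PORT -> DST_IP:PORT PACKETS'."""
    left, right = line.split("->")
    src_ip, src_port = left.strip().rsplit(":", 1)
    dst, packets = right.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), int(packets))


def is_service_to_service(flow: Flow) -> bool:
    """Real clients use ephemeral source ports. A service port on BOTH ends is the
    signature of two servers answering each other (or of the spoofed packet that starts it)."""
    return flow.src_port in SERVICE_PORTS and flow.dst_port in SERVICE_PORTS


def find_loops(flows, min_packets=100):
    """Return [(endpoint_a, endpoint_b, total_packets)] for every pair of endpoints that
    exchanges service-to-service UDP traffic in BOTH directions, at or above min_packets.
    Cross-protocol loops (e.g. DNS <-> NTP) are caught because the ports need not match."""
    volume = defaultdict(int)
    for f in flows:
        if is_service_to_service(f):
            volume[((f.src_ip, f.src_port), (f.dst_ip, f.dst_port))] += f.packets
    loops = {}
    for (a, b), n in volume.items():
        if (b, a) in volume:  # reverse flow exists: traffic goes both ways
            pair = tuple(sorted((a, b)))
            loops[pair] = n + volume[(b, a)]
    return sorted(((a, b, n) for (a, b), n in loops.items() if n >= min_packets),
                  key=lambda item: -item[2])


def detect(lines, min_packets=100):
    """Convenience wrapper: parse raw records and report loops, busiest first."""
    return find_loops([parse_flow(line) for line in lines], min_packets)


def should_drop_request(src_port: int) -> bool:
    """The article's 'firewall it' advice as a rule for a UDP service you DO need to expose:
    refuse datagrams whose source port is itself a service port, since no legitimate client
    sends from one. An assumed policy for this example, not a rule from the article."""
    return src_port in SERVICE_PORTS


# Constructed sample: a DNS<->NTP cross-protocol loop, one normal client query, and a
# low-volume chargen<->echo exchange that only shows up with a lowered threshold.
SAMPLE_FLOWS = [
    "203.0.113.10:53 -> 198.51.100.20:123 4200",
    "198.51.100.20:123 -> 203.0.113.10:53 4198",
    "192.0.2.5:52341 -> 203.0.113.10:53 12",
    "203.0.113.10:53 -> 192.0.2.5:52341 12",
    "192.0.2.7:19 -> 192.0.2.8:7 15",
    "192.0.2.8:7 -> 192.0.2.7:19 14",
]

if __name__ == "__main__":
    for a, b, total in detect(SAMPLE_FLOWS, min_packets=10):
        print(f"loop: {a[0]}:{a[1]} ({SERVICE_PORTS[a[1]]}) <-> {b[0]}:{b[1]} "
              f"({SERVICE_PORTS[b[1]]}), {total} packets")
```

The threshold matters: a single exchange between two servers is noise, while thousands of packets bouncing between two service ports with no ephemeral port in sight is the loop. Feed it real flow exports by adapting parse_flow to your collector’s format.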

Flipper Flips Back

We’ve covered the saga of the Flipper Zero vs the Canadian government, in the context of car theft. The short version is that Canada has seen an uptick of car thefts from organized crime. Rather than meaningfully dealing with this problem, the Canadian government went looking for scapegoats, and found the Flipper Zero.

Well now, Flipper has responded, and put simply, the message is “stop the madness”. There has never been a confirmed case of a Flipper being used to steal a car, and it’s very unlikely it has ever happened. On a modern car with proper rolling-code security, it’s not meaningfully possible to use the Flipper Zero for theft. The two primary ways criminals actually steal cars are with dedicated keyfob repeaters and CAN bus hacking tools.

There is a petition to sign, and for Canadians, Flipper suggests contacting your local member of parliament.

You Should Be Allowed To Fix McDonald’s Ice Cream Machines, Say Federal Regulators

Editor’s Note: According to our infallible record keeping, this is the 50,000th post published on Hackaday! We weren’t sure this was the kind of milestone that required any drawn-out navel-gazing on our part, but it does seem significant enough to point out. We didn’t pick any specific post to go out in this slot, but the fact that it ended up being a story about the right to repair ice cream machines seems suitably hacky for the occasion.


The McDonald’s ice cream machine is one of the great marvels of the modern world. It’s a key part of our heavily mechanized industrial economy, and it’s also known for breaking down as often as an old Italian automobile. It’s apparently illegal to repair the machines unless you’re doing so with the authority of Taylor, the manufacturer. However, as reported by The Verge, the FTC and DOJ may soon have something to say about that.

Things are coming to a head as the Copyright Office contemplates whether to carve out new exemptions in the Digital Millennium Copyright Act. The legislation is widely reviled for making it illegal to circumvent copy protection, an act that is often required to maintain or repair certain equipment. As a result, customers are often locked into paying the original manufacturer to fix things for them.

Both the FTC and DOJ have filed a comment with the Copyright Office on the matter. The language will warm the cockles of your heart if you’re backing the right-to-repair movement.

Changes in technology and the more prevalent use of software have created fresh opportunities for manufacturers to limit Americans’ ability to repair their own products. Manufacturers of software-enabled devices and vehicles frequently use a range of restrictive practices to cut off the ability to do a “DIY” or third-party repair, such as limiting the availability of parts and tools, imposing software “locks,” such as TPMs, on equipment that prevent third-party repairers from accessing the product, imposing restrictions on warranties, and using product designs that make independent repairs less available.

The agencies want new exceptions to Section 1201 of the DMCA to allow repair of “industrial and commercial equipment.” That would make it legal to tinker with McDonald’s ice cream machines, whoever you are. The hope is this would occur along with a renewal of exceptions for “computer programs that control devices designed primarily for use by consumers and computer programs that control motorized land vehicles, marine vessels, and mechanized agricultural vehicles.”

Brush up on the finer details of icecreamgate in our previous coverage. This could be a grand time for change. Enough is enough: McDonald’s ice cream machines have been down for too long! Video after the break.


Artist rendition of the Chandra telescope system in deep space. (Credit: NASA / James Vaughn)

The Chandra X-Ray Observatory Faces Shutdown In FY2025 Budget

The Chandra X-ray Observatory started its mission back in 1999 when Space Shuttle Columbia released it from its payload bay. Originally, it was supposed to serve only a five-year mission, but it has managed twenty-four years so far and counting, providing invaluable science along with the other Great Observatory, the Hubble Space Telescope. Unfortunately, NASA’s FY2025 budget now threatens its space telescopes in general and Chandra in particular. This comes as part of the larger FY2025 US budget, which increases total NASA funding by 2%, not enough to prevent cuts in NASA’s space telescope operations.

NASA already anticipated this cut in 2023, with funding shifting to the Nancy Grace Roman Space Telescope (infrared spectrum, scheduled for 2027). Since Hubble is a joint operation with ESA, any shortfalls there might be covered that way, but Chandra’s budget will go from 68.3M USD in FY2023 to 41.4M USD in FY2025 and from there plummet to 5.2M USD by FY2029, effectively winding down the project and ending NASA’s flagship X-ray astronomy mission. This doesn’t sit well with everyone: a website called Save Chandra has been launched to petition the US government to save the observatory, noting that it still has a decade of thruster fuel remaining and stable mission costs.


NASA Engineers Poke Voyager 1 And Receive Memory Dump

For months, there has been a rising fear that we may have to say farewell to the Voyager 1 spacecraft after it began to send back garbled data. Now, in a sudden twist, Voyager 1 has sent back a read-out of the Flight Data Subsystem (FDS) memory after a “poke” command, which both gives some hope that the spacecraft is in better condition than feared and allows engineers to dig through the returned memory read-out for clues. Although this data was not sent in the format that the FDS is supposed to use when it’s working correctly, it’s nevertheless readable.

It was previously suspected that the issue lay with the telemetry modulation unit (TMU), but it has since been nailed down to the FDS itself. This comes after NASA engineers updated the firmware on both spacecraft to extend their lifespan, but it’s too early to consider that a possible cause. Now, as a result of the “poke” instruction, which commands the computer to try different sequences in its firmware in case part of it has been corrupted, engineers can compare the read-out to previous downloads to hopefully figure out the cause of the FDS problems and a possible solution.

Inspired by this news of the decoded memory download, Nadia Drake, daughter of Frank Drake, wrote about how it affects not only the engineers who have worked on the Voyager mission for the past decades but also her own feelings about the two Voyager spacecraft. Not only are they a lasting reminder of her father and so many of his colleagues, but the silence that would follow if we could no longer communicate with them would be profound. Still, this new hope is better than the earlier news about this plucky little spacecraft.

Thanks to [Mark Stevens] for the tip.

This Week In Security: Apple Backdoors Curl, Tor’s New Bridge, And GhostRace

OK, that headline is a bit of a cheap shot. But if you run the curl binary that Apple ships, you’re in for a surprise if you happen to use the --cacert flag. That flag specifies that TLS verification is to be done using only the certificate file specified. That’s useful for solving certificate mysteries, or for making absolutely sure that you’re connecting to the server you expect.

What’s weird here is that on macOS, using the Apple-provided curl binary, --cacert doesn’t limit the program to the single certificate file. On an Apple system, verification falls back to the system’s certificate store. This is an intentional choice by Apple, but not one that’s aimed particularly at curl. The real magic is in Apple’s SSL library, which forces the use of the system keychain.

The current state of things is that this option is simply not going to do the right thing in the Apple-provided binary. It’s documented with the note that “this option is supported for backward compatibility with other SSL engines, but it should not be set.” It’s an unfortunate situation, and we’re hopeful that a workaround can be found to restore the documented function of this option.
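A quick way to find out which behaviour a given curl binary has, as an added example that is not code from the article, from curl or from Apple: hand curl a CA bundle containing only a freshly generated, unrelated self-signed certificate. A curl that honours --cacert cannot validate any real server against that bundle and exits with code 60 (peer certificate verification failed); a curl that falls back to another trust store exits 0. The script assumes the openssl CLI is available to mint the throwaway certificate, the placeholder subject name is constructed, and the default URL is just a default.

```python
"""Probe whether a given curl binary honours --cacert as documented.

Added example, not code from the article, curl, or Apple. Requires the openssl CLI
to generate a throwaway, unrelated CA certificate.
"""
import os
import subprocess
import tempfile


def make_unrelated_ca_bundle(path: str) -> None:
    """Write a one-day self-signed certificate with a constructed placeholder subject to
    `path`. The private key is discarded: the bundle only needs to be a valid, unrelated CA."""
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", os.devnull, "-out", path,
         "-subj", "/CN=cacert-probe-unrelated", "-days", "1"],
        check=True, capture_output=True,
    )


def classify(baseline_rc: int, cacert_rc: int):
    """Turn the two curl exit codes into a verdict.

    baseline_rc: exit code of a plain request (sanity check that the network works).
    cacert_rc:   exit code of the same request with --cacert <unrelated bundle>.
    Returns (verdict, explanation); 60 is curl's CURLE_PEER_FAILED_VERIFICATION."""
    if baseline_rc != 0:
        return ("inconclusive",
                f"plain request failed with exit {baseline_rc}; fix connectivity first")
    if cacert_rc == 60:
        return ("strict", "peer rejected against the unrelated bundle: --cacert is honoured")
    if cacert_rc == 0:
        return ("fallback", "request succeeded despite an unrelated bundle: another trust "
                            "store (e.g. the system keychain) was consulted")
    return ("inconclusive", f"--cacert request exited {cacert_rc}, neither 0 nor 60")


def probe(curl: str = "curl", url: str = "https://example.com/"):
    """Run the baseline request and the --cacert request, then classify the outcome."""
    common = [curl, "--silent", "--show-error", "--output", os.devnull, "--max-time", "20"]
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "unrelated-ca.pem")
        make_unrelated_ca_bundle(bundle)
        baseline = subprocess.run(common + [url]).returncode
        with_cacert = subprocess.run(common + ["--cacert", bundle, url]).returncode
    return classify(baseline, with_cacert)


if __name__ == "__main__":
    import sys
    # Usage: python probe_cacert.py [/path/to/curl] [https://host/]
    verdict, why = probe(*sys.argv[1:3])
    print(f"{verdict}: {why}")
```

Run it once against the system binary (for example /usr/bin/curl on a Mac) and once against a separately installed curl, and compare verdicts. The baseline request is there so that a firewall or DNS problem is reported as inconclusive rather than mistaken for strict verification.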

An Optical Computer Architecture

We always hear that future computers will use optical technology. But what will that look like for a general-purpose computer? German researchers explain it in a recent scientific paper. Although the DOC-II used optical processing, it still relied on some conventional electronics. The question is, how can you construct a general computer that uses only optical technology?

The paper outlines “Miller’s criteria” for practical optical logic gates. In particular, any optical scheme must provide outputs suitable for feeding into another gate’s inputs and must also support fan-out of one output to multiple inputs. It is also desirable that each stage does not propagate signal degradation and that it isolates its outputs from its inputs. The final two criteria note that practical systems don’t depend on loss to represent information, since loss isn’t consistent across paths, and, similarly, the gates should not require high-precision adjustment to work correctly.

The paper also identifies many misconceptions about new computing devices. For example, the authors assert that while general-purpose desktop-class CPUs today contain billions of devices, use a data path at least 32 bits wide, and contain RAM, this isn’t necessarily true for CPUs built on a different technology. If that seems hard to believe, they make their case throughout the paper. We can’t remember the last scientific paper we read that literally posed the question, “Will it run Doom?” But this paper does actually propose this as a canonical question.


μRepRap: Taking RepRap Down To Micrometer-Level Manufacturing

When the RepRap project was started in 2005 by [Dr Adrian Bowyer], the goal was to develop low-cost 3D printers capable of printing most of their own components. The project slipped into a bit of a lull by 2016 as the market became increasingly flooded with affordable FDM printers from a growing assortment of manufacturers. Now it seems that the RepRap project may have found a new impetus, in the form of a sub-millimeter-level fabrication system called μRepRap, announced by [Vik Olliver] on the RepRap project blog, with an accompanying project page.

The basic technology is based on the OpenFlexure project’s Delta Stage, which allows for very precise positioning of an imaging element, or conceivably a fabrication tool. As a first step, [Vik] upgraded the original delta stage to a heavily reinforced one that can accept larger NEMA17 stepper motors. This also allows standard 3D printer electronics to control the system much like an FDM printer, only at much smaller scales and with new types of materials. The current prototype [Vik] made has a claimed step accuracy of 3 µm, with a range of tools and deposition materials being considered, including photosensitive resins.

It should be noted that although this project is in its infancy, it has solid foundations thanks to projects like OpenFlexure. Will μRepRap kickstart micrometer-level manufacturing the way RepRap did for FDM 3D printing? As an R&D project it doesn’t come with guarantees, but color us excited.

Thanks to [Tequin] for the tip.