Will There Be Any Pi Left For Us?

Our world has been abuzz with the news that Raspberry Pi are to float on the London Stock Exchange. It seems an obvious move for a successful and ambitious company, and as they seem to be in transition from a maker of small computers into a maker of chips which happen to also go on their small computers, they will no doubt be using the float to generate the required investment to complete that process.

New Silicon Needs Lots Of Cash

An RP1 chip on a Raspberry Pi 5.
The most important product Raspberry Pi have ever made.

When a tech startup with immense goodwill grows in this way, there’s always a worry that it could mark the start of the decline. You might for instance be concerned that a floated Raspberry Pi could bring in financial whiz-kids who let the hobbyist products wither on the vine as they license the brand here and there and perform all sorts of financial trickery in search of shareholder value and not much else. Fortunately we don’t think that this will be the case, and Eben Upton has gone to great lengths to reassure the world that his diminutive computers are safe. That is however not to say that there might be pitfalls ahead from a hobbyist Pi customer perspective, so it’s worth examining what this could mean.

As we remarked last year, the move into silicon is probably the most important part of the Pi strategy for the 2020s. The RP2040 microcontroller was the right chip with the right inventory to do well from the pandemic shortages, and on the SBCs the RP1 all-in-one peripheral gives them independence from a CPU house such as Broadcom. It’s not a difficult prediction that they will proceed further into silicon, and it wouldn’t surprise us to see a future RP chip containing a fully-fledged SoC and GPU. Compared to their many competitors who rely on phone and tablet SoCs, this would give the Pi boards a crucial edge in terms of supply chain, and control over the software.


This Week In Security: Glibc, Ivanti, Jenkins, And Runc

There’s a fun buffer overflow problem in the Glibc __vsyslog_internal() function. This one’s a real rollercoaster, because logging vulnerabilities are always scary, but at a first look, it seems nearly impossible to exploit. The vulnerability relies on a very long program name, which can overflow an internal buffer. No binaries are going to have a name longer than 1024 bytes, so there’s no problem, right?

Let’s talk about argv. That’s the list of arguments that gets passed into the main() function of every Linux binary when it launches. The first string in that list is the binary name — except that’s a convention, and not particularly enforced anywhere. What really happens is that the execve() system call sets that list of strings. The first argument can be anything, making this an attacker-controlled value. And it doesn’t matter what the program is trying to write to the log, because the vulnerability triggers simply by writing the process name to a buffer.

There is a one-liner to test for a vulnerable Glibc:

exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null

and the Qualys write-up indicates that it can be used for an escalation-of-privilege attack. The good news is that this seems to be a local-only attack. On top of that, a pair of other, lesser-severity issues were found and fixed in glibc while fixing this one.

This Time It’s Toyota: Takata Airbag Recalls Continue

The automotive industry is subject to frequent product recalls, as manufacturers correct defects in their vehicles that reveal themselves only after some use. While such events may be embarrassing for a marque, it’s not necessarily a bad thing — after all, we would rather put our trust in a carmaker prepared to own up and fix things rather than sweep their woes under the carpet.

There’s one recall that’s been going on for years which isn’t the vehicle manufacturer’s fault though, and now it seems Toyota are the latest to be hit, with some vehicles as old as two decades being part of it. Long-time Hackaday readers will probably recognize where this is going, as we’ve covered it before; at its centre are faulty airbag charges from Takata, and the result has been one of the largest safety-related recalls in automotive history.

An automotive airbag is a fabric structure inflated at high speed by a small explosive charge, triggered by the sharp deceleration of a collision. It is intended to cushion any impact the occupant might make upon the car’s interior. The problem with the faulty Takata units is that moisture ingress could alter the properties of the charge, and this, along with corrosion, could increase its power and produce a hail of metal fragments on detonation.

Our colleague [Lewin Day] has penned a series of informative and insightful investigations of the technology behind the Takata scandal, going back quite a few years. With such relatively ancient vehicles now being recalled, we can’t help wondering whether it would be easier for Toyota to run a buyback scheme and take the cars off the road rather than fix them in this case. But we’re curious, as non-automotive-safety engineers, why the automotive airbag has evolved in this manner. Why is one of the very few consumer explosive devices not better regulated, why is it sold with an unlimited lifetime, and why are airbags not standardized for routine replacement on a regular schedule, just like any other vehicle consumable?

2003-2004 Toyota Corolla: IFCAR, Public domain.

Roman Dodecahedrons: A Mystifying Archaeological Find

Much about archaeology can be described as trying to figure out the context in which objects and constructions should be interpreted. A good example of this is the metal dodecahedrons (twelve-sided shapes) which have been found during archaeological excavations at former Roman sites. Since 1739 over 115 of them have been recorded, most recently a fully intact copper specimen found near the Lincolnshire village of Norton Disney during the summer of 2023 by a local group of archaeologists.

Two ancient Roman bronze dodecahedrons and an icosahedron (3rd c. AD) in the Rheinisches Landesmuseum in Bonn, Germany. (Credit: Kleon3, Wikimedia)

As the Norton Disney History and Archaeology Group notes on their page, this is the 33rd example of one of these items found in what was once Roman Britain, lending credence to the idea that such dodecahedrons originated within the Gallo-Roman culture.

As for the objects themselves, the ones found so far have been dated to between the 2nd and 4th century CE. All are made of some kind of metal alloy (e.g. bronze), and while most are dodecahedrons, some take a different form (e.g. an icosahedron with 20 faces); all are hollow, usually with a single large hole in each face. The dodecahedron found at Norton Disney was analyzed and found to consist of 75% copper, 7% tin and 18% lead, with a width of 8.6 cm and a weight of 254 grams.


This Week In Security: MOAB, Microsoft, And Printers

This week, news has broken of the Mother of All Breaches, MOAB. It’s 12 terabytes and 26 billion records, averaging about 500 bytes each. Now note that a record here is likely not a discrete email address, but simply a piece of data — a row on the database.

Now before we all lose our minds over this, there’s an important detail to take note of: These aren’t new leaks. This is a compilation of leaks, and as far as researchers have checked, there aren’t any new leaks disclosed here. This was someone’s database of accumulated leak data, accidentally re-leaked via an unsecured database. [Troy Hunt] goes so far as to speculate that it could be from a breach search service, which sounds pretty plausible.

There was yet another release of credentials late last week that hasn’t attracted as much attention, but seems to represent a much bigger issue. The Naz.api data set isn’t a breach where a company was hacked and its entire user database stolen. Instead, this one is a combination of a credential stuffing list and stealer logs.

Credential stuffing is basically a smarter brute-force attack, where the credentials from one breach are tried on multiple other sites. Such a list is just the results where those guesses were successful. The really interesting bit is that this dataset seems to include stealer logs. Put simply, those are the results of malware that scrapes victim machines for credentials.

Naz.api has over 70 million unique email addresses, and it looks like about a third of them are new, at least according to the Haveibeenpwned dataset. Now that’s significant, though not really worthy of the MOAB title, either.

San Francisco Sues To Keep Autonomous Cars Out Of The City

Although the arrival of self-driving cars and taxis in particular seems to be eternally ‘just around the corner’ for most of us, in an increasing number of places around the world they’re already operational, with Waymo being quite prevalent in the US. Yet despite approval by the relevant authorities, the city of San Francisco has opted to sue the state commission that approved Google’s Waymo and GM’s Cruise. Their goal? To banish these services from the streets of SF, ideally forever.

Whether they will succeed in this seems highly doubtful. Although Cruise has lost its license to operate in California after a recent fatal accident, Waymo’s track record is actually quite good. Using public information sources, there’s a case to be made that Waymo cars are significantly safer to be in or around than those driven by human operators. When contrasted with Cruise’s troubled performance, it would seem that the problem with self-driving cars isn’t so much the technology as it is the safety culture of the company around it.

Yet despite Waymo’s better-than-human safety record, it is regarded as a ‘nuisance’, leading some to sabotage the cars. The more reasonable take would seem to be that although the technology is not mature yet, it has the overwhelming advantage over human drivers that it never drives distracted or intoxicated, and can be deterministically improved and tweaked across all cars based on accumulated experience.

These considerations have been taken into account by the state commission that approved Waymo to operate in SF, which is why legal experts note that the SF case’s chances are very slim based on the available evidence.

So Long And Thanks For All The Flights: Ingenuity Permanently Grounded After 72 Flights

Just a few hours ago, NASA dropped some devastating news: Ingenuity will fly no more. Three years after dropping from the belly of the Perseverance rover and after 72 flights through the thin Martian atmosphere, the little helicopter that could now can’t, after having sustained damage to one or more of its rotors during its final landing.

Shadow of Ingenuity’s rotor blade, showing damage suffered during a rough landing.

NASA’s terminal diagnosis of Ingenuity comes from a photo from one of the helicopter’s cameras, which shows a chunk missing from the tip of one of its rotors, likely caused by a rough landing after transiting a flat, sandy area that may have confused the aircraft’s navigational cameras.

While this is anything but good news, it’s not at all unexpected and in a way long overdue. Ingenuity was designed for a primary mission of just five flights, which it accomplished all the way back in May of 2021. There was heavy speculation at the time that Ingenuity might not even do that; we can recall one of the team members suggesting the odds were that Ingenuity’s tenure as the first controlled powered flying machine on another world would end as twisted wreckage in the newest, smallest crater on Mars.

But happily, Ingenuity proved the oddsmakers — and possibly those wishing to temper expectations — spectacularly wrong. In fact, by the fourth flight, it was clear that Ingenuity was in it for the long haul, enough so that NASA redefined its mission to “operational demonstration” and gave it another 30 sols of flight time. This gave the team the flight time needed to prove the helicopter’s worth as a scout for Perseverance and not just a distracting sideshow from the primary mission of searching for signs of ancient life on Mars.
