If you ever had the occasion to visit Bell Labs at Murray Hill, New Jersey, or any of the nearby satellite sites, but you didn’t work there, you were probably envious. For one thing, some of the most brilliant people in the world worked there. Plus, there is the weight of history — Bell Labs had a hand in ten Nobel prizes, five Turing awards, 22 IEEE Medals of Honor, and over 20,000 patents, including several that have literally changed the world. They developed, among other things, the transistor, Unix, and a host of other high-tech inventions. Of course, Bell Labs hasn’t been Bell for a while — Nokia now owns it. And Nokia has plans to move the headquarters lab from its historic Murray Hill campus to nearby New Brunswick. (That’s New Jersey, not Canada.)
If your friends aren’t impressed by Nobels, it is worth mentioning the lab has also won five Emmy awards, a Grammy, and an Academy award. Not bad for a bunch of engineers and scientists. Nokia bought Alcatel-Lucent, who had wound up with Bell Labs after the phone company was split up and AT&T spun off Lucent.
After initially sending a cease and desist order to [Andre Basche] – the developer of a Haier hOn plugin for Home Assistant – Haier Europe’s head of Brand and IoT has now penned a much more amicable response, seeking to enter into dialogue in search of a solution for both parties.
This latest development is detailed both in the ongoing GitHub issue, as well as the Takedown FAQ and Timeline document that [Andre] created to keep track of everything that’s going on since we last checked in on the situation. As things stand, there is hope that Haier Europe may relent, especially as the company’s US division has shown no inclinations to join in on the original C&D.
In the confusion following the initial C&D announcement demanding the take-down of [Andre]’s hOn-related repositories, it was not clear to many which Haier was involved. As it turns out, Haier Europe, as a separate legal entity, apparently decided to go on this course alone, with Haier US distancing themselves from the issue. In that same Reddit thread it’s noted that GE Appliances (part of Haier US) has had a local API available for years. This makes Haier Europe the odd one out, even as they’re attempting some damage control now.
Amidst this whirlwind of developments, we hope that Haier Europe can indeed reach an amicable solution with the community, whether it’s continued API usage, or the development of a local API.
There’s a GitLab vulnerability that you should probably pay attention to. Tracked as CVE-2023-7028, this issue allows an attacker to specify a secondary email during the password reset request. Only one email has to match the one on record, but the password reset link gets sent to both emails. Yikes!
What makes this worse is there is already a Proof of Concept (PoC) released, and it’s a trivial flaw. In the HTTP(S) POST request containing the password reset request, just include two email addresses. Thankfully, a fix is already out. Versions 16.7.2, 16.6.4, and 16.5.6 contain this patch, as well as fixes for a flaw that allowed sneaking unauthorized changes into a previously approved merge request, and an issue with Slack and Mattermost where slash commands could be spoofed.
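As an added illustration (not GitLab’s code), here is the recipient-selection logic the report describes next to a hardened version and a simple log-side check. The form field name `user[email][]` and the account store are constructed assumptions, not values from the advisory:

```python
from urllib.parse import parse_qs

# Constructed sample account store (user id -> record); not a real system.
ACCOUNTS = {"alice": {"email": "alice@example.com"}}

# Assumed form field name; the real parameter name is not given on the page.
EMAIL_FIELD = "user[email][]"


def parse_reset_body(body: str) -> list[str]:
    """Parse a form-encoded reset request. Repeated keys become a list,
    which is exactly how a second address can ride along in one request."""
    return parse_qs(body).get(EMAIL_FIELD, [])


def flawed_recipients(submitted: list[str]) -> list[str]:
    """Mirrors the reported behaviour: if any submitted address matches an
    account, the reset link is sent to every submitted address."""
    known = {rec["email"] for rec in ACCOUNTS.values()}
    if any(addr in known for addr in submitted):
        return list(submitted)
    return []


def hardened_recipients(submitted: list[str]) -> tuple[str, list[str]]:
    """Accept exactly one address and only ever mail the address on record.
    Returns (status, recipients)."""
    if len(submitted) != 1:
        return ("rejected", [])            # multi-valued field: refuse outright
    addr = submitted[0].strip().lower()
    for rec in ACCOUNTS.values():
        if rec["email"].lower() == addr:
            return ("ok", [rec["email"]])  # stored value, not the request string
    return ("unknown", [])                 # client-visible response stays identical


def is_suspicious_reset(body: str) -> bool:
    """Detection hook for request logs: more than one address is never legitimate."""
    return len(parse_reset_body(body)) > 1
```

The detection hook is the cheap interim check for anyone who cannot patch immediately: any reset request whose email field parses to more than one value deserves an alert.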
Appliance manufacturer Haier has been integrating IoT features into their newer products, and as is so common these days, users are expected to install their “hOn” mobile application to access them. Not satisfied with that limitation, [Andre Basche] reverse engineered the protocol used by the app, and released a Python library and associated Home Assistant plugin to interface with a wide array of Haier appliances, which includes brands like Hoover, Candy, GE Appliances and others.
Unfortunately, it looks like his efforts have gotten him into a bit of legal hot water. In an issue recently opened on the project’s GitHub page, [Andre] explains the circumstances and legal options that have led him to consider pulling the repositories completely — mostly due to the cost of mounting a legal defense to the cease & desist from Haier Europe.
What’s ironic here is that Haier has been part of the Connectivity Standard Alliance (CSA) since 2022, whose goal is to ‘promote universal open IoT standards’, including Matter.
It’s possible that a legal defense will be mounted against this C&D from Haier within the coming days. Yet regardless of the outcome here, it remains problematic that these IoT-enabled Haier appliances are connected to the Haier servers. Ideally they would be controlled locally, which is the goal of projects like [Miguel Ángel López Vicente]’s ESP Haier, which uses an ESP8266 to connect Haier AC units to the local WiFi and, for example, Home Assistant instances, all without requiring internet access.
Within a few hours of this post going live, Astrobotic’s Peregrine spacecraft is expected to burn up in the Earth’s atmosphere — a disappointing end to a mission that was supposed to put the first US lander on the Moon since the Apollo program ended in 1972.
In their twentieth mission update since Peregrine was carried into space on the inaugural flight of the United Launch Alliance Vulcan Centaur rocket, Astrobotic explains that the craft has been put on a trajectory designed to ensure it breaks up over a remote area of the South Pacific.
Predicted re-entry point for the Peregrine lander.
It was previously hoped the lander, which suffered a severe system malfunction just hours after liftoff, could have at least made a close pass of the Moon in lieu of touching down. But mission controllers felt the more responsible approach was to have Peregrine make a controlled re-entry while they still had the ability to maneuver it. The alternative, allowing the craft to remain in an uncontrolled orbit between the Earth and Moon, could potentially have caused problems for future Artemis missions.
Over the last ten days, ground controllers at Astrobotic have been working to piece together what happened to the doomed lander, while at the same time demonstrating a remarkable level of transparency by keeping the public informed along the way. It’s now believed that the stream of gas being expelled from a rupture in one of the craft’s propellant tanks was acting as a sort of impromptu thruster. This not only made the craft difficult to keep oriented, but also wasted the propellants that were necessary to perform a soft landing on the lunar surface.
Although the craft was eventually brought under control, the damage to the mission had already been done. While this obviously isn’t the ending that Astrobotic was hoping for, we have no doubt that the company collected valuable data during the craft’s flight through space, which took it approximately 390,000 kilometers (242,000 miles) from Earth.
As for us space nerds, we won’t have to wait long before another lunar lander makes its attempt. Japan’s Smart Lander for Investigating Moon (SLIM) should be touching down at around 10 AM Eastern on Friday (YouTube Live Stream), and the Nova-C lander from Intuitive Machines is scheduled to be launched aboard a Falcon 9 rocket sometime next month.
A newly introduced battery called the BV100 by Chinese Betavolt Technology promises to provide half a century of power, at 100 μW in a 15x15x5 mm package. Inside the package are multiple 2 micron-thick layers of nickel-63 isotope placed between 10 micron-thick diamond semiconductor layers, with each diamond layer using the principle of betavoltaics to induce an electrical current in a similar fashion to a solar panel using light. Ni-63 is a β emitter with a half-life of 100 years, which decays into copper-63 (Cu-63), one of the two stable forms of copper.
From the battery’s product page we can glean a bit more information, such as that the minimum size of the betavoltaic battery is 3x3x0.03 mm with one layer of Ni-63 and two semiconductor layers, allowing for any number of layers to be stacked to increase the power output within a given package. Also noted is that the energy conversion rate of the β energetic event is about 8.8%, which could conceivably be improved in the future.
Although this battery may seem new, it’s actually based on a number of years of research in diamond semiconductors in betavoltaics, with V. S. Bormashov and colleagues in 2018 reporting on a similar diamond semiconductor with Ni-63 isotope layer battery. They noted a battery specific energy of 3300 mWh/g. Related research by Benjian Liu and colleagues in 2018 showed an alphavoltaic battery, also using diamond semiconductor, which shows another possible avenue of development, since alpha particles are significantly more energetic.
Whether we’ll see Betavolt’s BV100 or similar products appear in commercial products is still uncertain, but they plan to have a 1 Watt version ready by 2025, which when packaged into the size of an average Li-ion battery pack could mean a mobile power source that will power more than a pacemaker, and cost less than the nuclear batteries powering the two Voyager spacecraft and all active Mars rovers today.
So first off, go take a look at this curl bug report. It’s an 8.6 severity security problem, a buffer overflow in websockets. Potentially a really bad one. But, it’s bogus. Yes, a strcpy call can be dangerous, if there aren’t proper length checks. This code has pretty robust length checks. There just doesn’t seem to be a vulnerability here.
OK, so let’s jump to the punch line. This is a bug report that was generated with one of the Large Language Models (LLMs) like Google Bard or ChatGPT. And it shouldn’t be a surprise. There are some big bug bounties that are paid out, so naturally people are trying to leverage AI to score those bounties. But as [Daniel Stenberg] points out, LLMs are not actually AI, and the I in LLM stands for intelligence.
There have always been vulnerability reports of dubious quality, sent by people who either don’t understand how vulnerability research works, or are willing to waste maintainer time by sending in raw vulnerability scanner output without putting in any real effort. What LLMs do is provide an illusion of competence that takes longer for a maintainer to wade through before realizing that the claim is bogus. [Daniel] is more charitable than I might be, suggesting that LLMs may help with communicating real issues through language barriers. But still, this suggests that the long term solution may be “simply” detecting LLM-generated reports, and marking them as spam.