Labor Day BBQs May Feature NYPD

Planning to host a large backyard wingding in the NYC metro area this weekend? Be sure to watch the skies for uninvited guests. That’s right, the NYPD are deploying drones over “large” Labor Day events and yes, even private barbecues. The strategy was announced during a briefing about J’ouvert — that’s a yearly Caribbean festival that marks the end of slavery. It generally brings crowds of thousands and draws a strong police presence to Brooklyn.

While this particular intrusion may come as a bit of a shock, it certainly isn’t the first time the NYPD has deployed drones in the name of public safety or in response to emergencies. Data shows they have been used 124 times this year, a staggering thirty-one-fold increase over the four deployments in 2022.

As you may have guessed, this has invited backlash from privacy and civil liberties advocates. One pointed out that this action “flies in the face of the POST Act,” a city law that requires the NYPD to provide transparency about their various surveillance tactics. The advocates cite the fact that regulations have not kept up with the proliferation of technology.

No matter what happens in the future with regulations, the NYPD can always crash large parties the old fashioned way. Usually, the neighbors will complain at some point, unless they were all invited.

Photo via Unsplash.

This Week In Security: Not A Vulnerability, BGP Bug Propagation, And Press Enter To Hack

Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice something odd about those two vulnerabilities, but I promise the 2020 date is only the tip of the iceberg here.

Let’s start with PostgreSQL. That vulnerability was only present in version 12.2, which released in February of 2020, and was fixed with the 12.3 release in May of that same year. The problem is a stack buffer overflow, which doesn’t seem to enable code execution, but does cause a denial of service situation. To trigger the bug? Repeatedly send the PostgreSQL daemon the SIGHUP signal.

If you’re familiar with Unix signals, that might sound odd. SIGHUP originally signalled a terminal hang-up, i.e. the end of a user session, but most daemons repurpose it as a request to reload configuration or restart. And to send any signal to the postgres process at all, a user has to be running as the same user as the daemon or as root, which is more than enough privilege to simply stop the daemon altogether. Put simply, it’s not a security vulnerability, just a minor bug.

And now on to curl. This one is just bizarre. The issue is an integer overflow in the --retry-delay argument, which specifies in seconds how long curl should wait before retrying a failed download. The value is multiplied by 1000 to convert to milliseconds, which overflows for very large values. The result of that overflow? A smaller retry delay than the one that was asked for.

[Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?

But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned this a 9.8. There’s no way you can squint at this bug hard enough to legitimately rank it that severe. At the time of writing, the NVD lists this as “UNDERGOING REANALYSIS”.
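To make the bug class and the convoluted attack scenario concrete, here is an added example in C. It is not curl’s code and does not reproduce curl’s actual types or variable names; it models a seconds-to-milliseconds conversion into a 32-bit field, a hardened version that refuses to wrap, and a hypothetical front-end policy (`policy_allows_seconds`, an assumption for illustration) that checks the delay in seconds before the value is converted. The arithmetic in the naive version is done unsigned and truncated so the wraparound is well defined, since signed overflow in C is undefined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not curl's code. Models the CVE-2020-19909 bug class:
   a retry delay in seconds is multiplied by 1000 to get milliseconds and
   stored in a 32-bit field. Computed unsigned and truncated so that the
   wraparound is well defined (real signed overflow in C is UB). */
int32_t naive_retry_delay_ms(int32_t seconds)
{
    uint64_t ms = (uint64_t)(uint32_t)seconds * 1000u;
    return (int32_t)(uint32_t)ms;   /* silently truncated to 32 bits */
}

/* Hardened version: reject negative input and refuse to wrap. */
bool checked_retry_delay_ms(int32_t seconds, int32_t *out_ms)
{
    int32_t ms;
    if (seconds < 0)
        return false;
    if (__builtin_mul_overflow(seconds, 1000, &ms))
        return false;               /* product would exceed INT32_MAX */
    *out_ms = ms;
    return true;
}

/* Hypothetical front-end policy from the article's scenario (assumption):
   the operator enforces a minimum delay, checked in seconds, before the
   user-supplied value is handed to the download tool. */
bool policy_allows_seconds(int32_t seconds, int32_t min_seconds)
{
    return seconds >= min_seconds;
}

/* Does the delay the tool actually ends up using still honour that policy?
   min_seconds is assumed small, so min_seconds * 1000 cannot overflow. */
bool effective_delay_honours_policy(int32_t seconds, int32_t min_seconds)
{
    int32_t ms = naive_retry_delay_ms(seconds);
    return ms >= min_seconds * 1000;
}

int main(void)
{
    int32_t ok_ms = 0;
    int32_t big = 4294968;  /* 4294968 * 1000 = 4294968000, just past 2^32 */

    printf("naive: %d s -> %d ms\n", big, naive_retry_delay_ms(big));
    printf("policy (min 5 s) passes: %d, effective delay honours it: %d\n",
           policy_allows_seconds(big, 5),
           effective_delay_honours_policy(big, 5));
    printf("checked conversion accepts %d s: %d\n",
           big, checked_retry_delay_ms(big, &ok_ms));
    return 0;
}
```

With the constructed input of 4294968 seconds, the seconds-based policy passes while the wrapped value is only 704 ms, which is the whole of the theoretical bypass; the checked conversion simply rejects the value, which is the fix, and nothing about it rises to a 9.8.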

The McDonald’s Ice Cream Machine Saga And Calls For Right To Repair

The inside of a Taylor C709 ice cream machine, as seen from the back with the cover over the electronics removed. (Credit: iFixit)

Raising a likely somewhat contentious topic, iFixit and Public Knowledge have challenged the manufacturer behind McDonald’s ice cream machines to make them easy to diagnose and repair. The subject will be familiar to anyone who follows US news: the ice cream machines at McDonald’s locations fail so often that a live tracker was set up so that would-be customers can check it before finding themselves staring in dismay at an ‘Out of Order’ sign on one of these Taylor machines.

The story is more complex than just a machine being “broken”, however. The maintenance contracts are lucrative, the instruction manual is long, and the error codes are cryptic. When you add to that the complexity of cleaning and maintaining the machines, it’s tempting to just claim the machine is out of order. These Taylor machines (the C602 and the C709 from the iFixit video) are a bit more complex than your usual ice cream maker in that they also have a pasteurization element that’s supposed to keep already poured mix safe to use the next day.


Polish Railways Fall Victim To Cheap Radio Attack

Poland’s railways have recently come under a form of electronic attack, as reported by Wired. The attack has widely been called a “cyber-attack” in the mainstream media, but the incident was altogether a more simple affair pursued via good old analog radio.

The attacks were simple in nature. As outlined in an EU technical document, Poland’s railways use a RADIOSTOP system based on analog radio signals at around 150 MHz. Transmitting a basic tone sequence causes any suitably equipped train that receives it to engage emergency braking; there is no authentication of the sender. It’s implemented as part of the PKP radio system on the Polish railway network.

$1 Graphene Sensor Identifies Safe Water

If you live in a place where you can buy Arduinos and Raspberry Pis locally, you probably don’t spend much time worrying about your water supply. But in some parts of the world it is nothing to take for granted: bad water accounts for as many as 500,000 deaths worldwide every year. Scientists have reported a graphene sensor that they say costs a buck and can detect dangerous bacteria and heavy metals in drinking water.

The sensor uses a GFET, a graphene-based field effect transistor, to detect lead, mercury, and E. coli bacteria. Interestingly, the FET’s transfer characteristic changes depending on what it is exposed to. We were, frankly, a bit surprised that this is repeatable enough to give you useful data. But apparently it is, especially when you use a neural network to interpret the results.

What’s more, there is the possibility the device could find other contaminants like pesticides. While the materials in the sensor might have cost a dollar, it sounds like you’d need a big equipment budget to reproduce these. There are silicon wafers, spin coating, oxygen plasma, and lithography. Not something you’ll whip up in the garage this weekend.

Still, it is interesting to see a FET used this way and a cheap way to monitor water quality would be welcome. Using machine learning with water sensors isn’t a new idea. Of course, the sensor is one part of the equation. Monitoring is the other.

Blame It On The Sockets: Forensic Analysis Of The Arecibo Collapse

Nearly three years after the rapid unplanned disassembly of the Arecibo radio telescope, we finally have a culprit in the collapse: bad sockets.

In case you somehow missed it, back in 2020 we started getting ominous reports that the cables supporting the 900-ton instrument platform above the 300-meter primary reflector of what was at the time the world’s largest radio telescope were slowly coming undone. From the first sign of problems in August, when the first broken cable smashed a hole in the reflector, to the failure of a second cable in November, it surely seemed like Arecibo’s days were numbered, and that it would fall victim to all the other bad luck we seemed to be rapidly accruing in that fateful year. The inevitable finally happened on December 1, when over-stressed cables on support tower four finally gave way, sending the platform on a graceful swing into the side of the natural depression that cradled the reflector, damaging the telescope beyond all hope of repair.

The long run-up to the telescope’s final act had a silver lining in that it provided engineers and scientists with a chance to carefully observe the failure in real time. So there was no real mystery as to what happened, at least from a big-picture perspective. But one always wants to know the fine-scale details of such failures, a task which fell to forensic investigation firm Thornton Tomasetti. They enlisted the help of the Columbia University Strength of Materials lab, which sent pieces of the failed cable to the Oak Ridge National Laboratory’s High Flux Isotope Reactor for neutron imaging, which is like an X-ray study but uses streams of neutrons that interact with the material’s nuclei rather than their electrons.

The full report (PDF) reveals five proximate causes for the collapse, chief of which is “[T]he manual and inconsistent splay of the wires during cable socketing,” which we take to mean that the individual strands of the cables were not spread out correctly before the molten zinc “spelter socket” was molded around them. The resulting shear stress caused the zinc to slowly flow around the cable strands, letting them slip out of the surrounding steel socket and — well, you can watch the rest below for yourself.

As is usually the case with such failures, there are multiple causes, all of which are covered in the 300+ page report. But being able to pin the bulk of the failure on a single, easily understood — and easily addressed — defect is comforting, in a way. It’s cold comfort to astronomers and Arecibo staff, perhaps, but at least it’s a lesson that might prevent future failures of cable-supported structures.



The Healing Touch Of Magnetic Tentacles In Photothermal Lung Cancer Therapy

Of the body’s organs, the lungs are among the trickiest to biopsy and to treat for cancer, both because of how vital they are and because of their inaccessibility. The total respiratory surface within the average human lungs is about 50 to 75 square meters. Maneuvering any kind of instrument down the endless passages to reach a suspicious area or a cancerous region is nearly impossible, which has so far left much of the lungs inaccessible.

The standard of care for lung cancer is generally surgical: remove part of the lung tissue. However, a proposed new method using magnetic tentacles may soon provide a gentler approach, as described in Communications Engineering (a Nature Portfolio journal) by Giovanni Pittiglio and colleagues (press release).

The tentacles are made of a silicone substrate with embedded magnets that allow them to be steered using external magnetic sources. With an embedded laser fiber, the head of the tentacle can be guided to the target area and the cancerous tissue ablated using an external laser source. In experiments on cadavers, the researchers found that they could reach 37% deeper into the lungs than with standard equipment, and with less tissue displacement.

Considering the high fatality rate of lung cancers, the researchers hope that this approach could soon be turned into a viable therapy, as well as for other medical conditions where a gentle tentacle slithering into the patient’s body could effect treatments previously considered to be impossible.

Heading image: Close-up of a magnetic tentacle robot next to a phantom bronchiole (Credit: University of Leeds)