The name of this newly discovered vulnerability is BLUFFS (Bluetooth Forward and Future Secrecy), where forward and future secrecy are important terms that refer to the protection of secure sessions against compromise in the past (forward, FoS) and future (FuS). The CVE presentation notes that the Bluetooth specification does not cover either FuS or FoS. In total two new architectural vulnerabilities were discovered, both of which attack the security key.
The Bluetooth SIG has released a statement regarding this attack method. Although serious, it would seem that the core issue is that some implementations allow for encryption key lengths below 7 octets:
The problem is a library that can be convinced to call phpinfo() and include the results in the page response. That function reveals a lot of information about the system Owncloud is running on, including environment variables. In something like a Docker deployment, those environment variables may contain system secrets like admin username and password among others.
Now, there is a bit of a wrinkle here. There is a public exploit, and according to research done by Greynoise Labs, that exploit does not actually work against default installs. This seems to describe the active exploitation attempts, but the researcher that originally found the issue has stated that there is a non-public exploit that does work on default installs. Stay tuned for this other shoe to drop, and update your Owncloud installs if you have them. Continue reading “This Week In Security: Owncloud, NXP, 0-Days, And Fingerprints”→
Just three years after the iconic magazine abandoned its print version and went all-digital, Popular Science is now halting its subscription service entirely. The brand itself will live on — their site will still run tech stories and news articles, and they have two podcasts that will keep getting new episodes — but no more quarterly releases. While you can’t complain too much about a 151 year run, it’s still sad to see what was once such an influential publication slowly become just another cog in the content mill.
Started as a monthly magazine all the way back in 1872, Popular Science offered a hopeful vision of what was over the horizon. It didn’t present a fanciful version of what the next 100 years would look like, but rather, tried to read the tea leaves of cutting edge technology to offer a glimpse of what the next decade or so might hold. Flip through a few issues from the 1950s and 60s, and you won’t see pulpy stories about humanity conquering the stars or building a time machine. Instead the editors got readers ready for a day when they’d drive cars with warbird-derived turbochargers, and enjoy more powerful tools once transistor technology allowed for widespread use of small brushless motors. It wasn’t just armchair engineering either, issues would often include articles written by the engineers and researchers that were on the front lines. Continue reading “End Of An Era: Popular Science Shutters Magazine”→
It sounds like a headline from the future: the weekend before Thanksgiving, a bulldozer came for the first example of a printed home that was supposed to help the housing crisis in the city of Muscatine. Fortunately, it hadn’t been completed and sold yet.
Printing of this first house began in May 2023, and nine more were to be completed by the end of the year. Unfortunately, when tested for compressive strength, the cement mixture this first home was printed out of failed to meet the 5,000 PSI minimum required for the project. Rather than compromise on safety, the parties involved decided to knock it down and start over.
The goal now is to find out why the mixture, which met the strength requirements in laboratory testing, didn’t behave the same on-site. Currently, the plan is to start building the originally-planned second house in the spring, and begin construction on this first site after that.
The project is a collaborative effort between the Community Federation of Greater Muscatine (CFGM), Muscatine Community College, and Alquist 3D. Want to know more about the state of 3D printing when it comes to housing? Check out our handy guide.
Editors Note: The initial post initially indicated that the failed cement mixture contained hemp, but that has since found to be incorrect and the post has been edited accordingly.
In hindsight, it seems obvious to this American: attach strings to the tops of bowling pins so they can be yanked upward into holes that settle down the action so that the pins can be reset. In fact, European bowling “houses” have used string pinsetters for decades, instead of lumbering machinery that needs regular maintenance and costs several thousand dollars a month to maintain.
Although wireless standards like 3G, 4G, and 5G are mostly associated with mobile internet, they also include a phone (voice) component. Up till 4G this was done using traditional circuit-switched telephony service, but with this fourth generation the entire standard instead moved to a packet-switched version akin to Voice-over-IP, called VoLTE (voice-over-LTE). Even so, a particular phone can choose to use a 4G modem, yet still use 3G-style phone connections. Until the 3G network is shutdown, that is. This is the crux of [Hugh Jeffreys]’s latest video.
In order to make a VoLTE phone call, your phone, your provider, the receiving phone and the intermediate network providers must all support the protocol. Even some newer phones like the Samsung Galaxy J3 (2016) do not support this. For other phones you have to turn the feature on yourself, if it is available. As [Hugh] points out in the video, there’s no easy way to know whether an Android phone supports it, which is likely to lead to chaos as more and more 3G networks in Australia and elsewhere are turned off, especially in regions where people use phones for longer than a few years.
The cessation of such basic functionality is why in most countries 2G networks remain active, as they are being used by emergency services and others for whom service interruptions can literally cost lives, as well as countless feature phones and Internet of Things devices. For some phones without VoLTE, falling back to 2G might therefore still be an option if they support this. With the spotty support, lack of transparency and random shutdowns, things may however get rather frustrating for some the coming years.
The process of creating new battery chemistries that work better than existing types is a slow and arduous one. Not only does it know more failures than successes, it’s rare that a once successful type gets completely phased out, which is why today we’re using lead-acid, NiMH, alkaline, lithium, zinc-air, lithium-ion and a host of other battery types alongside each other. For one of the up-and-coming types in the form of sodium (Na)-based batteries the same struggles are true as it attempts to hit the right balance between anode, cathode and electrolyte properties. A pragmatic solution here involves Prussian Blue for the cathode and hard carbon for the anode, as is the case with Swedish Northvolt’s newly announced sodium-ion battery (SIB) which is sampling next year.
Commercialization of different SIB battery chemistries by various companies. (Credit: Yadav et al., 2022)
The story of SIBs goes back well over a decade, with a recent review article by Poonam Yadav and colleagues in Oxford Open Materials Science providing a good overview of the many types of anodes, cathodes and electrolytes which have been attempted and the results. One of the issues that prevents an SIB from directly using the carbon-based anodes employed with today’s lithium-ion batteries (LIB) is its much larger ionic radius that prevents intercalation without altering the carbon material to accept Na+ ions.
This is essentially where the hard carbon (HC) anode used by a number of SIB-producing companies comes into play, which has a far looser structure that does accept these ions and thus can be used with SIBs. The remaining challenges lie then with the electrolyte – which is where an organic form is the most successful – and the material for the sodium-containing cathode.
Although oxide forms and even sodium vanadium fluorophosphate (NVPF) are also being used, Prussian Blue analogs (PBAs) are attractive for being very low-cost and effective as cathode material once processed. An efficient way to process PB into fully sodiated and reduced Prussian White was demonstrated a few years ago, followed by successive studies backing up this assessment.
Although SIBs are seeing limited commercial use at this point, signs are that if it can be commercialized for the consumer market, it would have similar capacity as current LIBs, albeit with the potential to be cheaper, more durable and easier to recycle.
The name of this newly discovered vulnerability is BLUFFS (Bluetooth Forward and Future Secrecy), where forward and future secrecy are important terms that refer to the protection of secure sessions against compromise in the past (forward, FoS) and future (FuS). The CVE presentation notes that the Bluetooth specification does not cover either FuS or FoS. In total two new architectural vulnerabilities were discovered, both of which attack the security key.
