Will RadioShack Return?

We suspect that if you want to write a blockbuster movie or novel, the wrong approach is to go to a studio or publisher and say, “I have this totally new idea that is like nothing you’ve ever seen before…” Even Star Trek was pitched to the network as “Wagon Train to the stars.” People with big money tend to want to bet on things that have succeeded before, which is why so many movies are either remakes or Star Trek XXII: The Search for 4 PM Dinner Specials. Maybe that’s what the El Salvador-based Unicomer Group had in mind when they bought one of our favorite brands, RadioShack. They are reportedly planning a major comeback for the beleaguered brand both online and in the physical world.

In all fairness, the Shack may be better in our memories than in our realities. It was handy to stop off and pick up a coax connector, even if it cost three times the going rate for one. There was a time when RadioShack offered reasonable parts for projects, and it seems like near the end, they tried to hit that target again, but for many years, you could not find the typical parts for a modern project there anyway. However, Unicomer isn’t just a random group of investors.


This Week In Security: LastPass Shoe Drops, Keys Lost, And Train Whistles Attack

There has been a rash of cryptocurrency thefts targeting some unexpected victims. Over $35 million has been drained from just over 150 individuals, and the list reads like a who’s-who of the people least likely to fall for the usual crypto scams. One pattern has been noticed: almost all of them had a seed phrase stored in LastPass this past November, when the entire LastPass vault database was breached.

The security of the LastPass design rests on two things. Against online guessing, it relies on the LastPass web service rate-limiting authentication attempts. Against offline attacks on a stolen vault, it relies on the master password being strong and on the PBKDF2 iteration count being high enough to make every guess expensive. Accounts created before the security improvements of 2018 may have master passwords shorter than 12 characters, and the iteration count on those accounts may never have been raised from distressingly low values. Since the attackers have had unrestricted access to the stolen database, rate limiting is irrelevant: they have been able to run offline attacks against the accounts with the lowest iteration counts, and apparently that approach has been successful.
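To make the iteration-count point concrete, here is an added example (not code from the article or from LastPass) that emulates the general shape of a LastPass-style vault key derivation: PBKDF2-HMAC-SHA256 over the master password, salted with the account email. The email, the weak password, the wordlist and the keyed-hash "verifier" standing in for a correctly decrypting vault are all constructed for the example; the real attacker holds an encrypted vault blob instead, but the cost per guess is the same.

```python
import hashlib
import hmac
import time

# Constructed stand-in for "the vault decrypts correctly": a keyed hash of a
# fixed label under the derived key. The real artefact is the encrypted vault.
VERIFIER_LABEL = b"vault-check"


def derive_vault_key(master_password: str, email: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 keyed by the master password and salted with the
    account email: the general shape of LastPass's client-side derivation.
    Simplified stand-in written for this example, not LastPass's code."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=32
    )


def make_verifier(vault_key: bytes) -> bytes:
    return hmac.new(vault_key, VERIFIER_LABEL, "sha256").digest()


def offline_crack(verifier: bytes, email: str, iterations: int, candidates):
    """Attacker side. Every guess costs one full PBKDF2 derivation, and with a
    stolen database there is no server to rate-limit it. Returns the matching
    password, or None if the wordlist is exhausted."""
    for guess in candidates:
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(make_verifier(key), verifier):
            return guess
    return None


def seconds_per_guess(email: str, iterations: int, samples: int = 3) -> float:
    """Measure what one guess costs on this machine at a given iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"timing-probe-{i}", email, iterations)
    return (time.perf_counter() - start) / samples


def relative_cost(low_iterations: int, high_iterations: int) -> int:
    """PBKDF2 work is linear in the iteration count, so this is the factor by
    which the attacker's per-guess cost rises between two settings."""
    return high_iterations // low_iterations


if __name__ == "__main__":
    email = "user@example.com"     # constructed
    weak_password = "Summer2017"   # constructed: shorter than 12 characters
    wordlist = ["password", "letmein", "Summer2016", "Summer2017", "Summer2018"]  # constructed

    for iterations in (1, 5000, 600_000):
        stolen = make_verifier(derive_vault_key(weak_password, email, iterations))
        t0 = time.perf_counter()
        found = offline_crack(stolen, email, iterations, wordlist)
        print(f"{iterations:>7} iterations: recovered {found!r} "
              f"in {time.perf_counter() - t0:.3f}s "
              f"({seconds_per_guess(email, iterations):.6f}s per guess)")
    print("cost factor, 600000 vs 1 iteration:", relative_cost(1, 600_000))
```

Run as a script, it recovers the weak password at every iteration count; what changes is only the time per guess, which scales linearly with the iteration count. That is the whole story of the low-iteration accounts: a short password that is hopeless to brute-force online becomes a matter of hours offline when each guess costs one or a few hundred hash iterations instead of several hundred thousand.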

Microsoft’s Signing Key

You may remember a story from a couple of months ago, where Microsoft found the Chinese threat group Storm-0558 forging authentication tokens using a stolen signing key. The big open question at that point was how exactly an outside group managed to get hold of such a key.

This week we finally get the answer. A crash dump from 2021 unintentionally included the key, and Microsoft’s automated redaction system didn’t catch it. That crash dump was moved from the isolated production network into the corporate debugging environment, and an engineer’s corporate account with access to it was later compromised by Storm-0558. The key belonged to the consumer (Microsoft account) signing system and should never have been accepted for enterprise accounts, but a bug in Microsoft’s token validation meant that a token signed with the consumer key was honored for enterprise (Azure AD) accounts as well. Those issues have been fixed, but only after quite a wild ride.
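The validation bug is worth seeing in code, because a signature that checks out is not the same as a key that is authorized to sign for a given issuer. The following is an added example, not Microsoft's code: it builds JWT-shaped tokens with HMAC-SHA256 (a stand-in for the RSA keys a real identity provider publishes per issuer, chosen so the example runs on the standard library alone) over a constructed key ring where each key is tagged with the one issuer it may sign for. The vulnerable verifier accepts any key in the ring with a valid signature; the fixed verifier also requires the key to be the one authorized for the expected issuer. The issuer URLs, key IDs and secrets are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed key ring: each key may sign for exactly one issuer.
KEYRING = {
    "consumer-key-2016": {
        "secret": b"consumer-secret-constructed",
        "issuer": "https://login.live.com",
    },
    "enterprise-key-2023": {
        "secret": b"enterprise-secret-constructed",
        "issuer": "https://login.microsoftonline.com/contoso",
    },
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Mint a header.payload.signature token under the named key."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEYRING[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"


def _check_signature(token: str):
    """Shared step for both verifiers: find the key by kid and verify the
    signature. Returns (claims, key_record) or raises ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    key = KEYRING.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_unb64(payload_b64)), key


def verify_token_vulnerable(token: str, expected_issuer: str) -> dict:
    """Checks the signature and the iss claim, but never asks whether the key
    that produced the signature is allowed to sign for that issuer. Any key in
    the ring, including the consumer one, can mint an enterprise token."""
    claims, _key = _check_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    return claims


def verify_token_fixed(token: str, expected_issuer: str) -> dict:
    """Same checks, plus: the signing key must be the one authorised for the
    issuer we expect. The attacker's consumer-signed token now fails here."""
    claims, key = _check_signature(token)
    if claims.get("iss") != expected_issuer:
        raise ValueError("wrong issuer")
    if key["issuer"] != expected_issuer:
        raise ValueError("signing key not authorised for this issuer")
    return claims


def forged_enterprise_token() -> str:
    """Attacker holding only the consumer key forges an enterprise token."""
    return sign_token(
        {"iss": "https://login.microsoftonline.com/contoso",
         "sub": "admin@contoso.example", "aud": "mail"},
        kid="consumer-key-2016",
    )


def accepts(verifier, token: str, issuer: str) -> bool:
    try:
        verifier(token, issuer)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tenant = "https://login.microsoftonline.com/contoso"
    forged = forged_enterprise_token()
    print("vulnerable verifier accepts forged token:", accepts(verify_token_vulnerable, forged, tenant))
    print("fixed verifier accepts forged token:     ", accepts(verify_token_fixed, forged, tenant))
```

The lesson generalizes beyond this incident: when a verifier trusts more than one key set, key lookup by `kid` alone is not a trust decision. The key has to be bound to the issuer, tenant or audience it is allowed to vouch for, and that binding has to be checked on every token.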

Labor Day BBQs May Feature NYPD

Planning to host a large backyard wingding in the NYC metro area this weekend? Be sure to watch the skies for uninvited guests. That’s right, the NYPD are deploying drones over “large” Labor Day events and yes, even private barbecues. The strategy was announced during a briefing about J’ouvert — that’s a yearly Caribbean festival that marks the end of slavery. It generally brings crowds of thousands and draws a strong police presence to Brooklyn.

While this particular invasion may come as a bit of a shock, this certainly isn’t the first time the NYPD has deployed drones in the name of public safety or in response to emergencies. Data shows they have used them 124 times this year, a staggering thirty-one-fold increase over the four deployments in 2022.

As you may have guessed, this has invited backlash from privacy and civil liberties advocates. One pointed out that this action “flies in the face of the POST Act,” a city law that requires the NYPD to provide transparency about their various surveillance tactics. The advocates cite the fact that regulations have not kept up with the proliferation of technology.

No matter what happens in the future with regulations, the NYPD can always crash large parties the old fashioned way. Usually, the neighbors will complain at some point, unless they were all invited.

Photo via Unsplash.

This Week In Security: Not A Vulnerability, BGP Bug Propagation, And Press Enter To Hack

Curl was recently notified of a CVE, CVE-2020-19909, rated at a hair-raising 9.8 on the CVSS scale. And PostgreSQL has CVE-2020-21469, clocking in with a 7.5 severity. You may notice something odd about those two vulnerabilities, but I promise the 2020 date is only the tip of the iceberg here.

Let’s start with PostgreSQL. That vulnerability was only present in version 12.2, which was released in February of 2020 and was fixed with the 12.3 release in May of that same year. The problem is a stack buffer overflow, which doesn’t appear to enable code execution but does cause a denial of service. To trigger the bug? Repeatedly send the PostgreSQL daemon the SIGHUP signal.

If you’re familiar with Linux signals, that might sound odd. See, SIGHUP originally indicated that the controlling terminal had hung up, ending the user’s session, but most daemons use it as a request to reload their configuration or restart. And to send any signal to the daemon, a user has to be either root or the same user the daemon runs as, which is privileged enough to simply stop the daemon altogether. Put simply, it’s not a security vulnerability, just a minor bug.

And now on to curl. This one is just bizarre. The issue is an integer overflow in the --retry-delay argument, which specifies in seconds how long curl should wait between retries of a failing transfer. The value is multiplied by 1000 to convert it to milliseconds, and for very large values that multiplication overflows. The result of that overflow? A retry delay smaller than the one requested.

[Daniel Stenberg] makes the point that this tale is a wonderful demonstration of the brokenness of the CVE system and NVD’s handling of it. And in this case, it’s hard not to see this as negligence. We have to work really hard to construct a theoretical scenario where this bug could actually be exploited. The best I’ve been able to come up with is an online download tool, where the user can specify part of the target name and a timeout. If that tool had a check to ensure that the timeout was large enough to avoid excess traffic, this bug could bypass that check. Should we be assigning CVEs for that sort of convoluted, theoretical attack?
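To see both the overflow and the contrived bypass scenario above in working form, here is an added example that is not curl's code (curl is C; this Python re-creation emulates a C `long` so the wraparound is visible) and not Daniel Stenberg's. The buggy conversion multiplies first and lets the result wrap; the fixed one range-checks against `LONG_MAX / 1000` before multiplying, which is the only safe order. The 64-bit width, the 60-second minimum and the requested values are assumptions chosen for the example.

```python
# Emulation of C `long` arithmetic behind the --retry-delay report.
# Signed overflow is undefined behaviour in C; two's-complement wraparound is
# what is observed on common toolchains, so that is what we model.

LONG_BITS = 64  # assumption: LP64 target; use 32 for ILP32 platforms


def to_c_long(value: int, bits: int = LONG_BITS) -> int:
    """Reduce an unbounded Python int to a two's-complement signed value."""
    value &= (1 << bits) - 1
    if value >= 1 << (bits - 1):
        value -= 1 << bits
    return value


def retry_delay_ms_buggy(seconds: int, bits: int = LONG_BITS) -> int:
    """Multiply first, then observe whatever the register holds."""
    return to_c_long(seconds * 1000, bits)


def retry_delay_ms_fixed(seconds: int, bits: int = LONG_BITS) -> int:
    """Range-check before multiplying: reject anything that cannot be
    represented in milliseconds as a C long."""
    long_max = (1 << (bits - 1)) - 1
    if seconds < 0 or seconds > long_max // 1000:
        raise ValueError("--retry-delay out of range")
    return seconds * 1000


def bypasses_minimum(seconds: int, minimum_seconds: int, bits: int = LONG_BITS) -> bool:
    """The theoretical attack: a front-end enforces a minimum delay on the
    seconds value, then hands it to the buggy conversion. Returns True when a
    value that passes the check still yields a delay below the minimum."""
    if seconds < minimum_seconds:
        return False  # the front-end check does its job on small values
    return retry_delay_ms_buggy(seconds, bits) < minimum_seconds * 1000


if __name__ == "__main__":
    huge = 18446744073709552  # assumption: just over 2**64 / 1000 on a 64-bit long
    print("requested seconds:", huge)
    print("buggy milliseconds:", retry_delay_ms_buggy(huge))       # 384
    print("bypasses a 60 s minimum:", bypasses_minimum(huge, 60))  # True
    try:
        retry_delay_ms_fixed(huge)
    except ValueError as exc:
        print("fixed conversion:", exc)
```

Note how little the attacker gains: the "attack" needs a tool that takes an untrusted retry delay, enforces a lower bound on it, and then feeds it through this exact conversion, and the payoff is a shorter wait between retries. That is the gap between a real integer overflow bug and a 9.8.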

But here’s the thing, that attack scenario should rate something like a CVSS of 4.8 at absolute worst. NVD assigned this a 9.8. There’s no way you can squint at this bug hard enough to legitimately rank it that severe. At the time of writing, the NVD lists this as “UNDERGOING REANALYSIS”.

The McDonald’s Ice Cream Machine Saga And Calls For Right To Repair

The inside of a Taylor C709 ice cream machine, as seen from the back with the cover over the electronics removed. (Credit: iFixit)

Raising a likely somewhat contentious topic, iFixit and Public Knowledge have challenged the manufacturer behind McDonald’s ice cream machines to make them easy to diagnose and repair. The subject is probably familiar to anyone who even vaguely follows US news: ice cream matters enough at McDonald’s locations that a live tracker of broken machines was set up, so that hopeful customers can check it before finding themselves staring in dismay at an ‘Out of Order’ sign on one of these Taylor ice cream machines.

The story is more complex than just a machine being “broken”, however. The maintenance contracts are lucrative, the instruction manual is long, and the error codes are cryptic. When you add to that the complexity of cleaning and maintaining the machines, it’s tempting to just claim the machine is out of order. These Taylor machines (the C602 and the C709 from the iFixit video) are a bit more complex than your usual ice cream maker in that they also have a pasteurization element that’s supposed to keep already poured mix safe to use the next day.


Polish Railways Fall Victim To Cheap Radio Attack

Poland’s railways have recently come under a form of electronic attack, as reported by Wired. The attack has widely been called a “cyber-attack” in the mainstream media, but the incident was altogether a simpler affair, carried out via good old analog radio.

The attacks were simple in nature. As outlined in an EU technical document, Poland’s railways use a RADIOSTOP system based on analog radio signals at around 150 MHz. Transmitting a basic tone sequence on that channel causes any duly equipped train receiving it to engage emergency braking. The analog signal carries no authentication, so any transmitter on the right frequency will do. It’s implemented as part of the PKP radio system on the Polish railway network.

$1 Graphene Sensor Identifies Safe Water

If you live in a place where you can buy Arduinos and Raspberry Pis locally, you probably don’t spend much time worrying about your water supply. But in some parts of the world it is nothing to take for granted: bad water accounts for as many as 500,000 deaths worldwide every year. Scientists have reported a graphene sensor that they say costs a buck and can detect dangerous bacteria and heavy metals in drinking water.

The sensor uses a GFET, a graphene-based field effect transistor, to detect lead, mercury, and E. coli bacteria. Interestingly, the FET’s transfer characteristic changes depending on what it is exposed to. We were, frankly, a bit surprised that this is repeatable enough to give you useful data. But apparently it is, especially when you use a neural network to interpret the results.

What’s more, there is the possibility the device could find other contaminants like pesticides. While the materials in the sensor might have cost a dollar, it sounds like you’d need a big equipment budget to reproduce these. There are silicon wafers, spin coating, oxygen plasma, and lithography. Not something you’ll whip up in the garage this weekend.

Still, it is interesting to see a FET used this way and a cheap way to monitor water quality would be welcome. Using machine learning with water sensors isn’t a new idea. Of course, the sensor is one part of the equation. Monitoring is the other.