This Week In Security: It’s Con Season

It must be Blackhat/DEFCON season. Up first in the storm of named vulnerabilities, we have Downfall. The PDF has the juicy details here. It’s quite similar to the Zenbleed issue from last week, in that it abuses speculative execution to leak data via a hidden register. Unlike Zenbleed, this isn’t direct access; instead, it uses cache timing analysis to extract individual bytes with a FLUSH+RELOAD approach.

The key to the vulnerability is the gather instruction, which pulls data from multiple locations in memory, often used to run a followup instruction on multiple bytes of data at once. The gather instruction is complex, takes multiple clock cycles to execute, and uses several tricks to execute faster, including managing buffers to avoid multiple reads. In certain cases, that instruction can be interrupted before it completes, leaving the data in the cache. And this data can be speculatively accessed and the values leaked through timing analysis.

This flaw affects 6th generation Intel Core processors through 11th. Mitigations are already rolling out via a microcode update, but do carry a performance hit for gather instructions.

Pedal Car Vs Ministry Of Transport

[Tim] from the “Way Out West” Youtube channels has started a fun project — building a wooden pedal-car heavily inspired by “Bugsy Malone”. The kids-sized gangsters in that movie got around in kid-sized pedal cars. Apparently kid-sized [Tim] just loved the idea, but just didn’t have the skills or tools to try to build one. But the time has come, and he has spent years putting together a workshop, tools, and skills.

The goal is a 4-wheeled vehicle that can actually be enclosed, to keep the driver out of the rain. It would be pedal powered, with an optional electric assist. It should be made of simple materials, like plywood and epoxy. The design would be freely shared, and the overall cost hopefully kept low. Come back after the link to find the rest of the story, including the monkey wrench thrown into the works.

Voyager 2: Communication Reestablished With One Big Shout

You could practically hear the collective “PHEW!” as NASA announced that they had reestablished full two-way communications with Voyager 2 on Friday afternoon! Details are few at this point — hopefully we’ll get more information on how this was pulled off, since we suspect there was some interesting wizardry involved. If you haven’t been following along, here’s a quick recap of the situation.

As we previously reported, a wayward command that was sent to Voyager 2, currently almost 19 light-hours distant from Earth, reoriented the spacecraft by a mere two degrees. It doesn’t sound like much, but the very narrow beamwidth on Voyager’s high-gain antenna and the vast distance put it out of touch with the Canberra Deep Space Network station, currently the only ground station with line-of-sight to the spacecraft. While this was certainly a problem, NASA controllers seemed to take it in stride thanks to a contingency program which would automatically force the spacecraft to realign itself to point at Earth using its Canopus star tracker. The only catch was, that system wasn’t set to engage until October.

With this latest development, it appears that mission controllers weren’t willing to wait that long. Instead, based on what was universally referred to in the non-tech media as a “heartbeat” from Voyager on August 1 (it appears that what they were really talking about was the use of multiple antennas at the Canberra site to pick up a weak carrier signal from the probe), they decided to send an “interstellar shout” and attempt to reorient the antenna. The 70-m DSS-43 dish blasted out the message early in the morning of August 2, and 37 hours later, science and engineering data started streaming into the antenna again, indicating that Voyager 2 was pointing back at Earth and operating fine.

Hats off to everyone involved in making this fix and getting humanity’s most remote outpost back online. If you want to follow the heroics in nearly real-time, or just like watching what goes on at the intersection of Big Engineering and Big Science, make sure you check out the Canberra DSN Twitter feed.

This Week In Security: Your Car’s Extended Warranty, Seizing The Fediverse, And Arm MTE

If you’ve answered as many spam calls as I have, you probably hear the warranty scam robocall in your sleep: “We’ve been trying to reach you about your car’s extended warranty.” That particular robocalling operation is about to run out of quarters, as the FCC has announced a nearly $300 million fine levied against that particular operation. The scammers had a list of 500 million phone numbers, and made over five billion calls in three months. Multiple laws were violated, including some really scummy behavior like spoofing employer caller ID, to try to convince people to pick up the call.

Now, that record-setting fine probably isn’t ever going to get paid. The group of companies on the hook for the amount don’t really exist in a meaningful way. The individuals behind the scams are Roy Cox and Aaron Jones, who have already been fined significant amounts and been banned from making telemarketing calls. Neither of those measures put an end to the problem, but going after Avid Telecom, the company that was providing telephone service, did finally put the scheme down.

Mastodon Data Scooped

There are some gotchas to Mastodon. Direct Messages aren’t end-to-end encrypted, your posts are publicly viewable, and if your server operator gets raided by law enforcement, your data gets caught up in the seizure.

The background here is that the administrator of the server in question had an unrelated legal issue, and was raided by FBI agents while working on an issue with the Mastodon instance. As a result, when agents seized electronics as evidence, a database backup of the instance was grabbed too. While Mastodon posts are obviously public by design, there is some non-public data to be lost. While IP addresses aren’t exactly out of reach of law enforcement, they’re still a bit of personal information that many of us like to avoid publishing. Then there are hashed passwords. While it’s better than plaintext passwords, having your password hash out there just waiting to be brute-forced is a bit disheartening. But the one that really hurts is that Mastodon doesn’t have end-to-end encryption for private messages.

Location of the Duvanny Yar outcrop on the Kolyma River, northeastern Siberia. (Credit: Anastasia Shatilovich et al., 2023)

Nematodes From The Siberian Permafrost Woke Up After A 46,000 Year Long Nap

The general consensus among us mammals is that if we get very cold, we die. Within the world of nematodes, however, they’d like to differ on that viewpoint. This is demonstrated succinctly after researchers coaxed a batch of these worms back into action after they had been frozen in Siberian permafrost for an estimated 46,000 years. The mechanism underlying this phenomenon is called cryptobiosis, which is essentially a metabolic state that certain lifeforms can enter when environmental conditions become unsuitable.

In the case of nematodes, they hold a number of records, with a group of them having survived the STS-107 Space Shuttle Columbia in 2003 when it broke up during reentry, making them the first known lifeform to have achieved such a feat. During arctic experiments it was found that these roundworms can withstand intracellular freezing even while active, depending on their diet.

The British Government Is Coming For Your Privacy

The list of bad legislation relating to the topic of encryption and privacy is long and inglorious. Usually, these legislative stinkers only affect those unfortunate enough to live in the country that passed them. Still, one upcoming law from the British government should have us all concerned. The Online Safety Bill started as the usual think-of-the-children stuff, but as the EFF notes, some of its proposed powers have the potential to undermine encryption worldwide.

At issue is the proposal that services with strong encryption incorporate government-sanctioned backdoors to give the spooks free rein to snoop on communications. We imagine that this will be of significant interest to some of the world’s less savoury regimes, a club we can’t honestly say the current UK government doesn’t seem hell-bent on joining. The Bill has had a tumultuous passage through the Lords, the UK upper house, but PM Rishi Sunak’s administration has proved unbending.

If there’s a silver lining to this legislative train wreck, it’s that many of the global tech companies are likely to pull their products from the UK market rather than comply. We understand that UK lawmakers are partial to encrypted online messaging platforms. Thus, there will be poetic justice in their voting once more for a disastrous bill with the unintended consequence of taking away something they rely on.

Header image: DaniKauf, CC BY-SA 3.0.

Voyager Command Glitch Causes Unplanned Pause In Communications

Important safety tip: When you’re sending commands to the second-most-distant space probe ever launched, make really, really sure that what you send isn’t going to cause any problems.

According to NASA, that’s just what happened to Voyager 2 last week, when uplinked commands unexpectedly shifted the 46-year-old spacecraft’s orientation by just a couple of degrees. Of course, at a distance of nearly 20 billion kilometers, even fractions of a degree can make a huge difference, especially since the spacecraft’s high-gain antenna (HGA) is set up for very narrow beamwidths; 2.3° on the S-band channel, and a razor-thin 0.5° on the X-band side. That means that communications between the spacecraft and the Canberra Deep Space Communication Complex — the only station capable of talking to Voyager 2 now that it has dipped so far below the plane of the ecliptic — are on pause until the spacecraft is reoriented.

Luckily, NASA considered this as a possibility and built safety routines into Voyager’s program that will hopefully get it back on track. The program uses the onboard star tracker to get a fix on the bright star Canopus, and from there figures out which way the spacecraft needs to move to get pointed back at Earth. The contingency program runs automatically several times a year, just in case something like this happens.

That’s the good news; the bad news is that the program won’t run again until October 15. While that’s really not that far away, mission controllers will no doubt find it an agonizingly long time to be incommunicado. And while NASA is outwardly confident that communications will be restored, there’s no way to be sure until we actually get to October and see what happens. Fingers crossed.