Faster Glacier Melting Mechanism Could Cause Huge Sea Level Rises

When it comes to the issue of climate change, naysayers often contend that we have an incomplete understanding of the Earth’s systems. While humanity is yet to uncover all the secrets of the world, that doesn’t mean we can’t act on what we know. In many cases, as climate scientists delve deeper, they find yet more supporting evidence of the potential turmoil to come.

In the stark landscapes of Greenland, a team of intrepid researchers from the University of California, Irvine, and NASA’s Jet Propulsion Laboratory have unearthed a hidden facet of ice-ocean interaction. Their discovery could potentially flip our understanding of sea level rise on its head.

Continue reading “Faster Glacier Melting Mechanism Could Cause Huge Sea Level Rises”

This Week In Security: .zip Domains, Zip Scanning

The world may not be ready, but the .zip Top Level Domain (TLD) is here. It’s a part of the generic TLD category, which was expanded to allow applications for custom TLDs. Google has led the charge, applying for 101 such new TLDs, with .zip being one of the interesting ones. Public registration for .zip domains has been open for a couple weeks, and some interesting domains have been registered, like update.zip, installer.zip, and officeupdate.zip.

The obvious question to ask is whether this new TLD can be abused for scamming and phishing purposes. And the answer is yes, sure it can. One of the trickiest ways is to use the AT symbol @ in a URL, which denotes user info at the beginning of the URL. It usually is used to include a username and password, like http://username:password@192.168.1.1/. That is pretty obvious, but what about https://google.com@bing.com? Still looks weird. The catch that really prevents this technique being abused is that slashes are disallowed in user data, so an abusive URL like https://google.com∕gmail∕inbox@bing.com is right out.

Except, take a look at that last link. Looks like it has slashes in it, so it should take you to Google, and ignore the AT symbol. But it doesn’t, it goes to Bing. You may have guessed, it’s Unicode shenanigans again. Those aren’t slashes, they’re U+2215, the division slash. And that means that a .zip TLD could be really sneaky, if the apparent domain is one you trust.

Continue reading “This Week In Security: .zip Domains, Zip Scanning”
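A link checker for the userinfo trick described above, as an added example that is not from the original article. It relies on the standard WHATWG URL parser; the function name, the finding labels and the look-alike list beyond U+2215 are assumptions, and the last sample URL is constructed.

```javascript
// Added example: report where a link really goes and why it looks deceptive.
// Characters that render like "/" but are not URL delimiters (U+2215 is the one named above).
const SLASH_LOOKALIKES = /[\u2215\u2044\u29F8\uFF0F]/;
const FILE_LIKE_TLDS = new Set(["zip"]); // the TLD this article discusses

// The parser percent-encodes userinfo; decode it, tolerating malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw); // same parsing rules browsers follow
  } catch {
    return { host: null, findings: ["unparseable"] };
  }
  const findings = [];
  if (url.username || url.password) {
    findings.push("userinfo"); // everything before "@" is not the destination
    const user = safeDecode(url.username);
    if (SLASH_LOOKALIKES.test(user)) findings.push("lookalike-slash");
    // Userinfo that starts like "name.tld" is posing as the host.
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(user)) findings.push("userinfo-resembles-host");
  }
  const tld = url.hostname.split(".").pop();
  if (FILE_LIKE_TLDS.has(tld)) findings.push("file-like-tld");
  return { host: url.hostname, findings };
}

// First three URLs come from the text above (the third uses real slashes);
// the fourth is constructed for illustration.
const SAMPLES = [
  "http://username:password@192.168.1.1/",
  "https://google.com\u2215gmail\u2215inbox@bing.com",
  "https://google.com/gmail/inbox@bing.com",
  "https://example.com\u2215download\u2215@example.zip",
];

for (const s of SAMPLES) {
  const r = inspectLink(s);
  console.log(`${s}\n  real host: ${r.host}  findings: ${r.findings.join(", ") || "none"}`);
}
```

With real slashes the browser treats google.com as the host and the "@" lands harmlessly in the path, which is why the third sample reports no findings.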

Go In All The Directions With Omniwheeled ESP32 Bot

The ability to change direction without turning is the specialty of omnidirectional wheels, which [maker.moekoe] used to their full potential on a pair of ESP32-controlled robots. Video after the break.

Thanks to the rollers on the wheels, the wheels could be arranged at 120° in relation to each other on the 3-wheeler and 90° on the 4-wheeler. [maker.moekoe] used ChatGPT and a simple Python simulation to find and verify the motor control algorithm required for smooth omnidirectional driving.

A single custom PCB incorporates all the electronics, and doubles as the robot’s chassis, with the geared brushed motors bolted directly to it. An ESP32-S2 runs the show, and can also stream FPV video from the same OV2640 camera used on the popular ESP32-cam modules. The LiPo battery is held by a 3D-printed support plate screwed to the bottom of the PCB. The robots can be controlled by a simple web-app served by the ESP32, or by using the IMU on a custom controller also built around an ESP32-S2 which uses the ESP-NOW wireless protocol.

Even though the robots’ software is still in the early stages, the movement looks extremely smooth and effortless. Plus, their all-in-one PCB chassis makes for an elegant and clean build.

Continue reading “Go In All The Directions With Omniwheeled ESP32 Bot”

Mark Your Calendars, NASA Is Holding A Public Meeting On UFOs

We’re sorry, the politically correct term these days is “unidentified anomalous phenomena” (UAP), as it’s less likely to excite those with a predilection for tinfoil hats. But whether you call them flying objects or anomalous phenomena, it’s that unidentified part that has us interested.

Which is why we’ll be tuned into NASA TV at 10:30 a.m. EDT on May 31 — that’s when the agency has announced they’ll be broadcasting a meeting of an independent study team tasked with categorizing and evaluating UAP data. The public can even submit their own questions, the most popular of which will be passed on to the team.

Before you get too excited, the meeting is about how NASA can “evaluate and study UAP by using data, technology, and the tools of science”, and the press release explains that they won’t be reviewing or assessing any unidentifiable observations. So if you’re hoping for the US government’s tacit acknowledgment that we’re not alone in the universe, you’ll probably be disappointed. That said, they wouldn’t have to assemble a team to study these reports if they were all so easily dismissed. As always, interstellar visitors are dead last on the list of possible explanations, but some cases have too much hard evidence to be dismissed out of hand. They might not be little green men, but they are something.

Continue reading “Mark Your Calendars, NASA Is Holding A Public Meeting On UFOs”

ESA Juice’s RIME Antenna Breaks Free After Some Jiggling And Percussive Action

After ESA’s Jupiter-bound space probe Juice (Jupiter Icy Moons Explorer) launched on April 14th of this year, it initially looked as if it had squeezed out a refreshingly uneventful deployment, until it attempted to unfurl its solar panels and antennae. One of these antennae, for the RIME (Radar for Icy Moons Exploration) instrument that uses ice-penetrating radar to get a subsurface look at Jupiter’s moons, ended up being rather stuck. Fortunately, on May 12th it was reported that ESA engineers managed to shock the sticky pin loose.

Release of the jammed antenna coinciding with the actuation of the NEA (‘NEA 6 Release’). The antenna wobbles about before settling in a locked position. (Credit: ESA)

We previously covered the discovery of Juice’s RIME antenna troubles, with one of the retaining pins that hold the antenna in place in its furled position stubbornly refusing to shift the few millimeters that would have allowed for full deployment. Despite the high-tech nature of the Juice spacecraft, the optimal solution to make the pin move was simply to try and shake it loose.

Attempts were initially made using the spacecraft’s thrusters to shake the whole vehicle, as well as by warming it in sunlight. Each of these actions seemed to help a little bit, but the breakthrough came when a non-explosive actuator (NEA) was actuated in the jammed bracket. This almost fully fixed the problem, leading the team in charge to decide to fire another NEA, which finally allowed the pin to fully shift and the antenna to fully deploy and lock into place.

Assuming no further issues occur during Juice’s long trip through the Solar System, Juice is expected to arrive at Jupiter after four gravity assists in July of 2031. There it will perform multiple science missions until a planned deorbit on Ganymede by late 2035.

3D Design With Text-Based AI

Generative AI is the new thing right now, proving to be a useful tool for professional programmers, writers of high school essays, and all kinds of other applications in between. It’s also been shown to be effective in generating images, as the DALL-E program has demonstrated with its impressive image-creating abilities. It should surprise no one that this type of AI continues to make inroads into other areas, this time with a program from OpenAI called Shap-E which can render 3D images.

Like most of OpenAI’s offerings, this takes plain language as its input and can generate relatively simple 3D models with this text. The examples given by OpenAI include some bizarre models using text prompts such as a chair shaped like an avocado or an airplane that looks like a banana. It can generate textured meshes and neural radiance fields, both of which have various advantages when it comes to available computing power, training methods, and other considerations. The 3D models that it is able to generate have a Super Nintendo-style feel to them but we can only expect this technology to grow exponentially like other AI has been doing lately.

For those wondering about the name, it’s apparently a play on the 2D rendering program DALL-E which is itself a combination of the names of the famous robot WALL-E and the famous artist Salvador Dali. The Shap-E program is available for anyone to use from this GitHub page. Even though this code comes from OpenAI themselves, plenty are speculating that the AI revolution to come will largely come from open-source sources rather than OpenAI or Google, something for which the future is somewhat hazy.

This Week In Security: TPM And BootGuard, Drones, And Coverups

Full disk encryption is the go-to solution for hardening a laptop against the worst-case scenario of physical access. One way that encryption can be managed is through a Trusted Platform Module (TPM), a chip on the motherboard that manages the disk encryption key, and only hands it over for boot after the user has authenticated. We’ve seen some clever tricks deployed against these discrete TPMs, like sniffing the data going over the physical traces. So in theory, an integrated TPM might be more secure. Such a technique does exist, going by the name fTPM, or firmware TPM. It uses a Trusted Execution Environment, a TEE, to store and run the TPM code. And there’s another clever attack against that concept (PDF).

It’s chip glitching via a voltage fault. This particular attack works against AMD processors, and the voltage fault is triggered by injecting commands into the Serial Voltage Identification Interface 2.0 (SVI2). Dropping the voltage momentarily to the AMD Secure Processor (AMD-SP) can cause a key verification step to succeed even against an untrusted key, bypassing the need for an AMD Root Key (ARK) signed board firmware. That’s not a simple process, and pulling it off takes about $200 of gear, and about 3 hours. This exposes the CPU-unique seed, the board NVRAM, and all the protected TPM objects.

So how bad is this in the real world? If your disk encryption only relies on an fTPM, it’s pretty bad. The attack exposes that key and breaks encryption. For something like BitLocker that can also use a PIN, it’s a bit better, though to really offer more resistance, that needs to be a really long PIN: a 10 digit PIN falls to a GPU in just 4 minutes, in this scenario where it can be attacked offline. There is an obscure way to enable an “enhanced PIN”, a password, which makes that offline attack impractical with a secure password.

And if hardware glitching a computer seems too complicated, why not just use the leaked MSI keys? Now to be fair, this only seems to allow a bypass of Intel’s BootGuard, but it’s still a blow. MSI suffered a ransomware-style breach in March, but rather than encrypt data, the attackers simply threatened to release the copied data to the world. MSI apparently refused to pay up, and source code and signing keys are now floating in the dark corners of the Internet. There have been suggestions that this leak impacts the entire line of Intel processors, but it seems likely that MSI only had their own signing keys to lose. But that’s plenty bad, given the lack of a revocation system or automatic update procedure for MSI firmware.

Continue reading “This Week In Security: TPM And BootGuard, Drones, And Coverups”