Simultaneous Invention, All The Time?

As Tom quipped on the podcast this week, if you have an idea for a program you’d like to write, all you have to do is look around on GitHub and you’ll find it already coded up for you. (Or StackOverflow, or…) And that’s probably pretty close to true, at least for really trivial bits of code. But it hasn’t always been thus.

I was in college in the mid 90s, and we had a lab of networked workstations that the physics majors could use. That’s where I learned Unix, and where I had the idea for the simplest program ever. It took the background screen color, in the days before wallpapers, and slowly random-walked it around in RGB space. This was set to be slow enough that anyone watching it intently wouldn’t notice, but fast enough that others occasionally walking by my terminal would see a different color every time. I assure you, dear reader, this was the very height of wit at the time.

With the late 90s came the World Wide Web and the search engine, and the world got a lot smaller. For some reason, I was looking for how to set the X terminal background color again, this time searching the Internet instead of reading up in a reference book, and I stumbled on someone who wrote nearly exactly the same random-walk background color changer. My jaw dropped! I had found my long-lost identical twin brother! Of course, I e-mailed him to let him know. He was stoked, and we shot a couple funny e-mails back and forth riffing on the bizarre coincidence, and that was that.

Can you imagine this taking place today? It’s almost boringly obvious that if you search hard enough you’ll find another monkey on another typewriter writing exactly the same sentence as you. It doesn’t even bear mentioning. Heck, that’s the fundamental principle behind Codex / CoPilot – the code that you want to write has been already written so many times that it will emerge as the most statistically likely response from a giant pattern-matching, word-word completion neural net model.

Indeed, stop me if you’ve read this before.

This Week In Security: GoDaddy, Joomla, And ClamAV

We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.

That multi-year campaign appears to go back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment, which has been linked to the same group.

Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.

Joomla’s Force Persuasion

Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases before 4.2.8, which contains the fix. The issue is the REST API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true to the request. Yes, it’s a good old “You don’t need to see his identification” force suggestion.

There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the response. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even the password hash. It’s leaking the SQL database credentials. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.
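For anyone running a Joomla 4 site who wants to know whether this has been tried against them, the request pattern is easy to pick out of web server logs: a hit on a REST API path carrying public=true, and especially one that got a 200 back. The script below is an added example (not Joomla’s code, nor the PoC mentioned above) that parses combined-format access log lines and flags those requests. It assumes the site is served at the web root so the API lives under /api/, and the sample log lines are constructed for illustration.

```python
"""
Flag requests matching the CVE-2023-23752 pattern: a Joomla REST API
path (assumed under /api/) with a public=true query parameter.
Input is Apache/nginx combined log format. Sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# One combined-log-format line: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real log data). The API paths are modelled on
# the Joomla 4 REST API layout; the exact endpoints are an assumption here.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [20/Feb/2023:10:01:05 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843
198.51.100.9 - - [20/Feb/2023:10:02:11 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 920
198.51.100.9 - - [20/Feb/2023:10:02:15 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 120
192.0.2.4 - - [20/Feb/2023:10:03:00 +0000] "GET /blog/?public=true HTTP/1.1" 200 3300
"""


def has_public_flag(target: str) -> bool:
    """True if the query string carries public=true (case-insensitive value)."""
    query = parse_qs(urlsplit(target).query)
    return any(value.lower() == "true" for value in query.get("public", []))


def is_api_path(target: str) -> bool:
    """True if the request path is under the (assumed) Joomla API prefix."""
    return urlsplit(target).path.startswith("/api/")


def find_suspect_requests(log_text: str) -> list:
    """Return one dict per request that hits the API with public=true."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed or non-combined line; skip rather than guess
        target = match.group("target")
        if is_api_path(target) and has_public_flag(target):
            hits.append({
                "ip": match.group("ip"),
                "time": match.group("time"),
                "path": urlsplit(target).path,
                "status": int(match.group("status")),
            })
    return hits


def successful_by_source(hits: list) -> dict:
    """Count only 2xx responses per client IP: a 200 on a path that should
    have required authentication is the signal worth alerting on."""
    counts = {}
    for hit in hits:
        if 200 <= hit["status"] < 300:
            counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]} -> {hit["status"]}')
    print("successful hits per source:", successful_by_source(found))
```

Note that the /blog/?public=true line is deliberately not flagged: the parameter alone is not interesting, only its combination with an API path, and a 4.2.8 upgrade is still the fix regardless of what the logs show.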

IBM Wants You To Learn Tech

IBM — no stranger to anyone who works in the computing field — has launched a series of training modules on a site called skillsbuild.org. The site targets high school students, college students, and adult learners and offers tracks for jobs like cybersecurity analyst, IT support technician, Web developer, and data science. Several other companies are participating, such as Red Hat and Fortinet. The cost? The courses are free and you can earn digital credentials to show you’ve completed certain classes.

Even more interesting is that they have resources for schools and other organizations that want to leverage the material for students. There is even software that educators can download at no charge for classroom use. The material is available in a variety of languages, too. For more advanced topics, there’s also Cognitive class from IBM, which is also free and provides the same sort of credentials.

Apparently, the digital credentials are far more than just an electronic diploma. Employers you select can examine the credentials and see things like exams and results along with other information to help them understand your skill level.

Even though you’re reading Hackaday and probably already have a good roster of tech skills, this could be a nice way to get some documentation of what you know. If you work with kids or even adults that need tech skills, or you just want to add some to your resume, you can’t beat the cost. If you aren’t sure, there are some sample guest classes you can try without even registering.

We live in an amazing time when you can build your own college-level education. You can even “study” at MIT and other big institutions inexpensively or for free.

Digital Video From The Amiga’s DB23 Socket

Back in the days of 16-bit home computers, the one to have if your interests extended to graphics was the Commodore Amiga. It had high resolutions for the time in an impressive number of colours, and thanks to its unique video circuitry, it could produce genlocked broadcast-quality video. Here in 2023 though, it’s all a little analogue. What’s needed is digital video, and in that, [c0pperdragon] has our backs with the latest in a line of Amiga video hacks. This one takes the 12-bit parallel digital colour that would normally go to the Amiga’s DAC, and brings it out into the world through rarely-used pins on the 23-pin video connector.

This follows on from a previous [c0pperdragon] project in which a Raspberry Pi Zero was used to transform the digital video into HDMI. This isn’t a hack for the faint-hearted though, as it involves extensive modification of your treasured Amiga board.

It is of course perfectly possible to generate HDMI from an Amiga by using an external converter box from the analogue video output, of the type which can be bought for a few dollars from online vendors. What this type of hack gives over the cheap approach is low latency, something highly prized by gamers. We’re not sure we’re ready to start hacking apart our Amigas, but we can see the appeal for some enthusiasts.

The USAF (Almost) Declares War On Illinois Radio Amateurs

Every week the Hackaday editors gather online to discuss the tech stories of the moment, and among the topics this week was the balloons shot down over North America that are thought to be Chinese spying devices. Among the banter came the amusing thought that enterprising trolls on the Pacific rim could launch balloons to keep the fearless defenders of American skies firing off missiles into the beyond.

But humor may have been overshadowed by events, because it seems one of the craft they shot down was just that. It wasn’t a troll though; the evidence points to an amateur radio pico balloon — a helium-filled Mylar party balloon with a tiny solar-powered WSPR transmitter as its payload.

The balloon thought to have been shot down was launched by the Northern Illinois Bottlecap Balloon Brigade, a group of radio amateurs who launch small helium-filled Mylar balloons carrying the barest minimum for a solar-powered WSPR beacon. Its callsign was K9YO, and having circumnavigated the globe seven times since its launch on the 10th of October, it was last seen off Alaska on February 11th. Its projected course and timing tally with the craft reported shot down by the US Air Force, so it seems the military used hundreds of thousands of dollars’ worth of high-tech weaponry to shoot down a few tens of dollars’ worth of hobby electronics they could have readily tracked online. We love the smell of napalm in the morning!

Their website has a host of technical information on the balloons and the beacons, providing a fascinating insight into this facet of amateur radio that is well worth a read in itself. The full technical details of the USAF missile system used to shoot them down sadly remain classified.

This Week In Security: USB Cable Kia, Reddit, And Microsoft RCEs

There is a vulnerability in many Hyundai and Kia vehicles, where the ignition switch can be bypassed with a USB cable. It’s getting a patch rollout right now, but it’s not a USB vulnerability in quite the way you might think. In most cars, the steering column is easily disassembled, but these vehicles have an extra-bad design problem: the ignition cylinder can be disassembled while locked, just by depressing a pin.

Physical security has some parallels to computer security, and one such parallel is that good security can often be bypassed by a simple mistake. When it comes to lock design, one such potential bypass is the ability to disassemble a lock while it’s still locked. And somehow, Kias after 2010 and Hyundais after 2015 were made with exactly this flaw. The lock could be disassembled, and the interface between the lock and the ignition switch just happens to be the right shape and size for a USB A plug. Oh, and these cars don’t have an engine immobilizer — there isn’t a chip built into the keys for extra security.

The problem became widespread late last year when the flaw went viral on TikTok, and thousands of copycat crimes were inspired. Beyond the obvious problem, that teenagers were getting an early start on a life of crime with grand theft auto, there were at least 8 deaths directly attributed to the inane stunt. And this brings us back to this week’s news, that a software update is rolling out to address the issue.

Honestly, I have questions. A software update doesn’t add in-key security chips. At best, it could attempt to detect the key position and sabotage the engine management control, as an ad-hoc immobilizer. That’s likely a paper clip-turned-jumper away from being bypassed. The other new feature, doubling the alarm time from 30 seconds to a minute, doesn’t inspire much confidence. Hopefully the changes are enough to kill the trend.

Virgin Orbit’s First UK Launch Attempt: What Went Wrong

A month ago there was disappointment as Virgin Orbit’s first attempt at a space launch from the United Kingdom using its converted Boeing 747 airliner platform failed to achieve orbit. Now with the benefit of a lot of telemetry analysis the company have released their findings, which conclude that a fuel filter within the second stage became dislodged. The resulting fuel starvation was enough to cause the engine to receive insufficient cooling and overheat, bringing the mission to a premature end.

As we said at the time, the interesting part of the launch, midair from the 747, appears to have gone flawlessly. Space exploration is hard, and we are confident that they’ll fix any fuel filter mounting issues on future launches and be placing payloads in orbit for their customers soon afterwards. The whole program has seen significant news coverage in the UK where the craft has its base, and those of us in those environs will no doubt see it portrayed locally as a matter of national pride. The truth however will be that it flies on the talents of engineers from all corners of the world. We’ll be watching out next time, and look forward to a successful mission.

Header: Österreichisches Weltraum Forum, CC BY-SA 4.0.