Even if you aren’t a giant history buff, you probably know that the French royal family had some difficulties in the late 1700s. The end of the story saw the King beheaded and, a bit later, his wife the famous Marie Antoinette suffered the same fate. Marie wrote many letters to her confidant, and probable lover, Swedish count Axel von Fersen. Some of those letters have survived to the present day — sort of. An unknown person saw fit to blot out parts of the surviving letters with ink, rendering them illegible. Well, that is, until now thanks to modern x-ray technology.
Anne Michelin from the French National Museum of Natural History and her colleagues were able to foil the censor and they even have a theory as to the ink blot’s origin: von Fersen, himself! The technique used may enable the recovery of other lost portions of historical documents and was published in the journal Science Advances.
Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.
The original exploit used .%2e/ as the magic payload, which is using URL encoding to sneak the extra dot symbol through as part of the path. The new workaround uses .%%32%65/. This looks a bit weird, but makes sense when you decode it. URL encoding uses UTF-8, and so %32 decodes to 2, and %65 to e. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration, cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files. Continue reading “This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger”→
Apple iPhones ship with the company’s Lightning cable, a capable and robust connector, but one that’s not cheap and is only useful for the company’s products. When the competition had only micro-USB it might have made sense, but now that basically all new non-fruity phones ship with USB-C, that’s probably the right way to go.
We’re a bit hazy on the individual iPhone model involves, but the essence of the work involves taking the internals of a Lightning-to-USB-C cable and hooking it up to the phone’s internal Lightning port. The proof-of-concept does it by putting the Apple flexible PCB outside the phone and plugging the cable part in directly, but it seems his final work involves a custom flexible board on which the reverse-engineered USB-C converter parts are mounted along with the USB-C socket itself. We see a glimpse of machining the slot in the phone’s case to USB-C dimensions, and we can’t wait for the full second installment.
Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. A database backup from the popular 3D model sharing website Thingiverse has leaked online, containing 228,000 email addresses, full names, addresses, and passwords stored as unsalted SHA-1 or bcrypt hashes. If you have an account with Thingiverse it is probably worth your while to head over to Have I Been Pwned to search on your email address, and just to be sure you should also change your password on the site. Our informal testing suggests that not all accounts appear to be contained in the leak, which appears to relate to comments left on the site.
Aside from the seriousness of a leak in itself, the choice of encryption should raise a few eyebrows. Both SHA-1 and bcrypt can be considered broken or at best vulnerable to attack here in 2021, so much so that for any website to have avoided migration to a stronger algorithm indicates a very poor attention to website security on the part of Thingiverse. We’d like to think that it would serve as a salutary warning to other website operators in our field, to review and upgrade their encryption, but we suspect readers will agree that this won’t be the last time we report on such a leak and nervously check our own login details.
Most of the horror stories you hear about air travel seem to center around luggage. Airlines do an admirable job of getting people safely to their destinations, but checked baggage is a bit of a crapshoot — it could be there when you land, it could end up taking the scenic route, or it could just plain disappear. That’s bad enough when it contains your clothes, but when it contains your livelihood? Talk about stress!
This was the position musician [Nicolas Bras] found himself in after a recent trip. [Nicolas] was heading for a gig, but thanks to Brussels Airlines, his collection of musical instruments went somewhere else. There was nothing he could do to salvage that evening’s gig, but he needed to think about later engagements. Thankfully, [Nicolas] specializes in DIY musical instruments, made mostly with PVC tubes and salvaged parts from commercial instruments, so the solution to his problem was completely in his hands.
Fair warning to musical instrument aficionados — harvest the neck from a broken ukelele is pretty gruesome stuff. Attached to a piece of pallet wood and equipped with piezo pickups, the neck became part of a bizarre yet fascinating hybrid string instrument. A selection of improvised wind instruments came next, made from PVC pipes and sounding equally amazing; we especially liked the bass chromojara, sort of a flute with a didgeridoo sound to it. The bicycle pump beatbox was genius too, and really showed that music is less about the fanciness of your gear and more about the desire — and talent — to make it with whatever comes to hand.
Here’s hoping that [Nicolas] is eventually reunited with his gear, but hats off to him in the meantime for hacking up replacements. And if he looks familiar, that’s because we’ve seen some of his work before, like his sympathetic nail violin and “Popcorn” played on PVC pipes.
The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.
If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
The Day The Internet Stood Still
You might have noticed a bit of a kerfluffel on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning nxdomain to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale. Continue reading “This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll”→
It is unlikely that as a young lad [Richard Jenkins] would had have visions of sailing into the eye of a Category-4 hurricane. Yet that’s exactly what he’s done with the Explorer 1045, an uncrewed sailing vehicle built by his company, Saildrone. If that weren’t enough, footage from the vessel enduring greater than 120 MPH (almost 200 km/h) winds and 50 foot (15 M) waves was posted online the very next day, and you can see it below the break. We’re going to take a quick look at just two of the technologies that made this possible: Advanced sails and satellite communication. Both are visible on Explorer 1045’s sibling 1048 as seen below:
Saildrone Explorer 1048, a sibling of Explorer 1045, each one of five vessels equipped with a “hurricane wing”
The most prominent feature of course is the lack of a traditional sail. You see, from 1999-2009, [Richard Jenkins] was focused on setting the land world speed record for a wind powered vehicle. He set that record at 126.1 mph by maturing existing sail wing technology. [Richard] did away with conventional rigging and added a boom with a control surface on it, much like the fuselage and empennage of a sailplane.
Instead of adjusting rigging, the control surface could be utilized to fly the wing into its optimal position while using very little energy. [Richard] has been able to apply this technology at his company, Saildrone. The 23 foot Explorer vessel and its big brothers are the result.
How is it that the world was treated to the view from inside the eye of a hurricane only a day after the video was recorded? If you look at the stern of the vessel, you can see a domed white cylinder. It is a satellite communication base station called the Thales VesseLINK. Thales is one of the partner companies that built the satellites for the Iridium NEXT fleet, which has 66 operational satellites in Low Earth Orbit. The Iridium Certus service uses its L-Band (1.6 GHz) signal to provide up to 352 kbps of upload speed and 704 kbps down. While not blazing fast, the service is available anywhere in the world and is reliable because it is not prone to rain fade and other weather based interference.
With just these two recent innovations, the Explorer 1045 was able to sail to the eye of a hurricane, record footage and gather data, and then ship it home just hours later. And we’re hardly exploring the tip of the iceberg. More than just sailboat based cameras, these scientific instruments are designed to survive some of the harshest environments on the planet for over a year at a time. They are a marvel of applied engineering, and we’re positive that there are some brilliant hacks hiding under that bright orange exterior.
