This Week In Security: Github, Google, And Realtek

GitHub Desktop may have stopped working for you yesterday, February 2nd. The reason was unauthorized access to some decidedly non-public repositories. The most serious piece of information that escaped was a set of code signing certificates, notably the ones used for GitHub Desktop and Atom. Those certificates were password protected, so it’s unlikely they’ve been abused yet. Even so, GitHub is taking the proper step of revoking those certificates.

The only active certificate that was revoked was used for signing the Mac releases of GitHub Desktop, so quite a few older versions of that software are no longer easily installed. If nothing else, it’s a reminder that even a project with a well-run security team can have problems.

Sh1mmer-ing Chromebooks

There’s a new, clever attack on the Chromebook, specifically with the goal of unenrolling the device from an educational organization. And the “vulnerability” is a documented feature, the RMA shim. That’s a special boot loader target that carries a valid signature but allows the booting of other code, intended for troubleshooting and fixing devices in a repair center. Quite a few of those images have leaked, and Sh1mmer combines the appropriate image with a boot menu offering some interesting options.

The first is unenrolling, so the device will act like a privately owned computer. This gets rid of content blocks and allows removing extensions. But wait, there’s more: rooting the device, a raw Bash terminal, and re-enabling developer mode. Now, as far as we can tell, this doesn’t *directly* break device encryption, but it’s likely that the RMA shim could be abused to tamper with the device’s filesystem, meaning that the leak of a bunch of signed shims is a big problem for device security. If you use a Chromebook, it might be time to do some research on whether that model’s shim has been leaked.

End Of An Automation Era As Twitter Closes Its Doors To Free API Access

Over the last few months since Elon Musk bought Twitter there has been a lot of comment and reaction, but not much of relevance to Hackaday readers. Today, though, that has changed, with an announcement from the company that as of February 9th it will end its free API tier. It’s relevant here because Twitter has become one of those glue items for connected projects and has appeared in many featured works on this site. A week’s notice of a service termination is exceptionally short, so expect to see a lot of the Twitter bots you follow disappearing.

Twitter bot owners have the option of paying to continue with Twitter, or rebuilding their service to use a Mastodon instance such as botsin.space. If the fediverse is new to you, then the web is not short of tutorials on how to do this.

We feel that Twitter will be a poorer place without some of the creative, funny, or interesting bots which have enriched our lives over the years, and we hope that the spam bots don’t remain by paying for API access. We can’t help feeling that this is a misguided step though, because when content is the hook to bring in the users who are the product, throwing out an entire category of content seems short-sighted. We’re not so sure about it as a move towards profitability either, because the payback from a successful social media company is never profit but influence. In short: what social media companies make is not money but the conversation itself, and that can sometimes be worth more than money if you can avoid making a mess of it.

If the bots from our field depart for Mastodon, we look forward to seeing whether the new platform offers any new possibilities. Meanwhile if your projects don’t Toot yet, find out how an ESP32 can do it.

Header: D J Shin, CC BY-SA 3.0.

The Struggle Of Keeping A 1950s Candlepin Bowling System Working

When we hear the term ‘bowling’, most of us think of what is known as ten-pin bowling, yet this is only one of the many variations. Candlepin bowling — so called because of the distinctive pin shape — has been around since 1880, yet is mostly played within the US New England states and the Canadian Maritime provinces. Because of how relatively uncommon it is, candlepin bowling alleys such as the one that [Autumn Mowery]’s family runs are struggling to keep the system working, much of it due to a lack of spare parts.

On [Autumn]’s YouTube channel she goes through many of the behind-the-scenes details at the Ellsworth, Maine-based bowling alley: the repairs, and the scavenging of spare parts from the sacrificial bowling lanes that are used to keep the other lanes going for as long as possible. With the mechanics of the installed candlepin bowling system dating back to the 1940s and having been in constant use since the 1950s, it’s an everyday struggle to keep the system from breaking down, with no spare parts available for sale.

Although the financially responsible approach might be to give up on the system and have a readily available ten-pin bowling system installed instead, there’s a lot more to this form of bowling than the difference in pin shape. Differences include the much stricter rules, the use of a smaller ball without finger holes, the lower chance of hitting a pin, and so on. This, along with the historical significance of the sport and of this particular system, would make it appear to be something that’s right up the (bowling) alley of our audience.

How would you keep a 1950s-era bowling system up and running?

Thanks to [Tara Calishain] for the tip!

The Radioactive Source Missing In Australian Desert Has Been Found

Nuclear material is relatively safe when used, stored, and managed properly. This generally applies to a broad range of situations, from nuclear medicine to nuclear power generation. Some may argue it’s impossible to use nuclear weapons safely. In any case, stringent rules exist to manage nuclear material for good reason.

Sometimes, though, things go wrong, mistakes are made, and that nuclear material ends up going AWOL. That’s the situation that faced authorities in Australia, as they scoured over a thousand kilometers of desert highway for a tiny missing radioactive source with the potential to cause serious harm. Thankfully, authorities were able to track it down.



Handmade GPS Tracker Keeps An Eye On Adventurous Cats

One of the most convenient things about having cats is their independent lifestyle: most are happy to enjoy themselves outside all day, only coming back home when it’s time for dinner and a nap. What your cat gets up to during the day remains a mystery, unless you fit it with a GPS collar. When [Sahas Chitlange] went searching for a GPS tracker for his beloved Pumpkin, he found that none were exactly to his liking: too slow, too big, or simply unreliable. This led him to design and build his own, called Find My Cat.


Wizards Get Creative, Maybe Save The World

While it’s not normal Hackaday fare, we’ve covered the Dungeons & Dragons licensing kerfuffle, partially because we’re all nerds at heart, and also because it’s worrying that an Open Source styled license could be “deauthorized”. I did touch base with the Open Source Initiative, and got a telling comment that this issue was outside their purview, as the OGL 1.0a didn’t rise to the definition of an OSI approved license, and the update looked to be a disaster.

Since our coverage was published, Wizards of the Coast released part of the Fifth Edition System Reference Document (SRD) under a Creative Commons license and removed the profit-sharing language from the OGL update, but notably left the language in place about deauthorizing the 1.0a version of the license. As you can imagine, fans were still unamused, and we informed WotC of our displeasure when they launched a survey asking fans their thoughts on the new license.

And the outpouring was overwhelming, with over 15,000 survey responses in just over a week. The vast majority (90% for some questions) informed WotC that they had lost their collective minds. That response, combined with a plummeting subscription count on DND Beyond, Paizo’s explosion of popularity and new ORC license announcement, and the plethora of publishers jumping ship, has finally shone the light of reason upon management at WotC.

The latest announcement is a win in basically every regard. The OGL 1.0a will not be deauthorized, and the entire 5e SRD has been released under the Creative Commons Attribution 4.0 license. That’s an interesting choice, as CC-BY-4.0 is a very permissive license. It’s not “viral”, as it does not place any licensing restrictions on derivative works, and there are no restrictions on commercial use. The only restriction is that attribution must be included. The latest SRD is now available under both licenses, and you pick your preference. So as a reward for going through the trauma, we get a sizable chunk of the game under an even less restrictive license. Bravo.


This Week In Security: GTA, Apple And Android, And Insecure Boot

When we first saw tweets about a security issue in Grand Theft Auto V, it sounded a bit like a troll. “Press ‘alt and f4’ to unlock a cheat mode”, or the hacker that claims to be able to delete your character. [Tez2]’s warning tweet that you shouldn’t play GTA Online without a firewall sounds like another of these online urban legends. But this one actually seems legit. NIST is even in on the fun, assigning CVE-2023-24059 for the exploit.

When playing an online game, other users send a “join request” to join the active session. These packets can contain malformed data that has been observed to crash the game client remotely. It’s believed, though not publicly confirmed, that it’s also a Remote Code Execution (RCE) vulnerability. It seems likely that this capability will be added to some of the various cheat panels that are already widely used for this 10-year-old game. So now, rather than just giving your own character infinite ammo and health, you can inflict some havoc on other players, possibly up to corrupting their character files and getting them banned.

But why stop there? If we have code execution inside the game, what stops another player from launching a real attack? A video game isn’t sandboxed like a browser, and there’s nothing preventing a disk-wiper attack or even a worm from compromising a bunch of players. The worst part is that it’s an old game, and even though there’s a large player base, it’s not guaranteed to get a fix. There’s at least one project aiming to be a firewall to prevent the issue.