Slider

4980 Articles

Write Once, Run Everywhere: Cross-Platform Programming Done Right

March 4, 2020 by 58 Comments

One of the goals of programming languages back in the 1950s was to create a way to write assembly language concepts in an abstract, high-level manner. This would allow the same code to be used across the wildly different system architectures of that era and subsequent decades, requiring only a translator unit (compiler) that would transform the source code into the machine instructions for the target architecture.

Other languages, like BASIC, would use a runtime that provided an even more abstract view of the underlying hardware, yet at the cost of a lot of performance. Although the era of 8-bit home computers is long behind us, the topic of cross-platform development is still highly relevant today, whether one talks about desktop, embedded or server development. Or all of them at the same time.

Let’s take a look at the cross-platform landscape today, shall we?

Continue reading “Write Once, Run Everywhere: Cross-Platform Programming Done Right”

Inputs Of Interest: My First Aggressively Ergonomic Keyboard

March 3, 2020 by 59 Comments

Ever since my RSI surgery, I’ve had to resort to using what I call my compromise keyboard — a wireless rubber dome affair with a gentle curvature to the keys. It’s far from perfect, but it has allowed me to continue to type when I thought I wouldn’t be able to anymore.

This keyboard has served me well, but it’s been nearly three years since the surgery, and I wanted to go back to a nice, clicky keyboard. So a few weeks ago, I dusted off my 1991 IBM Model M. Heck, I did more than that — I ordered a semi-weird hex socket (7/32″) so I could open it up and clean it properly.

And then I used it for half a day or so. It was glorious to hear the buckling springs singing again, but I couldn’t ignore the strain I felt in my pinkies and ring fingers after just a few hours. I knew I had to stop and retire it for good if I wanted to keep being able to type.

Continue reading “Inputs Of Interest: My First Aggressively Ergonomic Keyboard”

Expanding, And Eventually Replacing, The International Space Station

March 3, 2020 by 99 Comments

Aboard the International Space Station (ISS), humanity has managed to maintain an uninterrupted foothold in low Earth orbit for just shy of 20 years. There are people reading these words who have had the ISS orbiting overhead for their entire lives, the first generation born into a truly spacefaring civilization.

But as the saying goes, what goes up must eventually come down. The ISS is at too low of an altitude to remain in orbit indefinitely, and core modules of the structure are already operating years beyond their original design lifetimes. As difficult a decision as it might be for the countries involved, in the not too distant future the $150 billion orbiting outpost will have to be abandoned.

Naturally there’s some debate as to how far off that day is. NASA officially plans to support the Station until at least 2024, and an extension to 2028 or 2030 is considered very likely. Political tensions have made it difficult to get a similar commitment out of the Russian space agency, Roscosmos, but its expected they’ll continue crewing and maintaining their segment as long as NASA does the same. Afterwards, it’s possible Roscosmos will attempt to salvage some of their modules from the ISS so they can be used on a future station.

This close to retirement, any new ISS modules would need to be designed and launched on an exceptionally short timescale. With NASA’s efforts and budget currently focused on the Moon and beyond, the agency has recently turned to private industry for proposals on how they can get the most out of the time that’s left. Unfortunately several of the companies that were in the running to develop commercial Station modules have since backed out, but there’s at least one partner that still seems intent on following through: Axiom.

With management made up of former astronauts and space professionals, including NASA’s former ISS Manager Michael Suffredini and Administrator Charles Bolden, the company boasts a better than average understanding of what it takes to succeed in low Earth orbit. About a month ago, this operational experience helped secure Axiom’s selection by NASA to develop a new habitable module for the US side of the Station by 2024.

While the agreement technically only covers a single module, Axiom hasn’t been shy about their plans going forward. Once that first module is installed and operational, they plan on getting NASA approval to launch several new modules branching off of it. Ultimately, they hope that their “wing” of the International Space Station can be detached and become its own independent commercial station by the end of the decade.

Continue reading “Expanding, And Eventually Replacing, The International Space Station”

The Last Scientific Calculator?

March 2, 2020 by 107 Comments

There was a time when being an engineering student meant you had a sword. Well, really it was a slide rule hanging from your belt, but it sounds cooler to call it a sword. The slide rule sword gave way to calculators hanging from your belt loop, and for many engineers that calculator was from HP. Today’s students are more likely to have a TI or Casio calculator, but HP is still in there with the HP Prime. It is hard to call it a calculator since the latest variant has a 528 MHz ARM Cortex A7, 256 MB of RAM, and 512 MB of ROM. But if you can’t justify a $150 calculator, there are some cheap and even free options out there to get the experience. To start with, HP has a free app that runs on Windows or Mac that works just like the calculator. Of course, that’s free as in no charge, not free as in open source. But still, it will run under Wine with no more than the usual amount of coaxing.

You might wonder why you need a calculator on your computer, and perhaps you don’t. However, the HP Prime isn’t just your 1980s vintage calculator. It also has an amazing number of applications including a complete symbolic math system based on xCAS/Giac. It is also programmable using a special HP language that is sort of like Basic or Pascal. Other applications include plotting, statistics, solvers, and even a spreadsheet that can hold up to 10,000 rows and 676 columns.

Portability

It is easy to think that HP provides the free PC software so you’ll go out and buy the real calculator, and that may be part of it. However, you can also get official apps for Android and iOS. They aren’t free, but they are relatively inexpensive. On iOS the cost right now is $25 and on Android it is $20. There are also “lite” versions that are free.

Continue reading “The Last Scientific Calculator?”

Project Rubicon: The NSA Secretly Sold Flawed Encryption For Decades

March 2, 2020 by 83 Comments

There have been a few moments in the past few years, when a conspiracy theory is suddenly demonstrated to be based in fact. Once upon a time, it was an absurd suggestion that the NSA had data taps in AT&T buildings across the country. Just like Snowden’s revelations confirmed those conspiracy theories, a news in February confirmed some theories about Crypto AG, a Swiss cryptography vendor.

The whole story reads like a cold-war era spy thriller, and like many of those novels, it all starts with World War II. As a result of a family investment, Boris Hagelin found himself at the helm of Aktiebolaget Cryptograph, later renamed to Crypto AG (1952), a Swedish company that built and sold cipher machines that competed with the famous Enigma machine. At the start of the war, Hagelin decided that Sweden was not the place to be, and moved to the United States. This was a fortuitous move, as it allowed Hagelin to market his company’s C-38 cipher machine to the US military. That device was designated the M-209 by the army, and became the standard in-the-field encryption machine.

Continue reading “Project Rubicon: The NSA Secretly Sold Flawed Encryption For Decades”

This Week In Security: Chrome Bugs And Non-bugs, Kr00k, And Letsencrypt

February 28, 2020 by 20 Comments

Google Chrome minted a new release to fix a trio of bugs on Monday, with exploit code already in the wild for one of them. The first two bugs don’t have much information published yet. They are an integer-overflow problem in Unicode internationalization, and a memory access issue in streams. The third issue, type confusion in V8, was also fixed quietly, but a team at Exodus Intel took the time to look at the patches and figure out what the problem was.

The actual vulnerability dives into some exotic Javascript techniques, but to put it simply, it’s possible to change a data-type without V8 noticing. This allows malicious code to write into the header area of the attacked variable. The stack, now corrupted, can be manipulated to the point of arbitrary code execution. The researchers make the point that even with Google’s fast-paced release schedule, a determined attacker could have several days of virtual zero-day exploitation of a bug mined from code changes. Story via The Register.

The Chrome Problem that Wasn’t

A second Chrome story came across my desk this week: Chrome 80 introduces a new feature, ScrollToTextFragment. This useful new feature allows you to embed a string of text in a URL, and when loading that address, Chrome will scroll the page to make that text visible. For certain use cases, this is an invaluable feature. Need to highlight a specific bit of text in a big document online?

The following bookmarklet code by [Paul Kinlan] is the easy way to start using this feature. Paste this code into the URL of a bookmark, put it on the bookmark bar, highlight some text in a webpage, and then run the bookmarklet. It should open a new tab with the new URL, ready to use or send to someone.

javascript:(function()%7Bconst%20selectedText%20%3D%20getSelection().toString()%3Bconst%20newUrl%20%3D%20new%20URL(location)%3BnewUrl.hash%20%3D%20%60%3A~%3Atext%3D%24%7BencodeURIComponent(selectedText)%7D%60%3Bwindow.open(newUrl)%7D)()

Since we’re talking about it in the security column, there must be more to the story. A privacy guru at Brave, [Peter Snyder], raised concerns about privacy implications of the feature. His argument has been repeated and misrepresented in a few places. What argument was he making? Simply put, that it’s not normal user behavior to immediately scroll to an exact position on the page. Because modern web pages and browsers do things like deferred loading of images, it could be possible to infer where in the page the link was pointing. He gives the example of a corporate network where DNS is monitored. This isn’t suggesting that the entire URL is leaked over DNS, but rather that DNS can indicate when individual components of a page are loaded, particularly when they are embedded images from other sites.

While this concern isn’t nonsensical, it seems to me to be a very weak argument that is being over-hyped in the press.

Whatsapp Groups Searchable on Google

It’s not new for search engines to index things that weren’t intended to be public. There is a bit of mystery surrounding how Google finds URLs to index, and StackExchange is full of plenty of examples of webadmins scratching their heads at their non-public folders showing up in a Google search.

That said, a story made the rounds in the last few days, that WhatsApp and Telegram group invites are being indexed by Google. So far, the official word is that all the indexed links must have been shared publicly, and Google simply picked them up from where they were publicly posted.

It appears that WhatsApp has begun marking chat invitation links as “noindex”, which is a polite way to ask search engines to ignore the link.

If it’s shown that links are getting indexed without being posted publicly online, then we have a much bigger story. Otherwise, everything is working as expected.

Letsencrypt Makes Attacks Harder

Letsencrypt has rolled out an invisible change to their validation process that makes a traffic redirection attack much harder. The new feature, Multi-Perspective Validation, means that when you verify your domain ownership, Letsencrypt will test that verification from multiple geographic regions. It might be possible to spoof ownership of a domain through a BGP attack, but that attack would be much harder to pull off against traffic originating from another country, or multiple countries simultaneously. Letsencrypt is currently using different regions of a single cloud, but plans to further diversify and use multiple cloud providers for even stronger validation.

Kr00k

Brought to us by the researchers at Eset, Krook (PDF) is a simple flaw in certain wireless chips. So far, the flaw seems to be limited to WPA2 traffic sent by Broadcom and Cypress chips. They discovered Kr00k while doing some followup research on KRACK.

Let’s talk about WPA2 for a moment. WPA2 has a 4-way handshake process that securely confirms that both parties have the shared key, and then establishes a shared Temporal Key, also known as a session key. This key is private between the two devices that performed the handshake, meaning that other devices on the same wireless network can’t sniff traffic sent by other devices.

When a device disconnects, or disassociates, that session key is reset to all 0s, and no packets should be sent until another handshake is performed. Here’s the bug: The packets already in the output buffer are still sent, but are encrypted with the zeroed key, making them trivially decrypted. As it’s simple to trigger deauthentication events, an attacker can get a sampling of in-the-clear packets. The ubiquity of TLS is a saving grace here, but any unencrypted traffic is vulnerable. Eset informed vendors about the flaw in 2019, and at least some devices have been patched.

Exchange

Microsoft Exchange got a security patch this past Tuesday that addressed a pair of bugs that together resulted in a remote code execution vulnerability. The first bug was an encryption key that is generated on Exchange server installation. That generation seemed to lack a good source of entropy, as apparently every Exchange install uses the the exact same key.

The second half of this bug is a de-serialization problem, where an encrypted payload can contain a command to run. Because the encryption key is known, any user can access the vulnerable endpoint. The process of exploitation is so trivial, be sure to patch your server right away.

TODO: Remove Vulnerabilities

This one is just humorous. An Intel virtualization feature appears to have been pushed into the Linux kernel before it was finished. Know what unfinished code tends to contain? Bugs and vulnerabilities. CVE-2020-2732, in this case. It’s unclear how exactly an exploit would work, but the essence is that a virtual guest is allowed to manipulate system state in unintended ways.

Astra Readies Secretive Silicon Valley Rocket; Firm Exits Stealth Mode, Plans Test Launch

February 28, 2020 by 27 Comments

After the end of the Second World War the United States and the Soviet Union started working feverishly to perfect the rocket technology that the Germans developed for the V-2 program. This launched the Space Race, which thankfully for everyone involved, ended with boot prints on the Moon instead of craters in Moscow and DC. Since then, global tensions have eased considerably. Today people wait for rocket launches with excitement rather than fear.

That being said, it would be naive to think that the military isn’t still interested in pushing the state-of-the-art forward. Even in times of relative peace, there’s a need for defensive weapons and reconnaissance. Which is exactly why the Defense Advanced Research Projects Agency (DARPA) has been soliciting companies to develop a small and inexpensive launch vehicle that can put lightweight payloads into Earth orbit on very short notice. After all, you never know when a precisely placed spy satellite can make the difference between a simple misunderstanding and all-out nuclear war.

More than 50 companies originally took up DARPA’s “Launch Challenge”, but only a handful made it through to the final selection. Virgin Orbit entered their air-launched booster into the competition, but ended up dropping out of contention to focus on getting ready for commercial operations. Vector Launch entered their sleek 12 meter long rocket into the competition, but despite a successful sub-orbital test flight of the booster, the company ended up going bankrupt at the end of 2019. In the end, the field was whittled down to just a single competitor: a relatively unknown Silicon Valley company named Astra.

Should the company accomplish all of the goals outlined by DARPA, including launching two rockets in quick succession from different launch pads, Astra stands to win a total of $12 million; money which will no doubt help the company get their booster ready to enter commercial service. Rumored to be one of the cheapest orbital rockets ever built and small enough to fit inside of a shipping container, it should prove to be an interesting addition to the highly competitive “smallsat” launcher market.

Continue reading “Astra Readies Secretive Silicon Valley Rocket; Firm Exits Stealth Mode, Plans Test Launch”