You Know Pi, But Do You Really Know E?

Pi Day is here! We bet that you know that famous constant to a few decimal points, and you could probably explain what it really means: the ratio of a circle’s circumference to its diameter. But what about the constant e? Sure, you might know it is a transcendental number around 2.72 or so. You probably know it is the base used for natural logarithms. But what does it mean?

The poor number probably needed a better agent. After all, pi is a fun name, easy to remember, with a distinctive Greek letter and lots of pun potential. On the other hand, e is just a letter. Sometimes it is known as Euler’s number, but Leonhard Euler was so prolific that there is also Euler’s constant and a set of Euler numbers, none of which are the same thing. Sometimes, you hear it called Napier’s constant, and it is known that Jacob Bernoulli discovered the number, too. So, even the history of this number is confusing.

But back to math, the number e is the base rate of growth for any continually growing process. That didn’t help? Well, consider that many things grow or decay through growth. For example, a bacteria culture might double every 72 hours. Or a radioactive sample might decay a certain amount per century. Continue reading “You Know Pi, But Do You Really Know E?”

This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE

We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP Synchronization requests, with spoofed source IPs.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

Continue reading “This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE”

Linux Fu: Use The Source (Command), Luke

You can argue if bash is a good programming language or not, but you can’t argue that it is a programming language. However, there are a few oddities about it that make it different from most other languages you probably know. For one thing, variables are dynamically scoped. Second, you can easily change variables in an upper scope. This leads to a problem when you want to do something like reset your path:

#!/bin/bash
#: This does NOT work
PATH=/usr/bin:/bin

Well, actually, it does work; it just doesn’t work the way you imagine it might. The key is to realize that when you execute our script (say, resetpath), a new copy of bash runs. It inherits all the variables from your shell. Now the script sets PATH for the new copy of bash. Anything else you run in that script will see your change. But when the script exits, the new copy of bash is gone and the old copy sees the same old PATH it always did.

Continue reading “Linux Fu: Use The Source (Command), Luke”

Pixel Watch 3’s Loss Of Pulse Detection: The Algorithms That Tell Someone Is Dying

More and more of the ‘smart’ gadgets like watches and phones that we carry around with us these days come with features that we’d not care to ever need. Since these are devices that we strap onto our wrists and generally carry in close proximity to our bodies, they can use their sensors to make an estimation of whether said body is possibly in the process of expiring. This can be due to a severe kinetic event like a car crash, or something more subtle like the cessation of the beating of one’s heart.

There is a fairly new Loss of Pulse Detection (LoPD) feature in Google’s Pixel Watch 3 that recently got US FDA approval, allowing it to be made available in the US after previously becoming available in over a dozen European countries following its announcement in August of 2024. This opt-in feature regularly polls whether it can detect the user’s pulse. If not found, it cascades down a few steps before calling emergency services.

The pertinent question here is always whether it is truly detecting a crisis event, as nobody wants to regularly apologize for a false alert to the overworked person staffing the 911 or equivalent emergency line. So how do you reliably determine that your smart watch or phone should dial emergencies forthwith?

Continue reading “Pixel Watch 3’s Loss Of Pulse Detection: The Algorithms That Tell Someone Is Dying”

Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Keebin’ With Kristina: The One With The Batwing Typewriter

[Alex] of YouTube channel [EastMakes] wrote into tell me about his fantastic QWERTY ‘hexpansion’ board for the 2024 EMF Tildagon badge, and [Alex], I’m super glad you did. The system works!

Let’s back up a bit. Essentially, the idea is to have a badge that can be used beyond a single camp, with the creation of expansion boards being the other main attraction. Our own [Jenny List] covered the badge in detail back in June 2024 when she got her hands on one.

A pair of hands holds the 2024 EMF Tildagon badge with a QWERTY keyboard Hexpansion built by [EastMakes].
Image by [EastMakes] via YouTube
[Alex] started by importing the Tildagon into Fusion360 and designing a way for the keyboard to attach to it physically. He then modeled the keyboard after the Blackberry types that can be found on Ali using the official EMF buttons established in earlier badges.

This QWERTY hexpansion is based on the RP2040, which is soldered around back and visible through the 3D-printed backplate. In order for the 90°-oriented board to align with the… not-90° connector, [Alex] built a little meander into the PCB.

The default OS on the Tildagon doesn’t know natively what to do with the serial messages from the keyboard, so [Alex] wrote an application that reads them in and decodes them. Be sure to check out the build and walk-through video after the break.

Continue reading “Keebin’ With Kristina: The One With The Batwing Typewriter”

TrapC: A C Extension For The Memory Safety Boogeyman

In the world of programming languages it often feels like being stuck in a Groundhog Day-esque loop through purgatory, as effectively the same problems are being solved over and over, with previous solutions forgotten and there’s always that one jubilant inventor stumbling out of a darkened basement with the One True Solution™ to everything that plagues this world beset by the Unspeakable Horror that is the C programming language.

As the latest entry to pledge its fealty at the altar of the Church of the Holy Memory Safety, TrapC promises to fix C, while also lambasting Rust for allowing that terrible unsafe keyword. Of course, since this is yet another loop through purgatory, the entire idea that the problem is C and some perceived issue with this nebulous ‘memory safety’ is still a red herring, as pointed out previously.

In other words, it’s time for a fun trip back to the 1970s when many of the same arguments were being rehashed already, before the early 1980s saw the Steelman language requirements condensed by renowned experts into the Ada programming language. As it turns out, memory safety is a miniscule part of a well-written program.

Continue reading “TrapC: A C Extension For The Memory Safety Boogeyman”

Conservationists Are Flying Microlites To Teach Birds How To Migrate

When it comes to what birds have and what humans don’t, your mind might first land on the ability to fly. However, birds are also pretty good at navigating from the air… assuming, that is, they know where they’re trying to go in the first place.

In recent decades, conservationists have been trying to reintroduce the northern bald ibis to central Europe. There’s just one problem—when the birds first died out on the continent, so did their handed-down knowledge of their traditional migration route. Somehow, the new generation had to be taught where to go.

Continue reading “Conservationists Are Flying Microlites To Teach Birds How To Migrate”