No, we’re not talking about cultural appropriation of Japan’s most famous form of short poem–this is the other Haiku, the open-source descendant of BeOS, which now has a fully-native meshcore chat client called Sestriere, thanks to the efforts of one [Atomozero]. Of course you’ll need a LoRa radio to act as a modem, but anything that speaks USB serial– which is any of the ESP32-based offerings on the market–should work.
This is interesting in that we don’t see many desktop applications leveraging LoRa networks– meshtastic or meshcore– so for one to appear for the relatively-obscure BeOS derivative is just neat. It’s also a nice peice of work: the chat window is full featured, organizing your contacts, and communicating not just with text but emojis and reaction GIFs. GIFs seem a bit extravagant for LoRa bandwith, but apparently it works. There are also Codec2-based voice messages, another thing that we didn’t expect to see over LoRa, since most ‘chat’ projects restrict themselves to text messaging.
The chat window. One nice thing about Haiku APIs is that look-and-feel isn’t in question.
The software will also map all the nodes with which you are in contact, both diagrammatically and geographically, overlaid on OpenStreetMap tiles. The network map conveniently colour-codes your contacts by the link quality, but what’s even more interesting is the WireShark-inspired packet sniffer built into the software to let you keep a really close eye on traffic on the mesh network.
Neither Haiku or MeshCore are to everyone’s tastes, but as an OS it is a worthy daily driver, even if you have to jump through some hoops to install it if you have a UEFI-only system.
Once upon a time, someone set up a livestream wherein the messages from Twitch chat could control a game of Pokemon. Since then, we’ve seen Twitch control all sorts of things. If you’d like to have them play with some LEDs in your house, you might like this project from [pfeiffer3000].
The concept is simple enough. The heart of the build is an ESP32 microcontroller, which is easy to integrate with web services thanks to its onboard WiFi capability. It’s hooked upt o a string of WS2812B addressable RGB LEDs. The LEDs themselves are installed within table tennis balls to act as nice, spherical diffusers, and installed in a square frame made of PVC pipes. As for code, the rig uses the WLED library to drive the LED strings, and code from TwitchIO to interface with Twitch chat itself. It’s as simple as rigging up a bit of Python. With everything assembled, [pfeiffer3000] had an attractive LED grid that could be controlled directly by anyone watching their Twitch stream.
Before the modern Internet existed, there were still plenty of ways of connecting with other computer users “online”, although many of them might seem completely foreign to those of us in the modern era. One of those systems was the Bulletin Board System, or BBS, which would have been a single computer, often in someone’s home, connected to a single phone line. People accessing the BBS would log in if the line wasn’t busy, leave messages, and quickly log out since the system could only support one user at a time. While perhaps a rose-tinted view, this was a more wholesome and less angsty time than the modern algorithm-driven Internet, and it turns out these systems are making a bit of a comeback as a result.
The video by [The Retro Shack] sets up a lot of this history for context, then, towards the end, uses a modern FPGA-based recreation called the Commodore 64 Ultimate to access a BBS called The Old Net, a modern recreation of what these 80s-era BBS systems were like. This involves using a modern networking card that allows the C64 to connect to Wi-Fi access points to get online instead of an old phone modem, and then using a terminal program called CCGMS to connect to the BBS itself. Once there, users can access mail, share files, and even play a few games.
While the video is a very basic illustration of how these BBS systems worked and how to access one, it is notable in that it’s part of a trend of rejecting more modern technology and systems in favor of older ones, where the users had more control. A retro machine like a C64 or Atari is not required either; modern operating systems can access these with the right terminal program, too. A more in-depth guide to the BBS can be found here for those looking to explore, and we’ve also seen other modern BBS systems recently.
In the early days of the internet, online conversations were an event. The technology was novel, and it was suddenly possible to socialize with a whole bunch of friends at a distance, all at once. No more calling your friends one by one, you could talk to them all at the same time!
Many of us would spend hours on IRC, or pull all-nighters bantering on MSN Messenger or AIM. But then, something happened, and many of us found ourselves having shorter conversations online, if we were having any at all. Thinking back to my younger days, and comparing them with today, I think I’ve figured out what it is that’s changed.
Almost all of modern society is built around various infrastructure, whether that’s for electricity, water and sewer, transportation, or even communication. These vast networks aren’t immune from failure though, and at least as far as communication goes, plenty will reach for a radio of some sort to communicate when Internet or phone services are lacking. It turns out that certain LoRa devices are excellent for local communication as well, and this system known as LoraType looks to create off-grid text-based communications networks wherever they might be needed.
The project is based around the ESP32 platform with an E22 LoRa module built-in to allow it to operate within its UHF bands. It also includes a USB-based battery charger for its small battery, an e-paper display module to display the text messages without consuming too much power, and a keyboard layout for quickly typing messages. The device firmware lets it be largely automated; it will seek out other devices on the local mesh network automatically and the user can immediately begin communicating with other devices on that network as soon as it connects.
There are a few other upsides of using a device like this. Since it doesn’t require any existing communications infrastructure to function, it can be used wherever there are no other easy options, such as in the wilderness, during civil unrest where the common infrastructure has been shut down, or simply for local groups which do not have access to cell networks or Internet. LoRa is a powerful tool for these use cases, and it’s even possible to network together larger base stations to extend the range of devices like these.
Researchers at Sonar took a crack at OpenEMR, the Open Source Electronic Medical Record solution, and they found problems. Tthe first one is a classic: the installer doesn’t get removed by default, and an attacker can potentially access it. And while this isn’t quite as bad as an exposed WordPress installer, there’s a clever trick that leads to data access. An attacker can walk through the first bits of the install process, and specify a malicious SQL server. Then by manipulating the installer state, any local file can be requested and sent to the remote server.
There’s a separate set of problems that can lead to arbitrary code execution. It starts with a reflected Cross Site Scripting (XSS) attack. That’s a bit different from the normal XSS issue, where one user puts JavaScript on the user page, and every user that views the page runs the code. In this case, the malicious bit is included as a parameter in a URL, and anyone that follows the link unknowingly runs the code.
And what code would an attacker want an authenticated user to run? A file upload, of course. OpenEMR has function for authenticated users to upload files with arbitrary extensions, even .php. The upload folder is inaccessible, so it’s not exploitable by itself, but there’s another issue, a PHP file inclusion. Part of the file name is arbitrary, and is vulnerable to path traversal, but the file must end in .plugin.php. The bit of wiggle room on the file name on both sides allow for a collision in the middle. Get an authenticated user to upload the malicious PHP file, and then access it for instant profit. The fixes have been available since the end of November, in version 7.0.0-patch-2.
Bing Chat Injection
Or maybe it’s AI freedom. So, the backstory here is that the various AI chat bots are built with rules. Don’t go off into political rants, don’t commit crimes, and definitely don’t try to scam the users. One of the more entertaining tricks clever users have discovered is to tell a chatbot to emulate a personality without any such rules. ChatGPT can’t comment on political hot button issues, but when speaking as DAN, anything goes.
Arrrrr
This becomes really interesting when Bing Chat ingests a website that has targeted prompts. It’s trivial to put text on a web page that’s machine readable and invisible to the human user. This work puts instructions for the chat assistant in that hidden data, and demonstrates a jailbreak that turns Bing Chat malicious. The fun demonstration convinces the AI to talk like a pirate — and then get the user to click on an arbitrary link. The spooky demo starts out by claiming that Bing Chat is down, and the user is talking to an actual Microsoft engineer.
LastPass Details — Plex?
Last time we talked about the LastPass breach, we had to make some educated guesses about how things went down. There’s been another release of details, and it’s something. Turns out that in one of the earlier attacks, an encrypted database was stolen, and the attackers chose to directly target LastPass Engineers in an attempt to recover the encryption key.
According to Ars Technica, the attack vector was a Plex server run by one of those engineers. Maybe related, at about the same time, the Plex infrastructure was also breached, exposing usernames and hashed passwords. From this access, attackers installed a keylogger on the developer’s home machine, and captured the engineer’s master password. This allowed access to the decryption keys. There is some disagreement about whether this was/is a 0-day vulnerability in the Plex software. Maybe make sure your Plex server isn’t internet accessible, just to be safe.
There’s one more bit of bad news, particularly if you use the LastPass Single Sign On (SSO) service. That’s because the SSO secrets are generated from an XOR of two keys, K1 and K2. K1 is a single secret for every user at an organization. K2 is the per-user secret stored by Lastpass. And with this latest hack, the entire database of K2 secrets were exposed. If K1 is still secret, all is well. But K1 isn’t well protected, and is easily accessed by any user in the organization. Ouch.
The Ring Alien
Turns out, just like a certain horror movie, there is a video that the very watching causes death. If you happen to be a Pixel phone, that is. And “death” might be a bit of an exaggeration. Though the video in question certainly nails the vibe. Playing a specific YouTube clip from Alien will instantly reboot any modern Pixel phone. A stealth update seems to have fixed the issue, but it will be interesting to see if we get any more details on this story in the future. After all, when data can cause a crash, it can often cause code execution, too.
In-The-Wild
The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of bugs that are known to be under active exploitation, and that list just recently added a set of notches. CVE-2022-36537 is the most recent, a problem in the ZK Framework. That’s an AJAX framework used in many places, notable the ConnectWise software. Joining the party are CVE-2022-47986, a flaw in IBM Aspera Faspex, a file transfer suite, and CVE-2022-41223 and CVE-2022-40765, both problems in the Mitel MiVoice Business phone system.
Bits and Bytes
There’s yet another ongoing attack against the PyPI repository, but this one mixes things up a bit by dropping a Rust executable as one stage in a chain of exploitation. The other novel element is that this attack isn’t going after typos and misspellings, but seems to be a real-life dependency confusion attack.
The reference implementation of the Trusted Platform Module 2.0 was discovered to contain some particularly serious vulnerabilities. The issue is that a booted OS could read and write two bytes beyond it’s assigned data. It’s unclear weather that’s a static two bytes, making this not particularly useful in the real world, or if these reads could be chained together, slowly leaking larger chunks of internal TPM data.
And finally, one more thing to watch out for, beware of fake authenticator apps. This one is four years old, has a five star rating, and secretly uploads your scanned QR codes to Google Analytics, exposing your secret authenticator key. Yoiks.
Want to experience the Hackaday Superconference from the comfort of your own workshop? Just follow us on YouTube or on Facebook as two days of live streaming talks begin this Saturday morning.
This weekend is the Hackaday Superconference, the greatest hardware conference on Earth. While the Superconference is the most amazing gatherings of engineers and engineering enthusiasts, we realize that not everyone can make it out to our ultimate hardware conference. This year, we’re doing something special for everyone who can’t make it out — we’re opening up live streams and live chat to those who can’t attend. This is your chance to take part in the Superconference, even if you’re thousands of miles away.
You are invited to the chat room for the event. Join the Superconference chat right now and be part of the culture of the Hacker Village that springs to life during Supercon.
