Maxing Out Browser Tabs With 2TB Of Memory

Tabbed browsing was a gamechanger, allowing users to effectively browse multiple websites at once without losing context. It proved a better solution than using multiple windows, and was an efficiency boon celebrated by all. Many of us are tab fiends, opening great numbers at a time as a habitual part of our workflow. [Linus] decided to find out just how many he could open on a system armed with a full 2TB of RAM.

As may be obvious, setting up a system with 2TB of RAM is no mean feat. Special server-grade RAM modules were sourced, packing 128GB of RAM each, set up for ECC operation. Packing out 16 slots, there’s a performance penalty to addressing so much RAM with a single CPU, but for memory-intensive work, it’s worthwhile. The CPU in question is an AMD 64-core processor, providing plenty of grunt for the task at hand.

In testing, the machine began to slow down long before the RAM was full. Beyond 5000 tabs, things began to crawl. At 6000 tabs, it was simply impractical to open more, with the machine taking a full 26 seconds to respond to a single click. Memory usage at this point was just 200GB, suggesting that software limitations were getting in the way of opening yet more tabs.

While it’s not a useful measure of anything important, it’s fun to explore the limits nonetheless. We’ve seen their projects before, such as this original Xbox casemod. Video after the break.


This Week In Security: Chrome Bugs And Non-bugs, Kr00k, And Letsencrypt

Google Chrome minted a new release to fix a trio of bugs on Monday, with exploit code already in the wild for one of them. The first two bugs don’t have much information published yet. They are an integer-overflow problem in Unicode internationalization, and a memory access issue in streams. The third issue, type confusion in V8, was also fixed quietly, but a team at Exodus Intel took the time to look at the patches and figure out what the problem was.

The actual vulnerability dives into some exotic JavaScript techniques, but to put it simply, it’s possible to change a data-type without V8 noticing. This allows malicious code to write into the header area of the attacked variable. The stack, now corrupted, can be manipulated to the point of arbitrary code execution. The researchers make the point that even with Google’s fast-paced release schedule, a determined attacker could have several days of virtual zero-day exploitation of a bug mined from code changes. Story via The Register.

The Chrome Problem that Wasn’t

A second Chrome story came across my desk this week: Chrome 80 introduces a new feature, ScrollToTextFragment. This useful new feature allows you to embed a string of text in a URL, and when loading that address, Chrome will scroll the page to make that text visible. For certain use cases, this is an invaluable feature. Need to highlight a specific bit of text in a big document online?

The following bookmarklet code by [Paul Kinlan] is the easy way to start using this feature. Paste this code into the URL of a bookmark, put it on the bookmark bar, highlight some text in a webpage, and then run the bookmarklet. It should open a new tab with the new URL, ready to use or send to someone.

javascript:(function()%7Bconst%20selectedText%20%3D%20getSelection().toString()%3Bconst%20newUrl%20%3D%20new%20URL(location)%3BnewUrl.hash%20%3D%20%60%3A~%3Atext%3D%24%7BencodeURIComponent(selectedText)%7D%60%3Bwindow.open(newUrl)%7D)()

Since we’re talking about it in the security column, there must be more to the story. A privacy guru at Brave, [Peter Snyder], raised concerns about privacy implications of the feature. His argument has been repeated and misrepresented in a few places. What argument was he making? Simply put, that it’s not normal user behavior to immediately scroll to an exact position on the page. Because modern web pages and browsers do things like deferred loading of images, it could be possible to infer where in the page the link was pointing. He gives the example of a corporate network where DNS is monitored. This isn’t suggesting that the entire URL is leaked over DNS, but rather that DNS can indicate when individual components of a page are loaded, particularly when they are embedded images from other sites.

While this concern isn’t nonsensical, it seems to me to be a very weak argument that is being over-hyped in the press.
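
For anyone who wants to see what such a link carries, or to drop the directive before a link is logged or forwarded, here is an added example (not from the original article or from [Paul Kinlan]'s bookmarklet). It parses the `:~:text=` fragment directive and returns the URL without it. The prefix, range, suffix and multiple-directive forms follow the Scroll To Text Fragment specification and go beyond the single-string case shown above; `inspectUrl`, `parseTextDirective` and the sample URL are made up for illustration.

```javascript
// Added example: parse and strip "#:~:text=" directives from a URL.
const DELIM = ':~:';

// Decode one directive value: [prefix-,]textStart[,textEnd][,-suffix]
function parseTextDirective(value) {
  const parts = value.split(',');
  const out = { prefix: null, textStart: null, textEnd: null, suffix: null };
  try {
    if (parts[0].endsWith('-')) {
      out.prefix = decodeURIComponent(parts.shift().slice(0, -1));
    }
    if (parts.length && parts[parts.length - 1].startsWith('-')) {
      out.suffix = decodeURIComponent(parts.pop().slice(1));
    }
    if (parts.length < 1 || parts.length > 2) return null; // malformed
    out.textStart = decodeURIComponent(parts[0]);
    if (parts.length === 2) out.textEnd = decodeURIComponent(parts[1]);
  } catch (e) {
    return null; // bad percent-encoding
  }
  return out.textStart ? out : null;
}

// Return the parsed text directives and the URL with the directive removed.
function inspectUrl(href) {
  const url = new URL(href);
  const raw = url.hash.slice(1); // drop leading '#'
  const at = raw.indexOf(DELIM);
  if (at === -1) return { directives: [], stripped: url.href };
  const directives = raw.slice(at + DELIM.length).split('&')
    .filter(d => d.startsWith('text='))
    .map(d => parseTextDirective(d.slice('text='.length)))
    .filter(Boolean);
  url.hash = raw.slice(0, at); // keep any ordinary fragment
  return { directives, stripped: url.href };
}

// Constructed sample URL (example.com is a placeholder).
const sample = 'https://example.com/doc#intro:~:text=the%20quick-,' +
  'brown%20fox,lazy%20dog,-jumps&text=second';
console.log(inspectUrl(sample));
```

Note that `encodeURIComponent`, as used by the bookmarklet, leaves `-` unescaped, so selected text that ends in a dash will be read as a prefix by a parser like this one.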

WhatsApp Groups Searchable on Google

It’s not new for search engines to index things that weren’t intended to be public. There is a bit of mystery surrounding how Google finds URLs to index, and StackExchange is full of plenty of examples of webadmins scratching their heads at their non-public folders showing up in a Google search.

That said, a story made the rounds in the last few days, that WhatsApp and Telegram group invites are being indexed by Google. So far, the official word is that all the indexed links must have been shared publicly, and Google simply picked them up from where they were publicly posted.

It appears that WhatsApp has begun marking chat invitation links as “noindex”, which is a polite way to ask search engines to ignore the link.

If it’s shown that links are getting indexed without being posted publicly online, then we have a much bigger story. Otherwise, everything is working as expected.
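
If you run a service that hands out invite or share links, you can check your own responses for the same marking. The following is an added example, not code from WhatsApp or the original article. It looks in the two standard places a “noindex” request can appear, the `X-Robots-Tag` response header and a robots `<meta>` tag. The function names and the sample inputs in the test are constructed, and the caller is assumed to have already fetched the headers and HTML.

```javascript
// Added example: check whether a response tells a crawler not to index it.
// VALUED lists directives that carry a "name: value" form, so they are not
// mistaken for a crawler-name prefix such as "googlebot: noindex".
const VALUED = ['unavailable_after', 'max-snippet', 'max-image-preview',
  'max-video-preview'];

// Parse one robots value into { agent, noindex }.
function parseRobots(value) {
  let agent = '*';
  const m = /^\s*([a-z0-9_-]+)\s*:\s*(.*)$/i.exec(value);
  if (m && !VALUED.includes(m[1].toLowerCase())) {
    agent = m[1].toLowerCase();
    value = m[2];
  }
  const rules = value.split(',').map(t => t.trim().toLowerCase());
  return { agent, noindex: rules.includes('noindex') || rules.includes('none') };
}

// Collect rules from <meta name="robots|<crawler>" content="...">.
function metaRobots(html, crawler) {
  const out = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    const name = /\bname\s*=\s*["']?([\w-]+)/i.exec(tag);
    const content = /\bcontent\s*=\s*(["'])(.*?)\1/i.exec(tag);
    if (!name || !content) continue;
    const n = name[1].toLowerCase();
    if (n !== 'robots' && n !== crawler) continue;
    const parsed = parseRobots(content[2]);
    out.push({ agent: n === 'robots' ? '*' : n, noindex: parsed.noindex });
  }
  return out;
}

// True when the header or a meta tag applies noindex (or "none") to
// `crawler` or to all crawlers. Header values are assumed to be strings.
function isNoindex(headers, html, crawler = 'googlebot') {
  const rules = metaRobots(html, crawler);
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === 'x-robots-tag') rules.push(parseRobots(String(v)));
  }
  return rules.some(r => r.noindex && (r.agent === '*' || r.agent === crawler));
}
```

A crawler only sees either signal if it is allowed to fetch the page, so a robots.txt rule that blocks the URL also hides the noindex request from it.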

Letsencrypt Makes Attacks Harder

Letsencrypt has rolled out an invisible change to their validation process that makes a traffic redirection attack much harder. The new feature, Multi-Perspective Validation, means that when you verify your domain ownership, Letsencrypt will test that verification from multiple geographic regions. It might be possible to spoof ownership of a domain through a BGP attack, but that attack would be much harder to pull off against traffic originating from another country, or multiple countries simultaneously. Letsencrypt is currently using different regions of a single cloud, but plans to further diversify and use multiple cloud providers for even stronger validation.

Kr00k

Brought to us by the researchers at Eset, Kr00k (PDF) is a simple flaw in certain wireless chips. So far, the flaw seems to be limited to WPA2 traffic sent by Broadcom and Cypress chips. They discovered Kr00k while doing some follow-up research on KRACK.

Let’s talk about WPA2 for a moment. WPA2 has a 4-way handshake process that securely confirms that both parties have the shared key, and then establishes a shared Temporal Key, also known as a session key. This key is private between the two devices that performed the handshake, meaning that other devices on the same wireless network can’t sniff traffic sent by other devices.

When a device disconnects, or disassociates, that session key is reset to all 0s, and no packets should be sent until another handshake is performed. Here’s the bug: The packets already in the output buffer are still sent, but are encrypted with the zeroed key, making them trivially decrypted. As it’s simple to trigger deauthentication events, an attacker can get a sampling of in-the-clear packets. The ubiquity of TLS is a saving grace here, but any unencrypted traffic is vulnerable. Eset informed vendors about the flaw in 2019, and at least some devices have been patched.

Exchange

Microsoft Exchange got a security patch this past Tuesday that addressed a pair of bugs that together resulted in a remote code execution vulnerability. The first bug was an encryption key that is generated on Exchange server installation. That generation seemed to lack a good source of entropy, as apparently every Exchange install uses the exact same key.

The second half of this bug is a de-serialization problem, where an encrypted payload can contain a command to run. Because the encryption key is known, any user can access the vulnerable endpoint. Exploitation is trivial, so be sure to patch your server right away.

TODO: Remove Vulnerabilities

This one is just humorous. An Intel virtualization feature appears to have been pushed into the Linux kernel before it was finished. Know what unfinished code tends to contain? Bugs and vulnerabilities. CVE-2020-2732, in this case. It’s unclear how exactly an exploit would work, but the essence is that a virtual guest is allowed to manipulate system state in unintended ways.

Bluetooth Control With Chrome

All the cool projects now can connect to a computer or phone for control, right? But it is a pain to create an app to run on different platforms to talk to your project. [Kevin Darrah] says no and shows how you can use Google Chrome to do the dirty work. He takes a garden-variety Arduino and a cheap Bluetooth interface board and then controls it from Chrome. You can see the video below.

The HM-10 board is cheap and could connect to nearly anything. The control application uses Processing, which is the software the Arduino system derives from. So how do you get to Chrome from Processing? Easy. The p5.js library allows Processing to work from within Chrome. There’s also a Bluetooth BLE library for P5.


Four Years Of Learning ESP8266 Development Went Into This Guide

The ESP8266 is a great processor for a lot of projects needing a small microcontroller and Wi-Fi, all for a reasonable price and in some pretty small form factors. [Simon] used one to build a garage door opener. This project isn’t really about his garage door opener based on a cheap WiFi-enabled chip, though. It’s about the four year process he went through to learn how to develop on these chips, and luckily he wrote a guide that anyone can use so that we don’t make the same mistakes he did.

The guide starts by suggesting which specific products are the easiest to use, and then moves on to some “best practices” for using these devices (with which we can’t argue much), before going through some example code. The most valuable parts of this guide, especially for anyone starting out with these chips, are the section which details how to get the web server up and running, and the best practices for developing HTML code for the tiny device (hint: develop somewhere else).

[Simon] also makes extensive use of the Chrome developer tools when building the HTML for the ESP. This is a handy trick even outside of ESP8266 development which might be useful for other tasks as well. Even though most of the guide won’t be new to anyone with experience with these boards, there are a few gems within it like this one that might help in other unrelated projects. It’s a good read and goes into a lot of detail about more than just the ESP chips. If you just want to open your garage door, though, you have lots of options.

Hyperlinking Comes To GitHub Via Extension

If you are browsing GitHub it is very tempting to open up the source code to some project and peek at how it works. The code view is easy to read, but the viewer lacks one important feature: the ability to click on an included file and find it. The Octolinker extension fixes that oversight.

If you want to try it without installing the extension, there is a mock-up demo available. Even though the demo wants you to click on specific things, if you don’t play by the rules it will still do the right thing and take you to either the code on GitHub or an appropriate page. You can even substitute the demo URL for github.com and try it out on any GitHub page without the extension.


A Chrome Extension For Configuring RGB LEDs

Like pretty much all of us, [Andy Schwarz] loves RGB LEDs. Specifically he likes to put them on RC vehicles, such as navigation lights on airplanes or flashers and headlights on cars. He found himself often rewriting very similar Arduino code for each one of these installations, and eventually decided he could save himself (and all the other hackers in the world) some time by creating a customizable Arduino firmware specifically for driving RGB LEDs.

The software side of this project, which he’s calling BitsyLED, actually comes in two parts. The first is the firmware itself, which is designed to control common RGB LEDs such as the WS2812 or members of the NeoPixel family. It can run on an Arduino Pro Mini with no problems, but [Andy] has also designed his own open hardware control board based on the ATtiny84 that you can build yourself. Currently you need a USBASP to program it, but he’s working on a second version which will add USB support.

With your controller of choice running the BitsyLED firmware, you need something to configure it. For that, [Andy] has developed a Chrome extension which offers a very slick user interface for setting up colors and patterns. The tool even allows you to create a visual representation of your LEDs so you can get an idea of what it’s going to look like when all the hardware is powered up.

RGB LEDs such as the WS2812 are some of the most common components we see in projects today, mainly because they’re so easy to physically interface with a microcontroller. But even though it only takes a couple of wires to control a large number of LEDs, you still need to write the code for it all. BitsyLED takes a lot of the hassle out of that last part, and we’re very interested to see what the hacker community makes of it.


Mechanical Build Lets You Jump Cacti In Real Life

Simple to learn, hard to master, a lifetime to kick the habit. This applies to a lot of computer games, but the T-rex Runner game for Chrome and its various online versions are particularly insidious. So much so that the game drove one couple to build a real-world version of the digital game.

For those not familiar with the game, it’s a simple side-scroller where the goal is to jump and duck a running dinosaur over and under obstacles — think Flappy Birds, but faster paced. When deciding on a weekend hackathon project, [Uri] thought a real-life version of the game would be a natural fit, since he was already a fan of the digital version. With his girlfriend [Ariella] on the team, [Uri] was able to come up with a minimally playable version of the game, with a stepper motor providing the dino jumps and a simple straight conveyor moving the obstacles. People enjoyed it enough that version 2.0 was planned for the Chrome Developer Summit. This version was much more playable, with an oval track for the obstacles and better scorekeeping. [Uri] and [Ariella] had to expand their skills to complete the build — PCB design, E-Paper displays, laser cutting, and even metal casting were all required. The video below shows the final version — but where are the pterosaurs to duck?

Real-world jumping dinos aren’t the first physical manifestation of a digital game. As in the cyber world, Pong was first — either as an arcade version or a supersized outdoor game.
