This Week In Security: Putty Keys, Libarchive, And Palo Alto

It may be time to rotate some keys. The venerable PuTTY was updated to 0.81 this week, and the major fix was a change to how ecdsa-sha2-nistp521 signatures are generated. The problem was reported on the oss-security mailing list, and it’s quite serious, though thankfully with a somewhat narrow coverage.

The PuTTY page on the vulnerability has the full details. To understand what’s going on, we need to briefly cover ECDSA, nonces, and elliptic curve crypto. All cryptography depends on one-way functions. In the case of RSA, it’s multiplying large primes together. The multiplication is easy, but given just the final result, it’s extremely difficult to find the two factors. DSA uses a similar problem, the discrete logarithm problem: raising a number to a given exponent, then doing modulo division.

Yet another cryptography primitive is the elliptic curve, which uses point multiplication as the one-way function. I’ve described it as a mathematical pinball, bouncing around inside the curve. It’s reasonably easy to compute the final point, but essentially impossible to trace the path back to the origin. Formally this is the Elliptic Curve Discrete Logarithm Problem, and it’s not considered to be quantum-resistant, either.

One of the complete schemes is ECDSA, which combines the DSA scheme with Elliptic Curves. Part of this calculation uses a nonce, denoted “k”, a number that is only used once. In ECDSA, k must be kept secret, and signing different messages with the same nonce can lead to rapid exposure of the secret key.

And now we get to PuTTY, which was written for Windows back before that OS had any good cryptographic randomness routines. As we’ve already mentioned, re-use of k, the nonce, is disastrous for DSA. So, PuTTY did something clever, and took the private key and the contents of the message to be signed, hashed those values together using SHA-512, then used modulo division to reduce the bit-length to what was needed for the given k value. The problem is the 521-bit ECDSA, which takes a 521-bit k. The output of a SHA-512 is only 512 bits, shorter than that k, so the resulting k value always started with nine 0 bits.


Hackaday Links: January 8, 2023

Something odd is afoot in the mountains around Salt Lake City, Utah, at least according to local media reports of remote radio installations that have been popping up for at least the past year. The installations consist of a large-ish solar panel, a weatherproof box full of batteries — and presumably other electronics, including radios — and a mast bearing at least one antenna. Local officials aren’t quite sure who these remote setups belong to or what they’re intended to do, but the installations obviously represent a huge investment in resources.

The one featured in the story was located near the summit of Twin Peaks, which is about 11,000 feet (3,300 meters) in elevation, which with that much gear was probably a hell of a hike. Plus, the owner took great pains to make sure the site would withstand the weather, with antenna mast guy wires that must have required lugging a pretty big drill up with them. There aren’t any photos of the radios in the enclosure, but one photo shows a 900-MHz LORA antenna, while another shows what appears to be a panel antenna, perhaps pointing toward another site. So maybe a LORA mesh network? Some comments in the Twitter thread show most people are convinced this is a Helium crypto mining rig, but the Helium Explorer doesn’t show any hotspots listed in that area. Either way, the owners are out of luck, since their gear is being removed if it’s on public land.


Hackaday Links: July 10, 2022

We always like to call out a commercial success stemming from projects that got their start on Hackaday.io, and so we’re proud to announce the release of MAKE: Calculus by Joan Horvath and Rich Cameron, a book that takes a decidedly different approach to teaching calculus than traditional courses. Geared to makers and hackers, who generally tend to have a visual style of learning, the book makes heavy use of 3D-printed models to illustrate the relationships between functions. The project started five years ago as a 2017 Hackaday Prize entry, and resulted in a talk at the 2019 Supercon. Their book is now available for preorder, and might be a great way to reacquaint yourself with calc, or perhaps even to learn it for the first time.


Hackaday Links: July 3, 2022

Looks like we might have been a bit premature in our dismissal last week of the Sun’s potential for throwing a temper tantrum, as that’s exactly what happened when a G1 geomagnetic storm hit the planet early last week. To be fair, the storm was very minor — aurora visible down to the latitude of Calgary isn’t terribly unusual — but the odd thing about this storm was that it sort of snuck up on us. Solar scientists first thought it was a coronal mass ejection (CME), possibly related to the “monster sunspot” that had rapidly tripled in size and was being hyped up as some kind of planet killer. But it appears this sneak attack came from another, less-studied phenomenon, a co-rotating interaction region, or CIR. These sound a bit like eddy currents in the solar wind, which can bunch up plasma that can suddenly burst forth from the sun, all without showing the usually telltale sunspots.

Then again, even people who study the Sun for a living don’t always seem to agree on what’s going on up there. Back at the beginning of Solar Cycle 25, NASA and NOAA, the National Oceanic and Atmospheric Administration, were calling for a relatively weak showing during our star’s eleven-year cycle, as recorded by the number of sunspots observed. But another model, developed by heliophysicists at the U.S. National Center for Atmospheric Research, predicted that Solar Cycle 25 could be among the strongest ever recorded. And so far, it looks like the latter group might be right. Where the NASA/NOAA model called for 37 sunspots in May of 2022, for example, the Sun actually threw up 97 — much more in line with what the NCAR model predicted. If the trend holds, the peak of the eleven-year cycle in April of 2025 might see over 200 sunspots a month.

So, good news and bad news from the cryptocurrency world lately. The bad news is that cryptocurrency markets are crashing, with the flagship Bitcoin falling from its high of around $67,000 down to $20,000 or so, and looking like it might fall even further. But the good news is that’s put a bit of a crimp in the demand for NVIDIA graphics cards, as the economics of turning electricity into hashes starts to look a little less attractive. So if you’re trying to upgrade your gaming rig, that means there’ll soon be a glut of GPUs, right? Not so fast, maybe: at least one analyst has a different view, based mainly on the distribution of AMD and NVIDIA GPU chips in the market as well as how much revenue they each draw from crypto rather than from traditional uses of the chips. It’s important mainly for investors, so it doesn’t really matter to you if you’re just looking for a graphics card on the cheap.

Speaking of businesses, things are not looking too good for MakerGear. According to a banner announcement on their website, the supplier of 3D printers, parts, and accessories is scaling back operations, to the point where everything is being sold on an “as-is” basis with no returns. In a long post on “The Future of MakerGear,” founder and CEO Rick Pollack says the problem basically boils down to supply chain and COVID issues — they can’t get the parts they need to make printers. And so the company is looking for a buyer. We find this sad but understandable, and wish Rick and everyone at MakerGear the best of luck as they try to keep the lights on.

And finally, if there’s one thing Elon Musk is good at, it’s keeping his many businesses in the public eye. And so it is this week with SpaceX, which is recruiting Starlink customers to write nasty-grams to the Federal Communications Commission regarding Dish Network’s plan to gobble up a bunch of spectrum in the 12-GHz band for their 5G expansion plans. The 3,000 or so newly minted experts on spectrum allocation wrote to tell FCC commissioners how much Dish sucks, and how much they love and depend on Starlink. It looks like they may have a point — Starlink uses the lowest part of the Ku band (12 GHz – 18 GHz) for data downlinks to user terminals, along with big chunks of about half a dozen other bands. It’ll be interesting to watch this one play out.


Hackaday Links: January 30, 2022

After all the fuss and bother along the way, it seems a bit anticlimactic now that the James Webb Space Telescope has arrived at its forever home orbiting around L2. The observatory finished its trip on schedule, arriving on January 24 in its fully deployed state, after a one-month journey and a couple of hundred single-point failure deployments. The next phase of the mission is commissioning, and is a somewhat more sedate and far less perilous process of tweaking and trimming the optical systems, and getting the telescope and its sensors down to operating temperature. The commissioning phase will take five or six months, so don’t count on any new desktop photos until summer at the earliest. Until then, enjoy the video below which answers some of the questions we had about what Webb can actually see — here’s hoping there’s not much interesting to see approximately in the plane of the ecliptic.


Hackaday Links: December 5, 2021

Sad news from Germany, with the recent passing of a legend in the crypto community: Mr. Goxx, the crypto-trading hamster. The rodent rose to fame in the crypto community for his trades, which were generated at random during his daily exercise routines — his exercise wheel being used like a roulette wheel to choose a currency, and a pair of tunnels determined whether the transaction would be a buy or sell. His trading career was short, having only started this past June, but he was up 20% over that time — that’s nothing to sneeze at. Our condolences to Mr. Goxx’s owners, and to the community which sprung up around the animal’s antics.

It might seem a little early to start planning which conferences you’d like to hit in 2022, but some require a little more lead time than others. One that you might not have heard of is DINACON, the Digital Naturalism Conference, which explores the intersection of technology and the natural world. The con is set for the entire month of July 2022 and will be held in Sri Lanka. It has a different structure than most cons, in that participants attend for a week or so on a rotating basis, much like a biology field station summer session. It sounds like a lot of fun, and the setting couldn’t be more idyllic.

If you haven’t already killed your holiday gift budget buying NFTs, here’s something you might want to consider: the Arduino Uno Mini Limited Edition. What makes it a Limited Edition, you ask? Practically, it’s the small footprint compared to the original Uno and the castellated edges, but there are a bunch of other extras. Each elegant black PCB with gold silk screening is individually numbered and comes in presentation-quality packaging. But the pièce de résistance, or perhaps we should say the cavallo di battaglia, is that each one comes with a hand-signed letter from the Arduino founders. They honestly look pretty sharp, and at $45, it’s really not a bad collector’s piece.

And finally, the YouTube algorithm giveth again, when this infrastructure gem popped up in our feed. You wouldn’t think there’d be much of interest to see in a water main repair, but you’d be wrong, especially when that main is 50′ (15 m) below the surface, and the repair location is 600′ (183 m) from the access hatch. Oh yeah, and the pipe is only 42″ (1 m) in diameter, and runs underneath a river. There’s just so much nope in this one, especially since the diver has to swim into a special turning elbow just to get pointed in the right direction; how he turns around to swim out is not worth thinking about. Fascinating tidbits include being able to see the gravel used to protect the pipe in the riverbed through the crack in the pipe, and learning that big water mains are not completely filled, at least judging by the small air space visible at the top of the pipe. Those with claustrophobia are probably best advised to avoid this one, but it’s still amazing to see how stuff like this is done.


Hackaday Links: October 31, 2021

Global supply chain issues are beginning to hit closer to home for the hacker community, as Raspberry Pi has announced their first-ever price increase on their flagship Pi 4. The move essentially undoes the price drop on the 2GB version of the Pi 4 that was announced in February, and sets the price back up from $35 to $45. Also rolled back is the discontinuation of the 1GB version, which will now be available at the $35 price point. The announcements come from Eben Upton himself, who insists the price increase is only temporary. We applaud his optimism, but take it with a grain of salt since he also said that 2021 production across the board will stay at the seven million-unit level, which is what they produced in 2020. That seems to speak to deeper issues within the supply chain, but more immediately, it’s likely that the supply of Pi products will be pinched enough that you’ll end up paying above sticker price just to get the boards you need. Hope everyone is stocked up.

On the topic of supply chain issues and their threat to Christmas gift-giving, here’s one product we hope is stranded in a container off Long Beach or better still, bobbing along in the Strait of Juan De Fuca: a toddler’s toy telephone that actually makes and receives calls. Anyone born in the last 60 years probably had one of the Fisher-Price Chatter telephones, a toy that in its original form looked like a desk telephone on wheels that was dragged behind the child, popping along and providing endless hours of clicky amusement as kids twisted the dial and lifted the receiver. Come to think of it, the Chatter telephone may be as close to a dial phone as anyone born since 1990 may have come. Anyway, some genius stuck a Bluetooth module into the classic phone to let it hook up to an app on an actual phone, allowing kids (or more likely their nostalgia-soaked parents) to make and receive calls. It’s actually priced at a reasonable $60, so there might be some hacking potential here.

Also tangential to supply chains, we stumbled across a video guide to buying steel that might interest readers. Anyone who has seen the displays of steel and other metals at the usual big-box retailers might wonder what the fuss is, but buying steel that way or ordering online is a great way to bust a project’s budget. Fabricator and artist Doug Boyd insists that finding a local steel supplier is the best bang for your buck, and has a bunch of helpful tips for not sounding like a casual when you’re ordering. It’s all good advice, and would have helped us from looking foolish a time or two at the metal yard; just knowing that pipe is measured by inside diameter while tubing is measured by outside dimensions is worth the price of admission alone.

With all the money you save on steel and by not buying Raspberry Pis, perhaps you’ll have a couple of hundred thousand Euros lying around to bid on this authentic 1957 Sputnik I satellite. The full-scale model of Earth’s first artificial satellite — manhole covers excluded — was a non-flown test article, but externally faithful to the flown hardware that kicked off the first Space Race. The prospectus says that it has a transmitter and a “modern power supply”; it’s not clear if the transmitter was originally part of the test article or added later. The opening bid is €85,000 and is expected to climb considerably.

And finally, there’s something fascinating about “spy radios,” especially those from the Cold War era and before, when being caught with one in your possession was probably going to turn out to be a very bad day. One such radio is the Radio Orange “Acorn” receiver, which is in the collection of the Crypto Museum. The radio was used by the Dutch government to transmit news and information into the occupied Netherlands from their exile in London. Built to pass for a jewelry box, the case for the radio was made from an old cigar box and is a marvel of 1940s miniaturization. The radio used three acorn-style vacuum tubes and was powered by mains current; another version of the Radio Orange receiver was powered by a bike dynamo or even a water-powered turbine, which could be run from a tap or garden hose. The video below shows the water-powered version in action, but the racket it made must have been problematic for its users, especially given the stakes.
