This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist

June 14, 2019 by Jonathan Bennett 5 Comments

It looks like Al was right, we should all be using Emacs. On the 4th of June, [Armin Razmjou] announced a flaw in Vim that allowed a malicious text file to trigger arbitrary code execution. It’s not every day we come across a malicious text file, and the proof of concept makes use of a clever technique — escape sequences hide the actual payload. Printing the file with cat returns “Nothing here.” Cat has a “-v” flag, and that flag spills the secrets of our malicious text file. For simplicity, we’ll look at the PoC that doesn’t include the control characters. The vulnerability is Vim’s modeline function. This is the ability to include editor options in a text file. If a text file only works with 80 character columns, a modeline might set “textwidth=80”. Modeline already makes use of a sandbox to prevent the most obvious exploits, but [Armin] realized that the “:source!” command could run the contents of a file outside that sandbox. “:source! %” runs the contents of the current file — the malicious text file.

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Taking this apart one element at a time, the “:!” is the normal mode command to run something in the shell, so the rest of the line is what gets run. “uname -a” is the arbitrary command, benign in this case. Up next is the OR operator, “||” which fully evaluates the first term first, and only evaluates what comes after the operator if the first term returns false. In this case, it’s a simple way to get the payload to run even though the rest of the line is garbage, as far as bash is concerned. “vi:” informs Vim that we have a modeline string. “:fen” enables folding, and “:fdm=expr” sets the folding method to use an expression. This feature is usually used to automatically hide lines matching a regular expression. “:fde=” is the command to set the folding expression. Here’s the exploit, the folding expression can be a function like “execute()” or “assert_fails()”, which allows calling the :source! command. This pops execution out of the sandbox, and begins executing the text file inside vim, just as if a user were typing it in from the keyboard. Continue reading “This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist” →

Radio Free Blockchain: Bitcoin From Space

April 2, 2019 by Dan Maloney 31 Comments

Cryptocurrencies: love them, hate them, or be baffled by them, but don’t think you can escape them. That’s the way it seems these days at least, with news media filled with breathless stories about Bitcoin and the other cryptocurrencies, and everyone from Amazon to content creators on YouTube now accepting the digital currency for payments. And now, almost everyone on the planet is literally bathed in Bitcoin, or at least the distributed ledger that makes it work, thanks to a new network that streams the Bitcoin blockchain over a constellation of geosynchronous satellites.

Continue reading “Radio Free Blockchain: Bitcoin From Space” →

Mining Bitcoin On The ESP32 For Fun, Definitely Not Profit

March 19, 2019 by Lewin Day 7 Comments

Bitcoin’s great, if you sold at the end of 2017. If you’re still holding, your opinion might be a little more sour. The cost to compete in the great hashing race continues to rise while cryptocurrency values remain underwhelming. While getting involved at the top end is prohibitively expensive, you can still have some fun with the basic concepts – as [Jake] did, by calculating Bitcoin hashes on the ESP32.

It’s a project that is very much done for fun, rather than profit. [Jake] notes that even maxing out both cores, it would take 31 billion years to mine one block at current difficulty levels. Regardless, the underlying maths is nothing too crazy. Double-hashing the right data with the SHA256 algorithm is all that’s required, a task that is well within the ESP32’s capabilities. There’s hardware acceleration available, too – though this is weirdly slower than doing it in software.

Overall, you’re not going to get rich hashing Bitcoin on a cheap microcontroller platform. You might just learn something useful, though. If this isn’t weird enough though, you could always try the same thing on a 1970s Xerox Alto.

Raspberry Pi Counts Down To The Last Bitcoin

January 31, 2019 by Tom Nardi 15 Comments

Even though it might appear to be pretend Internet money, by design, there are a finite number of Bitcoins available. In the same way that the limited amount of gold on the planet and the effort required to extract it from the ground keeps prices high, the scarcity of Bitcoin is intended to make sure it remains valuable. As of right now, over 80% of all the Bitcoins that will ever exist have already been put into circulation. That sounds like a lot, but it’s expected to take another 100+ years to free up the remaining ones, so we’ve still got a way to go.

Even though his device will probably no longer exist when the final Bitcoin hits the pool, [Jonty] has built a ticker that will count down as the final coins get mined from the digital ground. The countdown function is of course a bit tongue-in-cheek, but the gadget also shows slightly more pertinent information such as the current Bitcoin value, so you can always remember what a huge mistake it was not to invest while they were still worth pennies.

On the hardware side, this is a pretty simple project. The enclosure is laser cut 5 mm MDF, and it holds a Raspberry Pi 3, a MAX7219 32×8 LED dot matrix display, and a 10 mm white LED with accompanying resistor. The white LED is placed behind an acrylic diffuser to give the Bitcoin logo on the side of the display a soft pleasing glow when the device is powered up. There are no buttons or other controls on the ticker, once the software has been configured it just gets plugged in and away it goes.

As for the software, it takes the form of a Python script [Jonty] has created which uses Requests and Beautiful Soup to scrape the relevant data from bitcoinblockhalf.com. The script supports pulling any of the 19 variables listed on the site and displaying it on the LED matrix, which range from the truly nerdy stats like daily block generation to legitimately useful data points that anyone with some Bitcoin in their digital wallets might like to have ticking away on their desks.

The first decade of Bitcoin has been a pretty wild ride, not only monetarily, but in the wide array of hardware now involved in cryptocurrency mining and trading. From Bitcoin traffic lights to custom-made mining rigs that are today more useful as space heaters, it takes a lot of hardware to support these virtual coins.

Continue reading “Raspberry Pi Counts Down To The Last Bitcoin” →

Now That’s What I Call Crypto: 10 Years Of The Best Of Bitcoin

January 29, 2019 by Brian Benchoff 18 Comments

On January 3rd, 2009, the Genesis Block was created. This was the first entry on the Bitcoin blockchain. Because of the nature of Bitcoin, all transactions lead back to this block. This is where Bitcoin began, almost exactly ten years ago.

The Genesis Block was created by Satoshi, a person or persons we know nothing about. In the decade since, we’ve seen the astonishing rise and meteoric descent of Bitcoin, and then it happened again after the bubble was re-inflated.

Due to the nature of Bitcoins, blockchains, and ledgers, the entire history of Bitcoin has been recorded. Every coin spent and every satoshi scrupled has been recorded for all to see. It’s time for a retrospective, and not just because I wanted to see some art based on the covers of Now That’s What I Call Music albums. No, ten years is a lot of stories to tell.

Continue reading “Now That’s What I Call Crypto: 10 Years Of The Best Of Bitcoin” →

What Can The Blockchain Do For You?

October 25, 2018 by Brian Benchoff 40 Comments

Imagine you’re a general, camped outside a fortified city with your army. Your army isn’t strong enough to take the city without help. But you do have help: camped on other hills outside this city are a half dozen more generals, with their armies ready to attack. Attacking one army at a time will fail; taking this city will require at least three or four armies, and an uncoordinated attack will leave thousands dead outside the city gates. How do you coordinate an attack with the other generals? Now, how do you coordinate your attack if one of those other generals is Benedict Arnold? What happens when one of the generals is working with the enemy?

This situation is a slight rephrasing of the Byzantine Generals Problem, first presented in the ACM Transactions on Programming Languages and Systems in 1982. It’s related to the Two Generals Problem formulated a decade prior. These are the analogies we use when we talk about trust over a communications channel, how hard it is to transmit knowledge, and how to form a consensus around imperfect facts.

This problem was upended in late 2008 when Satoshi Nakamoto, a person or group of people, published a white paper on the ‘block chain’. This was the solution to double-spending in digital currency. Think of it as having a digital thing that only one person could own. As a test of this block chain technology, Bitcoin was launched at the beginning of 2009. Things got more annoying from there.

Now, blockchain is at the top of the hype cycle. Every industry is looking at blockchain tech to figure out how it will work for them. Kodak launched their own blockchain, there are proposals to use the blockchain in drones and 3D printers. Medical records could be stored on the blockchain, HIPAA be damned, and there’s a blockchain phone, for reasons. This doesn’t even cover the massive amount of speculation in Bitcoin itself; thousands of other cryptocurrencies have also sprung up, and people are losing money.

The blockchain is a confusing thing, with hashes and Merkle trees and timestamps. Everyone is left asking themselves, what does the blockchain actually do? Is there an independent body out there that will tell me what the blockchain is good for, and when I should use it? You’re in luck: NIST, the National Institute of Standards and Technology released their report on blockchain technology (PDF). Is blockchain magic? No, no it is not, and it probably shouldn’t be used for anything other than a currency.

Continue reading “What Can The Blockchain Do For You?” →

RGB Sensor’s New Job: Cryptocurrency Trade Advisor

July 8, 2018 by Donald Papp 15 Comments

[XenonJohn] dabbles in cryptocurrency trading, and when he saw an opportunity to buy an RGB color sensor, his immediate thought — which he admitted to us would probably not be the immediate thought of most normal people — was that he could point it to his laptop screen and have it analyze the ratio of green (buy) orders to red (sell) orders being made for crypto trading. In theory, if at a given moment there are more people looking to buy than there are people looking to sell, the value of a commodity could be expected to go up slightly in the short-term. The reverse is true if a lot of sell orders coming in relative to buy orders. Having this information and possibly acting on it could be useful, but then again it might not. Either way, as far as out-of-left-field project ideas go, promoting an RGB color sensor to Cryptocurrency Trading Advisor is a pretty good one.

Since the RGB sensor only sees what is directly in front of it, [XenonJohn] assembled a sort of simple light guide. By enclosing the area of the screen that contains orders in foil-lined cardboard, the sensor can get a general approximation of the amount of red (sell orders) versus green (buy orders). The data gets read by an Arduino which does a simple analysis and sends alerts when a threshold is crossed. He dubbed it the Crypto-Eye, and a video demo is embedded below.

Continue reading “RGB Sensor’s New Job: Cryptocurrency Trade Advisor” →