google

170 Articles

This Week In Security: XCode Infections, Freepik, And Crypto Fails

August 28, 2020 by 8 Comments

There is a scenario that keep security gurus up at night: Malware that can detect software compilation and insert itself into the resulting binary. A new Mac malware, XCSSET (PDF), does just that, running whenever Xcode is used to build an application. Not only is there the danger of compiled apps being malicious, the malware also collects data from the developer’s machine. It seems that the malware spreads through infected Xcode projects.

WordPress Plugins

WordPress has a complicated security track record. The core project has had very few serious vulnerabilities over the years. On the other hand, WordPress sites are routinely compromised. How? Generally through vulnerable plugins. Case in point? Advanced Access Manager. It’s a third party WordPress plugin with an estimate 100,000 installations. The problem is that this plugin requires user levels, a deprecated and removed WordPress feature. The missing feature had some unexpected results, like allowing any user to request administrator privileges.

The issue has been fixed in 6.6.2 of the plugin, so if you happen to run the Advanced Access Manager plugin, make sure to get it updated. Beyond that, maybe it’s time to do an audit on your WordPress site. Uninstall unused plugins, and make sure the rest are up to date, along with the WordPress installation itself. Continue reading “This Week In Security: XCode Infections, Freepik, And Crypto Fails”

Your Phone Is Now Helping To Detect Earthquakes

August 17, 2020 by 37 Comments

Most people’s personal experience with seismographs begins and ends with simple childhood science experiments. Watching a pendulum make erratic marks on a piece of paper while your classmates banged on the table gave you an idea on how the device worked, and there’s an excellent chance that’s the last time you gave the concept much thought. Even among hackers, whose gear in general tends to be more technologically equipped than the norm, you’re unlikely to find a dedicated seismograph up and running.

But that’s not because the core technology is hard to come by or particularly expensive. In fact, one could say with almost absolute certainty that if you aren’t actively reading these words on a device with a sensitive accelerometer onboard, you have one (or perhaps several) within arm’s reach. Modern smartphones, tablets, and even some laptops, now pack in sensors that could easily be pushed into service as broad strokes seismometers; they just need the software to collect and analyze the data.

Or at least, they did. By the time you read this article, Google will have already started rolling out an update to Android devices which will allow them to use their onboard sensors to detect possible earthquakes. With literally billions of compatible devices in operation all over the planet, this will easily become the largest distributed sensor network of its type ever put into operation. But that doesn’t mean you’re going to be getting a notification on your phone to duck and cover anytime soon.

Continue reading “Your Phone Is Now Helping To Detect Earthquakes”

Marian Croak Is The MVP Of VoIP Adoption

July 7, 2020 by 23 Comments

If you’ve ever used FaceTime, Skype, own a Magic Jack, or have donated money after a disaster by sending a text message, then you have Marian Croak to thank. Her leadership and forward thinking changed how Ma Bell used its reach and made all of these things possible.

Marian Croak is a soft-spoken woman and a self-described non-talker, but her actions spoke loudly in support of Internet Protocol (IP) as the future of communication. Humans are always looking for the next best communication medium, the fastest path to understanding each other clearly. We are still making phone calls today, but voice has been joined by text and video as the next best thing to being there. All of it is riding on a versatile network strongly rooted in Marian’s work.

Continue reading “Marian Croak Is The MVP Of VoIP Adoption”

Creating A Custom ASIC With The First Open Source PDK

June 25, 2020 by 23 Comments

A process design kit (PDK) is a by now fairly standard part of any transformation of a new chip design into silicon. A PDK describes how a design maps to a foundry’s tools, which itself are described by a DRM, or design rule manual. The FOSSi foundation now reports on a new, open PDK project launched by Google and SkyWater Technology. Although the OpenPDK project has been around for a while, it is a closed and highly proprietary system, aimed at manufacturers and foundries.

The SkyWater Open Source PDK on Github is listed as a collaboration between Google and SkyWater Technology Foundry  to provide a fully open source PDK and related sources. This so that one can create manufacturable designs at the SkyWater foundry, that target the 130 nm node. Open tools here should mean a far lower cost of entry than is usually the case.

Although a quite old process node at this point (~19 years), it should nevertheless still be quite useful for a range of applications, especially those that merge digital and analog circuitry. SkyWater lists their SKY130 node technology stack as:

  • Support for internal 1.8V with 5.0V I/Os (operable at 2.5V)
  • 1 level of local interconnect
  • 5 levels of metal
  • Inductor-capable
  • High sheet rho poly resistor
  • Optional MiM capacitors
  • Includes SONOS shrunken cell
  • Supports 10V regulated supply
  • HV extended-drain NMOS and PMOS

It should be noted that use of this open source PDK is deemed experimental at this point in time, and should not be used for any commercial or otherwise sensitive applications.

Header image: Peellden/ CC BY-SA 3.0

Autonomous Sentry Gun Packs A Punch And A Ton Of Build Tips

June 10, 2020 by 17 Comments

What has dual compressed-air cannons, 500 roll-on deodorant balls, and a machine-learning brain with a bad attitude? We didn’t know either, until [Leo Fernekes] dropped this video on his autonomous robot sentry gun and saw it in action for ourselves.

Now, we’ve seen tons of sentry guns on these pages before, shooting everything from water to various forms of Nerf. And plenty of those builds have used some form of machine vision to aim the gun onto the target. So while it might appear that [Leo]’s plowing old ground here, this build is chock full of interesting tips and tricks.

It started when [Leo] saw a video on TensorFlow basics from our friend [Edje Electronics], which gave him the boost needed to jump into an AI project. The controller he ended up with looks for humans in the scene and slews the turret onto target, where the air cannons can do their thing. The hefty ammo is propelled by compressed air, which is dumped into the chamber using a solenoid valve with an interesting driver that maximizes the speed at which it opens. Style points go to the bacteriophage T4-inspired design, and to the sequence starting at 1:34 which reminded us of the factory scene from RoboCop.

[Leo] really put a ton of work into this project, and the results show. He is hoping to get an art gallery or museum to show it as an interactive piece to comment on one possible robot-human future, presumably after getting guests to sign a release. Whatever happens to it, the robot looks great and [Leo] learned a lot from it, as did we.

Continue reading “Autonomous Sentry Gun Packs A Punch And A Ton Of Build Tips”

Make It Easier For Your Software Project To Accept Contributions

April 29, 2020 by 30 Comments

[Flameeyes] has heard complaints (and at times, he admits, has complained himself) about big companies not contributing improvements to projects they seem to find useful, or rolling their own implementation rather than use and contribute to an existing code base. Having recently left Google after seven years, he has some insights into some of the reasons big corporations (at least Google, anyway) may sometimes seem to eschew making code contributions, and some of the reasons might come as a surprise.

There are things a corporation can do differently, but there are also some things that can be done on the project’s end to make accepting contributions easier. [Flameeyes] took some time to write out a few pointers on how to make it easier for others (particularly large corporations) to contribute code to a software project.

The biggest issue is the software license. Without one, there is no legal structure to use, distribute, or contribute to the code, and no corporate entity will want to touch it. Google specifically forbids creating patches for projects with either no license, or incompatible licenses. An example of an incompatible license is one that forbids commercial use, because everything a corporation like Google does — even research –is considered a commercial endeavor. In addition, on the corporate side making contributions might trigger a code review process of some kind for some licenses, but not for others. [Flameeyes] suggests the MIT license as one that is acceptable to pretty much everyone with a minimum of fuss. Another caution: if a project’s code resides in an online repository, make sure the repository is licensed as well.

A few other small suggestions (such as maintaining an AUTHORS file to track contributors in a tidy way) rounds out the advice. It sounds simple, but software licensing is so critical to the whole affair that it’s important to get it right — he suggests the REUSE tool for anyone wanting to make sure a project’s licensing is tidy.

[Flameeyes] makes a point that none of this guidance is based on secret or institutional knowledge. Google has a public document detailing exactly how they use and deal with open source, and it’s a solid guide for how to make your project more accepting of contributions from a corporate entity like Google. (Or, if you prefer, a guide on how to set up as many barriers as possible for your project.)

In case you missed it, we just want to remind you that our favorite recent open source project from Google is definitely Pigweed.

Geofence Warrant Sends Bicyclist’s Privacy Over The Handlebars

March 25, 2020 by 98 Comments

About a year ago, Zachary McCoy took a bike ride around his neighborhood in Gainesville, Florida. It may have been forgettable to him, but not to history. Because McCoy used an app to track his mileage, the route was forever etched in the Google-verse and attached to his name.

On the day of this ill-fated bike ride, McCoy passed a certain neighbor’s house three times. While this normally wouldn’t raise alarm, the neighbor happened to be the victim of a burglary that day, and had thousands of dollars worth of jewelry stolen. The Gainesville police had zero leads after a four-day investigation, so they went to the county to get a geofence warrant. Thanks to all the location data McCoy had willingly generated, he became the prime suspect.

Continue reading “Geofence Warrant Sends Bicyclist’s Privacy Over The Handlebars”