Microsoft Bug Tracking Hacked

It seems that the database containing descriptions of critical and unfixed bugs and/or vulnerabilities in some of the most widely used software in the world, including the Windows operating system, was hacked back in 2013. This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.

Microsoft discovered the database breach in early 2013 after the highly skilled hacking group Morpho a.k.a. Butterfly a.k.a. Wild Neutron broke into computers at a number of major tech companies, including Apple, Facebook, and Twitter. The group exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then used them as pivots into the companies’ internal networks.

Official sources say that the Microsoft bug database was poorly protected, with access possible via little more than a password. Four years later, we have official confirmation that it happened. To measure the breach impact, Microsoft started a study to correlate the potential flaws in their databases and subsequent attacks. The study found that the flaws in the stolen database were actually used in cyber attacks, but Microsoft argued the hackers could have obtained the information elsewhere, and that there’s “no evidence that the stolen information had been used in those breaches.”

There is really no way to know besides asking the actual hacking group, which will most likely not happen… unless they are HaD readers, in which case they can feel free to comment.

[via Reuters]

An Old Video Game Controller on Even Older Computer

For those of us not old enough to remember, and also probably living in the States, there was a relatively obscure computer built by Microsoft in the early 80s that had the strong Commodore/Atari vibe of computers that were produced before PCs took over. It was known as the MSX and only saw limited release in the US, although it was popular in Japan and elsewhere. If you happen to have one of these and you’d like to play some video games on it, though, there’s now a driver (of sorts) for SNES controllers.

While this hack may not be useful to many people, the simplicity of the project is elegant for such “ancient” technology. The project takes advantage of some quirks in BASIC for reading a touch-pad digitizer connected to the joystick port using the SPI protocol. This is similar enough to the protocol used by NES/SNES controllers that it’s about as plug-and-play as 80s and 90s hardware can get. From there, the old game pad can be used for anything that the MSX joystick could be used for.

We’ve seen a handful of projects involving the MSX, so while it’s not as popular as Apple or Commodore, it’s not entirely forgotten, either. In fact, this isn’t even the first time someone has retrofitted a newer gaming controller to an MSX: the Wii Nunchuck already works for these machines.

Doing It With Fewer Bytes Than Bill Gates

The MITS Altair 8800 occupies a unique place in computing history as the first commercially successful microcomputer for personal rather than business use. It is famous as the platform upon which the first Microsoft product ran, their first BASIC interpreter.

[Josh Bensadon] has an Altair 8800, and became intrigued by its bootloader. The simplest method of programming the machine is through binary using a set of switches on the front panel, and he remarks that there should be a warning in the manual: “fingers will get sore after repeated use of the small switches on the ALTAIR”.

In the Altair manual there are two listings, one of 21 bytes and another of 20 bytes. Bill Gates is on record as saying that their first effort was 46 bytes long, but with more work he managed to create one in 17 bytes. Now [Josh] has beaten that: he’s created an Altair 8800 bootloader in only 14 bytes.

His write-up goes into great detail about how those bytes are shaved off, and provides us with a fascinating insight into the 8800’s architecture. Even if your 8-bit assembler is a little rusty, it’s a fascinating read.

We’ve featured Altair-inspired projects many times here at Hackaday, but rarely the real thing. This Altair PC case with the ability to emulate the original was rather a nice idea, as was this Altair front panel project. If you want the joy without the heartache though, there is an online emulator.

Skin Bling: Wearable Electronics from Golden Temporary Tattoos

MIT Media Lab and Microsoft have teamed up to take wearable devices one step further — they’ve glued the devices directly to the user’s skin. DuoSkin is a temporary tattoo created with gold leaf. Metallic “Flash” temporary fashion tattoos have become quite popular recently, so this builds on the trend. What the team has done is to use them to create user interfaces for wearable electronic devices.

Generally speaking, gold leaf is incredibly fragile. In this process, to yield the cleanest looking leaf, the gold is not actually cut. Instead, the temporary tattoo film and backer are cut on a standard desktop vinyl cutter. The gold leaf is then applied to the entire film surface. The cut film/leaf can then be “weeded” — removing the unwanted portions of film which were isolated from the rest by the cutting process — to complete the temporary tattoo. The team tested this method and found that traces 4.5 mm or more thick were resilient enough to last the entire day on your skin.

The gold leaf tattoos make excellent capacitive touch sensors. The team was able to create sliders, buttons, and even 2 dimensional diamond grids. These controls were used to move a cursor on a computer or phone screen. They were even able to create a wearable NFC tag. The gold leaf is the antenna, and the NFC chip itself is mounted on the temporary tattoo backer.

These devices all look great, but with the exception of the NFC chip, we’re not seeing the electronics driving them. Capacitive touch sensors used as a UI for a phone will have to have a Bluetooth radio and a battery somewhere. We’re guessing that’s all hidden under the arm of the user. You can see what we’re talking about in the video after the break. That said, the tools and materials are ubiquitous and easy to work with. Take a quick read through the white paper (PDF) and you can be making your own version of this today.

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage. In Windows 8 and 10, the same bug has now been found to potentially leak the user’s Microsoft Live account login and (hashed) password information, which is also used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

Devilishly Advocative: Microsoft Heats Ocean; Builds Skynet’s Safe Haven

Have you heard that Microsoft is testing underwater data centers? On the surface (well, actually on the ocean floor) it’s not a bad idea. Project Natick seals a node of servers in a steel pipe for an undersea adventure planned for at least 10 years. The primary reason is to utilize cold ocean temperatures to keep the machines cool as they crunch through your incessant Candy Crush Saga sessions.

Passive cooling is wonderful, and really drops the energy footprint of a data center, albeit a very small one which is being tested. Scaled up, I can think of another big impact: property taxes. Does anyone know what the law says about dropping a pod in the ocean? As far as I can tell, laying undersea cabling is expensive, but once installed there are no landlords holding out their hands for a monthly extraction. Rent aside, taking up space with windowless buildings sucking huge amounts of electricity isn’t going to win the hearts and minds of the neighborhood. Undersea real estate makes sense there too.

But it’s fun to play Devil’s Advocate, and this one immediately raised my eyebrow. I read as much Sci Fi as time allows, and am always interested to see which authors are registering the best technology predictions. This is the second time in short order that I turn to [William Hertling’s] work. Back in November, Google announced a project to add predictive responses to Gmail. This parallels the premise of [Hertling’s] Singularity Series which begins with Avogadro Corp. Another major point in that novel is the use of offshore data centers.

Microsoft, Minecraft, and Kids

Code.org annually sponsors an Hour of Code (December 7th to the 13th will be the third one). The goal is to try to teach kids the basics of computer science in just an hour. Microsoft has announced they will team with Code.org to bring Minecraft-based lessons to this year’s hour.

It makes sense when you remember that Microsoft bought Mojang (the company behind Minecraft) last year. Users can sign up for the free Hour of Code Minecraft module and learn how to make characters adventure through a Minecraft world using programming. There are other themed modules, too, including Star Wars, Frozen, and other kid-attracting motifs. There are also a lot of videos (like the one below) that explain why you might want to learn about computer science.

If you think Minecraft isn’t a sufficient programming language, don’t be so sure. There are many Minecraft CPUs out there as well as a (very slow) word processor. If you want real hardware, you might check out our review of Minecraft-related projects from earlier this year.
