Arbitrary Code Execution Over Radio

Computers connected to networks are constantly threatened by attackers who seek to exploit vulnerabilities wherever they can find them. This risk is particularly high for machines connected to the Internet, but any network connection can be susceptible to attacks. As highlighted by security researcher and consultant [Rick Osgood], even computers connected to nothing more than a radio can be vulnerable to attacks if they’re using certain digital modes of communication.

The vulnerability that [Rick] found involves exploiting a flaw in a piece of software called WinAPRS. APRS is a method commonly used in the amateur radio community for sending data over radio, and WinAPRS allows for this functionality on a PC. He specifically sought out this program for vulnerabilities since it is closed-source and hasn’t been updated since 2013. After some analysis, he found a memory bug which was used to manipulate the Extended Instruction Pointer (EIP) register which stores the memory address of the next instruction to be executed by the CPU. This essentially allows for arbitrary code execution on a remote machine via radio.

The exploit was found while using Windows XP because it lacks some of the memory protection features of modern operating systems, but the exploit does still work with Windows 10, just not as reliably and with a bit of extra effort required. It’s a good reminder to use open-source software when possible so issues like these can get resolved, and to regularly install security updates. If you’re looking to delve into the world of APRS in more modern times, take a look at this project which adds APRS to budget transceivers. Just make sure you get your license first.

Commodore 64 Reports The News

In the late 80s and into the 90s, [Cameron Kaiser] aka [ClassicHasClass] was an aspiring journalist, first becoming interested in the career in elementary school and then working on various publications into university. At some point, he started using a piece of software for laying out newspapers called The Newsroom which, he admits, was lacking a lot of tools that would have been modern even for the time, but had an otherwise agreeable price tag thanks to its focus more on home desktop publishing and newsletter production than on full-scale newspaper operations. It did have one interesting feature that he never could figure out, though, at least until he went back and pieced this mystery together.

The software itself ran on the Apple II and was eventually ported to other systems of the era, including the Commodore 64. The mystery feature was known as “Wire Service” and appeared to be a way that users of the software who had a modem could connect with one another and share news releases, layouts, graphics, and other content created in Newsroom, but back in the days when it would have been modern, it was never able to connect to anything. In fact, it was eventually abandoned by the developers themselves in later releases of the software. But [ClassicHasClass] was determined to get it working.

FOSDEM 2023: An Open-Source Conference, Literally

Every year, on the first weekend of February, a certain Brussels university campus livens up. There, you will find enthusiasts of open-source software and hardware alike, arriving from different corners of the world to meet up, talk, and listen. The reason they all meet there is the conference called FOSDEM, a long-standing open-source software conference which has been happening in Belgium since 2000. I’d like to tell you about FOSDEM because, when it comes to conferences, FOSDEM is one of a kind.

FOSDEM is organized in alignment with open-source principles, which is to say, it reminds me of an open-source project itself. The conference is volunteer-driven, with a core of staff responsible for crucial tasks – yet, everyone can and is encouraged to contribute. Just like a large open-source effort, it’s supported by university and company contributions, but there’s no admission fees for participants – for a conference, this means you don’t have to buy a ticket to attend. Last but definitely not least, what makes FOSDEM shine is the community that it creates.

FOSDEM’s focus is open software – yet, for hackers of the hardware world, you will find a strong hardware component to participate in, since a great number of FOSDEM visitors are either interested in hardware, or even develop hardware-related things day-to-day. It’s not just that our hardware can’t live without software, and vice-versa – here, you will meet plenty of pure software, a decent amount of pure hardware, and a lot of places where the two worlds are hard to distinguish. All in all, FOSDEM is no doubt part of hacker culture in Europe, and today, I will tell you about my experience of FOSDEM 2023.

Chataigne: An Open-Source Swiss Army Knife

[Ben Kuper] is a developer with a history of working on art installations, and had hit upon a common problem often cited by artists. When creating installations involving light, sound, and motion, they often spend too much time on the nuts and bolts of electronics, programming, and so on. Such matters are a huge time sink with a steep learning curve and oftentimes just a plain distraction from the actual artistic intent they’re trying to focus upon. [Ben] has been working for a few years on a software tool, Chataigne, which is designed as the glue between various software tools and hardware interfaces, enabling complex control of the application using simple building blocks.

Prototyping The Prototype

For basic prototyping, the go-to tool to piece together a functioning circuit is the breadboard. It’s a great way to prove a concept works before spending money and time on a PCB. For more complex tasks we can make use of simulation software such as SPICE. But there hasn’t really been a tool to blend these two concepts together. That’s what CRUMB is hoping to solve as a tool that allows simulating breadboard circuits.

Currently, most basic circuit functions are working for version 1.0. This includes passive components like resistors, capacitors, switches, some LEDs, and potentiometers, as well as some active components like transistors and diodes. There are some logic chips available such as 74XX series chips and 555 timers, which opens up a vast array of circuit building. There’s even an oscilloscope feature, plus audio output to incorporate buzzers into the circuit simulation. Currently in development is an LCD display module and improvements to the oscilloscope.

Besides prototyping, this could be useful for anyone, students included, who is learning about circuits without the need to purchase any hardware. The major downside to this project is that there doesn’t seem to be a free or trial version, the source is not available, and it’s only for sale on Steam, Apple Store, and Google Play. That being said, there is a forum available for users to discuss problems and needs for future versions, so it’s possible that a community could build up around it. We’ve seen previously non-free versions of circuit simulation software become more open after some time, so it’s not out of the realm of possibility.

Thanks to [Thomas] for the tip!

Arduino IDE 2.0 Is Here

Arduino have released the latest version of their Integrated Development Environment (IDE), Version 2.0, and it is a big step up from the previous release, boasting plenty of new features to help you develop your code more easily.

Although it is the de facto way for beginners to get into programming hardware, more experienced users have sometimes complained about what they see as the over-simplistic IDE, even lacking relatively basic features such as autocomplete. The new version provides this, and much more besides.

Diff Tool Knows What You Mean

We will admit to not being particularly artistic, but we do remember an art teacher telling us that sometimes it is better to draw what isn’t there instead of what’s there — a concept known as negative space. [Wilfred] makes a similar point when explaining his “fantastic diff” tool called, appropriately, difftastic. He points out that when comparing two programs, the goal isn’t so much to determine what changed, but rather what stayed the same. The more you can identify as the same, the less you have to show as a change.

The tool compares source code in a smart way, assisted by tree-sitter which has many different languages already parsed, at least well enough for this purpose. According to [Wilfred’s] post the tool supports 44 different languages ranging from bash and YAML, Verilog to VHDL, and C++ to Rust, among others.
