This Week In Security: Fail2RCE, TPM Sniffing, Fishy Leaks, And Decompiling

Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker to take over a machine by being blocked by Fail2ban. The problem is in the mail-whois action, where an email is sent to the administrator containing the whois information. Whois information is potentially attacker-controlled data, and Fail2ban doesn’t properly sanitize the input before piping it into the mail binary. Mailutils has a feature that uses the tilde key as an escape sequence, allowing commands to be run while composing a message. Fail2ban doesn’t sanitize those tilde commands, so malicious whois data can trivially run commands on the system. Whois is one of the old-school Unix protocols that runs in the clear, so a MITM attack makes this particularly easy. If you use Fail2ban, make sure to update to 0.10.7 or 0.11.3, or purge any use of mail-whois from your active configs. Continue reading “This Week In Security: Fail2RCE, TPM Sniffing, Fishy Leaks, And Decompiling”
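As an added illustration (not Fail2ban’s code or its actual fix), here is a defensive check in Python that flags and neutralizes lines in untrusted whois text that would start with the mail tilde escape before the text is piped into a mailer. SAMPLE_WHOIS is constructed, and the code assumes the escape is only honoured as the first character of a line.

```python
# Constructed sample of whois-style text (not real whois output): one line
# begins with a tilde, which mailutils' mail would treat as an escape
# command if the text were piped into the message body unsanitized.
SAMPLE_WHOIS = (
    "inetnum:        192.0.2.0 - 192.0.2.255\r\n"
    "netname:        EXAMPLE-NET\r\n"
    "~ this line starts with a tilde\r\n"
    "remarks:        harmless text with a ~ in the middle\r\n"
)


def find_tilde_lines(text: str) -> list[int]:
    """Return 1-based numbers of lines whose first character is '~'.

    Assumption: the mail escape character is only honoured at the very
    start of a line, so only those lines are dangerous. This is a
    detection hook: log or alert when attacker-controlled data would
    have been interpreted as an escape.
    """
    return [
        i for i, line in enumerate(text.splitlines(), 1)
        if line.startswith("~")
    ]


def neutralize_tilde_escapes(text: str) -> str:
    """Return text that is safe to pipe into `mail`.

    CRLF (common in whois replies) is normalised to LF so a stray '\\r'
    cannot hide a line boundary, and every line that would start with
    '~' is prefixed with a space so it is delivered as literal body text
    instead of being parsed as an escape.
    """
    normalised = text.replace("\r\n", "\n").replace("\r", "\n")
    return "\n".join(
        " " + line if line.startswith("~") else line
        for line in normalised.split("\n")
    )


if __name__ == "__main__":
    print("tilde lines before:", find_tilde_lines(SAMPLE_WHOIS))
    print(neutralize_tilde_escapes(SAMPLE_WHOIS))
```

Applying the check to the whois text on the way into the mail action turns a command escape into an ordinary body line, and the detector gives you a log entry when someone tries it.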

JIT Vs. AM: Is Additive Manufacturing The Cure To Fragile Supply Chains?

As fascinating and frustrating as it was to watch the recent Suez canal debacle, we did so knowing that the fallout from it and the analysis of its impact would be far more interesting. Which is why this piece on the potential of additive manufacturing to mitigate supply chain risks caught our eye.

We have to admit that a first glance at the article, by [Davide Sher], tripped our nonsense detector pretty hard. After all, the piece appeared in 3D Printing Media Network, a trade publication that has a vested interest in boosting the additive manufacturing (AM) industry. We were also pretty convinced going in that, while 3D-printing is innovative and powerful, even using industrial printers it wouldn’t be able to scale up enough to print parts in the volumes needed for modern consumer products. How long would it take for even a factory full of 3D-printers to fill a container with parts that can be injection molded in their millions in China?

But as we read on, a lot of what [Davide] says makes sense. A container full of parts that doesn’t arrive exactly when they’re needed may as well never have been made, while parts that are either made on the factory floor using AM methods, or produced locally using a contract AM provider, could be worth their weight in gold. And he aptly points out the differences between this vision of on-demand manufacturing and today’s default of just-in-time manufacturing, which is extremely dependent on supply lines that we now know can be extremely fragile.

So, color us convinced, or at least persuaded. It will certainly be a while before all the economic fallout of the Suez blockage settles, and it’ll probably be longer before we actually see changes meant to address the problems it revealed. But we would be surprised if this isn’t seen as an opportunity to retool some processes that have become so optimized that a gust of wind could take them down.

Hackaday Links: March 28, 2021

If you thought the global shortage of computer chips couldn’t get any worse, apparently you weren’t counting on 2021 looking back at 2020 and saying, “Hold my beer.” As if an impacted world waterway and fab fires weren’t enough to squeeze supply chains, now we learn that water restrictions could potentially impact chip production in Taiwan. The subtropical island usually counts on three or four typhoons a year to replenish its reservoirs, but 2020 saw no major typhoons in the region. This has plunged Taiwan into its worst drought since the mid-1960s, with water-use restrictions being enacted. These include a 15% reduction of supply to industrial users as well as shutting off the water entirely to non-industrial users for up to two days a week. So far, the restrictions haven’t directly impacted chip and display manufacturers, mostly because their fabs are located outside the drought zone. But for an industry where a single fab can use millions of gallons of water a day, it’s clearly time to start considering what happens if the drought worsens.

Speaking of the confluence of climate and technology, everyone probably remembers the disastrous Texas cold snap from last month, especially those who had to endure the wrath of the unusually brutal conditions in person. One such victim of the storm is Grady, everyone’s favorite YouTube civil engineer, who recently released a very good post-mortem on the engineering causes for the massive blackouts experienced after the cold snap. In the immediate aftermath of the event, we found it difficult to get anything approaching in-depth coverage on its engineering aspects — our coverage excepted, naturally — as so much of what we found was laden with political baggage. Grady does a commendable job of sticking to the facts as he goes over the engineering roots of the disaster and unpacks all the complexity of the infrastructure failures we witnessed. We really enjoyed his insights, and we wish him and all our friends in Texas the best of luck as they recover.

If you’re into the demoscene, chances are pretty good that you already know about the upcoming Revision 2021, the year’s big demoscene party. Like last year’s Revision, this will be a virtual gathering, but it seems like we’re all getting pretty used to that by now. The event is next weekend, so if you’ve got a cool demo, head over and register. Virtual or not, the bar was set pretty high last year, so there should be some interesting demos that come out of this year’s party.

Many of us suffer from the “good enough, move on” mode of project management, leaving our benches littered with breadboarded circuits that got far enough along to bore the hell out of us or make a minimally useful contribution to the overall build. That’s why we love it when we get the chance to follow up on a build that has broken from that mode and progressed past the point where it originally caught our attention. A great example is Frank Olsen’s all-wood ribbon microphone. Of course, with magnets and an aluminum foil ribbon element needed, it wasn’t 100% wood, but it still was an interesting build when we first spied it, if a bit incomplete looking. Frank has fixed that in grand style by continuing the wood-construction theme that completes this all-wood replica of the iconic RCA Model 44 microphone. It looks fabulous and sounds fantastic; we can’t help but wonder how many times Frank glued his fingers together with all that CA adhesive, though.

Continue reading “Hackaday Links: March 28, 2021”

Hackaday Links: February 21, 2021

Well, that was quite a show! The Perseverance rover arrived on Mars Thursday. Don’t tell the boss, but we spent the afternoon watching the coverage in the house on the big TV rather than slaving away in the office. It was worth it; for someone who grew up watching Jules Bergman and Frank Reynolds cover the Apollo program and the sometimes cheesy animations provided by NASA, the current coverage is pretty intense. A replay of the coverage is available – skip to about the 1:15:00 mark to avoid all the filler and fluff preceding the “Seven Minutes of Terror” main event. And not only did they safely deliver the package, but they absolutely nailed the landing. Perseverance is only about 2 km away from the ancient river delta it was sent to explore for signs of life. Nice shooting!

We’re also being treated to early images from Jezero crater. The first lowish-rez shots, from the fore and aft hazard cameras, popped up just a few seconds after landing — the dust hadn’t even settled yet! Some wags complained about the image quality, apparently without thinking that the really good camera gear was stowed away and a couple of quick check images with engineering cameras would be a good idea while the rover still had contact with the Mars Reconnaissance Orbiter. Speaking of which, the HiRISE camera on the MRO managed to catch a stunning view of Perseverance’s descent under its parachute; the taking of that photo is an engineering feat all by itself. But all of this pales in comparison to a shot from one of the down-looking cameras in the descent stage, showing Perseverance dangling from the skycrane just before touchdown. It was a really good day for engineering.

Would that our Earthly supply chains were as well-engineered as our Martian delivery systems. We’ve been hearing of issues all along the electronics supply chain, impacting a wide range of industries. Some of the problems are related to COVID-19, which has sickened workers staffing production and shipping lines. Some, though, like a fire at the AKM semiconductor plant in Japan, have introduced another pinch point in an already strained system. The fire was in October, but the impact on manufacturers depending on the plant’s large-scale integration (LSI) and temperature-compensated crystal oscillator (TCXO) products is only just now being felt in the amateur radio market. The impact is likely not limited to that market, though — TCXOs pop up in lots of gear, and the AKM plant made LSI chips for all kinds of applications.

What do you get when you combine a 3D-printer, a laser cutter, a CNC router, and a pick-and-place robot? Drones that fly right off the build plate, apparently. Aptly enough, it’s called LaserFactory, and it comes from MIT’s Computer Science and Artificial Intelligence Lab. By making different “bolt-on” tools for a laser cutter, the CSAIL team has combined multiple next-generation manufacturing methods in one platform. The video below shows a drone frame being laser-cut from acrylic, to which conductive silver paste is added by an extruder. A pick-and-place head puts components on the silver goo, solders everything together with a laser, and away it goes. They also show off ways of building up 3D structures, both by stacking up flat pieces of acrylic and by cutting and bending acrylic in situ. It’s obviously still just a proof of concept, but we really like the ideas presented here.

And finally, as proof that astronomers can both admit when they’re wrong and have fun while doing so, the most remote object in the Solar System has finally received a name. The object, a 400-km diameter object in a highly elliptical orbit that takes it from inside the orbit of Neptune to as far as 175 astronomical units (AU) from the Sun, is officially known as 2018 AG37. Having whimsically dubbed the previous furthest-known object “Farout,” astronomers kept with the theme and named its wayward sister “Farfarout.” Given the rapid gains in technology, chances are good that Farfarout won’t stay the Sun’s remotest outpost for long, and we fear the (Far)^n out trend will eventually collapse under its own weight. We therefore modestly propose a more sensible naming scheme, perhaps something along the lines of “Farthest McFaraway.” It may not scale well, but at least it’s stupid.

Hackaday Links: January 31, 2021

There are an awful lot of machines on the market these days that fall under the broad category of “cheap Chinese laser cutters”. You know the type — the K40s, the no-name benchtop CO2 cutters, the bigger floor-mount units. If you’ve recently purchased one of these machines from one of the usual vendors, or even if you’re just thinking about doing so, you’ll likely have some questions. In which case, this “Chinese Laser Cutters 101” online class might be right up your alley. We got wind of this through its organizer, Jonathan Schwartz of American Laser Cutter in Los Angeles, who says he’s been installing, repairing, and using laser cutters for a decade now. The free class will be on February 8 at 5:00 PM PST, and while it’s open to all, it does require registration.

We got an interesting tip the other day that had to do with Benford’s Law. We’d never heard of this one, so we assumed it was a “joke law” like Murphy’s Law or Betteridge’s Rule of Headlines. But it turns out that Benford’s Law describes the distribution of leading digits in large sets of numbers. Specifically, it says that the leading digit in any given number is more likely to be one of the smaller digits. Measurements show that rather than each of the nine base 10 digits showing up about 11% of the time, a 1 will appear as the leading digit 30% of the time, while a 9 will appear about 5% of the time. It’s an interesting phenomenon, and the tip we got pointed to an article that attempted to apply Benford’s Law to image files. This technique was used in a TV show to prove an image had been tampered with, but as it turns out, Hollywood doesn’t always get technical material right. Shocking, we know, but the technique was still interesting and the code developed to Benford-ize image files might be useful in other ways.

Everyone knew it was coming, and for a long time in advance, but it still seems that the once-and-for-all, we’re not kidding this time, it’s for realsies shutdown of Adobe Flash has had some real world consequences. To wit, a railroad system in the northern Chinese city of Dalian ground to a halt earlier this month thanks to Flash going away. No, they weren’t using Flash to control the railroad, but rather it was buried deep inside software used to schedule and route trains. It threw the system into chaos for a while, but never fear — they got back up and running by installing a pirated version of Flash. Here’s hoping that they’re working on a more permanent solution to the problem.

First it was toilet paper and hand sanitizer, now it’s…STM32 chips? Maybe, if the chatter on Twitter and other channels is to be believed. Seems like people are having a hard time sourcing the microcontroller lately. It’s all anecdotal so far, of course, but the prevailing theory is that COVID-19 and worker strikes have led to a pinch in production. Plus, you know, the whole 2020 thing. We’re wondering if our readers have noticed anything on this — if so, let us know in the comments below.

And finally, just because it’s cool, here’s a video of what rockets would look like if they were transparent. Well, obviously, they’d look like twisted heaps of burning wreckage on the ground if they were really made with clear plastic panels and fuel tanks, but you get the idea. The video launches a virtual fleet — a Saturn V, a Space Shuttle, a Falcon Heavy, and the hypothetical SLS rocket — and flies them in tight formation while we get to watch their consumables be consumed. If the burn rates are accurate, it’s surprising how little fuel and oxidizer the Shuttle used compared to the Saturn. We were also surprised how long the SLS holds onto its escape tower, and were pleased by the Falcon Heavy payload reveal.

Quality Control, Done Anywhere

Modern society has brought us all kinds of wonders, including rapid intercontinental travel, easy information access, and decreased costs for most consumer goods thanks to numerous supply chains. When those supply chains break down as a result of a natural disaster or other emergency, however, the disaster’s effects can be compounded without access to necessary supplies. That’s the focus of Field Ready, a nonprofit that sets up small-scale manufacturing in places without access to supply chains, or whose access has been recently disrupted.

As part of this year’s Hackaday Prize, each of our four nonprofit partners outlined specific needs that became the targets of a design and build challenge. Field Ready was one of those nonprofits, and for the challenge they focused on quality control for their distributed manufacturing system. We took a look at Field Ready back in June to explore some of the unique challenges associated with their work, which included customers potentially not knowing that a product they procured came from Field Ready in the first place, leading to very little feedback on the performance of the products and nowhere to turn when replacements are needed.

The challenge was met by a dream team whose members each received a $6,000 microgrant to work full time on the project. They’ve just made their report on an easier way of tracking all of the products produced, and identifying them even for those not in the organization. As a result, Field Ready has a much improved manufacturing and supply process which allows them to gather more data and get better feedback from users of their equipment. Join us after the break for a closer look at the system and to watch the team’s presentation video.

Continue reading “Quality Control, Done Anywhere”

Ask Hackaday: What’s Your Coronavirus Supply Chain Exposure?

In whichever hemisphere you dwell, winter is the time of year when viruses come into their own. Cold weather forces people indoors, crowding them together in buildings and creating a perfect breeding ground for all sorts of viruses. Everything from the common cold to influenza spread quickly during the cold months, spreading misery and debilitation far and wide.

In addition to the usual cocktail of bugs making their annual appearance, this year a new virus appeared. Novel coronavirus 2019, or 2019-nCoV, cropped up first in the city of Wuhan in east-central China. From a family of viruses known to cause everything from the common cold to severe acute respiratory syndrome (SARS) in humans, 2019-nCoV tends toward the more virulent side of the spectrum, causing 600 deaths out of 28,000 infections reported so far, according to official numbers at the time of this writing.

(For scale: influenza hits tens of millions of people, resulting in around four million severe illnesses and 500,000 deaths per season, worldwide.)

With China’s unique position in the global economy, 2019-nCoV has the potential to seriously disrupt manufacturing. It may seem crass to worry about something as trivial as this when people are suffering, and of course our hearts go out to the people who are directly affected by this virus and its aftermath. But just like businesses have plans for contingencies such as this, so too should the hacking community know what impact something like 2019-nCoV will have on supply chains that we’ve come to depend on.

Continue reading “Ask Hackaday: What’s Your Coronavirus Supply Chain Exposure?”