Video Killed The Radio Alarm Clock

For decades now, MTV has been on a bizarre trajectory given its original name was an acronym for Music Television. In the original days in the 80s and 90s it kept mostly true to its name, but starting around two decades ago they expanded into reality and other non-musical television programming and have now left it largely behind. Plenty of those who grew up in its heyday have an understandable amount of nostalgia for the channel as a cultural touchstone, and [Derf] used MTV archival footage to build a video alarm clock which helps him keep in tune with the past.

To keep the appropriate 80s aesthetic, the build uses a portable TV from the late 80s with its original CRT. The video files are hosted on more modern technology though, in this case a Raspberry Pi. The Pi is set up to run a Python script which launches the VLC media player with a playlist loaded with video files, in this case a long list of MTV shows. Some configuration, which depends on the hardware used, needs to be done to get it to output to the old CRT properly, but once that’s in place it’s ready to be used as an alarm. [Derf] is using a smart outlet to power the TV at the appropriate time, and a cron job which starts the video player simultaneously at a somewhat random point in the playlist.

As far as retro TVs go, having one as an alarm clock is certainly a novel idea. We have seen a few others in the past, though, one to play the golden age of The Simpsons, and another that recreates the nostalgia of 90s cable television complete with a preview channel and era-appropriate commercials.


Ask Hackaday: What About Imperfect Features?

Throughout the last few years’ time, I’ve been seeing sparks of an eternal discussion here and there. It’s a nuanced one, but if I could summarize, it’s about different feature development strategies we can follow to design things, especially if they’re aimed at a larger market. Specifically – when adding a feature, how complete and perfect should it be?

A while back, I read a Mastodon thread about VLC not implementing backwards per-frame skipping. At the surface level, it’s about an indignant user asking – what’s the deal with VLC not having a “go back a frame” button? A ton of video players have this feature implemented. There’s a forum thread linked, and, reading it could leave you with a good few conflicting emotions. Here’s a recap.

In what appears to be one of multiple threads asking about a ‘previous frame’ button in VLC, there’s an 82-post discussion involving multiple different VLC developers. The users’ argument is that it appears to be clearly technically possible to add a ‘previous frame’ button in practice, and the developers’ argument is that it’s technologically complex to implement in some cases – for certain formats, even impossible to implement! Let’s go into the developers’ stated reasoning in more detail, then – here’s what you can find in the thread, to the best of my ability.


YouTube Like It’s 1970s France With This Minitel-VCR Mashup

When it’s not just sticking fake gears on things and calling it a day, the Steampunk look is pretty cool. Imagining technology in a world stuck with Victorian aesthetics is a neat idea, and one that translates to the look of other time periods — Fallout, anyone?

But what if you try to create a technological aesthetic based on a more recent and less celebrated time? That’s what [ghettobastler] has attempted with this somewhat bizarre Minitel-YouTube-VCR mash-up. Taking inspiration from a webcomic’s take on “Formicapunk,” modern tech based on the aesthetic of the wildly successful French videotex service of the 70s and 80s, the system uses a very cool Minitel 1B terminal and a Raspberry Pi 3.

A custom level-shifter for the Pi

With the help of a level-shifting circuit, the Minitel and the Pi talk over serial, allowing the terminal to be used as, well, a terminal for the Pi. Videos are downloaded from YouTube by the Pi, which sends the video to the VCR from its composite output, and controls the VCR with an IR LED that emulates the original remote. Come to think of it, just watch the video below — it’s probably easier than trying to describe it.

It’s weird, true, but we love the look of that Minitel terminal. Something about it just screams cyberdeck; if anyone has a spare one of these, get busy and put something together for our Cyberdeck Design Contest.


This Week In Security: VPN Gateways, Attacks In The Wild, VLC, And An IP Address Caper

We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.

It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.

CVE-2018-13379 abuses an snprintf call made when requesting a different language for the device login page. Snprintf is an alternative to sprintf, but intended to prevent buffer overflows by including the maximum string length to write to the target buffer, which sounds like a good idea but can lead to malicious truncation.

The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);.
When loading the login page, a request is made for a language file, and the file is sent to the user. At first look, it seems that this would indeed limit the file returned to a .json file from the specified folder. Unfortunately, there is no further input validation on the request, so a language of ../../arbitrary is considered perfectly legitimate, escaping the intended folder. This would leak arbitrary json files, but since snprintf doesn’t fail if the output exceeds the specified length and simply truncates it, sending a request for a lang that’s long enough results in the “.json” extension not being appended to the request either.

A Metasploit module has been written to test for this vulnerability, and it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That’s just long enough to force the json extension to fall off the end of the string, and it is Unix convention to ignore the extra slashes in a path. Just like that, the Fortigate is serving up any file on its filesystem just for asking nice.
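The truncation described above, as an added example that is not from the original article or from Fortinet's code: it rebuilds the quoted snprintf call, feeds it a constructed 48-character lang so the 0x40 limit drops the “.json” suffix, and sets it beside a variant that validates the input and treats truncation as an error. The function names, the 16-character limit and the allowed character set are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 0x40 /* same 0x40 size limit as the call quoted above */

/* Pattern from the article: lang is not validated and a truncated result is
 * used as-is. Returns snprintf's result: the length the full path needed. */
static int build_path_unchecked(char *out, const char *lang)
{
    return snprintf(out, PATH_BUF, "/migadmin/lang/%s.json", lang);
}

/* Hardened variant (illustrative; the 16-char limit and character set are
 * assumptions). Returns 0 on success, -1 if the request is rejected. */
static int build_path_checked(char *out, const char *lang)
{
    size_t len = strlen(lang);
    if (len == 0 || len > 16)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)lang[i]) && lang[i] != '_' && lang[i] != '-')
            return -1; /* rejects '.', '/' and anything else path-like */
    int n = snprintf(out, PATH_BUF, "/migadmin/lang/%s.json", lang);
    if (n < 0 || n >= PATH_BUF)
        return -1; /* truncated output is an error, never a usable path */
    return 0;
}

static int ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

int main(void)
{
    char path[PATH_BUF], big[49];
    memset(big, 'x', 48); /* constructed 48-character lang value */
    big[48] = '\0';
    int need = build_path_unchecked(path, big);
    printf("needed %d chars, got \"%s\" (.json kept: %d)\n",
           need, path, ends_with(path, ".json"));
    printf("checked, long lang: %d\n", build_path_checked(path, big));
    printf("checked, \"../../x\": %d\n", build_path_checked(path, "../../x"));
    printf("checked, \"en\": %d -> %s\n", build_path_checked(path, "en"), path);
    return 0;
}
```

The return value of snprintf is the length the complete string would have had, so any result at or above the buffer size means the path on hand is not the path the code meant to build.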

More worrying than the snprintf bug is the magic value that appears to be an intentional backdoor. A simple 14 character string sent as an HTTP query string bypasses authentication and allows changing any user’s password. This story is still young, and it’s possible this was intended to have a benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.

Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.

Exploitation in the Wild

But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and Fortigate are already being exploited actively in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted in scans within a day of announcement, and exploited within three days of the announcement. There is already a botnet spreading via this backdoor. It’s estimated that there are around 29,000 vulnerable Internet-facing servers.

Both Pulse Secure and Fortinet’s Fortigate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported first to the vendors, and patched well in advance of the public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliance hardware are fire-and-forget solutions, and often go without important security updates.

VLC is Actually Vulnerable This Time

The VLC media player has released a new update, fixing 11 CVEs. These CVEs are all cases of mishandling malformed media files, and are only exploitable by opening a malicious file with VLC. Be sure to go update VLC if you have it installed. Even though no arbitrary code execution has been demonstrated for any of these issues, it’s likely that it will eventually happen.

Gray Market IP Addresses

With the exhaustion of IPv4 addresses, many have begun using alternative methods to acquire address space, including the criminal element. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?

This Week In Security: Selfblow, Encryption Backdoors, Killer Apps, And The VLC Apocalypse That Wasn’t

Selfblow (Don’t google that at work, by the way) is a clever exploit by [Balázs Triszka] that affects every Nvidia Tegra device using the nvtboot bootloader — just about all of them except the Nintendo Switch. It’s CVE-2019-5680, and rated at an 8.2 according to Nvidia, but that high CVE rating isn’t entirely reflective of the reality of the situation. Taking advantage of the vulnerability means writing to the boot device, which requires root access, as well as a kernel flag set to expose the boot partitions to userspace. This vulnerability was discovered as part of an effort by [Balázs] and other LineageOS developers to build an open source bootloader for Nvidia Tegra devices.

The Tegra boot process is a bit different, having several stages and a dedicated Boot and Power Management CPU (BPMP). A zero-stage ROM loads nvtboot to memory and starts it executing on the BPMP. One of the tasks of nvtboot is to verify the signature of the next bootloader step, nvtboot-cpu. The file size and memory location are embedded in the nvtboot-cpu header. There are two problems here that together make this vulnerability possible. The first is that the bootloader binary is loaded to its final memory location before the signature verification is performed. The code is written to validate the bootloader signature before starting it executing on the primary CPU, so all is well, right?

Optimizing Screen Time To Heart Beats

Kids spend too much time in front of a screen these days. They also won’t get off my lawn, and music today is just a bunch of static. They don’t respect their elders, either. While kids today are terrible, we can fix that first problem — sitting in front of a screen all day. For his Hackaday Prize entry, [Donovan] has created a device that optimizes screen time to reduce sensory overload. It’s the Optimote, the combination of a remote control and biofeedback.

The idea behind the Optimote is actually to reduce stimulation when watching something on a screen. For many people, including people on the autism spectrum, watching TV or YouTube videos can often result in debilitating sensory overload. You can’t relax in this state, you can’t learn, and you certainly can’t get any entertainment value out of the glowing rectangle in front of your face.

The Optimote uses a pulse sensor, an Arduino, an incredible break-away cable that seems to be missing from any other wearable device like this, and a software stack that interacts with VLC. During periods of high pulse rate, the video skips to low-intensity footage. There’s a ‘calm’ mode that puts media volume and tempo in sync with heart rate. The ‘thrill’ mode plays an eerie scene looping with the Jaws theme.

So far, the prototype is a success, and [Donovan] is looking forward to large-scale user experience testing to determine how effective and enjoyable this technology can become.

Hacked By Subtitles

CheckPoint researchers published in the company blog a warning about a vulnerability affecting several video players. They found that VLC, Kodi (XBMC), Popcorn-Time and strem.io are all vulnerable to attack via malicious subtitle files. By carefully crafting a subtitles file they claim to have managed to take complete control over any type of device using the affected players when they try to load a video and the respective subtitles.

According to the researchers, things look pretty grim:

We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. (…) Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well.

One of the reasons you might want to make sure your software is up to date is that some media players download subtitles automatically from several shared online repositories. An attacker, as the researchers proved, could manipulate the website’s ranking algorithm, which would not only entice more unsuspecting users to manually download his subtitles, but would also guarantee that his crafted malicious subtitles would be those automatically downloaded by the media players.

No additional details have been disclosed yet about how each video player is affected, although the researchers did share the details with each of the software developers so they can tackle the issue. They reported that some of the problems are already fixed in their current versions, while others are still being investigated. It might be a good idea to watch carefully and update your system before the details come out.

Meanwhile, we can look at the trailer:
