This Week In Security: Good Faith, Easy Forgery, And I18N

There’s a danger in security research that we’ve discussed a few times before. If you discover a security vulnerability on a production system, and there’s no bug bounty, you’ve likely broken a handful of computer laws. Turn over the flaw you’ve found, and you’re most likely to get a “thank you”, but there’s a tiny chance that you’ll get charged for a computer crime instead. Security research in the US is just a little safer now, as the US Department of Justice has issued a new policy stating that “good-faith security research should not be charged.”

While this is a welcome infection of good sense, it would be even better for such a protection to be codified into law. The other caveat is that this policy only applies to federal cases in the US. Other nations, or even individual states, are free to bring charges. So while this is good news, continue to be careful. There are also some caveats about what counts as good faith — if a researcher uses a flaw discovery to extort, it’s not good faith.

Why Get Dressed When There Are Software Pants?

With so many of us working from home over the last two years, it’s really become apparent that people generally dislike sitting all day with pants on. Until such a utopian time when all clothing is considered unisex, and just as many men as women are kicking it in loose, flowing skirts and dresses, you may want to remember to actually wear something on your lower half, uncomfortable though pants may be. But there is another way — you could build [Everything Is Hacked]’s pants filter and continue to be a chaos agent. Check out the video after the break.

These pants go as wide as you please.

That’s right, whether you forgo or just forget to dress yourself below the equator, the pants filter has you covered. It works like you might expect — machine learning tracks body landmarks and posture to figure out where your NSFW region is and keep it under wraps.

By default, it blurs everything below the belt, or you can draw on pants if you’re inclined to be in revealing tighty-whities and prefer more coverage. You can adjust the width of the pants to cover the covid-19 you may have put on since 2020, and even change the pants to match your shirt.

We love that [Everything Is Hacked] had the, um, gumption to test the pants filter in public at what appears to be a local taco joint. After the first few rounds of weird looks, he switched to a pants moustache to save face.

Want to add even more fun to those boring video calls? Try connecting up some vintage hardware, or install a pull chain to end those sessions with a gesture that won’t get you fired.


Hackaday Links: August 8, 2021

Do you have burning opinions about GitHub Copilot, the AI pair programmer that Microsoft introduced a few months ago? Are you worried about the future of free and open software? The Free Software Foundation is funding a call for white papers of 3,000 or fewer words that address either Copilot itself or the subjects of copyright, machine learning, or free software as a whole. If you need more background information first, check out [Maya Posch]’s excellent article on the subject of Copilot and our disappointing AI present. Submissions are due by 10AM EDT (14:00 UTC) on Monday, August 23rd.

There are big antique books, and then there are antiphonaries — these are huge tomes full of liturgical chants and things of that nature. When one of them needs a lot of restoration work, what do you do? You build an all-in-one housing, display case, and cart that carefully holds it up and open (YouTube). Otherwise, you have to have multiple gloved people being extra careful. Jump to about the 14-minute mark to see the device, which is mostly made from extruded aluminum.

In more modern news: you may be waiting out this chip shortage like everyone else, but does it require renting out a bunch of real estate in perpetuity? We didn’t think so. Here’s an aerial photo of a stockpile of Ford Super Duty trucks that are waiting for chips at a dead stop outside the Kentucky Speedway. Thousands of brand new trucks, exposed to the elements for who knows how long. What could go wrong?

While we’re asking questions, what’s in a name? Well, that depends. We’ve all had to think of names for everything from software variables to actual children. For something like a new exoplanet survey, you might as well make the demonym remarkable, like COol COmpanions ON Ultrawide orbiTS, or COCONUTS. Hey, it’s more memorable than calling them X-14 and -15, et cetera. And it’s not like the name isn’t meaningful and descriptive. So, readers: do you think this is the worst name ever, planetary system or otherwise? Does it shake your tree? We’re on the fence.

Avoid Awkward Video Conference Situations With PIR And Arduino

Working from home with regular video meetings has its challenges, especially if you add kids to the mix. To help avoid embarrassing situations, [Charitha Jayaweera] created Present!, a USB device to automatically turn off your camera and microphone if you suddenly need to leave your computer to maintain domestic order.

Present consists of just a PIR sensor and an Arduino in a 3D printed enclosure that snaps onto your monitor. When the PIR sensor no longer detects someone in range, it sends a notification over serial to a Python script running on the PC, which switches off the camera and microphone in Zoom (or another app). It can optionally turn these back on when you are seated again. The cheap HC-SR501 PIR module’s range can also be adjusted with a trimpot for your specific scenario. It should also be possible to shrink the device to the size of the PIR module, with a small custom PCB or one of the many tiny Arduino compatible dev boards.

For quick manual muting, check out the giant 3D printed mute button. Present was an entry into the Work from Home Challenge, part of the 2021 Hackaday Prize.

Project Starline Realizes Asimov’s 3D Vision

Isaac Asimov wrote Caves of Steel in 1953. In it, he mentions something called trimensional personification. In an age before WebEx and Zoom, imagining that people would have remote meetings replete with 3D holograms was pretty far-sighted. We don’t know if any Google engineers read the book, but they are trying to create a very similar experience with Project Starline.

The system is one of those that seems simple on the face of it, but we are sure the implementation isn’t easy. You sit facing something that looks like a window. The other person shows up in 3D as though they were on the other side of the window. Think prison visitation without the phone handset. The camera is mounted such that you look naturally at the other person through your virtual window.


This Week In Security: Pwn2own, Zoom Zero Day, Clubhouse Data, And An FBI Hacking Spree

Our first story this week comes courtesy of the Pwn2Own contest. For anyone not familiar with it, this event is held twice a year, and features live demonstrations of exploits against up-to-date software. The one exception to this is when a researcher does a coordinated release with the vendor, and the update containing the fix drops just before the event. This time, the event was held virtually, and the attempts are all available on YouTube. There were 23 attacks attempted, and only two were outright failures. There were 5 partial successes and 16 full successes.

One of the interesting demonstrations was a zero-click RCE against Zoom. This was a trio of vulnerabilities chained into a single attack. The only caveat is that the attack must come from an accepted contact. Pwn2Own gives each exploit attempt twenty minutes total, and up to three attempts, each of which can last up to five minutes. Most complex exploits have an element of randomness, and exploits known to work sometimes don’t work every time. The Zoom demonstration didn’t work the first time, and resetting took the team long enough that they only had time for one more try.

BleedingTooth

We first covered BleedingTooth almost exactly six months ago. The details were sparse then, but enough time has gone by to get the full report. BleedingTooth is actually a trio of vulnerabilities, discovered by [Andy Nguyen]. The first is BadVibes, CVE-2020-24490. It’s a missing length check in the handling of incoming Bluetooth advertisement packets, which leads to a buffer overflow. The catch here is that the vulnerability is only reachable over Bluetooth 5.

Zoom Out Of The Classroom With A Mushroom Button

Considering the state of, well, everything, we can’t tell you how glad we are to be out of school. That goes double for not being a teacher these days. [Elena] had some awesome light-up tactile buttons set aside for a killer Kerbal Space Program controller, but it’s funny how a pandemic will change your priorities. Instead, those buttons found a good home in this colorful and enticing Zoom control panel.

[Elena]’s ready pile of Arduinos yielded no Leonardos or Pro Micros, but that’s okay because there’s a handy bootloader out there that allows you to reprogram the USB interface chip of an Uno or a Mega and use it as a keyboard. After setting that up, it was mostly a matter of wiring all those latching and momentary buttons and LEDs to the Mega and making them look fantastic with a set of icons. (We all know the big red mushroom button is for aborting the call; so does it really need an icon?)

[Elena] was inspired by the Zoom call-terminating pull chain we saw a month or so ago as well as the pink control box that launched a thousand or so macro keyboards. Have you made your own sanity-saving solution for our times? Let us know!