Welp, sup, yep, yup, nope
> Though we have presented quite a bit of informal and recent use, our earliest written use of welp goes back over 70 years. It shows up in a scholarly article on two of welp’s linguistic cousins: yep and nope. Well gained that final -p as part of a normal process of articulation: the lips come together to stop the sound of well and prepare for the next sound, and some hear that stoppage as a -p. This means it is very common in speech. One linguist went so far as to say that anyone who didn’t know what welp meant was probably an alien.
CVE-2020-8816 – Pi-hole Remote Code Execution
> Pi-hole is affected by a Remote Code Execution vulnerability. An authenticated user of the Web portal can execute arbitrary commands on the underlying server with the privileges of the local user executing the service. Exploitation of this vulnerability can be automated.
Neat trick to get around input restrictions:
> Luckily for us, the PATH contains the strings “pihole” and “usr”, which in turn contain the “p”, “h” and “r” lower-case characters. Those are the only letters we need to write “php -r”.
Vulnerabilities! We’ve got vulnerabilities here! … See? Nobody cares.
> Jurassic Park is often (mistakenly) left out of the hacker movie canon. It clearly demonstrated the risk of an insider attack on control systems (Velociraptor rampage, amongst other tragedies…) nearly a decade ahead of the Maroochy sewage incident, it’s the first film I know of with a digital troll (“ah, ah, ah, you didn’t say the magic word!”), and Samuel L. Jackson correctly assesses the possible consequence of a hard reset (namely, everyone dying), resulting in his legendary “Hold on to your butts”. The quotable mayhem is seeded early in the film, when biotech spy Lewis Dodgson gives a sack of money to InGen’s Dennis Nedry to steal some dino DNA. Dodgson’s caricatured OPSEC (complete with trilby and dark glasses) is mocked by Nedry shouting, “Dodgson! Dodgson! We’ve got Dodgson here! See, nobody cares…” Three decades later, this quote still comes to mind* whenever conventional wisdom doesn’t seem to square with observed reality, and today we’re going to apply it to the oft-maligned world of Industrial Control System (ICS) security.
Learning from LadderLeak: Is ECDSA Broken?
> The paper authors were able to optimize existing attacks exploiting one-bit leakages against 192-bit and 160-bit elliptic curves. They were further able to exploit leakages of less than one bit in the same curves.
> We’re used to discrete quantities in computer science, but you can leak less than one bit of information in the case of side-channels.
> If “less than one bit” sounds strange, that’s probably our fault for always rounding up to the nearest bit when we express costs in computer science.
Is X25519 Associative? Sometimes!
> The age design includes a double invocation of X25519: once with a domain separation tweak, once with the actual secret. While implementing this I wondered: can we multiply those two scalars first, instead of doing two point multiplications in a row? It would be much faster!
Latency in Asynchronous Python
> This week I was debugging a misbehaving Python program that makes significant use of Python’s asyncio. The program would eventually take very long periods of time to respond to network requests. My first suspicion was a CPU-heavy coroutine hogging the thread, preventing the socket coroutines from running, but an inspection with pdb showed this wasn’t the case. Instead, the program’s author had made a couple of fundamental mistakes using asyncio. Let’s discuss them using small examples.
How to Put More “Character” Into Your NPCs
> There’s something about the term “NPC” (Non-Player Character) that sounds hollow to me. Maybe it’s the ambiguousness of acronyms, or how the term literally sounds like “empty.” As a narrative designer, my philosophy is to think of NPCs less like assets on a spreadsheet, and more like my cast. There are big and small parts, but I believe designers can give any character soul. (Even a character whose soul was stolen by an evil wizard of some sort!) A bit more effort can make a minor NPC more human, and a game’s world more alive.
> A San Diego federal judge Friday dismissed a $10 million defamation lawsuit filed by the owners and operators of San Diego-based One America News Network against MSNBC and political commentator Rachel Maddow. Last summer, the liberal host told her viewers that the Trump-friendly conservative network “really literally is paid Russian propaganda.”
Cities are closing streets to make way for restaurants and pedestrians
> The forced distancing required by the coronavirus prompted several cities to quickly close some public roads to make room so cooped-up residents anxious to get outside for exercise could do so safely.
> Now, following moves to shut, narrow or repurpose streets from Oakland to Tampa, cities including Washington are seeking to understand how those emergency closures might have lasting impacts on some of urban America’s most important, and contested, real estate.
Penguin poop creates a buttload of laughing gas
> Gobs of guano from king penguins in the sub-Antarctic give rise to comical clouds of nitrous oxide—aka laughing gas—according to a recent study published in the journal Science of the Total Environment.
Pictures from inside the German intelligence agency BND
> The German foreign intelligence service Bundesnachrichtendienst (BND) is moving to a brand new headquarters in Berlin. Here we show some unique pictures from inside the former headquarters in the village of Pullach and also give an impression of what the new building looks like.
The U.S. Is Getting Shorter, as Mapmakers Race to Keep Up
> Scientists are hard at work recalibrating where and how the nation physically sits on the planet. It’s not shrinkage — it’s “height modernization.”
> The grand recalibration, called “height modernization,” is part of a broader effort within the National Oceanic and Atmospheric Administration, or NOAA, to establish more accurately where and how the United States physically sits on the planet. This new National Spatial Reference System, encompassing height, latitude, longitude and time, is expected to be rolled out in late 2022 or 2023, Ms. Blackwell said. It will replace reference systems from the 1980s that are slightly askew, having been derived from calculations that were done before the advent of supercomputers or global navigation satellite systems such as GPS.
The Deprecated *nix API
> But for “*nix”, without any clarifying context, I for one think in terms of shell scripts and their utilities. And the problem is that my own naïve scripts, despite being written on a legit *nix variant, simply will not run on a vanilla Linux, macOS, or *BSD installation. They certainly can—I can install fish, and sd, and ripgrep, and whatever else I’m using, very easily—but those tools aren’t available out-of-the-box, any more than, I dunno, the PowerShell 6 for Linux is.
Three bugs in the Go MySQL Driver
> Adding to this challenge, authzd is deployed to our Kubernetes clusters, where we’ve been experiencing issues with high latencies when opening new TCP connections, something that particularly affects the pooling of connections in the Go MySQL driver. One of the most dangerous lies that programmers tell themselves is that the network is reliable, because, well, most of the time the network is reliable. But when it gets slow or spotty, that’s when things start breaking, and we get to find out the underlying issues in the libraries we take for granted.
Good walkthrough of dealing with some unfriendly bugs.
Installation images renamed from .fs to .img
> There are some UEFI direct-from-internet bootloaders that require the name *.img. So this makes things more convenient for those, while keeping it consistent in all architectures.
How to decode a data breach notice
> But data breach notifications have become an all-too-regular exercise in crisis communications. These notices increasingly try to deflect blame, obfuscate important details and omit important facts. After all, it’s in a company’s best interest to keep the stock markets happy, investors satisfied and regulators off their backs. Why would it want to say anything to the contrary?
Ray Tracing In Notepad.exe At 30 FPS
> A few months back, there was a post on Reddit (link), which described a game that used an open source clone of Notepad to handle all its input and rendering. While reading about it, I had the thought that it would be really cool to see something similar that worked with stock Windows Notepad. Then I spent way too much of my free time doing exactly that.
> I ended up making a Snake game and a small ray tracer that use stock Notepad for all input and rendering tasks, and got to learn about DLL Injection, API Hooking and Memory Scanning along the way. It seemed like writing up the stuff I learned might make for an interesting read, and give me a chance to show off the dumb stuff I built at the same time, so that’s what these next couple blog posts will be about.
The Rise and Fall of Polywater
> Chemicals, like humans, have unique fingerprints, and instruments called spectrometers can identify the elements and molecules from a chemical fingerprint, or spectrum. Yet success hinges on the size of the sample, where bigger is better. In published papers anomalous-water believers lamented there just wasn’t enough of it, certainly not enough to identify its molecular makeup. Scientists measured what they could with the tiny amounts of anomalous water available, largely physical properties, such as boiling point, appearance, thermal expansion, and viscosity. These observations bolstered their conviction that anomalous water was real, but for every believer there were many more skeptics who loudly dismissed the results. The matter would only be settled by a definitive chemical analysis from a spectrometer sensitive enough to determine the fluid’s chemical composition and structure.
> Wheelhouse is a newsletter for makers that covers new materials, techniques, and tools.
(You can read on the web without subscribing.)
Why is This Website Port Scanning me?
> Recently, I was tipped off about certain sites performing localhost port scans against visitors, presumably as part of a user fingerprinting and tracking or bot detection. This didn’t sit well with me, so I went about investigating the practice, and it seems many sites are port scanning visitors for dubious reasons.