I’ve been growing dissatisfied with my old hosted WordPress blog for a while, for various reasons, and the recent unpleasantness from the Automattic CEO (which I shall not rehash here; you can search the tech news if you want to know more) was a sufficient catalyst for me to start looking for alternatives.
I considered hosting my own WordPress instance, but hosting and maintaining it would be a huge pain and I was really looking for a low-friction solution. There are a bunch of static blog generators out...
Ever wondered why 100nF is a go-to value for decoupling capacitors? This number has pervaded datasheets and electronics advice going back to the 1980s, and is still widely present in the datasheets of modern components. Folks are out there sprinkling 100nF capacitors on their boards like seasoning, and when they decide 100nF isn’t enough, they inevitably recommend the big/little practice, e.g. 1uF + 100nF in parallel.
Unfortunately, 100nF kinda sucks, and this common decoupling practice is incredibly...
Back in August I did a stream on Twitch where I dug through the OCP Grand Teton server chassis design. The Open Compute Project (OCP) is an organisation that works to design and publish open server standards. Their projects cover all sorts of datacenter tech, including entire server platforms. Many of their projects are published with collateral, i.e. the design files for the platform, including entire sets of schematics, PCB designs, documentation, mechanical drawings, etc.
OCP Grand Teton is a...
This isn’t really a blog post in the normal sense. I got diagnosed with ADHD when I was 31, primarily as a result of seeing other people talk about ADHD and realising that their experiences strongly resonated with me. Part of the medical diagnosis process involved me putting together a list of symptoms I experienced. Since then this list has proven useful when talking to other people who think they might have ADHD, as a reference point. It only occurred to me today that I should probably just make the list...
The SPICE models released by vendors are often really bad, producing results that come nowhere near matching the behaviour described in the datasheet. A recent example I ran into was for the CREE XLamp XP-E2 series LEDs, where the provided models underestimated the forward diode current by a factor of 6 compared to the datasheet and real-world measurements. Some vendors also don’t bother to release SPICE models at all, making it difficult to simulate the parts in LTspice.
Luckily, it is possible to turn...
This is a short rewrite of a post I wrote elsewhere, but which is no longer easily searchable or accessible.
If you’ve got a DIMM that’s going bad and your system supports Machine Check Architecture (MCA) / Machine Check Exceptions (MCEs), you might see alerts about memory errors popping up in your logs or console output. They typically look something like this:
MCA: Bank 9, Status 0x8c000047000800c0
MCA: Global Cap 0x0000000007000c16, Status 0x0000000000000000
MCA: Vendor "GenuineIntel", ID...
Content warning: this post contains references to online stalking, doxxing, harassment, and deadnaming.
I have a lot of opinions about copyright and the DMCA, but a vanishingly small proportion of those opinions are particularly unique or notable. There are plenty of people who are far better qualified than I to opine about the state of copyright law at a structural level, and I will not presume that I could write anything on the matter that would be contributory.
I do, however, have direct experience...
This blog post is a companion piece to my LED PWM Calculator web tool.
Your eyes are part of an evolutionary pathway that started more than half a billion years ago. Vision capable of accurately identifying objects and movements in the dark has proven to be a key asset when it comes to the chances of surviving the night in an environment filled with predators. This blog post is about LEDs, which are not generally considered to be predators. However, this millennia-long evolutionary process of biological...
Intel has a technology called Virtual RAID on CPU (VROC) that lets you set up RAID arrays of NVMe SSDs, with the RAID calculations being offloaded to specialised hardware on the CPU instead of being done in software. When I built my workstation back in 2019, I installed an Asus HYPER M.2 card, which is a PCIe 3.0 x16 carrier card that breaks out into four M.2 slots. The M.2 slots are separated using 4-way bifurcation, which allows one 16-lane slot to be split into four 4-lane slots. With four Corsair MP510...
This is part two of my “convert a bunch of notes I made about capacitors into a blog post” series. If you missed part one, which covered ceramics and MLCCs, you may wish to read it first.
Again, this article is mostly going to be useful to you if you already know a bunch about capacitors and want a big infodump to pick up some new facts from, and it comes with a caveat that I am not a capacitor expert.
I’m primarily going to talk about wet aluminium electrolytic capacitors in this post, since they’re...
I’ve been reading about capacitors a lot lately. Not just their high-level circuit behaviours, but also their materials and physical properties. I put together a heap of notes on the topic. Knowing me, these notes will languish in my documents folder and I’ll never look at them again. And that’s ok, because that’s just how my brain works, but it occurs to me that someone else might find these notes useful.
As such, I’ve transformed them into something more readable, and that’s what this blog post is. I’ve...
Microsoft added a new field, GuardMemcpyFunctionPointer, to the PE load config structure in Windows 22H2. I couldn’t find any documentation on this at all, either from Microsoft or from reverse engineers, so I thought I’d post my initial findings here.
The field is a virtual address (VA) that typically points into the .rdata section. At this virtual address there is another virtual address, which (in every binary I have checked so far) points to the memcpy implementation in the .text section. As is...
How many processors does Windows 10 support? It’s a simple question, but the correct answer is surprisingly hard to come by.
What led me to ask this question was curiosity: I wondered whether it would be possible to run Windows 10 on a Supermicro 7089P-TR4T - a single-node server with eight Intel Xeon Scalable sockets in an S8S configuration.
Windows Server licenses come with a baseline limit of 16 physical processor cores. If you want to use more cores, you have to buy additional core licenses. For...
FreeNAS 11.x is no longer receiving package updates due to the major version update to TrueNAS 12.x. A side effect is that the CA certificates database from systems on 11.x is now outdated and contains expired CA certificates. This causes errors such as the following when attempting to create jails or update the OS:
Update server could not be reached
HTTPSConnectionPool(host='update-master.ixsystems.com', port=443): Max retries exceeded with url: /FreeNAS/trains.txt (Caused by...
Today I found that Calculator.exe could not open. Since it is now a Microsoft Store app, apparently that is a thing that can happen, rather than the executable just being an innate standalone part of the OS. Moronic design decisions aside, finding a fix for this error online is an exercise in futility, because apparently nobody actually knows what the problem is and just guesses at solutions (e.g. sfc /scannow… sigh).
To save folks some reading if they’re trying to figure out if this blog post is even...
Intel Cryo Cooling is an active cooling solution that uses a TEC, also known as a Peltier element, to cool the CPU. A TEC can pump heat from one side of it to the other, meaning that one side gets cold while the other gets hot. This is useful for situations where you want to reduce the heat of something below the ambient temperature. Many camping fridges utilise TECs for this purpose.
While TECs have previously been investigated for the purposes of sub-ambient cooling, they were generally considered...
This blog post started as a ridiculously long comment on a GitHub issue. It’s long enough that it should be a blog post, as someone on Twitter pointed out to me, so now I’m replicating it here with some tweaks to make it read a bit better in continuous prose.
A caveat: I very quickly slapped this together and have not 100% validated everything. There might be some mistakes. Shout at me on Twitter (I’m over on Mastodon now) if you find issues.
The issue at hand here is this: you’ve got an x86_64 Windows...
Memory DIMMs have a small flash memory chip (EEPROM) on them, containing an important descriptor table called the Serial Presence Detect (SPD). This data tells the system the size, speed, timings, operating voltage, manufacturer, part number, overclocking profiles, and all sorts of other information about each DIMM. The SPD chip is accessed using the SMBus protocol, which is based on I2C.
Tools such as CPU-Z, RAMMon, and RW Everything can be used to read the SPD data by talking to the flash chip over a...
Everyone has something that they are weirdly knowledgeable about. For me, that’s Futurama. It’s one of my favourite shows of all time and I’m only just shy of being that guy who goes to comic conferences to annoy the writers with questions about minor production mistakes.
The thing I’m going to talk about in this post is the show’s season and episode numbers. That might sound like the most tedious thing that has ever been talked about ever, and maybe it is. But it’s also weirdly complicated, to the point...
SwiftOnSecurity asked “What would you change in Windows?”. There are a lot of replies to the thread, and I read them all. I have some of my own thoughts, too, but it was too much for a bunch of Twitter replies, and I think it’s probably useful to collate everything I saw in the thread (or at least the ones that I agree with - some of them are a bit wild) into one place. So without further ado, here’s what I would change in Windows:
Finish the new settings UI
The new settings system was a recurring theme...
The Windows XP SP1 and Server 2003 source code leaked recently, and it includes the build system. While it isn’t exactly simple to get it up and running, and not everything is included (missing winlogon is the biggest problem), people have already figured it out and managed to make working VMs from it.
A quick disclaimer: Nothing in this blog post contains any source or copyrighted material from the leak, in any form. Don’t ask me for the leaked source, and don’t ask me where to find the leaked source,...
At the worst possible moment, my C920 developed a horizontal line of dead pixels. I’m due to run an online event this weekend and I can’t do that without a half-decent webcam. But, with the lockdown in full effect, it seems that everyone has scrambled to buy them, and they’re out of stock everywhere - including Logitech’s own store. The RMA process is likely to take weeks, and I don’t have the luxury of waiting that long. I managed to find a BRIO 4K Stream Edition in stock at a rather inflated price, but...
Windows Server supports NIC Teaming, also known as Load Balancing/Failover (LBFO), which allows you to bond multiple network interfaces together, for example using 802.3ad (LACP). It used to be possible to enable teaming on Windows 10 via PowerShell, even though it wasn’t intended, but in 2016 Microsoft said that the feature was never intended to be available on desktop SKUs, and removed it.
But, if it can be removed, it can be put back in!
By copying a few files and registry keys from a Windows...
I ran into an issue where trying to view a wiki page in Gitea threw an error:
template: repo/wiki/view:48:14: executing "repo/wiki/view" at <(not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH))>: can't give argument to non-function not $.DisableHTTP
This issue was fixed in Gitea 1.11.4, so you’re probably running 1.11.3 or before. The latest version of the Gitea plugin in FreeNAS, at time of writing, contains version 1.11.5, which fixes the issue. You can...
SMB Multi-Channel is a useful performance feature that distributes SMB traffic over multiple network connections, allowing it to scale across multiple network adapters, as well as multiple CPU cores through the use of receive-side scaling (RSS). It is supported and enabled in Windows 10 by default, and Samba has support for it as of version 4.4. At the time of writing, FreeNAS 11 is running smbd version 4.10.2, which of course means it supports multi-channel.
Multi-channel works by making multiple TCP...
I’m transitioning all of my local network services toward using an internal CA, but AdvancedTomato is a little trickier in that regard because it doesn’t have support for loading a custom cert or key in the web UI.
Instead, you must connect over SSH and modify the certificate files manually, then write them to nvram. Simply upload cert.pem and key.pem to the root home directory, then save this shell script:
cp ./cert.pem /etc/cert.pem
cp ./key.pem /etc/key.pem
sed -i "/END CERTIFICATE/q"...
TL;DR - OBS can do this using a display capture source and multiple output projectors. I’m using Streamlabs OBS on Windows, but you can probably make it work on regular OBS on any supported OS.
On my home workstation I’ve got three side-by-side monitors. Normally I roughly dedicate them to separate tasks - left usually has social/chat apps, music, etc., middle is whatever I’m working on, and right is usually either reserved for reference (e.g. documentation, diagrams, etc.) or as a sort of holding...
A lot of folks on the net seem to be interested in moving games from the Epic Games store from one drive to another, usually because they’re running out of space on their disk or they want to move the game to faster storage. I installed a bunch of games when I first built my new workstation, before I built a VROC RAID0 of M.2 NVMe SSDs, and wanted to move all of the games to the new large and fast storage array. Unfortunately, all of the advice I’ve found so far is basically to move the game files...
I recently built a new computer and enabled BitLocker on it. When doing so, it asked me to save my recovery key, but I didn’t have a working printer or a flash drive to hand to save my recovery key to (also it doesn’t seem sane to store the recovery key in cleartext on a USB stick), so I cheated and used Print to PDF to save the recovery key to my OS drive… the one I was encrypting.
A little later I was hardening my security settings and changed the DEP policy from the default (opt-in) to opt-out. I...
I’ve recently been making some mods for the game Rust. I don’t play much of the game myself, as I’m pretty bad at FPS games in general, but I do enjoy watching a select few YouTubers and streamers play it. One thing that I’ve seen a bunch of them complain about is the excessive use of autoturrets and other traps during raids, and for griefing people and areas. While I can’t do much to help the vanilla players, I am familiar with making mods for the game using the Oxide mod framework, which is now part of...
I just hit 100,000 reputation on Information Security StackExchange! 🎉
I thought this would be a good moment to talk about why StackExchange is so important to me, and what my journey into security looked like. The story starts way back in 2012, before I worked in infosec. Back then I was a few months out of university, having studied for a computing degree (basically compsci + dev management), working my first job as an entry-level developer. I had already been interested in security for over a decade by...
Weak referencing is a really useful feature when you don’t mind if an object is deleted, but you might still potentially want to access it again in future. For those of you who aren’t familiar with the concept of weak referencing, I’ll describe it briefly. If you already know how it works then you can skip ahead.
.NET is a garbage collected language, meaning that objects you create on the heap (e.g. with new) are automatically cleared up by the garbage collector (GC) when they are no longer being used....
A lesser-known feature of the Windows memory manager is that it can maintain write watches on allocations for debugging and profiling purposes. Passing the MEM_WRITE_WATCH flag to VirtualAlloc “causes the system to track pages that are written to in the allocated region”. The GetWriteWatch and ResetWriteWatch APIs can be used to manage the watch counter. This can be (ab)used to catch out debuggers and hooks that modify memory outside the expected pattern.
There are four primary ways to exploit this...
A short while ago, slipstream/RoL dropped an exploit for the ASUS memory mapping driver (ASMMAP/ASMMAP64) which was vulnerable to complete physical memory access (read/write) to unprivileged users, allowing for local privilege escalation and all sorts of other problems. An aside to this was that there were also IOCTLs available to perform direct I/O operations (in/out instructions) directly from unprivileged usermode, which had additional interesting impacts for messing with system firmware without...
I’ll be speaking at 44CON this year, at the community evening on Wednesday 9th September. The community evening is free to attend - you just need to register to attend if you don’t have a conference ticket. My talk is currently scheduled at 19:45, and I’m speaking about writing Windows drivers, with the goal of leaving you a bit more informed about how they work, and how to get started.
In addition to my talk, Saumil Shah will be speaking about Stegosploit, and Michael Boman will be running a workshop on...
Back in June, I was doing some analysis on a Windows driver and discovered that the INIT section had the read, write, and executable characteristics flags set. Windows executables (drivers included) use these flags to tell the kernel what memory protection flags should be applied to that section’s pages once the contents are mapped into memory. With these flags set, the memory pages become both writable and executable, which violates the W^X policy, a concept which is considered good security practice....
Another year has rolled by (damn, I really don’t update this blog much, do I?) and Securi-Tay IV is coming up. I’ll be speaking about security issues related to serialisation and deserialisation of data in modern programming languages, including PHP and C#.
My colleague FreakyClown will be talking about robbing banks for a living, which promises to be amusing at the very least (which reminds me - ask me about coathangers and server rooms when you see me).
Most importantly though: we (and by that I mean...
Just a quick tip for anyone doing a code review of a Java EE web application: LAPSE+ is a very useful tool to have in the arsenal, whether you’ve got the original source or just the JAR/WAR file.
In my case, the client provided me with a single .WAR file which contained the application. As it was a large application, I didn’t really fancy digging through everything manually with JD-GUI, although it is an excellent Java decompiler. I decided to take the opportunity to give LAPSE+ a try.
Here’s what you’ll...
I’m doing a talk about cryptography at Securi-Tay 2014 on the 15th of January, up in Dundee, Scotland. The talk is aimed at people who are interested in cryptography from a practical perspective, but are put off by the slew of hieroglyphs and maths-speak that tends to plague the field. The talk is entitled “Breaking bad crypto without breaking your brain”. I promise that there are no Breaking Bad references in there, primarily because I seem to be the only person on earth that still hasn’t started watching...
In my previous post I talked about a vulnerability in Steam which allows you to bypass UAC. I’m going to be totally transparent here: I fucked up. I wrote the draft post a few days back, then did some more work on the vulnerability. I discovered something much more serious in the process. I posted last night’s blog post at 1am, tired as hell, and in my sleep-deprived state I completely neglected to update it properly, and there are several mistakes and bits of missing information. The draft went out and...
Like many other gamers, I love Steam. Not only is it ridiculously convenient, but it’s also become a pretty awesome platform for indie game developers to get their games out there. It provides an online store platform for 54 million users, and most of the time it does an excellent job. That’s partly the reason why I’m so frustrated with Valve right now.
I spent a good few hours playing with a bug I found in Steam, and then made an effort to provide Valve with a clear, concise, detailed security...
Dropbox has become a daily part of my life. I rely on it to synchronise data between my growing set of devices. But how much of an impact does it have on the security of my system? I decided to find out by digging around in exactly what it does to my machine, or more specifically, the processes running on it.
The first thing I want to check out is what modules are loaded into various processes. Tools like Dropbox like to extend the functionality of other programs using shell extensions, which are nothing...
When I moved into my flat, I found that the previous tenant had left behind his Sky Broadband router. Awesome - a new toy to break! Sadly I got bogged down with silly things like moving house and going to work, so I didn’t get a chance to play with it. Until now, that is.
This isn’t the first embedded device I’ve played with. Over the years I’ve desoldered EEPROMs from routers, done unspeakable things to photocopiers, and even overvolted an industrial UPS unit via SNMP. The router I shall be discussing in...
In light of the numerous recent attacks against SSL, I thought I’d offer up a quick and simple crypto lesson about why MAC-then-encrypt schemes are bad. This post will require only a minimum of knowledge about cryptography, so hopefully it’ll be useful to a wide range of people.
This is not designed to be a full and detailed description of how SSL works, or how various attacks against it work, but rather a short primer on the subject for those who know a bit about crypto but don’t really understand how...
I just came across a cool trick you can try which allows you to crack passwords on a remote system that is running the VMware Authentication Daemon. This service installs and runs by default on Windows host machines that have VMware Virtual Workstation installed, and listens on TCP port 912. It shows up on nmap as apex-mesh, but doesn’t follow the APEX protocol at all. Instead, it looks a little bit like a hybrid between an FTP and SMTP server:
220 VMware Authentication Daemon Version 1.0,...
There are two main points to take away from the Kelihos.B takedown. The first is that malware writers, as smart as they are, are really dumb.
Forget about malware for a moment, and imagine the architecture involved in Kelihos.B was part of a legitimate distributed-computing business system. Would you invest all that time and effort to build a P2P network and design a mechanism for message propagation, then leave it wide open to attack by failing to include any form of authentication mechanism? It’s...
A new vulnerability (CVE-2012-0056) that affects almost 650 different builds of the Linux kernel allows effortless privilege escalation to root. It works by forking child processes to trick the self_exec_id check on /proc/pid/mem access, allowing the code to modify its own SUID and gain root.
CVE-2012-0056 $ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+]...
I was dubious at first, but I really have grown to like Redis. It’s a wonderfully simple solution to the problem of high-performance fast-changing data storage. However, its simplicity (combined with the incompetency of certain users) can easily become a detriment to security.
The Redis protocol is a simple plain-text mechanism, offering no transport layer security. This is a problem in itself, but it gets worse. By default, it listens on all available IP addresses on port 6379, with no authentication...
In this series of posts, I’m going to discuss executable analysis, the methods that are used and mechanisms to prevent them. There are three types of analysis that can be performed on executables:
Static - Analysis of the sample file on disk.
Emulated - Branch and stack analysis of the sample through an emulator.
Live - Analysis of the executing sample on a VM, usually using hooks.
I’m going to look at each type in detail, giving examples of techniques used in each and ways to make analysis...