The flaws in smart contracts and the security corner round out the news. Read on...
Share this using the hashtag #SWE.
Reverse-engineering a 45-year old ALU.This post from Ken Shirriff explains how the ALU worked in Intel’s first 8-bit microprocessor, the 8008. If you don’t know why that matters, “the 8008 is historically important because it essentially started the microprocessor revolution and is the ancestor of the x86 processor family that you are probably using right now.”
Understanding htop. htop is a powerful process monitor that reveals much more data about a machine’s performance than regular top. Here’s a great overview that explains what all the fields, graphs, and related stuff means.
Pay attention to denomination pay out ratios. Win more on the higher denominated slot machines. They have a higher pay out ratio. This may come as a surprise, however it is the lower denominated slot machines that have the worst pay out ratios.
Hack Slot Machine App
“Smart Contracts” are neither?This post from Ed Felten’s Freedom to Tinker explains how smart contracts, as used in some blockchain-based systems, aren’t really smart and aren’t really contracts.
Have $55? This tool will destroy many devices just by plugging it in. The “USB Killer” device does what it says on the tin, permanently damaging the USB port or entire device in many pieces of hardware. It does this by sucking power from the device, storing it in a series of onboard capacitors, then barfing a giant voltage spike across the USB/Lightning port of the target device, causing it to have a bad day. Maybe Apple’s courage in removing ports was just a brilliant bit of foresight.
A hole in the cloud. Another great 33C3 talk was this series of talks discussing how memory deduplication in virtual machines can be exploited. The three methods (CAIN, CAIN+Rowhammer, and Flip Feng Shui) combine to enable things like SSH login, browser exploits, and a compromise of the software update process.
Cheating a slot machine through the power of random numbers. Using a cell phone app to exploit the PRNG in a slot machine lead to huge casino losses. Read more in this piece from Wired. How much can you exploit the machines for? Try “upwards of $250,000 in a single week.”
The people responsible for sending the missile warning have been sacked. An alerting system test at Spangadhlem Air Base in Germany probably lead to much freaking-out, as a message was sent telling airmen that a missile was inbound to the base and to seek shelter immediately. Eight minutes later, the all clear was sent.
“Web Bluetooth” - two words I never wanted to see together. Chrome version 56 has added support for the Web Bluetooth API, opening up your Bluetooth devices to fun and exciting exploits from the Internet… I mean, opening up your Bluetooth devices to interact with websites for things like data exchange or software updates. Ostensibly, you must affirmatively opt-in before any data about your Bluetooth devices is shared with the website, but we’ll see how well that actually is implemented.
In the security corner: websites continue to find ways to fingerprint users, that doll might be a spy, and new Mac malware comes from Russia, with love:
- In news I’m certain surprised absolutely nobody, researchers have developed a technique to track users even if they use multiple browsers. As you might guess if you’re familiar with fingerprinting techniques, it relies primarily on WebGL tasks, most of which execute in very similar ways across browsers. According to the researchers, they are able to successfully fingerprint over 99% of users.
- The “My Friend Cayla” doll was classified by the German government as an illegal espionage apparatus, because it contains a microphone and is disguised as another object. The Germans, for some reason, are very wary of anything that could conceivably be used for surveillance. Access to the doll is, of course, not very secure, contributing to the problem.
- Xagent malware for the Mac has been blamed on APT28, the same Russian hacking group allegedly responsible for the DNC leaks in the 2016 election. Xagent has many capabilities and uses domains that look like Apple domains to hide their C&C services. Of course, attributing malware to any group is more art than science, but this is still noteworthy because of how strong this malware is.
Hack Slot Machine At Casino
As a programming note, we won’t produce a rundown next week. Look for the next one on Monday, March 6. Further, we’re continuing to experiment with the best way to deliver this content. Look for video features to join this rundown soon. If you have feedback, or think there’s something I should cover next time, leave a comment!
Slot Machine Hacks No Money
Cover photo: A slot machine interface. Note: the machine pictured is not made by the manufacturer of the machines that were exploited in the slot machine story. It's just a flashy pic of a slot machine. Credit: Bloomberg / Getty