How to make a stranger's insecure 3D printer halt-and-catch-fire – plus more alerts from infosec world

We're one week further along, and we hope everyone is well out there. Time for another security roundup amid the coronavirus lockdown. 3D printing turns red hot In what was surely a very serious piece of research and not just an excuse to set stuff ablaze, the team at the aptly-named CoalFire have demonstrated how a 3D printer …

  1. IGotOut Silver badge

    ".....developers in the Play Store, each said to be requesting excessive permissions with the aim of pumping out ads to unsuspecting users...."

    I take it Google is the No1 in the list of developers?

  2. Henry Wertz 1 Gold badge

    Yes and no

    "Charges may include: disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications."

    Of course, the big problem here is the FBI field office is wrong about claiming Zoom bombing is "video hacking" (or more properly cracking.) When there is no password set, nothing is being cracked and there is no computer intrusion. Disrupting a public meeting? Maybe but I doubt they'd bother. FBI is infamous for claiming they won't lift a finger until like $250,000 in damages are racked up.

    Hate crimes, fraud, and transmitting threatening communications? Don't do it, it's not nice and the FBI is likely to throw the book at you over it.

    1. Anonymous Coward

      Re: Yes and no

      Surely the meeting ID can be regarded as a security token if it is not plaintext? Weak security does not exculpate intrusion.

      1. imanidiot Silver badge

        Re: Yes and no

        It's more like trying random phone numbers and annoying whoever picks up. Not exactly nice to do, but mostly just a nuisance.

        1. Anonymous Coward

          Re: Yes and no

          Not really, because your phone number doesn't change every time you use it. (Unless you are a spammer.)

    2. Anonymous Coward

      Re: Yes and no

      The FBI is far more interested in chasing the drugs merchants than hackers or spam merchants. When you bust a drug merchant then you can make a little money on the side and enjoy a puff or two when you get home. Busting a hacker or spam caller is boring.

  3. Alan J. Wylie

    Halt and catch fire

    Nice headline

    1. Anonymous Coward

      Re: Halt and catch fire

      It was an undocumented and undesirable opcode on the original Motorola 68000. Apparently it turned one internal bus driver on high and another on low, and then stopped. Until there was a sharp crack and an epoxy smell, and a very distinct raised line down the middle of the 64 pin IC. The 68000 drew an average 500mA, a lot for the period, and a lot more when HCF hit the execution engine.

      I know of at least one case where a demo tape of this caused a company to go for the TMS9900 rather than the 68000, which was a longer term error as the bug was fixed on subsequent steppings.

      1. Alan Brown Silver badge

        Re: Halt and catch fire

        It would happen on the 6502 as well.

        1. Anonymous Coward

          Re: Halt and catch fire

          But not as much fun and not nearly so expensive.

      2. Anonymous Coward

        Re: Halt and catch fire

        The ICL 2903 was programmed at a very low level with critical timings. The card reader had a timing problem that was notorious under certain error conditions - giving the command: "select solenoid and catch fire".

  4. bombastic bob Silver badge

    harvested WINDOWS login creds?

    "they harvested login credentials, particularly Windows login creds, from visitors."

    Was THIS because of the use of the (strongarmed during setup) MICROSOFT LOGON???

    You know, the one that is KINDA DIFFICULT to set up WITHOUT using it (requires 2 or 3 extra steps EVERY! TIME! YOU! DO! IT!), because "The Store" is _SO_ important to your computing (even with that 'updated' windows 8.1 version I did a VM install with yesterday... MSDN yeah, still need it to test things).

    Meanwhile EVERYONE (including Intuit) seems to be on board to FORCE YOU INTO THIS SOMEHOW, by NOT SUPPORTING WIN 7 ANY MORE!!!

    And I bet that THIS is a CLEAR EXAMPLE why a "Microsoft Logon" is EXTREMELY BAD!!!

  5. Mage Silver badge

    and spoof the online repository it fetches its firmware

    Can that be done by a drive by java attack, maybe in an advert?

    The JS in the Browser checks default IP addresses, user names and passwords of routers. Then programs in a malicious DNS to spoof a variety of websites and repositories.

    I always change the default router passwords. I notice loads of people don't. Not all companies with expensive equipment have IT depts. Many businesses now think they can use the "Cloud" and have no IT staff at all and have no better password security than a home user. Or put all the passwords in a spreadsheet "in the Cloud". Or entirely rely on MS 365 accounts.

    1. Mage Silver badge

      Re: Can that be done by a drive by java attack

      Javascript. Which is about as much related to Java as BASIC to Fortran.

  6. Anonymous Coward

    "More than half of US phone calls are spam"

    I have received a spam call from my wife. It was 'from' her phone number. Our numbers are both on the same exchange. Only a few minutes earlier she had received a spam call from another number in our exchange's range. They try to make the calling number believable.

    Screw that "add to your block list" advice. Just today I received calls from the same spammer from a 269 area code and a 731 area code. Same voice answered. (I answer these calls, say boo to the initial silence, and drop the phone near some mechanical equipment for the then connecting 'operator' to enjoy - use their time up) The last 10 spam numbers don't even share an area code.

    Every spam call only increases my hatred of the enabling phone companies.

    1. Drew Scriver Silver badge

      Re: "More than half of US phone calls are spam"

      If you have time it's probably best to string them along so they can't snare unsuspecting octogenarians during that time. Call it a public service.

      Talking to scammers/telemarketers in an old-person voice tends to work best - they fall for it every time. Great way to spend an otherwise boring commute.

      1. Anonymous Coward

        Re: "More than half of US phone calls are spam"

        "Talking to scammers/telemarketers in an old-person voice tends to work best - they fall for it every time."

        When I get bored part way through I meekly ask "May I say something?". Then give them a mouthful of loud invective. Unexpected transitions from "nice" to "bad" are a shock to the human psyche.

        Still doesn't stop another of their team ringing again with the same script spiel about being from "BT" or "Microsoft" telling me my PC is infected. You would think they would try to be more efficient in avoiding wasted effort.

    2. Luiz Abdala

      Re: "More than half of US phone calls are spam"

      Remember when we had public phonebooks?

      A list containing your name, your home address, and your phone number?

      Sarah Connor in Terminator?

      I bet that a phonebook wouldn't even be allowed to be created today.

      1. Anonymous Coward

        Re: "More than half of US phone calls are spam"

        "I bet that a phonebook wouldn't even be allowed to be created today."

        In the UK - BT deliver a local one to line subscribers every year or so. In the old monopoly days only subscribers who had gone ex-directory weren't listed. Nowadays the customer base is spread over many suppliers - so fewer numbers and addresses are listed. The local version is also now printed with such a small typeface that it needs a magnifying glass to read it.

        The directory enquiries service is now provided by many suppliers - often at eye watering prices per request. Fortunately BT have a national online version of their customers.

        Other online services will also provide search information about a person - even if only using their name to trawl various UK data sources. The personal opt-out from the sold electoral roll listing means they now lack full access to more up-to-date versions of that government compiled data.

  7. Version 1.0 Silver badge

    Security? We've heard of it.

    It's just today's list of hacks and bugs, all of which will be fixed in the next few days maybe. I know that my devices are secure because they update every single day or two ... it's entertaining to turn off the automatic updates on your phone and then just get notified that you need to update - virtually every single bloody day!

    What does this tell us about the coders? How come they are still employed when they screw up all the time?

    The old joke was that if builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization (Weinberg's law). But these days it means the builders would be mega-rich because they would be selling new buildings every other day, collecting the inhabitants' data and selling them adverts for new buildings.

    1. Drew Scriver Silver badge

      Re: Security? We've heard of it.

      What's more, the executives brag about how many bugs can be fixed and how quickly!

      What happened to the days that execs would brag about how little need there was for fixing bugs because they were fastidious about Q&A?

    2. baud

      Re: Security? We've heard of it.

      Hey, at least your phone is still getting updates

  8. baud

    I'm disappointed the Coalfire page didn't feature any picture of a test of the vulnerability on an actual 3D printer.


Biting the hand that feeds IT © 1998–2021