
Hackaday Links: August 11, 2024

11 August 2024 at 23:00

“Please say it wasn’t a regex, please say it wasn’t a regex; aww, crap, it was a regex!” That seems to be the conclusion now that CrowdStrike has released a full root-cause analysis of its now-infamous Windows outage, which took down some 8.5 million machines with knock-on effects that reverberated through everything from healthcare to airlines. We have to be honest and say that the twelve-page RCA was a little hard to get through, stuffed as it was with enough obfuscatory jargon to turn off even jargon lovers such as us. The gist, though, is that there was a “lack of a specific test for non-wildcard matching criteria,” which pretty much means someone screwed up a regular expression. Stripped of the jargon: the rule template defined 21 input fields while the code feeding the sensor’s Content Interpreter supplied only 20, and the mismatch went unnoticed for months because every shipped rule used a wildcard in that 21st field; the July 19 update was the first to put a real value there, and the interpreter read past the end of its input. Outside observers in the developer community have latched onto something more dire, though, as it appears the change that brought down so many machines was never tested on a single machine. That’s a little — OK, a lot — hard to believe, but it seems to be what CrowdStrike is saying. So go ahead and blame the regex, but it sure seems like there were deeper, darker forces at work here.

Congratulations, new parents; on top of everything else you’re dealing with, including raging sleep deprivation, there’s a good chance that your bundle of joy has just been bricked. It seems that something called a Snoo, an unbelievably expensive “smart bassinet,” has had its most useful features hidden behind a paywall, and parents are hopping mad. And rightly so; selling something for $1,700 with all the features activated only to pull back two-thirds of them unless the owner coughs up another $20 a month is a little unreasonable. Then again, back in the day we’d have gladly given someone twenty bucks a day if it helped get the kid to sleep, which the Snoo seems to do admirably well. And really, how long is the kid going to be in the thing anyway? A couple of months, tops. What’s another hundred or two when you’ve already spent nearly two grand? Still, we’d love to see someone hack one of these things, or even just do a teardown to see what makes it tick.

Dog lovers, listen up: the dog is OK. But not so much the dog owner’s apartment, as the not-goodest boy managed to burn the place down by gnawing on a lithium-ion battery pack. The entire event, which happened in Tulsa, Oklahoma in May, was captured on a security camera, which shows the moment the playful pup got his first mouthful of nastiness from a tooth penetrating the pack. The speed with which the fire took off is terrifying, but easy to understand since the dog bed where it started was essentially a big pile of tinder. Thankfully, the dog and his co-conspirators noped right out of the house through a doggie door, but it looks like the apartment was a total loss.

Have a project that needs a wiring harness? You might want to check out this cool harness designer. We haven’t had much chance to play with it yet, but it seems pretty cool. You select connectors, wire gauges, and lengths, and the app generates a BOM and wiring diagram.

And finally, in another case of the algorithm actually delivering for a change, we found this very good piece on the history of electrical distribution pylons. It’s heavily UK-centric, but that doesn’t get in the way at all. It not only goes over the history of pylons but also delves a bit into their engineering, both electrical and mechanical. As a bonus, it answers some of the questions you might never know you had, like what those little doo-dads attached to the wires near the insulators are.

This Week in Security: EvilVideo, Crowdstrike, and InSecure Boot

26 July 2024 at 14:00

First up this week is the story of EvilVideo, a clever Telegram for Android exploit that disguises an APK as a video file. The earliest record we have of it is June 6th, when it was advertised on a hacking forum.

Researchers at ESET discovered a demo of the exploit, and were able to disclose it to Telegram on June 26th. It was finally patched on July 11. While it was advertised as a “one-click” exploit, that’s being a bit generous, as the ESET demo video shows. But it was a clever exploit. The central trick is that an APK file can be sent in a Telegram chat, and it displays what looks like a video preview. Tap the “video” file to watch it, and Telegram prompts you to play it with an external player. But it turns out the external player in this case is Android itself, which prompts the target to install the APK. Sneaky.

Traffic Control

We briefly covered this story a couple months ago, focusing on how bad of an idea it is to threaten a good faith researcher with legal action. Well the details of this traffic controller hack are available, and it’s about what you’d expect. Part one is all about getting the hardware and finding a trivial security bypass. The “web security” tab in the user interface seems to be an iframe, and navigating directly to that iframe address simply doesn’t trigger a login prompt. That’s the issue that [Andrew Lemon] first disclosed to Q-Free, leading to the legal nastygram.

Well now we have part two of that research, and spoilers: it doesn’t get any better. A couple of false starts led [Andrew] to a desperation move. He had a new box to test and no login for it, so he started at the basics with Burp Suite’s proxy. And lo and behold, in the request was an odd string. 1.3.6.1.4.1.1206.3.36.1.6.10.1*IDO_0=2&

That is an Object Identifier (OID), the addressing scheme of the Simple Network Management Protocol (SNMP). Traffic controllers speak NTCIP, the National Transportation Communications for ITS Protocol, a family of transportation standards that use SNMP to read and write device objects; 1.3.6.1.4.1.1206 is the NEMA enterprise arc under which those objects live. And this device not only uses that protocol, it does so without authentication. Among the fields that are readable and writable without auth are the system username and system password. No hashing in sight. Now we can only hope that this is ancient hardware that isn’t in use any longer, or at least no longer connected to the Internet. And we’ll also hope that vendors like Q-Free have learned their lessons since this software was written. Though given their response to the vulnerability disclosure, we’re not holding our breath.
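To make that OID concrete, here is an added example (my code, not [Andrew]’s tooling or anything from the Q-Free research) that BER-encodes the NTCIP object identifier from the captured request and wraps it in an SNMPv1 GetRequest, the same datagram a management station sends to read the object. Which NTCIP field this particular OID maps to is not stated above and I do not guess at it; the community string “public”, the request ID and the target host are assumptions. The only “authentication” SNMPv1 has is that community string, sent in cleartext, which is why a device that exposes credentials this way is readable by anyone on the network path. Point the send() helper at lab gear you own, nothing else.

```python
import socket

# ASN.1 BER tags used by SNMPv1 messages (RFC 1157, X.690)
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3

# OID from the captured request above; 1.3.6.1.4.1.1206 is NEMA's enterprise arc (NTCIP objects)
NTCIP_OID = "1.3.6.1.4.1.1206.3.36.1.6.10.1"


def ber_length(n):
    """Definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def encode_integer(value):
    """Minimal two's-complement INTEGER (non-negative values, which is all SNMPv1 needs here)."""
    if value == 0:
        return tlv(INTEGER, b"\x00")
    n = (value.bit_length() + 8) // 8  # +8 leaves room for the sign bit
    return tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def encode_subid(n):
    """Base-128 sub-identifier; high bit set on every byte except the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """OID TLV: the first two arcs are packed into one sub-identifier (40*x + y)."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError(f"not a valid OID: {dotted}")
    body = encode_subid(arcs[0] * 40 + arcs[1]) + b"".join(encode_subid(a) for a in arcs[2:])
    return tlv(OID, body)


def decode_oid(data):
    """Inverse of encode_oid for a single short-form-length OID TLV (e.g. out of a response)."""
    if data[0] != OID or data[1] >= 0x80:
        raise ValueError("expected a short-form OID TLV")
    arcs, acc = [], 0
    for b in data[2:2 + data[1]]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs.pop(0)
    x = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [x, first - 40 * x] + arcs)


def snmp_message(pdu_tag, community, varbinds, request_id):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { id, error, index, varbinds } }."""
    vbl = tlv(SEQUENCE, b"".join(tlv(SEQUENCE, encode_oid(o) + v) for o, v in varbinds))
    pdu = tlv(pdu_tag, encode_integer(request_id) + encode_integer(0) + encode_integer(0) + vbl)
    return tlv(SEQUENCE, encode_integer(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def snmp_get(oid, community="public", request_id=1):
    return snmp_message(GET_REQUEST, community, [(oid, tlv(NULL, b""))], request_id)


def snmp_set_string(oid, value, community="public", request_id=1):
    return snmp_message(SET_REQUEST, community, [(oid, tlv(OCTET_STRING, value.encode()))], request_id)


def send(host, packet, port=161, timeout=2.0):
    """Fire one datagram at a device you own and return the raw response (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        return s.recv(4096)


if __name__ == "__main__":
    pkt = snmp_get(NTCIP_OID, request_id=42)
    print(pkt.hex())
    print(decode_oid(encode_oid(NTCIP_OID)))
```

The SetRequest builder is the same message with PDU tag 0xA3 and a value in the varbind; on a device that honours writes under a default community, that one datagram is all it takes to change a field, which is what makes the unauthenticated username and password objects above so bad.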

The Rest of the Crowdstrike Story

You may have noticed a bit of weirdness around the world last Friday. At 04:09 UTC on the 19th, CrowdStrike pushed a Rapid Response Content update to its Falcon sensor. Rapid Response Content does get tested, but it does not get a staged rollout. In this case, a bug in the Content Validator let the invalid channel file through, and because the rollout was not staged, it went everywhere all at once.

This bogus configuration data triggered an out-of-bounds memory read in the Falcon kernel driver, leading to system crashes. The particularly bitter context is that Crowdstrike had done the same thing to Linux machines a few months earlier. It’s beginning to seem that antivirus kernel drivers are a bad idea.

Microsoft has made it clear that this wasn’t a Microsoft incident. The little-known fact is that Microsoft tried to put an end to antivirus kernel drivers years ago and was blocked by regulators. And why didn’t Windows offer to boot without the crashing driver? The CrowdStrike kernel driver marks itself as a boot-start driver, so it loads before Windows is far enough along to skip it. The one ray of hope is that it’s possible for the system to stay up just long enough for CrowdStrike to pull down the fixed file before the crash. Microsoft’s guidance was that this could take up to 15 reboots.

This time it was Microsoft

There was, apparently, another Blue Screen crash this month. The July Patch Tuesday update dropped some computers into the BitLocker recovery screen, which just happens to be that same shade of blue. It’s not yet clear what about this set of fixes triggered the problem, but it seems that getting the recovery key does get these machines running again.

LetsKill OCSP

Let’s Encrypt surprised a few of us by announcing the end of OCSP this week. The Online Certificate Status Protocol is used to query whether a given certificate is still valid. One of the problems with that protocol is that the client asks the CA about each certificate it encounters, which effectively sends a running browsing history to the CA over the Internet. There’s also a technical issue: the attacks OCSP is designed to defend against also put the attacker in a position to block OCSP requests, and clients silently treat a request that times out as a pass (soft-fail), so a revoked certificate is accepted exactly when it matters most.

The replacement is the Certificate Revocation List (CRL), which is a simple CA-signed list of revoked serial numbers. The problem is that those lists can be huge. Mozilla and Google have rolled out a clever solution that uses data compression and aggressive optimization to handle those CRLs like any other browser update, so the browser checks a local copy instead of phoning home. And hence, OCSP is destined to go away.
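The “clever solution” on the Mozilla side is CRLite, which the paragraph above does not name: the CAs’ CRLs are compiled into a cascade of Bloom filters small enough to ship to every browser, and the result is exact, not probabilistic, because the builder knows the complete set of unexpired certificates (from Certificate Transparency) and keeps adding levels until no false positive remains. Below is an added example of that construction, my code rather than Mozilla’s or Let’s Encrypt’s, run on constructed serial numbers; the filter sizing and the SHA-256 hashing are my choices, and a serial that is in neither input set gets no meaningful answer, which is exactly why CRLite needs CT to enumerate every live certificate.

```python
import hashlib


class BloomFilter:
    """Bit-array Bloom filter; `level` salts the hashes so each cascade level hashes differently."""

    def __init__(self, n_items, level, bits_per_item=16, k=4):
        self.m = max(64, bits_per_item * max(n_items, 1))
        self.k, self.level = k, level
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(f"{self.level}:{i}:{item}".encode()).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_cascade(revoked, valid, max_levels=64):
    """Level 0 holds the revoked serials. Each later level holds the previous level's false
    positives, alternating between the valid side and the revoked side, until a level has none."""
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        if len(levels) >= max_levels:
            raise RuntimeError("cascade did not converge")  # guard against degenerate inputs
        bf = BloomFilter(len(include), level=len(levels))
        for serial in include:
            bf.add(serial)
        levels.append(bf)
        # next level must encode the serials from the other side that this filter wrongly matched
        include, exclude = {s for s in exclude if s in bf}, include
    return levels


def is_revoked(levels, serial):
    """Walk the cascade; the first level that does NOT contain the serial decides.
    Even levels are revoked-side, odd levels are valid-side. Only meaningful for serials
    the builder knew about (revoked or valid); unknown serials are undefined, as in CRLite."""
    for i, bf in enumerate(levels):
        if serial not in bf:
            return i % 2 == 1
    return len(levels) % 2 == 1


def cascade_bytes(levels):
    return sum(len(bf.bits) for bf in levels)


# Constructed sample data: 40 revoked and 2,000 unrevoked 16-byte serials (not real certificates).
REVOKED = [f"{i:032x}" for i in range(1, 41)]
VALID = [f"{i:032x}" for i in range(1000, 3000)]

if __name__ == "__main__":
    levels = build_cascade(REVOKED, VALID)
    print(f"{len(levels)} levels, {cascade_bytes(levels)} bytes "
          f"vs {16 * len(REVOKED)} bytes for the raw serial list")
    print(is_revoked(levels, REVOKED[0]), is_revoked(levels, VALID[0]))
```

Sizing is the whole point: the raw list of revoked serials grows with every revocation, while the cascade costs a few bits per revoked certificate plus tiny correction levels, which is what makes it shippable as a routine browser update.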

InSecure Boot

Binarly is sounding the alarm on Secure Boot. The biggest problem is that at least five device manufacturers used demo keys in production. The Platform Key (PK) sits at the top of the Secure Boot trust chain, and this one predictably leaked; as a result, around 200 device models now have Secure Boot protections that anyone holding the private half can bypass. The key is labeled “DO NOT TRUST - AMI Test PK”. Perfect, ship it!
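If you would rather check your own machine than wait for a vendor list, the PK is readable from efivarfs on Linux. Here is an added example, my code and not Binarly’s tooling, that parses the EFI_SIGNATURE_LIST structure the UEFI spec uses for the PK variable and flags any X.509 entry whose DER contains the “DO NOT TRUST” string quoted above. The embedded sample data is constructed placeholder bytes, not real certificates; the efivarfs path and the substring match are my choices, and the string match is only a crude indicator: Binarly published fingerprints of the leaked test keys, and a proper audit compares the certificate hash against that list, which I do not reproduce here.

```python
import struct
import uuid
from pathlib import Path

# GUIDs and layout from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
SIGLIST_HEADER = struct.Struct("<16sIII")  # SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize

# Substring of the subject quoted in the report above. Crude indicator only; compare
# certificate fingerprints against the published list for a real audit.
TEST_KEY_MARKER = b"DO NOT TRUST"


def parse_signature_lists(data):
    """Yield (signature_type, owner_guid, signature_data) for each entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + SIGLIST_HEADER.size <= len(data):
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < SIGLIST_HEADER.size or end > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIGLIST_HEADER.size + hdr_size  # skip the optional SignatureHeader
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=bytes(data[pos:pos + 16]))  # EFI_SIGNATURE_DATA.SignatureOwner
            yield uuid.UUID(bytes_le=sig_type), owner, bytes(data[pos + 16:pos + sig_size])
            pos += sig_size
        off = end


def x509_entries(data):
    return [(owner, cert) for t, owner, cert in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]


def find_test_keys(data):
    return [(owner, cert) for owner, cert in x509_entries(data) if TEST_KEY_MARKER in cert]


def read_efivar(name, guid=EFI_GLOBAL_VARIABLE_GUID):
    """Read a UEFI variable via efivarfs; the first four bytes are the variable attributes, not data."""
    return (EFIVARS / f"{name}-{guid}").read_bytes()[4:]


def build_signature_list(cert, owner=uuid.UUID(int=0), sig_type=EFI_CERT_X509_GUID):
    """Construct one EFI_SIGNATURE_LIST holding a single X.509 entry (used for the offline sample)."""
    sig_size = 16 + len(cert)
    header = SIGLIST_HEADER.pack(sig_type.bytes_le, SIGLIST_HEADER.size + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert


# Constructed sample: placeholder byte strings standing in for DER certificates, not real ones.
FAKE_TEST_CERT = b"\x30\x82\x02\x00 placeholder DER, CN=DO NOT TRUST - AMI Test PK"
FAKE_VENDOR_CERT = b"\x30\x82\x02\x00 placeholder DER, CN=Example OEM Platform Key"
SAMPLE_PK = build_signature_list(FAKE_TEST_CERT) + build_signature_list(FAKE_VENDOR_CERT)

if __name__ == "__main__":
    try:
        pk = read_efivar("PK")
    except OSError:  # not Linux, not UEFI, or efivarfs not mounted: fall back to the sample
        pk = SAMPLE_PK
    hits = find_test_keys(pk)
    print(f"{len(x509_entries(pk))} X.509 entries in PK; test-key marker found: {bool(hits)}")
```

The same parser works on KEK and db, which is worth doing too: a test PK is the headline, but a vendor that shipped one may have signed the rest of the chain with equally disposable keys.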

Bits and Bytes

Docker Engine had a nasty regression, where a flaw fixed in 2019 wasn’t properly forward-ported to later versions. CVE-2024-41110 is a CVSS 10.0 issue: an API request with a Content-Length of 0 is forwarded to the authorization (AuthZ) plugin without its body, so a plugin that decides based on the request body can approve a call it should have blocked.

An interesting bug was just fixed in curl, where a malformed TLS certificate could make curl’s ASN.1 parser fail and return an error. On that error path the function in question could call free() on a stack buffer, which is a particularly bad idea. This is notable because the curl developers describe it as a “C mistake (likely to have been avoided had we not been using C)”. Time to add some Rust code to curl?

And finally, there’s something you should know about GitHub. Code is forever. This is all working as intended, but it can catch you if you’re not aware. Namely, commits pushed to a private fork, or to a fork that has since been deleted, remain accessible through the public repository in the same fork network if you know or can guess the abbreviated commit hash. This has some important ramifications for cleaning up data leaks and for developing private forks: a secret that ever reached a public fork network should be rotated, not just deleted from history. Knowing is half the battle!

Hackaday Links: July 21, 2024

21 July 2024 at 23:00

When monitors around the world display a “Blue Screen of Death” and you know it’s probably your fault, it’s got to be a terrible, horrible, no good, very bad day at work. That’s likely the situation inside CrowdStrike this weekend, as engineers at the cybersecurity provider struggle to recover from an update rollout that went very, very badly indeed. The rollout, which affected enterprise-level Windows 10 and 11 hosts running their flagship Falcon Sensor product, resulted in machines going into a boot loop or just dropping into recovery mode, leaving hapless millions to stare at the dreaded BSOD on everything from POS terminals to transit ticketing systems.

Tales of woe from the fallout of what’s being called “the largest IT outage in history” are pouring in, including this very bewildered game developer who, while stranded at an airport, had plenty of time to ponder why CrowdStrike broke the cardinal rule of software development by rolling a change to production on a Friday. The good news is that there’s a workaround, but the bad news is that someone has to access each borked machine and manually delete a file to fix it. Current estimates place the number of affected machines at 8.5 million, so that’s a lot of legwork. There’s plenty of time after the fix is rolled out for a full accounting of the impact, including the search for the guilty and persecution of the innocent, but for now, let’s spare a moment’s pity for the devs who must be sweating things out this weekend.

Back in 2011, Craig Fugate of the Federal Emergency Management Agency said of disaster response in the southern US, “If you get there and the Waffle House is closed? That’s really bad.” Thus was born the “Waffle House Index,” an informal measure of a natural disaster’s impact based on where individual restaurants in the chain that prides itself on always being open are actually up and running. With over 1,900 locations in 25 states, you’d think it would cover just about any emergency, but desperate Texans eschewed the index during the recent extensive power outages in the Houston area caused by Hurricane Beryl by inventing the “Whataburger Index.” We haven’t had the pleasure of this particular delicacy, but it seems Texans can’t get enough of the hamburger chain, enough so that its app’s location map provides a pretty granular view of a wide swathe of Texas. Plus, the chain thoughtfully color-codes each location’s marker by whether it’s currently open or closed, making it a quick and easy way to check where the power is on or off — at least during regular business hours. Hats off to the enterprising Texans who figured this out, and here’s hoping that life has returned to normal for everyone by now.

While we’re generally not fans of Apple products, which seem overpriced and far too tightly controlled for our liking, we’ve been pretty impressed by some of the results people have reported using their Apple AirTags to recover lost or stolen items — this recent discovery of a cache of stolen tools (fourth item) comes to mind. Results like that demanded a “me too” response from the Android side of the market, resulting in the Find My Device network that, perhaps unsurprisingly, doesn’t appear to work very well. The test was pretty much what you’d expect — drop an Android-compatible tag in the mail along with an AirTag and track their journey. The Android tag only reported in a couple of times, while the AirTag provided a comprehensive track of the parcel’s journey through the USPS. Our first thought is that this speaks mostly to the power of being first to market, allowing Apple to have a more completely built-out infrastructure. But this may say more about the previously mentioned flexibility of Android compared to Apple; we know we noped the hell out of participating in Find My Device as soon as it rolled out on our Android phone. Seems like a lot of Android users feel the same way.

And finally, while we haven’t checked out comments on this week’s podcast, we’re pretty sure we’re getting raked over the coals for betraying our ignorance of and lack of appreciation for the finer points of soccer, or football. Whatever you call it, we just don’t get it, but we do understand and agree with our own Lewin Day’s argument that instrument-enhanced officiating isn’t making the game any better. Our argument is that in any sport, the officials are like a third team, one that’s adversarial to both of the competing teams, hopefully equally so, and that giving them super-human abilities isn’t fair to the un-enhanced players on the field/pitch/court/ice. So it was with considerable dismay that we learned that Major League Baseball is experimenting with automatic umpires to call balls and strikes behind the plate. While you may not care about baseball, you have to appreciate the ability of an umpire to stand directly in the line of fire of someone who can hurl a ball through a strike zone about the size of a pizza box in less than 500 milliseconds. Being able to determine if the ball ended up in or out of that box is pretty amazing, not to mention all the other things an umpire has to do to make sure the game is played by the rules. They’re not perfect, of course, and neither are the players, and half the fun of watching sports for us is witnessing the very human contest of wills and skills of everyone involved. It seems like a bad idea to take the humans out of that particular loop.

Forestrike Is Coming to PC and Nintendo Switch in 2025 – First Screenshots and Gameplay Trailer

Japanese developer Skeleton Crew and publisher Devolver Digital have revealed Forestrike, a tactical kung-fu game in which repetition is the key to success. The game will launch in 2025 for PC via Steam and for Nintendo Switch, but lucky attendees at BitSummit will get the chance to try an early demo of the game this weekend.

In the game you take control of a martial artist named Yu and set out on a journey across the country to free the Emperor from the influence of an evil Admiral. Adopting the techniques of one of five kung-fu masters, each battle presents a puzzle to be solved with the mind as much as with the fists.

Yu runs into many enemies on his way to the capital, and is always outnumbered, but he has a secret weapon: Foresight, a meditative technique that lets him mentally play out fights over and over until he finds a sequence of moves that will see him through.

Once ready, our hero must fight for real, where losing means starting over from the beginning, but progress is permanent. Winning does not always mean he will walk away unscathed from every encounter, but the further he gets, the stronger he becomes.

Forestrike is the latest creation from Skeleton Crew, the team behind Olija, released in 2021 and also published by Devolver, and continues the studio’s unique art style, its approach to combat and its fantasy-based storytelling.

About Forestrike

Forestrike is a tactical kung-fu game in which repetition is the key to success. Step into the shoes of a martial artist named Yu and set out on a journey across the country to free the emperor from the influence of an evil admiral. Adopting the techniques of one of five unique masters, each battle presents a puzzle you must solve using both mind and fists.

On his journey to the capital, Yu will find himself constantly outnumbered by countless enemies, but he has a secret weapon: foresight, a meditation technique that lets him play out fights over and over until he finds a sequence of moves that leads to victory.

Once prepared, our hero must fight for real. Although losing means starting over, progress is permanent. Coming out on top does not always mean coming out unharmed, but the further he travels, the stronger he becomes.

Key features:

  • Prevention is better than cure – Foresight, a distinctive game mechanic that lets players experiment without consequences before fighting for real, and then win or die trying. Forestrike’s roguelike game loop generates unique runs and encounters every time, so adapting and improvising are crucial to making progress.
  • Visceral kung-fu combat – Always outnumbered, learn to dispatch mobs of brutal enemies with poise and efficiency using everything at your disposal. Upgrade and customize your moves with the techniques of the masters you choose in order to outwit your opponents in ferocious battles.
  • Handcrafted fantasy – Travel through a visually striking fantasy world inhabited by unique characters, fierce enemies and magical revelations. Intricate pixel-art landscapes form an atmospheric backdrop for hand-made animations and characters.

The post Forestrike Is Coming to PC and Nintendo Switch in 2025 – First Screenshots and Gameplay Trailer appeared first on PC Master Race Latinoamérica.

Blazing Strike Launches on PC and Consoles on October 17 – New Trailer from Anime Expo 2024

During Anime Expo 2024, publisher Aksys Games announced today that Blazing Strike, the new fighting game from studio RareBreed Makes Games, will launch for PlayStation 5, PlayStation 4, Switch and PC via Steam on October 17.

Our upcoming 2D fighter inspired by genre-defining predecessors, Blazing Strike, will release for Nintendo Switch, PlayStation 4 & 5, and PC on October 17!

Check out the new trailer shown at Anime Expo 2024! https://t.co/LSYEwSPVGf pic.twitter.com/XcnCZZncdu

— Aksys Games (@aksysgames) July 5, 2024

A limited edition will also be available from the Aksys store, including a full-color art book, a double-CD soundtrack and a set of collectible character cards.

About Blazing Strike

Inspired by the classic arcade fighting game series from industry giants such as Capcom and SNK, the upcoming 2D fighter from developer RareBreed Makes Games evokes the excitement and nostalgia of the genre’s 2D pixel-art pioneers while incorporating a unique game system with modern mechanics.

Blazing Strike features a four-button system with six normal attacks: light, medium and heavy punches and kicks, plus three defensive moves: block, guard and parry.

A Rush Trigger lets fighters execute fast-paced attacks and movement, but using it slowly drains the Rush Meter, sending the character into a temporary stunned state.

This lets players pull off exciting combos while having to manage the Rush Meter. The game includes three modes: Story Mode, Arcade Mode and VS Mode, with training, battles and matches against Persona AI, and online play powered by GGPO.

“Challenge fighters from every dimension with Blazing Strike! After surviving an apocalyptic event, the remnants of human civilization are in disarray. In this dystopian world ruled by a corrupt and murderous government, a resistance group stands ready to defend the people.

Will they succeed in overthrowing these evil autocrats? Join the battle to face the strongest fighters of this post-apocalyptic world, for they are destined to clash on a long road to victory.”

Key features:

  • Classic meets modern – Blazing Strike’s fast-paced system creates a new way to experience a classic 2D fighting game.
  • A colorful cast – Choose from 14 unique playable fighters and take on 3 hidden bosses.
  • Full Story Mode – Dive into the world of Blazing Strike with extensive story scenes, dialogue, missions and fights.
  • Human vs. AI – Train your Persona AI to mimic your fighting style. With a trained Persona AI, players can fight a CPU that plays like them, or even send their AI to fight others online.
  • Worldwide proving grounds – Play online matches against fighters from around the world without network lag, thanks to GGPO.

The post Blazing Strike Launches on PC and Consoles on October 17 – New Trailer from Anime Expo 2024 appeared first on PC Master Race Latinoamérica.

CrowdStrike

By: EasyWithAI
7 September 2023 at 12:34
CrowdStrike offers an advanced cloud-based cybersecurity platform to protect endpoints, cloud workloads, identities, and data. Its key features include a next-gen antivirus, threat intelligence, and endpoint detection and response (EDR). CrowdStrike uses AI and machine learning to stop breaches and empower organizations with real-time visibility, protection, and response across their entire digital infrastructure.
