Locked In Your Home
What brand is your home? Do you live in a Google, Apple, or Amazon house? Because in a modern “smart home” you may choose only one, and that choice locks you into dependence on only that vendor and its approved partners for any future appliances and home gadgets. Your “AI” voice assistant may talk to you, but it won’t talk to its competitors.
With the current trajectory, the smart home will become much like your phone–under a single vendor’s control, not yours. They will get to choose which appliances integrate, which services they use for your voice queries, and what happens to your personal data. If they do something you don’t like, it will be even harder (and more expensive) to switch to a competitor than it already is with a phone or laptop.
Fortunately it’s not too late to change the current situation. If there is any hope for a smart home where you hold the keys, it must start with open standards for how devices communicate. Only then is there a space where truly open alternatives to Big Tech smart home gadgets can exist for the average consumer outside of do-it-yourself electronics projects.
There is an effort underway with the industry organization Matter to create such standards but like with other industry standards membership and compliance is voluntary. Consumers should pressure existing smart home companies to comply with open standards and vote with their wallet. For our part, we will continue our work to build alternatives that don’t lock you in, based on our Social Purpose commitment to protect people’s privacy, security and freedom.
Also: PhishLabs spying on my WordPress blog?
LibreOffice on Chromebooks and Apache/OpenOffice
-
Today we are looking at how to install LibreOffice 7.2 on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.
If you have any questions, please contact us via a YouTube comment and we would be happy to assist you!
-
Welcome to the latest monthly overview of events from the Apache community. Here's a summary of what happened in September [video highlights available]...
-
We start this week with a good write-up by [Eugene Lim] on getting started on vulnerability hunting, and news of a problem in OpenOffice’s handling of DBase files. [Lim] decided to concentrate on a file format, and picked the venerable dbase format, .dbf. This database format was eventually used all over the place, and is still supported in Microsoft Office, Libreoffice, and OpenOffice. He put together a fuzzing approach using Peach Fuzzer, and found a handful of possible vulnerabilities in the file format, by testing a very simple file viewer that supported the format. He managed to achieve code execution in dbfview, but that wasn’t enough.
Armed with a vulnerability in one application, [Lim] turned his attention to OpenOffice. He knew exactly what he was looking for, and found vulnerable code right away. A buffer is allocated based on the specified data type, but data is copied into this buffer with a different length, also specified in the dbase file. Simple buffer overflow. Turning this into an actual RCE exploit took a bit of doing, but is possible. The disclosure didn’t include a full PoC, but will likely be reverse engineered shortly.
Normally we’d wrap by telling you to go get the update, but OpenOffice doesn’t have a stable release with this fix in it. There is a release candidate that does contain the fix, but every stable install of OpenOffice in the world is currently vulnerable to this RCE. The vulnerability report was sent way back on May 4th, over 90 days before full disclosure. And what about LibreOffice, the fork of OpenOffice? Surely it is also vulnerable? Nope. LibreOffice fixed this in routine code maintenance back in 2014. The truth of the matter is that when the two projects forked, the programmers who really understood the codebase went to LibreOffice, and OpenOffice has had a severe programmer shortage ever since. I’ve said it before: Use LibreOffice, OpenOffice is known to be unsafe.
-
Venturing out into the wilderness of vulnerability research can be a daunting task. Coming from a background in primarily web and application security, I had to shift my hacking mindset towards memory corruption vulnerabilities and local attack vectors. This two-part series will share how I got started in vulnerability research by discovering and exploiting code execution zero-days in office applications used by hundreds of millions of people. I will outline my approach to getting started in vulnerability research including dumb fuzzing, coverage-guided fuzzing, reverse engineering, and source code review. I will also discuss some management aspects of vulnerability research such as CVE assignment and responsible disclosure.
Audiocasts/Shows: Q4OS, LHS, an Hackaday Podcast
-
In this video, I'm going to take a look at the recently released Q4OS 4.6, codenamed "Gemini." Q4OS is a fast and friendly, desktop oriented operating system based on Debian 11 Testing. Q4OS now uses the Plasma desktop as its default.
-
It's time once again for The Weekender. This is our bi-weekly departure into the world of amateur radio contests, open source conventions, special events, listener challenges, hedonism and just plain fun. Thanks for listening and, if you happen to get a chance, feel free to call us or e-mail and send us some feedback. Tell us how we're doing. We'd love to hear from you.
-
Hackaday editors Elliot Williams and Mike Szczys peruse the great hardware hacks of the past week. There’s a robot walker platform that wirelessly offloads motor control planning to a computer. We take a look at automating your fishing boat with a trolling motor upgrade, building the Hoover dam in your back yard, and playing Holst’s Planets on an army of Arduini. Make sure you stick around until the end as we stroll through distant memories of Gopher, and peek inside the parking garages of the sea.
Games: Debian GNU/Linux Experience, Godot 3.3.4, and Steam
-
PC gaming, for me, is sort of a hit or miss thing.
Even though Wine (If you’re feeling cheeky, the “Linux Subsystem for Windows”) and, for that matter, Steam with Proton, a Wine fork optimized for gaming, have advanced a lot.
I use laptops, and the only way to get a GPU upgrade with a laptop is to buy a new laptop.
(Well, external GPUs are becoming more of a thing, but I’m not really sure where the GNU/Linux support stands on that, and if it would mean a proprietary driver, no thanks anyway.)
Anyway, even up to a couple of years ago, controllers under Wine were dicey and even getting an XBOX 360 controller to be recognized involved terrible hacks involving a userspace driver, blacklisting a kernel module (xpad), and then installing an XBOX 360 controller emulator program for Windows in Wine so you could map the output of the actual hardware to an emulated version of the controller, which would send it along to video games.
What a pain in the ass! I mean, not as much of one as installing a GNU/Linux distribution in the 90s with winmodems and having to tell X your modelines, under pains and penalties of potentially frying your computer monitor. (How uncivilized!). Modern GNU/Linux should be no more difficult than a small tweak here, a tweak there, and you’re done. At it’s very worst, no problem is likely to come up that would be worse than something that could come up under Windows.
-
While we're busy working on both the upcoming Godot 4.0 and 3.4 releases (with a dev snapshot for 3.4 beta 5 available now), we still cherry-pick important bug fixes to the 3.3 branch regularly for maintenance releases (see our release policy).
Godot 3.3.3 was released a month ago, and a handful of important fixes have been queued in the 3.3 branch since then. Most notably, users of the GDScript LSP in Visual Studio Code have been experiencing crashes in 3.3.3, which are fixed in this new Godot 3.3.4.
Note: Version numbers can be confusing with three branches worked on in parallel - this release is 3.3.4, i.e. a maintenance update to the 3.3 branch. This is not the upcoming 3.4 feature release.
Godot 3.3.4, like all future 3.3.x releases, focuses purely on bug fixes, and aims to preserve compatibility. It is a recommended upgrade for all Godot 3.3 users.
-
It's that time again! From now until October 7 you get to try out various new demos on Steam, watch developer livestreams and much more.
This is another wonderful chance to test out various games before they see a full release. For the games included in the event, they are supposed to be releasing somewhere between October 7, 2021 and May 1, 2022 so even if you find something you like it might be a while before you get to see the full complete thing.
