When we think of the average hot rodder, we think of guys and gals that love anything on four wheels. They’re good with hand tools, fabrication and know the ins and outs of the internal combustion engine. Their tools of the trade are welders, grinders and boxed-end wrenches. But their knowledge of electric circuits doesn’t go beyond wiring up a 12 volt DC tail light. On the surface, the role of a hot rodder would seem quite different from that of a hardware hacker. But if you abstract what they do, you find that they take machines and modify their design to make them do something more than they were originally designed to do. When viewed in this light, hot rodders are hackers.
[Louise] tried out her new E3D Cyclops dual extrusion system by printing a superb model dragon. The piece was sculpted in Blender, stands 13cm tall and can be made without supports. It’s an impressive piece of artwork that reflects the maker’s skill, dedication and hard work. She shared her creation on the popular Thingiverse website which allows others to download the file for use on their own 3D printer. You can imagine her surprise when she stumbled upon her work being sold on eBay.
It turns out that the owner of the eBay store is not just selling [Louise]’s work, he’s selling thousands of other models taken from the Thingiverse site. This sketchy and highly unethical business model has not gone unnoticed, and several people have launched complaints to both Thingiverse and eBay. Now, there are lots of things to talk about here, but the 800 pound high voltage transformer in the room is the legality of the whole thing. What he’s doing might be unethical, but is it illegal?
When [Louise] politely asked the eBay store owner to remove her work, he responded with:
“When you uploaded your items onto Thingiverse for mass distribution, you lost all rights to them whatsoever. They entered what is known in the legal world as “public domain”. The single exception to public domain rules are original works of art. No court in the USA has yet ruled a CAD model an original work of art.”
Most of the uploaded CAD models on Thingiverse are done under the Creative Commons license, which is pretty clear in its assertion that anyone can profit from the work. This would seem to put the eBay store owner in the clear for selling the work, but it should be noted that he’s not properly attributing the work to the original creator. There are other variants of the license, some of which prohibit commercial use of the work. In these cases, the eBay store owner would seem to be involved in an obvious violation of the license.
There are also questions stirring with his use of images. He’s not taking the CAD model and making his own prints for images. He’s lifting the images of the prints from the Thingiverse site along with the CAD files. It’s a literal copy/paste business model.
With that said, the eBay store owner makes a fairly solid argument in the comments section of the post that broke the news. Search for the poster named “JPL” and the giant brick of text to read it. He argues that the Thingiverse non-commercial license is just lip service and has no legal authority. One example of this is how they often provide links to companies that will print a CAD design on the same page of a design that’s marked as non-commercial. He sums up one of many good points with the quote below:
“While we could list several other ways Thingiverse makes (money), any creator should get the picture by now-Thingiverse exists to make Stratasys (money) off of creators’ designs in direct violation of its very own “non-commercial” license. If a creator is OK with a billion-dollar Israeli company monetizing his/her designs, but hates on a Philly startup trying to make ends-meet, then they have a very strange position indeed.”
OK Hackaday readers, you have heard both sides of the issue. Here’s the question(s):
1. Is the eBay seller involved in illegal activity?
2. Can he change his approach to stay within the limits of the license? For instance, what if he credits the original maker on the sale page?
3. How would you feel if you found your CAD file for sale on his eBay store?
The cell phones of yesteryear were covered in buttons. Today’s cell phones are mostly a touch display with maybe one or two buttons. As time marches on, we find ourselves using our fingers more for gestures and swipes than button pushing to control our devices. Sadly, the television remote has been stuck in an antiquated state and most are still covered in archaic buttons.
[Frederick] has decided to drag the TV remote out of the stone age and update it to use simple gestures for control. We’ve seen gesture control before, but this one is certainly the most elegant. He’s using a Raspberry Pi with a Skywriter HAT gesture recognition board. The driver is easy to install and takes a single command line. The Skywriter HAT interprets the hand gesture and the Pi fires the appropriate signal via an IR emitter. This approach made the project fairly simple to put together, with surprisingly good results.
It was the year of 1687 when Isaac Newton published “The Principia“, which revealed the first mathematical description of gravity. Newton’s laws of motion along with his description of gravity laid before the world a revolutionary concept that could be used to describe everything from the motions of heavenly bodies to a falling apple. Newton would remain the unequivocal king of gravity for the next several hundred years. But that would all change at the dawn of the 20th century when a young man working at a Swiss patent office began to ask some profound questions. Einstein had come to the conclusion that Newtonian physics was not adequate to describe the findings of the emerging electromagnetic field theories. In 1905, he published a paper entitled “On the Electrodynamics of Moving Bodies” which corrects Newton’s laws so they work when describing the motions of objects near the speed of light. This new description became known as Special Relativity.
It was ‘Special’ because it didn’t deal with gravity or acceleration. It would take Einstein another 10 years to work these two concepts into his relativity theory. He called it General Relativity – an understanding of which is necessary to fully grasp the significance of gravitational waves.
Computer Numeric Control technology has been around for a long time. It’s at the heart of our 3D printers, laser cutters / etchers and CNC milling machines. They all work the same way — you begin with a CAD program and make some type of design. Then the computer converts the file into a set of XYZ coordinates and moves a tool head accordingly. Now let us pose to ourselves a most interesting question. What if you reversed the process? What if you could take a CNC’d object and convert it into XYZ coordinates?
This is precisely what [dave] is attempting to do. He’s made a basic CNC outfit and installed encoders on the steppers. He then manually moves the tool head to trace out an object. At the same time, the encoders are feeding the coordinates to a computer for recording. The idea is to replay the coordinates to see if the CNC can replicate the object.
Judging from the video below, the project is a success!
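The replay step described above turns a stream of recorded axis positions back into tool moves. The following is an added example, not [dave]’s code: it assumes each stepper carries an encoder whose running count is sampled as an (x, y, z) triple while the head is moved by hand, converts those counts to millimetres with an assumed steps-per-mm scale, collapses repeated and in-line samples into segment endpoints, and emits absolute G-code that a controller could replay. The scale and the sample counts are constructed for illustration.

```python
"""Recorded encoder counts -> G-code for replay (added example, not the project's code)."""

# Assumed axis scales in encoder counts per millimetre (constructed values).
STEPS_PER_MM = {"x": 80.0, "y": 80.0, "z": 400.0}


def counts_to_mm(sample, scale=STEPS_PER_MM):
    """Turn one (x, y, z) encoder-count triple into millimetres."""
    x, y, z = sample
    return (x / scale["x"], y / scale["y"], z / scale["z"])


def _on_line(a, b, c, tol=1e-6):
    """True when b lies on the straight line through a and c and c continues
    in the same direction (cross product ~ 0, dot product >= 0)."""
    ab = [b[i] - a[i] for i in range(3)]
    ac = [c[i] - a[i] for i in range(3)]
    cross = (ab[1] * ac[2] - ab[2] * ac[1],
             ab[2] * ac[0] - ab[0] * ac[2],
             ab[0] * ac[1] - ab[1] * ac[0])
    dot = sum(ab[i] * ac[i] for i in range(3))
    return all(abs(v) < tol for v in cross) and dot >= 0


def simplify(points):
    """Drop samples where the head did not move and interior points of straight
    runs, so the replay is a list of segment endpoints, not every encoder tick."""
    out = []
    for p in points:
        if out and p == out[-1]:
            continue                       # no movement since the last sample
        if len(out) >= 2 and _on_line(out[-2], out[-1], p):
            out[-1] = p                    # extend the current straight segment
        else:
            out.append(p)
    return out


def to_gcode(samples, feed_mm_per_min=300):
    """Emit absolute-coordinate G-code: rapid to the first point, then G1 moves."""
    pts = simplify([counts_to_mm(s) for s in samples])
    lines = ["G21", "G90"]                 # millimetres, absolute positioning
    if not pts:
        return lines
    x, y, z = pts[0]
    lines.append(f"G0 X{x:.3f} Y{y:.3f} Z{z:.3f}")
    for x, y, z in pts[1:]:
        lines.append(f"G1 X{x:.3f} Y{y:.3f} Z{z:.3f} F{feed_mm_per_min}")
    return lines


# Constructed sample: a 10 mm square traced at Z = 0, with a duplicate reading
# and mid-segment readings of the kind a hand-moved carriage produces.
SAMPLE_COUNTS = [
    (0, 0, 0), (0, 0, 0), (400, 0, 0), (800, 0, 0),
    (800, 400, 0), (800, 800, 0), (400, 800, 0), (0, 800, 0), (0, 0, 0),
]

if __name__ == "__main__":
    print("\n".join(to_gcode(SAMPLE_COUNTS)))
```

The nine recorded samples collapse to the four corners of the square plus the return to the origin, so the replayed program is five moves rather than a move per encoder reading. Real encoder streams are noisier than this, so a distance tolerance on the collinearity test is the first thing to tune.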
It can be argued that MakerBot, a company that makes popular 3D printers, hit its pinnacle with the introduction of the Replicator 2. It was designed well and completely open source, including the motherboard that drove the printer – known as the Mightyboard. China quickly picked up on the success of the Replicator 2 and copy/pasted several of their own versions (at a much cheaper sale price). One of these outfits is called Wanhao, and their version of the Replicator 2 is called…wait for it…the Duplicator!
Their version of the Mightyboard is identical to the original, minus a few nickel-and-dime components. This suggests that Wanhao made an effort to cut as much cost as possible without looking at what functionality they were removing. And anytime a company does this, you can bet the quality of the board manufacturer is at the bottom of the barrel. [Avrydev] found this out the hard way when he repaired a faulty motherboard from a broken Duplicator.
The board would not connect to the software via USB, and the startup tune pitch was off. [Arvydev] flashed new firmware via ICSP, but that did not help. He eventually clued in on the main crystal for the Atmega processor. A quick swap and presto! The printer is as good as new.
It’s difficult to say if [Aaron Barr], then CEO of software security company HBGary Federal, was in his right mind when he targeted the notorious hacking group known as Anonymous. He was trying to correlate Facebook and IRC activity to reveal the identities of the group’s key figures. In the shadowy world of black-hat hacking, getting your true identity revealed is known as getting doxed, and is something every hacker fears. Going after such a well-known group would be sure to get his struggling company some needed publicity. It would also have the most unfortunate side effect of getting the hacking group’s attention as well.
Perhaps [Aaron Barr] expected Anonymous to come after him…maybe he even welcomed the confrontation. After all, he was an ‘expert’ in software security. He ran his own security company. His CTO [Greg Hoglund] wrote a book about rootkits and maintained the website rootkit.com that boasted over 80 thousand registered users. Surely he could manage a few annoying attacks from a couple of teenage script kiddies playing on their parents’ computer. It would have been impossible for him to know how wrong he was.
It took the handful of hackers less than 24 hours to take complete control over the HBGary Federal website and databases. They also seized [Barr’s] Facebook, Twitter, Yahoo and even his World of Warcraft account. They replaced the HBGary Federal homepage with this declaration – with a link to a torrent file containing some 50,000 emails resting ominously at the bottom. At the same time, they were able to use social engineering techniques to SSH into the rootkit.com site and delete its entire contents.
It became clear that this handful of Anonymous hackers were good. Very good. This article will focus on the core of the HBGary hackers that would go on to form the elite LulzSec group. Future articles in this new and exciting Dark Arts series will focus on some of the various hacking techniques they used. Techniques including SQL injection, cross-site scripting, remote file inclusion and many others. We will keep our focus on how these techniques work and how they can be thwarted with better security practices.
[Jake Davis] – aka [Topiary] – might have been the least technically skilled of the group, but he made up for it in his ability with words. He was by far the most articulate of the group and commanded the official LulzSec Twitter feed, where he taunted the group’s victims and appeased their ever-growing fan base. [Topiary] goes back to the days of Anonymous and its origin on the popular image board 4chan. Being articulate and quick-witted, he was exceptionally good at doing prank calls while streaming them live to eager fans. His talent did not go unrecognized and the role of “mouthpiece” for Anonymous was his for the taking. Whenever a home page was defaced and replaced with an official Anonymous message, he was the author. The hacked HBGary homepage linked above was [Topiary’s] work.
Lest we leave you with the impression that [Topiary] was not a hacker, he learned a great deal of technical skills during his involvement with Anonymous and later LulzSec. When he was arrested at his home on the Shetland Islands, he had 17 virtual machines running on an encrypted drive. His last tweet before his arrest – “You cannot arrest an idea”.
[Mustafa Al-Bassam] – aka [Tflow] – was a bit socially awkward, but you would have never known it based on his demeanor in the secluded chat rooms of the LulzSec hackers. Cool, calm and collected, [Tflow] never got involved with the many arguments that took place. The ability to check his emotions combined with advanced coding skills led his fellow hackers to believe he was much older than he really was. [Pwnsauce], another LulzSec member whom we will not cover due to lack of information, believed he was at least 30 years old.
It was [Tflow] who first shed light on [Aaron Barr’s] plans to dox the Anonymous “leaders”. It was [Tflow] who wrote an advanced piece of code that allowed the citizens of Tunisia to get past their government’s ISP restrictions during the Arab Spring and post on social media. Let that sink in for a minute…a 16-year-old teenager had empowered an entire nation of people with a PHP script. [The Jester], a hacker who commanded a massive botnet, once tried to hoodwink [Tflow] and his fellow hackers with a malicious script. [Tflow] took the script, reduced it from a few dozen lines to only two lines without limiting functionality, and sent it back to [The Jester] with the following note: Try this instead.
[Ryan Ackroyd] was big into computer video games as a teen. He liked hacking them and hung out online with other like-minded people. A girl by the name of [Kayla] joined their circle of friends and [Ryan] enjoyed her company. A rival video game hacking group tried to hack [Ryan’s] group, and targeted the weakest link – 16-year-old [Kayla]. They destroyed her social networks and even got into her parents’ bank account. [Ryan] and his friends were furious. They all went after their rival, using the alias [Kayla] in her honor. Their retribution was so devastating that “Kayla” earned a reputation across this particular corner of the internet as someone not to cross. Over the years, the group fell apart, but [Ryan] remained and kept the alias of a 16-year-old girl named [Kayla] who shouldn’t be messed with.
It was [Kayla] who socially engineered her way into rootkit.com. It was [Kayla] who discovered the SQL injection vulnerability on the HBGary Federal website. She later wrote a program that scanned URLs many times per second looking for zero days. She’s a self-taught reverse engineer and was arguably the most skilled hacker on the LulzSec team. She even had a trip wire in her apartment that wiped all hard drives when the police entered, and was branded by the courts as “highly forensically aware”. That’s legalese for “This guy knows his stuff”. She has some wise words in this reddit thread.
[Hector Monsegur] – aka [Sabu] – was the oldest and most mature of the LulzSec hackers. He was the recognized leader of the group. He drove daily operations and squashed arguments. He was also a very skilled hacker himself, coming from a background of hacking government websites in his native Puerto Rico. [Sabu] was a hacktivist, and believed in hacking for a social cause, while many of his team were still beholden to their 4chan/b/ days of hacking “for the lulz”. [Sabu] was not only a hacker of computers, he was a hacker of people, and highly skilled in the art of social engineering. Using his skills, he was able to steer LulzSec in the direction he wanted it to go.
[Sabu] was the first of the LulzSec hackers to get doxed. When he was confronted by the FBI with a 100+ year prison sentence, he could not bear the idea of his kids growing up without him and turned informant. He has only recently returned to Twitter, much to the annoyance of Anonymous.
You have met the core of the LulzSec hackers. There are two more that we did not talk about due to lack of information: [Pwnsauce] and [AVUnit]. As of today, no one knows the true identity of [AVUnit]. It’s possible there are even more that we don’t know about. However, it is generally recognized that the hackers covered here were the core members.
Now that we know a little bit about the people behind some of the most remarkable hacks of modern times, we will go into detail about how they were able to carry these hacks out. If you’re looking for a “How to Hack a Website 101” tutorial, this series of articles will disappoint you. But if you want to know how these former hackers were able to do what they did, you will find this series quite enjoyable. We’re not just going to talk about the various techniques used, we’re going to understand how they work on a fundamental level. So stay tuned and keep your virtual machines on standby.
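SQL injection is named above both as the vector [Kayla] found on the HBGary Federal site and as the first technique this series promises to explain and show how to thwart. As an added example (not code from the Hackaday series, and not anything from an HBGary system), the block below puts the string-built query beside its parameterized form against an in-memory SQLite table with constructed user records: the same probe input returns every stored password hash from the first and nothing from the second. The table layout, the two users and the probe string are all constructed for the demonstration.

```python
"""SQL injection: string-built query beside its parameterized form
(added example with constructed data; not the series' or HBGary's code)."""
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 of the password; the per-user salt is stored beside it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db():
    """Constructed sample database: two users with salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash TEXT)")
    for name, password in (("admin", "correct horse"), ("alice", "battery staple")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (name, salt, hash_password(password, salt)))
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL by string formatting, so a quote character in `username`
    ends the string literal and the rest of the input is parsed as SQL."""
    sql = f"SELECT username, pw_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the value travels separately from the
    statement text and is never parsed as SQL, whatever characters it holds."""
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def verify_password(conn, username, password):
    """Password check built only on the parameterized lookup; constant-time compare."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


# Constructed probe: a closing quote followed by an always-true condition. In
# the string-built query it widens the WHERE clause to every row.
PROBE = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, PROBE))  # both rows, hashes included
    print("safe:      ", lookup_safe(conn, PROBE))        # []  no user has that literal name
    print("login:     ", verify_password(conn, "admin", "correct horse"))
```

The difference is not input filtering but where the boundary between code and data is drawn: with a placeholder the database driver fixes the statement before it ever sees the value, so the usual advice applies regardless of language or database. A query log that shows a `WHERE` clause with an unexpected `OR` or comment token is also a cheap detection signal for the string-built pattern.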
We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency, by Parmy Olson. ISBN 978-0316213523