Join Hackaday And Tindie At The Southern California Linux Expo

Do you like Open Source? Join Hackaday and Tindie at the largest community-run Open Source conference in North America. We’ll be at the Southern California Linux Expo next week, and we want to see you there.

What’s happening at SCALE this year? Amateur radio license exams, a PGP signing party, Bad Voltage Live and The Spazmatics, and a ton of great talks.

Hackaday and Tindie will be at SCALE Friday through Sunday, showing off the coolest parts of Hackaday, Hackaday.io, and our lovable robotic dog, Tindie. We’ll be handing out t-shirts and stickers, and we’ll be giving tours of the SupplyFrame Design Lab located just two blocks away from the convention center. The Design Lab is a crown jewel of our corporate overlord’s emphasis on Open Hardware, and if you want to see where the magic happens, this is your chance. We’ll be running tours of the Lab on Friday, so find the Hackaday and Tindie crew in the expo area around 3:40 PM.

Here’s something cool: We’re offering discounted SCALE passes, too. They’re 50% off using the code ‘HACK’ at this link. That’s $45 for four days of fun.

Cloudbleed — Your Credentials Cached in Search Engines

In case you are still wondering about SHA-1 being broken, and whether someone is going to spend hundreds of thousands of dollars to create a fake Certificate Authority and sniff your OkCupid credentials, don’t worry. Why spend so much money when your credentials are being cached by search engines?… Wait, what?

A serious combination of bugs, dubbed Cloudbleed by [Tavis Ormandy], led to memory that did not belong to the request (a read past the end of a buffer, including uninitialized and previously used memory) being included in the responses generated by Cloudflare’s reverse proxies and sent back to the requester. Since those reverse proxies are shared between Cloudflare customers, the problem is even worse: random data from random customers was leaking. It’s sort of like Heartbleed for HTTP requests. The seriousness of the issue can be fully appreciated in [Tavis]’s words:

“The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I’ve informed cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”

According to Cloudflare, the leaked data could include HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens). An HTTP request to a vulnerable Cloudflare-fronted site could reveal information from other, unrelated Cloudflare sites.
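The mechanism in miniature, as an added illustration and not Cloudflare’s code: a proxy worker reuses one buffer for every tenant it serves, and a length-bookkeeping bug lets the response for tenant B copy out bytes that tenant A left behind. The buffer size, tenant data and function names are all made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One buffer that a single proxy worker reuses for every tenant it serves.
   Constructed for this example; real edge servers are far more involved. */
#define BUF_SZ 128
static char shared_buf[BUF_SZ];

/* Copy a tenant's response body through the shared buffer into the client's
   output. 'declared_len' is the length the (buggy) bookkeeping believes the
   body has. The vulnerable path trusts it; the hardened path bounds it by the
   number of bytes this tenant actually wrote. */
static size_t emit_body(const char *body, size_t declared_len, int hardened,
                        char *out, size_t out_sz)
{
    size_t have = strlen(body);
    if (have > BUF_SZ - 1) have = BUF_SZ - 1;
    memcpy(shared_buf, body, have);        /* the tail of the buffer is never cleared */

    size_t n = declared_len;
    if (hardened && n > have) n = have;    /* the missing bounds check */
    if (n > out_sz - 1) n = out_sz - 1;
    memcpy(out, shared_buf, n);            /* an over-read ships whatever sits after 'have' */
    out[n] = '\0';
    return n;
}

/* Serve tenant A, then tenant B with an inflated length, and report whether
   B's client received A's secret. Returns 1 if it leaked, 0 otherwise. */
int demo_leaks(int hardened)
{
    char out[BUF_SZ];
    memset(shared_buf, 0, sizeof shared_buf);   /* a fresh worker */

    /* Tenant A: a response carrying a session cookie (constructed data, 41 bytes). */
    emit_body("Set-Cookie: session=A-SECRET-7f3e; Path=/", 41, hardened, out, sizeof out);

    /* Tenant B: a two-byte body, but the bookkeeping claims 60 bytes. */
    emit_body("ok", 60, hardened, out, sizeof out);

    return strstr(out, "A-SECRET-7f3e") != NULL;
}

int main(void)
{
    printf("vulnerable: leak=%d\n", demo_leaks(0));   /* 1: B's client sees A's cookie */
    printf("hardened:   leak=%d\n", demo_leaks(1));   /* 0: output bounded to what B wrote */
    return 0;
}
```

The point of the demo is that the leak is silent from the proxy’s side: nothing crashes, the response is simply longer than it should be. Bounding every copy by the bytes actually written is the fix; clearing the buffer between tenants is cheap defence in depth that would have turned the same bug into a leak of zeros.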

Adding to the problem, search engines and any other bots that roam the Internet could have downloaded this data at random and cached it. Cloudflare released a detailed incident report explaining the technicalities of what happened and how they fixed it. The incident response was very quick, with initial mitigation in place in under 47 minutes, and the deployment of the fix was also fast. Still, while reading the report, a sense that Cloudflare downplayed the issue remains: according to Cloudflare, the earliest date the problem could have started is 2016-09-22, and the leak went on until 2017-02-18, five months, give or take.

To reassure readers rather than be alarmist: there is no evidence that anyone exploited this. Before public disclosure, Cloudflare worked closely with search engine companies to ensure leaked memory was scrubbed from their caches for a list of 161 domains they had identified. They also report having searched the web (!), including sites like Pastebin, for signs of leaks and found none.

On the other hand, it may well be impossible to know for sure whether anyone has a chunk of this data cached away somewhere in the aether. The practical response for users is the same as after Heartbleed: rotate passwords, API keys and session cookies on sites that sit behind Cloudflare. What we would really like to know is: does [Tavis] get the t-shirt or not?

What Does a Hacker Do With A Photocopier?

The year is 2016. Driving home from a day’s work in the engineering office, I am greeted with a sight familiar to any suburban dwelling Australian — hard rubbish. It’s a time when local councils arrange a pickup service for anything large you don’t want anymore — think sofas, old computers, televisions, and the like. It’s a great way to make any residential area temporarily look like a garbage dump, but there are often diamonds in the rough. That day, I found mine: the Ricoh Aficio 2027 photocopier.

It had spent its days in a local primary school, and had survived fairly well. It looked largely intact with no obvious major damage, and still had its plug attached. Now I needed to get it home. This is where the problems began.


Toast-Bot Butters For You (Sometimes)

Sometimes — despite impracticality, safety, failure, and general good sense — one has an urge to see a project through for the sake of it. When you’re sick of buttering your toast every morning, you might take a leaf out of Rick Sandc– ahem, [William Osman]’s book and build a toast-bot to take care of the task for you.

[Osman] — opting to nail the overkill quotient — is using a reciprocating saw motor to hold the butter while the toast moves underneath the apparatus on a platform controlled by a linear stepper motor. The frame and mounts for Toast-Bot were cut out of wood on his home-built laser cutter — affectionately named Retina Smelter 9000 — and assembled after some frustration and application of zip-ties. The final result DOES butter toast, but — well — see for yourself.


3D Printing Using Holograms is Actually Printing in 3D

It’s the year 2260 and you’re being beamed from your starship to the planet below. Being a descendant of present-day 3D printers, the transporter prints you out, slowly making one layer before moving on to the next, going from the ground up. The you-that-was hopes nothing spills out before you’re done. But what if you could print every atom in your body at the same time? If those transporters are descendants of Daqri’s holographic 3D printing technology, then that’s just what will happen.

Daqri’s process is akin to SLA (stereolithography) and SLA/DLP (digital light processing). In SLA, a laser beam is shone onto a pool of resin, hardening the resin at the beam’s point. The laser scans across the resin’s surface, drawing one layer. More resin is added and then the next layer is drawn. In SLA/DLP, the light for an entire layer is projected onto the surface at once. While both methods involve stereolithography, the acronym SLA by itself is commonly used to refer to the laser approach.

Holographically 3D printing a paperclip

Daqri’s process, however, uses a holographic chip of their own making to project the light for all the layers at the same time into the material, a light-activated monomer. Their chip is a silicon wafer containing a grid of tunable crystals. Those crystals control the magnitude and phase of light reflected down into the monomer, creating a 3D volume of interference patterns. The brief description of the process says that a laser is used to shine light onto the crystals, so there’s probably still some scanning going on. However, in the video, all of the object being printed appears illuminated at the same time, so the scanning is likely very fast, similar to how a laser in a light show seemingly paints a 2D shape on the side of a building even though it’s really just a rapidly moving point. There’s also the possibility that the beam’s spot is large enough to cover the whole chip at once. You can see a demonstration of it in the video below.


Universal Radio Hacker

If you are fascinated by stories you read on sites like Hackaday in which people reverse engineer wireless protocols, you may have been tempted to hook up your RTL-SDR stick and have a go for yourself. Unfortunately then you may have encountered the rather steep learning curve that comes with these activities, and been repelled by a world with far more of the 1337 about it than you possess. You give up after an evening spent in command-line dependency hell, and move on to the next thing that catches your eye.

You could then be interested by [Jopohl]’s Universal Radio Hacker. It’s a handy piece of software for investigating unknown wireless protocols. It supports a range of software defined radios including the dirt-cheap RTL-SDR sticks, quickly demodulates any signals you identify, and provides a whole suite of tools to help you extract the data they contain. And for those of you scarred by dependency hell, installation is simple, at least for this Hackaday scribe. If you own an SDR transceiver, it can even send a reply.

To prove how straightforward the package is, we put an RTL stick into a spare USB port and ran the software. A little investigation of the menus found the spectrum analyser, with which we were able to identify the 433 MHz packets coming periodically from a wireless thermometer. Running the record function allowed us to capture several packets, after which we could use the interpretation and analysis screens to look at the binary stream for each one. All in the first ten minutes after installation, which in our view makes it an easy to use piece of software. It didn’t deliver blinding insight into the content of the packets, that still needs brain power, but at least if we were reverse engineering them we wouldn’t have wasted time fighting the software.

We’ve had so many reverse engineering wireless protocol stories over the years, to pick only a couple seems to miss the bulk of the story. However both this temperature sensor and this weather station show how fiddly it can be without a handy software package to make it easy.

Via Hacker News.

Jean-Luc PYcARD is a Pocketable Python Development Platform

It’s a good thing that a ridiculous pun and a screenprint of Jean-Luc Picard on the bottom of the board is enough to qualify for the 2017 Hackaday Sci-Fi Contest, because [bobricius]’s Python-plus-Arduino card and environmental sensor potpourri is very cool.

The PCB design itself is great. It’s got a gigantic LED array, cutout for a wrist strap, and an onboard USB plug so you can program it just by sticking it in your computer; it shows up as a USB mass storage device when you plug it in. The files that show up on the “drive” are Micropython code that you can edit, save, and then run directly on the device. You can hardly beat that for convenience.

And there’s a full complement of sensors: not one but two temperature and humidity sensors, including our recent favorite BME280, which also reads barometric pressure. (We suspect that makes it a tri-corder.) There’s a real-time clock, a buzzer, and some buttons. Want to add more sensors? I2C ports are broken out for your convenience.

Besides having Star Trek flair, this board would give the various educational platforms a run for their money: Micro:bit, we’re looking at you. Very cool indeed!