SHAttered — SHA-1 is broken in

A team from Google and CWI Amsterdam just announced it: they produced the first SHA-1 hash collision. The attack required over 9,223,372,036,854,775,808 SHA-1 computations, equivalent to the processing power of 6,500 years of single-CPU computations and 110 years of single-GPU computations. While this may seem overwhelming, this is a practical attack if you are, let’s say, a state-sponsored attacker. Or if you control a large enough botnet. Or if you are just able to spend some serious money on cloud computing. It’s doable. Make no mistake, this is not a brute-force attack; that would take around 12,000,000 single-GPU years to complete.

SHA-1 is a 160-bit standard cryptographic hash function that is used for digital signatures and file integrity verification in a wide range of applications, such as digital certificates, PGP/GPG signatures, software updates, backup systems and so forth. It was, a long time ago, proposed as a safe alternative to MD5, known to be faulty since 1996. In 2004 it was shown that MD5 is not collision-resistant and not suitable for applications like SSL certificates or digital signatures. In 2008, a team of researchers demonstrated how to break SSL based on MD5, using 200 PlayStation 3 consoles.

Theoretical attacks against SHA-1 have been known since as early as 2005. In 2015 an attack on full SHA-1 was demonstrated (baptized the SHAppening). While this did not directly translate into a collision on the full SHA-1 hash function due to some technical aspects, it undermined the security claims for SHA-1. With this new attack, dubbed SHAttered, the team demonstrated a practical attack on the SHA-1 algorithm, producing two different PDF files with the same checksum.

The full working code will be released in three months, following Google’s vulnerability disclosure policy, and it will allow anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images and some, not yet specified, pre-conditions.

For now, the recommendation is to start using SHA-256 or SHA-3 in your software. The Chrome browser already warns if a website has a SHA-1 certificate; Firefox and the rest of the browsers will surely follow. Meanwhile, as always, tougher times are ahead for legacy systems and IoT-like devices.
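One way to act on that recommendation for file integrity checks, as an added example that is not part of the original article: a checksum-manifest auditor that rejects MD5 and SHA-1 entries outright and only verifies SHA-256 ones. The manifest format follows the `sha1sum`/`sha256sum` line layout; the file names, contents and status strings are constructed for the example.

```python
import hashlib
import hmac

# Hex digest length -> algorithm. MD5 and SHA-1 both have practical collisions.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
COLLISION_PRONE = {"md5", "sha1"}

def parse_manifest(text):
    """Parse sha1sum/sha256sum-style lines: '<hex digest>  <file name>'."""
    entries = []
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if digest and name:
            entries.append((digest.lower(), name.lstrip(" *")))
    return entries

def audit(manifest_text, files):
    """Return {file name: status}; `files` maps names to their bytes."""
    report = {}
    for digest, name in parse_manifest(manifest_text):
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or set(digest) - set("0123456789abcdef"):
            report[name] = "unknown-digest"
        elif algo in COLLISION_PRONE:
            # A matching SHA-1 proves nothing once collisions are practical,
            # so the entry is rejected without even comparing it.
            report[name] = "weak-" + algo
        elif name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(hashlib.new(algo, files[name]).hexdigest(), digest):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    return report

# Constructed sample data: three files and a mixed-algorithm manifest.
FILES = {"update.bin": b"firmware v2 (constructed sample)",
         "tool.pdf": b"%PDF-1.4 constructed sample",
         "notes.txt": b"release notes"}
MANIFEST = "\n".join([
    hashlib.sha256(FILES["update.bin"]).hexdigest() + "  update.bin",
    hashlib.sha1(FILES["tool.pdf"]).hexdigest() + "  tool.pdf",    # legacy entry
    hashlib.sha256(b"different bytes").hexdigest() + "  notes.txt",  # stale digest
])

if __name__ == "__main__":
    for name, status in audit(MANIFEST, FILES).items():
        print(f"{status:12} {name}")
```

Note that the SHA-1 entry for `tool.pdf` is a correct digest of the file and is still reported as weak: the point of a collision is that a second, different file could carry the same digest.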

Microchip Launches New Family Of PICs

Over the last few years, we’ve seen projects and products slowly move from 8-bit microcontrollers to more powerful ARM microcontrollers. The reason for this is simple — if you want to do more stuff, like an Internet-connected toaster, you need more bits, more Flash, and more processing power. This doesn’t mean 8-bit microcontrollers are dead, though. Eight bit micros are still going strong, and this week Microchip announced their latest family of 8-bit microcontrollers.

The PIC16F15386 family of microcontrollers is Microchip’s latest addition to their portfolio of 8-bit chips. This family of microcontrollers is Microchip’s ‘everything and the kitchen sink’ 8-bit offering. Other families of PICs have included features such as a complementary waveform generator, numerically controlled oscillator, a configurable logic controller, power saving functionality and the extreme low power features, but never before in one piece of silicon.

This feature-packed 8-bit includes a few new tricks not seen before in previous Microchip offerings. Of note are power management features (IDLE and DOZE modes), and a Device Information Area on the chip that contains factory-calibrated data (ADC voltage calibration and a fixed voltage reference) and an ID unique to each individual chip.

As you would expect from a new family of PICs, the 16F15386 is compatible with the MPLAB Xpress IDE and the MPLAB Code Configurator, a graphical programming environment. The products in the family range from 8-pin packages (including DIP!) with 3.5kB of program Flash to 48-pin QFPs with 28kB of program Flash. The goal for Microchip is to provide a wide offering, allowing designers to expand their builds without having to change microcontroller families.

All of these chips can be sampled now, although the lower pin count devices won’t be available through normal means until next month.

Genetically Engineered Muscle Cells Power Tiny Bio-Robots

One of the essential problems of bio-robotics is actuators. The rotors, bearings, and electrical elements of the stepper motors and other electromechanical drives we generally turn to for robotics projects are not really happy in living systems. But building actuators the way nature does it — from muscle tissue — opens up a host of applications. That’s where this complete how-to guide on building and controlling muscle-powered machines comes in.

Coming out of the [Rashid Bashir] lab at the University of Illinois at Urbana-Champaign, the underlying principles are simple, which of course is the key to their power. The technique involves growing rings of muscle tissue in culture using 3D-printed hydrogel as forms. The grown muscle rings are fitted on another 3D-printed structure, this one a skeleton with stiff legs on a flexible backbone. Stretched over the legs like rubber bands, the muscle rings can be made to contract and move the little bots around.

Previous incarnations of this technique relied on cultured rat heart muscle cells, which contract rhythmically of their own accord. That yielded motion but lacked control, so for this go-around, [Bashir] et al used skeletal muscle cells genetically engineered to contract when exposed to light. Illuminating different parts of the muscle ring lets the researchers move the bio-bots anywhere they want. They can also use electric stimulation to control the bio-bots.

The method isn’t quite at the point where home lab biohackers will start churning out armies of bio-bots. But the paper is remarkably detailed in methods and materials, from the CAD files for 3D-printing the forms and bio-bot skeletons to a complete troubleshooting guide. It’s all there, and it could be a game changer for developing the robotic surgeons of the future.


More Layoffs at MakerBot

MakerBot CEO [Nadav Goshen] announced that changes are needed to ensure product innovation and support long-term goals in a blog post published yesterday. To that end, MakerBot will reduce its staff by 30%. This follows a series of layoffs over a year ago that reduced the MakerBot workforce by 36%. With this latest series of layoffs, MakerBot has cut its workforce by over 50% in the span of two years.

In addition to these layoffs, the hardware and software teams will be combined. Interestingly, the current Director of Digital Products, [Lucas Levin], will be promoted to VP of Product. Many in the 3D printer community have speculated MakerBot is pivoting from a hardware company to a software company. [Levin]’s promotion could be the first sign of this transition.

When discussing MakerBot, many will cite the documentary Print the Legend. While it is a good introduction to the beginnings of the desktop 3D printer industry, it is by no means complete. The documentary came out too early: it really doesn’t mention the un-open sourceness of MakerBot, the lawsuit with Form Labs wasn’t covered, and there wasn’t a word on how literally every other 3D printer manufacturer is selling more printers than MakerBot right now.

Is this the end of MakerBot? No, but SSYS is back to the pre-3D-printer-hype levels. Stratasys’ yearly financial report should be out in a month or so. Last year, that report was the inspiration for the MakerBot obituary. It’s still relevant, and proving to be more and more correct, at least from where MakerBot’s hardware business stands.

SparkFun Gets Back To Their Roots With SparkX

Way back in the before years when there were still interesting concepts for reality TV, Nate Seidle blew up a power supply in his dorm room. Instead of finding replacement parts, Nate decided to start a company. For the last decade and a half, SparkFun has grown immensely, been an incredible resource for makers and engineers alike, and shipped out hundreds of thousands of their iconic red boxes.

Being the CEO of a company means you need to do CEO stuff, and a few summers ago Nate the CEO became Nate the Engineer once again. SparkFun is still doing great, but now we know what Nate has been up to these last months. He’s getting back to SparkFun’s roots with SparkX. This is the newest stuff SparkFun has to offer, there is zero documentation or support, and they’re only developing products because Nate wants to.

In a series of blog posts on the SparkFun blog, Nate goes over what is involved in building a new brand for the latest and greatest SparkFun can produce. This involves setting up the SparkX lab, getting the OtherMills pumping out circuit boards, and inevitably the occasional containment failure of the blue smoke.

The first product in the SparkX lineup, Product 0, is a breakout board for the MLX90393 magnetometer. This is a pretty nifty magnetometer that Ted Yapo over on hackaday.io has used to characterize magnets. Really, though, the SparkX Product 0 is exactly what it says on the tin: a breakout board that is just an experiment and comes with no guarantees or support. It is the heart of what SparkFun set out to do twenty years ago.

ASLR^CACHE Attack Defeats Address Space Layout Randomization

Researchers from VUSec found a way to break ASLR via an MMU sidechannel attack that even works in JavaScript. Does this matter? Yes, it matters. A lot. The discovery of this security flaw along with the practical implementation is really important mainly because of two factors: what it means for ASLR to be broken and how the MMU sidechannel attack works inside the processor.

Address Space Layout Randomization or ASLR is an important defense mechanism that can mitigate known and, most importantly, unknown security flaws. ASLR makes it harder for a malicious program to compromise a system by, as the name implies, randomizing the process addresses when the main program is launched. This means that it is unlikely to reliably jump to a particular exploited function in memory or some piece of shellcode planted by an attacker.

Breaking ASLR is a huge step towards simplifying an exploit and making it more reliable. Being able to do it from within JavaScript means that an exploit using this technique can defeat web browser ASLR protection running JavaScript, the most common configuration for Internet users.

ASLR has been broken before in some particular scenarios, but this new attack highlights a more profound problem. It exploits the way that the memory management unit (MMU) of modern processors uses the processor’s cache hierarchy to improve the performance of page table walks, which means that the flaw is in the hardware itself, not in the software that is running. There are some steps that software vendors can take to try to mitigate this issue, but a full and proper fix will mean replacing or upgrading the hardware itself.
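To see which parts of a process ASLR actually randomizes, this added example (not from the original article or the VUSec paper) compares two `/proc/<pid>/maps` snapshots of the same program and lists the regions that load at the same address both times. The two dumps and the binary name `/usr/bin/legacyd` are constructed sample data; on a real Linux host you would capture the dumps from two separate launches.

```python
def aslr_setting(path="/proc/sys/kernel/randomize_va_space"):
    """Linux sysctl: 0 = off, 1 = partial, 2 = full; None if not readable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

def parse_maps(text):
    """Map each named region to its lowest start address in a maps dump."""
    bases = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:          # anonymous mapping: no label to compare
            continue
        start = int(fields[0].split("-")[0], 16)
        label = " ".join(fields[5:])
        bases[label] = min(start, bases.get(label, start))
    return bases

def fixed_regions(run_a, run_b):
    """Regions at the same base address in both runs, i.e. not randomized."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    return sorted(label for label in a.keys() & b.keys() if a[label] == b[label])

# Constructed snapshots of two launches of a non-PIE binary with ASLR enabled.
RUN_A = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/legacyd
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/legacyd
01c3a000-01c5b000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:02 135522 /lib/x86_64-linux-gnu/libc.so.6
7f3a1c3d0000-7f3a1c3d4000 rw-p 00000000 00:00 0
7ffd4e1f0000-7ffd4e211000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """\
00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/legacyd
00651000-00652000 rw-p 00051000 08:02 173521 /usr/bin/legacyd
00f12000-00f33000 rw-p 00000000 00:00 0 [heap]
7fb2d8400000-7fb2d85c0000 r-xp 00000000 08:02 135522 /lib/x86_64-linux-gnu/libc.so.6
7fb2d87d0000-7fb2d87d4000 rw-p 00000000 00:00 0
7ffc91a30000-7ffc91a51000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print("randomize_va_space:", aslr_setting())
    print("not randomized:", fixed_regions(RUN_A, RUN_B))
```

In the sample, the heap, libc and stack move between runs while the main executable stays at `0x400000`, which is what a binary built without position-independent code looks like even when ASLR is enabled system-wide.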

In their paper, researchers reached a dramatic conclusion:


Hackaday.io Passes 200,000 Registered Users

Hackaday.io just welcomed the 200,000th registered user! We are the world’s largest repository of open hardware projects and Hackaday.io is proving its worth as the world’s most vibrant technology community. This is where you go to get inspiration for your next project, to get help fleshing out your product ideas, to build your engineering dream team, and to tell the tales of the workbench whether that be success, failure, or anything in between.

Over the past six months, as we’ve grown from the 150k member milestone to this one, our movement has enjoyed ever-increasing interaction among this amazing group of people. Thank you for spending so much time here and making Hackaday.io a great place for everyone!

Hack Chat Brings Experts from Many Fields

It’s always great when you can watch a conference talk or interview online. But if you weren’t there in person the opportunity for meaningful interaction has already passed. With this in mind, we’ve been inviting experts from numerous fields to host discussions live in the Hackaday.io Hack Chat room.

This is a great way to further our goal of forming a global virtual hackerspace. It’s common to have talks and workshops at a hackerspace, where you can not only learn from and ask questions of the person leading the event, but meet others who share your interests. This has happened time and again with recent guests including Bunnie Huang who talked about making and breaking hardware, a group of Adafruit engineers who discussed their work extending the MicroPython libraries, Sprite_tm who covered the continuing development of ESP32 support, and many more.

This Friday at Noon PST Hackaday’s own Jenny List will be leading the Hack Chat on RF Product design. See you there!

Amazing Projects

It’s pretty amazing to see a guide on building a smartphone for $50 in parts. If that exists anywhere, it’s probably on Hackaday.io — and it’s actually pushing about 80,000 views so far! Arsenijs is a regular around these parts and his ZeroPhone — a 2G communications device based on the Raspberry Pi Zero — is a project that he’s been updating as his prototype-to-production journey progresses. It has a big team behind it and we can’t wait to see where this one goes.

Working on your own is still a great way to learn and we see all kinds of examples of that. Just4Fun is learning the dark arts that went into early personal computing with a $4 project to build a Z80 system on a breadboard.

We revel in the joy of seeing great hardware art come to life. FlipFrame is a great example; it’s a digital picture frame project that goes far beyond that simple description. It rotates the entire screen to fit the layout of the image while showing off all of the hardware that makes this possible rather than hiding it away inside a case.

In addition to our registered users milestone, we’re just about to pass our 20,000th published project. There are so many projects to celebrate and draw inspiration from, and that collection grows every day!

The Rise of Build Contests

This winter we’ve seen a ton of interest in the build contests hosted on Hackaday.io. Of course, nothing can compare to the reach of the Hackaday Prize, our worldwide engineering initiative that challenges people to Build Something That Matters. The 2016 winners were announced in November; even so, people have been tripping over themselves to get a project built for the numerous contests we’ve hosted since then.

Of note is the 1 kB Challenge — a contest dreamed up by our own Adam Fabio which challenged entrants to build an embedded project whose compiled code was 1 kB or less. It was a joy to dive into the entries for this and it will certainly return again.

Running right now is the revival of my favorite build contest: the Hackaday Sci-Fi Contest. Bring your favorite Sci-Fi tech to life — it just needs to be recognizable from a book, movie, or TV show and include some type of electronics.

Meet Your Friends in Real Life

Some of my closest friends in life were first met online. But eventually, you just want to hang out in the same room. This is becoming more and more common with Hackaday.io. In November we celebrated our second Hackaday SuperConference where hundreds of people who love hardware creation gathered in Los Angeles for two days of amazing talks, workshops, and hands-on hacking challenges. This is a good one to add to your calendar but tickets do sell out so consider some other options.

We have regular meetups in LA and New York. If you are ever traveling there, make sure to look up the schedule and see if it can be part of your trip. Perhaps the most interesting was World Create Day. In 2016, we had 80 groups across the world plan meetups on the same day so that the Hackaday community could hang out in real life. We’re not ready to share the details quite yet, but you should plan for that to happen again this year. Something to look forward to!