
Hackaday Links: March 17, 2024

A friend of ours once described computers as “high-speed idiots.” It was true in the 80s, and it appears that even with the recent explosion in AI, all computers have managed to do is become faster. Proof of that can be found in a story about using ASCII art to trick a chatbot into giving away the store. As anyone who has played with ChatGPT or its moral equivalent for more than five minutes has learned, there are certain boundary conditions that the LLM creators’ lawyers have put in place to prevent discussion of sensitive topics. Ask a chatbot for specific instructions on building a nuclear bomb, for instance, and you’ll be rebuffed. Same with asking for help counterfeiting currency, and wisely so. But by minimally obfuscating your question, rendering the word “COUNTERFEIT” in ASCII art and asking the chatbot to first decode the word, you can slip the verboten word past the filter and into a how-to question, and get pretty explicit instructions. Yes, you have to give painfully detailed instructions on parsing the ASCII art characters, but that’s a small price to pay for forbidden knowledge that you could easily find out yourself by other means. The lesson for anyone building such guardrails is that a filter keyed on the words in the prompt only catches the words it can read.


Hackaday Podcast Episode 262: Wheelchair Hacking, Big Little Science At Home, Arya Talks PCBs

Join Hackaday Editors Elliot Williams and Tom Nardi as they go over their favorite hacks and stories from the past week. This episode starts off with an update on Hackaday Europe 2024, which is now less than a month away, and from there dives into wheelchairs with subscription plans, using classic woodworking techniques to improve your 3D printer’s slicer, and a compendium of building systems. You’ll hear about tools for finding patterns in hex dumps, a lusciously documented gadget for sniffing utility meters, a rare connector that works with both HDMI and DisplayPort, and a low-stress shortwave radio kit with an eye-watering price tag. Finally, they’ll take a close look at a pair of articles that promise to up your KiCAD game.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download in DRM-free MP3.


This Week In Security: Apple Backdoors Curl, Tor’s New Bridge, And GhostRace

OK, that headline is a bit of a cheap shot. But if you run the curl binary that Apple ships, you’re in for a surprise if you happen to use the --cacert flag. That flag specifies that TLS verification is to be done using only the CA certificate file you name, and nothing else. That’s useful for solving certificate mysteries, or for making absolutely sure that you’re connecting to the server you expect.

What’s weird here is that on macOS, using the Apple-provided curl binary, --cacert doesn’t limit the program to that single certificate file. Apple’s build still falls back to the system certificate store. This is an intentional choice by Apple, but not one that’s aimed particularly at curl. The real magic is in Apple’s Secure Transport TLS library, which Apple’s curl is built against and which always consults the system keychain.

The current state of things is that this option is simply not going to do the right thing in the Apple-provided binary. Apple’s own documentation for it carries the note that “this option is supported for backward compatibility with other SSL engines, but it should not be set.” It’s an unfortunate situation, and we’re hopeful that a workaround can be found to restore the documented function of this option. In the meantime, `curl --version` tells you which TLS backend a given binary was built with, and a curl built against OpenSSL (the Homebrew package, for instance) honors --cacert as documented.
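Here is a small added check, not from the Hackaday post or from the curl project, that reads the first line of `curl --version` and reports whether --cacert can be relied on. The banner format it parses (the TLS backend named right after the libcurl version, in parentheses for Apple’s build) is an assumption based on what current curl builds print, and the two sample banners are constructed for the demo.

```python
# Added example: is --cacert trustworthy for this curl binary?
# Assumption: `curl --version` prints the TLS backend right after
# "libcurl/<version>", in parentheses for Apple's Secure Transport build.
import re
import shutil
import subprocess

BANNER_RE = re.compile(r"libcurl/\S+\s+\(?([A-Za-z0-9_./-]+)\)?")

# Constructed sample banners, shaped like what the two builds print.
SAMPLE_APPLE = ("curl 8.4.0 (x86_64-apple-darwin23.0) libcurl/8.4.0 "
                "(SecureTransport) LibreSSL/3.3.6 zlib/1.2.12 nghttp2/1.55.1")
SAMPLE_LINUX = ("curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 "
                "OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9")


def tls_backend(version_line: str) -> str:
    """Name of the TLS backend from the first line of `curl --version`."""
    m = BANNER_RE.search(version_line)
    return m.group(1) if m else "unknown"


def cacert_is_restrictive(version_line: str) -> bool:
    """True when --cacert verifies against the given file only.
    With Apple's Secure Transport backend the system keychain is
    always consulted as well, so the flag does not restrict trust."""
    return tls_backend(version_line) != "SecureTransport"


def check_installed_curl(binary: str = "curl") -> str:
    """Run the real binary and summarise what --cacert will do."""
    path = shutil.which(binary)
    if path is None:
        return f"{binary}: not found"
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, check=True).stdout
    first = out.splitlines()[0]
    verdict = ("restricts trust to the given file"
               if cacert_is_restrictive(first)
               else "also trusts the system keychain")
    return f"{path}: TLS backend {tls_backend(first)}; --cacert {verdict}"


if __name__ == "__main__":
    print(check_installed_curl())
```

The manual version of the same check is `curl --cacert /dev/null https://example.com`: with an OpenSSL-backed curl that fails, since the empty file trusts nobody, while Apple’s build happily connects.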

Jenkins, Bring Me a File

The Jenkins continuous delivery server has a critical issue, CVE-2024-23897, an arbitrary file read that clocks in with a 9.8 CVSS score. The one quirk about the way this works is that the vulnerable code reads the file as text rather than as raw bytes, and loses quite a bit of the binary content in the process. Many of the interesting files, like Jenkins’ secret key files, are binary. On a Linux or Mac system the default character encoding is UTF-8, so any byte that doesn’t form valid UTF-8 comes back as a replacement character, which renders roughly half of a random 32-byte key unreadable. Far too many missing bytes to be useful.

But hang on. There’s a caveat here. Because the JDK’s default cryptographic policy historically capped AES keys at 128 bits to comply with US export restrictions, Jenkins hashes its master key and keeps only the first 16 bytes of the digest as the AES key. That means we’ve only got 16-byte keys, and an attacker can recover about half of those bytes via this vulnerability. We may have a problem.

And wait, there’s more! Because the bytes went through an attempt at UTF-8 decoding, we know more about the missing ones than one might think: a byte that failed to decode must be 0x80 or above, which leaves only seven unknown bits per byte, and the way the decoder groups invalid sequences says something about the neighbors too. Check out the breakdown by [Guillaume Quéré] for more details, but the short version is that with just a little luck, one of these keys can be brute-forced in minutes or hours on a single desktop. More missing bytes means more processing time, but this is not an attack outside the realm of possibility, particularly for a determined adversary.
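To make the information-loss argument concrete, here is an added model of the leak, written for this column and not taken from the Jenkins code or from [Guillaume Quéré]’s write-up. It decodes a binary key as UTF-8 the way the vulnerable read does, works out how many bits the attacker is still missing, and brute-forces a constructed demo key. The 1-to-3 bytes per replacement character comes from how Python’s decoder collapses a truncated multi-byte sequence; the SHA-256 fingerprint is a stand-in for the real oracle (does this key decrypt a known Jenkins secret?); and the demo key is made up, mostly ASCII so the search finishes instantly.

```python
# Added example: how a "read the file as text" bug leaks a binary key,
# and how much of the key is really lost. Not the Jenkins code.
import hashlib
import itertools
from typing import Callable, Iterator, List, Optional

KEY_LEN = 16  # Jenkins keeps only the first 128 bits of its AES keys


def leaky_read(raw: bytes) -> str:
    """Model of the vulnerable read: the file comes back as text, and
    every byte sequence that is not valid UTF-8 is replaced by U+FFFD."""
    return raw.decode("utf-8", errors="replace")


def leak_analysis(leaked: str, length: int = KEY_LEN):
    """Split the leaked text into known byte runs and unknown markers.
    Bytes below 0x80 always decode to themselves, and any character that
    survived re-encodes to its exact bytes, so only bytes >= 0x80 can be
    missing, and each of those has 7 unknown bits.
    Returns (parts, missing_byte_count, unknown_bits)."""
    parts: List[Optional[bytes]] = []  # bytes for a known run, None per U+FFFD
    for ch in leaked:
        if ch == "\ufffd":
            parts.append(None)
        elif parts and parts[-1] is not None:
            parts[-1] += ch.encode("utf-8")
        else:
            parts.append(ch.encode("utf-8"))
    known = sum(len(p) for p in parts if p is not None)
    missing = length - known
    return parts, missing, 7 * missing


def candidates(parts: List[Optional[bytes]], missing: int) -> Iterator[bytes]:
    """Every byte string consistent with the leak. One U+FFFD may stand
    for 1 to 3 bytes (Python collapses a truncated multi-byte sequence
    into a single marker), so distribute the missing bytes first."""
    markers = parts.count(None)
    for sizes in itertools.product((1, 2, 3), repeat=markers):
        if sum(sizes) != missing:
            continue
        for fill in itertools.product(range(0x80, 0x100), repeat=missing):
            out, pos, m = bytearray(), 0, 0
            for p in parts:
                if p is None:
                    out += bytes(fill[pos:pos + sizes[m]])
                    pos += sizes[m]
                    m += 1
                else:
                    out += p
            yield bytes(out)


def brute_force(leaked: str, oracle: Callable[[bytes], bool],
                length: int = KEY_LEN, max_bits: int = 24) -> Optional[bytes]:
    """Try every candidate against `oracle` (in the real attack: does this
    key decrypt a known secret?). Gives up when too many bits are missing."""
    parts, missing, bits = leak_analysis(leaked, length)
    if bits > max_bits:
        return None
    for cand in candidates(parts, missing):
        if oracle(cand):
            return cand
    return None


# Constructed 16-byte "key" (not a real Jenkins key). 0x9A and 0xB7 are
# lone continuation bytes: each decodes to one U+FFFD and costs 7 bits.
DEMO_KEY = b"jenk\x9ains-demo\xb7k!"
DEMO_FINGERPRINT = hashlib.sha256(DEMO_KEY).digest()  # stand-in oracle data


def recover_demo_key() -> Optional[bytes]:
    leaked = leaky_read(DEMO_KEY)  # what the attacker actually sees
    return brute_force(leaked,
                       lambda k: hashlib.sha256(k).digest() == DEMO_FINGERPRINT)


if __name__ == "__main__":
    print(leaky_read(DEMO_KEY), leak_analysis(leaky_read(DEMO_KEY))[1:])
    print(recover_demo_key() == DEMO_KEY)
```

For a genuinely random key roughly half the bytes fail to decode, so the demo’s `max_bits` guard refuses the search; that is exactly the gap the decoder’s grouping behavior narrows in the write-up.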

Big. Really big

There are some thresholds where things change. Doing security for yourself looks much different from doing security for a small business. It’s different again at the enterprise level. But what does security posture look like for a company that competes for the top-ten list of largest companies in the world? We get a bit of a peek behind the curtain at how Alphabet’s (Google’s) migration to the BeyondCorp Managed Non-Privileged (MNP) network went.

The basic idea of BeyondCorp is that being inside the corporate network confers no benefit or privilege. Every user and device gets authenticated, and access is limited to what that identity and that device’s state justify. It sounds great, but runs into the issues you might expect at a technical shop like Google: employees needing access to an IRC chat for emergency communications, lots of SSH use, and plenty of other niche network needs that are hard to put into a simple category and handle through MNP networks. Lots to chew on here, learning about how the really big teams work.
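As an added illustration of that decision model, and not Google’s code or anything from the BeyondCorp papers, here is a toy access check in the same spirit: the answer depends on who is asking and how healthy their device is, and the source address is logged but never consulted. The trust tiers, the resource table (an internal wiki, an emergency IRC server, an SSH bastion), the corporate IP range and the sample devices are all made up for the demo.

```python
# Added example: a BeyondCorp-style access decision. Not Google's code.
# Assumptions: three device trust tiers, a per-resource minimum tier and
# group, and 10.0.0.0/8 as the "inside" range that grants nothing.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Tuple

CORP_NET = ip_network("10.0.0.0/8")  # constructed "inside" range


@dataclass(frozen=True)
class Device:
    serial: str
    managed: bool         # enrolled in the device inventory
    disk_encrypted: bool
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    device: Device
    src_ip: str
    resource: str


def device_tier(d: Device) -> int:
    """0 = unknown device, 1 = managed but out of policy, 2 = fully trusted."""
    if not d.managed:
        return 0
    return 2 if (d.disk_encrypted and d.os_patched) else 1


# resource -> (minimum device tier, group allowed to use it). SSH to
# production needs more than the wiki; the emergency IRC server must stay
# reachable from any managed device, patched or not.
POLICY: Dict[str, Tuple[int, str]] = {
    "wiki.corp": (1, "employees"),
    "irc.emergency": (1, "employees"),
    "ssh:prod-bastion": (2, "sre"),
}


def decide(req: Request) -> Tuple[bool, str]:
    """Allow or deny from identity and device state only. The source
    address is reported for the audit log but never changes the answer."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, f"unknown resource {req.resource}"
    min_tier, group = rule
    if group not in req.groups:
        return False, f"{req.user} is not in {group}"
    tier = device_tier(req.device)
    if tier < min_tier:
        return False, f"device {req.device.serial} is tier {tier}, needs {min_tier}"
    where = "inside" if ip_address(req.src_ip) in CORP_NET else "outside"
    return True, f"allowed ({where} corp network, device tier {tier})"


# Constructed sample: same user, same target, only device and location differ.
SRE = frozenset({"employees", "sre"})
UNMANAGED_LAPTOP = Device("SN-0001", managed=False, disk_encrypted=False, os_patched=False)
TRUSTED_LAPTOP = Device("SN-0002", managed=True, disk_encrypted=True, os_patched=True)
STALE_LAPTOP = Device("SN-0003", managed=True, disk_encrypted=True, os_patched=False)

INSIDE_UNMANAGED = Request("alice", SRE, UNMANAGED_LAPTOP, "10.1.2.3", "ssh:prod-bastion")
OUTSIDE_TRUSTED = Request("alice", SRE, TRUSTED_LAPTOP, "203.0.113.9", "ssh:prod-bastion")
OUTSIDE_STALE_IRC = Request("alice", SRE, STALE_LAPTOP, "203.0.113.9", "irc.emergency")


if __name__ == "__main__":
    for r in (INSIDE_UNMANAGED, OUTSIDE_TRUSTED, OUTSIDE_STALE_IRC):
        print(r.resource, r.src_ip, decide(r))
```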

Tor Has a New Toy

One of the fun cat-and-mouse games we get to watch is the constant battle between the folks behind Tor and the various regimes trying to block access to it. Well, Tor has a new tool ready for use: WebTunnel. The concept is pretty simple, just make the Tor connection look like all the other HTTPS traffic. Part of the magic here is that each WebTunnel bridge sits behind a normal web site, with the web server reverse-proxying the Tor traffic to the bridge. So when a sophisticated packet inspection system like the Great Firewall investigates the hidden Tor connection, all it finds is a TLS session to a website that checks out.

The weak points here are the same as for the rest of Tor’s bridge schemes: a user has to have unfettered Internet access to fetch a bridge address in the first place, and the system has to stay under the radar enough to prevent an adversary from simply grabbing the list of endpoints and blocking them. We’re hoping for the best for Tor and WebTunnel.

GhostRace

There’s a new speculative execution bug, GhostRace. Though more properly, this might best be thought of as a new class of gadgets for Spectre-style attacks. GhostRace is the realization that thread synchronization primitives like mutexes and spinlocks are, to the CPU’s branch predictor, just conditional branches: the body of a critical section can run speculatively before the lock is actually taken, turning ordinary race conditions into speculative ones. The other interesting observation is that an Inter-Processor Interrupt (IPI) storm can be used to stall a victim thread at the proper point in the code, extending the window for abusing GhostRace indefinitely.

There’s a mitigation that could be applied to the kernel, but at a performance cost of around 5% globally, it’s been opted against for now. In the words of Linus Torvalds, “There’s security, and then there’s just being ridiculous.” The IPI storm is being treated as a problem, and has been fixed, cutting down on the issue’s exposure for abuse.

Bits and Bytes

There’s a clever attack against Tesla customers, where a fake WiFi access point presents a captive portal that prompts the user to sign in with a valid Tesla account. That’s a phishing portal, and the stolen sign-in is then used to add a new “phone key”, which gives full access to the vehicle. The hack was originally pulled off using a Flipper Zero, which fed into the pandemonium about that particular device. This is your reminder that this is a simple WiFi trick, and any laptop running a bit of software could also pull it off. And more people have laptops.

We’re big fans of the Termux command line tool for Android. While yes, tapping on the tiny keyboard on your mobile screen is a terrible experience, bringing your entire toolkit of command line tools along in your pocket is awesome! And here’s another tool that belongs on the mobile. APKDeepLens is designed specifically for scanning APKs for vulnerabilities. With Termux, we get the added bonus of doing the scan locally. Neat!

With just a bit of know-how and curiosity, you don’t have to look far to find exploitable bugs. [Stefán] was looking at a travel website, and was annoyed by a disabled, pre-selected checkbox labeled as a mandatory fee. That’s nothing to a skilled hacker with access to elite tools like… Google Chrome’s built-in devtools. Remove the disabled attribute from the checkbox, deselect it, and the price dropped accordingly. But that’s just the user-facing side; surely the transaction wouldn’t complete for the lower price, right? It completed for the lower price. There are no trains, but the story covers ferries and automobiles for more fun.
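The bug underneath is the server trusting the browser’s list of fees. Here is an added pair of price calculations, not the travel site’s code and not from [Stefán]’s write-up, with the catalogue, fee names and orders all constructed for the demo: the vulnerable version sums whatever the client posted, so the only thing keeping the mandatory fee in the total was that disabled checkbox, while the fixed version adds mandatory fees itself and only takes genuinely optional extras from the request.

```python
# Added example: server-side fee calculation, trusting vs. authoritative.
# The catalogue and orders are made up; the product key is a placeholder.
from decimal import Decimal

CATALOGUE = {
    "ferry:demo-route": {
        "fare": Decimal("89.00"),
        "mandatory": {"port_fee": Decimal("12.50")},
        "optional": {"cabin": Decimal("40.00"), "meal": Decimal("18.00")},
    },
}


def total_trusting_client(order: dict) -> Decimal:
    """Vulnerable: adds exactly the fees the browser listed. A pre-ticked,
    disabled checkbox is a UI hint, not an enforcement mechanism, so a
    client that drops "port_fee" from the list gets the discount."""
    item = CATALOGUE[order["product"]]
    prices = {**item["mandatory"], **item["optional"]}
    return item["fare"] + sum(prices[f] for f in order["fees"])


def total_authoritative(order: dict) -> Decimal:
    """Fixed: mandatory fees come from the catalogue regardless of what was
    posted; only optional extras are read from the request, and unknown
    fee names are rejected rather than silently ignored."""
    item = CATALOGUE[order["product"]]
    extras = set(order["fees"]) - set(item["mandatory"])
    unknown = extras - set(item["optional"])
    if unknown:
        raise ValueError(f"unknown fees: {sorted(unknown)}")
    return (item["fare"]
            + sum(item["mandatory"].values())
            + sum(item["optional"][f] for f in extras))


# Constructed orders: what the untouched form posts, and what the
# devtools-edited form posts after un-ticking the "mandatory" box.
HONEST_ORDER = {"product": "ferry:demo-route", "fees": ["port_fee", "meal"]}
TAMPERED_ORDER = {"product": "ferry:demo-route", "fees": ["meal"]}


if __name__ == "__main__":
    for name, order in (("honest", HONEST_ORDER), ("tampered", TAMPERED_ORDER)):
        print(name, total_trusting_client(order), total_authoritative(order))
```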

And finally, have you ever wanted an in-depth look at a Ruby exploit chain? Include Security brings us the goods, with a walk-through of how to go from a deserialization bug all the way to arbitrary code execution. The takeaway? Don’t feed user-provided payloads to a deserializer that can instantiate arbitrary classes!
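The write-up is about Ruby’s Marshal, but the bug class is language-agnostic, so here is the same lesson as an added Python example (not from Include Security’s post): a native-format deserializer that can name arbitrary callables runs attacker-chosen code just by loading the data, and the fix is either a data-only format or a loader that refuses every global it was not told to expect. The payload is constructed and deliberately harmless; it invokes `os.getcwd`, which proves the point without doing damage.

```python
# Added example: unsafe vs. restricted deserialization, Python's pickle
# standing in for Ruby's Marshal. The payload is constructed and benign.
import builtins
import io
import os
import pickle


class Gadget:
    """What an attacker serialises: not data, but "call this function".
    Any callable the loader can import would do; os.getcwd is harmless."""
    def __reduce__(self):
        return (os.getcwd, ())


ATTACKER_PAYLOAD = pickle.dumps(Gadget())                     # constructed
SAFE_PAYLOAD = pickle.dumps({"route": "ferry", "passengers": 2})  # constructed


def unsafe_load(data: bytes):
    """The bug: pickle.loads resolves and calls whatever the data names."""
    return pickle.loads(data)


# Only these (module, name) pairs may ever be resolved from a payload.
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "tuple"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """The fix when a data-only format is not an option: allow-list the
    globals a payload may reference and reject everything else."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_load_ran_code(data: bytes = ATTACKER_PAYLOAD) -> bool:
    """True if loading the payload executed the attacker's callable."""
    return unsafe_load(data) == os.getcwd()


def safe_load_blocked(data: bytes = ATTACKER_PAYLOAD) -> bool:
    """True if the restricted loader refused the payload."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe loader ran attacker code:", unsafe_load_ran_code())
    print("restricted loader blocked it:", safe_load_blocked())
    print("restricted loader still reads plain data:", safe_load(SAFE_PAYLOAD))
```

The allow-list approach is the documented hardening for pickle, but it only narrows the attack surface; if the payload never needed to be a native object graph, JSON with explicit schema validation removes the class entirely.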

Retrotechtacular: Air Mail For The Birds

Today, if you want to send a message to a distant location, you’ll probably send an e-mail or a text message. But it hasn’t always been that easy. Military commanders, in particular, have always needed ways to send messages and were early adopters of radio and, prior to that, schemes like semaphores, drums, horns, Aldis lamps, and even barrels of water to communicate over distances.

One of the most reliable ways to pass messages, even during the last world war, was by carrier pigeon. Since the U.S. Army Signal Corps handled anything that included messages, it makes sense that the War Department issued TM 11-410 about how to use and care for pigeons. Think of it as the network operations guide of 1945. The practice, though, is much older. There is evidence that the Persians used pigeons in the 6th century BC, and Julius Caesar’s army also used the system.

You wouldn’t imagine that drawing an assignment in the Signal Corps might involve learning about breeding pigeons, training them, and providing them with medical attention, but that’s what some Signal Corps personnel did. The Army started experimenting with pigeons in 1878, but the Navy was the main user of the birds until World War I, when the U.S. Pigeon Intelligence Service was formed. In World War II, they saw use in situations where radio silence was important, like the D-Day invasion.

The Navy also disbanded its earlier Pigeon Messenger Service. It then returned to avian communications during the World Wars, using them to allow aviators to send messages back to base without radio traffic. The Navy had its own version of the pigeon manual.


Lithium-Ion Batteries Power Your Devboards Easily

Last summer, I was hanging out with a friend from the Netherlands for a week, and in the middle of that week, we decided to go on a 20 km bike trip to a nearby beach. Problem? We wanted to chat throughout the trip, but the wind noise was loud, and screaming at each other while cycling wouldn’t have been fun. I had some walkie-talkie software in mind, but only a single battery-powered Pi in my possession. So, I went into my workshop room, and half an hour later, walked out with a Pi Zero wrapped in a few cables.

I wish I could tell you that it worked wonders. The Zero didn’t have enough CPU power (I only had single-core ones spare), and the software I had in mind would start to stutter badly every time we tried to run it in bidirectional mode. But the battery power solution was fantastic. If you need your hack to go mobile, read on.


Review: The New Essential Guide To Electronics In Shenzhen

The city of Shenzhen in China holds a special fascination for the electronic hardware community. As the city and special economic zone established by the Chinese government at the start of the 1980s, it has become probably the most important place in the world for electronic manufacturing. If you’re in the business of producing electronic hardware you probably want to do that business there, and if you aren’t, you will certainly own things whose parts were made there. From the lowly hobbyist who buys a kit of parts on AliExpress, through the project featured on Hackaday with a Shenzhen-made PCB, to the engineer bringing an electronic product to market, it’s a place which, whether we know it or not, has become part of our lives.

First, A Bit Of History

Booths in a Shenzhen market. These are the markets we have been looking for. Credit: Naomi Wu.

At a superficial level it’s very easy to do business there, as a quick trawl through our favourite Chinese online retailers will show. But when you’ve graduated from buying stuff online and need to get down to the brass tacks of sourcing parts and arranging manufacture, it becomes impossible to do so without being on the ground. At which point, for an American or European without a word of Chinese, even sourcing a resistor becomes an impossibly daunting task. To tackle this, back in 2016 the Chinese-American hardware hacker and author Andrew ‘bunnie’ Huang produced a slim wire-bound volume, The Essential Guide to Electronics in Shenzhen. This book contained both a guide to the city’s legendary Huaqiangbei electronics marts and a large section of point-to-translate guides for parts, values, and all the other Chinese phrases which a non-Chinese-speaker might need to get their work done in the city. It quickly became an essential tool for sourcing in Shenzhen, and more than one reader no doubt has a well-thumbed copy on their shelves.

There are places in the world where time appears to move very slowly, but this Chinese city is not one of them. A book on Shenzhen written in 2016 is now significantly out of date, and to keep pace with the parts of the city that have since changed beyond recognition, an update has become necessary. In this endeavour the mantle has passed to the hardware hacker and Shenzhen native Naomi Wu, someone with many years’ experience in introducing the people, culture, and industries of her city to the world. Her updated volume, The New Essential Guide to Electronics in Shenzhen, has been the subject of a recent crowdfunding effort, and I was lucky enough to snag one. It’s a smart hardcover spiral-bound book with a red and gold cover, and it’s time to open it up and take a look.

The Short Workbench

Imagine an electronics lab. If you grew up in the age of tubes, you might envision a room full of heavy large equipment. Even if you grew up in the latter part of the last century, your idea might be a fairly large workbench with giant boxes full of blinking lights. These days, you can do everything in one little box connected to a PC. Somehow, though, it doesn’t quite feel right. Besides, you might be using your computer for something else.

I’m fortunate in that I have a good-sized workspace in a separate building. My main bench has an oscilloscope, several power supplies, a function generator, a bench meter, and at least two counters. But I also have an office in the house, and sometimes I just want to do something there, but I don’t have a lot of space. I finally found a very workable solution that fits on a credenza and takes just around 14 inches of linear space.

How?

How can I pack the whole thing in 14 inches? The trick is to use only two boxes, but they need to be devices that can do a lot. The latest generation of oscilloscopes are quite small. My scope of choice is a Rigol DHO900, although there are other similar-sized scopes out there.

If you’ve only seen these in pictures, it is hard to realize how much smaller they are than the usual scopes. They should put a banana in the pictures for scale. The scope is about 10.5″ wide (265 mm and change). It is also razor thin: 3″ or 77 mm deep. For comparison, that’s about an inch and a half narrower and nearly half the depth of a DS1052E, which has a smaller screen and only two channels.

A lot of test gear in a short run.

If you get the scope tricked out, you’ve just crammed a bunch of features into that small space. Of course, you have a scope and a spectrum analyzer. You can use the thing as a voltmeter, but it isn’t the primary meter on the bench. If you spend a few extra dollars, you can also get a function generator and logic analyzer built-in. Tip: the scope doesn’t come with the logic analyzer probes, and they are pricey. However, you can find clones of them in the usual places that are very inexpensive and work fine.

There are plenty of reviews of this and similar scopes around, so I won’t talk any more about it. The biggest problem is where to park all the probes.