Hackaday Links: April 2, 2017

Toorcamp registration is open. It’s June 20-24th on Orcas Island, Washington.

Hey, you. The guy still using Mentor Graphics. Yeah, you. Siemens has acquired Mentor Graphics.

CNC knitting machines are incredibly complicated but exceptionally cool. Until now, most CNC knitting machines are actually conversions of commercial machines. Beginning with [Travis Goodspeed] and  [Fabienne Serriere] hack of a knitting machine, [Becky Stern]’s efforts, and the Knitic project, these knitting machines are really just brain transplants of old Brother knitting machines. A few of the folks from the OpenKnit project have been working to change this, and now they’re ready for production. Kniterate is a project on Kickstarter that’s a modern knitting machine, and basically a 2D woolen printer. This is an expensive machine at about $4500, but if you’ve ever seen the inside of one of these knitting machines, you’ll know building one of these things from scratch is challenging.

There was a time when a Macintosh computer could play games. Yes, I know this sounds bizarre, but you could play SimCity 2000, Diablo, and LucasArts adventure games on a machine coming out of Cupertino. [Novaspirit] wanted to relive his childhood, so he set up a Mac OS 7 emulator on a Raspberry Pi. He’s using Minivmac, beginning with an install of OS 7.1, upgrading that to 7.5.3, then upgrading that to 7.5.5. It should be noted the utility of the upgrade to 7.5.5 is questionable — the only real changes from 7.5.3  to 7.5.5 are improved virtual memory support (just change some emulator settings to get around that) and networking support (which is difficult on an emulator). If you’re going to upgrade to 7.5.5, just upgrade to 8.1 instead.

It’s getting warmer in the northern hemisphere, and you know what that means: people building swamp coolers. And you know what that means: people arguing about the thermodynamics of swamp coolers. We love these builds, so if you have a swamp cooler send it on in to the tip line.

The Prusa edition of Slic3r is out. The improvements? It’s not a single core app anymore (!), so slicing is faster. It’s got that neat variable layer slicing. Check out all the features.

It takes at least a week to delete your Facebook account. In the meantime, you can lawyer up and hit the gym. Additionally, we’re not really sure Facebook actually deletes your profile when you disable your account. Robots to the rescue. [anerdev] built a robot to delete all his content from Facebook. It’s a pair of servos with touchpad-sensitive pens. Add an Arduino, and you have a Facebook deleting machine.

Facebook Open-Sources their Capture-the-Flag Hacking Challenges

If you want to learn how to defeat computer security, nothing beats hands-on experience. Of course, if you get your hands on someone’s system without their permission, you may end up having a very short training that ends with a jail term. And that’s where capture-the-flag (CTF) events come in.

A CTF is a system of increasingly-difficult challenges that can’t be too easy or too hard. A well-designed CTF teaches all of the participants stuff that they didn’t know, no matter how far they get and what skills they came in with. Designing a good CTF is difficult.

But since it’s also a competition, running one also involves a lot of horrible bookkeeping for the folks running it. Registering teams and providing login pages is the dirty work that you have to do in the background, that takes away time from building the systems which others are going to take apart.

Which is why it’s great that Facebook is opening up their CTF-hosting platform, along with a few starter challenges, for us all to play along. We love CTFs and related hacking challenges. If this spurs the creation of more, we’re all for it. You can find the whole setup on GitHub.

If you’re new to CTFs, here’s an awesome collection of CTF-related material on GitHub to get you started. And if your tastes run more toward hardware hacking, we’ve covered previous firmware CTFs, but frankly there’s a lot more material out there. We feel a feature post coming on…

Thanks [ag4ve] for the unintentional tip!

You Can Learn a lot about Social Engineering from a Repo Man

The most vulnerable part of any secure information system is the human at the controls. Secure passwords, strong encryption, and stringent protocols are all worthless if that human can be coerced to give away the keys to the kingdom. The techniques of attacking a system through the human are collectively known as social engineering. While most of us don’t use social engineering in our day-to-day jobs, anyone can fall victim to it, so it’s always good to see this stuff in action. Some of the best examples of social engineering come from unlikely places. One of those is [Matthew Pitman].

reponinja[Matt] is one of those people we all hope we never to meet in real life. He’s a repo man. For those not familiar with the term, [Matt] is the guy who comes to pick up your car, boat or other asset when you fall behind on your loan payments. Generally, these repossession agents are contractors, working for the bank or loan agency who holds the loan on the collateral. As you might expect, no one is happy to see them coming.

[Matt] uses plenty of high-tech gadgetry in his line of work, everything from GPS tracking devices to drones. He calls his tow truck the Repo Ninja, and the interior is decked out with an internet connection, laptop, and tons of cameras. Even so, his greatest asset is social engineering. His 26 years of experience have taught him how to work people to get what he needs: their cars.

Continue reading “You Can Learn a lot about Social Engineering from a Repo Man”

Hackaday Links: Summer, 2015

[Elia] was experimenting with LNAs and RTL-SDR dongles. If you’re receiving very weak signals with one of these software defined radio dongles, you generally need an LNA to boost the signal. You can power an LNA though one of these dongles. You’ll need to remove a few diodes, and that means no ESD protection, and you might push the current consumption above the 500mA a USB port provides. It does, however, work.

We’ve seen people open up ICs with nitric acid, and look inside them with x-rays. How about a simpler approach? [steelcityelectronics] opened up a big power transistor with nothing but a file. The die is actually very small – just 1.8×1.8mm, and the emitter bond wire doesn’t even look like it’ll handle 10A.

Gigantic Connect Four. That’s what the Lansing Makers Network built for a Ann Arbor Maker Faire this year. It’s your standard Connect Four game, scaled up to eight feet tall and eight feet wide. The disks are foam insulation with magnets; an extension rod (with a magnet at the end) allows anyone to push the disks down the slots.

[Richard Sloan] of esp8266.com fame has a buddy running a Kickstarter right now. It’s a lanyard with a phone charger cable inside.

Facebook is well-known for the scientific literacy of its members. Here’s a perpetual motion machine. Comment gold here, people.

Here’s some Hackaday Prize business: We’re giving away stuff to people who use Atmel, Freescale, Microchip, and TI parts in their projects. This means we need to know you’re using these parts in your projects. Here’s how you let us know. Also, participate in the community voting rounds. Here are the video instructions on how to do that.

Race Conditions Exploit Granted Free Money on Web Services

[Josip] has been playing around with race conditions on web interfaces lately, finding vulnerabilities on both Facebook and Digital Ocean. A race condition can occur when a piece of software processes multiple threads using a shared resource.

For example, [Josip] discovered that he was able to manipulate page reviews using just a single Facebook account. Normally, a user is permitted to leave just one review for any given Facebook page. This prevents a single user from being able to skew the page’s overall ranking by making a bunch of positive or negative reviews. The trick to manipulating the system was to intercept the HTTP request that submitted the page review. The request was then replayed over and over in a very short amount of time.

Facebook’s servers ended up processing some of these requests simultaneously, essentially unaware that multiple requests had come in so close together. The result was that multiple reviews were submitted, artificially changing the pages overall ranking even though only one review actually showed up on the page for this user. The user can then delete their single review, and repeat this cycle over and over. It took Facebook approximately two months to fix this vulnerability, but in the end it was fixed and [Josip] received a nice bounty.

The Digital Ocean hack was essentially the exact same process. This time instead of hacking page reviews, [Josip] went after some free money. He found that he was able to submit the same promotional code multiple times, resulting in a hefty discount at checkout time. Digital Ocean wasted no time fixing this bug, repairing it within just ten days of the disclosure.

Exposing Private Facebook Photos with a Malicious App

[Laxman] is back again with another hack related to Facebook photos. This hack revolves around the Facebook mobile application’s “sync photos” function. This feature automatically uploads every photo taken on your mobile device to your Facebook account. These photos are automatically marked as private so that only the user can see them. The user would have to manually update the privacy settings on each photo later in order to make them available to friends or the public.

[Laxman] wanted to put these privacy restrictions to the test, so he started poking around the Facebook mobile application. He found that the Facebook app would make an HTTP GET request to a specific URL in order to retrieve the synced photos. This request was performed using a top-level access token. The Facebook server checked this token before sending down the private images. It sounds secure, but [Laxman] found a fatal flaw.

The Facebook server only checked the owner of the token. It did not bother to check which Facebook application was making the request. As long as the app had the “user_photos” permission, it was able to pull down the private photos. This permission is required by many applications as it allows the apps to access the user’s public photos. This vulnerability could have allowed an attacker access to the victim’s private photos by building a malicious application and then tricking victims into installing the app.

At least, that could have been the case if Facebook wasn’t so good about fixing their vulnerabilities. [Laxman] disclosed his finding to Facebook. They had patched the vulnerability less than an hour after acknowledging the disclosure. They also found this vulnerability severe enough to warrant a $10,000 bounty payout to [Laxman]. This is in addition to the $12,500 [Laxman] received last month for a different Facebook photo-related vulnerability.

Deleting Facebook Albums Without Permission

[Laxman] was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program which means if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for [Laxman] to find one worthy of a bounty.

The graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums. At least, it’s not supposed to be able too. [Laxman] decided to test this claim himself.

He started by sending a command to delete one of his own albums using a graph explorer access token. His request was denied. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. [Laxman] had another trick up his sleeve, though. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application.

He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. This actually worked, and resulted in his photo album being deleted. To take things a step further, [Laxman] sent the same requests, but changed the user’s ID to a victim account he had set up. The request was accepted and processed without a problem. This meant that [Laxman] could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that [Laxman] had permission to view the album in the first place.

Since [Laxman] is one of the good guys, he sent this bug in to the Facebook team. It took them less than a day to fix the issue and they rewarded [Laxman] $12,500 for his trouble. It’s always nice to be appreciated. The video below shows [Laxman] walking through how he pulled off this hack using Burp Suite. Continue reading “Deleting Facebook Albums Without Permission”