Recently, Google discovered that a certificate authority (CA) issued forged certificates for Google domains. This compromises the trust provided by Transport Layer Security (TLS) and Secure HTTP (HTTPS), allowing the holder of the forged certificates to perform a man-in-the-middle attack.
To validate that the website you’re visiting is actually who they claim to be, your browser ensures that the certificate presented by the server you’re accessing was signed by a trusted CA. When someone requests a certificate from a CA, they should verify the identity of the person making the request. Your browser, and operating system, have a set of ultimately trusted CAs (called root CAs). If the certificate was issued by one of them, or a intermediate CA that they trust, you will trust the connection. This whole structure of trust is called a Chain of Trust.
With a forged certificate, you can convince a client that your server is actually http://www.google.com. You can use this to sit between a client’s connection and the actual Google server, eavesdropping their session.
In this case, an intermediate CA did just that. This is scary, because it undermines the security that we all rely on daily for all secure transactions on the internet. Certificate pinning is one tool that can be used to resist this type of attack. It works by associating a host with a specific certificate. If it changes, the connection will not be trusted.
The centralized nature of TLS doesn’t work if you can’t trust the authorities. Unfortunately, we can’t.
[Koush] is at it again, this time releasing AirCast, an Android app that’ll push videos to the Chromecast from Dropbox, Google Drive, and your phone’s Gallery. Astute Hackaday readers will recall that AirCast has been around for a few weeks now, but limited to only his whitelisted Chromecast. As [Koush] explains it, he had to reverse engineer the protocols and now he simply avoids the Chromecast SDK entirely. If you’re lucky enough to have a Chromecast, you’ll want to hurry and grab the APK (direct download link) and have some fun with it before it self-destructs. [Koush] isn’t ready to release it for more than a 48 hour period, but we encourage you to take advantage of AirCast and contribute to his call for feedback, bugs, and crash reports. You have a little under a day left.
See “AllCast” work its magic in the video below. No, that’s not a typo. Apparently [Koush] has been struggling with available names for the app, and you’ll hear him call it “AllCast” in the Youtube video. That name was taken for some other product, though, and “AirCast” has now replaced it. If you suddenly regret not immediately ordering a Chromecast and are sitting this one out, go read [Mike’s] rant and get psyched up for when they’re back in stock.
Continue reading “Controlling Chromecast: AirCast APK released”
I’ve had my hands on this Chromecast for almost a week now and I love it. Years ago I hacked my first Xbox after seeing [Kevin Rose] do it on The Screensavers (I did the hardware mod but that’s inconsequential). Why did I do this? So that I could run Xbox Media Center, the predecessor of XBMC. Since then I’ve dreamed of a device which can be hung on the back of the TV with Velcro and run XBMC. We basically got there with the Raspberry Pi, but the Chromecast is the form-factor that I had always envisioned. This lets me watch Netflix, while the RPi runs XBMC. The two are match made in heaven for under a hundred bucks.
That’s why I love the Chromecast device itself, but the bigger picture is that I love what it stands for. Keep reading to see what i mean.
Continue reading “Rant: Why I love what the Chromecast stands for”
Meet [Alex Spiride]. He’s one of the fifteen finalists of the 2013 Google Science Fair. A native of Plano, Texas, [Alex] entered his squid-inspired underwater propulsion system in the 13-14 year old category.
The red cylinder shown in the image inlay is his test rig. It is covered well on his project site linked above. You just need to click around the different pages using the navigation tiles in the upper right to get the whole picture. The propulsion module uses water sprayed out the nozzle to push the enclosure forward. The hull is made of PVC, with a bladder inside which is connected to the nozzle. The bladder is full of water, but the cavity between it and the hull is full of air. Notice the plastic hose which is used to inject pressurized air, squeezing the bladder to propel the water out the nozzle. Pretty neat huh?
We think [Alex’s] work stands on its own. But we can’t help thinking what the next iteration could look like. We wonder what would happen if you wrapped that bladder in muscle wire? Would it be strong enough to squeeze the bladder?
You can see all fifteen finalists at the GSF announcement page. Just don’t be surprised if you see some of those other projects on our front page in the coming days.
Continue reading “Google Science Fair finalist explains squid-inspired underwater propulsion”
It’s not his first Internet radio, but [Matthias]’ modernization of a classic Bakelite radio is a real, functional piece of art. Not only does it retain the look of an old radio, it also has the capability to listen to streams and his entire MP3 collection through the Internet.
For the software, [Matthias] used jquery to pull down web radio streams and soon figured out how to play all his MP3s through Google Music. This, and a web-based remote for his mobile device, allows the new old-school Internet radio to play everything [Matthias] would ever want to listen to.
The controls for the radio are rotary encoders, with indication provided by a really fabulous numbered LED display (seen above) replacing the 70-year-old tuning dial. These numbers indicate both the current Google Music playlist or the currently playing Internet stream, depending on what mode the selector knob is at.
It’s a beautiful piece of work, and the knobs and dials look like something that could have come from a real 70-year-old radio. That’s a win in our book.
In a positive twist on the usual publicity events that our administration has experimented with over the years, President [Obama] will be hosting a google+ hangout with some lucky people to discuss, well, whatever matters. It is nice to see the people running the country finally getting to grips with some technology. It is still scary to hear how many people making the laws about data still don’t even use a computer.
[Limor] from Adafruit was selected as one of the few that would get to ask the President some questions. She will be focusing on manufacturing and small businesses. We think she’s a great candidate to do so. We’ve watched her go from someone who just did some really well documented hacks to someone who runs a successful business focusing on open information and education (and gadgets of course). You can also submit your own questions, and if they get enough votes, the president will answer them.
Google+ Hangouts provide a group video chat with the ability to add apps. [RobotGrrl] created a Node.js web app to control an Arduino that can be added to a Hangout.
In this simple example, [RobotGrrl] demonstrates how to toggle an LED from the Hangout. This includes a tutorial on setting up your EC2 instance, full source for the server and client apps, the processing sketch to control an Arduino, and the code to allow the app to be added to a Hangout.
This example shows the basics, but there’s a whole slew of things that could be controlled with this system. [RobotGrrl] even demonstrates some robots that are controlled from a Hangout interface.
Check out an overview video after the break.
Continue reading “Add an Arduino to a Google+ Hangout”