Paged Out! Releases Long-Awaited Third Issue

December 27, 2023 by Tom Nardi 4 Comments

We’re happy to pass along word that Paged Out! has finally released Issue #3. This online zine covers a wide array of technical topics, from software development to hardware hacking, computer security, and electronics.

It’s distributed as a PDF, and is notable for its somewhat experimental format that limits each article to a single page. The first two issues were released back in 2019, but between a global pandemic and some administrative shuffling, progress on the current release was slowed considerably.

Among the 50 articles that make up the third Paged Out! there are a number of pieces focusing on hardware, such as the serial communications “cheat sheet” from [Jay Greco], and a pair of articles covering the state-of-the-art in custom keyboards. But overall the zine does lean hard into programming topics, and is probably best suited for those with an interest in software development and infosec.

Still, the line between hardware and software is getting blurrier all the time, so we’re sure you can find something in Paged Out! that should interest you no matter which side of the fence you’re on. Here’s hoping the time between releases can be reduced a bit for Issue #4.

JawnCon 0x0: A Strong Start With A Bright Future

November 13, 2023 by Tom Nardi 9 Comments

Last month, I had the pleasure witnessing a birth. No, not of a child. What I’m talking about is something far rarer, though arguably, just as loud and danger fraught — the birth of a new hacker convention.

The very first JawnCon took place on October 19th and 20th at Arcadia University, just outside of Philadelphia. If you’re in the Northeast US and suddenly find yourself surprised to learn that a hacker con managed to slip under your radar, don’t be. The organizers, who previously helped launch the WOPR Summit back in 2019, wisely decided to keep the scale of this first outing in check. Just a single track of talks, a chill out room, and 130 or like-minded individuals.

Although, even if they’d hatched a more ambitious plan, it’s hard to imagine they’d have had enough time to pull it off. Due to various circumstances, JawnCon had to come together at a breakneck pace, with less than 100 days separating the con’s inception and kickoff. That an event such as this could not only be organized so quickly, but go off without a hitch, is a testament to the incredible folks behind the scenes.

As for what a Jawn is…well, that might take a bit more explaining. It’s regional slang that’s perhaps best described as a universal noun in that it can be used to refer to basically anything or anyone. Think “smurf” or “da kine”. According to organizer Russell Handorf, the all-encompassing nature of the word describes not only his personal ethos but the spirit of the event. Rather than focusing too closely on any one aspect of hacking, JawnCon set out to explore a diverse array of tech topics from both the new and old schools. It would be an event where you could listen to a talk on payphone remote management, try your hand at lock picking, and learn about the latest in anti-drone technology, all under the same roof.

To that end, the team did an incredible job. Everyone I spoke to, young or old, newbie or vet, had a fantastic time. What’s more, as revealed in the Closing Remarks, the con actually managed to stay in the black — no mean feat for a first attempt. With a little luck, it seems like JawnCon is well on its way to becoming one of the Northeast’s can’t-miss hacker events. Continue reading “JawnCon 0x0: A Strong Start With A Bright Future” →

Hackaday Links: July 26, 2020

July 26, 2020 by Dan Maloney 12 Comments

An Australian teen is in hot water after he allegedly exposed sensitive medical information concerning COVID-19 patients being treated in a local hospital. While the authorities in Western Australia were quick to paint the unidentified teen as a malicious, balaclava-wearing hacker spending his idle days cracking into secure systems, a narrative local media were all too willing to parrot, reading down past the breathless headlines reveals the truth: the teen set up an SDR to receive unencrypted POCSAG pager data from a hospital, and built a web page to display it all in real-time. We’ve covered the use of unsecured pager networks in the medical profession before; this is a well-known problem that should not exactly take any infosec pros by surprise. Apparently authorities just hoped that nobody would spend $20 on an SDR and an afternoon putting it all together rather than address the real problem, and when found out they shifted the blame onto the kid.

Speaking of RF hacking, even though the 2020 HOPE Conference is going virtual, they’ll still be holding the RF Hacking Village. It’s not clear from the schedule how exactly that will happen; perhaps like this year’s GNU Radio Conference CTF Challenge, they’ll be distributing audio files for participants to decode. If someone attends HOPE, which starts this weekend, we’d love to hear a report on how the RF Village — and the Lockpicking Village and all the other attractions — are organized. Here’s hoping it’s as cool as DEFCON Safe Mode’s cassette tape mystery.

It looks like the Raspberry Pi family is about to get a big performance boost, with Eben Upton’s announcement that the upcoming Pi Compute Module 4 will hopefully support NVMe storage. The non-volatile memory express spec will allow speedy access to storage and make the many hacks Pi users use to increase access speed unnecessary. While the Compute Modules are targeted at embedded system designers, Upton also hinted that NVMe support might make it into the mainstream Pi line with a future Pi 4A.

Campfires on the sun? It sounds strange, but that’s what solar scientists are calling the bright spots revealed on our star’s surface by the newly commissioned ESA/NASA Solar Orbiter satellite. The orbiter recently returned its first images of the sun, which are extreme closeups of the roiling surface. They didn’t expect the first images, which are normally used to calibrate instruments and make sure everything is working, to reveal something new, but the (relatively) tiny bright spots are thought to be smaller versions of the larger solar flares we observe from Earth. There are some fascinating images coming back from the orbiter, and they’re well worth checking out.

And finally, although it’s an old article and has nothing to do with hacking, we stumbled upon Tim Urban’s look at the mathematics of human relations and found it fascinating enough to share. The gist is that everyone on the planet is related, and most of us are a lot more inbred than we would like to think, thanks to the exponential growth of everyone’s tree of ancestors. For example, you have 128 great-great-great-great-great-grandparents, who were probably alive in the early 1800s. That pool doubles in size with every generation you go back, until we eventually — sometime in the 1600s — have a pool of ancestors that exceeds the population of the planet at the time. This means that somewhere along the way, someone in your family tree was hanging out with someone else from a very nearby branch of the same tree. That union, likely between first or second cousins, produced the line that led to you. This is called pedigree collapse and it results in the pool of ancestors being greatly trimmed thanks to sharing grandparents. So the next time someone tells you they’re descended from 16th-century royalty, you can just tell them, “Oh yeah? Me too!” Probably.

Fear Of Potato Chips: Samy Kamkar’s Side-Channel Attack Roundup

March 9, 2020 by Dan Maloney 13 Comments

What do potato chips and lost car keys have in common? On the surface, it would seem not much, unless you somehow managed to lose your keys in a bag of chips, which would be embarrassing enough that you’d likely never speak of it. But there is a surprising link between the two, and Samy Kamkar makes the association in his newly published 2019 Superconference talk, which he called “FPGA Glitching and Side-Channel Attacks.”

Continue reading “Fear Of Potato Chips: Samy Kamkar’s Side-Channel Attack Roundup” →

What Happens When A Regular Person Finds A Huge Security Flaw?

January 29, 2019 by Brian Benchoff 38 Comments

The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response Apple has taken group FaceTime offline in preparation of a software update later this week.

So, how does this FaceTime bug work? It’s actually surprisingly simple. First, start a FaceTime call with an iPhone contact. While the call is dialing, swipe up, and tap Add Person. Add your own phone number in the Add Person screen. This creates a group call with two instances of your iPhone, and the person you’re calling. You may now listen in to the audio of the person you originally called even though they haven’t chosen to pick up the call. Dumb? Yes. Insecure? Horribly. If your iPhone is ringing, the person on the other end could be listening in.

But this isn’t a story about how Apple failed yet again. This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.

Continue reading “What Happens When A Regular Person Finds A Huge Security Flaw?” →

Non-Nefarious Raspberry Pi Only Looks Like A Hack

November 13, 2018 by Dan Maloney 50 Comments

We’re going to warn you right up front that this is not a hack. Or at least that’s how it turned out after [LiveOverflow] did some digital forensics on a mysterious device found lurking in a college library. The path he took to come to the conclusion that nothing untoward was going on was interesting and informative, though, as is the ultimate purpose of the unknown artifacts.

As [LiveOverflow] tells us in the video below, he came upon a Reddit thread – of which we can now find no trace – describing a bunch of odd-looking devices stashed behind garbage cans, vending machines, and desks in a college library. [LiveOverflow] recognized the posted pictures as Raspberry Pi Zeroes with USB WiFi dongles attached; curiosity piqued, he reached out to the OP and offered to help solve the mystery.

The video below tells the tale of the forensic fun that ensued, including some questionable practices like sticking the device’s SD card into the finder’s PC. What looked very “hackerish” to the finder turned out to be quite innocuous after [LiveOverflow] went down a remote-diagnosis rabbit hole to discern the purpose of these devices. We won’t spoil the reveal, but suffice it to say they’re part of a pretty clever system with an entirely non-nefarious purpose.

We thought this was a fun infosec romp, and instructive on a couple of levels, not least of which is keeping in mind how “civilians” might see gear like this in the wild. Hardware and software that we deal with every day might look threatening to the general public. Maybe the university should spring for some labels describing the gear next time.

Continue reading “Non-Nefarious Raspberry Pi Only Looks Like A Hack” →

E-Mail Service Claims It Doesn’t Store Your Mail

November 10, 2018 by Al Williams 28 Comments

There have been many news stories lately about companies misusing your data, including your e-mails. What’s more, these giant repositories of data are favorite targets for hackers. Even if you trust the big corporations, you are also betting on their security. Criptext claims they have (possibly) the most private e-mail service ever. It uses the open Signal protocol and stores private keys and encrypted mail only on your device. All the applications to access your mail are open source, so presumably, someone would eventually spot any backdoors or open holes.

At the moment the service is free and the company reports that even when a paid offering is ready, there will still be a free tier. Of course, you can send and receive normal e-mail, too. You can also use a passphrase you send to someone else (presumably not by e-mail) so they can read an encrypted message.

Continue reading “E-Mail Service Claims It Doesn’t Store Your Mail” →