Great Scott! A Flux Capacitor Notification Light

If you are into your social media, then you probably like to stay updated with your notifications. [Gamaral] feels this way but he wasn’t happy with the standard way of checking the website or waiting for his phone to alert him. He wanted something a little more flashy. Something like a flux capacitor notification light. This device won’t send his messages back in time, but it does look cool.

He started with an off-the-shelf flux capacitor USB charger. Normally this device just looks cool when charging your USB devices. [Gamaral] wanted to give himself more control of it. He started by opening up the case and replacing a single surface mount resistor. The replacement component is actually a 3.3V regulator that happens to have a similar form factor to the original resistor. This regulator can now provide steady power to the device itself, as well as an ESP8266 module.

The ESP8266 module has built-in WiFi capabilities for a low price. The board itself is also quite small, making it suitable for this project. [Gamaral] used just two GPIO pins. The first one toggles the flux circuit on and off, and the second keeps track of the current state of the circuit. To actually trigger the change, [Gamaral] just connects to the module via TCP and issues a “TIME CIRCUIT ON/OFF” command. The simplicity makes the unit more versatile because an application running on a PC can actually track various social media and flash the unit accordingly.

Dial is a Simple and Effective Wireless Media Controller

[Patrick] was looking for an easier way to control music and movies on his computer from across the room. There are a huge number of remote control products that could be purchased to do this, but as a hacker [Patrick] wanted to make something himself. He calls his creation “Dial”, and it’s a simple but elegant solution to the problem.

Dial looks like a small cylindrical container that sits on a flat surface. It’s actually split into a top and bottom cylinder. The bottom acts as a base and stays stationary while the top acts as a dial and a push button. The case was designed in SOLIDWORKS and printed on a 3D printer.

The Dial runs on an Arduino Pro mini with a Bluetooth module. The original prototype used Bluetooth 2.0 and required a recharge after about a day. The latest version uses the Bluetooth low energy spec and can reportedly last several weeks on a single charge. Once the LiPo battery dies, it can be recharged easily once plugged into a USB port.

The mechanical component of the dial is actually an off-the-shelf rotary encoder. The encoder included a built-in push button to make things easier. The firmware is able to detect rotation in either direction, a button press, a double press, and a press-and-hold. This gives five different possible functions.

[Patrick] wrote two pieces of software to handle interaction with the Dial. The first is a C program to deal with the Bluetooth communication. The second is a set of AppleScripts that handle interaction between the Dial and the various media programs on his computer. This allows the user to more easily write their own scripts for whatever software they want. While this may have read like a product review, the Dial is actually open source!

SpoofedMe Attack Steals Accounts by Exploiting Social Login Mechanisms

We’ve all seen the social logon pop-up boxes. You try to log into some website only to be presented with that pop-up box that says, “Log in with Facebook/Twitter/Google”. It’s a nice idea in theory. You can log into many websites by using just one credential. It sounds convenient, but IBM X-Force researchers have recently shown how this can be bad for the security of your accounts. And what’s worse is you are more vulnerable if the service is offered and you are NOT using it. The researchers have called their new exploit SpoofedMe. It’s aptly named, considering it allows an attacker to spoof a user of a vulnerable website and log in under that user’s account.

So how does it work? The exploit relies on vulnerabilities in both the identity provider (Facebook/Twitter/etc) and the “relying website”. The relying website is whatever website the user is trying to log into using their social media account. The easiest way to describe the vulnerability is to walk through an example. Here we go.

Let’s imagine you are an attacker and you want to get into some victim’s Slashdot account. Slashdot allows you to create a local account within their system if you like, or you can log in using your LinkedIn account. Your victim doesn’t actually have a LinkedIn account, they use a local Slashdot account.

The first step of your attack would be to create a LinkedIn account using your victim’s email address. This needs to be the same address the victim is using for their local Slashdot account. This is where the first vulnerability comes in. LinkedIn needs to allow the creation of the account without verifying that the email address belongs to you.

The second step of the attack is now to attempt to log into Slashdot using your newly created LinkedIn account. This is where the second vulnerability comes in. Some social media services will authenticate you to websites like Slashdot by sending Slashdot your user information. In this case, the key piece of information is your email address. Here’s the third vulnerability. Slashdot sees that your LinkedIn account has the same email address as one of their local users. Slashdot assumes that LinkedIn has verified the account and permits you, the attacker, to log in as that user. You now have access to your victim’s Slashdot account. In another scenario, Slashdot might actually merge the two credentials together into one account.

What’s really interesting about this hack is that it isn’t even very technical. Anyone can do this. All you need is the victim’s email address and you can try this on various social media sites to see if it works. It’s even more interesting that you are actually more vulnerable if you are not using the social logons. Some real world examples of this vulnerability are with LinkedIn’s social logon service, Amazon’s service, and’s service. Check out the demonstration video below.
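The relying-site side of the walkthrough above, as an added example that is not from the original post or the IBM X-Force research: it contrasts the email-match login with a check that matches on the provider's stable user id, refuses unverified addresses, and requires a local session before linking to an existing account. All names (`IdpAssertion`, `naive_login`, `hardened_login`, the `email_verified` field, the sample accounts) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class IdpAssertion:
    """Identity data the relying site receives from the provider (assumed shape)."""
    provider: str
    subject: str          # provider's stable user id
    email: str
    email_verified: bool  # did the provider confirm ownership of the address?

# Constructed relying-site state: local accounts by email, linked identities by id.
LOCAL_ACCOUNTS = {"victim@example.com": "local-user-17"}
LINKED = {}

def naive_login(a: IdpAssertion) -> Optional[str]:
    """Flawed pattern from the walkthrough: a matching email is treated as identity."""
    return LOCAL_ACCOUNTS.get(a.email.lower())

def hardened_login(a: IdpAssertion, local_session_user: Optional[str] = None) -> str:
    """Return 'login:<id>', 'link:<id>', 'create' or 'deny:<reason>'."""
    key = (a.provider, a.subject)
    if key in LINKED:                    # linked earlier: match on subject, not email
        return f"login:{LINKED[key]}"
    if not a.email_verified:             # provider never confirmed the address
        return "deny:unverified-email"
    existing = LOCAL_ACCOUNTS.get(a.email.lower())
    if existing is None:
        return "create"                  # no collision with a local account
    if local_session_user != existing:   # collision: owner must prove the local account
        return "deny:authenticate-locally-to-link"
    LINKED[key] = existing
    return f"link:{existing}"
```
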

Hackaday Links: April 20, 2012

Introducing Hackaday: how it’s made edition

Ever wonder how they make the forms for marine propellers? Now you have. It turns out they use a bunch of plywood, Bondo, and sandpaper. Awesome viewing for a coffee break.

Finally a new way to hurt yourself!

[Darrell]’s solder flux pen was filled and capped at sea level. When this pen made it to his work bench high in the mountains of Colorado there was a significant amount of pressure in that pen. The flux squirted out right into [Darrell]’s eye. Better get some Visine on that, man.

The most accurate television portrayal of hacking ever

[Russell] was watching TV last night and saw an interesting commercial. It’s a bunch of electronic components, then a Nook Color showing the front page of Make: Projects, an Arduino schematic, and finally a happy robot. Two observations: firstly, someone in media and advertising doesn’t think ‘hacking’ is WarGames stealing bank accounts. Secondly, an ad exec looked into current users.

Here’s the official YouTube video of the commercial.

In a world… where components aren’t soldered… one man… uses a soldering station.

Adafruit linked to the most outrageous promo video ever. This Weller soldering station provides 240 watts, battles alongside Agamemnon at Troy, has rework tweezers, and travels to Italy to wage war against the Latins.

An IDE for the 21st century

[Chris] is currently developing a new paradigm for programming. He calls it Light Table, and it’s designed to be an improvement over a simple text editor and project manager. All the documentation is at your fingertips, you can make changes on the fly. It reminds us of the zzstructure emulator we saw last year. It’s something to keep an eye on at least.

BBC covers an old-school hacker

Yesterday, the BBC posted an article on [Julian Skidmore]’s AVR-based homebrew computer.

[Julian]’s project uses an AVR and a derivative of Forth to recreate the capabilities of the 8-bit computers of yesteryear. With 8kB of RAM, [Julian] got a TV-out up and running, and even included code for a Lunar Lander game.

We’re happy for [Julian] getting some notoriety as an old-school solder monkey, but we’re wondering why the BBC is covering a project not unlike something that could be seen on Hackaday once a week. Could it be the first inkling of respect for the hacker and DIY community in the general public’s eye?

In any event, we love the initiative shown in [Julian]’s quote at the bottom of the BBC article: “Building the machine is a way to learn the essentials of what a computer is all about.” If you want to understand something, you’ve got to build it yourself. Truer words…

Nanotouch: a tiny AVR media thing

[Rossum] is at it again. This time, he has created a super tiny media device to get us drooling. You might recall him from the 8-bit device we showed you before. The Nanotouch is roughly the dimensions of a 96×64 OLED screen (slightly larger than a quarter), with about 1/3 to 1/2 of an inch of stuff packed behind it. The screen itself is mounted atop 4 buttons. This allows you to depress the screen edges for navigation. He does mention that this design needs a little work to prolong the life of the screen, but we really like the intuitive way of navigating. At its heart is an ATmega32u4.

We thought his last version was fantastic, but this one has us enamored. He states he’ll publish schematics and code, as he did before. We just didn’t want to wait to share.

[thanks Joakim]

VLC media player 0.9.2 released

VideoLAN just released VLC media player 0.9.2. VLC is probably the best known open source media player, and supports most audio/video formats without additional codecs. Before VLC, we usually installed buggy codec packs to watch videos in Winamp or Windows Media Player. We’ve found the nightly builds to be pretty stable for the past month, but it’s nice to see the final version released.

Download Squad gushed over the new interface design, but omitted the real change — VideoLAN switched from wxWidgets to the Qt toolkit. Among many changes, Qt allows video effects to be applied without restarting the media.

One of our favorite new features is an adjustments and effects menu for quick picture, sound, and subtitle tweaks. The new version has better support for flash videos (FLV), and will stream from most online video sharing sites. See the full changelog at the VideoLAN wiki, and help out if that’s your thing.

[via Download Squad]