Hackaday Links: June 25th, 2017

There will be no special badges for DEFCON. Everyone will still have badges — and our expectations are tempered because of the one year on / one year off schedule for electronic badges — there just won’t be mind-bending puzzles wrapped up in the official badges. What this means: it probably won’t matter if you’re late for linecon, and someone in the DEFCON hive mind still has a Facebook. Also, DEFCON is canceled.

In the past, we have decried the very existence of fidget spinners. It’s what the kids are into, after all. However, an electronic fidget spinner is an interesting engineering challenge. It combines the mechanical fun of bearing science, the exacting precision of balancing stuff, and stuffing electronics where no electronics should be. This Kickstarter is perhaps the best electronic fidget spinner we’ve seen. The electronics are powered by a coin cell and are packed into one of the spaces for the ‘wing’ bearings, and two additional weighted bearings allow the spinner to balance. There’s a small magnet for a hall effect sensor in the ‘stator cap’ so RPM can be measured. This design uses the most common mold for a fidget spinner, making it very manufacturable. Compare this design to the Internet of Fidget Spinners, a POV fidget spinner, another POV fidget spinner, an educational electronic fidget spinner, or this amazing technique to measure the speed of a fidget spinner that will blow your mind, and you’ll see this Kickstarter project is clearly the superior design.

You kids are spoiled with your programmable drum machines like your 808 and 909. Back in the day, drum machines were attached to organs, and only had a few patterns. You couldn’t change the patterns, you could only change the speed. [Jan] has created one of these prehistoric drum machines in a microcontroller. You get hard rock, disco, reggae, rock, samba, rumba, cha-cha, bossa nova, beguine, synthpop, boogie, waltz, jazz rock, and slow rock. Awesome.

There’s a new electronics magazine. It’s called DIYODE, and we’re all kicking ourselves for not coming up with that name.

Do you need a new password? Humans really aren’t good at coming up with random strings, and if you need a completely random alphanumeric password it’s best left to a computer (specifically, to its cryptographic random number generator). Have no fear, because there’s now a website that generates the single most secure password on the planet. This password, “H4!b5at+kWls-8yh4Guq”, features upper and lowercase letters, numbers, symbols, and twenty characters. It was developed by security researchers and encryption specialists in Europe, so you know it has absolutely nothing to do with the NSA, CIA, or any other American three-letter agency. It is also printed on a public web page, which makes it exactly as secret as “password”.

Speaking of three-letter agencies, last Wednesday was International Selfie Day! That doesn’t mean you still can’t get in on the action. Take a selfie right now and upload it to social media! What’s facial recognition?

Looking for a great little ESP32 breakout board with all the bells and whistles? Olimex has a new board out with Ethernet, a MicroSD card slot, and 20 GPIOs broken out.

Is My Password Safe? Practices for People Who Know Better

A couple of weeks back a report came out in which [Tavis Ormandy], a widely known security researcher on Google’s Project Zero, showed how it was possible to abuse LastPass RPC commands and steal user passwords. The irony is that LastPass is software designed to keep all your passwords safe, and it’s designed so that even LastPass can’t read them: the vault is encrypted locally with strong cryptography, and only you can unlock it with your master password. The flip side is that storing all your passwords in one place has its downsides, since a bug in the client that holds the unlocked vault gives up everything at once. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use LastPass don’t worry just yet.

But it got me thinking: how worried, and how paranoid, should a regular Internet user be about their passwords? How many of us have account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts with major Internet-based companies. Don’t go rushing into the Dark Web to find out whether your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who have never heard of it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of every public security breach he can get his hands on and answers a simple question: “Was my account in any major data leak?” Let’s take a look.

Continue reading “Is My Password Safe? Practices for People Who Know Better”

Password-Free Guest WiFi from Raspberry Pi

Anytime you’re having more than a handful of people over to your place for a wild rager or LAN party (or both), you’ll generally need a way to make sure everyone can get their devices on the network. Normally, this would involve either typing your WiFi password into more phones than you can count or yelling your password across a crowded room. Neither of these options suited [NicoHood] and his partner, however, so he came up with a more secure solution to the WiFi-in-a-crowded-room problem.

He calls his project “guestwlan” and it’s set up to run on a Raspberry Pi with a touch screen. When a potential WiFi user approaches the Pi and requests access to the network, the Pi displays a QR code. Encoded in it is everything the prospective device needs to join the network: the SSID, the security type and the pre-shared key. For those who have already spotted the new problem this creates (anyone who can see or photograph the screen gets the key), [NicoHood] has his guest WiFi on a separate network segment, so that even if someone nefarious gets onto it they can reach the Internet but have a much harder time doing anything damaging to his home network. As it stands, though, it’s a lot more secure than some other WiFi networks we’ve seen.

[NicoHood] has also published the source, but it has been configured for use with Arch Linux. He says it would probably work in a Debian environment (which Raspbian, the Raspberry Pi’s own OS, is based on), but this is currently untested. Feel free to give it a try and let us know how it goes.

Crack Mike Tyson’s Punch Out Bang Bang Passwords

[Bisqwit] has feelings about games that use exclamation points in his idiosyncratic walkthrough of all the nuances of the passwords in the famous Punch Out Bang Bang.

As he states in his deeply weird (though in no way wrong) channel intro, when he’s not driving a bus or teaching Israeli dance, he works hard to understand the things around him. Naturally, a mysterious phone-number-shaped set of digits in a favorite game was a secret worth extracting.

The digits can represent every possible state in the game. It uses a pretty simple decoding and encoding scheme, which he walks through. As he says, it all becomes clear when you can see the source code.

After working through all the quirks he is able to arbitrarily generate any state in the game and handle the exceptions (such as Nintendo USA’s phone number). You can see all his code here and try it out for yourself. Video after the break.

We’ve grown to respect [Bisqwit] as the explainer of all things console games. You will like his explanation of how to write a code emulator for an NES CPU.

Continue reading “Crack Mike Tyson’s Punch Out Bang Bang Passwords”

Botnet Recall of Things

After a tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.

Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 4.3 million (a figure corrected from an earlier 300 million) of their pre-2015 vintage cameras: the ones with hard-coded factory default passwords. (You can cut/paste the text into a translator and have a few laughs, or just take our word for it. The company’s name gets mis-translated frequently throughout as “male” or “masculine”, if that helps.)

Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.

Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords, so we’ll cut them some slack. Is the threat of massive economic damage from a recall of insecure hardware going to be the driver for manufacturers to be more security conscious? (We kinda hope so.)

Meanwhile, if you can’t get enough botnets, here is a trio of recent articles (one, two, and three) that are all relevant to this device recall.

Via threatpost.

Microsoft Live Account Credentials Leaking From Windows 8 And Above

Discovered in 1997 by Aaron Spangler and never fixed, the WinNT/Win95 Automatic Authentication Vulnerability (IE Bug #4) is certainly an excellent vintage: when a web page or e-mail references a resource on a remote SMB share, Windows helpfully authenticates to that share with the current user’s credentials, without asking. In Windows 8 and 10, where the local login is often a Microsoft account, the same bug has now been found to leak the user’s Microsoft account login name together with an NTLM challenge-response derived from the password hash, which can be cracked offline. Those same credentials are used to access OneDrive, Outlook, Office, Mobile, Bing, Xbox Live, MSN and Skype (if used with a Microsoft account).

Continue reading “Microsoft Live Account Credentials Leaking From Windows 8 And Above”

LastPass Happily Forfeits Passwords to Simple Javascript

LastPass is a great piece of software when it comes to convenience, but a recent, simple hack shows just how insecure software like it can be. [Mathias Karlsson] nabbed a nice $1000 bounty for its discovery.

LastPass’s auto-fill works by injecting some HTML into the website you’re visiting, and it runs a bit of JavaScript to parse the page’s URL and work out which site it is on. However, the parsing script was laughably vague about where the hostname ends. By changing the URL of a page under their control, inserting a few meaningless-to-the-server slugs into the path so that another site’s domain name appeared in it, an attacker could get LastPass to hand over the username and password for that other site, and so for any website in the victim’s vault.

The discussion in the HackerNews comment section more or less unanimously agreed that most systems like this have their glaring flaws, but that the overall benefit of having unique, strong passwords generated and managed by software is still worth the risk compared to reusing a few passwords across many sites.

One could get a more secure password manager by using software like KeePass, but it’s missing some of the convenience of cloud-synced services and relies on the user protecting the database (and any key file) adequately.

Still, as scary as they are, openly discussing hacks like this after responsible disclosure is good, because it forces companies like LastPass, which have some very big-name clients, to take their code review and transparency more seriously.