This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG

First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this: npm hosts both public and private node.js packages. The public ones are available to everyone, but the private packages are “scoped”, meaning they live within a private namespace, “@owner/packagename”, and are inaccessible to the general public. Trying to access such a package results in an HTTP 404 error — the same error as trying to pull a package that doesn’t exist.


The clever bit is to keep trying, and really pay attention to the responses. Use npm’s API to request info on your target package, five times in a row. If the package name isn’t in use, all five requests will take the expected amount of time: each request lands at the service’s backend, a lookup is performed, and you get the response. On the flip side, if your target package does exist but is privately scoped, the first request returns with the expected delay, and the other four requests return immediately. It appears that npm has a front end that can cache a 404 response for a private package. That response time discrepancy means you can map out the private package names used by a given organization in their private scope.

Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion issues. Those attacks are two approaches to the same goal: get a node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, while dependency confusion just relies on a developer not explicitly defining the scope of a package.


Teardown: Siemens 8mm SMD Parts Feeder

Many of Hackaday’s readers will be no stranger to surface mount electronic components, to the extent that you’ll likely be quite comfortable building your own surface-mount projects. If you have ever built a very large surface-mount project, or had to do a number of the same board though, you’ll have wished that you had access to a pick-and-place machine. These essential components of an electronics assembly line are CNC robots that pick up components from the reels of tape in which they are supplied, and place them in the appropriate orientation in their allotted places on the PCB. They are an object of desire in the hardware hacker community and over the years we’ve seen quite a few home-made examples. Their workings are easy enough to understand, but there is still much to gain by studying them, thus it was very interesting indeed to see a friend acquiring a quantity of surplus Siemens component feeders from an older industrial pick-and-place machine. A perfect opportunity for a teardown then, to see what makes them tick.



Hackaday Links: May 5, 2019

Simulacra and simulation and Kickstarter videos. The Amigo Robot is a 4-wheeled omnibot robot on Kickstarter. It does STEM or STEAM or whatever. Oh neat, injection molded magnetic pogo pins, that’s cool. Watch the video for this Kickstarter, it is a work of postmodern horror. We live in a post-reality world, and this is beyond parody. You have the ubiquitous cheerful whistling, a ukulele, tambourine and a glockenspiel. You’ve got a narrator that falls squarely into the uncanny valley and a cadence that could have only been generated by a computer. You’ve got grammar that is very much correct, but somehow wrong; ‘It is the key to interact with family pets’. This is really, really bad.

Who is Satoshi? The identity of the creator of Bitcoin, a person or persons known as Satoshi Nakamoto, has been an open question for years now, with many people claiming they are the one who invented Bitcoin (with the implication that they’re in control of the first coins and therefore a multi-billionaire). Newsweek found someone named Dorian Nakamoto, but that guy didn’t make Bitcoin. Wired magazine used back-dated blog posts to identify the creator of Bitcoin. Needless to say, the creator of Bitcoin has not been identified yet. Now, there’s an unveiling of sorts coming up. gotsatoshi.com has a live countdown and doesn’t use Rockapella as a house band. This bears repeating, again: there is exactly one way to prove the identity of Satoshi Nakamoto. To prove you are Satoshi, all you need to do is move some of the first Bitcoins. That’s it, that’s all you need to do, and it’s not going to happen when the gotsatoshi.com countdown hits zero.

CNC machines controlled by a Pi abound, but here’s a word of warning about buying a ‘bargain’ CNC machine from China from [Rob] via our tips line:

In the “homebrew” community, I know some people have their own CNC machines – I’ve seen a hundred and one projects using Raspberry Pis to run homemade CNCs and so on, so I guess there is a good supply of open-source/freeware software to control them with.
However, some people, like a mate at work, might be tempted by a good “bargain” from China. No names, no pack drill, but just before last Christmas, my mate bought a “cheap” CNC system from China – it was about three or four thousand Euros, if I remember rightly. It has been working well and he has done some work for our work as well. No problems.
Last week, our firm was contacted by Siemens. They claimed that someone at our firm has been using unlicensed Siemens software. At first no-one knew what they were on about. Someone thought it might be about some CAD system or other – we had been trialing a few to see which suited us best, but we had stuck well within the restrictions for the trials.
Then we found out it was the software on his CNC machine. Because he had used his work laptop with it, the system had “phoned home” and alerted Siemens that an unlicensed version was being used. Siemens then demanded EUR 32,000 – yes, thirty two THOUSAND Euros to license the software. That was something like EUR 27,000 for the commercial license and EUR 5,000 for the second one. It was explained that he had bought the CNC system from wherever and had a license issued by the manufacturer. A license that Siemens do not acknowledge. They have now accepted that he bought and used it in good faith that it was fully legit, so they waived the commercial license and are now demanding “only” EUR 5,000, but that still comes with the threat – pay up or we take you to court…

We’re all well aware that Dassault Systèmes will start hitting you up for that Solidworks license you didn’t pay for, but this is effectively firmware for a CNC machine that is phoning home through a laptop. In effect it’s a reverse Stuxnet, brought to you by a cheap Chinese CNC machine.

Here’s a hot tip for anyone who wants to do something people want. Direct to garment printers (DTG printers) are pretty much inkjet printers modified to print on t-shirts. ‘dtg printer’ is one of Hackaday’s perennial top search terms, most likely because of a post we did ten years ago. If you want to join the cool kids club and do something people desperately want, find a cheap inkjet and turn it into a DTG printer.

Red Hat has changed its logo. Red Hat, the company that somehow makes money on Open Source software, changed their logo this week. The branding for Red Hat hasn’t been very good since 2016 or thereabouts, and the branding for the Fedora project has been taking hits for just as long, m’lady. Beyond that, customer surveys revealed that the old ‘Shadowman’ logo evoked feelings like, ‘sinister, secretive, evil, and sneaky’. The new logo removes the shadowman entirely, and makes the hat the focus of attention. There is now official confirmation that there is a black band around the crown of the hat (in the Shadowman logo, this band could be confused for a shadow), and the crown is sharper. The jury is still out on the fedora vs. trilby argument, and indeed the argument is even more divisive now: the difference between a trilby and a fedora is in how they are worn, and by removing the Shadowman from the logo we now have fewer context clues to make the determination. Bet you didn’t think you were going to read two hundred words about the Red Hat logo today, did you?

Desktop Factory Teaches PLC Programming

How to train young engineers in industrial automation is a thorny issue. Most factories have big things that can do a lot of damage and cost tons of money if the newbie causes a crash. Solution: shrink the factory down to desktop size and let them practice on that.

Luckily for [Vadim], there’s an off-the-shelf solution for miniaturizing factory automation: FischerTechnik industrial training models. The models have motors, conveyors, pneumatic cylinders, and sensors galore, but the controller is not exactly the industry standard programmable logic controller (PLC). [Vadim] set out to remedy this by building an interface between the FischerTechnik models and a Siemens PLC. He went through a couple of revisions of his board, including one using rivets from the sewing store to interface with the FischerTechnik connectors. Eventually, he settled on more robust connectors and came up with a board that lets students delve into PLC programming without killing anyone. The video below shows it going through its paces; we can only imagine where playing with these kits as a kid would have led us.

As great as [Vadim]’s system is for training engineers, we can also see it helpful in getting kids interested in a career in industrial automation. We recently covered a similar effort to show kids big science using LEGO Mindstorms. Both of these can help get STEM kids to see the wider world of technical careers and perhaps steer them into automation. After all, the people who make the robots are probably going to be the last ones obsoleted, right?


Hackaday Links: August 21, 2016

Are you in New York? What are you doing this week? Hackaday is having a party on Wednesday evening. Come on out!

How about a pub in Cambridge? Hackaday and Tindie will be there too, on Wednesday evening. It’s a bring-a-hack, so bring a hack and enjoy the company of your fellow nerds. If this goes late enough we can have a trans-Atlantic Hackaday meetup.

Portable emulation machines are all the rage, and [Pierre] built one based on the Raspberry Pi Zero. It’s small, looks surprisingly comfortable to hold, and is apparently fairly inexpensive to build yourself.

For the last year or so, the Raspberry Pi Zero has existed. This came as a surprise to many who couldn’t buy a Raspberry Pi Zero. In other news, Ferraris don’t exist, and neither do Faberge egg omelets. Now, the Raspberry Pi shortage is officially over. They’re in stock everywhere, and we can finally stop listening to people who call the Pi Zero a marketing ploy.

No Starch Press is having another Humble Bundle. Pay what you want, and you get some coding books. They have Python, Haskell, and R, because no one should ever have to use SPSS.

[Reg] wrote in to tell us about something interesting he found while cruising eBay. The used and surplus market is awash in Siemens MC45/MC46 cellular modem modules. They’re a complete GSM ‘cellular modem engine’, with an AT command set, and cost about $10 each. Interfacing them with a board requires only two (strange) connectors, SIM and SD card sockets, and a few traces to through-hole pads. Anyone up for a challenge? A breakout board for this cellular modem could be very useful, should someone find a box full of these modules in a surplus shop.

On this page, about halfway down, is an LCD driver board. It turns a video signal into something a small, VGA resolution LCD will understand. This driver board is unique because it is completely hand-made. This is one of those small miracles of a soldering iron and copper clad board. If anyone out there is able to recognize these parts, I’d love for you to attempt an explanation in the comments.

A few weeks ago, the RTL8710 WiFi module showed up on the usual online marketplaces. Initially, we thought it was a competitor to the ever-popular ESP8266, offering a small microcontroller, WiFi, and a bunch of useful output pins. A module based on the RTL8710, the RTL-00, is much more than a competitor: it’s pinout-compatible with the ESP8266. This module can be swapped into a project in place of the ESP-12, probably the most popular version of the ESP8266. This is genius, and opens the door to a lot of experimentation with the RTL8710.

Because You Can’t Go To Germany Without Seeing Model Trains

As with all our extracurricular adventures, we needed to visit a few hackerspaces while in Munich. The first one was MCSM/Make Things Munich, formerly the Siemens Club for model engines. We’ve been to a few hackerspaces and have the passport stamps to prove it, and we can say without a doubt this space is unique.

MCSM was a hackerspace before the concept of hackerspaces existed. Originally, this was the Siemens Club for Model Engines, filled with engineers from the Siemens plant tinkering with model trains, model boats, and models of anything that moves. One of the members who guided us through the space, [Carlos Morra], told us that when he joined, he alone dropped the average age of the space’s membership by a decade.

Inside the space, you’ll find the usual tools and equipment – lathes, CNC mills, an electronics workbench, and a bunch of old but still valuable equipment. Most of this equipment was salvaged from the Siemens plant. The organization for this space, though, cannot be compared to anything I’ve ever seen. There are floor to ceiling cabinets filled with everything you can imagine, all carefully indexed and sorted.

Of course, since this was formerly the Model Engine club, there is an immense train layout. I counted at least five gauges of track in two sprawling layouts, one of which was easily 15 square meters. It’s a true hackerspace built from a model train club; how can it get better than that?

Pictures below.


Using A Cellphone LCD As Auxiliary Linux Display

[Neil] is driving this Siemens A60 LCD using a parallel port on his Linux box. He likes this module because it has an integrated LED back-light and controller IC, and the pads are large enough for a human to solder. He notes that the screen runs on 2.9V, which matches the forward voltage of the LEDs used as back-lights. This means it is possible to use one of the LEDs as a shunt to drop the incoming voltage down to a safe level for the controller. In fact, that’s what he did. The data lines are connected to the parallel port along with some current limiting resistors. The LEDs are connected with a resistor calculated for maximum brightness, with the output from the LED used as the source voltage for the LCD controller chip. Whether you want to use one of these screens with a PC or something else, the code that [Neil] worked out should provide the information necessary to do so.

The Nokia cellphone LCD post inspired [Neil] to send in a tip about this project. If you’ve got well documented hacks that you’re just sitting on why not let us know about them?