Hack a Day » slashdot

Hackaday in the social tangle

Caleb Kraft — Wed, 20 Jul 2011 14:01:59 +0000

Like any other organization out there, we’re always trying to find new ways to reach our audience. Admittedly, we’re not the fastest when it comes to adopting a new social communication site. We’re working on it though, trying to be a bit more interactive … or just plain active.

So, if you’re looking for other ways to get your hacking fix, or see some interesting commentary, find us on facebook, twitter, our own forums, and now G+. We just signed up to G+ and our name is ~~“Hackie Smith”~~. If you need an invite, email us at ~~theofficialhackaday@gmail.com~~ see below. Sometimes there’s good discussion in those places that doesn’t end up here on the site.

You can also find several of us spattered across the web in sites like Reddit and Slashdot.

[Update: Our g+ page got shut down. Feel free to find any of the writers on g+. I'll give out invites, look for "Caleb Kraft" or 60mango@gmail]

Filed under: news

Foundation cooling

James Munns — Thu, 27 Aug 2009 00:56:31 +0000

Overclockers are always trying to come up with new, colder, and quieter ways to keep their PCs cool. [gigs] was so dedicated to this, he decided to lay 6 meters of copper pipe to use as a radiator in his new house’s foundation. As of now, the foundation is laid (copper pipes and all), and the forum posts come complete with finished slab pics, though there is no house to speak of yet.

[via Slashdot]

Posted in home hacks, pcs hacks

Distributed computing in JavaScript

Eliot — Wed, 04 Mar 2009 00:00:31 +0000

We’ve heard about the idea of using browsers as distributed computing nodes for a couple years now. It’s only recently, with the race towards faster JavaScript engines in browsers like Chrome that this idea seems useful. [Antimatter15] did a proof of concept JavaScript implementation for reversing hashes. Plura Processing uses a Java applet to do distributed processing. Today, [Ilya Grigorik] posted an example using MapReduce in JavaScript. Google’s MapReduce is designed to support large dataset processing across computing clusters. It’s well suited for situations where computing nodes could go offline randomly (i.e. a browser navigates away from your site). He included a JavaScript snippet and a job server in Ruby. It will be interesting to see if someone comes up with a good use for this; you still need to convince people to keep your page open in the browser though. We’re just saying: try to act surprised when you realize Hack a Day is inexplicably making your processor spike…

[via Slashdot]

Posted in google hacks, news

Hackit: DTV converter boxes?

Eliot — Thu, 22 Jan 2009 02:53:57 +0000

An anonymous Slashdot reader asked today what was the best digital television to analog converter box. He was looking for one with the best hacking potential. We actually purchased a Zenith DTT900 HD converter box this summer specifically wondering about the hacking potential. We did a teardown and you can find a full gallery on Flickr. Our conclusion was this: there’s not much there. You’re talking about a box that takes a digital RF signal and turns it into a crappier looking analog signal over composite. There isn’t much you can do outside of its designed use. Do you have any ideas what else can be done with it?

Slashdot commenter [timeOday] did mention a Tivax brand box that features a serial port. You can use it to issue remote commands to the box.

Not much has been said about the actual coupons. We’ve got a scan of them embedded below. The $40 coupons are essentially credit cards. We ran ours through a magstripe reader confirming this. Even though the card isn’t stamped with the recipient’s name, it is stored on the magstripe.

Posted in HackIt, home entertainment hacks, video hacks

Use the CPU cache to prevent cold boot? No.

Eliot — Mon, 19 Jan 2009 01:22:50 +0000

Frozen Cache is a blog dedicated to a novel way to prevent cold boot attacks. Last year the cold boot team demonstrated that they could extract encryption keys from a machine’s RAM by placing it in another system (or the same machine by doing a quick reboot). Frozen Cache aims to prevent this by storing the encryption key in the CPU’s cache. It copies the key out of RAM into the CPU’s registers and then zeroes it in RAM. It then freezes the cache and attempts to write the key back to RAM. The key is pushed into the cache, but isn’t written back to RAM.

The first major issue with this is the performance hit. You end up kneecapping the processor when you freeze the cache and the author suggests that you’d only do this when the screen is locked. We asked cold boot team member [Jacob Appelbaum] what he thought of the approach. He pointed out that the current cold boot attack reconstructs the key from the full keyschedule, which according to the Frozen Cache blog, still remains in RAM. They aren’t grabbing the specific key bits, but recreating it from all this redundant information in memory. At best, Frozen Cache is attempting to build a ‘ghetto crypto co-processor’.

We stand by our initial response to the cold boot attacks: It’s going to take a fundamental redesign of RAM before this is solved.

[via Slashdot]

Posted in downloads hacks, security hacks

Apple tries to stop sneaker hackers

Caleb Kraft — Sun, 14 Sep 2008 13:48:19 +0000

Apparently, Apple has decided that extending DRM to your Nike accessories will keep hackers at bay. Sick of people cutting the sensors out of their Nike shoes for use on other apparell, they have applied for a patent. Ever noticed the warning that it’s illegal to pull the tag off of a mattress? Did that stop you?

[via Slashdot]

Hackit: Network Attached Storage?

Eliot — Sun, 06 Jul 2008 02:40:00 +0000

With each passing day the rate we acquire digital media increases (we don’t even bother unpacking our CDs when we move anymore). Large publishers have started moving away from DRM, which means we’ll be buying even more digital media in the future. Acquiring all of this nonphysical property puts importance on not just making it easily accessible, but also protecting it from destruction. Slashdot asked for reader suggestions of what NAS to buy; we’ve compiled some of the options below and want to know what you use.

For those willing to build machines themselves, there are several NAS focused distributions available. FreeNAS is based on FreeBSD and takes up less than 32MB even though it has a full featured web interface. Openfiler can be used for building full fledged NAS/SAN appliances. It can be deployed on bare metal or as a virtual machine and 2.3 has new features like bonding multiple NICs. CryptoNAS is a liveCD that helps you build a user friendly NAS device with full hard disk encryption.

Many consumer NAS devices have chosen to run Linux. This makes them good hacking targets for adding new functionality and we’ve covered many of them in the past. The Linksys NSLU2 “slug” has been very popular. Buffalo has sold many different devices: the Kurobox, Linkstation, and Terastation have a dedicated modification community. We’ve got a LaCie Ethernet Disk mini unopened in our office that was initially purchased because we knew they could be hacked. NAS-Central has a list of many of the other online communities dedicated to NAS devices.

Not that excited about administrating one more Linux box? When Apple released the Time Capsule earlier in the year it introduced the world to high capacity storage that “just works”. Although not exactly server grade, it brought the idea of regular backups to the home user. 1TB is nice, but it’s not upgradeable or easily replaceable; look to the Drobo for that. Drobo has built a fan base by making storage management easy for anyone. Just throw your commodity drives into the box and you’re ready to go. Unfortunately, turning it into a NAS is a $200 addition. They’ve published an SDK, so you should see new applications coming for it soon.

All of these options are just for in house serving, but none of them are true backup solutions since your data still goes away when your house burns down. A couple years ago, [Jeremy Zawodny] looked into moving his backup servers to Amazon’s S3 and compiled a list of tools that work with the service. Jungle Disk is probably the most user friendly. It’s multiplatform and mounts as a local disk. There’s an add-in for Windows Home Server too. If you’re looking to set up a simple personal backup system, we highly recommend [jwz]‘s advice for regular backups.

That’s a fairly thorough rundown of hacker friendly backup options, but we want to know what you use. How do you store, serve, and protect your data? What custom features have you added to commercial NAS devices?

Neutering the Apple Remote Desktop exploit

Eliot — Thu, 19 Jun 2008 23:45:00 +0000

Yesterday, Slashdot reported a privilege escalation vulnerability in OSX. Using AppleScript you can tell the ARDAgent to execute arbitrary shell script. Since, ARDAgent is running as root, all child processes inherit root privleges. Intego points out that if the user has activated Apple Remote Desktop sharing the ARDAgent can’t be exploited in this fashion. So, the short term solution is to turn on ARD, which you can do without giving any accounts access privileges. TUAW has an illustrated guide to doing this in 10.4 and 10.5.

Wireless hacking with the OLPC XO

Eliot — Tue, 27 May 2008 23:45:00 +0000

Not even a week ago we asked what we should do with our OLPC XO. InformIT’s [Seth Fogie] has written a great two part article that covers turning it into a hacker toolkit. Part one is an overview of the OLPC, how to upgrade it, and do some usability tweaks. Part two covers installing Nessus, Metasploit, and doing some wireless sniffing. We’ll be building our own little green monster based on this and let you know how it goes.

[via Slashdot]

Phlashing denial of service attack, the new hype

Eliot — Tue, 20 May 2008 23:15:00 +0000

Imagine how surprised we were to discover that by accidentally bricking our router we were executing a brand new attack: Phlashing Denial Of Service (PDOS). This week at EUSecWest, researcher [Rich Smith] will present the theoretical PDOS attack. Instead of taking over control of an embedded system, the attacker turns it into a nonfunctioning brick by flashing it with a broken firmware. Anyone who has flashed a device knows the danger of interrupting the procedure.

Embedded systems, like wireless routers, network cameras, and printers require remote access to be upgraded. This could be over the network or just a USB cable. Unfortunately most devices go unpatched because of this lack of easy access. The upgrade procedure can be very insecure too. The last time we flashed a custom firmware on our La Fonera we had to set up a TFTP server for it to download the firmware from. The TFTP protocol has no authentication, so anyone could pose as the server and offer a bad firmware for download. Many embedded system upgrade tools use TFTP because of its ease of implementation and low hardware overhead.

The PDOS attack hasn’t been seen in the wild and we don’t expect to. Malware is a business and destroying hardware doesn’t seem to have much income potential. The article presents this as an alternative to maintaining a botnet to perform a DDOS. With a DDOS, you deny the service, ask for ransom, and return service when they pay. With PDOS, you threaten to deny their service, they don’t pay, and then you destroy their equipment and get nothing. We agree with [HD Moore] that a more successful attack would be installing your own custom firmware that gives you full control of the system and full access to the network to do as you please.

Outside of griefing, the PDOS attack is not a threat. In any case, firmware upgrade procedures for embedded devices need to be improved.

[via /.]