Year: 2019

Here’s Your First Look At The Talks Of The 2019 Hackaday Superconference

September 27, 2019 by 21 Comments

The ultimate hardware conference returns this November as the Hackaday Superconference springs to life in Pasadena, California. It is our pleasure to announce the first set of accepted speakers who have confirmed their appearances at Supercon. This reveal is only the tip of the iceberg, so keep your eye on Hackaday as we continue to reveal the rest of the exemplary talks and workshops that make up this year’s conference.

However, don’t wait to get your ticket. Yes, we sell out every year, but the pace of ticket sales has been much faster this year and soon they will all be gone. Don’t miss out, as you can see from the small sample below, Supercon will be packed with amazing people and you need to be one of them!

The Talks (Part One of Many)


  • Matthias Balwierz aka bitluni

    Multimedia Fun with the Esp32

    The ESP32 microcontroller is a beast! Everyone knows that already. Composite video and VGA are common now. But a few years ago these capabilities weren’t obvious. This talk will recap the journey of squeezing out every possible bit of performance to generate audio and video with the least amount of additional components. It’s a detail-packed discussion of the projects I’ve documented on my YouTube channel bitluni’s lab.


  • Sarah Kaiser

    Hacking Quantum Key Distribution Hardware or How I Learned to Stop Worrying and Burn Things with Lasers

    Quantum devices are the next big addition to the general computing and technology landscape. However, just like classical hardware, quantum hardware can be hacked. I will share some of my (successful) attempts to break the security of quantum key distribution hardware with the biggest laser I could find!


  • Mohit Bhoite

    Building Free-Formed Circuit Sculptures

    I’ll be talking about building free-formed circuit sculptures, and how anyone with the right tools can get involved in this art form. We’ll explore ways to make these sculptures interact with the environment around them or with the user.


  • Thea Flowers

    Creating a Sega-Inspired Hardware Synthesizer from the Ground Up.

    What makes the Sega Genesis sound chip unique? I’ll share some short history about why the Genesis happened at a very specific moment to have this sort of chip. I’ll talk about designing and building a synthesizer around it and the challenges I encountered by trying to do this as my first hardware project.


  • Helen Leigh

    Sound Hacking and Music Technologies

    I will explore the ways in which music is influenced by making and hacking, including a whistle-stop tour of some key points in music hacking history. This starts with 1940s Musique Concrete and Daphne Oram’s work on early electronic music at the BBC, and blossoms into the strange and wonderful projects coming out of the modern music hacker scenes, including a pipe organ made of Furbies, a sound art marble run, robotic music machines and singing plants.


  • Adam Zeloof

    Thermodynamics for Electrical Engineers: Why Did My Board Melt (And How Can I Prevent It)?

    In this presentation I will provide circuit designers with the foundation they need to consider thermal factors in their designs. Heat transfers through on-board components and knowing how to characterize this means we can choose the right heat sink for any application. Learn about free simulation tools that can be used to perform these analyses and boost your knowledge of thermodynamics and heat transfer (although those who are already familiar with the subject will find some utility in it as well).


  • Samy Kamkar

    FPGA Glitching & Side Channel Attacks

    I will explore some of the incredible work that has been done by researchers, academics, governments, and the nefarious in the realm of side channel analysis. We’ll inspect attacks that were once secret and costly, but now accessible to all of us using low cost hardware such as FPGAs. We’ll learn how to intentionally induce simple yet powerful faults in modern systems such as microcontrollers.


  • Daniel Samarin

    Debugging Electronics: You Can’t Handle the Ground Truth!

    Root-causing quickly is all about having the right tools, having the right infrastructure in place, and knowing how to use them. Is it the firmware, the circuit, a bad crimp, or backlash in the gears? I will outline strategies for finding out what the issue is, so that you can focus on fixing the right thing.

You Miss It, You’ll Miss It

If there’s any way you can make it to Supercon in person, you should. One of the two talk stages will be live-streamed, and the other recorded, but there is no substitute for hanging out with these eight awesome people, plus five hundred of our closest friends. Anyone who’s made it to the conference before can tell you that the intimate atmosphere is packed with opportunities to meet new people, connect with those you’ve only seen on the internet, and learn about the newest developments happening in the world of hardware creation. See you in November!

Hackaday Podcast 037: Two Flavors Of Robot Dog, Hacks That Start As Fitness Trackers, Clocks That Wound Themselves, And Helicopter Chainsaws

September 27, 2019 by No comments

Hackaday Editors Mike Szczys and Elliot Williams take a look at the latest hacks from the past week. We keep seeing awesome stuff and find ourselves wanting to buy cheap welders, thermal camera sensors, and CNC parts. There was a meeting of the dog-shaped robots at ICRA and at least one of them has super-fluid movements. We dish on 3D printed meat, locking up the smartphones, asynchronous C routines, and synchronized clocks.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 037: Two Flavors Of Robot Dog, Hacks That Start As Fitness Trackers, Clocks That Wound Themselves, And Helicopter Chainsaws”

This Week In Security: Patch Monday Mysteries, CentOS 8 And CentOS Stream, Russian Surveillance, And CSRF

September 27, 2019 by 5 Comments

So first off this week is something of a mystery. Microsoft released an out-of-cycle patch for Internet Explorer. The exploitability assessment from Microsoft indicates that this bug is under active exploitation, but not many details are available. Let’s take a look at what information has been released, and see what we can learn.

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

It’s a remote code execution vulnerability, it affects Internet Explorer, it’s in the scripting engine, and it happens due to objects in memory being mishandled. We could take some guesses, but later in this document we’re given a few other clues. The workaround is to disable jscript.dll, and the impact is limited, as jscript9.dll is the default JavaScript engine. jscript.dll is apparently a legacy JavaScript engine that a website can request.

“Jscript” is what Microsoft called their shameless copy implementation of JavaScript. The older jscript.dll seems to be present in newer versions of Internet Explorer for compatibility reasons. So it’s a problem in how the older JavaScript library handles objects. Any website can request this legacy engine, so the attack vector is basically unlimited.

The urgency implied by the out-of-cycle patch, combined with the otherwise eery silence surrounding this patch, suggests this 0-day was possibly being used in a targeted attack. We hope the details will eventually be revealed.

CentOS 8 and CentOS Stream

CentOS 8 was released this week, the community repackage of Red Hat Enterprise Linux (RHEL) 8. In 2014, Red Hat announced that CentOS was officially becoming a Red Hat sponsored project. This week, CentOS Stream was also announced.

The Fedora distribution has long served as a test-bed for upcoming RHEL releases, with RHEL 8 being based on Fedora 28. CentOS Stream will serve as a “midstream” distribution, a rolling release that pulls updates from Fedora, and will eventually become future RHEL/CentOS releases. It remains to be seen exactly how far ahead of the main CentOS distribution Stream will stay. A long-standing problem with CentOS is that by the time a release hits end-of-life, some of the software versions are very old. Even though security fixes are quickly backported to these older versions, there are security issues that arise as a result. For example, CentOS 7 contains PHP 5.4 with no official path to installing a newer version of PHP. WordPress now requires PHP 5.6.20 as the oldest supported PHP version. Red Hat may backport fixes to PHP 5.4, but that doesn’t help the out-of-date installs of WordPress, running on otherwise up-to-date CentOS machines.

Hopefully CentOS Stream will provide the much needed middle-ground between the bleeding-edge pace of Fedora, and the frustratingly slow march of CentOS/RHEL.

Russian Surveillance

A Nokia employee accidentally backed up a company drive to his home storage device, which was unintentionally Internet accessible. The data contained on this drive was detailed information on Russia’s SORM (System for Operative Investigative Activities), the government’s wiretapping program. The amount of data revealed is staggering, 1.7 terabytes. Passwords, administrative URLs, and even precise physical locations were included. The breadth of information makes one wonder if it was actually an accident, or if this was intended to be another Snowden style data leak. Just an aside, it’s not clear that the revealed wiretapping effort is as broad or onerous as the one Snowden revealed.

PHPMyAdmin CSRF

Running PHPMyAdmin on one of your servers? You should probably go update it. Version 4.9.1 was released on Saturday the 21st, and contains a fix for CVE-2019-12922. This vulnerability is a Cross Site Request Forgery, or CSRF. A CSRF attack can be as simple as an image link on one site, that links to another site, and triggers an action on that second site. Let’s look at the PHPMyAdmin example:

img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1";
style="display:none;"

A hidden image will actually trigger an HTTP GET request, which asks for the server’s page, and tries to remove the first entry. If a user is logged in to the PHPMyAdmin server that the link is targeting, the command will silently complete. This is one of the reasons that HTTP GET requests should never make state changes, and only ever retrieve information. An HTTP POST message is much harder to generate in this way, though not impossible.

Gatwick Drone Incident: Police Still Clueless

September 27, 2019 by 32 Comments

Quietly released and speedily buried by Parliamentary wrangles over Brexit is the news that Sussex Police have exhausted all lines of inquiry  into the widely publicised drone sighting reports that caused London’s Gatwick Airport to be closed for several days last December. The county’s rozzers have ruled out 96 ‘people of interest’ and combed through 129 separate reports of drone activity, but admit that they are no closer to feeling any miscreant collars. There is no mention of either their claims at the time to have found drone wreckage, their earlier admissions that sightings might have been of police drones, or even that there might have been no drone involved at all.

Regular readers will know that we have reported extensively the sorry saga of official reactions to drone incidents, because we believe that major failings in reporting and investigation will accumulate to have an adverse effect on those many people in our community who fly multi-rotors. In today’s BBC report for example there is the assertion that 109 of the drone sightings came from “‘credible witnesses’ including a pilot and airport police” which while it sounds reassuring is we believe a dangerous route to follow because it implies that the quality of evidence is less important than its source. It is crucial to understand that multi-rotors are still a technology with which the vast majority of the population are still unfamiliar, and simply because a witness is a police officer or a pilot does not make them a drone expert whose evidence is above scrutiny.

Whichever stand you take on the drone sightings at Gatwick and in other places it is clear that Sussex Police do not emerge from this smelling of roses and that their investigation has been chaotic and inept from the start. We believe that there should be a public inquiry into the whole mess, so that those embarrassing parts of it which they and other agencies are so anxious to quietly forget can be subjected to scrutiny. We do not however expect this to happen any time soon.

Keystone Kops header image: Mack Sennett Studios [Public domain].

LEDs Light The Way To This Backdoor

September 27, 2019 by 41 Comments

A curious trend for some years in the world of PC hardware has been that of attaching LEDs to all the constituent parts of a computer. The idea is that somehow a gaming rig that looks badass will somehow be just a little bit faster. As [Graham  Sutherland] discovered when he wanted to extinguish the LEDs on his new Gigabyte graphics card, these LEDs can present an unexpected security hazard.

The key to their insecurity comes in the Gigabyte driver. This is a piece of software that you would normally expect to be an abstraction layer with an interface visible to your user level privilege, and a safe decoupling between that and the considerably more security sensitive hardware layer from which the LED bus can be found. Instead of this, the Gigabyte driver is more of a wrapper that simply exposes the LED bus directly to the user level. It’s intended that user-level code can easily bit-bang WS2812 LEDs without hinderance, but its effect is to provide a gaping hole in the security layers intended to keep malicious code away from the hardware. The cherry on the cake is provided by the discovery of a PIC microcontroller on the bus which can be flashed with new code, providing an attacker with persistent storage unbeknownst to the operating system or CPU.

The entire Twitter thread is very much worth reading whether you are a PC infosec savant or a dilettante, because not only should we all know something about the mechanisms of PC backdoors we should also be aware that sometimes a component as innocuous as an LED can be a source of a security issue.

Thanks [Slurm] for the tip.

Gigabyte motherboard picture: Gani01 [Public domain].

Awesome Animation Channel Is An Educational Rabbit Hole

September 27, 2019 by 3 Comments

Once [Shabab] clued us in to the brilliant animations of [Jared Owen], we pretty much lost an afternoon exploring this incredible YouTube channel. Self-taught Blender wizard [Jared] combines fantastic animations with clear and concise explanations for the inner workings of everything from Nerf guns and Fisher-Price corn poppers to the International Space Station.

Space nerds and casuals alike should check out [Jared]’s crowning achievement: a three-video Apollo spacecraft series, which covers many details in a short amount of time. Want more Apollo? Here’s a deeper dive into the lunar module. [Jared] uses music to great effect in these videos, especially in the Apollo series.

Several videos are devoted to mechanisms, like the humble gumball machine, the grand piano, and the combination lock. In addition to all the great how-it-works videos, [Jared] explores various noteworthy buildings. You know there’s a bowling alley in the White House, right? [Jared]’s tour shows you exactly where it is.

We love the diversity of the videos, all of which [Jared] researches in great detail. He enjoys working from user suggestions, so let him know what you’re dying to see dissected in detail.

Thanks for the tip, [Shabab].

3 Words To Describe Any Spot On Earth

September 26, 2019 by 118 Comments

For quite a long while now, latitude and longitude has been the way humankind has navigated the globe. This is a perfectly workable system, but it’s a little overwrought for daily use by the layperson. What3Words seeks to provide a simpler solution.

The system is based on splitting the surface of the globe into a grid of 3 m x 3 m sections. This includes oceans and bodies of water. With the grid layed out, each section is given a name consisting of three English words strung together. For example, ///eggs.form.breakfast denotes a spot in the outskirts of Chengdu, China, while ///crops.cards.gifts is a good approximation of that spot where the Naked Cowboy hangs out in Times Square, New York.

Addresses in this format are written with three leading forward slashes, along with a dot between each word. An attempt has been made to only use uncontroversial words, as well as to make sure no crude addresses are created by awkward combinations. Don’t worry, we checked – but if you do find anything good, drop it in the comments below.

It’s a tool that’s been around for a while, but an interesting one nonetheless. It’s something that needs a wider societal acceptance to become truly useful; we imagine it could be good in a small social circle once everyone is familiar with it. It may yet catch on – only time will tell!