A Briefcase Computer For Your Hacking Needs

Decent laptop computers have been available for decades now. Despite this, there’s still something charming and enigmatic about a computer hidden within a briefcase. [MakeFailRepeat] wanted just such a rig, so did the maker thing and built one.

The project began when [MakeFailRepeat] was donated a 15″ monitor that ran on 12V. Naturally, it needed to be used in an awesome project, and the build began. MDF panels were cut to mount the screen inside an aluminium briefcase, and covered in black felt for a pleasing look and feel. A Logitech wireless keyboard and touchpad combo is used for input. The brains of the operation is a Raspberry Pi, equipped with a UPS HAT to handle battery and mains power, and an Adafruit Speaker Bonnet for sound.

The project was inspired by the classic video game Captive, released on Amiga, Atari, and MS-DOS platforms way back in 1990. While we’re pretty sure [MakeFailRepeat] isn’t trapped on a space station, his briefcase computer should nonetheless prove useful. A computer isn’t the only thing you can build into a briefcase, though. Video after the break.

Continue reading “A Briefcase Computer For Your Hacking Needs”

The Automated Solution To Your Unpopularity

You feel that you’re unpopular and no one likes you. The bad news is that if that’s the case in the real world there’s no easy way to fix it. The good news is there’s a great substitute — your popularity on Instagram. With this vending machine you can replace your personality with followers on Instagram. It’s just a shame we have to wait a year until Coachella.

This project is an interactive installation from [Dries Depoorter] that makes it possible to buy followers and likes in just a few seconds. It’s not limited to Instagram — you can get followers on Facebook, YouTube, and Twitter, too. The hardware consists of a Raspberry Pi 3B+, an Arduino, a coin acceptor, a few character LCDs running over I2C, and, somewhat surprising for a one-off ‘art installation’, a lot of DIN rails mounted in a real industrial enclosure. Someone here knows what they’re doing; there’s something resembling cable management inside this box and this vending machine is built to last.

Using this vending machine is as easy as sticking a few Euro coins in the slot and selecting the number of followers or likes you’d like. In a few minutes afterward, hundreds of notifications pop up on your phone. There’s no mention of the software in this vending machine aside from it being written in Python, which makes us wonder where these Instagram bots are based. Check out the video below.

Continue reading “The Automated Solution To Your Unpopularity”

Freeform ESP8266 Network Attached Data Display

Like many of us, [Josef Adamčík] finds himself fascinated with so-called “freeform” electronic designs, where the three dimensional circuit makes up sections of the device’s structure. When well executed, such designs really blur the line between being a practical device and an artistic piece. In fact his latest design, an ESP8266 MQTT client, would seem to indicate there might not be much of a “line” at all.

The inspiration for this project actually comes from something [Josef] had worked on previously: an ESP8266-based environmental monitoring system. That device had sensors to pick up on things such as humidity and ambient light level, but it didn’t have a display of its own; it just pushed the data out onto the network using MQTT. So he thought a companion device which could receive this environmental data and present it to him in a unique and visually appealing way would be a natural extension of the idea.

As the display doesn’t need any local sensors of its own, it made the design and construction much easier. Which is not to say it was easy, of course. In this write-up, [Josef] takes the reader through the process of designing each “layer” of the circuit in 2D, printing it out onto paper, and then using that as a guide to assemble the real thing. Once he had the individual panels done, he used some pieces of cardboard to create a three dimensional jig which helped him get it all soldered together.

On the software side it’s pretty straightforward. It just pulls the interesting bits of information off of the network and displays it on the OLED. Right now it’s configured to show current temperature on the display, but of course that could be changed to pretty much anything you could imagine if you’re looking to add a similar device to your desktop. There’s also a red LED on the device which lights up to let [Josef] know when the batteries are getting low on the remote sensor unit; a particularly nice touch.

If you’d like to see more of these freeform circuits, we’d advise you to check out the finalists for our recently concluded “Circuit Sculpture” contest. Some of the finalists are truly beyond belief.

Make Your Own Old School LED Displays

We live in an era in which all manner of displays are cheap and readily available. A few dollars spent online can net you a two-line alphanumeric LCD, a graphical OLED screen, or all manner of other options. Years ago however, people made do with little monolithic LED devices. [sjm4306] wanted to recreate something similar, and got down to work (Youtube link, embedded below).

The resulting device uses 0603 sized SMD LEDs, soldered onto a tiny PCB. 20 LEDs are used per digit, which can display numbers 0-9 and letters A-F. The LEDs are laid out in a pattern similar to Hewlett-Packard designs from years past. This layout gives the numerals a more pleasant appearance compared to a more-classic 7-segment design. Several tricks are used to make the devices as compact as possible, such as putting vias in the LED pads. This is normally a poor design technique, but it helps save valuable space.

[sjm4306] has developed a breadboard model, and a more advanced version that has a pad on the rear to mount a PIC16F88 microcontroller directly. We look forward to seeing these modules developed further, and can imagine they’d prove useful in a variety of projects.

For reference, check out these Soviet-era 7-segment displays. Video after the break.

Continue reading “Make Your Own Old School LED Displays”

A Work Light For Hacker Events

If you’ve ever attended a hacker camp, you’ll know the problem of a field of tents lit only by the glow of laser illumination through the haze and set to the distant thump of electronic dance music. You need to complete that project, but the sun’s gone down and you didn’t have space in your pack to bring a floodlight.

In Days of Yore you might have stuck a flickering candle in an empty Club-Mate bottle and carried on, but this is the 21st century. [Jana Marie] has the solution for you, and instead of a candle, her Club-Mate bottle is topped with a stack of LED-adorned PCBs, with a lithium-ion battery providing a high intensity downlight. It’s more than just a simple light though: it features variable brightness and colour temperature through touch controls on the top surface, as well as the ability to charge extra 18650 cells. At its heart is an STM32F334 microcontroller with a nifty use of its onboard timer to drive a boost converter, and power input is via USB-C.

We first saw an early take on this project providing illumination for a bit of after-dark Hacky Racer fettling at last year’s EMF 2018 hacker camp, since then it has seen some revisions. It’s all open-source so you can give it a go yourself if you like it.

This Week In Security: Baltimore, MacOS Zipfile Security, And App Store Monopolies

Baltimore. The city was breached, crippled and held for ransom. The ransomware attack was discovered on May 7th, shutting down a major portion of the city’s infrastructure. The latest news is that an NSA-written tool, EternalBlue, is responsible for the attack. Except maybe it isn’t? First off, digging back through the history of an attack is challenging. It’s often hard to determine the initial attack vector with certainty.

The “initial attack vector” is the patient zero of the attack: how the first machine was compromised. An organization generally has a firewall separating the outside internet from the internal network, but once an attacker has found a way onto a machine inside that network, the separation is not nearly so strict. Initial access takes many forms, but the most common is phishing. Close contenders are internet-exposed RDP and SMB services (Remote Desktop and Windows File Sharing). A report at Ars Technica indicates that the initial vector into the Baltimore network was a phishing email.

The second step to consider is what’s called “lateral movement”, which describes an attacker using the compromised machine to target other machines in the organization. Often an attacker will have an entire toolkit of exploits to attempt to compromise other machines. One of the exploits used in this case was the same exploit contained in the NSA tool, EternalBlue, which targets a flaw in Windows’ SMBv1 file-sharing implementation that Microsoft patched as MS17-010 in March 2017. PsExec, a legitimate Sysinternals administration tool for running commands on remote Windows machines, is usually part of any lateral movement campaign as well. While the exploit associated with EternalBlue was probably used to compromise a few of the machines on the Baltimore network, placing all the blame on the shoulders of the NSA is missing the point. The tool is only a small part of this attack, and machines patched back in 2017 were not vulnerable to it.
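
Lateral movement with PsExec leaves a recognisable trace: the tool copies its service binary into the target’s Windows directory over the ADMIN$ share and registers it as a service, which Windows records in the System log as Event ID 7045. The following is an added example written for this column, not code from any incident or product; the event records are constructed to mimic the fields of that event, the host names and the CITY\helpdesk-admin account are made up, and the “binary dropped straight into the Windows directory” rule is a heuristic for catching operators who rename the service with PsExec’s -r option.

```python
"""Flag PsExec-style remote service installs in Windows System log events.

Added example for this column, not code from any project mentioned on the
page. Input is a handful of constructed records mimicking the fields of
Windows System Event ID 7045 ("A service was installed in the system").
"""
import re

# Constructed sample events (not real logs). PsExec copies its service
# binary to the target's ADMIN$ share (C:\Windows) and registers it as a
# service named PSEXESVC unless the operator renames it with "-r".
SAMPLE_EVENTS = [
    {"host": "WS-014", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": r"CITY\helpdesk-admin"},
    {"host": "WS-015", "event_id": 7045, "service_name": "WinUpd",
     "image_path": r"%SystemRoot%\WinUpd.exe",
     "account": r"CITY\helpdesk-admin"},
    {"host": "WS-016", "event_id": 7045, "service_name": "gupdate",
     "image_path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc",
     "account": "LocalSystem"},
    {"host": "WS-016", "event_id": 7036, "service_name": "Spooler",
     "image_path": "", "account": ""},
]

KNOWN_PSEXEC_NAMES = {"psexesvc"}  # PsExec's default service name

# A service whose binary sits directly in the Windows directory, with no
# subdirectory, is how a freshly copied PsExec payload looks. Legitimate
# services almost always live in System32 or Program Files. (Heuristic.)
_BARE_WINDIR = re.compile(r"^(?:%systemroot%|c:\\windows)\\[^\\]+\.exe\s*$", re.I)


def classify_service_install(event):
    """Return a reason string if the event looks like a PsExec service install, else None."""
    if event.get("event_id") != 7045:
        return None
    name = event.get("service_name", "").lower()
    path = event.get("image_path", "")
    if name in KNOWN_PSEXEC_NAMES:
        return "default PsExec service name"
    if _BARE_WINDIR.match(path):
        return "service binary dropped directly into the Windows directory"
    return None


def find_lateral_movement(events):
    """Group suspicious installs by the account that created them.

    Returns {account: [(host, service_name, reason), ...]}; one account
    installing services on several hosts in a short window is the pattern
    to escalate.
    """
    hits = {}
    for ev in events:
        reason = classify_service_install(ev)
        if reason:
            hits.setdefault(ev["account"], []).append(
                (ev["host"], ev["service_name"], reason))
    return hits


if __name__ == "__main__":
    for account, installs in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{account}: {len(installs)} suspicious service install(s)")
        for host, svc, reason in installs:
            print(f"  {host}: {svc} ({reason})")
```

Run against the constructed events, the first two installs are flagged and attributed to the same account, while the Google updater and the unrelated 7036 event pass. In a real environment the interesting signal is the grouping: one admin account creating services on many workstations within minutes is worth a call, whether or not the service is named PSEXESVC.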

MacOS and NFS Shares Inside Zipfiles

MacOS has a sometimes irritating feature, Gatekeeper, which by default refuses to run downloaded applications that don’t carry a valid developer signature. The point of Gatekeeper is to prevent a user from running a malicious binary that has been downloaded from the internet. While it is sometimes an annoyance, it is helpful for some users. [Filippo Cavallarin] announced an exploit that completely bypasses Gatekeeper on the 24th. This exploit takes advantage of the fact that Gatekeeper considers external drives and network shares to be trustworthy locations, and doesn’t run the normal check before executing a binary located there. While interesting, this isn’t useful unless there is a way for an attacker to mount a malicious location as a network share. Enter the Mac’s automounter: accessing a path of the form /net/<host>/<share> causes the OS to mount that NFS export on demand. The last piece of this puzzle is the fact that zip files can contain symbolic links, and the built-in Archive Utility preserves them when extracting. A zip file can be built with a link to a /net location, so following the extracted link automounts an arbitrary, attacker-controlled NFS share. If binary files are located there, the OS will happily allow the user to execute them whether signed or not.
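
The defensive counterpart to that chain is simply to look at what an archive contains before anything extracts it. Below is an added example, not code from [Filippo Cavallarin] or Apple: it builds a small constructed zip in memory with one ordinary file and one symlink entry pointing at /net/203.0.113.10/tools (a documentation address, not a real server), then lists every symlink in the archive and classifies where it points. Zip stores Unix permission bits in the upper 16 bits of each entry’s external attributes, and an entry with the S_IFLNK bit set is a symlink whose “file data” is the link target.

```python
"""Inspect a zip archive for symbolic-link entries before extracting it.

Added example for this column, not code from [Filippo Cavallarin] or Apple.
It builds a constructed archive in memory containing one regular file and
one symlink to /net/203.0.113.10/tools, then lists every symlink and
classifies where it points. 203.0.113.10 is a documentation address.
"""
import io
import stat
import zipfile

AUTOMOUNT_PREFIXES = ("/net/", "/Volumes/")  # macOS automounter and mounted-volume roots


def build_constructed_archive():
    """Return the bytes of a zip holding a regular file and a symlink entry.

    Zip keeps Unix permissions in the high 16 bits of external_attr; an
    entry whose mode has S_IFLNK set is a symlink, and its 'file data' is
    the link target.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "just a text file\n")
        link = zipfile.ZipInfo("tools")
        link.create_system = 3                          # 3 = Unix, so the mode bits are honoured
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/net/203.0.113.10/tools")   # link target is the entry body
    return buf.getvalue()


def is_symlink(info):
    """True if the central-directory entry carries a symlink mode."""
    return stat.S_ISLNK(info.external_attr >> 16)


def classify_target(target):
    """Say where a symlink target would lead once the archive is unpacked."""
    if target.startswith(AUTOMOUNT_PREFIXES):
        return "automount/network path"
    if target.startswith("/"):
        return "absolute path outside the archive"
    if ".." in target.split("/"):
        return "escapes the extraction directory"
    return "relative, stays inside the archive"


def find_symlinks(zip_bytes):
    """Return [(entry_name, target, classification)] for every symlink entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                found.append((info.filename, target, classify_target(target)))
    return found


def is_safe_to_extract(zip_bytes):
    """True only if no symlink points outside the archive's own tree."""
    return all(cls == "relative, stays inside the archive"
               for _, _, cls in find_symlinks(zip_bytes))


if __name__ == "__main__":
    data = build_constructed_archive()
    for name, target, cls in find_symlinks(data):
        print(f"{name} -> {target}  [{cls}]")
    print("safe to extract:", is_safe_to_extract(data))
```

On the constructed archive the inspector reports the single symlink as an automount/network path and refuses it. Python’s own zipfile module never creates symlinks on extraction (it writes the target string out as a plain file), so the check matters for archives handed to tools that do honour the link bit, such as the macOS Archive Utility described above.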

This exploit may not be the most serious of the year, but it’s still a problem that needs fixing. [Filippo] contacted Apple back in February and disclosed the problem, even getting an assurance that they would fix it within 90 days. 90 days have passed, and Apple has begun ignoring his emails, so he has made the announcement and published steps to reproduce on his website.

There has been discussion in the comments of this column about vulnerability disclosure and publishing proof of concept code. This is a perfect example of why researchers publish their work. As far as [Filippo] knows, Apple has no intention of fixing the issue he discovered. He also has no reason to believe that no one else has stumbled on this discovery before he did. We mentioned EternalBlue above. The NSA discovered the SMB vulnerability that exploit targeted and used it silently for up to five years before it was stolen and finally disclosed to Microsoft and fixed. Make no mistake, public disclosures and proof of concepts get vulnerabilities fixed. For any given vulnerability, there is no guarantee that someone else hasn’t already found it.

Just a Little Document Leak

OK, maybe not so little. A Fortune 500 company, First American, managed to host millions of private documents in an accessible format. Imagine you upload a document to a company, and get a confirmation link that looks like “test.com/documents.php?id=0252234”. If you’re like me, you’re very curious what is at id=0252233. [Ben Shoval] is a real estate developer who apparently also wanted to know the answer to that question. To his surprise, millions of uploaded documents were available for anyone to view: no ownership check, just a sequential ID. This is a textbook insecure direct object reference, and the fix is to verify that the requester is entitled to the document, not to hope nobody guesses the next number. He tried reaching out to First American, and when there was no response to his emails, he forwarded his findings on to Krebs on Security. After what was likely years of exposure, the database was finally taken offline Friday the 24th.
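
To make the pattern concrete, here is an added example, not First American’s code (the page says nothing about how their site was built): an in-memory SQLite table with three constructed documents, the vulnerable lookup that trusts the id in the URL, the same lookup with the session’s identity folded into the query, and an unguessable share token for the confirmation-link case where no login is available. The customer names and document bodies are invented.

```python
"""Sequential document IDs with and without an authorization check.

Added example for this column, not First American's code; the page does
not say how their system was built. It uses an in-memory SQLite table
with constructed rows to show the insecure-direct-object-reference
pattern described above and two ways to close it.
"""
import secrets
import sqlite3


def make_db():
    """Constructed sample data: three documents owned by two customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, "
               "share_token TEXT UNIQUE, body TEXT)")
    rows = [(252233, "alice", secrets.token_urlsafe(32), "alice's wire instructions"),
            (252234, "bob",   secrets.token_urlsafe(32), "bob's closing statement"),
            (252235, "bob",   secrets.token_urlsafe(32), "bob's tax form")]
    db.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", rows)
    return db


def get_document_insecure(db, doc_id):
    """The vulnerable pattern: the id from the URL is the only lookup key.

    Anyone who can count can walk id=0252233, 0252232, ... and read
    every document in the system.
    """
    row = db.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


def get_document_secure(db, doc_id, requester):
    """Same lookup, but the owner is part of the query.

    `requester` must be the identity established by the session, never a
    value taken from the request. A non-owner gets the same 'not found'
    as a nonexistent id, so the response does not confirm the id exists.
    """
    row = db.execute("SELECT body FROM documents WHERE id = ? AND owner = ?",
                     (doc_id, requester)).fetchone()
    return row[0] if row else None


def get_document_by_share_token(db, token):
    """For the 'confirmation link' case: an unguessable capability token.

    A 32-byte random token cannot be enumerated the way a sequential id
    can, so a link that must work without a login should carry this
    instead of the row id.
    """
    row = db.execute("SELECT body FROM documents WHERE share_token = ?", (token,)).fetchone()
    return row[0] if row else None


def share_token_for(db, doc_id):
    """Look up the token the server would embed in a customer's link."""
    row = db.execute("SELECT share_token FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("insecure, bob reads alice's doc:", get_document_insecure(db, 252233))
    print("secure, bob reads alice's doc:  ", get_document_secure(db, 252233, "bob"))
    print("secure, alice reads her own:    ", get_document_secure(db, 252233, "alice"))
    tok = share_token_for(db, 252234)
    print("share link for bob's doc works: ", get_document_by_share_token(db, tok))
```

The two fixes are not interchangeable: the owner check is the right answer wherever the user is logged in, and the random token is only for links that have to work without a session. Either way, the sequential primary key should never be the thing that appears in a URL.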

Walled Garden Monopolies

Staying on the Apple train, the App Store is pretty obviously a monopoly. Someone has finally asked whether it’s an illegal monopoly. As most of these questions go, it’ll take a drawn out court battle to decide. How is this security news? If the court finds that Apple has been violating antitrust laws, one possible remediation is to allow alternative app stores. While there is always the potential for a high quality alternative store like F-Droid, sketchy app stores and sideloaded downloads are a real possibility. On the other hand, it would be nice to have an iOS app store that is compatible with the GPL.

Hackaday Podcast 021: Chasing Rockets, Tripping On Vintage Synthesizers, A Spectacular IoT Security Fail, And Early Alzheimer’s Detection Via VR

Mike Szczys is on a well-deserved vacation this week, so staff writer Dan Maloney joins managing editor Elliot Williams for a look at all the great hacks of the week. On this episode we’re talking about licensing fees for MIDI 2.0, a two-way fail while snooping on employees, and the potential for diagnosing Alzheimer’s with virtual reality. We also dive into the well-engineered innards of a robotic cheetah, a personal assistant safe enough for kids to use, and how listening to your monitor reveals more about you than you’d think. You don’t want to miss a space nerd’s quest for fire or a hacker’s guide to solder and soldering. And you’ve got to catch the story of a hapless hacker’s contact high from a vintage synthesizer. It’s quite a trip.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Continue reading “Hackaday Podcast 021: Chasing Rockets, Tripping On Vintage Synthesizers, A Spectacular IoT Security Fail, And Early Alzheimer’s Detection Via VR”