This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE

We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP Synchronization requests, with spoofed source IPs.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

Continue reading “This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE”

ClockworkPi Unveils New PicoCalc Handheld

Do you like scientific calculators? Don’t bother answering that question, you’re reading Hackaday so we already know the answer. We also know you’re a fan of building things yourself and open source, which makes us fairly sure you’ll be just as interested in the recently announced ClockworkPi PicoCalc as we are.

On the surface, it looks like a chunky scientific calculator, though on further inspection you’ll note it comes equipped with a QWERTY keyboard. But open up the case and what you’ve really got is an elaborate carrier board for the Raspberry Pi Pico. The PicoCalc supports all variants of the microcontroller, but realistically we can’t think of any reason that you wouldn’t just use the latest version.

With the MCU connected, you’ll have access to the PicoCalc’s 320×320 4-inch IPS screen, backlit I2C-connected keyboard, SD card slot, 8 MB PSRAM, and dual PWM speakers. Power is provided by a pair of 18650 cells (which you’ll need to supply on your own), and the board has the necessary circuitry to charge them up over USB-C.

Everything is housed in an injection molded case, but the project page says all the necessary CAD files will be eventually be released under the GPL v3 so you can 3D print or CNC your own enclosure. For now though, the only thing of note that seems to be in the PicoCalc GitHub repository is a PCB schematic.

The software side of things is a little less clear. The page mentions a BASIC interpreter, MP3 playback, and support for various programming languages, but we get the impression that’s just a list of stuff you can run on the Pi Pico. There are a few images that clearly show the PicoCalc actually being used as a calculator however, so there may be an official firmware yet to be revealed.

The PicoCalc kit is on sale now, and will set you back $75 USD — which actually includes a first-generation Pi Pico, on the off chance that you don’t already have a few laying around. We’ve been impressed with the previous offerings from ClockworkPi, so assuming this new kit maintains that same build quality, it seems like a fair enough price.

The Trials And Tribulations Of Building A Pasta Display

We love unique displays here at Hackaday. If you can figure out how to show information on some weird object, we’re all about it. So when [Julius Curt] wrote in to share his work on the Pasta Analog Display, we were hooked from the subject line.

But in reading his account, it ended up being even better than we hoped for. Because it turns out, getting pasta to behave properly in an electromechanical device is trickier than you might think. Oh sure, as [Julius] points out, those ridges on the side of penne might make them look like gears — but after spending the time and effort to build a particularly slick 3D printed frame to actually use them as such, it turns out they just won’t cooperate. You’d think the pasta makers of the world would have some respect for mechanical tolerances, but unfortunately not.

Continue reading “The Trials And Tribulations Of Building A Pasta Display”