Author: Brian Benchoff

5252 Articles

Apple Passwords: They All ‘Just Work’

January 12, 2018 by 40 Comments

When the Macintosh was released some thirty-odd years ago, to Steve Jobs’ triumphant return in the late 90s, there was one phrase to describe the simplicity of using a Mac. ‘It Just Works’. Whether this was a reference to the complete lack of games on the Mac (Marathon shoutout, tho) or a statement to the user-friendliness of the Mac, one thing is now apparent. Apple has improved the macOS to such a degree that all passwords just work. That is to say, security on the latest versions of macOS is abysmal, and every few weeks a new bug is reported.

The first such security vulnerability in macOS High Sierra was reported by [Lemi Ergin] on Twitter. Simply, anyone could login as root with an empty password after clicking the login button several times. The steps to reproduce were as simple as opening System Preferences, Clicking the lock to make changes, typing ‘root’ in the username field, and clicking the Unlock button. It should go without saying this is incredibly insecure, and although this is only a local exploit, it’s a mind-numbingly idiotic exploit. This issue was quickly fixed by Apple in the Security Update 2017-001

The most recent password flaw comes in the form of unlocking the App Store preferences that can be unlocked with any password. The steps to reproduce on macOS High Sierra are simply:

  • Click on System Preferences
  • Click on App Store
  • Click the padlock icon
  • Enter your username and any password
  • Click unlock

This issue has been fixed in the beta of macOS 10.13.3, which should be released within a month. The bug does not exist in macOS Sierra version 10.12.6 or earlier.

This is the second bug in macOS in as many months where passwords just work. Or don’t work, depending on how cheeky you want to be. While these bugs have been overshadowed with recent exploits of Intel’s ME and a million blog posts on Meltdown, these are very, very serious bugs that shouldn’t have happened in the first place. And, where there are two, there’s probably more.

We don’t know what’s up with the latest version of the macOS and the password problems, but we are eagerly awaiting the Medium post from a member of the macOS team going over these issues. We hope to see that in a decade or two.

Glitch Delays And Teensy Audio

January 11, 2018 by 4 Comments

With the release of the Teensy 3.6 and the associated audio processing libraries, it’s never been a better time to get into DIY synth and effects projects. [Scott] is a musician and maker of electronic musical instruments, so he decided to leverage the power of the Teensy and make a delay module that really can’t be done any other way.

The function of this delay module is somewhat similar to a multi-head tape-based delay, only it’s completely impossible outside of the digital domain. There are four ‘read heads’ on a circular buffer. The first three heads play small loops within the buffer at different speeds, one at the original speed, one at half speed (and an octave below) and one at double speed (and an octave above). The fourth head doesn’t loop, instead, it plays the delay buffer in reverse. There are, of course, handy knobs for setting the level of each ‘read head’.

This project is built around [Scott]’s port of the JUCE framework, a very powerful audio API that’s now well suited for laptop and embedded development. The files for this project are all available on the GitHub, and [Scott] plans to build an expansion module for CV control of all the parameters.

So, how does this glitch delay sound? Pretty good. The video below is just a tele into a looper pedal, and into the glitch delay. There are surely some ambient post-rock stars wetting their skinny jeans over this one, and it’s a great application of the Teensy’s audio processing power, to boot.

Continue reading “Glitch Delays And Teensy Audio”

Friday Hack Chat: Assembling In Quantity With MacroFab

January 10, 2018 by 6 Comments

Building one of something is easy. You see it here every day, and yes, building a single robot, or a board to convert Segas to HDMI, or an Internet of Things thing is easy. Manufacturing is another story entirely. You’re going to have BOMs to work with, you’ll have suppliers, and you need to deal with assembly, programming, and packaging. Do you even know where you’re going to store all those boxes of parts? Manufacturing is a difficult task, but luckily there are assembly houses and contract manufacturers ready to ease the burden a little.

For this week’s Hack Chat, we’re going to be talking about Assembly as a Service through MacroFab. MacroFab is an online assembly house and contract manufacturer that makes creating hardware simple. If you thought sending a board file off to OSH Park and receiving a PCB in a week is amazing, you clearly haven’t experienced MacroFab. Here, you can upload your board and BOM, and with minimal effort, receive a completely populated product in a few weeks.

Our guest for this week’s Hack Chat will be [Parker Dillmann], MacroFab co-founder, with backgrounds in embedded design and DSP. He runs longhornengineer, a blog full of amazing projects that fit in well with the usual Hackaday fare. Shoutouts are especially deserved for the Game Boy VGA adapter.

During this week’s Hack chat, we’re going to be talking to [Parker] about manufacturing, the pitfalls, how you can better design for manufacturing (DFM), the machines used by MacroFab, pogo pin adapters, solder fountains, and all the cool stuff that turns one of a thing into thousands of a thing. If you’re wondering what MacroFab’s results look like, you’ve probably already held a few in your hands; the badge for this year’s Hackaday Superconference was manufactured by MacroFab, as were a lot of the independent badges at last year’s Def Con.

During this Hack Chat, we’ll be discussing:

  • What is the process for a first-time manufacturer?
  • Where can you find out how to design better for manufacturing?
  • What kinds of products are made at MacroFab?
  • What kinds of equipment is typically used for board assembly?

As always, we’re looking for questions from the community, you can add those as a comment on the Hack Chat event page.

join-hack-chat

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. This Hack Chat is going down Friday, January 12th at noon, Pacific time. Time Zones got you down? Here’s a handy countdown timer!

Click that speech bubble to the left, and you’ll be taken directly to the Hack Chat group on Hackaday.io.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

WiFi Alliance Announces Upcoming Fixes To WPA2

January 10, 2018 by 27 Comments

Last October, before Intel’s Management Engine was completely broken and the Spectre and Meltdown exploits drove Intel’s security profile further into the ground, we had a problem with wireless networking. WPA2 was cracked with KRACK, the Key Reinstallation Attack. The sky isn’t falling quite yet, but the fact remains that the best WiFi security currently available isn’t very secure at all.

This week, at the Consumer Electronics Show in Las Vegas, the WiFi Alliance announced they would introduce security enhancements in 2018. While it’s not said in the press release if this is a reaction to KRACK, the smart money says yes, this is indeed a reaction to KRACK.

Four new capabilities are outlined in the upcoming release of WPA3 this year. One feature will be protection for users who do not choose complex passwords. A second feature will simplify the process of configuring security on devices that have no display, ostensibly like that little button on your router that you’ve never pressed. The third feature will ‘strengthen user privacy in open networks’, while the fourth, the one we really care about, will add a 192-bit security suite which will, ‘further protect WiFi networks with higher security requirements’.

While most devices currently in service should have a patch for KRACK by now, there will always be thousands of unpatched devices, because, really, who is in charge of the router at your local coffee shop? We’re not sure about the timing of the WiFi Alliance’s announcement of upcoming security improvements: coming during CES when the entirety of the tech press is gawking at manned quadcopters and an endless variety of voice assistants. But we have to say better late than never.

Improved Perfboard For Surface Mount Parts

January 9, 2018 by 26 Comments

Look through the last two decades of electronics project built on perfboard, and you’ll notice a trend. Perfboard is designed for through-hole parts, but ever more frequently, the parts we need are only available as surface mount devices. What does this mean for the future of all those protoboard, veroboard, and tagboard designs? It’s not good, but fortunately, there may be an answer. It’s perfboard designed for mounting SOICs, SOTs, and other surface mount devices.

Perfboard is an extremely simple concept. Most through-hole electronic components are built around 0.1″ or 2.54 mm spacing between pins. Yes, there are exceptions, but you can always bend the middle pin of a transistor and put it in a hole. SMT devices are different. You can’t really bend the pins, and the pin pitch is too small for the 0.1″ holes in traditional perfboard.

[electronic_eel] is changing that game up with his own design for perfboard. This perfboard has the traditional 0.1″ holes, but there are SMD pads sprinkled about between these holes. The result is being able to solder SOIC, SOT23-6, SOT23 and SOT363 devices directly to a board alongside 0603 and 0805 devices. Connect everything with a few beads of solder and you have a functional circuit made out of surface mount devices on something that’s still compatible with the old protoboard designs.

This isn’t the first time we’ve seen a new type of protoboard make it into production. A few years ago, Perf+, a bizarre ‘bus-based’ protoboard solution came onto the scene, although that wasn’t really designed for SMD parts. While [electronic_eel] doesn’t have any plans to sell his protoboard, the files are available, and you can easily design your own small piece of perfboard.

Go Retro To Build A Spectre And Meltdown-Proof X86 Desktop

January 7, 2018 by 95 Comments

[Yeo Kheng Meng] had a question: what is the oldest x86 processor that is still supported by a modern Linux kernel? Furthermore, is it actually possible to use modern software with this processor? It’s a question that surely involves experimentation, staring into the bluescreen abyss of BIOS configurations, and compiling your own kernel. Considering Linux dropped support for the 386 in 2012, the obvious answer is a 486. This supposition was tested, and the results are fantastic. You can, indeed, install a modern Linux on an ancient desktop.

This project got its start last month at a Super Silly Hackathon where [Yeo] and [Hui Jing] installed Damn Small Linux on an ancient IBM PS/1 desktop of 1993 vintage. The hardware consists of an AMD 486 clone running at 133MHz, 64 MB of RAM, a 48x IDE CDROM drive (wow!), a floppy emulator, a Sound Blaster, 10Mbps Ethernet card, and a CompactFlash to IDE adapter. By any account, this is a pimped-out rig for 1993 that would have cost more than a car at the time. The hardware works, but can you run a modern Linux kernel on it?

[Yeo] decided to install the Gentoo x86 minimal installation, but sanity and time constraints meant compiling a kernel on a 486 wasn’t happening. That was done on a modern Thinkpad after partitioning all the drives, verifying all the compilation parameters, and configuring the kernel itself. The bootloader is LILO (Grub2 didn’t work), but for the most part, this is entirely modern software running on a 25-year-old machine. The step-by-step instructions for becoming a /g/entooman on a 486 are available on GitHub.

The entire (boring) boot process can be seen in the video below. One interesting application of this build is that the 486 does not support out-of-order execution, making this completely safe from Meltdown and Spectre attacks. It’s an impressive retrocomputing achievement that right now could not be more timely.

Continue reading “Go Retro To Build A Spectre And Meltdown-Proof X86 Desktop”

Hackaday Links Column Banner

Hackaday Links: January 7, 2018

January 7, 2018 by 23 Comments

Whelp, Spectre and Meltdown are the tech news du jour right now, and everyone is wondering: what is the effect of this problem on real hardware in real server rooms? Epic Games patched their machines and found something shocking. The CPU utilization for one of their online services increased about 100%. We don’t know what this server is doing, or what this process is, but the Spectre and Meltdown patches will increase CPU load depending on the actual code running. This is bad for Epic — they now have to buy an entirely new server farm. This is doubly bad for Intel, and there is speculation of a class action suit floating around the darker corners of the Interwebs.

It is with a heavy heart that I must report the passing of John Young, the only person to have commanded four different classes of spacecraft (five if you include the lunar rover), including the first launch of the Space Shuttle. He was, simply, the most badass astronaut to ever live. Need proof of that? His heart rate during the launch of a Saturn V was seventy.

By the time this post is published, you’ll have less than twenty-four hours to submit your project to the Coin Cell Challenge. Get to it!

A short reminder that Shmoocon is a mere two weeks away. What is Shmoocon? A totally chill cyber/sec/hacker con at the Washington D.C. Hilton (yes, where Reagan was shot). We’ll be there, and we’re looking for some like-minded Hackaday peeps to chill out with. Want a meetup? Reply in the comments.

A few years ago, the ESP8266 appeared out of the blue in a few Chinese reseller’s web shops, and everything has been gravy since. Now there’s a new magic do-everything chip appearing on AliExpress and Taobao. It’s the RDA5981, a chip with an ARM Cortex M4 core, 32Mbit of Flash, 192k or user RAM, b/g/n WiFi, I2S, and enough peripherals to be useful. Given the support for a MIC, line in, MP3, WAV, WMA and AAC, it appears this is an all-in-one chip designed for Bluetooth speakers or some other audio application. You can find modules on Alibaba and a few breakout boards on Taobao.

According to my sources (the press releases that somehow slipped through the ‘CES’ filter on my email), the world’s fastest, smallest, biggest, least expensive, and newest drone is set to be unveiled at CES in Vegas this week.