What Is Entropy And How Do I Get More Of It?

November 2, 2017 by Elliot Williams 55 Comments

Let’s start off with one of my favorite quotes from John von Neumann: “Any one who considers arithmetical methods of producing random digits is, of course, in a state of sin. For, as has been pointed out several times, there is no such thing as a random number — there are only methods to produce random numbers, and a strict arithmetic procedure of course is not such a method.”

What von Neumann is getting at is that the “pseudo” in pseudorandom number generator (PRNG) is really a synonym for “not at all”. Granted, if you come in the middle of a good PRNG sequence, guessing the next number is nearly impossible. But if you know, or can guess, the seed that started the PRNG off, you know all past and future values nearly instantly; it’s a purely deterministic mathematical function. This shouldn’t be taken as a rant against PRNGs, but merely as a reminder that when you use one, the un-guessability of the numbers that it spits out is only as un-guessable as the seed. And while “un-guessability” isn’t a well-defined mathematical concept, or even a real word, entropy is.

That’s why entropy matters to you. Almost anything that your computer wants to keep secret will require the generation of a secret random number at some point, and any series of “random” numbers that a computer generates will have only as much entropy, and thus un-guessability, as the seed used. So how does a computer, a deterministic machine, harvest entropy for that seed in the first place? And how can you make sure you’ve got enough? And did you know that your Raspberry Pi can be turned into a heavy-duty source of entropy? Read on!

Continue reading “What Is Entropy And How Do I Get More Of It?” →

Pull Passwords Out Of Silicon

October 30, 2017 by Elliot Williams 15 Comments

[q3k] got tipped off to a very cool problem in the ongoing Pwn2Win capture-the-flag, and he blew it out of the water by decoding the metal interconnect layers that encode a password in a VLSI IC. And not one to rent someone else’s netlist extraction code, he did it by writing his own.

The problem in the Pwn2Win CTF came in the form of the design files for a hypothetical rocket launch code. The custom IC takes an ASCII string as input, and flips a pin high if it matches. Probably the simplest way to do this in logic is to implement a shift register that’s long enough for the code string’s bits, and then hard-wire some combinatorial logic that only reads true when all of the individual bits are correct.

(No, you don’t want to implement a password-checker this way — it means that you could simply brute-force the password far too easily — but such implementations have been seen in the wild.)

Anyway, back to our story. After reversing the netlist, [q3k] located 320 flip-flops in a chain, suggesting a 40-byte ASCII code string. Working backward in the circuit from the “unlocked” pin to the flip-flops, he found a network of NOR and NAND gates, which were converted into a logic notation and then tossed into Z3 to solve. Some cycles later, he had pulled the password straight out of the silicon!

This looks like a really fun challenge if you’re into logic design or hardware reverse engineering. You don’t have to write your own tools to do this, of course, but [q3k] would say that it was worth it.

Thanks [Victor] for the great tip!
Featured image by David Carron, via Wikipedia.

Hackaday Prize Entry: Two Leg Robot

October 20, 2017 by Elliot Williams 12 Comments

If you’re working on your own bipedal robot, you don’t have to start from the ground up anymore. [Ted Huntington]’s Two Leg Robot project aims to be an Open Source platform that’ll give any future humanoid-robot builders a leg up.

While we’ve seen quite a few small two-legged walkers, making a pair of legs for something human-sized is a totally different endeavor. [Ted]’s legs are chock-full of sensors, and there’s a lot of software that processes all of the data. That’s full kinematics and sensor info going back and forth from 3D model to hardware. Very cool. And to top it all off, “Two Leg” uses affordable motors and gearing. This is a full-sized bipedal robot platform that you might someday be to afford!

Will walking robots really change the world? Maybe. Will easily available designs for an affordable bipedal platform give hackers of the future a good base to stand on? We hope so! And that’s why this is a great entry for the Hackaday Prize.

Inside Two-Factor Authentication Apps

October 16, 2017 by Elliot Williams 66 Comments

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password cannot be stored hashed in the server’s database, which means that when the database is eventually compromised, your “second factor” blows away with the breeze.

Second factor apps can improve your overall security if you’re already following good password practices. We’ll demonstrate why and how below, but the punchline is that the most popular 2FA app implementations protect you against eavesdropping by creating a different, unpredictable, but verifiable, password every 30 seconds. This means that if someone overhears your login right now, they wouldn’t be able to use the same login info later on. What 2FA apps don’t protect you against, however, are database leaks.

Continue reading “Inside Two-Factor Authentication Apps” →

Happy Ada Lovelace Day!

October 10, 2017 by Elliot Williams 74 Comments

Today is Ada Lovelace Day, a day to celebrate and encourage women in the fields of science and technology. The day is named after Augusta Ada King-Noel, Countess of Lovelace, born Byron. (You can see why we just call her Ada Lovelace.) She was a brilliant mathematician, and the writer of what’s probably the first real computer program — it computed the Bernoulli series. At least according Charles Babbage, in correspondence to Michael Faraday, she was an “enchanted math fairy”. Not only a proto-coder, she wrote almost all of the existing documentation about Babbage’s computation engine. She’s a stellar example of a brilliant and unique individual. If you were looking for a superhero to represent women in science and tech, Ada’s a good pick.

In our minds, she gets stiff competition from Marie Curie. Curie did fundamental research on radioactivity, is one of two people with Nobel Prizes in two different sciences, and got to name the two elements that she discovered. 2011 was the Year of Marie Curie in France and Poland. She has her own year in addition to her own unit. Even Spiderman doesn’t have those radioactive super powers!

Don’t Need Another Hero?

But on a day dedicated to getting more women into the technical arts, it’s also a little bit daunting to pick Lovelace or Curie as a symbol. Are you ever going to have something that equals “first computer program” or “two Nobel Prizes” on your résumé? We aren’t. It’s great to have heroes, but maybe we need more than just heroes — we also need mentors.

Continue reading “Happy Ada Lovelace Day!” →

Who Owns Arduino?

October 5, 2017 by Elliot Williams 67 Comments

Who owns Arduino? We don’t mean metaphorically — we’d say that’s the community of users and developers who’ve all contributed to this amazing hardware/software ecosystem. We mean literally. Whose chips are on the table? Whose money talks? It looks like ARM could have a stake!

The Arduino vs Arduino saga “ended” just under a year ago with an out-of-court settlement that created a private holding company part-owned by both parties in the prior dispute over the trademark. And then, [Banzi] and the original founders bought out [Musto]’s shares and took over. That much is known fact.

The murky thing about privately held companies and out-of-court settlements is that all of the details remain private, so we can only guess from outside. We can speculate, however, that buying out half of the Arduino AG wasn’t cheap, and that even pooling all of their resources together, the original founders just didn’t have the scratch to buy [Musto] out. Or as the Arduino website puts it, “In order to make [t]his a reality, we needed a partner that would provide us with the resources to regain full ownership of Arduino as a company… and Arm graciously agreed to support us to complete the operation.” That, and the rest of the Arduino blog post, sure looks like ARM provided some funds to buy back Arduino.

We reached out to [Massimo Banzi] for clarification and he replied:

“Hi arm did not buy nor invest in arduino. The founders + Fabio Violante still own the company. As I wrote in the blog post we are still independent, open source and cross platform.”

We frankly can’t make sense of these conflicting statements, at least regarding whether ARM did or didn’t contribute monetary resources to the deal. ARM has no press release on the deal as we write this. Continue reading “Who Owns Arduino?” →

Knitting ALUs (and Flipdots)

September 20, 2017 by Elliot Williams 6 Comments

[Irene Posch] is big into ~~knitted~~ fabric circuits. And while most of the textile circuits that we’ve seen are content with simply conducting enough juice to light an LED, [Irene]’s sights are set on ~~knittable~~ crafted arithmetic logic units (ALUs). While we usually think of transistors as the fundamental building-blocks of logic circuits, [Irene] has developed what is essentially a ~~knit~~ crochet relay. Be sure to watch the video after the break to see it in construction and in action.

The basic construction is a coil of conductive thread that forms an electromagnet, and a magnetic bead suspended on an axle so that it can turn in response to the field. To create a relay, a flap of knit conductive thread is attached to the bead, which serves as the pole for what’s essentially a fabric-based SPDT switch. If you’ve been following any of our relay-logic posts, you’ll know that once you’ve got a relay, the next step to a functioning computer is a lot of repetition.

How does [Irene] plan to display the results of a computation? On knit-and-bead flipdot displays, naturally. Combining the same electromagnet and bead arrangement with beads that are painted white on one side and black on the other yields a human-readable one-bit display. We have an unnatural affinity for flipdot displays, and making the whole thing out of fabric-store components definitely flips our bits.

Anyway, [Irene Posch] is a textile-tech artist who you should definitely be following if you have any interest in knittable computers. Have you seen anything else like this? Thanks [Melissa] for the awesome tip!

Continue reading “Knitting ALUs (and Flipdots)” →