Kerry Scharfglass Secures Your IoT Things

December 20, 2019 by 6 Comments

We’ve all seen the IoT device security trainwrecks: those gadgets that fail so spectacularly that the comment section lights up with calls of “were they even thinking about the most basic security?” No, they probably weren’t. Are you?

Hackaday Contributor and all around good guy Kerry Scharfglass thinks about basic security for a living, and his talk is pitched at the newcomer to device security. (Embedded below.) Of course “security” isn’t a one-size-fits-all proposition; you need to think about what threats you’re worried about, which you can ignore, and defend against what matters. But if you’ve never worked through such an exercise, you’re in for a treat here. You need to think like a maker, think like a breaker, and surprisingly, think like an accountant in defining what constitutes acceptable risks. Continue reading “Kerry Scharfglass Secures Your IoT Things”

Macro Foot Stool Helps Me Get A Leg Up On Work

December 20, 2019 by 12 Comments

Macros are meant to make our lives easier, but they live up to this promise with mixed results. Generally speaking, a macro is a special combination of keys on the keyboard that execute a custom task — their goal is to speed up your productivity by getting away from mousing through menus. But once a macro requires more than two keys, they can get a bit cumbersome to input. I have personally found that repeated use of macros that require ctrl+shift can potentially cause problems. I don’t know about you (and your repetitive stress mileage may vary), but personal injury is the polar opposite of what I want from something that’s supposed to be convenient.

The more I thought about how nice it would be to have a field of dedicated one-punch macro keys, the more incomplete my life seemed without it. Every uncomfortable three-key shortcut I chorded was more motivational than the last.

I love keyboard shortcuts, and not just because I prefer keyboard navigation in general. A lot of little things about writing for the web can be streamlined with shortcuts, like writing html tags and doing image manipulation. And I’m always looking for a better workflow to pin down my fleeting mental fragments, at least until that dark day that I can turn on Dropbox Thoughts™ and burn my brainwaves directly to disk.

Continue reading “Macro Foot Stool Helps Me Get A Leg Up On Work”

Hackaday Podcast 047: Prusa Controversy, Bottle Organ Breakdown, PCBs Bending Backwards, And Listen To Your LED

December 20, 2019 by 4 Comments

Hackaday editors Mike Szczys and Elliot Williams get together for the 47th and final Hackaday Podcast of 2019. We dive into the removable appendix on Prusa’s new “Buddy” control board, get excited over the world’s largest grid-backup battery, and commiserate about the folly of designing enclosures as an afterthought. There’s some great research into which threaded-inserts perform best for 3D-printed parts, how LEDs everywhere should be broadcasting data, and an acoustic organ that’s one-ups the traditional jug band.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 047: Prusa Controversy, Bottle Organ Breakdown, PCBs Bending Backwards, And Listen To Your LED”

All Your SDR Software In A Handy Raspberry Pi Image

December 20, 2019 by 29 Comments

The SDR revolution has brought a bonanza of opportunities for experimentation to the radio enthusiast, but with it has come a sometimes-confusing array of software for which even installation can be a difficult prospect for an SDR novice. If you’re bamboozled by it all then help may be at hand courtesy of [Luigi Cruz], who has packaged a suite of ready-to-go popular SDR software in an OS image for the Raspberry Pi.

On board the Raspbian-based OS image are SDR Angel, Soapy Remote, GQRX, GNURadio, LimeUtil, and LimeVNA. In hardware terms the RTL-SDR is supported, along with the LimeSDR, PlutoSDR, Airspy, and Airspy HF. All are completely ready-to-go and even have desktop shortcuts, so if the CLI scares you then you can still dive in and play. More importantly it’s designed for use with SDR transmitters as well as receivers, so the barrier for full SDR operation for radio amateurs has become significantly lower too.

This year has seen the seven-year anniversary of the RTL-SDR hack that probably did most to kickstart the use of SDRs in our community. Our colleague [Tom Nardi] wrote a retrospective that’s worth a look for its overview of some SDR tricks that have evolved over that time. Meanwhile if you don’t mind restricting your outlook somewhat, it’s possible to turn the Raspberry Pi 3 into an SDR all without any extra hardware.

This Week In Security: Unicode, Truecrypt, And NPM Vulnerabilities

December 20, 2019 by 22 Comments

Unicode, the wonderful extension to to ASCII that gives us gems like “✈”, “⌨”, and “☕”, has had some unexpected security ramifications. The most common problems with Unicode are visual security issues, like character confusion between letters. For example, the English “M” (U+004D) is indistinguishable from the Cyrillic “М” (U+041C). Can you tell the difference between IBM.com and IBМ.com?

This bug, discovered by [John Gracey] turns the common problem on its head. Properly referred to as a case mapping collision, it’s the story of different Unicode characters getting mapped to the same upper or lowercase equivalent.

'ß'.toLowerCase() === 'SS'.toLowerCase() // true
// Note the Turkish dotless i
'John@Gıthub.com'.toUpperCase() === 'John@Github.com'.toUpperCase()

GitHub stores all email addresses in their lowercase form. When a user sends a password reset, GitHub’s logic worked like this: Take the email address that requested a password reset, convert to lower case, and look up the account that uses the converted email address. That by itself wouldn’t be a problem, but the reset is then sent to the email address that was requested, not the one on file. In retrospect, this is an obvious flaw, but without the presence of Unicode and the possibility of a case mapping collision, would be a perfectly safe practice.

This flaw seems to have been fixed quite some time ago, but was only recently disclosed. It’s also a novel problem affecting Unicode that we haven’t covered. Interestingly, my research has turned up an almost identical problem at Spotify, back in 2013.
Continue reading “This Week In Security: Unicode, Truecrypt, And NPM Vulnerabilities”

Movie-Style Hacking With A Wall Of Glowing Hex

December 20, 2019 by 21 Comments

Over the years, the media has managed to throw together some pretty ridiculous visual depictions of computer hacking. But perhaps none have gone as far down the road of obfuscation as The Matrix, where the most experienced hackers are able to extract information from a display of cascading green glyphs like a cyberpunk version of reading tea leaves. It’s absolutely ridiculous, with zero basis in reality.

Well, maybe not anymore. Taking a page from these outlandish visions of hacking, [Erik Bosman] has constructed a dedicated hex dump display out of fourteen segment alphanumeric LEDs that looks like it could be pulled from a movie set. But make no mistake, it’s more than just a pretty face. By cleverly varying the brightness of the individual characters, he’s managed to make his so-called “hexboard” completely usable despite the fact that everything’s the same color.

While he says the project is not quite at 100% yet, he’s already released the firmware, computer-side software, and even the PCB design files for anyone who might want to build their own version. Though as you might imagine, it’s quite a tall order.

The display is broken up into segments holding eight Houkem-5421 LED modules apiece, each with its own STM32F030F4 and two TC7258E LED controllers. The bill of materials on this one is a bit intimidating, but when the end result look this good it’s hard to complain.

To build a somewhat smaller version that also features a more retro vibe, you might consider doing something similar by chaining together vintage LED “bubble” displays.

Programming Arduinos With Voice Commands

December 20, 2019 by 5 Comments

Programming is a valuable skill, though one that can be daunting to learn. Throw hardware in the mix, and things ratchet up another level again. However, there are many projects that have sought to reduce the level of difficulty for newcomers. HeyTeddy is a new project that allows users to program an Arduino with voice commands, and the help of on-screen tutorials.

It’s a system that initially sounds cumbersome, but through smart design, is actually quite streamlined. Users can talk to the system, which uses an Amazon Alexa device for natural language voice recognition. This enables HeyTeddy to respond to questions like “how do I use a flex sensor?” as well as direct commands, such as “Set pin 10 to 250”.

The demo video does a great job of demonstrating the system. While the system is not suited to professional development tasks, its has value as an educational tool for beginners. The system is able to guide users through both hardware setup on a breadboard, as well as guide them through tests when things don’t work. Once their experience level builds, code can be exported to the Arduino IDE for direct editing.

It’s a great tool that has plenty of promise to bring many more users into the hardware hacking fold. It’s out of the workshop of [MAKInteract], whose work we’ve seen before. Video after the break.

Continue reading “Programming Arduinos With Voice Commands”