This Week In Security: Terrapin, Seized Unseized, And Autospill

There’s a new SSH vulnerability, Terrapin (pdf paper), and it’s got the potential to be nasty — but only in an extremely limited circumstance. To understand the problem, we have to understand what SSH is designed to do. It replaces telnet as a tool to get a command line shell on a remote computer. Telnet sends all that text in the clear, but SSH wraps it all inside a public-key encrypted tunnel. It was designed to safely negotiate an unfriendly network, which is why SSH clients are so explicit about accepting new keys, and alerting when a key has changed.

SSH uses a sequence counter to detect Man-in-the-Middle (MitM) shenanigans like packet deletion, replay, or reordering. That sequence number isn’t actually included in the packet, but is used as part of the Message Authentication Code (MAC) of several encryption modes. This means that if a packet is removed from the encrypted tunnel, the MAC fails on the rest of the packets, triggering a complete connection reset. This sequence actually starts at zero, with the first unencrypted packet sent after the version banners are exchanged. In theory, this means that an attacker fiddling with packets in the pre-encryption phase will invalidate the entire connection as well. There’s just one problem.

The innovation from the Terrapin researchers is that an attacker with MitM access to the connection can insert a number of benign messages in the pre-encryption phase, and then silently drop the same number of messages from the start of the encrypted phase. Just a little TCP sequence rewriting for any messages between, and neither the server nor client can detect the deception. It’s a really interesting trick — but what can we do with it?

For most SSH implementations, not much. The 9.6 release of OpenSSH addresses the bug, calling it cryptographically novel, but noting that the actual impact is limited to disabling some of the timing obfuscation features added in release 9.5.

Displays We Love Hacking: SPI And I2C

I’ve talked about HD44780 displays before – they’ve been a mainstay of microcontroller projects for literal decades. In the modern hobbyist world, there’s an elephant in the room – the sheer variety of I2C and SPI displays you can buy. They’re all so different: some are LCD and some are OLED, some have a touchscreen layer and some don’t, some come on breakouts and some are a bare panel. No matter which one you pick, there are things you deserve to know.

These displays are exceptionally microcontroller-friendly: they require hardly any GPIOs, or none extra if you already use I2C. They’re also unbelievably cheap, and so tiny that you can comfortably add one even if you’re hurting for space. Sure, they require more RAM and a more sophisticated software library than HD44780, but with modern microcontrollers, this is no problem at all. As a result, you will see them in almost every project under the sun.

What do you need for those? What are the requirements to operate one? What kind of tricks can you use with them? Let’s go through the main aspects.

FLOSS Weekly Episode 762: Spilling The Tea

Editor’s Note: We’re excited to announce that Hackaday is the new home of FLOSS Weekly, a long-running podcast about free, libre, and open-source software! The TWiT network hosted the podcast for an incredible seventeen years, but due to some changes on their end, they recently had to wind things down. They were gracious enough to let us pick up the torch, with Jonathan Bennett now taking over hosting duties.

Tune in every Wednesday for a new episode, featuring interviews with developers and project leaders, coverage of the free/libre software you use every day (maybe without even knowing it), and the latest Open Source news.


This week Jonathan Bennett and Simon Phipps talk with Neal Gompa of Fedora, CentOS, openSUSE and more. The conversation starts off with asking Neal how he went from working on a minor project 11 years ago, to being the lead of KDE on Fedora. How does a company properly sponsor Open Source development? Neal speaks from his experience at Red Hat and other places, to give some really interesting answers.

The crew move on to what happened at Red Hat with CentOS, and why just maybe it was a good thing. Is the age of a company a good indicator of how they will treat Open Source? Is CentOS Stream the best thing to happen to Red Hat Enterprise Linux? What was it like to be at Red Hat during that time? How does a company manage the tension between sales and engineering? We cover this and more!

Arduino Auto-Glockenspiel Looks Proper In Copper

What is it about solenoids that makes people want to make music with them? Whatever it is, we hope that solenoids never stop inspiring people to make instruments like [CamsLab]’s copper pipe auto-glockenspiel.

At first, [CamsLab] thought of striking glasses of water, but didn’t like the temporary vibe of a setup like that. They also considered striking piano keys, but thought better of it when considering the extra clicking sound that the solenoids would make, plus it seemed needlessly complicated to execute. So [CamsLab] settled on copper pipes.

That in itself was a challenge, as [CamsLab] had to figure out just the right lengths to cut each pipe in order to produce the desired pitch. Fortunately, they started with a modest 15-pipe glockenspiel as a proof of concept. However, the most challenging aspect of this project was figuring out how to mount the pipes so that they are close enough to the solenoids but not too close, and won’t move over time. [CamsLab] settled on fishing line to suspend them with a 3D-printed frame mounted on extruded aluminium. The end result looks and sounds great, as you can hear in the video after the break.

Of course, there’s more than one way to auto-glockenspiel. You could always use servos.

Could North Korea’s New Satellite Have Spied On Guam So Easily?

Earlier this week, another nation joined the still relatively exclusive club of those which possess a satellite launch capability. North Korea launched their Malligyong-1 spy satellite, and though it has naturally inflamed the complex web of political and military tensions surrounding the Korean peninsula, it still represents something of a technical achievement for the isolated Communist state. The official North Korean news coverage gleefully reported, with much Cold War style rhetoric, that Kim Jong-Un had visited the launch control centre the next day and viewed intelligence photographs of an American base in Guam. Could the satellite have delivered in such a short time? [SatTrackCam Leiden] has an interesting analysis.

The Ghost Detector 9000 Is A Fun Spirit-Chasing Game

Halloween may have come and gone for another year, but we’re still finding neat spooky projects lurking out on the Interwebs. Case in point, the Ghost Detector 9000 from [Jules].

Effectively, what you’re looking at here is a fun interactive ghost-detecting game. It consists of a Raspberry Pi Zero hooked up with an IMU sensor that can detect the rig’s movement and orientation. As the user moves the Ghost Detector 9000 around, it outputs lights and sound when it’s aimed at a so-called “ghost-signal”. The user then pulls the trigger to “capture” the ghost. The whole rig is built inside a flashlight, which presented a useful form factor for modification.

For those eager to dive into the nitty-gritty, [Jules] has shared the project files on GitHub. There’s some nifty stuff going on, like Rust code that interfaces with I2C devices hooked up to the Pi, and a sensor-fusion algorithm to make the most out of the data from the 9-axis IMU.

It’s a fun build that probably taught [Jules] a great deal along the way, even if it’s a game at heart. If you prefer to shoot zombies instead of capture ghosts, we’ve seen a build that lets you go hunting with a laser crossbow, too.

Watch Time Roll By On This Strange, Spiral Clock

[Build Some Stuff] created an unusual spiral clock that’s almost entirely made from laser-cut wood, even the curved and bendy parts.

The living hinge is one thing, but getting the spacing, gearing, and numbers right also takes work.

The clock works by using a stepper motor and gear to rotate the clock’s face, which consists of a large dial with a spiral structure. Upon this spiral ramp rolls a ball, whose position relative to the printed numbers indicates the time. Each number is an hour, so if the ball is halfway between six and seven, it’s 6:30. At the center of the spiral is a hole, which drops the ball back down to the twelve at the beginning of the spiral so the cycle can repeat.

The video (embedded below) demonstrates the design elements and construction of the clock in greater detail, and of particular interest is how the curved wall of the spiral structure consists of a big living hinge, a way to allow mostly rigid materials to flex far beyond what they are used to. Laser cutting is well-suited to creating living hinges, but it’s a technique applicable to 3D printing, as well.

Thanks to [Kelton] for the tip!