This Week In Security: Git Deep Dive, Mailchimp, And SPF

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a non-profit working to improve the security of Open Source projects. The audit itself was done by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same bad coding habit — using an int to hold buffer lengths.

On modern systems, a size_t is always unsigned and as wide as the architecture's pointer width. This is the proper data type for string and buffer lengths, as it is guaranteed not to overflow when handling lengths up to the maximum addressable memory on the system. On the other hand, an int is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647 — about 2 GB. A big buffer, but not an unheard-of amount of data. Throw something that large at git, and it will break in unexpected ways.

Our first example is CVE-2022-23521, an out-of-bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository will cause the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git will vastly under-allocate the attributes buffer, then write all that data past the end of the allocated buffer.
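To make the int-versus-size_t point concrete, here is an added example (not git's code and not its actual patch) of the defensive pattern: count attributes on a .gitattributes-style line in a size_t, refuse lines past a hypothetical cap (MAX_ATTRS_PER_LINE is an assumed value for this example), compute the allocation size with a checked multiply, and flag counts that would have wrapped in a 32-bit int.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_ATTRS_PER_LINE 1024  /* hypothetical cap chosen for this example */

struct attr_array { size_t num_attrs; size_t bytes_needed; };

/* Checked multiply: false if num * elem would exceed SIZE_MAX. */
static bool checked_mul(size_t num, size_t elem, size_t *out) {
    if (elem != 0 && num > SIZE_MAX / elem)
        return false;
    *out = num * elem;
    return true;
}

/* Reports whether a count that fits a size_t would have wrapped had it
 * been stored in a 32-bit int, the defect class the audit found. */
bool would_wrap_int(size_t count) {
    return count > (size_t)INT_MAX;
}

/* Count whitespace-separated attributes after the pattern on one
 * .gitattributes-style line ("*.c text diff=cpp" -> 2), refusing lines
 * that exceed the cap instead of letting the count grow unbounded, and
 * sizing the buffer with overflow-checked arithmetic. */
bool count_attrs(const char *line, size_t elem_size, struct attr_array *out) {
    size_t n = 0;
    bool in_token = false, first = true; /* first token is the pattern */
    for (const char *p = line; *p; p++) {
        bool ws = (*p == ' ' || *p == '\t' || *p == '\n');
        if (!ws && !in_token) {
            in_token = true;
            if (first)
                first = false;
            else if (++n > MAX_ATTRS_PER_LINE)
                return false;
        } else if (ws) {
            in_token = false;
        }
    }
    out->num_attrs = n;
    return checked_mul(n, elem_size, &out->bytes_needed);
}
```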

CVE-2022-41903 is another signed integer overflow, this time when a pretty print format gets abused to do something unexpected. Take a look at this block of code:


Building A NAS That Really Looks Like A NAS

Building your own network attached storage (NAS) for personal use isn’t all that difficult. A single board computer, a hard disk and a power supply in an enclosure is all the hardware you need. Then, choose from one of several open source NAS software solutions and you’re up and running. [tobychui] decided to kick things up a notch by designing a NAS that really looks like a NAS. It’s tailored to his specific requirements and looks like a professional product to boot. The design features dual 3.5 inch HDD bays, a small footprint and low cost, is compatible with a variety of single board computers, and can handle high data transfer speeds by using RAM and an SD card for buffering.

Not only has he done a great job with the hardware design, but he’s also developed a companion software for the NAS. “ArozOS” is a web desktop operating system that provides full-fledged desktop experience within a browser. ArozOS has a great user interface and features a lot of networking, file, disk management and security functions. He has also developed a launcher application to enable over-the-air (OTA) software updates.

Assembling the device will need some planning and preparation, even though most of the hardware is off the shelf. You will need a SATA to USB 2.0 adapter, an SBC (Orange Pi Zero, Raspberry Pi 4, Orange Pi Zero 2, etc.), and three buck converters — one each to provide 12 V to the two hard disks and a third to provide 5 V to the SBC. You’ll also need a 12 V / 6 A or 24 V / 3 A external power brick, or a USB-C 65 W GaN charger with a triggering module to set the desired voltage and current.

There is also one custom power distribution board which is essentially a carrier board to mount the buck converters and connectors for power and USB data. For the 3D prints, [tobychui] recommends printing at the highest resolution for a nice finish.

The off the shelf SATA to USB adapter will need to be taken apart before it can be fixed to the 3D printed SATA adapter plate, and might pose the biggest challenge during construction, but the rest of the assembly is fairly straightforward. Once assembly is complete, [tobychui] walks you through installation of the ArozOS software, mounting the drives and making them accessible over the network.

Have you got your data backup act in order? If not, it’s still not too late to make it a New Year’s resolution. And if you need help figuring things out, check out New Year Habits – What Do You Do For Data Storage?


Automated Drip Watering Device Keeps Plants Happy

Plants tend to need a regular supply of water to stay happy. If you’re a green thumb, it’s one of the primary things you should take care of before you go on holiday. This DIY plant watering system from [Jaychouu] offers to handle just that.

The system consists of a soda bottle acting as a water container, and an electronically-controlled valve to control the flow of water to plants. Irrigation of the plants is via dripper nozzles to provide a small but consistent feed to the plants. The use of drippers tends to disturb the soil less than pressurized jets of water. A soil humidity sensor is used to detect moisture levels and avoid over-watering. There’s also a capacitive water level sensor that fires off a warning when the reservoir’s water level is low. An ESP32 serves as the brains of the operation, allowing remote control via Blynk.

If you’re looking for a simple way to drip water your plants while you’re away, it’s hard to go wrong with this concept. If you feel like a more passive solution though, we’ve seen other viable methods too.


That Old ThinkPad Needs An Open Source 2.5″ IDE SSD

So you fancy yourself a FOSS devotee, do you? Running GNU/Linux on your old ThinkPad, avoiding devices that need binary blobs? Got LibreBoot installed too? Not bad, not bad. But what about the hard drive? Can you be sure you aren’t leaking some freedoms out of that spinning rust?

Well, worry no more. Thanks to the work of [dosdude1], we now have an open source solid state drive that’s designed to work with any device which originally used a 2.5 inch IDE hard drive. Releasing it under the GPL v3 rather than an open hardware license might seem an odd choice at first, but it turns out that’s actually what the GNU project currently recommends for circuit designs.

Fair warning: all the chips on the board are BGA.

Which is precisely what we’re talking about here — just a circuit design done up in KiCad. There’s no firmware required, and the PCB features very little beyond the four BGA152/BGA132 NAND flash chips and the SM2236 controller IC. You’ve just got to get the board fabricated, obtain (or salvage) the chips, and suddenly your retro laptop is sporting the latest in mass storage technology.

So how does it work? The SM2236 is actually a CompactFlash (CF) controller, and since IDE and CF interfaces are so similar, the PCB doesn’t have to do much to adapt from one to the other. Sprinkle in a few NANDs, and you’ve got yourself a native SSD suitable for old school machines. [dosdude1] says the board can slot four 64 GB chips, which should be more than enough given the age of the systems this gadget will likely be installed in. There are a few catches though: the NAND chips need to be supported by the SM2236, and they all have to match.

If you need something even smaller, [dosdude1] produced a 1.8 inch SSD using the same techniques back in October of last year.


What Else Is An M.2 WiFi Slot Good For?

Many mainboards and laptops these days come with a range of M.2 slots, with only a subset capable of NVMe SSDs, and often a stubby one keyed for ‘WiFi’ cards. Or that’s what those are generally intended to be used for, but as [Peter Brockie] found out when browsing sites like AliExpress, you can get a lot of alternate expansion cards for those slots that have nothing to do with WiFi.

This should be no surprise to anyone who knows the M.2 interface, because each ‘key’ type specifies one or more electrical interfaces that are available on that particular M.2 slot. For slots intended to be used with NVMe SSDs, you see M-keying, which makes 4 lanes of PCIe available. The so-called ‘WiFi slots’ on many mainboards are usually keyed A/E, which means two lanes of PCIe, USB 2.0, I2C and a few other, rather low-level interfaces. What this means is that you can hook up any PCIe or USB (2.0) peripheral to these slots, as long as the bandwidth is sufficient.

What [Peter] found includes adapter cards that add Ethernet (1 Gb, 2.5 Gb), USB 2.0 ports, SIM card (wireless adapter?), an SFP fiber-based networking adapter, multiple M.2 to 2+ SATA port adapters, tensor accelerator chips (NPUs) and even a full-blown M.2 to x16 PCIe slot adapter. The nice thing about this is that if you do not care about using WiFi with a system, but you do have one of those ports lounging about uselessly, you could put it to work for Ethernet, SFP, SATA or other purposes, or just for hooking up internal USB devices.

Clearly this isn’t a market that has gone unexploited for very long, with a bright outlook for one’s self-designed M.2 cards. Who doesn’t want an FPGA device snuggled in a PCIe x2 slot to tinker with?


Q Meter Measures… Q, Of Course

If you’ve ever dealt with RF circuits, you probably have run into Q — a dimensionless number that indicates the ratio of reactance to resistance. If you ever wanted to measure Q, you could do worse than pick up a vintage Boonton 160A Q meter. [Mikrowave1] did just that and shows us how it works in the video below.

Most often, the Q of interest is that of an inductor. A perfect inductor would have zero resistance and be all reactance. If you could find one of those, it would have an infinite Q, because you divide the reactance by the resistance. Of course, those inductors don’t exist. You can also apply Q to any circuit with reactance, and the video talks about how to interpret Q for tuned circuits. You can also think of the Q number as the ratio of frequency to bandwidth, or as the damping in an oscillator. A versatile measurement, indeed.

It sounds as though you could just measure the resistance of a coil and use that to compute Q. But you really need to know the total loss, and that’s not all due to resistance. A meter like the 160A uses a signal generator and measures the loss through the circuit.

The best part of the video is the teardown, though. This old tube gear is oddly beautiful in a strange sort of way. A real contrast to the miniaturized circuits of today. The Q meter is one of those nearly forgotten pieces of gear, like a grid dip oscillator. If you need to wind your own coils, by the way, you could do worse than see how [JohnAudioTech] does it.


High-Speed Sled Adds Bicycle Suspension

While you might have bought the best pair of skis in the 90s or 00s, as parts on boots and bindings start to fail and safety standards for ski equipment improve, even the highest-quality skis more than 15 or 20 years old will eventually become unsafe or otherwise obsolete. There are plenty of things that can be done with a pair of old skis, but if you already have a shot ski and an Adirondack chair made of old skis, you can put another pair to use building one of the fastest sleds we’ve ever seen.

[Josh Charles], the creator of this project, took inspiration from his father, who screwed an old pair of skis to the bottom of a traditional runner sled when he was a kid. This dramatically increased the speed of the sled, but eliminated its ability to steer. For this build [Josh] built a completely custom frame rather than reuse an existing sled, which allowed him not only to build a more effective steering mechanism for the skis, but also to use bicycle suspension components to give this sled better control at high speeds.

This build is part of a series that [Josh] did a few years ago, and you can find additional videos about it documenting his design process and his initial prototypes and testing. The amount of work he put into this build is evident when it’s seen finally traversing some roads that had been closed for winter; he easily gets the sled up in the 30 mph range several times. If you’re looking to go uphill in the snow, though, take a look at this powered snowboard instead.
