Ferris Bueller’s Day Off is a pop culture classic, and remains one of the standout teen films of the era. Notably, titular character Ferris was somewhat of a hacker himself, with the movie showcasing several contraptions the teenager used to get out of a day of school. Among them was the intercom, which [Aaron] faithfully recreated with modern technology.
For those who haven’t seen the film, the intercom was hooked up to a cassette player to feign a believable response to anyone that visited the house while Ferris was away. Rather than do things the old fashioned way, [Aaron] built his replica using an ESP32 fitted with a sound chip instead. When visitors ring the intercom, it plays back sound clips from the movie, while also signalling another ESP microcontroller inside [Aaron]’s house to let him know he has visitors.
The build is a charming tribute to the classic film, and all the more fun for [Aaron’s] efforts to make it look the part as well, choosing to build it inside a period-correct intercom housing. To avoid confusion for those who haven’t seen the film, however, he’s been careful to place a sign up to clarify the intercom is not as it seems.
There’s plenty of times we’ve seen a laptop fail, break, or just become too slow for purpose despite the fact that it’s still packing some useful components. With all the single-board computers and other experiments lurking about the average hacker workshop, it’s often useful to have a spare screen on hand, and an old laptop is a great way to get one. This recycled display build from [Gregory Sanders] is a great example of how to reuse old hardware.
The build doesn’t simply package a laptop monitor in the same way as a regular desktop unit. Instead, [Gregory] designed a custom 3D printed frame with an arch design. The laptop screen is installed onto the frame using its original hinges, and [Gregory] designed in standoffs for an laptop LCD driver board to run the display as well as a generic frame where single-board computers can be installed.
The result is a portable monitor that can be folded up for easy transport, which is also self-supporting with its nice large base. It can also be used with other hardware, as it has a full complement of DVI, HDMI and VGA inputs on board. Of course, while you’re tinkering with laptop displays, you might also consider building yourself a dual-screen laptop as well.
There was a time when building electronics and building software were two distinct activities. These days, almost any significant electronic project will use a CPU somewhere, or — at least — could. Using a circuit simulator can get you part of the way and software simulators abound. But cosimulation — simulating both analog circuits and a running processor — is often only found in high-end simulation products. But I noticed the other day the feature quietly snuck into our favorite Web-based simulator, Falstad.
The classic simulator is on the left and the virtual Arduino is on the right.
Back in March, the main project added work from [Mark McGarry] to support AVR8js written by [Uri Shaked]. The end result is you can have the circuit simulator on the left of the screen and a Web-based Arduino IDE on the right side. But how does it work beyond the simple demo? We wanted to find out.
The screen looks promising. The familiar simulator is to the left and the Arduino IDE — sort of — is to the right. There’s serial output under the source code, but it doesn’t scroll very well, so if you output a lot of serial data, it is hard to read.
Hackaday editors Elliot Williams and Mike Szczys marvel at the awesome hacks from the past week. We had way too much fun debating whether a wind-powered car can travel faster than the wind, and whether or not you can call that sailing. Low-temperature desoldering was demystified: it’s the bismuth! And we saw a camera gimbal solve the problem of hand tremor during soldering. Ford just wants to become your PowerWall. And the results are in from NASA’s mission to spin mice up in a centrifuge on the ISS.
Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Back in the early days of the musical synthesizer, some designers who wished for polyphony in their instruments would simply build multiple tone-generators for as many notes as they wished to play. [Kevin] took that same approach with his Arduino orchestra, and set about having it play the closing number from Star Wars: A New Hope.
The build consists of twelve Arduino Nanos, each wired up to power, a speaker, and the same MIDI cable. The MIDI cable carries note data for each Arduino on a separate MIDI channel, allowing each to play its own role in the orchestra. [Kevin] then set about arranging the Star Wars music into a MIDI file suitable for the Arduinos, roughly setting six voices to high parts and six voices low. The Arduinos play the notes received using the simple tone() function. The result is a very chiptune rendition of the end of the fourth episode of the world’s most famous space opera.
It’s a way to Man-In-the-Middle an HTTPS connection, without actually needing to break the encryption. There are two primary observations at the core of the attack. First, multiple subdomains will often share the same TLS certificate. Secondly, TLS is regularly used to protect more than just HTTPS. So what happens if an HTTPS request is redirected to an SFTP server run by the same company? The TLS handshake will complete successfully, but the data returned by the server is not at all what the browser expected.
The specific details are a little light on this one, but the authors identified three broad categories of attack. The first is an upload attack, where the attacker has privileges to upload files to an FTPS server. From what I can tell, an attacker initiates an FTP upload over SSL, using the control port, and then redirects the victim’s connection to the data port on that server. The entirety of the HTML request is then saved, decrypted, on the FTPS server. This request could contain session cookies and other secrets.
The second identified attack is the opposite, the attacker uploads a malicious file, initiates a download, and then redirects a browser’s request to the FTPS data port. The malicious file is grabbed and the browser may interpret it as code to be run. The third is a reflection technique. This one’s a bit different. Essentially the attacker sends a request for DoBadThings();, and then connects the victim browser to the data port. The response is sent, Cannot find file: DoBadThings();and the browser might just execute the script fragment. This isn’t one of those attacks that are going to be applicable to just every server, but in just the right setup, it could lead to problems.
VMWare Flaw Exploited
There is a serious VMWare flaw under active exploit right now. It’s apparently in the VMware vCenter control program, and exploiting it is as simple as six curl commands. The flaw is pre-authentication and only requires access to HTTPS port 443. At least one researcher has already seen his VMware honeypot attacked and observed the web-shell the attacker installed. This one looks like a big deal, so make sure you’re up-to-date if you run VMware.
That Time the FBI Ran a Darknet
AN0M was a popular encrypted communication tool for the underworld, really a network consisting of locked down mobile devices with a specialized app running on them. The reality was a bit different, though, the tool was actually being run as Operation Ironside, a join operation by the FBI and the Australian Federal Police (AFP). The story is a weird one, and really raises some legal and ethical questions, so buckle up.
First off, things got started back in 2018 when Phantom Secure CEO Vincent Ramos was prosecuted for RICO charges, related to his company’s work on secure phones. They specialized in taking Blackberry phones, yanking out all the IO hardware, like camera, microphone, and even GPS chips, and then installing encrypted communication apps. In short, very similar to AN0M. Phantom Secure was walking a very thin line between being a legitimate provider of secure hardware, and actively supporting criminal enterprise. When Ramos told an undercover FBI agent that his phones were specifically for drug smuggling, it became obvious that he had strayed far onto the wrong side of the law. He and many in the company were charged for related crimes.
One employee already had drug charges on his record, and agreed to cooperate with the FBI in exchange for avoiding further charges. That developer had already been developing his own device, which he called AN0M. The deal he cut with the feds was to turn over his work for immunity. A scheme was hatched, apparently over beers between agents, to complete the development of AN0M and distribute the devices, but to include a complete back door for law enforcement. This is actually very similar to what was done with Crypto AG, under Project Rubicon.
The turned developer distributed the devices to his contacts, and law enforcement agencies around the world got involved, quietly helping to make them popular. The devices served their purpose of providing messaging to all recipients. It just wasn’t known at the time that law enforcement agents were BCC’d on every message. It’s not clear what triggered the raids and announcements, but this was definitely a coordinated action.
There is a lingering question, however. Namely, do law enforcement really have the legal authority to develop and distribute a malicious device and application? Did a warrant actually cover this? Can it? There is sure to be much consternation over such questions in the months to come. Just imagine that WhatsApp is eventually revealed to be an app secretly developed by the Chinese government, then how would you feel about it?
Ransomware and Bitcoin Seizure
And in another major victory for the FBI, The majority of the funds paid by the Colonial pipeline have been recovered. It’s not entirely known how the recovery happened, but you can read the FBI Affidavit that describes the path the Bitcoins took. There’s a strange little statment at the end of that document. “The private key for the Subject Address is in the possession of the FBI in the Northern District of California.” One has to wonder a couple of things. First, how was the FBI able to track those bitcoins? And second, just how did they happen to end up in a wallet that they knew the key for? Could The AN0M story be related?
The private key for the Subject Address is in the possession of the FBI in the Northern District of California
Now here’s another angle to this. Colonial was given the choice, to pay in Bitcoin or Ethereum, and they chose Bitcoin, even though there was a 10% extra fee for that currency. They had their networks mostly back up, and they knew the decryptor wouldn’t be very helpful. They were working with law enforcement, and they still paid. This raises the very real possibility that the payment was made specifically to trace the Bitcoin transactions.
Next, remember how proud JBS was of their incident response? Now we find out that they did indeed pay an $11 million ransom. However, that was in cooperation with federal officials, and was not necessary to recover files. Oh, and paid in Bitcoin. Sound familiar? At this point, it’s a fair guess that the FBI or another agency helping them has an angle on tracing Bitcoin transactions. AN0M is one possibility. Another is that the FBI is running a “mixer”, essentially a Bitcoin money laundering service. (Shoutout to @MalwareJake for that idea.) Regardless, there seems to be a more serious stance taken towards ransomware as a result of the high profile hacks of the last few weeks.
Rocket.Chat Goes Boom
Running a Rocket.Chat instance? Go update it! This popular Open Source messaging platform uses a NoSQL backend for managing users. If you thought getting rid of SQL means you don’t have injection vulnerabilities, think again.
The MongoDB database backend passes requests and data in a JSON-like format. The first attack is to stuff a regex pattern into that JSON, and leak the password hash one character at a time. The second vulnerability uses the $where operator in MongoDB in a clever way. Rather than try to leak information directly, they used error messages to get information out. Put both together, and you can go from simply knowing a user’s email address to a shell on the hosting server in seconds. All in all, it’s an impressive hack, and the video demonstration of it is worth the watch:
Agent Smith Takes Over The Matrix
Include Security found an interesting bug in the Unity engine, where a malicious game object can run arbitrary code on the machine running the engine. It’s the sort of thing that game designers don’t think too much about until it’s a problem. I couldn’t help but think of VR Chat, a multiplayer experience that allows players to upload their own avatars. It’s built in Unity, and uses game objects for those avatars. I haven’t been able to confirm whether it has this vulnerability one way or another, but I’m very much reminded of Agent Smith copying himself onto all the other citizens of the matrix. If VR Chat does indeed have this problem, it would be rather trivial to build an avatar worm to do the same thing. Life imitates art.
Don’t Use a Password Manager?
And finally, one of the hallowed bits of cybersecurity wisdom gets challenged by [Tavis Ormandy] of Google project Zero fame. His take? Don’t use a password manager! Well, actually, it’s that you shouldn’t use a password manager that is a browser extension, because websites can actually interact with the hooks that make them work. There’s more to his argument, and his conclusion is simple. Use the password manager built into Google Chrome. Or Firefox, if that’s what you use. His argument is rather compelling, that many of them aren’t as secure as they claim to be.
Modern smart watches have some incredible features, but they still don’t stack up to what science fiction promised us, both in size and capabilities. Fortunately, [Zack Freedman] has set out to change that with the Singularitron, a modular wearable computer that is less Apple Watch and more Pip-Boy.
The most striking features of this monstrosity is its size and the out-of-production four-line VFD display. The inputs consist of a row of large RGB-illuminated buttons and a rotary encoder mounted at an angle to curve around the wearers arm. On the inside are a pair of PCBs with an integrated Teensy 3.2, BLE module, motion processing module, haptic driver and power circuitry drawing from a removable 18650 battery. The armband is from a commercial wrist mounted barcode scanner which attaches to the Singularitron with a quick-detach mount.
A major feature of the Singularitron is its modularity. Arrayed around its edges are four slots with spring-loaded contacts for add-on modules. Modules have access to the SPI and I2C busses, two GPIO pins, 3.3 V and 5 V lines. Each module also contains an EEPROM chip to store the module’s ID and any configured settings, allowing modules to be hot swapped and automatically recognised. [Zack] has created a number of modules, like a laser pointer, environmental sensor, OLED display and a Teensy 4.0 to blink an LED. When a module is plugged or inserted, a series of randomly generated status messages flash across the display, thanks to an awesome little library which we are absolutely copying for our own projects. Ironically, keeping the time is one of the Singularitron weak points, since [Zack] wasn’t able to fit a backup battery inside, so the time needs to be reset when the battery dies. Maybe a module with an RTC and backup battery is the perfect solution. Continue reading “A Massive Modular Smartwatch To Match Your Sci-Fi Fantasies”→
