Read QR Codes Without A Computer

Did you ever watch Star Wars and wonder how people understood what R2D2 was saying? Maybe [Luke Skywalker] would enjoy learning to decode QR Codes by hand, too. While it might not be very practical, it would be a good party trick, assuming, like us, you party with nerds.

You can start by scanning a code, or the site will create one according to your specifications or generate one randomly. It then takes the selected code and shows you how it is put together. Fun fact: 21×21 “modules” (QR-speak for pixels) is the size of a version 1 QR code. Each version increases the size by four modules.


X-Ray Investigations Hack Chat

Join us on Wednesday, January 24 at noon Pacific for the X-Ray Investigation Hack Chat with Ahron Wayne!

It’s hard to imagine a world where we didn’t figure out how to use X-rays to peer inside things. Before Röntgen’s discovery that X-rays could penetrate living tissue, doctors had only limited (and often unpleasant) ways to get a look at what was going on inside the human body, and few of us would want to return to those days.

As fantastically useful as X-rays and later computed tomography (CT) became in medicine, it didn’t take too long for other uses for the technology to come along. Non-clinical applications for X-ray and CT abound, including their use in non-invasively exploring relics of immense archaeological value. One recent effort in this space that gained a lot of coverage in the press was the combination of CT imaging and machine learning to read the ink inside carbonized papyrus scrolls from the ruins of Pompeii.

The result was the “Vesuvius Challenge,” where different teams looked for techniques to virtually unwrap the roasted relics. Ahron’s contribution to the project was a little unusual: he bought a used desktop CT scanner, fixed it up, and started experimenting with reading ink from the carbonized remains of simulated papyrus scrolls. In other words, he made some scrolls, cooked them to beyond well-done in the oven, and tried to understand what happens to ink on papyrus that gets blasted by a volcano. If that’s not enough to get you to stop by the Hack Chat when Ahron joins us, we’re not sure what else would be! Suffice it to say we’re pretty excited about what Ahron has to say about DIY CT, X-rays, collaborative open-source citizen science, and unwrapping the mysteries of Pompeii.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, January 24 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Featured image: Daderot, CC0, via Wikimedia Commons

This Week In Security: AI Is Terrible, Ransomware Wrenches, And Airdrop

So first off, go take a look at this curl bug report. It’s an 8.6 severity security problem, a buffer overflow in WebSockets. Potentially a really bad one. But it’s bogus. Yes, a strcpy call can be dangerous if there aren’t proper length checks. This code has pretty robust length checks. There just doesn’t seem to be a vulnerability here.

OK, so let’s jump to the punch line. This is a bug report that was generated with one of the Large Language Models (LLMs) like Google Bard or ChatGPT. And it shouldn’t be a surprise. There are some big bug bounties being paid out, so naturally people are trying to leverage AI to score those bounties. But as [Daniel Stenberg] points out, LLMs are not actually AI, and the I in LLM stands for intelligence.

There have always been vulnerability reports of dubious quality, sent by people who either don’t understand how vulnerability research works, or are willing to waste maintainer time by sending in raw vulnerability scanner output without putting in any real effort. What LLMs add is an illusion of competence that takes a maintainer longer to wade through before realizing that the claim is bogus. [Daniel] is more charitable than I might be, suggesting that LLMs may help with communicating real issues across language barriers. But still, this suggests that the long-term solution may be “simply” detecting LLM-generated reports and marking them as spam.
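The distinction the report missed is the one between a bare strcpy and a strcpy that sits behind a length check. The following is an added illustration, not curl’s code: the buffer size, the struct and the “sub-protocol” framing are assumptions made for this demo. It puts the flagged pattern beside the guarded one and includes the kind of triage check a maintainer would run before believing the report, namely a canary placed right after the buffer that must survive an oversized input.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed buffer that receives an attacker-controlled
 * string, e.g. a negotiated WebSocket sub-protocol name. The size is an
 * assumption for this demo, not a value taken from curl. */
#define SUBPROTO_MAX 31

struct ws_ctx {
    char subproto[SUBPROTO_MAX + 1];   /* SUBPROTO_MAX chars plus NUL */
};

/* The pattern a scanner or a language model flags on sight: strcpy with no
 * check. This one really does overflow when strlen(src) > SUBPROTO_MAX, so
 * the demo only ever feeds it input that fits. */
static void copy_unguarded(struct ws_ctx *ctx, const char *src)
{
    strcpy(ctx->subproto, src);
}

/* The same strcpy, preceded by the length check a bogus report overlooks.
 * Returns false and leaves the buffer untouched when src would not fit. */
bool copy_guarded(struct ws_ctx *ctx, const char *src)
{
    size_t len = strlen(src);
    if (len > SUBPROTO_MAX)
        return false;
    strcpy(ctx->subproto, src);   /* len + 1 <= sizeof ctx->subproto */
    return true;
}

/* Did the guarded path accept src at all? */
bool guarded_accepts(const char *src)
{
    struct ws_ctx ctx;
    return copy_guarded(&ctx, src);
}

/* Triage helper: put a canary immediately after the buffer, run the guarded
 * copy, and report whether every canary byte survived. A real overflow past
 * the buffer would clobber it. */
bool guarded_keeps_neighbours(const char *src)
{
    struct {
        struct ws_ctx ctx;
        unsigned char canary[8];
    } probe;
    memset(probe.canary, 0xA5, sizeof probe.canary);
    (void)copy_guarded(&probe.ctx, src);
    for (size_t i = 0; i < sizeof probe.canary; i++)
        if (probe.canary[i] != 0xA5)
            return false;
    return true;
}

/* A constructed 200-character input, far longer than the buffer. */
const char *oversized_input(void)
{
    static char big[201];
    memset(big, 'A', 200);
    big[200] = '\0';
    return big;
}

int main(void)
{
    struct ws_ctx ctx;

    copy_unguarded(&ctx, "chat");   /* fits, so no overflow on this call */
    printf("unguarded stored: %s\n", ctx.subproto);

    printf("guarded 'chat': accepted=%d canary_ok=%d\n",
           guarded_accepts("chat"), guarded_keeps_neighbours("chat"));
    printf("guarded 200xA: accepted=%d canary_ok=%d\n",
           guarded_accepts(oversized_input()),
           guarded_keeps_neighbours(oversized_input()));
    return 0;
}
```

The point of the canary probe is that a claim of “strcpy, therefore overflow” is testable in a few lines: feed the guarded path an input longer than the buffer, confirm it is rejected, and confirm nothing past the buffer changed. A report that cannot survive that check is not a finding.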

37C3: The Tech Behind Life With Quadraplegia

While out swimming in the ocean on vacation, a big wave caught [QuadWorker], pushed him head first into the sand, and left him paralyzed from the neck down. This talk isn’t about injury or recovery, though. It’s about the day-to-day tech that makes him able to continue living, working, and travelling, although in new ways. And it’s a fantastic first-hand insight into how assistive technology works for him.

If you can only move your head, how do you control a computer? Surprisingly well! A white dot on [QuadWorker]’s forehead is tracked by a commodity webcam and some software, while two button bumpers to the left and right of his head let him click with a second gesture. For cell phones, a time-dependent scanner app allows him to zero in successively on the X and Y coordinates of where he’d like to press. And naturally voice recognition software is a lifesaver. In the talk, he live-demos sending a coworker a text message, and it’s almost as fast as I could go. Shared whiteboards allow him to work from home most of the time, and a power wheelchair and adapted car let him get into the office as well.

The lack of day-to-day independence is the hardest part for him, and he says that the things he misses most are being able to go to the bathroom and to scratch himself when he gets itchy, and these are as yet unsolved problems. But other custom home hardware also plays an important part in [QuadWorker]’s setup. For instance, all manner of home automation allows him to control the lights, the heat, and the music in his home. Voice-activated light switches are fantastic when you can’t use your arms.

This is a must-watch talk if you’re interested in assistive tech, because it comes direct from the horse’s mouth – a person who has tried a lot, and knows not only what works and what doesn’t, but also what’s valuable. It’s no surprise that the people whose lives most benefit from assistive tech would also be most interested in it, and have their hacker spirit awakened. We’re reminded a bit of the Eyedrivomatic, which won the 2015 Hackaday Prize and was one of the most outstanding projects both from and for the quadriplegic community.


Hackaday Podcast Episode 248: Cthulhu Clock Radio Transharmonium, Thunderscan, And How To Fill Up In Space

This week, Elliot sat down with Dan for the penultimate podcast of 2023, and what a week it was. We started with news about Voyager; at T+46 years from launch, any news tends to be bad, and the latest glitch has everyone worried. We also took a look at how close the OSIRIS-REx mission came to ending in disaster, all for want of consistent labels.

Elliot was charmed by a Cthulhu-like musical instrument, while Dan took a shine to a spark gap transmitter that’s probably on the FCC’s naughty list. Any sufficiently advanced technology is indistinguishable from magic, and we looked at the laser made possible by the magician-in-chief himself, C.V. Raman. Why would you stuff a PSU full of iron filings? Probably for the same reason you’d print fake markings on a 6502 chip. We also took a look at the chemistry and history of superglue, a paper tape reader that could lop off your arm, and rocket gas stations in space.

Grab a copy for yourself if you want to listen offline.


This Week In Security: Owncloud, NXP, 0-Days, And Fingerprints

We’re back! And while the column took a week off for Thanksgiving, the security world didn’t. The most pressing news is an issue in Owncloud that is already under active exploitation.

The problem is a library that can be convinced to call phpinfo() and include the results in the page response. That function reveals a lot of information about the system Owncloud is running on, including environment variables. In something like a Docker deployment, those environment variables may contain system secrets such as the admin username and password, among others.

Now, there is a bit of a wrinkle here. There is a public exploit, and according to research done by Greynoise Labs, that exploit does not actually work against default installs. This seems to describe the active exploitation attempts, but the researcher who originally found the issue has stated that there is a non-public exploit that does work on default installs. Stay tuned for this other shoe to drop, and update your Owncloud installs if you have them.

Easily Bypass Laptop Fingerprint Sensors And Windows Hello

The fun part of security audits is that everybody knows they’re a good thing, and also that they’re rarely performed before another range of products is shoved onto the market. This would definitely seem to be the case with the fingerprint sensors found on a range of laptops advertised as compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently blow gaping holes in the security of the three laptops they examined.

In the article by [Jesse D’Aguanno] and [Timo Teräs], the basic system and the steps they took to defeat it are described. The primary components are the fingerprint sensor and Microsoft’s Secure Device Connection Protocol (SDCP), with the latter tasked with securing the (USB) connection between the sensor and the host. In theory the sensitive fingerprint data stays on the sensor, with all matching performed there (Match on Chip, MoC) as required by the Windows Hello standard, and SDCP keeps prying eyes at bay.

Interestingly, the three laptops examined (Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X) all featured different sensor brands (Goodix, Synaptics and ELAN), with different security implementations. The first used MoC with SDCP, but security was much weaker under Linux, which allowed a fake user to be enrolled. The Synaptics implementation used a TLS connection whose key was derived from part of the information on the laptop’s model sticker, and the ELAN version didn’t even bother with security, but responded merrily to basic USB queries.

To say that this is a humiliating result for these companies is an understatement, and it demonstrates that nobody in their right mind should rely on fingerprint or similar scanners like these to gate access to personal or business information.