This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9

It looks like there’s finally hope for sane password policies. The US National Institute of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guideline.

There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST-approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like the name of your first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters be acceptable in passwords.

This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.
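To make the difference concrete, here is an added example (written for this summary, not NIST reference code) that puts a legacy composition-rule validator beside one following the draft rules quoted above: length only, no character-class requirements, spaces and Unicode accepted. The optional blocklist check and the NFKC normalisation step are assumptions carried over from the current SP 800-63B guidance on screening against compromised passwords and normalising before hashing; the summary above does not mention either.

```python
"""Legacy composition-rule password policy next to a NIST SP 800-63-4 style one.

Added illustration for this summary; not NIST's own code.
"""

import unicodedata

NIST_MIN_LENGTH = 8           # SHALL be at least 8 characters
NIST_RECOMMENDED_LENGTH = 15  # SHOULD be at least 15 characters


def legacy_policy(password: str) -> list[str]:
    """The style of rule set that NIST now says verifiers SHALL NOT impose.

    Returns a list of rule violations; an empty list means the password passes.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems


def nist_policy(password: str, blocklist: frozenset[str] = frozenset()) -> list[str]:
    """Length plus an optional blocklist; every ASCII or Unicode character is fine.

    The blocklist (lower-cased entries) is an assumption taken from the current
    SP 800-63B, which screens candidates against commonly used or compromised
    passwords. Returns a list of violations; empty means the password passes.
    """
    # Assumption from SP 800-63B: normalise (NFKC) before measuring or hashing so
    # the same visible string typed on different systems is treated identically.
    normalised = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalised) < NIST_MIN_LENGTH:
        problems.append(f"shorter than {NIST_MIN_LENGTH} characters")
    if normalised.lower() in blocklist:
        problems.append("matches a known-compromised or common password")
    return problems


def meets_recommended_length(password: str) -> bool:
    """True when the password reaches the weaker 15-character recommendation."""
    return len(unicodedata.normalize("NFKC", password)) >= NIST_RECOMMENDED_LENGTH


if __name__ == "__main__":
    # Constructed sample passwords: a long passphrase with spaces, a Unicode
    # password, and a short "complex" one that the legacy rules love.
    for candidate in ["correct horse battery staple", "пароль 12345", "Tr0ub4!"]:
        print(f"{candidate!r:32} legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate)} "
              f"recommended_length={meets_recommended_length(candidate)}")
```

The passphrase with spaces fails the legacy rules (no uppercase, no digit) yet is the strongest of the three by length, which is exactly the inversion the composition-rule ban is meant to stop; the Unicode password passes the NIST check untouched, and the seven-character "complex" one fails both for length alone.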

Tank Hacking

Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gases in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alphanumeric characters.

Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws, a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS 9+ flaw is a SQL injection, with a trio of slightly less serious flaws.

British Commuters Get Their WiFi Hacked

As if there weren’t enough worrying global news stories already, today the British press and media have been full of a story involving the public WiFi networks at some major railway stations. Instead of being faced with the usual don’t-be-naughty terms and conditions page, commuters were instead faced with a page that definitely shouldn’t have been there.

Hackaday readers will immediately have guessed what is likely to have happened. This is probably more of a compromise of the page than of the network itself, and, indeed, the BBC are reporting that it may have come via an administrator account at Network Rail’s er… network provider. Fortunately, it seems the intent was to spread a political message rather than malware, so perhaps those travelers got off lightly. The various companies involved have all got the proverbial egg on their faces, and we’re glad we don’t work in the IT department concerned.

Blinking An LED Passively

It is a pretty common first project to use an Arduino (or similar) to blink an LED. Which, of course, brings taunts of: you could have used a 555! You can, of course, also use any sort of oscillator, but [Mustafa] has a different approach. Blinking an LED with three resistors and a capacitor. Ok, ok… one of the resistors is a light-dependent resistor, but still.

In reality, this is a classic relaxation oscillator. The capacitor charges until the LED lights. This, however, causes the capacitor to discharge, which eventually turns off the LED, and the process starts again.

There is one wrinkle that could be considered a feature. In daylight, the capacitor will stay in the off state, so the blinking only occurs in darkness. Of course, the resistor also has to have a sufficient view of the LED. You might use this as a safety light that only works in the dark.

A simple circuit, but it just goes to show that we tend to forget the simple solutions in a world where a computer costs less than a dollar.

Of course, you can get a chip whose sole purpose is to blink LEDs. We always like examples of doing more with less.

Stretch Goal: 300X Arduino

The Faboratory at Yale University has set a number of stretch goals. We don’t mean that in the usual sense. They’ve been making, as you can see in the video below, clones of commercial devices that can stretch over 300%. They’ve done Arduinos and similar controllers along with sensors. The idea is to put computer circuits in flexible robots and other places where flexibility is key, like wearable electronics.

If you are interested in details, you’ll want to read the paper in Science Robotics. They take the existing PCB layout and use a laser to cut patterns in a paper mask over the stretchable substrate. They then apply oxidized gallium-indium to build conductors.

Want To Help Capture Some Digital Ephemera? Break Out Your VHS Player

Do you live in the UK, have a VCR and capture card, and an interest in Teletext? [James O’Malley] needs your help! Teletext was, for many people around the world, their first experience of an electronic information system. The simple text and block graphics were transmitted on rotation as data bursts in the frame blanking periods of analogue TV broadcasts, and in an era of printed newspapers, they became compulsory reading. The UK turned off its old-style teletext over a decade ago with the switch to digital, but fragments of the broadcasts remain and can be painstakingly revived from period video recordings with the appropriate software.

This is where [James’] problem begins. Having recovered a very large archive of 1980s and 1990s VHS tapes, he’s come to the realisation that he’s bitten off more than he can chew, and that the archive needs to be in the hands of an individual, entity, or organisation which can give it the resources necessary to archive both the teletext and the programming that it contains. Can you help? Give the article linked above a read.

Meanwhile, you can wallow in a bit of nostalgia by browsing the archive of recovered pages, and while you’re at it, take a minute to envy the French.

A Universal RF Amplifier

If you need an amplifier, [Hans Rosenberg] has some advice. Don’t design your own; grab cheap and tiny RF amplifier modules and put them on a PCB that fits your needs. These are the grandchildren of the old mini circuits modules that were popular among hams and RF experimenters decades ago. However, these are cheap, simple, and tiny.

You only need a handful of components to make them work, and [Hans] shows you how to make the selection and what you need to think about when laying out the PC board. Check out the video below for a very detailed deep dive.

Reverse Time Back To The Days Of RPN

While Texas Instruments maintains dominance in the calculator market (especially graphing calculators), there was a time when this wasn’t the case. HP famously built the first portable scientific calculator, the HP-35, although its reverse-Polish notation (RPN) might be a bit of a head-scratcher to those of us who came up in the TI world of the last three or four decades. Part of the reason TI is so dominant now is because they were the first to popularize infix notation, making the math on the calculator look much more like the math written on the page, especially when compared to the RPN used by HP calculators. But if you want to step into a time machine and see what that world was like without having to find a working HP-35, take a look at [Jeroen]’s DIY RPN calculator.

Since the calculator is going to be RPN-based, it needs to have a classic feel. For that, mechanical keyboard keys are used for the calculator buttons with a custom case to hold it all together. It uses two rows of seven-segment displays to show the current operation and the results. Programming the Arduino Nano to work as an RPN calculator involved a few tricks, though. [Jeroen] wanted a backspace button, but this disrupts the way the Arduino handles the input and shows it on the display. It turns out there’s an Arduino library which solves some of these common problems with RPN builds like this.

One of the main reasons that RPN exists at all is that it is much easier for the processor in the calculator to understand the operations, even if it makes it a little bit harder for the human. This is because early calculators made much more overt use of a stack for performing operations in a similar way to Assembly language. Rather than learning Assembly, an RPN build like this can be a great introduction to this concept. If you want to get into the weeds of Assembly programming this is a great place to go to get started.