Russian Hackers Domain Fronting

March 28, 2017 by 51 Comments

FireEye just put out a report on catching the Russian hacker group “Advanced Persistent Threat 29” (APT29, for lack of a better code name) using the meek plugin for TOR to hide their traffic. If you’re using meek with meek-reflect.appspot.com, you’ll find it’s been shut down. If all of this is gibberish to you, read on for a breakdown.

meek is a clever piece of software. Imagine that you wanted to communicate with the Tor anonymizing network, but that you didn’t want anyone to know that you were. Maybe you live in a country where a firewall prevents you from accessing the full Web, and blocks Tor entry nodes as part of their Great Firewall. You’d want to send traffic somewhere innocuous first, and then bounce it over to Tor, in order to communicate freely.

That’s what meek does, but it goes one step further. The reflector server is hosted using the same content-delivery network (CDN) as a popular service, say Google’s search engine. The CDN has an IP address, like every other computer on the Internet, but it delivers content for any of the various services it hosts. Traffic to the CDN, encrypted with TLS, looks the same whether it’s going to the meek reflector or to Google, so nobody on the outside can tell whether it is a search query or packets destined for Tor. Inside the CDN, it’s unencrypted and passed along to the reflector.

Anyway, meek was invented to help bring the uncensored Internet to people who live in oppressive regimes, and now cybersecurity researchers have observed it being used by Russian state hackers to hide their tracks. Sigh. Technology doesn’t know which side it’s on — the same backdoor that the FBI wants to plant in all our communications can be used by the mafia just as easily. Plugins that are meant to bring people freedom of speech can just as easily be used to hide the actions of nation-state hackers.

What a strange world we live in.

Source Parts On TaoBao: An Insider’s Guide

March 28, 2017 by 60 Comments

For hardware aficionados and Makers, trips to Shenzhen’s Huaqiangbei have become something of a pilgrimage. While Huaqiangbei is a tremendous and still active resource, increasingly both Chinese and foreign hardware developers do their sourcing for components on TaoBao. The selection is vastly greater and with delivery times rarely over 48 hours and frequently under 24 hours for local purchases it fits in nicely with the high-speed pace of Shenzhen’s hardware ecosystem.

For overseas buyers, while the cost of Taobao is comparable to, or slightly less than AliExpress and Chinese online stores, the selection is again, many, many times the size. Learning how to effectively source parts from Taobao will be both entertaining and empowering.

Continue reading “Source Parts On TaoBao: An Insider’s Guide”

Arch Your Eyebrow At Impression Products V. Lexmark International

March 28, 2017 by 63 Comments

When it comes to recycled printer consumables, the world seems to divide sharply into those who think they’re great, and those who have had their printer or their work ruined by a badly filled cartridge containing cheaper photocopy toner, or God knows what black stuff masquerading as inkjet ink. It doesn’t matter though whether you’re a fan or a hater, a used printer cartridge is just a plastic shell with its printer-specific ancilliaries that you can do with what you want. It has performed its task the manufacturer sold it to you for and passed its point of usefulness, if you want to fill it up with aftermarket ink, well, it’s yours, so go ahead.

There is a case approaching the US Supreme Court though which promises to change all that, as well as to have ramifications well beyond the narrow world of printer cartridges. Impression Products, Inc. v. Lexmark International, Inc. pits the printer manufacturer against a small cartridge recycling company that refused to follow the rest of its industry and reach a settlement.

At issue is a clause in the shrink-wrap legal agreement small print that comes with a new Lexmark cartridge that ties a discounted price to an agreement to never offer the cartridge for resale or reuse. They have been using it for decades, and the licence is deemed to have been agreed to simply by opening the cartridge packaging. By pursuing the matter, Lexmark are trying to set a legal precedent allowing such licencing terms to accompany a physical products even when they pass out of the hands of the original purchaser who accepted the licence.

There is a whole slew of concerns to be addressed about shrink-wrap licence agreements, after all, how many Lexmark owners even realise that they’re agreeing to some legal small print when they open the box? But the concern for us lies in the consequences this case could have for the rest of the hardware world. If a precedent is set such that a piece of printer consumable hardware can have conditions still attached to it when it has passed through more than one owner, then the same could be applied to any piece of hardware. The prospect of everything you own routinely having restrictions on the right to repair or modify it raises its ugly head, further redefining “ownership” as  “They really own it”. Most of the projects we feature here at Hackaday for example would probably be prohibited were their creators to be subject to these restrictions.

We’ve covered a similar story recently, the latest twist in a long running saga over John Deere tractors. In that case though there is a written contract that the farmer buying the machine has to sign. What makes the Lexmark case so much more serious is that the contract is being applied without the purchaser being aware of its existence.

We can’t hold out much hope that the Supreme Court understand the ramifications of the case for our community, but there are other arguments within industry that might sway them against it. Let’s hope Impression Products v. Lexmark doesn’t become a case steeped in infamy.

Thanks to [Greg Kennedy] for the tip.

Lexmark sign by CCC2012 [CC0].

“Norman, Coordinate!”

March 28, 2017 by 22 Comments

If Star Trek taught us anything, it’s clearly that we’re not quite in the future yet. Case in point: androids are not supposed to be little flecks of printed circuits with wires and jacks sprouting off them. Androids are supposed to be gorgeous fembots in polyester kimonos with beehive hairdos, designed to do our bidding and controlled by flashing, beeping, serial number necklaces.

Not willing to wait till the 23rd century for this glorious day, [Peter Walsh] designed and built his own android amulet prop from the original series episode “I, Mudd.” There’s a clip below if you need a refresher on this particularly notable 1967 episode, but the gist is that the Enterprise crew is kidnapped by advanced yet simple-minded androids that can be defeated by liberal doses of illogic and overacting.

The androids’ amulets indicate when they BSOD by flashing and beeping. [Peter]’s amulet is a faithful reproduction done up in laser-cut acrylic with LEDs and a driver from a headphone. The leads for the amulet go to a small control box with a battery pack and the disappointing kind of Android, and a palmed microswitch allows you to indicate your current state of confusion.

You’ll be sure to be the hit of any con with this one, although how to make smoke come out of your head is left as an exercise for the reader. Or if you’d prefer a more sophisticated wearable from The Next Generation, check out this polished and professional communicator badge. Both the amulet and the communicator were entries in the Hackaday Sci-Fi contest.

Continue reading ““Norman, Coordinate!””

Hacked IoT Switch Gains I2C Super Powers

March 27, 2017 by 50 Comments

Economies of scale and mass production bring us tons of stuff for not much money. And sometimes, that stuff is hackable. Case in point: the $5 Sonoff WiFi Smart Switch has an ESP8266 inside but the firmware isn’t very flexible. The device is equipped with the bare minimum 1 MB of SPI flash memory. Even worse, it doesn’t have the I2C ports extra pins exposed so that you can’t just connect up your own sensors and make them much more than just a switch. But that’s why we have soldering irons, right?

Continue reading “Hacked IoT Switch Gains I2C Super Powers”

Safe Cracking Is [Nate’s] Latest R&D Project

March 27, 2017 by 17 Comments

We love taking on new and awesome builds, but finding that second part (the “awesome”) of each project is usually the challenge. Looks like [Nathan Seidle] is making awesome the focus of the R&D push he’s driving at Sparkfun. They just put up this safe cracking project which includes a little gamification.

The origin story of the safe itself is excellent. [Nate’s] wife picked it up on Craig’s List cheap since the previous owner had forgotten the combination. We’ve seen enough reddit/imgur threads to not care at all what’s inside of it, but we’re all about cracking the code.

The SparkX (the new rapid prototyping endeavor at Sparkfun) approach was to design an Arduino safe cracking shield. It has a motor driver for spinning the dial and can drive a servo that pulls the lever to open the door. There is a piezo buzzer to indicate success, and the board as a display header labeled but not in use, presumably to show the combination currently under test. We say “presumably” because they’re not publishing all the details until after it’s cracked, a process that will be live streamed starting Wednesday. This will keep us guessing on the use of that INA169 current sensor that plugs into the safecracking shield. There is what appears to be a reflectance sensor above the dial to keep precise track of the spinning dial.

Electrically this is what we’d expect, but mechanically we’re in love with the build. The dial and lever both have 3D printed adapters to interface with the rest of the system. The overall framework is built out of aluminum channel which is affixed to the safe with rare earth magnets — a very slick application of this gear.

The gamification of the project has to do with a pair of $100 giveaways they’re doing for the closest guess on how long it’ll take to crack (we hope it’s a fairly fast cracker) and what the actual combination may be. For now, we want to hear from you on two things. First, what is the role of that current sensor in the circuit? Second, is there a good trick for optimizing a brute force approach like this? We’ve seen mechanical peculiarities of Master locks exploited for fast cracking. But for this, we’re more interested in hearing any mathematical tricks to test likely combinations first. Sound off in the comments below

Casting Machine Bases In Composite Epoxy

March 27, 2017 by 62 Comments

When you’re building a machine that needs to be accurate, you need to give it a nice solid base. A good base can lend strength to the machine to ensure its motions are accurate, as well as aid in damping vibrations that would impede performance. The problem is, it can be difficult to find a material that is both stiff and strong, and also a good damper of vibrations. Steel? Very stiff, very strong, terrible damper. Rubber? Great damper, strength leaves something to be desired. [Adam Bender] wanted to something strong that also damped vibrations, so developed a composite epoxy machine base.

[Adam] first takes us through the theory, referring to a graph of common materials showing loss coefficient plotted against stiffness. Once the theory is understood, [Adam] sets out to create a composite material with the best of both worlds – combining an aluminium base for stiffness and strength, with epoxy composite as a damper. It’s here where [Adam] begins experimenting, mixing the epoxy with sand, gravel, iron oxide and dyes, trying to find a mixture that casts easily with a good surface finish and minimum porosity.

With a mixture chosen, it’s then a matter of assembling the final mould, coating with release agent, and pouring in the mixture. The final result is impressive and a testament to [Adam]’s experimental process.

We’ve seen similar builds before — like this precision CNC built with epoxy granite — but detail in the documentation here is phenomenal.