Micro:bit Makes Cardboard Pinball More Legit

What have you been doing to ward off the winter blues? [TechnoChic] decided to lean in to winter and make a really fun-looking game out of it by combining the awesome PinBox 3000 cardboard pinball sandbox with a couple of Micro:bits to handle and display the player’s score. Check out the build and gameplay in the video after the break.

The story of Planet Winter is a bittersweet tale: basically, a bunch of penguins got tired of climate change and left Earth en masse for a penguin paradise where it’s a winter wonderland all year round. There’s a party igloo with disco lights and everything.

[TechnoChic] used a Micro:bit plugged into a Brown Dog Gadgets board to keep track of scoring, control the servo that kicks the ball back out of the igloo, and run the blinkenlights. It sends score updates over Bluetooth to a second Micro:bit and a Pimoroni Scrollbit display that sit opposite the pinball launcher. She went through a few switch iterations before settling on conductive maker tape and isolating the ball so it only contacts the tape tracks.

There are two ways to score on Planet Winter — the blizzard at the end of the ball launcher path nets you ten points, and getting the ball in the party igloo is good for thirty. Be careful on the icy lake in the middle of the playfield, because if the ball falls through the ice, it’s gone for good, along with your points. It’s okay, though, because both the party igloo and the ice hole trigger an avalanche which releases another ball.

Seriously, these PinBox 3000 kits are probably the most fun you can have with cardboard, even fresh out of the box. They are super fun even if you only build the kit and make a bunch of temporary targets to test gameplay, but never settle on a theme (ask us how we know). Not convinced? Hackaday Editor-in-Chief [Mike Szczys] explored them in depth at Maker Faire in 2018.


Hands On With The Ortur Laser Cutter

I couldn’t write very much without a computer. Early in my career, I wrote with a typewriter. Unless you are pretty close to perfect — I’m not — it is very frustrating to make edits on typewritten stuff. The equivalent in the real world, for me, has been 3D printers and CNC machines. I can visualize a lot of things that I’m not careful enough to build with normal tools. Despite my 7th-grade shop teacher’s best efforts, everything I did turned out to be a toothpick or a number 7. But I can get my ideas into CAD and from there the machines do the rest. That’s why I was excited to get a laser cutter this past Christmas. You might wonder why I’d need a laser cutter if I have the other tools. Then again, if you read Hackaday, you probably don’t need me to explain why you need a new gadget. I’ve had my eye on a laser for a good long time, but recent developments made it more attractive. I thought I’d share with you some of what I’ve found getting started with the Ortur laser cutter. The cutter is easy to put together and costs somewhere in the $200-$400 range depending on what you get with it. I thought I’d take some time to share what I’ve learned about it.

Why a Laser?

If you haven’t had experience with a laser cutter or engraver before, you might think it is a very specific instrument. Sure, the Ortur is good at engraving some things (but not all things). It can cut some things, too, but not as many things as a big serious laser cutter. However, creative people find lots of ways to use cutting and engraving to produce things you might not expect.


This Week In Security: ISNs, Patch Tuesday, And Clubhouse

Let’s talk TCP. Specifically, how do the different TCP connections stay distinct, and how is a third party kept from interrupting a connection? One of the mechanisms that help accomplish this feat is the TCP sequence number. Each of the two endpoints of a TCP connection tracks an incrementing 32-bit number, corresponding to the bytes sent in the connection. It’s handy, because each side can use that value to track what parts of the data stream they have received. On missing packets, a message can be sent requesting bytes 7-15 to be resent, for instance.

Each side of the connection sets their own Initial Sequence Number (ISN), and it’s important that this number is unique, as collisions can cause stream confusion. That statement should make your security spidey sense tingle. If a collision can cause problems when it happens by chance, what can a hacker do with it intentionally? Potentially quite a bit. Knowing the current sequence number, as well as a couple other pieces of information, a third party can close a TCP stream or even inject data. The attack has been around for years, originally known as the Mitnick Attack. It was originally possible because TCP implementations used a simple counter to set the ISN. Once the security ramifications of this approach were understood, the major implementations moved to random number generation for their ISNs.

Now to this week’s story: researchers at Forescout took the time to check 11 TCP/IP stacks for vulnerability to the old Mitnick Attack (PDF Whitepaper). Of the eleven embedded stacks tested, nine have serious weaknesses in their ISN generation. Most of the vulnerable implementations use a system time value as their ISN, while several use a predictable pseudorandom algorithm that can be easily reversed.
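
An added example (not from Forescout's whitepaper or any of the audited stacks): the clock-derived ISN described above beside a keyed-hash generator in the style of RFC 6528, plus a check a defender can run over ISNs sampled from a device under test. The function names, the 4 microsecond tick, the spread threshold and the sample addresses and ports are assumptions.

```python
import hashlib
import hmac
import os
import statistics

MASK32 = 0xFFFFFFFF
SECRET = os.urandom(16)  # per-boot secret; assumed never to leave the host


def isn_from_clock(now_us: int) -> int:
    """Weak pattern: the ISN is the system time, so any observer with a clock can guess it."""
    return (now_us // 4) & MASK32


def isn_rfc6528(now_us, laddr, lport, raddr, rport, key=SECRET) -> int:
    """RFC 6528 style: ISN = M + F(4-tuple, secret), with M a 4 microsecond timer."""
    msg = f"{laddr}:{lport}>{raddr}:{rport}".encode()
    f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")
    return ((now_us // 4) + f) & MASK32


def looks_predictable(isns, max_spread=1 << 20) -> bool:
    """Flag a sample whose successive differences (mod 2^32) cluster tightly.

    A counter or clock yields near-constant deltas; independent 32-bit values
    yield deltas spread over the whole range. The threshold is an assumption.
    """
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    return statistics.pstdev(deltas) < max_spread


def sample(gen, n=20, step_us=10_000):
    """Constructed probe: n connections, 10 ms apart, each from a new source port.

    New ports matter: with RFC 6528 the ISNs for one fixed 4-tuple still
    advance with the timer, but an off-path party never sees that tuple's offset.
    """
    t0 = 1_700_000_000_000_000  # constructed start time in microseconds
    return [gen(t0 + i * step_us, 40000 + i) for i in range(n)]


WEAK = sample(lambda t, port: isn_from_clock(t))
STRONG = sample(lambda t, port: isn_rfc6528(t, "192.0.2.10", 80, "198.51.100.7", port))

if __name__ == "__main__":
    print("clock-derived ISNs predictable:", looks_predictable(WEAK))
    print("keyed-hash ISNs predictable:  ", looks_predictable(STRONG))
```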

CVEs have been assigned, and vendors notified of “NUMBER:JACK”, Forescout’s name for the research. Most of the vulnerable software already has patches available. The problem with embedded systems is that they often never get security updates. The vulnerable network stacks are in devices like IP cameras, printers, and other “invisible” software. Time will tell if this attack shows up as part of a future IoT botnet.

BASIC: Cross-Platform Software Hacking Then And Now

Surely BASIC is properly obsolete by now, right? Perhaps not. In addition to inspiring a large part of home computing today, BASIC is still very much alive, even outside of retro computing.

There was a time, not even that long ago, when the lingua franca of the home computer world was BASIC. This wasn’t necessarily always the exact same BASIC; the commands and syntax differed between whatever BASIC dialect came with any given model of home computer (Commodore, Atari, Texas Instruments, Sinclair or any of the countless others). Fortunately most of these were licensed from or derived from the most popular microcomputer implementation of BASIC: Microsoft BASIC.

BASIC has its roots in academics, where it was intended to be an easy to use programming language for every student, even those outside the traditional STEM fields. Taking its cues from popular 1960s languages like FORTRAN and ALGOL, it saw widespread use on time-sharing systems at schools, with even IBM joining the party in 1973 with VS-BASIC. When the 1970s saw the arrival of microcomputers, small and cheap enough to be bought by anyone and used at home, it seemed only natural that they too would run BASIC.

The advantage of having BASIC integrated into these systems was obvious: not only were most people who bought such a home computer already familiar with BASIC, it allowed programs to be run without first being compiled. This was good, because compiling a program takes a lot of RAM and storage, neither of which were plentiful in microcomputers. Instead of compiling BASIC source code, BASIC interpreters would interpret and run the code one line at a time, trading execution speed for flexibility and low resource use.

After turning on one’s microcomputer, the BASIC interpreter would usually be loaded straight from an onboard ROM in lieu of a full-blown operating system. In this interpreter shell, one could use the hardware, write and load BASIC programs and save them to tape or disk. Running existing BASIC code as well as compiled programs on one’s computer, or even typing them in from a listing in a magazine, were all options. As BASIC implementations between different home computers were relatively consistent, this provided for a lot of portability.

That was then, and this is now. Are people actually still using the BASIC language?


This Week In Security: Morse Code Malware, Literal And Figurative Watering Holes, And More

Code obfuscation has been around for a long time. The obfuscated C contest first ran way back in 1984, but there are examples of natural language obfuscation from way earlier in history. Namely Cockney rhyming slang, like saying “Lady from Bristol” instead of “pistol” or “lump of lead” instead of “head”. It’s speculated that Cockney was originally used to allow the criminal class to have conversations without tipping off police.

Code obfuscation in malware serves a similar purpose — hiding from security devices and applications. There are known code snippets and blacklisted IP addresses that anti-malware software scans for. If that known bad code can be successfully obfuscated, it can avoid detection. This is a bit of a constant game of cat-and-mouse, as the deobfuscation code itself eventually makes the blacklist. This leads to new obfuscation techniques, sometimes quite off the wall. Well this week, I found a humdinger of an oddball approach. Morse Code.

Yep, dots and dashes. The whole attack goes like this. You receive an email, claiming to be an invoice. It’s a .xlsx.hTML file. If you don’t notice the odd file extension, and actually let it open, you’re treated to a web page. The source of that page is a very minimal JS script that consists of a morse code decoder, and a payload encoded in Morse. In this case, the payload is simply a pair of external scripts that ask for an Office 365 login. The novel aspect of this is definitely the Morse Code. Yes, our own [Danie] covered this earlier this week, but it was too good not to mention here.
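
An added triage example, not code from the campaign or from the original post: it flags the double-extension attachment name described above and decodes long Morse runs in the page source, so an analyst can read which external scripts the page would load without opening it in a browser. The hex-inside-Morse layer, the function names, the 40-symbol threshold and the sample attachment (with a placeholder example.invalid URL) are assumptions constructed for illustration.

```python
import re

MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
ENCODE = {v: k for k, v in MORSE.items()}  # only used to build the sample below

DOUBLE_EXT = re.compile(r"\.(xlsx?|docx?|pdf)\.html?$", re.I)  # document name ending in .htm(l)
MORSE_RUN = re.compile(r"[.\-][.\- ]{40,}")  # long run of dots, dashes and spaces
URL = re.compile(r"https?://[^\s\"'<>]+")


def decode_morse(run: str) -> str:
    """Decode space-separated Morse symbols; unknown symbols become '?'."""
    return "".join(MORSE.get(sym, "?") for sym in run.split())


def triage(filename: str, html: str) -> dict:
    """Static check of an HTML attachment: nothing is rendered or fetched."""
    runs = MORSE_RUN.findall(html)
    urls = []
    for run in runs:
        text = decode_morse(run)
        try:  # assumed second layer: the Morse text is a hex string
            text = bytes.fromhex(text).decode("utf-8", "replace")
        except ValueError:
            pass  # not hex: keep the plain Morse decoding
        urls += URL.findall(text)
    return {"double_extension": bool(DOUBLE_EXT.search(filename)),
            "morse_runs": len(runs),
            "hidden_urls": urls}


# Constructed sample attachment: one script tag, hex-encoded, then written as Morse.
SAMPLE_JS = '<script src="https://example.invalid/a.js"></script>'
SAMPLE_MORSE = " ".join(ENCODE[c] for c in SAMPLE_JS.encode().hex())
SAMPLE_HTML = f'<script>var p = "{SAMPLE_MORSE}"; /* decoder omitted */</script>'

if __name__ == "__main__":
    print(triage("invoice_1234.xlsx.hTML", SAMPLE_HTML))
```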

This Week In Security: Perl.com, The Great Suspender, And Google’s Solution

Perl has been stolen. Well, perl.com, at least. The perl.com domain was transferred to a different registrar on January 27, without the permission of the rightful owner. The first to notice the hack seems to have been [xtaran], who raised the alarm on a Reddit thread. The proper people quickly noticed, and started the process of getting control of the domain again. It seems that several other unrelated domains were also stolen in the same attack.

I’ve seen a couple of theories tossed around about how the domains were stolen. With multiple domains being moved, it initially seemed that the registrar had been compromised in some way. One of the other victims was told that a set of official looking documents had been supplied, “proving” that the attacker was the rightful owner of the domain. In any case, the damage is slowly being unwound. Perl.com is once again in the proper hands, evidenced by the proper SSL certificate issued back in December.

The Great Suspender, Suspended

I was greeted by a particularly nasty surprise on Thursday of this week. One of the Chrome extensions I’ve come to rely on was removed by Google for containing malware. The Great Suspender automatically hibernates unused tabs, saving RAM and processor cycles that would otherwise be spent on those 150 open tabs that should really be bookmarks. What happened here?

I’ll point out that I’m extremely careful about installing extensions. It’s code written by a third party, often very difficult to inspect, and can view and modify the sites you visit. You can manage what sites an extension has access to, but for a tool like the Suspender, it essentially needs access to all of them. The solution is to use open source extensions, right? “Well yes, but actually no.” Suspender is open source, after all. The link above goes to the project’s GitHub page. In that repo you’ll find an announcement from last year, that the founding developer is finished with the project, and is selling the rights to an unknown third party, who took over maintainership. If this sounds familiar, there are echoes of the event-stream debacle.

It’s not clear exactly what malicious behavior Google found that led to the extension being pulled, but a more careful look at the project reveals that there were potential problems as early as October of 2020. An addition to the extension introduced execution of code from a remote server, never a good idea. For what it’s worth, the original maintainer has made a statement, defending the new owners, and suggesting that this was all an innocent mistake.

The lesson here? It’s not enough to confirm that an extension checks the “open source” box. Make sure there is an active community, and that there isn’t a six-month-old bug report detailing potentially malicious activity.

Libgcrypt

It’s not every day you see a developer sending out a notice that everyone should stop using his latest release. That’s exactly what happened with Libgcrypt 1.9.0. Our friends over at Google’s Project Zero discovered an extremely nasty vulnerability in the code. It’s a buffer overflow that happens during the decryption process, before even signature verification. Since libgcrypt is used in many PGP implementations, the ramifications could be nasty. Receive an encrypted email, and as soon as your client decrypts it, code is executing. Thankfully, an update that fixes the issue has already been released.

Android Botnet

A new botnet is targeting Android devices in a peculiar way — looking for open ADB debug ports exposed to the Internet. Google makes it very clear that ADB over the network is insecure, and should only be used for development purposes, and on controlled networks. It’s astounding that so many vendors ship hardware with this service exposed. Beyond that, it’s surprising that so many people give their Android devices public IP addresses (or IPv6 addresses that aren’t behind a firewall). The botnet, named Matryosh, has another unique feature, as it uses Tor for command and control functions, making it harder to track.

Google Solution to Open-Source Security

Google published a post on their open source blog, giving an overview of their new framework for the security of open source projects. “Know, Prevent, Fix” is their name for the new effort, and it must have been written by management, because it’s full of buzzwords. The most interesting elements are their goals for critical software. They identify problems like the ability of a single maintainer to push bad code into a project, and how having anonymous maintainers is probably a bad idea. It will be interesting to see how these ideas develop, and how Google will help open source communities implement them.

Microsoft in My Pi

And finally, I was amused by an article lamenting the inclusion of the VSCode repository in the default Raspberry Pi OS images. He does raise a couple legitimate points. Among them, you do send a ping to Microsoft’s servers every time you check for new updates.

The larger point is that the official VSCode binaries have telemetry code added to them — code that isn’t in the open source repository. What is it doing? You don’t know. But it probably violates European law.

Want to use VSCode, but not interested in shipping info off to Microsoft? VSCodium is a thing.

Bike Wheel Light Flashes Just Right

When it comes to safely riding a bike around cars, the more lights, the better. Ideally, these lights would come on by themselves, so you don’t have to remember to turn them on and off every time. That’s exactly the idea behind [Jeremy Cook]’s latest build — it’s an automatic bike light that detects vibration and lights up some LEDs in response.

The build is pretty simple — a coin cell-powered ATtiny85 reads input from a spring vibration sensor and flashes the LEDs. This is meant to complement [Jeremy]’s primary bike light, which is manually operated and always on. We especially like that form follows function here — the board shape is designed to be zip-tied to the spokes so it’s as close to the action as possible. He cleverly used cardboard and a laser cutter to mock up a prototype for a board that fits between the spokes. Pretty cool for your second professionally-fabbed PCB ever, if you ask us. Ride past the break to check out the build video.

If you don’t think fireflies on your spokes are enough to keep you safe, go full rainbow party bike.
