This Week In Security: Looney Tunables, Not A 0-day*, And Curl Warning

October 6, 2023 by 8 Comments

This week starts out with a nifty vulnerability in the glibc dynamic loader. This is an important step in running a binary executable on Linux, as it pulls the list of required shared libraries, and loads those libraries into memory. Glibc also includes a feature to adjust some runtime settings, via the GLIBC_TUNABLES environment variable. That’s where the vulnerability resides, and researchers from Qualsys obviously had a bit of fun in taking inspiration to pick the vulnerability name, “Looney Tunables”.

The problem is memory handling in the sanitizing parser. This function iterates through the environment variable, looking for strings of tunable1=aa, separated by colons. These strings get copied to the sanitized buffer, but the parsing logic goes awry when handling the malformed tunable1=tunable2=AAA. The first equals sign is taken at face value, copying the rest of the string into the buffer. But then the second equals sign is also processed as another key=value pair, leading to a buffer overflow.

The reason this particular overflow is interesting is that if the binary to be run is a Set-User-ID (SUID) root application, the dynamic loader runs as root, too. If the overflow can achieve code execution, then it’s a straightforward privilege escalation. And since we’re talking about it, you know there’s a way to execute code. It turns out, it’s possible to overwrite the pointer to the library search path, which determines where the dynamic loader will look for libraries. Tell it to look first in an attacker-controlled location, and you can easily load a malicious libc.so for instant code execution.

This vulnerability affects many Linux distros, and there’s already a Proof of Concept (PoC) published. So, it’s time to go check for updates for cve-2023-4911. Continue reading “This Week In Security: Looney Tunables, Not A 0-day*, And Curl Warning”

Wok Your Way To The Center Of The Galaxy

October 6, 2023 by 14 Comments

The round bottom of a proper wok is the key to a decent stir fry, but it also makes it hard to use on traditional Western stoves. That’s why many woks end up in a dark kitchen cabinet, unused and unloved. But wait; it turns out that the round bottom of a wok is the perfect shape for gathering something else — radio waves, specifically the 21-cm neutral hydrogen emissions coming from the heart of our galaxy.

Turning a wok into an entry-level radio telescope doesn’t appear to be all that hard, at least judging by what [Leo W.H. Fung] et al detail in their paper (PDF) on “WTH” or “Wok the Hydrogen.” Aside from the wok, which serves as the main reflector, you’ll need a bit of coaxial cable and some stiff copper wire to fashion a small dipole antenna and balun, plus some plastic tubing to support it at the focal point of the reflector. Measuring the wok’s shape and size, which in turn determines its focal point, is probably the hardest part of the build; luckily, the paper includes tips on doing just that. The authors address the controversy of parabolic versus spherical reflectors and arrive at the conclusion that for a radio telescope fashioned from a wok, it just doesn’t matter.

As for the signal processing chain, WTH holds few surprises. A Nooelec Sawbird+ H1 acts as preamp and filter for the 1420-MHz hydrogen line signal, which feeds into an RTL-SDR dongle. Careful attention is paid to proper grounding and shielding to keep the noise floor as low as possible. Mounting the antenna is a decidedly ad hoc affair, and aiming is as simple as eyeballing various stars near the center of the galactic plane — no need to complicate things.

Performance is pretty good: WTH measured the recession velocity of neutral hydrogen to within 20 km/s, which isn’t bad for something cobbled together from scrap. We’ve seen plenty of DIY hydrogen line observatories before, but WTH probably wins the “get on the air tonight” award.

Thanks to [Heinz-Bernd Eggenstein] for the tip.

Creating An Automated Hydrogen Generator At Home

October 6, 2023 by 34 Comments

Everyone and their pet hamster probably knows that the most common way to produce hydrogen is via the electrolysis of water, but there are still a number of steps between this elementary knowledge and implementing a (mostly) automated hydrogen generator. Especially if your end goal is to create liquid hydrogen when everything is said and done. This is where [Hyperspace Pirate]’s latest absolutely not dangerous project commences, with the details covered in the recently published video.

Automated hydrogen generator setup, courtesy of [Hyperspace Pirate]'s dog drinking bowl.
Automated hydrogen generator setup, courtesy of [Hyperspace Pirate]’s dog drinking bowl.
Since electrolysis cannot occur with pure water, sodium hydroxide (NaOH) is used in the solution to provide the ions. The electrodes are made of 316 stainless steel, mostly because this is cheap and good enough for this purpose. Although the original plan was to use a stacked series of electrodes with permeable membranes like in commercial electrolysers, this proved to be too much of a hassle to seal up leak-tight. Ergo the demonstrated version was attempted, where an upturned glass bell provides the barrier for the produced hydrogen and oxygen. With this system it’s easy to measure the volume of the produced hydrogen due to the displaced water in the bell.

Once enough hydrogen gas is produced, a vacuum pump is triggered by a simple pair of electrodes to move the hydrogen gas to a storage container. Due to hydrogen embrittlement concerns, an aluminium tank was used rather than a steel one. Ultimately enough hydrogen gas was collected to fill a lot of party balloons, and with the provided information in the video it should be quite straightforward to reproduce the system.

Where the automation comes into play is with a control system that monitors for example how long the vacuum pump has been running, and triggers a fail safe state if it’s more than a set limit. With the control system in place, [Hyperspace Pirate] was able to leave the hydrogen generator running for hours with no concerns. We’re hopeful that his upcoming effort to liquify this hydrogen will be as successful, or the human-rated blimp, or whatever all this hydrogen will be used for.

Continue reading “Creating An Automated Hydrogen Generator At Home”

Just What Is Tone, In A Microphone?

October 5, 2023 by 23 Comments

As long-time Hackaday readers will know, there is much rubbish spouted in the world of audio about perceived tone and performance of different hi-fi components. Usually this comes from audiophiles with, we’d dare to suggest, more money than sense. But oddly there’s an arena in which the elusive tone has less of the rubbish about it and it in fact, quite important. [Jim Lill] is a musician, and like all musicians he knows that different combinations of microphones impart a different sound to the recording. But as it’s such a difficult property to quantify, he’s set out to learn all he can about where the tone comes from in a microphone.

He’s coming to this from the viewpoint of a musician rather than an engineer, but his methodology is not diminished by this. He’s putting each mic on test in front of the same speaker at the same position, and playing a standard piece of music and a tone sweep through each. He doesn’t have an audio analyser, reference speaker and microphone, or anechoic chamber, so he’s come up with a real-world standard instead. He’s comparing every mic he can find with a Shure SM57, the go-to general purpose standard in the world of microphones for as long as anyone can remember, being a 1960s development of their earlier Unidyne series. His reasoning is that while its response is not flat the sound of the SM57 is what most people are used to hearing from a microphone, so it makes sense to measure the others against its performance.

Along the way he tests a huge number of microphones including famous and expensive ones from exclusive studios and finally one he made himself by mounting a cartridge atop a soda can. You’ll have to watch the video below the break for his conclusions, we can promise it’s worth it.

Continue reading “Just What Is Tone, In A Microphone?”

An SMD Capacitor Guide

October 5, 2023 by 5 Comments

For electronics, your knowledge probably follows a bit of a bell curve over time. When you start out, you know nothing. But you eventually learn a lot. Then you learn enough to be comfortable, and most of us don’t learn as much about new things unless we just happen to need it. Take SMD components. If you are just starting out, you might not know how to find the positive lead of an SMD capacitor. However, if you’ve been doing electronics for a long time, you might not have learned all the nuances of SMD. [Mr SolderFix] has been addressing this with a series of videos covering the basics of different SMD components, and this installment covers capacitors.

If you are dyed-in-the-wool with SMD, you might not get a lot out of the video, but we picked up a few tips, like using a zip tie for applying flux. The video starts with an examination of the different packages and markings. Then it moves on to soldering the components down.

Continue reading “An SMD Capacitor Guide”

We’d Sure Like To Strum The Chrumm Keyboard

October 5, 2023 by 11 Comments

If you want something as personal as a keyboard done right, you have to do it yourself. Not quite satisfied with the multitude of mechanical offerings out there, [summific] decided to throw their hat into the ring and design the Chrumm keyboard. And boy, are we glad they did.

Between the lovely tenting angle and tilt, the gorgeous flexible PCBs, and the pictures that could pass for renders, [summific] has given us something beautiful to behold that we can only dream of thocking on. Even the honeycomb plate is nice. Oh, but this monoblock split is completely open source.

This Raspberry Pi Pico-powered keyboard features a 3D printable case design without visible screws, and a rotary encoder in the middle. Those palm rests are firmly attached from the underside. Why are the thumb cluster keycaps upside down? It’s not meant to drive you insane; it’s because the contour is more finger-friendly that way, according to some people.

[summific] makes this look easy, but it doesn’t matter, because all the hard work is already done. If you want something easier, start with a macropad. Or a macro pad, even.

Via reddit

Neat Soldering Station Design Has Workshop & Portable Versions

October 5, 2023 by 15 Comments

The warm and rather stinky heart of any hacker’s lair is the soldering station, where the PCB meets the metal (solder). A good soldering station lets you get on with the business of building stuff without worrying about piffling details like temperature and remembering to turn the thing off. The AxxSolder is a neat design from [AxxAxx] that fulfills these criteria, as it includes full PID control of the iron and an auto sleep feature. It will run from any DC power source from 9 to 26 Volts, so you can run it off your bench power supply and have one less thing to plug in. There is even a portable version for those on-the-go hackathons.

Continue reading “Neat Soldering Station Design Has Workshop & Portable Versions”