This Week In Security: Default Passwords, Lock Slapping, And Mastodown

The UK has the answer to all our IoT problems: banning bad default passwords. Additionally, the new UK law requires device makers to provide contact info for vulnerability disclosures, as well as a requirement to advertise vulnerability fix schedules. Is this going to help the security of routers, cameras, and other devices? Maybe a bit.

I would argue that default passwords are in themselves the problem, and complexity requirements only nominally help security. Why? Because a good default password becomes worthless once the password, or the algorithm that generates it, leaks. Let’s lay out some scenarios here. First is the static default password. Manufacturer X makes device Y, and sets the devices to username/password admin/new_Complex_P@ssword1!. Those credentials make it onto a default password list, and any extra security is lost.

What about those devices that have a different, random-looking password for each device? Those use an algorithm to derive that password from the MAC address and/or serial number. That may help the situation, but the algorithm can be retrieved from the firmware, and most serial numbers are predictable in one way or another. This approach is better, but not a silver bullet.

So what would a real solution to the password problem look like? How about no default password at all, but no device functionality until the new password passes a cracklib complexity and uniqueness check. I have seen a few devices that do exactly this. The requirement for a disclosure address is a great idea, which we’ve talked about before regarding the similar EU legislation.
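The first-boot gate the column argues for, as an added example that is not from the original post: the device stays non-functional until the owner's password is rejected neither as a known default nor as something derived from the unit's own serial number or MAC address. The default list, identifiers and thresholds are constructed, and the check is a simplified stand-in for a cracklib-style test.

```python
import re
import string

# Constructed sample of a vendor default-credential list (the kind that leaks).
KNOWN_DEFAULTS = {"admin", "password", "12345678", "new_Complex_P@ssword1!"}

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def _normalise(value: str) -> str:
    """Drop case and separators so 'AA:BB:CC' and 'aabbcc' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def check_initial_password(candidate: str, serial: str, mac: str,
                           min_len: int = 12, min_classes: int = 3) -> list:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    reasons = []
    if candidate in KNOWN_DEFAULTS:
        reasons.append("matches a known default credential")
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    classes = sum(any(ch in cls for ch in candidate) for cls in CHAR_CLASSES)
    if classes < min_classes:
        reasons.append(f"uses fewer than {min_classes} character classes")
    # A password built from the serial or MAC is as predictable as the
    # identifier itself, so reject any 6-character run of either one.
    norm_pw = _normalise(candidate)
    for label, ident in (("serial number", serial), ("MAC address", mac)):
        norm_id = _normalise(ident)
        if any(norm_id[i:i + 6] in norm_pw for i in range(len(norm_id) - 5)):
            reasons.append(f"contains part of the device {label}")
    return reasons


class DeviceSetup:
    """Hypothetical first-boot state: nothing works until a password passes."""

    def __init__(self, serial: str, mac: str):
        self.serial, self.mac = serial, mac
        self.unlocked = False

    def set_password(self, candidate: str) -> list:
        reasons = check_initial_password(candidate, self.serial, self.mac)
        if not reasons:
            self.unlocked = True  # only now does the device become functional
        return reasons
```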


Don’t Object To Python Objects

There’s the old joke about 10 kinds of programmers, but the truth is when it comes to programming, there are often people who make tools and people who use tools. The Arduino system is a good example of this. Most people use it like a C compiler. However, it really uses C++, and if you want to provide “things” to the tool users, you need to create objects. For example, when you put Serial in a program, you use an object someone else wrote. Python — and things like Micropython — have the same kind of division. Python started as a scripting language, but it has added object features, allowing a rich set of tools for scripters to use. [Damilola Oladele] shows the ins and outs of object-oriented Python in a recent post.

Like other languages, Python allows you to organize functions and data into classes and then create instances that belong to that class. Class hierarchies are handy for reusing code, customizing behavior, and — through polymorphism — building device driver-like architectures.


Start Your Creepy Jack-O-Lantern Project Early This Year With Gourdan

For a lot of us, projects take time, and they have to be squeezed in around the regular chores of real life. Thus, if you’re starting your Halloween builds after the holiday displays have already hit the stores, you’re probably too late. We’re here to implore you to start building early this year—and you can take inspiration from a great pumpkin called Gourdan.

Gourdan is the work of [Braden Sunwold]. It’s a pumpkin with a fearsome visage and creepy eyes that follow you around the room. This is achieved thanks to a Raspberry Pi 3 nestled within Gourdan’s gourdy body. Gourdan’s eyes are a pair of 1.54-inch LCDs which display animated eyes. Thus, no mechanical wizardry is required here—it’s all done digitally. A camera attached to the Raspberry Pi tracks people with the aid of OpenCV, and the eyes are created and animated with the help of Adafruit example code.

There’s never a better time to start hacking for Halloween than right now. And hey, who knows—your neighbour might have kicked off in January, so they’ll have an almighty head start. They could have something really impressive in the works!

And don’t forget—you can always send us your holiday hacks, whatever the time of year! Just hit up the tipsline. Happy making!

3D Printed Wheels Passively Transform To Climb Obstacles

Wheels do a great job of rolling over all kinds of terrain, particularly if you pair them with compliant tires. However, they’re not perfect, and can be stymied by things like large vertical steps. Enter the PaTS-Wheel — a compliant mechanism that can tackle such obstacles with ease.

The PaTS-Wheel takes advantage of printable flexural hinges. Under regular conditions, it exists as a simple round wheel. However, when presented with a step obstacle, its individual segments can bend and flex to grab on to the step and hoist the vehicle up. It all happens passively as a result of the wheel’s structure; no actuators or control system are needed to achieve this action.

The video below does a great job of explaining the concept in raw engineering terms, as well as showing it in action. If you really want to drill down though, dive into the research paper. The design outperformed smooth wheels and whegs in climbing ability, and was able to match smooth wheels in simple tests of flat ground power consumption. The results are very impressive.

We’ve seen other transforming wheels before, like these wheg-like constructions, but nothing so passive and elegant as these. Video after the break.


Programming Ada: Packages And Command Line Applications

In the previous installment in this series we looked at how to set up an Ada development environment, and how to compile and run a simple Ada application. Building upon this foundation, we will now look at how to create more complex applications, along with how to parse and use arguments passed to Ada applications on the command line (CLI). After all, passing flags and strings to CLI applications when we launch them is a crucial part of user interaction, as well as of automation, as is the case with system services.

The way that a program is built up is also essential, as well-organized code eases maintenance and promotes code reusability through e.g. modularity. In Ada you can organize subprograms (i.e. functions and procedures) in a declarative fashion as stand-alone units, as well as embed subprograms in other subprograms. Another option is packages, which roughly correspond to C++ namespaces, while tagged types are the equivalent of classes. In the previous article we already saw the use of a package, when we used the Ada.Text_IO package to output text to the CLI. In this article we’ll look at how to write our own alongside handling command line input, after a word about the role of the binding phase during the building of an Ada application.


This Arduino Is Feeding The Fishes

Depending on the species, a fish can be a fairly low-maintenance pet. But of course even the most laid back of creatures needs to eat, so you’ll have to make sure to feed them regularly. If you’re a fish owner who would like to simplify tending to your creatures, you might find value in this project from [CrazyScience].

This fish feeder is based on an Arduino Uno, the 8-bit microcontroller development board which has done so much for so many. The Arduino drives a stepper motor, which rotates a 3D printed disc mechanism for dispensing food. Each slot of the disc is loaded with a small amount of fish food, so that when the disc rotates, a slot dumps its contents through an opening into the water.

Activating the system is as easy as a wave of the hand. That’s thanks to an ultrasonic sensor, which detects movement close by, and triggers the food delivery mechanism in turn. We’d love to see this upgraded with a timer mode too, though it would require the addition of a real-time clock module to the humble Arduino Uno.

It’s a simple project, but one that teaches all kinds of useful skills, from programming to design and 3D printing. We just worry that the fish bowl in the demo is far too small for fish to remain healthy. We’ve seen some other similar projects before, too.


Supercon 2023: Jose Angel Torres On Building A Junkyard Secure Phone

If you ever wondered just what it takes to build a modern device like a phone, you should have come to last year’s Supercon and talked with [Jose Angel Torres]. He’s an engineer whose passion for investigating what makes modern devices tick is undeniable, and he tells us all about where his forays have led so far – discovering marvels that a Western hacker might not be aware of.

Six years ago, he moved to China, having previously been responsible for making sure that his company’s Chinese subcontractors would manufacture things in the right ways. Turns out, doing that while separated by an ocean created more than just timezone barriers – they were communicating between different worlds.

[Jose] tells us of having learned Chinese on the spot, purely from communicating with people around him, and it’s no wonder he had the motivation! What he’s experienced is being at the heart of the hardware life cycle, where devices are manufactured, taken apart and rebuilt anew. Here’s how he tapped into that cycle, and where he’s heading now.
