Hackaday Podcast Episode 251: Pluto, Pinball, Speedy Surgery, And DIY GPS

Welcome to 2024! This time around, Elliot and Dan ring in a new year of awesome hacks with quite an eclectic mix. We kick things off with a Pluto pity party and find out why the tiny ex-planet deserved what it got. What do you do if you need to rename a bunch of image files? You rope a local large-language model in for the job, of course. We’ll take a look at how pinball machines did their thing before computers came along, take a fractal dive into video feedback, and localize fireworks with a fleet of Raspberry Pi listening stations. Ever wonder what makes a GPS receiver tick? The best way to find out might be to build one from scratch. Looking for some adventure? A ride on an electroluminescent surfboard might do, or perhaps a DIY “Vomit Comet” trip would be more your style. And make sure you stick around for our discussion on attempts to optimize surgery efficiency, and our look back at 2023’s top trends in the hardware world.


Grab a copy for yourself if you want to listen offline.

Continue reading “Hackaday Podcast Episode 251: Pluto, Pinball, Speedy Surgery, And DIY GPS”

This Week In Security: Bitwarden, Reverse RDP, And Snake

This week, we finally get the inside scoop on some old stories, starting with the Bitwarden Windows Hello problem from last year. You may remember that Bitwarden has an option to use Windows Hello to unlock the vault. Unfortunately, the Windows credential API doesn’t actually encrypt credentials in a way that requires an additional Windows Hello verification to unlock them. So a derived key gets stored in the credential manager, and can be retrieved through a simple API call. No additional biometrics are needed, even with the Bitwarden vault locked and the application closed.

There’s another danger that doesn’t even require access to the logged-in machine. On a machine that is joined to a domain, Windows backs up those encryption keys to the Domain Controller. The encrypted vault itself is available on a domain machine over SMB by default. A compromised domain controller could snag a Bitwarden vault without ever running code on the target machine. The good news is that this particular problem with Bitwarden and Windows Hello is now fixed, and has been since version 2023.10.1.

Reverse RDP Exploitation

We normally think about the Remote Desktop Protocol as dangerous to expose to the internet. And it is. Don’t put your RDP service online. But reverse RDP is the idea that it might also be dangerous to connect an RDP client to a malicious server. And of course, multiple RDP implementations have this problem. There’s rdesktop, FreeRDP, and Microsoft’s own mstsc that all have vulnerabilities relating to reverse RDP.

The technical details here aren’t terribly interesting. It’s all variations on the theme of not properly checking remote data from the server, and hence either reading or writing past internal buffers. This results in various forms of information leak and code execution problems. What’s interesting is the different responses to the findings, and then [Eyal Itkin]’s takeaway about how security researchers should approach vulnerability disclosure.

So first up, Microsoft dismissed a vulnerability as unworthy of servicing, and then proceeded to research it internally and present it as a novel attack without properly attributing [Eyal] for the original find. rdesktop contained quite a few of these issues, but its developers were able to fix the problem in a handful of months. FreeRDP fixed some issues right away, in what could be described as a whack-a-mole style process, but a patch was cooked up that would actually address the problem at a deeper level: changing an API value from the unsigned size_t to a signed ssize_t. That change took a whopping 2 years to actually make it out to the world in a release. Why so long? Continue reading “This Week In Security: Bitwarden, Reverse RDP, And Snake”
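As an added illustration, not code from the column or from FreeRDP, the record layout, function names and sample bytes below are constructed to show why a remaining-length check written with unsigned size_t can be fooled once a server-supplied length has already run past the buffer, and how the signed ssize_t form the column mentions rejects the same input:

```c
#include <stdint.h>
#include <string.h>
#include <sys/types.h>   /* ssize_t */

/* Hypothetical record layout for this example (not FreeRDP's wire format):
 * [u8 skip][u8 payload_len][skip bytes][payload]; both lengths are server-chosen. */
enum { MAX_PAYLOAD = 16 };

/* Remaining-bytes check with unsigned arithmetic. If a server-chosen length has
 * already pushed pos past total, total - pos wraps to a huge value and the check
 * wrongly passes. */
int has_bytes_unsigned(size_t total, size_t pos, size_t need) {
    return (total - pos) >= need;
}

/* Same check with signed lengths, the kind of fix the column describes: a negative
 * remainder is now visible and rejected. */
int has_bytes_signed(ssize_t total, ssize_t pos, ssize_t need) {
    ssize_t left = total - pos;
    return left >= 0 && left >= need;
}

/* Copy one record's payload into out (MAX_PAYLOAD bytes). Returns the payload
 * length, or -1 if the record is rejected. 'hardened' selects the check. */
ssize_t read_payload(const uint8_t *buf, size_t buf_len, uint8_t *out, int hardened) {
    if (buf_len < 2) return -1;
    size_t skip = buf[0], plen = buf[1];
    size_t pos = 2 + skip;            /* may already exceed buf_len */
    int ok = hardened ? has_bytes_signed((ssize_t)buf_len, (ssize_t)pos, (ssize_t)plen)
                      : has_bytes_unsigned(buf_len, pos, plen);
    if (!ok || plen > MAX_PAYLOAD) return -1;
    memcpy(out, buf + pos, plen);     /* out-of-bounds read if ok was a lie */
    return (ssize_t)plen;
}

/* Constructed inputs: a valid record, and one whose skip byte (32) points far
 * past the 6-byte buffer. */
ssize_t demo_wellformed(int hardened) {
    static const uint8_t rec[] = { 0x01, 0x03, 0xAA, 'a', 'b', 'c' };
    uint8_t out[MAX_PAYLOAD];
    return read_payload(rec, sizeof rec, out, hardened);   /* 3 */
}
ssize_t demo_malformed_hardened(void) {
    static const uint8_t rec[] = { 0x20, 0x04, 0xAA, 'a', 'b', 'c' };
    uint8_t out[MAX_PAYLOAD];
    return read_payload(rec, sizeof rec, out, 1);          /* -1 */
}
```

Calling has_bytes_unsigned(6, 34, 4) returns 1 even though position 34 is far past a 6-byte buffer, while has_bytes_signed with the same arguments returns 0; the malformed record is therefore only rejected on the hardened path.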

The World Of Web Browsers Is In A Bad Way

There once was a man who invented a means for publishing scientific documents using hypertext. He made his first documents available from his NeXT cube, and a lot of the academics who saw them thought it was a great idea. They took the idea, expanded it, and added graphics, and pretty soon people who weren’t scientists wanted to use it too. It became the Next Big Thing, and technology companies new and old wanted a piece of the pie.

You all know the next chapter of this story. It’s the mid 1990s, and Microsoft, having been caught on the back foot after pursuing The Microsoft Network as a Compuserve and AOL competitor, did an about-turn and set out to conquer the Web. Their tool of choice was Microsoft Internet Explorer 3, which since it shipped with Windows 95 and every computer that mattered back then came with Windows 95, promptly entered a huge battle with Netscape’s Navigator browser. Web standards were in their infancy so the two browsers battled each other by manipulating the underlying technologies on which the Web relied. Microsoft used their “Embrace and extend” strategy to try to Redmondify everything, and Netscape got lost in the wilderness with Netscape 4, a browser on which nightmarish quirks were the norm. By the millennium it was Internet Explorer that had won the battle, and though some of the more proprietary Microsoft web technologies had fallen by the wayside, we entered the new decade in a relative monoculture. Continue reading “The World Of Web Browsers Is In A Bad Way”

FLOSS Weekly Episode 764: You Have To Be Pretty Cynical

This week Jonathan Bennett and Katherine Druckman talk with benny Vasquez, chair of AlmaLinux, all about the weird road we’ve been on with Enterprise Linux distributions, and how that’s landed us here, where we have AlmaLinux, Rocky Linux, and multiple other Red Hat downstream distros. What’s the difference between those projects, and why does it matter?

Projects need more than just developers. How do you keep members doing documentation, bug hunting, outreach, and even graphic design plugged in and feeling like part of the team? How do you walk the narrow line between the different directions a project can drift, setting up your community for long term success? And where’s the most surprising place benny has found AlmaLinux running? And why is benny’s first name never capitalized? Give this week’s show a listen to find out!

Continue reading “FLOSS Weekly Episode 764: You Have To Be Pretty Cynical”

A Few Reasonable Rules For The Responsible Use Of New Technology

If there’s one thing which probably unites all of Hackaday’s community, it’s a love of technology. We live to hear about the very latest developments before anyone else, and the chances are for a lot of them we’ll all have a pretty good idea how they work. But if there’s something which probably annoys a lot of us the most, it’s when we see a piece of new technology misused. A lot of us are open-source enthusiasts not because we’re averse to commercial profit, but because we’ve seen the effects of monopolistic practices distorting the market with their new technologies and making matters worse, not better. After all, if a new technology isn’t capable of making the world a better place in some way, what use is it?

It’s depressing then to watch the same cycle repeat itself over and over, to see new technologies used in the service of restrictive practices for short-term gain rather than to make better products. We probably all have examples of new high-tech products that are simply bad, that are new technology simply for the sake of marketing, and which ultimately deliver something worse than what came before, but with more bling. Perhaps the worst part is the powerlessness, watching gullible members of the public lapping up something shiny and new that you know to be flawed, and not being able to do anything about it.

Here at Hackaday though, perhaps there is something I can do about it. I don’t sit in any boardroom that matters but I do have here a soapbox on which to stand, and from it I can talk to you, people whose work takes you into many fascinating corners of the tech industry and elsewhere. If I think that new technologies are being used irresponsibly to create bad products, at least I can codify how that might be changed. So here are my four Rules For The Responsible Use Of New Technology, each with some examples. They should each be self-evident, and I hope you’ll agree with me. Continue reading “A Few Reasonable Rules For The Responsible Use Of New Technology”

It’s Pronounced GIF

As the holiday season is upon us and a Hackaday scribe sits protected from the incoming Atlantic storms in her snug eyrie, it’s time for her to consider the basics of her craft: writing, spelling, and the English language. Such matters as why Americans have different English spellings from Brits, but perhaps most important of them all for Hackaday readers: is it “gif”, or is it “jif”? This, or the jokey sentence about spellings, might be considered obvious clickbait, but instead they’re a handle to descend into the study of language. Just how do we decide the conventions of our language, and should we even care too much about them?

Don’t Believe Everything You Read in School

A picture of an American classroom in 1004
Not everything you learn here is worth holding on to. Harrison Keely, CC BY 4.0.

We are sent to school to Learn Stuff. During that time we are deprived of our liberty as a succession of adults attempt year after year to cram our heads with facts. Some of it we find interesting and other parts not so much, but for the majority of it, we are discouraged from thinking for ourselves and are instead expected to learn by rote a set of fixed curricula.

Thus while writers have to discover for themselves that English is a constantly evolving language through which they can break free of these artificial bounds that school has imposed upon them, far too many people remain afraid to put their head above the linguistic parapet.

The result is that perceived deviations from the rules are jumped upon by those afraid to move with the language, and we even find our own linguistic Holy Wars to fight. The one mentioned above about “gif” versus “jif” is a great example: does it really matter that much whether you pronounce it with a hard “G” because that’s how most people say it, or as though it were a “J” because the creator of the file format said it that way? Not really, because English is an evolving language in the hands of those who speak it, not those of the people who write school books. Continue reading “It’s Pronounced GIF”

2023: As The Hardware World Turns

We’ve made it through another trip around the sun, and for the first time in what feels like far too long, it seems like things went pretty well for the hackers and makers of the world. Like so many, our community suffered through a rough couple of years: from the part shortages that made building even the simplest of devices more expensive and difficult than it should have been, to the COVID-mandated social distancing that robbed us of our favorite meetups. But when looking back on the last twelve months, most of the news was refreshingly positive.

Pepperoni costs ten bucks, but they can’t activate Windows on their registers…

Oh sure, a trip to the grocery store can lead to a minor existential crisis at the register, but there’s not much we at Hackaday can do about that other than recommend some good hydroponics projects to help get your own home farm up and running.

As has become our New Year tradition, we like to take this time to go over some of the biggest stories and trends that we picked up on from our unique vantage point. Some will be obvious, but there are always a few that sneak up on us. These posts tend to make for interesting reading in the future, and if you’ve got the time, we’d recommend going back and reading the previous entries in this series and reminiscing a bit.

It’s also a good time to reflect on Hackaday itself — how we’ve grown, the things that have changed, and perhaps what we can do better going forward. Believe it or not, we do read all of the feedback from the community, whether it’s in the comments of individual posts or sent to us directly. We couldn’t do this without readers like you, so please drop us a line and let us know what you’re thinking.

So before we get any farther into 2024, let’s wind back the clock and revisit some of the highlights from the previous year.

Continue reading “2023: As The Hardware World Turns”