Hinged Parts For The 8th Grade Set

I recently agreed to run a 3D printing camp for 8th graders. If you’ve never shared your knowledge with kids, you should. It is a great experience. However, it isn’t without its challenges. One thing I’ve learned: don’t show the kids things that you don’t want them to try to print.

I learned this, of course, the hard way. I have several “flexy” 3D prints. You know the kind. Flexy dinosaurs, cats, hedgehogs, and the like. They all have several segments and a little hinge so the segments wobble. The problem is the kids wanted to print their own creations with flexy hinges.

I’ve built a few print-in-place hinges, but not using Tinkercad, the software of choice for the camp. While I was sure it was possible, it seemed daunting to get the class to learn how to do it. Luckily, there’s an easy way to add hinges like this to a Tinkercad design. There was only one problem.

Continue reading “Hinged Parts For The 8th Grade Set”

This Week In Security: ACME.sh, Leaking LEDs, And Android Apps

Let’s Encrypt has made an enormous difference to the landscape of the web. The protocol used for authenticating and receiving certificates, ACME, has spawned quite a few clients of various flavors. Some are written in Rust, some in Python or Go, and a few in straight Bash shell script. One of those last ones, acme.sh, was doing something odd when talking to a particular “Certificate Authority”, HiCA. This pseudo-CA only supports acme.sh, and now we know why. The folks behind HiCA found an RCE exploit in acme.sh, and decided to use that exploit to do certificate issuance with more “flexibility”. Oof.

The nuts and bolts here are that HiCA was acting as a CA-in-the-middle, wrapping other CAs’ issuance services. Those CAs don’t speak ACME at all, and HiCA used the acme.sh vulnerability to put the authentication token in the place SSL.com expected to find it. So, just a good community member offering a service that ACME doesn’t quite support, right?

Well, maybe not so innocent. The way this appears to work is that the end user sends a certificate request to HiCA. HiCA takes that information and initiates a certificate request of its own with SSL.com. SSL.com sends back a challenge, and HiCA embeds that challenge in an RCE payload and sends it to the end user’s acme.sh. The end user’s machine triggers the RCE, which writes SSL.com’s challenge token to the well-known location, bypassing the protection ACME has against exactly this sort of CA-in-the-middle situation: a challenge is bound to the account key that requested it, so an honest client would never have answered a challenge issued to HiCA’s account.

The last piece of the authentication process is that the signing server reaches out over HTTP to the domain being validated and looks for the token to be there. Once found, it sends the signed certificate to HiCA, who then forwards it on to the end user. And that’s the problem. HiCA had arbitrary code execution on every client that used it, and so was in a position to read the private key of every certificate it brokered. A leaked key doesn’t let an attacker decrypt past traffic when forward-secret cipher suites are in use, but it could be used to impersonate those domains or launch MitM attacks against them. There’s no evidence that HiCA was actually capturing or using those keys, but this company was abusing an RCE to put itself in the position to have that ability.

The takeaway is twofold. First, as an end user, only use reputable CAs. And second, ACME clients need to be hardened against potentially malicious CAs. The fact that HiCA only supported the one ACME client was what led to this discovery, and should have been a warning flag to anyone using the service. Continue reading “This Week In Security: ACME.sh, Leaking LEDs, And Android Apps”
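The CA-in-the-middle walk-through above, and the call for client hardening, both come down to one detail of ACME: the http-01 key authorization is the challenge token joined to a thumbprint of the account key that asked for the challenge (RFC 8555 section 8.1, RFC 7638 for the thumbprint), and the token itself is constrained to the base64url alphabet (section 8.3). The script below is an added illustration, not acme.sh code or anything from the Hackaday article; the JWKs, the token, and the name “HiCA” standing in for the relaying party are constructed placeholders. It shows why an honest client fails SSL.com’s validation when HiCA relays SSL.com’s token, why the same token passes once HiCA can write the web root itself, and what a hardened client should check before a token ever reaches a shell or a filename.

```python
"""Toy model of ACME http-01 key authorization and a CA-in-the-middle.
Added example, not acme.sh code.  Keys and tokens are constructed values."""
import base64
import hashlib
import json
import re

# RFC 8555 s8.3: base64url characters only, no padding, >=128 bits of entropy
# (22 base64url characters encode 132 bits), so anything else is not a token.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered,
    serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def validate_token(token: str) -> bool:
    """The check a hardened client makes before the token touches a shell,
    a path, or a web root.  Shell metacharacters and '/' can never appear."""
    return bool(_TOKEN_RE.fullmatch(token))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    if not validate_token(token):
        raise ValueError(f"refusing malformed challenge token: {token!r}")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_validates(token: str, account_jwk_at_ca: dict, served: str) -> bool:
    """The CA fetches /.well-known/acme-challenge/<token> and compares it with
    the key authorization computed from the account key *it* has on file."""
    return served == key_authorization(token, account_jwk_at_ca)


# Constructed sample JWKs: not real curve points, only their thumbprints matter.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x", "y": "client-y"}
HICA_JWK = {"kty": "EC", "crv": "P-256", "x": "hica-x", "y": "hica-y"}

SSLCOM_TOKEN = "8Yn7K2q1V0Zc3WtPdRmLxA"  # constructed, 22 base64url characters


def honest_client_scenario() -> bool:
    """HiCA relays SSL.com's token to the client.  The client answers with its
    own account key, but SSL.com only knows HiCA's account key, so validation
    fails.  This binding is what stops a passive CA-in-the-middle."""
    served = key_authorization(SSLCOM_TOKEN, CLIENT_JWK)
    return ca_validates(SSLCOM_TOKEN, HICA_JWK, served)


def hijacked_client_scenario() -> bool:
    """With code execution on the client, HiCA drops the key authorization it
    computed (SSL.com's token plus HiCA's thumbprint) into the client's web
    root, and SSL.com's check passes although the client never meant to answer."""
    served = key_authorization(SSLCOM_TOKEN, HICA_JWK)
    return ca_validates(SSLCOM_TOKEN, HICA_JWK, served)


def hardened_client_rejects(token: str) -> bool:
    """True when the client refuses a token that is not a valid ACME token."""
    try:
        key_authorization(token, CLIENT_JWK)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("honest client passes SSL.com validation:", honest_client_scenario())
    print("hijacked client passes SSL.com validation:", hijacked_client_scenario())
    print("malformed token rejected:", hardened_client_rejects("abc$(id)/../x"))
```

The token check is the cheap part of hardening; the larger lesson for a shell-script client is that nothing the CA sends (tokens, URLs, header values, error strings) should ever be interpolated into a command line or passed through eval.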

Retrotechtacular: Circuit Potting, And PCBs The Hard Way

There was a time when the very idea of building a complex circuit with the intention of destroying it would have been anathema to any electrical engineer. The work put into designing a circuit, procuring the components, and assembling it, generally with point-to-point wiring and an extravagant amount of manual labor, only to blow it up? Heresy!

But, such are the demands of national defense, and as weapons morphed into “weapon systems” after World War II, the need arose for electronics that were not only cheap enough to blow up but also tough enough to survive the often rough ride before the final bang. The short film below, simply titled Potted and Printed Circuits, details the state of the art in miniaturization and modularization of electronics, circa 1952. It was produced by the Telecommunications Research Establishment (TRE), the main electronics R&D entity in the UK during the war, which was responsible for much of the wartime development of radar, radio navigation, and jamming technology.

Continue reading “Retrotechtacular: Circuit Potting, And PCBs The Hard Way”

New Wearable Detects Imminent Vocal Fatigue

“The show must go on,” so they say. These days, whether you’re an opera singer, a teacher, or just someone with a lot of video meetings, you rely on your voice to work. But what if your voice is under threat? Work it too hard, or for too long, and you might find that it suddenly lets you down.

Researchers from Northwestern University have developed a new technology to guard against this. It’s the first wearable device that monitors vocal usage and calls for a time out before damage occurs. The research has been published in the Proceedings of the National Academy of Sciences.

Continue reading “New Wearable Detects Imminent Vocal Fatigue”

The Simplest Social Engineering Hack Of Them All

Here at Hackaday we cover news and interesting features for the hacker community, with an emphasis more on the hardware side. Nevertheless we also cover stories from time to time from the broader world of security. These usually involve vulnerabilities discovered through the patient work of software or hardware researchers, and are certainly what we’d call hacking. But what about those information security breaches that aren’t hacks like that at all? What happens when the person being breached simply gives you the information?

I’ve got one, and while it’s Not A Hack, it’s definitely something that we and those outside our community need to talk about. I’m talking about the depressingly common occurrence of organisations who should know better, gifting their letterhead to all and sundry in the form of freely editable Word documents. Continue reading “The Simplest Social Engineering Hack Of Them All”

Linux Fu: Easy And Easier Virtual Networking

One of the best things about Linux is that there are always multiple ways to do anything you want to do. However, some ways are easier than others. Take, for example, virtual networking. There are plenty of ways to make a bunch of Internet-connected computers appear to be on a single private network. That’s nothing new, of course. Linux and Unix have robust networking stacks. Since 2018, though, WireGuard has been the go-to solution; it has a modern architecture, secure cryptography, and good performance.

There’s only one problem: it is relatively difficult to set up. Not impossible, of course. But it is a bit difficult, depending on what you want to accomplish.

How Difficult?

You must set up a WireGuard server and one or more clients. You’ll need to pick a range of IP addresses. You might need to turn on routing. You have to generate keys. You might need to configure DNS and other routing options. You’ll certainly need to modify firewall rules. You’ll also need to distribute keys.

None of these steps are terribly difficult, but it is a lot to keep straight. The wg program and wg-quick script do most of the work, but they leave you with a lot of decisions to make and configuration to manage.

Browse the official “quick start,” and you’ll see that it isn’t all that quick. The wg-quick script is better but only handles some use cases. If you want really limited use cases, there are third-party tools to do a lot of the rote work, but if you need to change anything, you’ll still need to figure it all out.
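Most of the decisions listed above (address range, who may claim which address, what gets routed through the tunnel, the NAT and forwarding rules, and which file goes to which client) are configuration management rather than cryptography, and that part scripts nicely. The generator below is an added example, not from the Linux Fu article or the WireGuard project: it plans a hub-and-spoke network and emits one wg-quick file for the server and one per client. The key strings are placeholders to be replaced with the output of `wg genkey` and `wg pubkey`, the endpoint `vpn.example.net:51820` is made up, the `eth0` interface name and iptables rules are assumptions about the server, and the DNS line assumes you run a resolver on the server’s tunnel address.

```python
"""Plan a hub-and-spoke WireGuard network and write wg-quick configs.
Added example, not WireGuard project code.  Keys below are placeholders."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Peer:
    name: str
    public_key: str            # output of `wg pubkey` on the peer's private key
    private_key: str           # only written into the peer's own config file
    full_tunnel: bool = False  # route all traffic (0.0.0.0/0) via the server
    address: Optional[ipaddress.IPv4Interface] = None  # assigned by plan()


def plan(subnet: str, peers: list[Peer]) -> tuple[ipaddress.IPv4Interface, list[Peer]]:
    """First usable host goes to the server, the rest to peers in order.
    Raises if the range is too small rather than handing out overlapping
    addresses, a mistake wg-quick will not catch for you."""
    net = ipaddress.ip_network(subnet)
    hosts = iter(net.hosts())
    try:
        server_ip = ipaddress.ip_interface(f"{next(hosts)}/{net.prefixlen}")
        for p in peers:
            p.address = ipaddress.ip_interface(f"{next(hosts)}/{net.prefixlen}")
    except StopIteration:
        raise ValueError(f"{subnet} has too few addresses for {len(peers)} peers")
    return server_ip, peers


def server_config(server_key: str, server_ip: ipaddress.IPv4Interface,
                  listen_port: int, wan_if: str, peers: list[Peer]) -> str:
    """[Interface] plus one [Peer] per client.  Server-side AllowedIPs is the
    single /32 each peer was given, so no peer can claim another's address.
    PostUp/PostDown add and remove the forwarding and NAT rules (assumed
    iptables; adjust for nftables)."""
    lines = [
        "[Interface]",
        f"Address = {server_ip}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = {server_key}",
        f"PostUp = iptables -A FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE",
        f"PostDown = iptables -D FORWARD -i %i -j ACCEPT; "
        f"iptables -t nat -D POSTROUTING -o {wan_if} -j MASQUERADE",
    ]
    for p in peers:
        lines += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.public_key}",
                  f"AllowedIPs = {p.address.ip}/32"]
    return "\n".join(lines) + "\n"


def peer_config(peer: Peer, server_pub: str, server_ip: ipaddress.IPv4Interface,
                endpoint: str, dns: Optional[str]) -> str:
    """The file handed to one client.  AllowedIPs decides whether only the VPN
    subnet or all traffic is routed through the tunnel; DNS only makes sense
    for a full tunnel."""
    allowed = "0.0.0.0/0" if peer.full_tunnel else str(server_ip.network)
    lines = ["[Interface]", f"Address = {peer.address}", f"PrivateKey = {peer.private_key}"]
    if dns and peer.full_tunnel:
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]", f"PublicKey = {server_pub}", f"Endpoint = {endpoint}",
              f"AllowedIPs = {allowed}", "PersistentKeepalive = 25"]
    return "\n".join(lines) + "\n"


# Placeholders: replace with `wg genkey | tee priv | wg pubkey` output.
SERVER_PRIV, SERVER_PUB = "SERVER_PRIVATE_KEY_PLACEHOLDER=", "SERVER_PUBLIC_KEY_PLACEHOLDER="
PEERS = [
    Peer("laptop", "LAPTOP_PUB=", "LAPTOP_PRIV=", full_tunnel=True),
    Peer("phone", "PHONE_PUB=", "PHONE_PRIV="),
]


def build_all(subnet: str = "10.8.0.0/24", endpoint: str = "vpn.example.net:51820",
              dns: Optional[str] = "10.8.0.1") -> dict[str, str]:
    """Return {filename: config text} for the server and every peer."""
    server_ip, peers = plan(subnet, PEERS)
    configs = {"wg0.conf": server_config(SERVER_PRIV, server_ip, 51820, "eth0", peers)}
    for p in peers:
        configs[f"{p.name}.conf"] = peer_config(p, SERVER_PUB, server_ip, endpoint, dns)
    return configs


if __name__ == "__main__":
    for name, text in build_all().items():
        print(f"==== {name} ====\n{text}")
```

Key distribution is deliberately left out of the script: each client’s private key should be generated on that client and only its public key sent back, so the generator would normally be fed public keys and would never see `LAPTOP_PRIV=` at all.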

That being said, once you have it set up, it pretty much works without issue and works well. But that initial setup can be very frustrating. Continue reading “Linux Fu: Easy And Easier Virtual Networking”

Supercon 2022: [Liz McFarland] Builds Golden Wings, Shows You How

Are you, by any chance, wondering about giving yourself wings? You should listen to [Liz McFarland] sharing her experience building a Wonder Woman suit, and not just any – the Golden Eagle suit from Wonder Woman 1984, adorned with a giant pair of wings. If a suit like that is in your plans, you’ll be warmly welcomed at a cosplay convention – and [Liz] had her sights on the San Diego Comic Con. With an ambitious goal of participating in the Comic Con’s cosplay contest, the suit had to be impressive – and impressive, it indeed was, not just for its looks, but for its mechanics too.

[Liz] tells us everything – from producing the wings and painting them, to keeping them attached to the body while distributing the weight, and of course, things like on-venue nuances and safety with regard to other participants. The less glamorous side of cosplay building isn’t hidden either – the art of staying within a reasonably tight budget. This build takes advantage of a hackerspace that [Liz] is an active member of – [Crash Space] in LA. Everything comes into play: laser cutting, 3D printing, and even custom jigs for bending the wings’ structural PVC pipes.

It would have been a travesty not to have the wings move at will, of course, and [Liz] had all the skills you could want for making the wings complete. She went for two linear actuators, walking us through the mechanical calculations and considerations required to have everything fit together. It’s not easy to build a set of wings on its own, let alone one that moves and doesn’t crumble as you use it – if you have already attempted bringing mechanical creations like this to life, you can see the value in what [Liz] shares with us, and if you haven’t yet delved into it, this video will help you avoid quite a few pitfalls while setting an example you can absolutely reach.

The suit was a resounding success at the con, and got [Liz] some well-earned awards – today, the suit’s story is here for the hackers’ world. Now, your cosplay aspirations have an inspiring real-life journey to borrow from, and we thank [Liz] for sharing it with us.

Continue reading “Supercon 2022: [Liz McFarland] Builds Golden Wings, Shows You How”