Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist

Even for those with paraskevidekatriaphobia, today is your lucky day as Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney sit under ladders with umbrellas while holding black cats to talk about the week in awesome hacks. And what a week it was, with a Scooby Doo code review, mushrooms in your PCBs, and the clickiest automatic transmission that never was. Have you ever flashed the firmware on a $4 wireless sensor? Maybe you should try. Wondering how to make a rotary Hall sensor detect linear motion? We’ll answer that too. Will AI muscle the dungeon master out of your D&D group? That’s a hard no. We’ll talk about a new RISC-V ESP32, making old video new again, nuclear reactor kibble, and your least satisfying repair jobs. And yes, everyone can relax — I’m buying her a new stove.

Download the podcast in case our servers get unlucky.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Continue reading “Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist”

This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix and was released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or a buffer. But what if the key passed in to the verify() function was actually a complex object, bringing its own toString() method along to play? At that point, we have arbitrary code execution. And if this code is running on the server side under Node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable. Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”


3D Printering: Can You Ever Have Enough Vitamins?

As a community we owe perhaps more than we realise to the RepRap project. From it we get not only a set of open-source printer designs, but also the fact that 3D printing at our level has never become dominated by proprietary manufacturers in the way that, for example, paper printing is. The idea of a printer that can reproduce itself has never quite been fully realised though, because of what the RepRap community refer to as “vitamins”.

These are the mass-produced parts such as nuts, bolts, screws, and other parts which a RepRap printer can’t (yet) create for itself. It’s become a convenience among some of my friends to use this term in general for small pieces of hardware, which leads me to last week. I had a freshly printed prototype of one of my projects, and my hackerspace lacked the tiny self-tapping screws necessary for me to assemble it. Where oh where, was my plaintive cry, are the vitamins!

So my hackerspace is long on woodscrews for some reason, and short on machine screws and self-tappers. And threaded inserts for that matter, but for some reason it’s got a kit of springs. I’m going to have to make an AliExpress order to fix this, so maybe I need you lot to help me. Just what vitamins does a lone hardware hacker or a hackerspace need? Continue reading “3D Printering: Can You Ever Have Enough Vitamins?”

AI-Controlled Twitch V-Tuber Has More Followers Than You

Surely we have all at least heard of Twitch by now. For the as-yet uninitiated: imagine you had your own TV channel. What would you do on it? Although Twitch really got going as a place for gamers to stream the action, there are almost as many people jamming out on their guitars, or building guitars, or just talking about guitars. And that’s just the example that uses guitars — if you can think of it, someone is probably doing it live on Twitch, within the Terms of Service, of course.

Along with the legions of people showing their faces and singing their hearts out, you have people in partial disguise, and then you have v-tubers. That stands for virtual tubers, and it just means that the person is using an anime avatar to convey themselves.

Now that you’re all caught up, let’s digest the following item together: there’s a v-tuber on Twitch that’s controlled entirely by AI. Let me run that by you again: there’s a person called [Vedal] who operates a Twitch channel. Rather than stream themselves building Mad Max-style vehicles and fighting them in a post-apocalyptic wasteland, or singing Joni Mitchell tunes, [Vedal] pulls the strings of an AI they created, which is represented by an animated character cleverly named Neuro-sama. Not only does Neuro-sama know how to play Minecraft and osu!, she speaks gamer and interacts regularly with chat in snarky, 21st century fashion. And that really is the key behind Twitch success — interacting with chat in a meaningful way.

Continue reading “AI-Controlled Twitch V-Tuber Has More Followers Than You”

Wizards Slay The Dragon That Lays The Golden Egg

Hail, and well met, adventurers! There are rumors of dark dealings and mysterious machinations from that group of Western mystics, Wizards of the Coast (WotC). If this pernicious plot is allowed to succeed, a wave of darkness will spread over this land of Open Source gaming, the vile legal fog sticking to and tainting everything it touches. Our quest today is to determine the truth of these words, and to devise a defense for the world of open gaming, and indeed perhaps the entire free world! Beware, the following adventure will delve into the bleak magic of licensing, contract law, and litigation.

Ah, Dungeons and Dragons. The original creation of Gary Gygax, refined by countless others, this table-top role-playing game has brought entertainment and much more to millions of players for years. In 2000, WotC made a decision that opened the mechanics of that universe to everyone. The 3rd Edition of Dungeons and Dragons was released under the Open Gaming License, a very intentional port of Open Source licensing to table-top gaming — obviously inspired by the GNU Public License. Ryan Dancey was one of the drivers behind the new approach, and made this statement about it:

I think there’s a very, very strong business case that can be made for the idea of embracing the ideas at the heart of the Open Source movement and finding a place for them in gaming. […] One of my fundamental arguments is that by pursuing the Open Gaming concept, Wizards can establish a clear policy on what it will, and will not allow people to do with its copyrighted materials. Just that alone should spur a huge surge in independent content creation that will feed into the D&D network.

Continue reading “Wizards Slay The Dragon That Lays The Golden Egg”

Supercon 2022: Samy Kamkar’s Glowing Breath

Sometimes the journey itself is the destination. This one started when [Samy] was 10 and his mom bought a computer. He logged on to IRC to talk with people about the X-Files and was WinNuked. Because of that experience, modulo a life of hacking and poking and playing, the talk ends with a wearable flex-PCB Tesla coil driving essentially a neon sign made from an ampule of [Samy]’s own breath around his neck. Got that? Buckle up, it’s a rollercoaster.

Continue reading “Supercon 2022: Samy Kamkar’s Glowing Breath”

All About USB-C: Power Delivery

USB-C eliminates the proprietary barrel-plug chargers that we’ve been using for laptops and myriad other devices. It fights proprietary phone charger standards by explicitly making them non-compliant, bullying companies into making their devices work with widely available chargers. As a hobbyist, you no longer need to push 3 A through tiny MicroUSB connectors and underspecced cables to power a current-hungry Pi 4. Today, all you need is a USB-C socket with two resistors – or a somewhat special chip in case the resistors don’t quite get you where you want to be.

You get way more bang for your buck with USB-C. This applies to power too; after all, not all devices will subsist on 15 W – some will want more. If 15 W isn’t enough for your device, let’s see how we can get you beyond.

Reaching Higher

USB-C power supplies always support 5 V and some are limited to that, but support for higher voltages is where it’s at. The usual voltage steps of USB-C are 5 V, 9 V, 15 V and 20 V; 12 V support is optional and is more of a convention. These steps are referred to as SPR, and EPR adds 28 V, 36 V and 48 V steps into the mix – for up to 240 W. EPR requires new cables, but it is fully backwards and forwards compatible, and fully safe to use thanks to the cable and device checks that USB-C lets you perform.

A charger has to support all steps below its highest step, which means that 20 V-capable chargers also have to support 5 V, 9 V, and 15 V – in practice, most of them indeed do, and only some might skip a step or two. You can also get voltages in between, even down to 3.3 V, using a PD standard called PPS (or the AVS standard for EPR-range chargers) – it’s not a requirement, but you’ll find that quite a few USB-C PSUs will oblige, and PPS support is usually written on the label. Continue reading “All About USB-C: Power Delivery”