Say It With Me: Bandwidth

Bandwidth is one of those technical terms that has been overloaded in popular speech: as an example, an editor might ask if you have the bandwidth to write a Hackaday piece about bandwidth. Besides this colloquial usage, there are several very specific meanings in an engineering context. We might speak about the bandwidth of a signal like the human voice, or of a system like a filter or an oscilloscope — or, we might consider the bandwidth of our internet connection. But, while the latter example might seem fundamentally different from the others, there’s actually a very deep and interesting connection that we’ll uncover before we’re done.

Let’s have a look at what we mean by the term bandwidth in various contexts.


Low-Level Analog Measurement Hack Chat

Join us on Wednesday 17 July 2019 at noon Pacific for the Low-Level Analog Measurement Hack Chat with Chris Gammell!

A lot of electronics enthusiasts gravitate to the digital side of the hobby, at least at first. It’s understandable – an Arduino, a few jumpers, and a bit of code can accomplish a lot. But in the final analysis, digital circuits are just analog circuits with the mystery abstracted away, and understanding the analog side opens up a fascinating window on the world of electronics.

Chris Gammell is well-known around hacker circles thanks to his Amp Hour Podcast with Dave Jones, his KiCad tutorials, and his general hacker chops. He’s also got a thing for the analog world, and wants to share some of the tips and tricks he’s developed over his two decades as an electrical engineer. In the next Hack Chat, we’ll be joining Chris down in the weeds to learn the ins and outs of low-level analog measurements. Join us with your questions and insights, or just come along to peel back some of the mysteries of the analog world.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday July 17 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Review: Shi Yi Tool Sy365-8 Desoldering Iron, Second Cheapest You Can Find

Is the second cheapest tool you can find any better than the cheapest one?

Readers with long memories will recall there was a time when I amused myself by tacking inexpensive tools or electronic devices to my various orders from the Chinese electronic Aladdin’s Cave. Often these inexpensive purchases proved to be as disastrous or ineffective as you might expect, but sometimes they show unexpected promise, true diamonds in the rough. It’s been a while and life has intervened over the last year, but it’s time to resume this harmless diversion.

Memories Of An Explosive Conclusion

A particularly memorable review came in April 2018, when I bought a five pound ($6.30) desoldering iron. I described it then as an “unholy lovechild of a cheap solder sucker and an even cheaper soldering iron“, and while that was an accurate portrayal it also showed promise as a useful tool that would fill a niche in my requirements. Desoldering is always slightly annoying, and a heated desolder pump genuinely does make a difference. Unfortunately for me, the cheap desoldering tool was not a product I’d recommend that anyone try for themselves. A combination of questionable electrical safety and a propensity to explosively deconstruct itself meant it has languished unused in my big box of cheap junk, and I’m still without a decent desoldering solution. It is time to buy something better, and in the rich tradition of reviewing inexpensive stuff I decided to pick up the next cheapest desoldering iron I could find. Eight pounds ($10) secured me a Shi Yi Tool Sy365-8, and I set to on this review.

The unit arrived in a blister pack along with a wire tool for clearing its nozzle and a metal pointy thing whose intended use is unclear. All the information on the pack is in Chinese, but with Google Translate it was revealed to be nothing more than the usual descriptive text. The iron itself is similar to the previously reviewed model, something like a chunky take on a cheap soldering iron with the plunger and button of a spring-loaded desoldering tool protruding from the handle. It also has the same arrangement of the power cord emerging from the side of the handle below the element, and the same American-style NEMA mains plug.

Commenters assured me last time that in China this is sometimes used as a 230V connector, however for UK mains I put a BS1363A plug on it.

Extra Insulation Gives Confidence

The iron’s tip required tinning to be most effective.

Examining it more closely it was clear where at least some of my extra three quid had gone. The element and tip look very similar to those on the cheaper iron, but where the previous one’s mains cable had entered without sleeving right against the hot metal base of the element, this one has an extra insulating collar between handle and metalwork. It doesn’t have a double-insulated symbol anywhere on it, but unlike the other model it gives me confidence in its 3A twin wire no earth mains cable.

In use, the iron performed exactly as expected. A heated solder sucker is an effective tool, able to more efficiently remove solder than a separate iron and sucker. It smoked a bit on first use due to oil from manufacturing and it could use a bit more power than the quoted 36W because large joints needed a bit of time to get the heat into them, but otherwise it’s exactly the desoldering tool I expected for my 8 quid.

Will It Blow? Or Will It Suck?

This plunger seems to be securely retained.

So to the most important paragraph of the whole review, the one with the answer to the question you’re all asking. Did this tool explosively deconstruct itself as its cheaper competitor had? That solder sucker had been fixed together by friction alone, its piston was a push-on fit, and a bit of usage had dislodged it. I’m pleased to say that this one appears to have a different design with a secure cap over the top of the piston, and try as I might I couldn’t launch its plunger off across the room.

In conclusion then, the Shi Yi Tool Sy365-8 desoldering iron is an effective tool for its size and power rating that appears to have been designed with some thought to electrical safety and which seems well-enough assembled that it remains in one piece during repeated use. It won’t replace your high-end desoldering station, but it’s a handy bench tool for the occasional desolderer.

Hackaday Links: July 14, 2019

The M5Stack is a plastic box loaded up with an ESP32, a display, some pin headers, and a few buttons. Why does this exist? It’s a platform of sorts, and we’ve seen people adding LoRa to the M5Stack as well as thermal cameras. Hot from random online retailers is the M5Stick, a smaller version of the ~Stack that still has a screen, still has pin headers, and still has an ESP32. It’s a new development platform that’s using a USB C plug (hot trends 2019), and it still has all the features of an ESP32.

Ever wonder how they put designs on skateboard decks, or graphic designs on luggage? That would be a UV printer — it’s basically an inkjet that uses UV-curing ink, but the print head has a Z axis, and the bed is usually huge. [Scotty] of Strange Parts recently took a look at a factory that makes UV printers. Yeah, there’s a lot of wiring that goes into these machines, and yeah, you can do a lot with them. Remember: the cheapest UV printers are about $3k, and yeah, you can print designs on PCBs with them.

Virgin Orbit is the Branson-branded take on the Stratolaunch; this is a rocket that uses a single 747 to loft a small rocket into the stratosphere and send it off into a sun-synchronous orbit. This week, Virgin Orbit has completed drop tests to characterize how the rocket falls away from the 747. This is also called ‘a bombing run’, and we could have used a few GoPros on the rocket itself.

Last weekend was ‘LeHack’, a French hacker/infosec conference. There was a coffee vending machine there, complete with touch screen and an offer to pay via your smartphone with an app. You know what happened. It turns out, you can take over all the accounts using the app. You can also brute force the user’s PINs. Lesson learned? Why the hell does a coffee machine need an app?

The New Pallet Wood! First off, don’t make anything out of pallet wood unless you know what you’re doing; there’s some nasty chemicals in pallet wood. That said, you can make a fortune with pallet wood furniture on Etsy, and that’s doubly true if you make a pallet wood resin river table. This is the new pallet wood. Hollow core doors are easy to disassemble with a table saw, and provide two large sheets of plywood, and enough sticks to make a frame for something. What can you do with all this wood? Build a guitar, of course.

Linux Fu: Named Pipe Dreams

If you use just about any modern command line, you probably understand the idea of pipes. Pipes are the ability to connect the output from one program to the input of another. For example, you can more easily review contents of a large directory on a Linux machine by connecting two simple commands using a pipe:

ls | less

This command runs ls and sends its output to the input of the less program. In Linux, both commands run at once and output from ls immediately appears as the input of less. From the user’s point of view it’s a single operation. In contrast, under regular old MSDOS, two steps would be necessary to run these commands:

ls > SOME_TEMP_FILE
less < SOME_TEMP_FILE

The big difference is that ls will run to completion, saving its output to a file. Then the less command runs and reads the file. The result is the same, but the timing isn’t.

You may be wondering why I’m explaining such a simple concept. There’s another type of pipe that isn’t as often used: a named pipe. The normal pipes are attached to a pair of commands. However, a named pipe has a life of its own. Any number of processes can write to it and read from it. Learning the ways of named pipes will certainly up your Linux-Fu, so let’s jump in!


Hackaday Podcast 026: Tamper-Proof Electronics, Selfie Drones, Rocket Fuel, Wire Benders, And Wizard-Level Soldering

Hackaday Editors Mike Szczys and Elliot Williams are back after last week’s holiday break to track down all of the hacks you missed. There are some doozies; a selfie-drone controlled by your body position, a Theremin that sings better than you can, how about a BGA hand-soldering project whose creator can’t even believe he pulled it off. Kristina wrote a spectacular article on the life and career of Mary Sherman Morgan, and Tom tears down a payment terminal he picked up in an abandoned Toys R Us, plus much more!

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!


This Week In Security: Censoring Researchers, The Death Of OpenPGP, Dereferencing Nulls, And Zoom Is Watching You

Last week the schedule for our weekly security column collided with the Independence Day holiday. The upside is that we get a two-for-one deal this week, as we’re covering two weeks’ worth of news, and there is a lot to cover!

[Petko Petrov], a security researcher in Bulgaria, was arrested last week for demonstrating a weakness he discovered in a local government website. In the demonstration video, he stated that he attempted to disclose the vulnerability to both the software vendor and the local government. When his warnings were ignored, he took to Facebook to inform the world of the problem.

From the video, it appears that a validation step was performed on the browser side, easily manipulated by the end user. Once such a flaw is discovered, it becomes trivial to automate the process of scraping data from the vulnerable site. The vulnerability found isn’t particularly interesting, though the amount of data exposed is rather worrying. The bigger story is that as of the latest reports, the local government still intends to prosecute [Petko] for downloading data as part of demonstrating the attack.

YouTube Censorship

We made a video about launching fireworks over Wi-Fi for the 4th of July only to find out @YouTube gave us a strike because we teach about hacking, so we can't upload it. YouTube now bans: "Instructional hacking and phishing: Showing users how to bypass secure computer systems"

In related news, Google has begun cracking down on “Instructional Hacking and Phishing” videos. [Kody] from the Null Byte YouTube channel found himself locked out of his own channel, after receiving a strike for a video discussing a Wi-Fi vulnerability.

The key to getting a video unblocked seems to be generating lots of social media attention. Enough outcry seems to trigger a manual review of the video in question, and usually results in the strike being rescinded.

Improved Zip Bomb

A zip bomb is a small zip file that unzips into a ridiculously large file or collection of files. While there are obvious nefarious uses for such a file, it has also become something of a competition, crafting the most extreme zip bomb. The previous champion was 42.zip, a recursive zip file that when fully extracted, weighs in at 42 petabytes. A new contender may have just taken the crown, and without using zip file recursion.

[David Fifield] discovered a pair of ZIP tricks. First being that multiple files can be constructed from a single “kernel” of compressed data. The second is that file headers could also be part of files to be decompressed. It’s clever work, and much easier to understand when looking at the graphics he put together. From those two points, the only task left is to optimize. Taking advantage of the zip64 format, the final compression ratio was approximately 98 million to one.
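A pre-extraction check aimed at the two tricks described above, as an added example (not code from the original column or from [David Fifield]'s write-up): it reads only the archive's metadata, totals the declared uncompressed size, and flags entries whose byte ranges overlap. The thresholds and function names are assumptions, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

MAX_TOTAL_BYTES = 100 * 1024 * 1024  # assumed extraction budget
MAX_RATIO = 200                      # assumed ceiling on the expansion ratio


def entry_spans(data):
    """(start, end, name) of each entry's local header plus compressed data."""
    spans = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != b"PK\x03\x04":
                raise zipfile.BadZipFile(f"no local header for {info.filename!r}")
            # Name and extra lengths are read from the local header, which
            # may differ from the central directory's copy.
            name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
            end = off + 30 + name_len + extra_len + info.compress_size
            spans.append((off, end, info.filename))
    return sorted(spans)


def find_overlaps(spans):
    """Pairs of entry names whose byte ranges intersect (spans sorted by start)."""
    overlaps = []
    furthest_end, furthest_name = 0, None
    for start, end, name in spans:
        if furthest_name is not None and start < furthest_end:
            overlaps.append((furthest_name, name))
        if end > furthest_end:
            furthest_end, furthest_name = end, name
    return overlaps


def check_archive(data, max_total=MAX_TOTAL_BYTES, max_ratio=MAX_RATIO):
    """Return reasons to refuse extraction; an empty list means acceptable."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        total = sum(info.file_size for info in zf.infolist())
    reasons = []
    if total > max_total:
        reasons.append(f"declared size {total} exceeds budget {max_total}")
    if total > max_ratio * len(data):
        reasons.append(f"expansion ratio above {max_ratio}:1")
    for first, second in find_overlaps(entry_spans(data)):
        reasons.append(f"entries overlap: {first!r} and {second!r}")
    return reasons


def build_sample(payload):
    """Constructed sample: an ordinary two-file archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", payload)
        zf.writestr("b.txt", payload)
    return buf.getvalue()
```

Declared sizes come from the archive itself and can be wrong, so an extractor should also cap the bytes it actually writes.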

Breaking OpenPGP Keyservers

OpenPGP as we know it is on the ropes. OpenPGP is the technique that allows encryption and verification of emails through cryptographic signatures. It’s the granddaddy of modern secure communication, and still widely used today. One of the features of OpenPGP is that anyone can upload their public key to keyservers hosted around the world. Because of the political climate in the early 90’s when OpenPGP was first developed, it was decided that a baked-in feature of the keyserver was that uploaded keys could never be deleted.

Another feature of OpenPGP keys is that one user can use their key to sign another user’s key, formally attesting that it is valid. This creates what is known as a “web of trust”. When an OpenPGP instance validates a signature, it also validates all the attestations attached to that signature. Someone has spammed a pair of OpenPGP certificates with tens of thousands of signatures. If your OpenPGP client refreshes those signatures, and attempts to check the validations, it will grind to a halt under the load. Loading the updated certificate permanently poisons the offline key-store. In some cases, just the single certificate can be deleted, but some users have had to delete their entire key store.

It’s now apparent that parts of the OpenPGP infrastructure haven’t been well maintained for quite some time. [Robert J. Hansen] has been spearheading the public response to this attack, and is also one of the users directly targeted. In a follow-up post, he alluded to the need to rewrite the keyserver component of OpenPGP, and the lack of resources to do so.

It’s unclear what will become of the OpenPGP infrastructure. It’s likely that the old keyserver network will have to be abandoned entirely. An experimental keyserver is available at keys.openpgp.org that has removed the spammed signatures.
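A pre-import check for the signature flooding described in this section, as an added example (not GnuPG's or any keyserver's code): it walks the packet framing of a binary, non-armored OpenPGP certificate and counts signature packets, so an oversized certificate can be refused before it reaches the keyring. The threshold and function names are assumptions, and the sample certificate is constructed with dummy packet bodies.

```python
import struct

SIGNATURE_TAG = 2       # signature packet tag (RFC 4880, section 4.3)
MAX_SIGNATURES = 500    # assumed local policy, not a GnuPG setting


def iter_packets(data):
    """Yield (tag, body_length) for each packet in a binary OpenPGP stream."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                      # new-format header
            tag, o1 = first & 0x3F, data[pos]
            if o1 < 192:                      # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:                    # two-octet length
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:                   # five-octet length
                length, pos = struct.unpack_from(">I", data, pos + 1)[0], pos + 5
            else:
                raise ValueError("partial body length in a certificate")
        else:                                 # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length in a certificate")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, length
        pos += length


def count_signatures(data):
    """Number of signature packets, found without parsing or verifying them."""
    try:
        return sum(1 for tag, _ in iter_packets(data) if tag == SIGNATURE_TAG)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated packet header") from exc


def safe_to_import(data, limit=MAX_SIGNATURES):
    """True when the certificate carries no more signatures than the policy allows."""
    return count_signatures(data) <= limit


def old_packet(tag, body):
    """Constructed packet with an old-format header (body under 64 KiB)."""
    ltype, size = (0, 1) if len(body) < 256 else (1, 2)
    return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(size, "big") + body


def new_packet(tag, body):
    """Constructed packet with a new-format header (body under 8384 bytes)."""
    n = len(body)
    hdr = bytes([n]) if n < 192 else bytes([192 + ((n - 192) >> 8), (n - 192) & 0xFF])
    return bytes([0xC0 | tag]) + hdr + body


def build_sample(n_sigs):
    """Constructed certificate: key, user ID, then n_sigs dummy signature packets."""
    cert = old_packet(6, b"\x00" * 50) + old_packet(13, b"alice@example.invalid")
    for i in range(n_sigs):
        cert += (new_packet if i % 2 else old_packet)(SIGNATURE_TAG, b"\x00" * 287)
    return cert
```

Counting packets from the framing alone is cheap because no signature is parsed or verified, which is the step that stalls a client on a flooded certificate.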

Beware the QR Codes

Link shorteners are a useful way to avoid typing out a long URL, but have a downside — you don’t know what URL you’re going to ahead of time. Thankfully there are link unshorteners, like unshorten.it. Paste a shortlink and get the full URL, so you don’t accidentally visit a shady website because you clicked on a shortened link. [Nick Guarino] over at cofense.com raises a new alarm: QR codes can similarly lead to malicious or questionable websites, and are less easily examined before scanning. His focus is primarily how a QR code can be used to bypass security products, in order to launch a phishing attack.

Most QR scanners have an option to automatically navigate to the web page in the code. Turn this option off. Not only could scanning a QR code lead to a malicious web site, but URLs can also launch actions in other apps. This potential problem of QR codes is very similar to the problem of shortened links — the actual payload isn’t human readable prior to interacting with it, when it’s potentially too late.

Dereferencing Pointers for Fun and Profit

On the 10th, the Eset blog, [welivesecurity], covered a Windows local privilege escalation 0-day being actively exploited in the wild. The exploit highlights several concepts, one of which we haven’t covered before, namely how to use a null pointer dereference in an exploit.

In C, a pointer is simply a variable that holds a memory location. In that memory location can be a data structure, a string, or even a callable function. By convention, when pointers aren’t referring to anything, they are set to NULL. This is a useful way to quickly check whether a pointer is pointing to live data. The process of interacting with a pointer’s data is known as dereferencing the pointer. A NULL pointer dereference, then, is accessing the data referred to by a pointer that is set to NULL. This puts us in the dangerous territory of undefined behavior.

Different compilers, architectures, and even operating systems will potentially demonstrate different behavior when doing something undefined. In the case of C code on 32-bit Windows 7, NULL is indistinguishable from zero, and memory location zero is a perfectly valid location. In this case, we’re not talking about the physical location zero, but logical address zero. In modern systems, each process has a dedicated pool of memory, and the OS manages the offset and memory mapping, allowing the process to use the simpler logical memory addressing.

Windows 7 has a function, “NtAllocateVirtualMemory”, that allows a process to request access to arbitrary memory locations. If a NULL, or zero, is passed to this function as the memory location, the OS simply picks a location to allocate that memory. What many consider a bug is that this function will effectively round down small memory locations. It’s quite possible to allocate memory at logical address 0/NULL, but doing so is considered to be bad behavior. The important takeaway here is that in Windows 7, a program can allocate memory at a location referred to by a null pointer.

On to the vulnerability! The malicious program sets up a popup menu and submenu as part of its GUI. While this menu is still being initialized, the malicious program cancels the request to set up the menu. By timing the cancellation request precisely, it’s possible for the submenu to still be created, but to be a null pointer instead of the expected object. A second process can then trigger the system process to call a function expected to be part of the object. Because Windows allows the allocation of memory page zero, this effectively hands system level execution to the attacker. The full write-up is worth the time to check out.

Zoom Your Way to Vulnerability

Zoom is a popular web-meeting application, aimed at corporations, with the primary selling point being how easy it is to join a meeting. Apparently they worked a bit too hard on easy meeting joins, as loading a malicious webpage on a Mac causes an automatic meeting join with the mic and webcam enabled, so long as that machine has previously connected to a Zoom meeting. You would think that uninstalling the Zoom client would be enough to stop the madness, but installing Zoom also installs a local webserver. Astonishingly, uninstalling Zoom doesn’t remove the webserver, which was designed to perpetually listen for a new Zoom meeting attempt. If that sounds like a Trojan to you, you’re not wrong.

The outcry over Zoom’s official response was enough to inform them of the error of their ways. They have pushed an update that removes the hidden server and adds a user interaction before joining a meeting. Additionally, Apple has pushed an update that removes the hidden server if present, and prompts before joining a Zoom meeting.

Wireless Keyboards Letting You Down

Have you ever typed your password using a wireless keyboard, and wondered if you just broadcast it in the clear to anyone listening? In theory, wireless keyboards and mice use encryption to keep eavesdroppers out, but at least Logitech devices have a number of problems in their encryption scheme.

Part of the problem seems to be Logitech’s “Unifying” wireless system, and the emphasis on compatibility. One receiver can support multiple devices, which is helpful when eliminating cable clutter, but also weakens the encryption scheme. An attacker only has to be able to monitor the radio signals during pairing, or even monitor signals while also observing keypresses. Either way, a few moments of processing, and an attacker has both read and write access to the wireless gear.

Several even more serious problems have been fixed with firmware updates in the past years, but [Marcus Mengs], the researcher in question, discovered that newly purchased hardware still doesn’t contain the updated firmware. Worse yet, some of the affected devices don’t have an officially supported firmware update tool.

Maybe wired peripherals are the way to go, after all!