This Week In Security: Filename Not Sanitized, MonikerLink, And Snap Attack!

Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. It’s a feature, VirusEvent, that can be enabled in the ClamAV config. That configuration includes a string formatting function, where the string includes %v and %s, which get replaced with the detected virus name and the file name from the email. And now you see the problem, I hope: the filename is attacker-supplied input.

Where this really gets out of hand is what ClamAV does with this string: execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env). So let’s talk defensive program design for a minute. When it comes to running a secondary command, there are two general options, system() and the exec*() family of calls. system() is very simple to use. It pauses execution of the main process and asks the operating system to run a string through /bin/sh -c, just as if the user had typed that command into the shell. While this is very convenient, there is a security problem if any part of that command string is user-supplied: all it takes is a semicolon or ampersand to break assumptions and inject a command.

To the rescue comes exec(). It’s a bit more complicated to use, requiring the programmer to manually call fork() and wait(). But it’s not running the command via the shell. exec() executes a program directly, totally eliminating the potential for command injection! Except… oops.

Yeah, exec() and related calls don’t offer any security protections when you use them to execute /bin/sh. I suspect the code was written this way to allow running a script without specifying /bin/sh in the config. The official fix was to disable the filename format character, and instead supply it as an environment variable. That certainly works, and that fix is available in 1.0.5, 1.2.2, and 1.3.0.

The real danger here is that we have another case where some hardware appliance manufacturer has used ClamAV for email filtering, and uses this configuration by default. That’s how we get orders from CISA to unplug your hardware, because it’s already compromised.
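As an added illustration (not ClamAV’s own code), here is the vulnerable template expansion beside the fix the article describes: the file name is kept out of the string handed to sh -c and travels through execle()’s environment instead. The %v/%s syntax follows the article; the environment variable name, the notify.sh script and the attachment name are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Expand a VirusEvent-style template (%v = virus name, %s = file name).
   allow_filename != 0: pre-fix behaviour, the attacker-supplied file name
   is spliced into the string later handed to "sh -c". allow_filename == 0:
   fixed behaviour, %s is refused and the name reaches the script via env.
   Returns 0 on success, -1 on a refused %s or a too-small buffer. */
static int expand_template(const char *tmpl, const char *virusname,
                           const char *filename, int allow_filename,
                           char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        const char *ins = NULL;
        if (p[0] == '%' && p[1] == 'v') {
            ins = virusname; p++;
        } else if (p[0] == '%' && p[1] == 's') {
            if (!allow_filename) return -1;   /* %s disabled by the fix */
            ins = filename; p++;
        }
        size_t l = ins ? strlen(ins) : 1;
        if (n + l >= outlen) return -1;       /* keep room for the NUL */
        memcpy(out + n, ins ? ins : p, l);
        n += l;
    }
    out[n] = '\0';
    return 0;
}

/* Build the envp entry for execle(). The variable name is chosen for this
   example (not ClamAV's own). The shell never parses the value as code: the
   script reads "$VIRUSEVENT_FILENAME", so ";" or "&" in it stays literal. */
static int make_env_entry(const char *filename, char *out, size_t outlen)
{
    int r = snprintf(out, outlen, "VIRUSEVENT_FILENAME=%s", filename);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

int main(void)
{
    const char *fname = "invoice.pdf; id";   /* constructed attachment name */
    char cmd[256], env[256];
    expand_template("notify.sh %v %s", "Eicar-Test-Signature", fname, 1, cmd, sizeof cmd);
    printf("pre-fix sh -c string: %s\n", cmd);
    expand_template("notify.sh %v", "Eicar-Test-Signature", fname, 0, cmd, sizeof cmd);
    make_env_entry(fname, env, sizeof env);
    printf("fixed sh -c string:   %s  (envp: %s)\n", cmd, env);
    return 0;
}
```

A script invoked this way must quote the variable ("$VIRUSEVENT_FILENAME") so the shell treats the name as a single literal argument.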

Retrotechtacular: Some Days You Just Can’t Get Rid Of A Nuclear Bomb

It may seem a bit obvious to say so, but when a munition of just about any kind is designed, little thought is typically given to how to dispose of it. After all, if you build something that’s supposed to blow up, that pretty much takes care of the disposal process, right?

But what if you design something that’s supposed to blow up only if things go really, really wrong? Like nuclear weapons, for instance? In that case, you’ll want to disassemble them with the utmost care. This 1993 film, produced by the US Department of Energy, gives a high-level overview of nuclear weapons decommissioning at the Pantex plant in Texas. Fair warning: this film was originally on a VHS tape, one that looks like it sat in a hot attic for quite a few years before being transferred to DVD and thence to YouTube. So the picture quality is lousy, in some points nearly unwatchably so. Then again, given the subject matter that may be a feature rather than a bug.


Linux Fu: Curling C

Sometimes, it pays to read the man pages of commands you use often. There might be a gem hidden in there that you don’t know about. Case in point: I’ve used curl (technically, cURL, but I’m going to stick with curl) many times to grab data from some website or otherwise make a web request. But what happens if you want to do the same thing from a C program? Well, you could be lazy and just spawn a copy of curl. But it turns out curl has a trick up its sleeve that can help you. If only I’d read the man page sooner!

First Things

The simplest use of curl is to just name a URL on the command line. For example, consider this session:

$ curl http://www.hackaday.com 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

This isn’t so useful because it is a 301 response (to send you to the https server, in this case). The -L option makes curl follow the redirect and fetch the final page instead of returning the 301. Try:

$ curl -L http://www.hackaday.com


Inputs Of Interest: The Svalboard Could Be Your Salvation

You know, sometimes dreams really do come true. When I told you about the DataHand keyboard almost four years ago, I never imagined I’d ever get to lay my hands on anything even remotely like it, between the original price point and the fact that they really, really hold their value. But thanks to [Morgan Venable], creator of the Svalboard, I can finally tell you what it’s like to type with your digits directionalized.

If you don’t recall, the DataHand was touted to be a total revolution in typing for RSI sufferers. It debuted in 1993 for a hefty price tag of about $1,500 — pretty far out of reach of the average consumer, but well within the budgets of the IT departments of companies who really wanted to keep their workers working. You want minimum finger travel? It doesn’t get more minimal than this concept of a d-pad plus the regular down action for each finger.

The Svalboard aims to be the new and improved solution for something that barely exists anymore, but still has a devoted following. Although the DataHand was built on a gantry and adjustable using knobs, the smallest fit possible on the thing is still rather big. Conversely, the Svalboard is fully customizable to suit any size hand and fingertip.


Ethernet For Hackers: The Very Basics

Ethernet is ubiquitous, fast, and simple. You only need two diffpairs (four wires) to establish a 100Mbit link, the hardware is everywhere, you can do Ethernet over long distances easily, and tons of microcontrollers and SoCs support it, too. Overall, it’s a technology you will be glad to know about, and there are hundreds of scenarios where you could use it.

If you need to establish a high-bandwidth connection between two Linux boards in your project, or maybe a Linux board and a powerful MCU, or maybe make a network between microcontrollers, Ethernet’s your friend. It also scales wonderfully – there’s so much tech around Ethernet that finding cables, connectors or ICs tends to be dead easy. Plus, the world of Ethernet is huge beyond belief. Ethernet as most of us know it is actually just the consumer-facing version of Ethernet, and there are quite a few fascinating industrial and automotive Ethernet standards that flip many of our Ethernet assumptions upside down.

Now, you might be missing out on some benefits of Ethernet, or perhaps misunderstanding how Ethernet works at all. What does it mean when a microcontroller datasheet says “has Ethernet interface”? If you see five pins on an SBC and the manufacturer refers to them as “Ethernet”, what do you even do with them? Why does the Raspberry Pi 4 SoC support Ethernet but still require an extra chip, and what even is GMII?


Hackaday Links: February 11, 2024

Apple’s Vision Pro augmented reality goggles made a big splash in the news this week, and try as we might to resist the urge to dunk on them, early adopters spotted in the wild are making it way too easy. Granted, we’re not sure how many of these people are actually early adopters as opposed to paid influencers, but there was still quite a bit of silliness to be had, most of it on X/Twitter. We’d love to say that peak idiocy was achieved by those who showed themselves behind the wheels of their Teslas while wearing their goggles, with one aiming for an early adopter perfecta, but alas, most of these stories appear to be at least partially contrived. Some people were spotted doing their best to get themselves killed, others were content to just look foolish, especially since we’ve heard that the virtual keyboard is currently too slow for anything but hunt-and-peck typing, which Casey Neistat seemed to confirm with his field testing. After seeing all this, we’re still unsure why someone would strap $4,000 worth of peripheral-vision-restricting and easily fenced hardware to their heads, but hey — different strokes. And for those of you wondering why these things are so expensive, we’ve got you covered.


One Project At A Time, Or A Dozen?

We got a bunch of great food for thought in this week’s ask-us-anything on the Hackaday Podcast, and we all chewed happily. Some of my favorite answers came out of the question about how many projects we all take on at once. Without an exception, the answer was “many”. And while not every one of the projects that we currently have started will eventually reach the finish line, that’s entirely different from saying that none of them ever do. On the contrary, Tom Nardi made the case for having a number of irons simultaneously in the fire.

We all get stuck from time to time. That’s just the nature of the beast. The question is whether you knuckle down and try to brute-force power your way through the difficulty, or whether you work around it. A lot of the time, and this was Dan Maloney’s biggest bugaboo, you lack the particular part or component that you had in mind to get the job done. In that situation, sometimes you just have to wait. And what are you going to do while waiting? Work on Project B! (But take good notes of the state of Project A, because that makes it a lot easier to get back into the swing of things when the parts do arrive.)

Al and I both weighed in on the side of necessity, though. Sometimes, no matter how many attractive other projects you’ve got piled up, one just needs to get out the door first. My recent example was our coffee roaster. Before I start a big overhaul, I usually roast a couple days’ worth of the evil bean. And then the clock starts ticking. No roasting equals two unhappy adults in this household, so it’s really not an option. Time pressure like that helps focus the mind on the top-priority project.

But I’m also with Tom. It’s a tremendous luxury to have a handful of projects in process, and be able to hack on one simply because you’re inspired, or in love with the project at that moment. And when the muse calls, the parts arrive, or you finally figure out what was blocking you on Project A, then you can always get back to it.