This Week In Security: ACME.sh, Leaking LEDs, And Android Apps

Let’s Encrypt has made an enormous difference to the landscape of the web. The protocol used for authenticating and receiving certificates, ACME, has spawned quite a few clients of various flavors. Some are written in Rust, some in Python or Go, and a few in straight Bash shell script. One of those last ones, acme.sh, was doing something odd when talking to a particular “Certificate Authority”, HiCA. This pseudo-CA only supports acme.sh, and now we know why. The folks behind HiCA found an RCE exploit in acme.sh, and decided to use that exploit to do certificate issuance with more “flexibility”. Oof.

The nuts and bolts here are that HiCA was working as a CA-in-the-Middle, wrapping other CAs’ authentication services. Those services don’t support ACME authentication at all, and HiCA used the acme.sh vulnerability to put the authentication token in the place SSL.com expected to find it. So, just a good community member offering a service that ACME doesn’t quite support, right?

Well, maybe not so innocent. The way it appears this works, is that the end user sends a certificate request to HiCA. HiCA takes that information, and initiates a certificate request off to SSL.com. SSL.com sends back a challenge, and HiCA embeds that challenge in the RCE and sends it to the end user. The end user’s machine triggers the RCE, which pushes the challenge token to the well-known location, and bypasses the ACME protection against exactly this sort of CA-in-the-middle situation.

The last piece of the authentication process is that the signing server reaches out over HTTP to the domain being signed, and looks for the token to be there. Once found, it sends the signed certificates to HiCA, who then forward them on to the end user. And that’s the problem. HiCA has access to the key of every SSL cert they handled. This doesn’t allow encryption, but these keys could be used to impersonate or even launch MitM attacks against those domains. There’s no evidence that HiCA was actually capturing or using those keys, but this company was abusing an RCE to put itself in the position to have that ability.

The takeaway is twofold. First, as an end user, only use reputable CAs. And second, ACME clients need to be hardened against potentially malicious CAs. The fact that HiCA only supported the one ACME client was what led to this discovery, and should have been a warning flag to anyone using the service.

Retrotechtacular: Circuit Potting, And PCBs The Hard Way

There was a time when the very idea of building a complex circuit with the intention of destroying it would have been anathema to any electrical engineer. The work put into designing a circuit, procuring the components, and assembling it, generally with point-to-point wiring and an extravagant amount of manual labor, only to blow it up? Heresy!

But, such are the demands of national defense, and as weapons morphed into “weapon systems” after World War II, the need arose for electronics that were not only cheap enough to blow up but also tough enough to survive the often rough ride before the final bang. The short film below, simply titled Potted and Printed Circuits, details the state of the art in miniaturization and modularization of electronics, circa 1952. It was produced by the Telecommunications Research Establishment (TRE), the main electronics R&D entity in the UK during the war which was responsible for inventions such as radar, radio navigation, and jamming technology.


New Wearable Detects Imminent Vocal Fatigue

“The show must go on,” so they say. These days, whether you’re an opera singer, a teacher, or just someone with a lot of video meetings, you rely on your voice to work. But what if your voice is under threat? Work it too hard, or for too long, and you might find that it suddenly lets you down.

Researchers from Northwestern University have developed a new technology to protect against this happenstance. It’s the first wearable device that monitors vocal usage and calls for time out before damage occurs. The research has been published in the Proceedings of the National Academy of Sciences.


Linux Fu: Easy And Easier Virtual Networking

One of the best things about Linux is that there are always multiple ways to do anything you want to do. However, some ways are easier than others. Take, for example, virtual networking. There are plenty of ways to make a bunch of Internet-connected computers appear to be on a single private network. That’s nothing new, of course. Linux and Unix have robust networking stacks. Since 2018, though, Wireguard has been the go-to solution; it has a modern architecture, secure cryptography, and good performance.

There’s only one problem: it is relatively difficult to set up. Not impossible, of course. But it is a bit difficult, depending on what you want to accomplish.

How Difficult?

You must set up a WireGuard server and one or more clients. You’ll need to pick a range of IP addresses. You might need to turn on routing. You have to generate keys. You might need to configure DNS and other routing options. You’ll certainly need to modify firewall rules. You’ll also need to distribute keys.

None of these steps are terribly difficult, but it is a lot to keep straight. The wg program and wg-quick script do most of the work, but you have a lot of decisions and configuration management to keep straight.

Browse the official “quick start,” and you’ll see that it isn’t all that quick. The wg-quick script is better but only handles some use cases. If you want really limited use cases, there are third-party tools to do a lot of the rote work, but if you need to change anything, you’ll still need to figure it all out.

That being said, once you have it set up, it pretty much works without issue and works well. But that initial setup can be very frustrating.

Supercon 2022: [Liz McFarland] Builds Golden Wings, Shows You How

Are you, by any chance, wondering about giving yourself wings? You should listen to [Liz McFarland] sharing her experience building a Wonder Woman suit, and not just any – the Golden Eagle suit from Wonder Woman 1984, adorned with a giant pair of wings. If a suit like that is in your plans, you’ll be warmly welcomed at a cosplay convention – and [Liz] had her sights on the San Diego Comic Con. With an ambitious goal of participating in the Comic Con’s cosplay contest, the suit had to be impressive – and impressive, it indeed was, not just for its looks, but for its mechanics too.

[Liz] tells us everything – from producing the wings and painting them, to keeping them attached to the body while distributing the weight, and of course, things like on-venue nuances and safety with regards to other participants. The dark side of cosplay building reality isn’t hidden either – talking, of course, about the art of staying within a reasonably tight budget. This build takes advantage of a hackerspace that [Liz] is an active member of – [Crash Space] in LA. Everything is in – lasercutting, 3D printing, and even custom jigs for bending wing-structural PVC pipes play a role.

It would have been a travesty to not have the wings move at will, of course, and [Liz] had all the skills you could want for making the wings complete. She went for two linear actuators, walking us through the mechanical calculations and considerations required to have everything fit together. It’s not easy to build a set of wings on its own, let alone one that moves and doesn’t crumble as you use it – if you have already attempted bringing mechanical creations like this into life, you can see the value in what [Liz] shares with us, and if you haven’t yet delved into it, this video will help you avoid quite a few pitfalls while setting an example you can absolutely reach.

The suit was a resounding success at the con, and got [Liz] some well-earned awards – today, the suit’s story is here for the hackers’ world. Now, your cosplay aspirations have an inspiring real-life journey to borrow from, and we thank [Liz] for sharing it with us.


Passionate Hams Make Their Mark On The Hack Chat

Let’s be honest — there are some not very pleasant stereotypes associated with amateur radio, at least if you ask outsiders. Hams are often thought of as being in two camps: old guys who can’t figure out modern technology or conspiracy theorists who think their knowledge of radio will give them an edge after the world becomes a post-apocalyptic hellscape. We’ll leave it to you to decide which is the worse brush to be painted with.

As is often the case, the best way to fight such ignorance is with education and outreach. Events like our weekly Hack Chat are a perfect platform for that, as it allows the curious to ask questions and get answers directly from subject matter experts. This is precisely why we invited Mark Hughes and Beau Ambur to helm last week’s Chat. The fact that they’re both relatively recent licensees makes them uniquely qualified to shed some light on what it’s like to become part of the ham radio community in the 21st century. As an added bonus, they’re both sharp and articulate technologists — about as far as you can get from the mental image of the doddering old granddad who prefers the simplicity of the Morse key to those newfangled smarty-phones.



Hackaday Links: June 11, 2023

As Tom Nardi mentioned in this week’s podcast, the Northeast US is pretty apocalyptically socked in with smoke from wildfires in Canada. It’s what we here in Idaho call “August,” so we have plenty of sympathy for what they’re going through out there. People are turning to technology to ease their breathing burden, with reports that Tesla drivers are activating the “Bioweapon Defense Mode” of their car’s HVAC system. We had no idea this mode existed, honestly, and it sounds pretty cool — the cabin air system apparently shuts off outside air intake and runs the fan at full speed to keep the cabin under positive pressure, forcing particulates — or, you know, anthrax — to stay outside. We understand there’s a HEPA filter in the mix too, which probably does a nice job of cleaning up the air in the cabin. It’s a clever idea, and hats off to Tesla for including this mode, although perhaps the name is a little silly. Here’s hoping it’s not one of those subscription services that can get turned off at a moment’s notice, though.
