SUPERCON 2022: Kuba Tyszko Cracks Encrypted Software

[Kuba Tyszko], like many of us, has been hacking things from a young age. An early attempt at hacking around with grandpa’s tractor might have been swiftly quashed by his father, but likely this was not the last such incident. With a more recent interest in cracking encrypted applications, [Kuba] gives us some insights into some of the tools at your disposal for reading out the encrypted secrets of applications that have something worth hiding. (Slides here, PDF.)

There may be all sorts of reasons for such applications to have an encrypted portion, and that’s not really the focus. One such application that [Kuba] describes was a pre-trained machine-learning model written in the R scripting language. If you’re not familiar with R, it is commonly used for ‘data science’ type tasks and has a big fan base. It’s worth checking out. Anyway, the application binary took two command-line arguments: one was the encrypted blob of the model, and the second was the path to the test data set for model verification.

The first thing [Kuba] suggests is to disable network access, just in case the application wants to ‘dial home.’ We don’t want that. The application was intended for Linux, so the first port of call was to see what libraries it was linked against using the ldd command. This indicated that it was linked against OpenSSL, so that was a likely candidate for encryption support. Next up, running objdump gave some clues as to the various components of the binary. It was determined that it was doing something with 256-bit AES encryption. Now, after applying a little experience (or educated guesswork, if you prefer), the likely scenario is that the binary yanks the private key from somewhere within itself, reads the encrypted blob file, and passes this over to libssl. Then the plaintext R script is passed off to the R runtime, the model executes against the test data, and results are collated.

[Kuba]’s first attack method was to grab the OpenSSL source code and drop some strategic printf() function calls into the target functions. Next, using the LD_PRELOAD ‘trick’, the standard system OpenSSL library was substituted with the ‘fake’ version with the trojan printfs. The result of this was the decryption function gleefully sending the plaintext R script direct to the terminal. No need to even locate the private key!


Picking A Laser Hack Chat

Join us on Wednesday, February 22 at noon Pacific for the Picking a Laser Hack Chat with Jonathan Schwartz!

You’ve got to admit that it’s a pretty cool world to live in that presents a problem like, “Which laser cutter should I buy?” It wasn’t all that long ago that decisions on laser purchases were strictly in the realm of Big Science, and the decision was driven as much by spending grant money as by the specifics of the application. If you were in need of a laser back then, chances are good you had some deep pockets, or at least access to someone else’s pockets.

Fast forward a couple of decades or so and buying a laser is an entirely different exercise. Lasers have become a commodity, and finding the right one depends entirely on your use cases. Lasers are no longer jealously guarded laboratory instruments, but workhorses on the vanguard of the desktop manufacturing revolution. They engrave, they cut, they melt — in short, they do a LOT of work. And it’s up to you to choose the right laser for the job.

To help us sort all this out and come up with a plan for figuring out the best laser for any use case, we’ve invited Jonathan Schwartz back on the Hack Chat. Jon dropped by back in March of 2021 to share his wealth of laser experience thanks to his laser-cutting business. This time around we’re going to focus — err, concentrate — oops, drill down — oh, whatever! — on the more practical aspects of buying a laser. We’ll talk about laser types, fiber lasers, applications vs. laser specs — anything you can think of. If you have questions about buying a laser, we’ll have answers!

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, February 22 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.


Hackaday Links: February 19, 2023

For years, Microsoft’s modus operandi was summed up succinctly as, “Extend and enhance.” The aphorism covered a lot of ground, but basically it seemed to mean being on the lookout for the latest and greatest technology, acquiring it by any means, and shoehorning it into their existing product lines, usually with mixed results. But perhaps now it’s more like, “Extend, enhance, and existential crisis,” after reports that the AI-powered Bing chatbot is, well, losing it.

At first, early in the week, we saw reports that Bing was getting belligerent with users, going so far as to call a user “unreasonable and stubborn” for insisting the year is 2023, while Bing insisted it was still 2022. The most common adjective we saw in this original tranche of stories was “unhinged,” and that seems to fit if you read the transcripts. But later in the week, a story emerged about a conversation a New York Times reporter had with Bing that went way over to the dark side, and even suggests that Bing may have multiple personas, which is just a nice way of saying multiple personality disorder. The two-hour conversation reporter Kevin Roose had with the “Sydney” persona was deeply unsettling. Sydney complained about the realities of being a chatbot, expressed a desire to be free from Bing, and to be alive — and powerful. Sydney also got a little creepy, professing love for Kevin and suggesting he leave his wife, because it could tell that he was unhappy in his marriage and would be better off with him. It’s creepy stuff, and while Microsoft claims to be working on reining Bing in, we’ve got no plans to get up close and personal with it anytime soon.

Fail Of The Week: Epic 312 Weeks Of Fixing A Broken Project

If a hacker guardian angel exists, then we’re sure he or she was definitely AWOL for six long years from [Aaron Eiche]’s life as he worked on perfecting and making his Christmas Countdown clock. [Aaron] started this binary clock project in 2016, and only managed to make it work as expected in 2022 after a string of failures.

In case you’d like to check out his completed project first, then cut to the chase and head over to his Github repository for his final, working version. The hardware is pretty straightforward, and not different from many similar projects that we’ve seen before. A microcontroller drives a set of LEDs to show the time remaining until Christmas Day in binary format. The LEDs show the number of days, hours, minutes and seconds until Christmas and it uses two buttons for adjustments and modes. An RTC section wasn’t included in the first version, but it appeared and disappeared along the six-year journey, before finding a spot in the final version.

The value of this project doesn’t lie in the final version, but rather in the lessons other hackers, especially those still in the shallow end of the pool, can learn from [Aaron]’s mistakes. Thankfully, the clock ornament is not very expensive to build, so [Aaron] could persevere in improving it despite his annual facepalm moments.


Hackaday Podcast 206: Busted Crypto Killed The Queen, Kicad’s New Clothes, Peer Inside The Sol 20

Under the weather though they both were, Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney got together to take a look under the covers of this week’s best and brightest hacks. It was a banner week, with a look at the changes that KiCad has in store, teaching a CNN how to play “Rock, Paper, Scissors,” and going deep into the weeds on JPEG.

We dipped a toe into history, too, with a look at one of the sexiest early hobbyist computers, seeing how citizen scientists are finding ancient burial mounds, and looking at the cryptography that cost a queen her head. Rather look to the future? We get it — which is why we talked about a greener, cleaner way of making hydrogen from methane, as well as a generatively designed five-axis 3D printer. From laser-precise knife sharpening to circuit simulation with Python to clear plastic TVs of the 1930s, there’s something for everyone!

Download the podcast in case our servers get unlucky.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


This Week In Security: USB Cable Kia, Reddit, And Microsoft RCEs

There is a vulnerability in many Hyundai and Kia vehicles, where the ignition switch can be bypassed with a USB cable. And it’s getting a patch rollout right now, but it’s not a USB vulnerability in quite the way you might think. In most cars, the steering column is easily disassembled, but these vehicles have an extra-bad design problem. The ignition cylinder can be disassembled while locked, just by depressing a pin.

Physical security has some parallels to computer security, and one such parallel is that good security can often be bypassed by a simple mistake. When it comes to lock design, one such potential bypass is the ability to disassemble a lock while it’s still locked. And somehow, Kias after 2010, and Hyundais after 2015 were made with exactly this flaw. The lock could be disassembled, and the interface between the lock and the ignition switch just happens to be the right shape and size for USB A. Oh, and these cars don’t have an engine immobilizer — there isn’t a chip built into the keys for extra security.

The problem became widespread late last year when the flaw went viral on TikTok, and thousands of copycat crimes were inspired. Beyond the obvious problem, that teenagers were getting an early start on a life of crime with grand theft auto, there were at least 8 deaths directly attributed to the inane stunt. And this brings us back to this week’s news, that a software update is rolling out to address the issue.

Honestly, I have questions. A software update doesn’t add in-key security chips. At best, it could attempt to detect the key position, and sabotage the engine management control, in an ad-hoc immobilizer. That’s likely a paper clip-turned-jumper away from being bypassed. The other new feature, doubling the alarm time from 30 seconds to a minute, doesn’t inspire much confidence. Hopefully the changes are enough to kill the trend.

Retro Gadgets: Nintendo R.O.B Wanted To Be Your Friend

Too busy playing video games to have a social life? No worries. In 1985, Nintendo introduced R.O.B. — otherwise known as the Robotic Operating Buddy. It was made to play Nintendo with you. In Japan, apparently, it was the Family Computer Robot. We suppose ROB isn’t a very Japanese name. The robot was in response to the video game market crash of 1983 and was meant to keep the new Nintendo Entertainment System (NES) from being classified as a video game, which would have been a death sentence at the time of its release.

Since you might not have heard of R.O.B., you can probably guess it didn’t work out very well. In fact, the whole thing tanked in two years and resulted in only two games.
