Hack Simple

Here at Hackaday, we definitely love to celebrate the hard hacks: the insane feats of reverse engineering, the physics-defying flights of fancy, or the abuse of cutting edge technology. But today I’d like to raise a rhetorical glass in tribute to the simple hacks. Because, to be perfectly honest, the vast majority of my hacks are simple hacks, and it’s probably the same for you too. And these often go unsung because, well, they’re simple. But that doesn’t mean that something simple can’t be helpful.

Case in point: an ESP8266 press-buttons device that we featured this week. It doesn’t do much. Its main feature is that it connects to a home automation network over WiFi and enables you to flip three relays. Wires coming off the board are to be soldered to the not-yet-smart device in question, simply connected to each side of the button you’d like to press. In the example, a coffee machine was turned on and the “go” button pressed, automating one of the most essential kitchen rituals. While recording the podcast, I realized that I’ve built essentially this device and have it controlling our house’s heating furnace.

For the experienced hacker, there’s not much here. It’s a simple board design, the software heavily leverages ESPHome, so there’s not much work on that front either. But imagine that you lacked any of the wide-ranging skills that it takes to make such a device: PCB layout, ESP8266 software wrangling, or the nuances of designing with relays. You could just as easily build this device wrong as right. The startup costs are non-trivial.

Making a simple design like this available to the public isn’t a technical flex, and it’s not contributing to the cutting edge. But it just might be giving someone their first taste of DIY home automation, and a sweet taste of success. There’s not much easier than finding a switch and soldering on two wires, but if that’s the spark that pushes them on their path to greater hacks, that’s awesome. And even if it doesn’t, at least it’s another appliance under user control, connected to a private WiFi network rather than spying you out and phoning home to Big Toaster.

So here’s to the simple hacks!

Learning 3D Printing Best Practices From A Pro

It might seem like 3D printing is a thoroughly modern technology, but the fact is, it’s been used in the industry for decades. The only thing that’s really new is that the printers have become cheap and small enough for folks like us to buy one and plop it on our workbench. So why not take advantage of all that knowledge accumulated by those who’ve been working in the 3D printing field, more accurately referred to as additive manufacturing, since before MakerBot stopped making wooden printers?

That’s why we asked Eric Utley, an applications engineer with Protolabs, to stop by the Hack Chat this week. With over 15 years of experience in additive manufacturing, it’s fair to say he’s seen the technology go through some pretty big changes. He’s worked on everything from the classic stereolithography (SLA) to the newer Multi Jet Fusion (MJF) printers, with a recent focus on printing in metals such as Inconel and aluminum. Compared to the sort of 3D printers he’s worked with, we’re basically playing with hot, semi-melted, LEGOs — but that doesn’t mean some of the lessons he’s learned can’t be applied at the hobbyist level.

Hackaday Podcast 220: Transparent Ice, Fake Aliens, And Bendy Breadboards

You can join Elliot and Al as they get together to talk about their favorite hacks of the week. There’s news about current contests, fake alien messages, flexible breadboards, hoverboards, low-tech home automation, and even radioactive batteries that could be a device’s best friend.

We have a winner in the What’s that Sound competition last week, which was, apparently, a tough one. You’ll also hear about IC fabrication, FPGAs, and core memory. Lots to talk about, including core memory, hoverboards, and vacuum tubes.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


This Week In Security: GitLab, KeePassMini, And Horse

There’s a really nasty CVSS 10.0 severity vulnerability in GitLab 16.0.0. The good news is that this is the only vulnerable version, and the fix came a mere two days after the vulnerable release. If you happened to be very quick to go to 16.0.0, then be very quick to get the fix, because CVE-2023-2825 looks like a bad one.

An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

That’s a very specific set of requirements for vulnerability, so it seems like hardly any installs would be vulnerable. The rest of the story is that regular users can create groups, and many installs allow for open user registration. So if you’re running GitLab 16.0.0, update now!

KeePassMini

A Redditor got a surprising notice that someone attempted to access a bank account, but failed two-factor authentication. That seemed odd, and led the Redditor down the rabbit hole of auditing applications. And one iOS app in particular stood out as maybe problematic — KeePassMini.

The app was a mobile client for KeePass, the password manager. The problem was some analytics. It looks like KeePassMini was bundling up some system information and uploading it to a server controlled by the creator. Analytics are often unpopular, but this app was including the system clipboard contents in the uploaded data. Yikes! And it gets worse: The app does password fills by using that same clipboard, so some of the protected passwords may have been scooped up into that analytics data. And sent unencrypted. Oof.

Now, the app author has pulled the plug on the app altogether, and responded on the old GitHub project page. It’s a bit odd, but it’s perfectly believable that there were no ill intentions here. Regardless, code to send the clipboard is a big problem, and definitely undoes a lot of trust in a project.

And KeePass itself has a problem, though much less worrying. KeePass attempts to keep sensitive data out of its own memory when possible. This approach aims to protect even in the event of a compromised machine. [vdohney] on Sourceforge discovered that there is a channel to recover the master password, by being just a bit clever. When a user types in the master password, by default, KeePass will show the last letter typed, and replace the previous letters with bullets. But each iteration of that string ends up in program memory, so a privileged attacker can get a memory dump, look for the bullet characters, and find a set of leftover strings like •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. It’s an easy password grab. Now remember, this essentially implies an attacker has memory access on your system, so it’s not a gaping weakness in KeePass.

As you can see from the POC on GitHub, the problem is that a .NET text box keeps the strings in memory, so it probably hits both Windows and Linux users under Mono. The proposed solution that the KeePass team is taking is to poison the well with enough random characters that retrieving the correct password is a lot harder. It’s still getting fixed in the next release.

Horse Shell for MIPS Routers

Check Point Research brings us news of the Horse Shell, a bit of malware specifically for MIPS architecture routers running Linux. It’s been found in TP-Link firmware images so far, but as so many of those routers are essentially based on the same Linux SDK, the malware appears to be applicable to many models. The exact firmware images being examined were found in a collection of tools used by Camaro Dragon, a rather catchy name for a Chinese APT group.

The firmware images have some of the normal bits you would expect, like data collection, remote shell, and remote proxy support. They have some really sneaky tricks, too, like storing part of the data on the partition reserved for WiFi calibration data. One has to wonder if hijacking that partition negatively affects the router’s wireless performance. In the firmware images examined, the quickest tell is to go to the firmware upgrade page. If it’s blank, without a form to upload new firmware, you may have the malicious image.

WordPress

WordPress 6.2.1 has a security fix, then improved upon in 6.2.2, for an issue where block themes could parse user-generated shortcodes. A shortcode is a tag inside [brackets] that gets replaced by more complicated data. We use a code shortcode all the time here on Hackaday, to try to get source code to render nicely, angle brackets and all.

It turns out, the fix in 6.2.1 went a little overboard, breaking quite a few sites by disabling shortcodes in block themes altogether. The situation in 6.2.2 is a bit better, with most of the problems being dealt with. Sometimes it’s hard to tell the bugs and the features apart.

And a WordPress plugin, Beautiful Cookie Consent Banner, is under active attack for a Cross-Site Scripting vulnerability. The attack is odd, as WordPress.org shows just 40,000 active installs, and almost 1.5 million sites have been sent the malicious payload to try to exploit the plugin. And the kicker? It looks like the payload on this attack is a dud, and fails to actually infect a vulnerable site. It can still goober a vulnerable site, so make sure to check your plugins.

Bits and Bytes

Speaking of plugins, be careful what VS Code plugins you use. They’re not all friendly. Microsoft has been working to keep malicious plugins off the official marketplace, but that arms race never seems to have an end. And as such, there were a couple known malicious plugins with nearly 50,000 installs.

For some in-depth fun, check out this PDF paper on Android Fingerprint Reader attacks. It seems simple, right? Take a screenshot of a finger, compare it to a known data set, and lock the phone if the test fails too many times. It is, of course, not quite that simple. Researchers formulated two loopholes, Cancel-After-Match-Fail and Match-After-Lock, both of which abuse user-friendly features to manage way more attempts at a fingerprint read. Read the paper for the juicy details.

And finally, Troy Hunt had some fun at the expense of a scammer. Troy’s wife was selling a fridge on Gumtree, and they decided to play along with a suspicious “buyer”. Turns out, it’s the old agent fee scam. I’ll give you the money you asked for, plus $800 to cover the fee. Can you forward that extra money on? But of course, the PayPal confirmation message was faked, and there was no money paid. Troy managed to get an impressive bit of information, including that the scam is actually being run out of, you guessed it, Nigeria. Shipping would be a pain. ><

Linux Fu: Making Progress

The computer world looks different from behind a TeleType or other hardcopy terminal. Things that tend to annoy people about Unix or Linux these days were perfectly great when you were printing everything the computer said to you. Consider the brevity of most basic commands. When you copy a file, for example, it doesn’t really tell you much other than it returns you to the prompt when it is done. If you are on a modern computer working with normal-sized files locally, not a big deal. But if you are over a slow network or with huge files, it would be nice to have a progress bar. Sure, you could write your own version of copy, but wouldn’t it be nice to have some more generic options?

One Way

The pv program can do some of the things you want. It monitors data through a pipe or, at least, through its standard output. Think of it as cat with a meter. Suppose you want to write a disk image to /dev/sdz:

cat diskz.img >/dev/sdz

But you could also do:

pv diskz.img >/dev/sdz

By default, pv will show a progress bar, an elapsed time, an estimated end time, a rate, and a total number of bytes. You can turn any of that off or add things using command line options. You can also specify things like the size of the terminal, if it should count lines instead of bytes, and, in the case where the program doesn’t know what it is reading, the expected size of the transfer.


Supercon 2022: Nick Poole Makes A Jolly Wrencher Tube

[Nick Poole] shared his circuitous journey into the obscure world of homemade vacuum tubes on the Supercon 2022 stage. It began innocently enough when he saw [Usagi Electric]’s single-bit vacuum tube computer, which uses dozens of vacuum tubes. He got to wondering, could you make vacuum-tube-like devices containing multiple elements? There are some examples, like the 256-bit memory Selectron tube from the 1950s, but nothing general purpose like a 555 timer or quad NAND gate packages. Unencumbered by a deep understanding of how vacuum tubes work, [Nick] proceeds to fill this void by imagining Integrated Thermionics, a fictitious company that exists in an alternate history where transistors were not invented and the vacuum tube reigns supreme. He also showcases a variety of innovative products that Integrated Thermionics manufactured over the decades, including surface mount tubes.


Dear Ubuntu…

Dear Ubuntu,

I hope this letter finds you well. I want to start by saying that our time together has been one of creativity and entertainment, a time in which you gave me the tools to develop a new career, to run a small electronics business, make fun things, and to write several thousand articles for Hackaday and other publications, but for all that it’s sadly time for our ways to part. The magic that once brought us together has faded, and what remains is in danger of becoming a frustration.

In our early days as an item you gave me for the first time a Linux distro that was complete, fast, and easy to use without spending too much time at the CLI or editing config files to make things happen; you gave me a desktop that was smooth and uncluttered, and you freed me from all those little utilities that were required to make Windows usable. You replaced the other distros I’d been using, you dual-booted with my Windows machines, and pretty soon you supplanted the Microsoft operating system entirely.

Ubuntu and me and a trusty Dell laptop, Oxford Hackspace, 2017.
Me and Ubuntu in 2017, good times.

We’ve been together for close to two decades now, and in that time we’ve looked each other in the eye across a variety of desktop and laptop computers. My trusty Dell Inspiron 640 ran you for over a decade through several RAM, HDD, and SSD upgrades, and provided Hackaday readers with the first few years of my writing. Even the Unity desktop couldn’t break our relationship, those Linux Mint people weren’t going to tear us asunder! You captured my text, edited my videos and images, created my PCBs and CAD projects, and did countless more computing tasks. Together we made a lot of people happy, and for that I will always be grateful.