In this week’s podcast, non-brothers Elliot Williams and Al Williams talk about our favorite hacks of the week. Elliot’s got analog on the brain, courtesy of the ongoing Op Amp Contest, and Al is all about the retrocomputers, from a thrift-store treasure to an old, but still incredibly serviceable, voice synthesizer. Both agree that they love clever uses of mechanical parts and that nobody should fear the FET.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Last week we briefly mentioned a vulnerability in the Papercut software, and more details and a proof of concept have been published. The vulnerability is one known as session puzzling. That’s essentially where a session variable is used for multiple purposes, or gets incorrectly set. In Papercut, it was possible to trigger the SetupCompleted class on a server that had already finished that initial setup process. And part of SetupCompleted validated the session of the current user. In a normal first-setup case, that might make sense, but as anyone could trigger that code, it allowed anonymous users to jump straight to admin.
The other half of the exploit leverages the “print script” feature, which lets admins write code that runs on printing. A simple java.lang.Runtime.getRuntime().exec('calc.exe'); does the trick to jump from web interface to remote code execution. The indicators of compromise are reasonably generic, including “User "admin" logged into the administration interface.” and “Admin user "admin" modified the print script on printer "".” A Shodan search turns up around 1,700 Papercut servers accessible from the Internet, which prompts the painfully obvious observation that your internal print auditing solution’s web interface definitely should not be exposed online.
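Those two log messages are exactly what a detection rule should key on. The following is an added example, not code from the article or from Papercut: it scans constructed log lines (the timestamp layout is assumed, not the real server format) for the quoted indicators and escalates when a print-script change follows an admin-interface login by the same account within a short window, which is the sequence the exploit chain produces.

```python
"""Scan log lines for the PaperCut indicators of compromise quoted above.
The "<ISO timestamp> <message>" layout is assumed for this constructed sample;
adapt LINE_RE to the real server log format."""
import re
from datetime import datetime, timedelta

# Message texts are the IoCs quoted in the article; the printer name is
# matched loosely because the real IoC shows it as an empty string.
LOGIN_RE = re.compile(r'User "(?P<user>[^"]+)" logged into the administration interface\.')
SCRIPT_RE = re.compile(r'Admin user "(?P<user>[^"]+)" modified the print script on printer "(?P<printer>[^"]*)"\.')
LINE_RE = re.compile(r'^(?P<ts>\S+T\S+) (?P<msg>.*)$')

def scan_papercut_logs(lines, window=timedelta(minutes=10)):
    """Return alerts as (severity, timestamp, detail). Every admin-interface
    login or print-script change is reported; a script change that follows a
    login by the same account within `window` is escalated to high."""
    alerts = []
    last_login = {}  # user -> time of most recent admin-interface login
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        msg = m["msg"]
        if login := LOGIN_RE.search(msg):
            last_login[login["user"]] = ts
            alerts.append(("medium", ts, f'admin-interface login by {login["user"]}'))
        elif script := SCRIPT_RE.search(msg):
            user = script["user"]
            severity = "medium"
            if user in last_login and ts - last_login[user] <= window:
                severity = "high"
            alerts.append((severity, ts, f'print script modified by {user} on printer "{script["printer"]}"'))
    return alerts

# Constructed sample lines, not real PaperCut output.
SAMPLE = [
    '2023-04-25T10:00:01 Print job 1234 released to printer "Floor2".',
    '2023-04-25T10:02:13 User "admin" logged into the administration interface.',
    '2023-04-25T10:03:40 Admin user "admin" modified the print script on printer "".',
    '2023-04-25T14:30:00 Admin user "helpdesk" modified the print script on printer "Lobby".',
]

if __name__ == "__main__":
    for sev, ts, detail in scan_papercut_logs(SAMPLE):
        print(f"[{sev}] {ts.isoformat()} {detail}")
```

Any legitimate print-script edit also trips the medium alert, so tune the rule against your change-management records rather than suppressing it.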
Apache Superset
Superset is a nifty data visualization tool for showing charts, graphs, and all sorts of pretty data sets on a dashboard. It also has some weirdness with using web sessions for user management. The session is stored on the user side in a cookie, signed with a secret key. This works great, unless the key used is particularly weak. And guess what, the default configuration of Superset uses a pre-populated secret key. thisismysecretkey is arguably a bad key to start with, but it turns out it’s also shared by more than 70% of the accessible Superset servers.
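A signed-cookie session is only as strong as the key that signs it, so the practical check is auditing what SECRET_KEY actually holds. The following is an added example, not Superset's own tooling: it reads a config file's SECRET_KEY literal through the AST (so the config is never executed) and flags the article's default value, constructed placeholder strings, short keys and low-entropy keys; the length and entropy floors are assumed policy values, not Superset constants.

```python
"""Audit the SECRET_KEY in a Superset-style config without executing it."""
import ast
import math
import secrets
from collections import Counter

# "thisismysecretkey" is the default quoted in the article; the other entries
# are constructed examples of placeholder values, not known Superset defaults.
KNOWN_PLACEHOLDERS = {"thisismysecretkey", "changeme", "secret", "CHANGE_ME"}
MIN_LENGTH = 32          # assumed policy floor
MIN_BITS_PER_CHAR = 3.0  # assumed floor on Shannon entropy per character

def shannon_bits_per_char(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def extract_secret_key(config_source):
    """Return the string literal assigned to SECRET_KEY, or None when the key
    is absent or not a literal (e.g. read from the environment)."""
    for node in ast.walk(ast.parse(config_source)):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == "SECRET_KEY":
                    value = node.value
                    if isinstance(value, ast.Constant) and isinstance(value.value, str):
                        return value.value
    return None

def audit_secret_key(key):
    """Return (ok, reason) for a literal key value."""
    if key is None:
        return False, "SECRET_KEY is not a string literal; confirm it is injected from a secret store"
    if key in KNOWN_PLACEHOLDERS:
        return False, "SECRET_KEY is a known placeholder/default value"
    if len(key) < MIN_LENGTH:
        return False, f"SECRET_KEY is shorter than {MIN_LENGTH} characters"
    if shannon_bits_per_char(key) < MIN_BITS_PER_CHAR:
        return False, "SECRET_KEY has low character entropy"
    return True, "SECRET_KEY looks acceptable"

# Constructed config fragments: the weak default beside a corrected one.
WEAK_CONFIG = 'SECRET_KEY = "thisismysecretkey"\nROW_LIMIT = 5000\n'
STRONG_CONFIG = f'SECRET_KEY = "{secrets.token_urlsafe(42)}"\n'

if __name__ == "__main__":
    for src in (WEAK_CONFIG, STRONG_CONFIG):
        print(audit_secret_key(extract_secret_key(src)))
```

Rotating the key invalidates every session cookie signed under the old one, which is the desired effect when the old one was shared with most of the Internet.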
Hydrogen is a useful gas. Whether you want to float an airship, fuel a truck, or heat an industrial process, hydrogen can do the job. However, producing it is currently a fraught issue. While it can be produced cleanly using renewable energy, it’s often much cheaper to split it out of hydrocarbon fuels using processes that generate significant pollution.
Tinkercad is like the hamburger helper of 3D design. You hate to admit you use it, and you know you should put in more effort, but — darn it — it’s easy, and it tastes pretty good. While I use a number of CAD programs for serious work, sometimes, when I just want a little widget like a flange for my laser cutter’s exhaust, it is just easier to do it in a few minutes with Tinkercad. However, I heard someone complaining the other day that it wasn’t of any use anymore because they took away custom shape generators. That statement is only partially true. Codeblocks allow you to easily create custom parametric items for use in Tinkercad.
There was a time when you could write JavaScript to create custom shapes, and it is true that they removed that feature. However, they replaced it with Codeblocks, which is much easier to use for their target audience — young students — and still very powerful.
If you’ve used parametric design in a professional package or even used something like OpenSCAD, you probably don’t need to be sold on the benefit. This is, of course, a simple form of it, but the idea is to define things as mathematical relationships. As an example, suppose you have a front panel with two rows of four holes for switches evenly spaced and centered. That would be easy to draw. But if you later decide the top row needs five holes and the bottom only needs three, it will be a fair amount of work. But if you have the math defining it right, you change a few variables, and the computer does the rest.
Remember fax machines? They used to be all the rage, and to be honest it was pretty cool to be able to send images back and forth over telephone lines. By the early 2000s, pretty much everyone had some kind of fax capability, whether thanks to a dedicated fax machine, a fax modem, or an all-in-one printer. But then along came the smartphone that allowed you to snap a picture of a document and send it by email or text, and along with the decrease in landline subscriptions, facsimile has pretty much become a technological dead end.
But long before fax machines became commonplace, there was a period during which sending images by wire was a very big deal indeed. So much so that General Motors produced “Spot News,” a short film to demonstrate how newspapers leveraged telephone technology to send photographs from the field. The film is very much of the “March of Progress” genre, and seems to be something that would have been included along with the newsreels and Looney Tunes between the double feature films. It shows a fictional newsroom in The Big City, where a cub reporter gets a hot tip about an airplane stunt about to be attempted out in the sticks. The editor doesn’t want to miss out on a scoop, so he sends a photographer and a reporter to the remote location to cover the stunt, along with a technology-packed photographic field car.
Off-the-shelf stock parts are the blocks from which we build mechanical projects. And while plenty of parts have dedicated uses, I enjoy reusing them in ways that challenge what they were originally meant for while respecting the constraints of their construction. Building off of my piece from last time, I’d like to add to your mechanical hacking palette with four more ways we can re-use some familiar off-the-shelf parts.
Mark it on your calendars, folks — this is the week that the term RUD has entered the public lexicon. Sure, most of our community already knows the acronym for “rapid unscheduled disassembly,” and realizes its tongue-in-cheek nature. But given that the term has been used by Elon Musk and others to describe the ignominious end of the recent Starship test flight, it seems like RUD will catch on in the popular press. But while everyone’s attention was focused on the spectacular results of manually activating Starship’s flight termination system to end its by-then uncontrolled flight at a mere 39 km, perhaps the more interesting results of the launch were being seen in and around the launch pad on Boca Chica. That’s where a couple of hundred tons of pulverized reinforced concrete rained down, turned to slag and dust by the 33 Raptor engines on the booster. A hapless Dodge Caravan seemed to catch the worst of the collateral damage, but the real wrath of those engines was focused on the Orbital Launch Mount, which now has a huge crater under it.