This Week In Security: Git Deep Dive, Mailchimp, And SPF

January 20, 2023 by Jonathan Bennett 10 Comments

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a non-profit working to improve the security of Open Source projects. The audit itself was done by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same bad coding habit — using an int to hold buffer lengths.

On modern systems, a size_t is always unsigned, and the same bit length as the architecture bit-width. This is the proper data type for string and buffer lengths, as it is guaranteed not to overflow when handling lengths up to the maximum addressable memory on the system. On the other hand, an int is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647 — about 2 GB. A big buffer, but not an unheard amount of data. Throw something that large at git, and it will break in unexpected ways.

Our first example is CVE-2022-23521, an out of bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository will cause the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git will then vastly under-allocate the attributes buffer, and write all that data past the end of the allocated buffer.

CVE-2022-41903 is another signed integer overflow, this time when a pretty print format gets abused to do something unexpected. Take a look at this block of code:

Continue reading “This Week In Security: Git Deep Dive, Mailchimp, And SPF” →

Linux Fu: UEFI Booting

January 19, 2023 by Al Williams 30 Comments

Unless your computer is pretty old, it probably uses UEFI (Unified Extensible Firmware Interface) to boot. The idea is that a bootloader picks up files from an EFI partition and uses them to start your operating system. If you use Windows, you get Windows. If you use Linux, there’s a good chance you’ll use Grub which may or may not show you a menu. The problem with Grub is you have to do a lot of configuration to get it to do different things. Granted, distros like Ubuntu have tools that go through and do much of the work for you and if you are satisfied with that, there’s no harm in using Grub to boot and manage multiple operating systems.

An alternative would be rEFInd, which is a nice modern UEFI boot manager. If you are still booting through normal (legacy) BIOS, the installation might be a hassle. But, in general, rEFInd, once installed, just automatically picks up most things, including Windows, Mac, and Linux operating systems and kernels. The biggest reasons you might change the configuration is if you want to hide some things you don’t care about or change the visual theme.

Continue reading “Linux Fu: UEFI Booting” →

Retro Gadgets: Tired Of The Beatles On 8 Track? Try The Police

January 18, 2023 by Al Williams 48 Comments

In the 1970s, 8-track audio players were very popular, especially in cars. For a couple of bucks, you could have the latest album, and you didn’t have to flip the tape in the middle of a drive like you did with a cassette. We’ve seen plenty of 8-tracks and most of us a certain age have even owned a few players. But we couldn’t find anyone who would admit to owning the Bearcat 8 Track Scanner, as seen in the 1979 Popular Electronics ad below.

Continue reading “Retro Gadgets: Tired Of The Beatles On 8 Track? Try The Police” →

All About USB-C: High-Speed Interfaces

January 17, 2023 by Arya Voronova 40 Comments

One amazing thing about USB-C is its high-speed capabilities. The pinout gives you four high-speed differential pairs and a few more lower-speed pairs, which let you pump giant amounts of data through a connector smaller than a cent coin. Not all devices take advantage of this capability, and they’re not required to – USB-C is designed to be accessible for every portable device under the sun. When you have a device with high-speed needs exposed through USB-C, however, it’s glorious just how much USB-C can give you, and how well it can work.

The ability to get a high-speed interface out of USB-C is called an Alternate Mode, “altmode” for short. The three altmodes you can encounter nowadays are USB3, DisplayPort and Thunderbolt, there’s a few that have faded into obscurity like HDMI and VirtualLink, and some are up and coming like USB4. Most altmodes require digital USB-C communication, using a certain kind of messages over the PD channel. That said, not all of them do – the USB3 is the simplest one. Let’s go through what makes an altmode tick. Continue reading “All About USB-C: High-Speed Interfaces” →

2022 FPV Contest: Congratulations To The Winners!

January 16, 2023 by Elliot Williams 6 Comments

We wanted to see what the Hackaday crowd was up to in first-person view tech, and you didn’t disappoint! Commercial FPV quads have become cheap enough these days that everyone and their mom got one for Christmas, so it was fantastic to see the DIY spirit in these projects. Thanks to everyone who entered.

The Winners

None of the entries do the DIY quite as thoroughly as [JP Gleyzes]’s “poor man’s FPV journey”. This is actually three hacks in one, with DIY FPV goggles made from cheap optics and 3D printed additions, a USB joystick to PPM adapter to use arbitrary controllers with an RC transmitter, and even a fully DIY Bluetooth-based controller for a popular flight simulator. [JP] has done everything but build his own drone, and all the files are there for you to use, whether you’re goal is to do it on the cheap, or to do something new.

If you want to build your own drone from scratch, though, ESP32 Drone project has you covered. At least, mostly. This build isn’t entirely finished yet, and it’s definitely got some crash-testing still in its future, but the scope and accessibility of the project is what caught our eyes. The goal is to make a lightweight indoor quad around parts we can all get easily and cheaply, completely scratch-built. This drone is meant to be controlled by a smartphone, and the coolest parts for us are the ESP_Drone and ESPStream software that run on the drone and your phone respectively. Congrats to [Jon VB]! Now get that thing in the air.

And if you’re looking for a tidy little build, [Tobias]’s Mini FPV Speed Tank doesn’t disappoint. It’s a palm-sized mini tank, but this thing hauls, and looks like a ton of fun to drive around. It uses an absolutely tiny RP2040 module, an equally tiny receiver, and a nano FPV camera and transmitter to keep it compact. The 3D-printed frame and tracks are so nice that we’re not even complaining that the FPV rig is simply rubber-banded on top of the battery. This looks like a super fun build.

Each of these three projects have won a $150 Digi-Key shopping spree to help out with parts in this, or your next project. Thanks again to Digi-Key for sponsoring!

Continue reading “2022 FPV Contest: Congratulations To The Winners!” →

Machining With Electricity Hack Chat

January 16, 2023 by Dan Maloney 12 Comments

Join us on Wednesday, January 18 at noon Pacific for the Machining with Electricity Hack Chat with Daniel Herrington!

With few exceptions, metalworking has largely been about making chips, and finding something hard enough and tough enough to cut those chips has always been the challenge. Whether it’s high-speed steel, tungsten carbide, or even little chunks of rocks like garnet or diamond, cutting metal has always used a mechanical interaction between tool and stock, often with spectacular results.

But then, some bright bulb somewhere realized that electricity could be used to remove metal from a workpiece in a controlled fashion. Whether it’s using electric sparks to erode metal — electric discharge machining (EDM) — or using what amounts to electroplating in reverse — electrochemical machining (ECM) — electrical machining methods have made previously impossible operations commonplace.

While the technology behind ExM isn’t really that popular in the hobby machine shop yet, a lot of the equipment needed and the methods to make it all work are conceivably DIY-able. But the first step toward that is understanding how it all works, and we’re lucky enough to have Daniel Herrington stop by the Hack Chat to help us out with that. Daniel is CEO and founder of Voxel Innovations, a company that’s on the cutting edge of electrochemical machining with its pulsed ECM technology. There’s a lot to unpack, so make sure you stop by so we can all get up to speed on what’s up with using electricity to do the machining.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, January 18 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Hackaday Links: January 15, 2023

January 15, 2023 by Dan Maloney 18 Comments

It looks like the Martian winter may have claimed another victim, with reports that Chinese ground controllers have lost contact with the Zhurong rover. The solar-powered rover was put into hibernation back in May 2022, thanks to a dust storm that kicked up a couple of months before the start of local winter. Controllers hoped that they would be able to reestablish contact with the machine once Spring rolled around in December, but the rover remains quiet. It may have suffered the same fate as Opportunity, which had its solar panels covered in dust after a planet-wide sandstorm and eventually gave up the ghost.

What’s worse, it seems like the Chinese are having trouble talking to the Tianwen-1 orbiter, too. There are reports that controllers can’t download data from the satellite, which is a pity because it could potentially be used to image the Zhurong landing site in Utopia Planitia to see what’s up. All this has to be taken with a grain of dust, of course, since the Chinese aren’t famously transparent with their space program. But here’s hoping that both the rover and the orbiter beat the odds and start doing science again soon.

Continue reading “Hackaday Links: January 15, 2023” →