Hackaday Columns

4255 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

Hackaday Links Column Banner

Hackaday Links: January 15, 2023

January 15, 2023 by 18 Comments

It looks like the Martian winter may have claimed another victim, with reports that Chinese ground controllers have lost contact with the Zhurong rover. The solar-powered rover was put into hibernation back in May 2022, thanks to a dust storm that kicked up a couple of months before the start of local winter. Controllers hoped that they would be able to reestablish contact with the machine once Spring rolled around in December, but the rover remains quiet. It may have suffered the same fate as Opportunity, which had its solar panels covered in dust after a planet-wide sandstorm and eventually gave up the ghost.

What’s worse, it seems like the Chinese are having trouble talking to the Tianwen-1 orbiter, too. There are reports that controllers can’t download data from the satellite, which is a pity because it could potentially be used to image the Zhurong landing site in Utopia Planitia to see what’s up. All this has to be taken with a grain of dust, of course, since the Chinese aren’t famously transparent with their space program. But here’s hoping that both the rover and the orbiter beat the odds and start doing science again soon.

Continue reading “Hackaday Links: January 15, 2023”

Too Many Pixels

January 14, 2023 by 39 Comments

Sometimes simpler is more impressive than complicated, and part of this is certainly due to Arthur C. Clarke’s third law: “Any sufficiently advanced technology is indistinguishable from magic.”. It’s counter-intuitive, though, that a high-tech project would seem any less amazing than a simpler one, but hear me out.

I first noticed this ages ago, when we were ripping out the blue laser diodes from Casio XJ-A130 laser projectors back when this was the only way to get a powerful blue laser diode. Casio had bought up the world’s supply of the 1.5 W Nichias, and was putting 24 of them in each projector, making them worth more dead than alive, if you know what I mean. Anyway, we were putting on a laser show, and the bright blue diode laser was just what we needed.

RGB Laser show
A sweeter setup than mine, but you get the idea. 

Color laser setups take three or more different lasers, combine the beams, and then bounce them off of mirrors attached to galvos. Steer the mirrors around, and you can project vector images. It’s pretty cool tech, and involves some serious fine-tuning, but the irony here is that we were tearing apart a device with 788,736 microscopic DLP mirrors to point the lasers through just two. And yet, a DIY laser show is significantly cooler than just putting up your powerpoint on the office wall.

The same thing goes for 2D plotting machines like the AxiDraw. The astonishing tech behind any old laser printer is mind-numbing. Possibly literally. Why else would we think that art drawn out by a pen in the hands of a stepper-powered robot is cooler than the output of a 1600 DPI unit coming from HP’s stable? I mean, instead of running an hours-long job to put ink on paper with a pen, my Laserjet puts out an image in ten seconds. But it’s just not as much fun.

So here we are, in an age where there’s so darn much magic all around us, in the form of sufficiently advanced technology, that comprehensible devices are actually more impressive. And my guess is that it’s partly because it’s not surprising when a device that’s already magic does something magical. I mean, that’s just what it’s supposed to do. Duh!

But when something beautiful emerges from a pair of mirrors epoxied to shafts on springs turned by copper coils, that’s real magic.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist

January 13, 2023 by 2 Comments

Even for those with paraskevidekatriaphobia, today is your lucky day as Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney sit under ladders with umbrellas while holding black cats to talk about the week in awesome hacks. And what a week it was, with a Scooby Doo code review, mushrooms in your PCBs, and the clickiest automatic transmission that never was. Have you ever flashed the firmware on a $4 wireless sensor? Maybe you should try. Wondering how to make a rotary Hall sensor detect linear motion? We’ll answer that too. Will AI muscle the dungeon master out of your D&D group? That’s a hard no. We’ll talk about a new RISC-V ESP32, making old video new again, nuclear reactor kibble, and your least satisfying repair jobs. And yes, everyone can relax — I’m buying her a new stove.

Download the podcast in case our servers get unlucky.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist”

This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

January 13, 2023 by 7 Comments

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing it’s own toString() method along to play. At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable. Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”

Art of 3D printer in the middle of printing a Hackaday Jolly Wrencher logo

3D Printering: Can You Ever Have Enough Vitamins?

January 12, 2023 by 66 Comments

As a community we owe perhaps more than we realise to the RepRap project. From it we get not only a set of open-source printer designs, but that 3D printing at our level has never become dominated by proprietary manufacturers in the way that for example paper printing is. The idea of a printer that can reproduce itself has never quite been fully realised though, because of what the RepRap community refer to as “vitamins“.

These are the mass-produced parts such as nuts, bolts, screws, and other parts which a RepRap printer can’t (yet) create for itself. It’s become a convenience among some of my friends to use this term in general for small pieces of hardware, which leads me to last week. I had a freshly printed prototype of one of my projects, and my hackerspace lacked the tiny self-tapping screws necessary for me to assemble it. Where oh where, was my plaintive cry, are the vitamins!

So my hackerspace is long on woodscrews for some reason, and short on machine screws and self-tappers. And threaded inserts for that matter, but for some reason it’s got a kit of springs. I’m going to have to make an AliExpress order to fix this, so the maybe I need you lot to help me. Just what vitamins does a a lone hardware hacker or a hackerspace need? Continue reading “3D Printering: Can You Ever Have Enough Vitamins?”

Supercon 2022: Samy Kamkar’s Glowing Breath

January 10, 2023 by 6 Comments

Sometimes the journey itself is the destination. This one started when [Samy] was 10 and his mom bought a computer. He logged on to IRC to talk with people about the X-Files and was WinNuked. Because of that experience, modulo a life of hacking and poking and playing, the talk ends with a wearable flex-PCB Tesla coil driving essentially a neon sign made from an ampule of [Samy]’s own breath around his neck. Got that? Buckle up, it’s a rollercoaster.

Continue reading “Supercon 2022: Samy Kamkar’s Glowing Breath”

All About USB-C: Power Delivery

January 9, 2023 by 65 Comments

USB-C eliminates proprietary barrel plug chargers that we’ve been using for laptops and myriads of other devices. It fights proprietary phone charger standards by explicitly making them non-compliant, bullying companies into making their devices work with widely available chargers. As a hobbyist, you no longer need to push 3 A through tiny MicroUSB connectors and underspecced cables to power a current-hungry Pi 4. Today, all you need is a USB-C socket with two resistors – or a somewhat special chip in case the resistors don’t quite get you where you want to be.

You get way more bang for your buck with USB-C. This applies to power too; after all, not all devices will subsist on 15 W – some will want more. If 15 W isn’t enough for your device, let’s see how we can get you beyond.

Reaching Higher

USB-C power supplies always support 5 V and some are limited to that, but support for higher voltages is where it’s at. The usual voltage steps of USB-C are 5 V, 9 V, 15 V and 20 V ; 12V support is optional and is more of a convention. These steps are referred to as SPR, and EPR adds 28 V, 36 V and 48 V steps into the mix – for up to 240 W; necessitating new cables, but being fully backwards and forwards compatible, and fully safe to use due to cable and device checks that USB-C lets you perform.

A charger has to support all steps below its highest step, which means that 20 V-capable chargers also have to support 5 V, 9 V, and 15 V as well – in practice, most of them indeed do, and only some might skip a step or two. You can also get voltages in-between, down to 3.3 V, even, using a PD standard called PPS (or the AVS standard for EPR-range chargers) – it’s not a requirement, but you’ll find that quite a few USB-C PSUs will oblige, and PPS support is usually written on the label. Continue reading “All About USB-C: Power Delivery”