Hackaday Columns

4686 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

Open-Source AR Hack Chat

May 29, 2023 by No comments

Join us on Wednesday, May 31 at noon Pacific for the Open-Source AR Hack Chat with Raj Nakaraja!

We may live in a soup of electromagnetic waves that range in wavelength from the diameter of Jupiter down to a fraction of the radius of a hydrogen atom, but our eyeballs have evolved to only let us sense a tiny slice of that spectrum. That’s too bad, really, because there’s a lot going on in the rest of the spectrum that could potentially inform our ROYGBIV-centric view of the world. Think of the possibilities of being able to see UV the way an insect does, or being able to watch the radiation pattern of an antenna and make adjustments on the fly. Sounds like a job for augmented reality.

join-hack-chatIf seeing the world with different eyes sounds as cool to you as it does to us, you won’t want to miss Raj Nakaraja’s stop by the Hack Chat. Raj is head of engineering at Brilliant Labs, an augmented reality company that’s looking to bring AR into the mainstream. They’ve got some cool ideas about AR, and we’re going to take the opportunity to talk to Raj about open-source AR in general, Brilliant’s products specifically, and how AR can be incorporated into not only our projects, but into our lives as well.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, May 31 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Hackaday Links Column Banner

Hackaday Links: May 28, 2023

May 28, 2023 by 20 Comments

The Great Automotive AM Radio War of 2023 rages on, with the news this week that Ford has capitulated, at least for now. You’ll recall that the opening salvo came when the US automaker declared that AM radio was unusable in their EV offerings thanks to interference generated by the motor controller. Rather than fixing the root problem, Ford decided to delete the AM option from their EV infotainment systems, while letting their rolling EMI generators just keep blasting out interference for everyone to enjoy. Lawmakers began rattling their sabers in response, threatening legislation to include AM radio in every vehicle as a matter of public safety. Ford saw the writing on the wall and reversed course, saying that AM is back for at least the 2024 model year, and that vehicles already delivered without it will get a fix via software update.

Continue reading “Hackaday Links: May 28, 2023”

Hack Simple

May 27, 2023 by 7 Comments

Here at Hackaday, we definitely love to celebrate the hard hacks: the insane feats of reverse engineering, the physics-defying flights of fancy, or the abuse of cutting edge technology. But today I’d like to raise a rhetorical glass in tribute of the simple hacks. Because, to be perfectly honest, the vast majority of my hacks are simple hacks, and it’s probably the same for you too. And these often go unsung because, well, they’re simple. But that doesn’t mean that something simple can’t be helpful.

Case in point: an ESP8266 press-buttons device that we featured this week. It doesn’t do much. It’s main feature is that it connects to a home automation network over WiFi and enables you to flip three relays. Wires coming off the board are to be soldered to the not-yet-smart device in question, simply connected to each side of the button you’d like to press. In the example, a coffee machine was turned on and the “go” button pressed, automating one of the most essential kitchen rituals. While recording the podcast, I realized that I’ve built essentially this device and have it controlling our house’s heating furnace.

For the experienced hacker, there’s not much here. It’s a simple board design, the software heavily leverages ESPHome, so there’s not much work on that front either. But imagine that you lacked any of the wide-ranging skills that it takes to make such a device: PCB layout, ESP8266 software wrangling, or the nuances of designing with relays. You could just as easily build this device wrong as right. The startup costs are non-trivial.

Making a simple design like this available to the public isn’t a technical flex, and it’s not contributing to the cutting edge. But it just might be giving someone their first taste of DIY home automation, and a sweet taste of success. There’s not much easier than finding a switch and soldering on two wires, but if that’s the spark that pushes them on their path to greater hacks, that’s awesome. And even if it doesn’t, at least it’s another appliance under user control, connected to a private WiFi network rather than spying you out and phoning home to Big Toaster.

So here’s to the simple hacks!

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Learning 3D Printing Best Practices From A Pro

May 26, 2023 by 13 Comments

It might seem like 3D printing is a thoroughly modern technology, but the fact is, it’s been used in the industry for decades. The only thing that’s really new is that the printers have become cheap and small enough for folks like us to buy one and plop it on our workbench. So why not take advantage of all that knowledge accumulated by those who’ve been working in the 3D printing field, more accurately referred to as additive manufacturing, since before MakerBot stopped making wooden printers?

That’s why we asked Eric Utley, an applications engineer with Protolabs, to stop by the Hack Chat this week. With over 15 years of experience in additive manufacturing, it’s fair to say he’s seen the technology go through some pretty big changes. Hes worked on everything from the classic stereolithography (SLA) to the newer Multi Jet Fusion (MJF) printers, with a recent focus on printing in metals such as Inconel and aluminum. Compared to the sort of 3D printers he’s worked with, we’re basically playing with hot, semi-melted, LEGOs — but that doesn’t mean some of the lessons he’s learned can’t be applied at the hobbyist level. Continue reading “Learning 3D Printing Best Practices From A Pro”

Hackaday Podcast 220: Transparent Ice, Fake Aliens, And Bendy Breadboards

May 26, 2023 by 7 Comments

You can join Elliot and Al as they get together to talk about their favorite hacks of the week. There’s news about current contests, fake alien messages, flexible breadboards, hoverboards, low-tech home automation, and even radioactive batteries that could be a device’s best friend.

We have a winner in the What’s that Sound competition last week, which was, apparently, a tough one. You’ll also hear about IC fabrication, FPGAs, and core memory. Lots to talk about, including core memory, hoverboards, and vacuum tubes.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Or download all the things!

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 220: Transparent Ice, Fake Aliens, And Bendy Breadboards”

This Week In Security: Gitlab, KeyPassMini, And Horse

May 26, 2023 by 6 Comments

There’s a really nasty CVSS 10.0 severity vulnerability in Gitlab 16.0.0. The good news is that this is the only vulnerable version, and the fix came a mere two days after the vulnerable release. If you happened to be very quick to go to 16.0.0, then be very quick to get the fix, because CVE-2023-2825 looks like a bad one.

An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups.

That’s a very specific set of requirements for vulnerability, so it seems like hardly any installs would be vulnerable. The rest of the story is that regular users can create groups, and many installs allow for open user registration. So if you’re running Gitlab 16.0.0, update now!

KeyPassMini

A Redditor got a surprising notice that someone attempted to access a bank account, but failed two-factor authentication. That seemed odd, and led the Redditor down the rabbithole of auditing applications. And one iOS app in particular stood out as maybe problematic — KeyPassMini.

The app was a mobile client for KeyPass, the password manager. The problem was some analytics. It looks like KeyPassMini was bundling up some system information and uploading it to a server controlled by the creator. Analytics are often unpopular, but this app was including the system clipboard contents in the uploaded data. Yikes! And it gets worse: The app does password fills by using that same clipboard, so some of the protected passwords may have been scooped up into that analytics data. And sent unencrypted. Oof.

Now, the app author has pulled the plug on the app altogether, and responded on the old Github project page. It’s a bit odd, but it’s perfectly believable that there were no ill intentions here. Regardless, code to send the clipboard is a big problem, and definitely undoes a lot of trust in a project.

And KeyPass itself has a problem, though much less worrying. KeyPass attempts to keep sensitive data out of its own memory when possible. This approach aims to protect even in the event of a compromised machine. [vdohney] on Sourceforge discovered that there is a channel to recover the master password, by being just a bit clever. When a user types in the master password, by default, KeyPass will show the last letter typed, and replace the previous letters with bullets. But each iteration of that string ends up in program memory, so a privileged attacker can get a memory dump, look for the bullet characters, and find a set of leftover strings like •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d. It’s an easy password grab. Now remember, this essentially implies an attacker has memory access on your system, so it’s not a gaping weakness in KeyPass.

As you can see from the POC on GitHub, the problem is that a .NET text box keeps the strings in memory, so it probably hits both Windows and Linux users under Mono. The proposed solution that the KeyPass team is taking is to poison the well with enough random characters that retrieving the correct password is a lot harder. It’s still getting fixed in the next release.

Horse Shell for MIPS Routers

Checkpoint Research brings us news of the Horse Shell, a bit of malware specifically for MIPS architecture routers running Linux. It’s been found in TP-Link firmware images so far, but as so many of those routers are essentially based on the same Linux SDK, the malware appears to be applicable to many models. The exact firmware images being examined were found in a collection of tools used by Camaro Dragon, a rather catchy name for a Chinese APT group.

The firmware images have some of the normal bits you would expect, like data collection, remote shell, and remote proxy support. They have some really sneaky tricks, too, like storing part of the data on the partition reserved for WiFi calibration data. One has to wonder if hijacking that partition negatively affects the router’s wireless performance. In the firmware images examined, the quickest tell is to go to the firmware upgrade page. If it’s blank, without a form to upload new firmware, you may have the malicious image.

WordPress

WordPress 6.2.1 has a security fix, that is then improved upon in 6.2.2, where block themes could parse user-generated shortcodes. A shortcode is tags inside [brackets], that gets replaced by more complicated data. We use a code shortcode all the time here on Hackaday, to try to get source code to render nicely, angle brackets and all.

It turns out, the fix in 6.2.1 went a little overboard, breaking quite a few sites by disabling shortcodes in block themes altogether. The situation in 6.2.2 is a bit better, with most of the problems being dealt with. Sometimes it’s hard to tell the bugs and the features apart.

And a WordPress plugin, Beautiful Cookie Consent Banner, is under active attack for a Cross-Site Scripting vulnerability. The attack is odd, as WordPress.org shows just 40,000 active installs, and almost 1.5 million sites have been sent the malicious payload to try to exploit the plugin. And the kicker? It looks like the payload on this attack is a dud, and fails to actually infect a vulnerable site. It can still goober a vulnerable site, so make sure to check your plugins.

Bits and Bytes

Speaking of plugins, be careful what VScode plugins you use. They’re not all friendly. Microsoft has been working to keep malicious plugins off the official marketplace, but that arms race never seems to have an end. And as such, there were a couple known malicious plugins with nearly 50,000 installs.

For some in-depth fun, check out this PDF paper on Android Fingerprint Reader attacks. It seems simple, right? Take a screenshot of a finger, compare it to a known data set, and lock the phone if the test fails too many times. It is, of course, not quite that simple. Researchers formulated two loopholes, Cancel-After-Match-Fail and Match-After-Lock, both of which abuse user-friendly features to manage way more attempts at a fingerprint read. Read the paper for the juicy details.

And finally, Troy Hunt had some fun at the expense of a scammer. Troy’s wife was selling a fridge on Gumtree, and they decided to play along with a suspicious “buyer”. Turns out, it’s the old agent fee scam. I’ll give you the money you asked for, plus $800 to cover the fee. Can you forward that extra money on? But of course, the Paypal confirmation message was faked, and there was no money paid. Troy managed to get an impressive bit of information, including that the scam is actually being run out of, you guessed it, Nigeria. Shipping would be a pain. ><

Linux Fu: Making Progress

May 24, 2023 by 12 Comments

The computer world looks different from behind a TeleType or other hardcopy terminal. Things that tend to annoy people about Unix or Linux these days were perfectly great when you were printing everything the computer said to you. Consider the brevity of most basic commands. When you copy a file, for example, it doesn’t really tell you much other than it returns you to the prompt when it is done. If you are on a modern computer working with normal-sized files locally, not a big deal. But if you are over a slow network or with huge files, it would be nice to have a progress bar. Sure, you could write your own version of copy, but wouldn’t it be nice to have some more generic options?

One Way

The pv program can do some of the things you want. It monitors data through a pipe or, at least through its standard output. Think of it as cat with a meter. Suppose you want to write a diskimage to /dev/sdz:

cat diskz.img >/dev/sdz

But you could also do:

pv diskz.img >/dev/sdz

By default, pv will show a progress bar, an elapsed time, an estimated end time, a rate, and a total number of bytes. You can turn any of that off or add things using command line options. You can also specify things like the size of the terminal if it should count lines instead of bytes, and, in the case where the program doesn’t know what it is reading, the expected size of the transfer.

Continue reading “Linux Fu: Making Progress”