Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist

Even for those with paraskevidekatriaphobia, today is your lucky day as Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney sit under ladders with umbrellas while holding black cats to talk about the week in awesome hacks. And what a week it was, with a Scooby Doo code review, mushrooms in your PCBs, and the clickiest automatic transmission that never was. Have you ever flashed the firmware on a $4 wireless sensor? Maybe you should try. Wondering how to make a rotary Hall sensor detect linear motion? We’ll answer that too. Will AI muscle the dungeon master out of your D&D group? That’s a hard no. We’ll talk about a new RISC-V ESP32, making old video new again, nuclear reactor kibble, and your least satisfying repair jobs. And yes, everyone can relax — I’m buying her a new stove.

Download the podcast in case our servers get unlucky.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and was released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.
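The two checks that were missing, modeled as an added example (this is not Cacti's PHP code): the client address comes from the TCP peer unless the peer is a proxy you operate, and `poller_id` is accepted only as digits. The function names, the `req` shape, the `x-forwarded-for` header choice and all addresses are assumptions made for the illustration.

```javascript
// Added example: a model of the two checks, not Cacti's own code.
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // constructed proxy address

// Decide who the client is from the TCP peer. A forwarding header is only
// believed when the peer itself is a proxy we operate.
function clientAddress(req) {
  const peer = req.socketAddress;
  const fwd = req.headers['x-forwarded-for'];
  if (!fwd || !TRUSTED_PROXIES.has(peer)) return peer;
  // Walk right to left: the right-most hop that is not one of our proxies
  // is the address our proxy actually saw; anything left of it is client-supplied.
  const hops = fwd.split(',').map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return peer;
}

// Simplified stand-in for "is this request coming from the server itself?"
function isLocalRequest(req) {
  const addr = clientAddress(req);
  return addr === '127.0.0.1' || addr === '::1';
}

// poller_id is an identifier, so accept digits only and hand back a number.
// Nothing string-like is left to reach command construction.
function parsePollerId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,9}$/.test(raw)) return null;
  return Number(raw);
}
```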

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing its own toString() method along to play? At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable.
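The guard that closes this hole, as an added example (not code from the JsonWebToken project or from Unit 42): a small HS256 verifier that refuses any key that is not a string or Buffer and requires an explicit algorithm allow-list. `verifyStrict`, `assertKeyMaterial` and `signHS256` are hypothetical names, and the secret used with them is constructed.

```javascript
// Added example: type-strict HS256 verification, not the library's code.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed helper so the example has a token to check.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const mac = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(mac)}`;
}

// Reject anything that is not a primitive string or a Buffer before the key
// is used, so a caller-supplied toString() is never invoked.
function assertKeyMaterial(key) {
  if (typeof key === 'string' || Buffer.isBuffer(key)) return key;
  throw new TypeError('key must be a string or Buffer');
}

function verifyStrict(token, key, options) {
  // Require an explicit allow-list instead of inferring behaviour from the key.
  if (!options || !Array.isArray(options.algorithms) || options.algorithms.length === 0) {
    throw new Error('algorithms allow-list is required');
  }
  const secret = assertKeyMaterial(key);
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  // This verifier only implements HS256, and the caller must have allowed it.
  if (header.alg !== 'HS256' || !options.algorithms.includes(header.alg)) {
    throw new Error('algorithm not allowed');
  }
  const expected = crypto.createHmac('sha256', secret)
    .update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}
```

The type check runs before any string coercion, which is the property that matters here: an object key is rejected without its methods ever being called.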


3D Printering: Can You Ever Have Enough Vitamins?

As a community we owe perhaps more than we realise to the RepRap project. From it we get not only a set of open-source printer designs, but also the fact that 3D printing at our level has never become dominated by proprietary manufacturers in the way that, for example, paper printing is. The idea of a printer that can reproduce itself has never quite been fully realised though, because of what the RepRap community refer to as “vitamins”.

These are the mass-produced parts such as nuts, bolts, screws, and other parts which a RepRap printer can’t (yet) create for itself. It’s become a convenience among some of my friends to use this term in general for small pieces of hardware, which leads me to last week. I had a freshly printed prototype of one of my projects, and my hackerspace lacked the tiny self-tapping screws necessary for me to assemble it. Where oh where, was my plaintive cry, are the vitamins!

So my hackerspace is long on woodscrews for some reason, and short on machine screws and self-tappers. And threaded inserts for that matter, but for some reason it’s got a kit of springs. I’m going to have to make an AliExpress order to fix this, so maybe I need you lot to help me. Just what vitamins does a lone hardware hacker or a hackerspace need?

Supercon 2022: Samy Kamkar’s Glowing Breath

Sometimes the journey itself is the destination. This one started when [Samy] was 10 and his mom bought a computer. He logged on to IRC to talk with people about the X-Files and was WinNuked. Because of that experience, modulo a life of hacking and poking and playing, the talk ends with a wearable flex-PCB Tesla coil driving essentially a neon sign made from an ampule of [Samy]’s own breath around his neck. Got that? Buckle up, it’s a rollercoaster.


All About USB-C: Power Delivery

USB-C eliminates proprietary barrel plug chargers that we’ve been using for laptops and myriads of other devices. It fights proprietary phone charger standards by explicitly making them non-compliant, bullying companies into making their devices work with widely available chargers. As a hobbyist, you no longer need to push 3 A through tiny MicroUSB connectors and underspecced cables to power a current-hungry Pi 4. Today, all you need is a USB-C socket with two resistors – or a somewhat special chip in case the resistors don’t quite get you where you want to be.

You get way more bang for your buck with USB-C. This applies to power too; after all, not all devices will subsist on 15 W – some will want more. If 15 W isn’t enough for your device, let’s see how we can get you beyond.

Reaching Higher

USB-C power supplies always support 5 V and some are limited to that, but support for higher voltages is where it’s at. The usual voltage steps of USB-C are 5 V, 9 V, 15 V and 20 V; 12 V support is optional and is more of a convention. These steps are referred to as SPR, and EPR adds 28 V, 36 V and 48 V steps into the mix – for up to 240 W; necessitating new cables, but being fully backwards and forwards compatible, and fully safe to use due to cable and device checks that USB-C lets you perform.

A charger has to support all steps below its highest step, which means that 20 V-capable chargers also have to support 5 V, 9 V, and 15 V as well – in practice, most of them indeed do, and only some might skip a step or two. You can also get voltages in-between, down to 3.3 V, even, using a PD standard called PPS (or the AVS standard for EPR-range chargers) – it’s not a requirement, but you’ll find that quite a few USB-C PSUs will oblige, and PPS support is usually written on the label.


Hackaday Links: January 8, 2023

Something odd is afoot in the mountains around Salt Lake City, Utah, at least according to local media reports of remote radio installations that have been popping up for at least the past year. The installations consist of a large-ish solar panel, a weatherproof box full of batteries — and presumably other electronics, including radios — and a mast bearing at least one antenna. Local officials aren’t quite sure who these remote setups belong to or what they’re intended to do, but the installations obviously represent a huge investment in resources.

The one featured in the story was located near the summit of Twin Peaks, which is about 11,000 feet (3,300 meters) in elevation, which with that much gear was probably a hell of a hike. Plus, the owner took great pains to make sure the site would withstand the weather, with antenna mast guy wires that must have required lugging a pretty big drill up with them. There aren’t any photos of the radios in the enclosure, but one photo shows a 900-MHz LORA antenna, while another shows what appears to be a panel antenna, perhaps pointing toward another site. So maybe a LORA mesh network? Some comments in the Twitter thread show most people are convinced this is a Helium crypto mining rig, but the Helium Explorer doesn’t show any hotspots listed in that area. Either way, the owners are out of luck, since their gear is being removed if it’s on public land.


Happy New Year, Hackaday!

[Tom Nardi] and I were talking on the podcast about 2022, and how it went from the hacker’s perspective. As the global chip shortage entered its second full year, we both thought back on the ways that we all had to adapt and work around the fact that we just couldn’t get the parts we were accustomed to picking up with ease.

What had previously been an infinite supply of knockoff Arduino clones and STM32 Blue Pill boards all of a sudden just dried up. Sometimes you just couldn’t get the DAC chip you wanted, or at least not without many weeks’ lead time, and even then, it’d cost you. Raspberry Pi single-board computers became hard to find. PCB designs had to change and new SDKs needed to be learned. I know I had to grab twice for unfamiliar microcontroller platforms this year.

We hacked around the problems. It would be absurd to say that the chip shortage wasn’t a pain in the posterior, but in the end we all managed to carry on and keep creating. We created more flexible footprints, learned to design around what we could get, and definitely had to do more planning. We pulled parts for projects out of the junk box or shelf stock. Or, as Tom noted, we did what everyone in the parts of the world who aren’t as fortunate to get free expedited shipping does – we made do.

Making do often meant learning new environments, questioning old habits, and double-checking pinouts. But if you’re like me, not all of that time was wasted. Sometimes it’s good to get shaken out of comfy workflows, even if by force. So while we wish you parts-in-stock and easy availability for 2023, don’t forget the lessons learned from 2022. Stay scrappy, Hackaday!