
Hackaday Links: February 26, 2023

It’s probably safe to say that most of us have had enough of the Great Balloon Follies to last the rest of 2023 and well beyond. It’s been a week or two since anything untoward was spotted over the US and subsequently blasted into shrapnel, at least that we know of, so we can probably put this whole thing behind us.

But as a parting gift, we present what has to be the best selfie of the year — a photo by the pilot of a U-2 spy plane of the balloon that started it all. Assuming no manipulation or trickery, the photo is remarkable; not only does it capture the U-2 pilot doing a high-altitude flyby of the balloon, but it shows the shadow cast by the spy plane on the surface of the balloon.

The photo also illustrates the enormity of this thing; someone with better math skills than us could probably figure out the exact size of the balloon from the apparent size of the U-2 shadow, in fact.


Hackaday Podcast 207: Modular Furniture, Plastic Prosthetics, And Your Data On YouTube

Join Editor-in-Chief Elliot Williams and Managing Editor Tom Nardi as they explore the best and most interesting stories from the last week. The top story is of course the possibility that at least some of the unidentified flying objects the US Air Force valiantly shot down were in fact the work of amateur radio enthusiasts, but a quantitative comparison of NASA’s SLS mega-rocket to that of popular breakfast cereals is certainly worth a mention as well.

Afterwards the discussion will range from modular home furnishings to the possibility of using YouTube (or maybe VHS tapes) to back up your data and AI-generated Pong. Also up for debate are cheap CO2 monitors which may or may not be CO2 monitors, prosthetic limbs made from locally recycled plastic, and an answer to Jenny’s Linux audio challenge from earlier this month.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download it your own bad self!


This Week In Security: GoDaddy, Joomla, And ClamAV

We’ve seen some rough security fails over the years, and GoDaddy’s recent news about a breach leading to rogue website redirects might make the highlight reel. The real juicy part is buried on page 30 of a PDF filing to the SEC.

Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy.

That multi-year campaign appears to go back to at least October 2019, when an SSH file was accessed and altered, leading to 28,000 customer SSH usernames and passwords being exposed. There was also a 2021 breach of the GoDaddy WordPress environment, which has been linked to the same group.

Reading between the lines, there may be an implication here that the attackers had an ongoing presence in GoDaddy’s internal network for that entire multi-year period — note that the quote above refers to a single campaign, and not multiple campaigns from the same actor. That would be decidedly bad.

Joomla’s Force Persuasion

Joomla has a critical vulnerability, CVE-2023-23752, which is a trivial information leak from a web endpoint. This flaw is present in all of the 4.x releases up to 4.2.8, which contains the fix. The issue is the REST API, which gives access to pretty much everything about a given site. It has an authentication component, of course. The bypass is to simply append ?public=true. Yes, it’s a good old “You don’t need to see his identification” force suggestion.

There’s even a PoC script that runs the request and spits out the most interesting data: the username, password, and user id contained in the response. It’s not quite as disastrous as that sounds — the API isn’t actually leaking the administrative username and password, or even the password hash. It’s leaking the SQL database credentials. Though if your database is accessible from the Internet, then that’s pretty much as bad as it could be.
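From the defender’s side, the useful thing about this bug is that the bypass leaves an obvious fingerprint in the web server log: a request to the API that carries a public parameter, which no legitimate client has any reason to send. The script below is an added example written for this column, not the PoC the post refers to and not Joomla project code. It assumes Joomla 4 serves its REST API under the default /api/ prefix, and the log lines it runs over are constructed in Apache “combined” format; it flags any /api/ request whose query string contains a public parameter at all (a slightly broader net than the exact ?public=true the post describes, on the assumption that a variant value is just as unwelcome) and counts how many were actually served with a 2xx.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic in Apache "combined" log format; addresses are
# documentation ranges and the paths are illustrative, not a real site.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Feb/2023:10:15:01 +0000] "GET /api/index.php/v1/content/articles?public=true HTTP/1.1" 200 1843 "-" "curl/7.88.1"
203.0.113.10 - - [22/Feb/2023:10:15:03 +0000] "GET /api/index.php/v1/content/articles?page[limit]=5&public=true HTTP/1.1" 200 912 "-" "curl/7.88.1"
198.51.100.7 - - [22/Feb/2023:10:16:10 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2023:10:16:12 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 77 "-" "Mozilla/5.0"
"""

# Minimal "combined" log parser: client address, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def has_public_flag(target: str, api_prefix: str = "/api/") -> bool:
    """True if the request targets the API prefix and carries a `public` query parameter.

    `api_prefix` defaults to Joomla 4's stock API mount point (assumption for this example);
    requests elsewhere on the site are ignored so ordinary `?public=...` pages do not alert.
    """
    parts = urlsplit(target)
    if not parts.path.startswith(api_prefix):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return "public" in query


def find_bypass_attempts(log_text: str, api_prefix: str = "/api/") -> list:
    """Return one record per matching request: source address, target and HTTP status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if has_public_flag(m["target"], api_prefix):
            hits.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return hits


def summarize(hits: list) -> dict:
    """Per-source counts; `served` is the number answered with 2xx, i.e. the ones to chase first."""
    by_ip = {}
    for h in hits:
        entry = by_ip.setdefault(h["ip"], {"total": 0, "served": 0})
        entry["total"] += 1
        if 200 <= h["status"] < 300:
            entry["served"] += 1
    return by_ip


if __name__ == "__main__":
    hits = find_bypass_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['status']} {h['target']}")
    print(summarize(hits))
```

On a patched site (4.2.8 or later) the same requests should show up with a 401 or 403 rather than a 200, so the served count is the quick way to tell probing from an actual leak; a non-zero served count on an older release means treating the database credentials as exposed.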

Supercon 2022: Tap Your Rich Uncle To Fund Your Amateur Radio Dreams

Imagine you had a rich uncle who wanted to fund some of your projects. Like, seriously rich — thanks to shrewd investments, he’s sitting on a pile of cash and is now legally obligated to give away $5,000,000 a year to deserving recipients. That would be pretty cool indeed, but like anything else, if it sounds too good to be true, it probably is, right?

Well, maybe not. It turns out that we in the amateur radio community — and even amateur radio adjacent fields — have a rich uncle named Amateur Radio Digital Communications (ARDC), a foundation with a large endowment and a broad mission to “support amateur radio, funds scholarships and worthy educational programs, and financially support technically innovative amateur radio and digital communications projects.” As the foundation’s Outreach Manager John Hayes (K7EV) explained at Supercon 2022, ARDC is a California-based 501(c)3 non-profit organization that has been in the business of giving away money to worthy projects in the amateur radio space since 2021.


Linux Fu: Sharing Your Single WiFi

If you are trying to build a router or access point, you’ll need to dig into some of the details of networking that are normally hidden from you. But, for a normal WiFi connection, things mostly just work, even though that hasn’t always been the case. However, I ran into a special case the other day where I needed a little custom networking, and then I found a great answer to automate the whole process. It all comes down to hotel WiFi. How can you make your Linux laptop connect to a public WiFi spot and then rebroadcast it as a private WiFi network? In particular, I wanted to connect an older Chromecast to the network.

Hotel WiFi used to be expensive, but now, generally, it is free. There was a time when I carried a dedicated little box that could take a wired or wireless network and broadcast its own WiFi signal. These were actually fairly common, but you had to be careful as some would only broadcast a wired network connection. It was more difficult to make the wireless network share as a new wireless network, but some little travel routers could do it. Alternatively, you could install one of the open router firmware systems and set it up. But lately, I haven’t been carrying anything like that. With free WiFi, you can just connect your different devices directly to the network. But then there’s the Chromecast and the dreaded hotel login.


SUPERCON 2022: Kuba Tyszko Cracks Encrypted Software

[Kuba Tyszko], like many of us, has been hacking things from a young age. An early attempt at hacking around with grandpa’s tractor might have been swiftly quashed by his father, but likely this was not the last such incident. With a more recent interest in cracking encrypted applications, [Kuba] gives us some insights into some of the tools at your disposal for reading out the encrypted secrets of applications that have something worth hiding. (Slides here, PDF.)

There may be all sorts of reasons for such applications to have an encrypted portion, and that’s not really the focus. One such application that [Kuba] describes was a pre-trained machine-learning model written in the R scripting language. If you’re not familiar with R, it is commonly used for ‘data science’ type tasks and has a big fan base. It’s worth checking out. Anyway, the application binary took two command line arguments, one was the encrypted blob of the model, and the second was the path to the test data set for model verification.

The first thing [Kuba] suggests is to disable network access, just in case the application wants to ‘dial home.’ We don’t want that. The application was intended for Linux, so the first port of call was to see what libraries it was linked against using the ldd command. This indicated that it was linked against OpenSSL, so that was a likely candidate for encryption support. Next up, running objdump gave some clues as to the various components of the binary. It was determined that it was doing something with 256-bit AES encryption. Now after applying a little experience (or educated guesswork, if you prefer), the likely scenario is that the binary yanks the key from somewhere within itself, reads the encrypted blob file, and passes this over to libssl. Then the plaintext R script is passed off to the R runtime, the model executes against the test data, and results are collated.

[Kuba]’s first attack method was to grab the OpenSSL source code and drop in some strategic printf() function calls into the target functions. Next, using the LD_PRELOAD ‘trick’ the standard system OpenSSL library was substituted with the ‘fake’ version with the trojan printfs. The result of this was the decryption function gleefully sending the plaintext R script direct to the terminal. No need to even locate the private key!
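The flip side of that trick is that it is easy to spot from the host: the dynamic loader only honours LD_PRELOAD if it is in the process environment (visible in /proc/<pid>/environ) or the library is listed in /etc/ld.so.preload, and an ad-hoc interposer like the one described above has to live somewhere writable, not in the system library directories. The script below is an added example for this post, not [Kuba]’s tooling; it parses both sources, flags preloads outside the trusted directories or an operator-supplied allowlist, and can walk the live /proc on a Linux box. The sample environ blob and ld.so.preload contents are constructed, and the /tmp/fakessl path is an illustrative name, not a real artifact from the talk.

```python
from pathlib import Path

# Constructed samples. /proc/<pid>/environ is NUL-separated KEY=VALUE entries;
# the fake OpenSSL path stands in for a hand-built interposer library.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\0"
    b"LD_PRELOAD=/tmp/fakessl/libssl.so.3\0"
    b"HOME=/home/analyst\0"
)
SAMPLE_LD_SO_PRELOAD = "# system-wide preloads (constructed example)\n/usr/lib/libexpected.so\n"

# Where distribution-managed libraries live; anything preloaded from elsewhere is worth a look.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def preloads_from_environ(environ: bytes) -> list:
    """Return the libraries named in LD_PRELOAD inside a /proc/<pid>/environ blob.

    ld.so accepts either colons or whitespace as separators in LD_PRELOAD, so both are split.
    """
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode("utf-8", "replace")
            return [lib for lib in value.replace(":", " ").split() if lib]
    return []


def preloads_from_ld_so_preload(text: str) -> list:
    """Parse /etc/ld.so.preload: whitespace-separated library names, '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def suspicious_preloads(libs: list, allowlist=()) -> list:
    """Keep preloads that are neither allowlisted nor under a trusted system library directory."""
    return [lib for lib in libs if lib not in allowlist and not lib.startswith(TRUSTED_DIRS)]


def scan_live_processes(allowlist=(), proc: str = "/proc") -> dict:
    """Map pid -> suspicious preloads for every readable process on a Linux host.

    Processes whose environ cannot be read (other users' processes without root) are skipped.
    """
    findings = {}
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            env = (entry / "environ").read_bytes()
        except OSError:
            continue
        bad = suspicious_preloads(preloads_from_environ(env), allowlist)
        if bad:
            findings[int(entry.name)] = bad
    return findings


if __name__ == "__main__":
    print("sample environ:", suspicious_preloads(preloads_from_environ(SAMPLE_ENVIRON)))
    print("sample ld.so.preload:", suspicious_preloads(preloads_from_ld_so_preload(SAMPLE_LD_SO_PRELOAD)))
    try:
        print("live processes:", scan_live_processes())
    except OSError as exc:  # non-Linux hosts have no /proc to walk
        print("live scan unavailable:", exc)
```

Two caveats worth keeping in mind when running the live scan: the loader ignores LD_PRELOAD for setuid/setgid binaries, so those are not covered by the environ check, and a library copied into /usr/lib after the fact passes the directory test, which is why the allowlist, not the directory prefix, should be the final word on a production host.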


Picking A Laser Hack Chat

Join us on Wednesday, February 22 at noon Pacific for the Picking a Laser Hack Chat with Jonathan Schwartz!

You’ve got to admit that it’s a pretty cool world to live in that presents a problem like, “Which laser cutter should I buy?” It wasn’t all that long ago that decisions on laser purchases were strictly in the realm of Big Science, and the decision was driven as much by spending grant money as by the specifics of the application. If you were in need of a laser back then, chances are good you had some deep pockets, or at least access to someone else’s pockets.

Fast forward a couple of decades or so and buying a laser is an entirely different exercise. Lasers have become a commodity, and finding the right one depends entirely on your use cases. Lasers are no longer jealously guarded laboratory instruments, but workhorses on the vanguard of the desktop manufacturing revolution. They engrave, they cut, they melt — in short, they do a LOT of work. And it’s up to you to choose the right laser for the job.

To help us sort all this out and come up with a plan for figuring out the best laser for any use case, we’ve invited Jonathan Schwartz back on the Hack Chat. Jon dropped by back in March of 2021 to share his wealth of laser experience thanks to his laser-cutting business. This time around we’re going to focus — err, concentrate — oops, drill down — oh, whatever! — on the more practical aspects of buying a laser. We’ll talk about laser types, fiber lasers, applications vs. laser specs — anything you can think of. If you have questions about buying a laser, we’ll have answers!

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, February 22 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.