Hackaday Columns

4662 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

This Week In Security: IoT In The Hot Tub, App Double Fail, And FreeBSD BadBeacon

June 24, 2022 by 3 Comments

[Eaton Zveare] purchased a Jacuzzi hot tub, and splurged for the SmartTub add-on, which connects the whirlpool to the internet so you can control temperature, lights, etc from afar. He didn’t realize he was about to discover a nightmare of security problems. Because as we all know, in IoT, the S stands for security. In this case, the registration email came from smarttub.io, so it was natural to pull up that URL in a web browser to see what was there. The page presented a login prompt, so [Eaton] punched in the credentials he had just generated. “Unauthorized” Well that’s not surprising, but what was very odd was the flash of a dashboard that appeared just before the authorization complaint. Could that have been real data that was unintentionally sent? A screen recorder answered that question, revealing that there was indeed a table loaded up with valid-looking data.

Digging around in the page’s JavaScript comes up with the login flow. The page uses the Auth0 service to handle logins, and that service sends back an access token. The page sends that access token right back to the Auth0 service to get user privileges. If the logged in user isn’t an admin, the redirect happens. However, we already know that some real data gets loaded. It appears that the limitations to data is all implemented on the client side, and the backend only requires a valid access token for data requests. What would happen if the response from Auth0 were modified? There are a few approaches to accomplish this, but he opted to use Fiddler. Rewrite the response so the front-end believes you’re an admin, and you’re in.

This approach seems to gain admin access to all of the SmartTub admin controls, though [Eaton] didn’t try actually making changes to see if he had write access, too. This was enough to demonstrate the flaw, and making changes would be flirting with that dangerous line that separates research from computer crime. The real problem started when he tried to disclose the vulnerability. SmartTub didn’t have a security contact, but an email to their support email address did elicit a reply asking for details. And after details were supplied, complete radio silence. Exasperated, he finally turned to Auth0, asking them to intervene. Their solution was to pull the plug on one of the two URL endpoints. Finally, after six months of trying to inform Jacuzzi and SmartTub of their severe security issues, both admin portals were secured.

Continue reading “This Week In Security: IoT In The Hot Tub, App Double Fail, And FreeBSD BadBeacon”

Sea Level Rise From Melting Ice Sheets Could Soon Be Locked In

June 23, 2022 by 124 Comments

Where today we talk broadly of climate change and it’s various effects, the conversation was once simpler. We called it “global warming” and fretted about cooking outside in the summer and the sea level rise that would claim so many of our favorite cities.

Scientists are now concerned that sea level rises could be locked in, as ice sheets and glaciers pass “tipping points” beyond which their loss cannot be stopped. Research is ongoing to determine how best we can avoid these points of no return.

Continue reading “Sea Level Rise From Melting Ice Sheets Could Soon Be Locked In”

Linux Fu: Roll With The Checksums

June 22, 2022 by 14 Comments

We are often struck by how often we spend time trying to optimize something when we would be better off just picking a better algorithm. There is the old story about the mathematician Gauss who, when in school, was given busy work to add the integers from 1 to 100. While the other students laboriously added each number, Gauss realized that 100+1 is 101 and 99 + 2 is also 101. Guess what 98 + 3 is? Of course, 101. So you can easily find that there are 50 pairs that add up to 101 and know the answer is 5,050. No matter how fast you can add, you aren’t likely to beat someone who knows that algorithm. So here’s a question: You have a large body of text and you want to search for it. What’s the best way?

Continue reading “Linux Fu: Roll With The Checksums”

Linux Fu: Docking Made Easy

June 21, 2022 by 20 Comments

Most computer operating systems suffer from some version of “DLL hell” — a decidedly Windows term, but the concept applies across the board. Consider doing embedded development which usually takes a few specialized tools. You write your embedded system code, ship it off, and forget about it for a few years. Then, the end-user wants a change. Too bad the compiler you used requires some library that has changed so it no longer works. Oh, and the device programmer needs an older version of the USB library. The Python build tools use Python 2 but your system has moved on. If the tools you need aren’t on the computer anymore, you may have trouble finding the install media and getting it to work. Worse still if you don’t even have the right kind of computer for it anymore.

One way to address this is to encapsulate all of your development projects in a virtual machine. Then you can save the virtual machine and it includes an operating system, all the right libraries, and basically is a snapshot of how the project was that you can reconstitute at any time and on nearly any computer.

In theory, that’s great, but it is a lot of work and a lot of storage. You need to install an operating system and all the tools. Sure, you can get an appliance image, but if you work on many projects, you will have a bunch of copies of the very same thing cluttering things up. You’ll also need to keep all those copies up-to-date if you need to update things which — granted — is sort of what you are probably trying to avoid, but sometimes you must.

Docker is a bit lighter weight than a virtual machine. You still run your system’s normal kernel, but essentially you can have a virtual environment running in an instant on top of that kernel. What’s more, Docker only stores the differences between things. So if you have ten copies of an operating system, you’ll only store it once plus small differences for each instance.

The downside is that it is a bit tough to configure. You need to map storage and set up networking, among other things. I recently ran into a project called Dock that tries to make the common cases easier so you can quickly just spin up a docker instance to do some work without any real configuration. I made a few minor changes to it and forked the project, but, for now, the origin has synced up with my fork so you can stick with the original link.

Continue reading “Linux Fu: Docking Made Easy”

Automate The Freight: The Convenience Store That Comes To Your Door

June 20, 2022 by 45 Comments

For as popular as they became during the COVID-19 lockdowns, grocery delivery services like InstaCart rely on a basic assumption to work: that customers know exactly what they want when they order. Once that hurdle is overcome, the transaction is simple — the driver accepts the job, drives to the store to pick up the order, and takes it to the customer. It requires the use of a fair amount of technology to coordinate everything, but by and large it works, and customers are generally willing to pay for the convenience.

But what if you could cut out that step where the driver goes to pick up your order? What if instead of paying someone to pick and pack your order and bring it to your front step, you just ordered up the whole store instead? That’s the idea behind Robomart, which seeks to deploy a fleet of mobile stores for when the convenience store isn’t quite convenient enough.  And the way the company is choosing to roll out its service, not to mention the business model itself, may hold key lessons for other delivery automation platforms.

Continue reading “Automate The Freight: The Convenience Store That Comes To Your Door”

Hackaday Links Column Banner

Hackaday Links: June 19, 2022

June 19, 2022 by 11 Comments

The James Webb Space Telescope has had a long and sometimes painful journey from its earliest conception to its ultimate arrival at Lagrange point L2 and subsequent commissioning. Except for the buttery-smooth launch and deployment sequence, things rarely went well for the telescope, which suffered just about every imaginable bureaucratic, scientific, and engineering indignity during its development. But now it’s time to see what this thing can do — almost. NASA has announced that July 12 will be “Image Release Day,” which will serve as Webb’s public debut. The relative radio silence from NASA on Webb since the mirror alignment was completed — apart from the recent micrometeoroid collision, of course — suggests the space agency has been busy with “first light” projects. So there’s good reason to hope that the first released images from Webb will be pretty spectacular. The images will drop at 10:30 AM EDT, so mark your calendars and prepare to be wowed. Hopefully.

Continue reading “Hackaday Links: June 19, 2022”

Hackaday Podcast 173: EMF Camp Special Edition

June 17, 2022 by No comments

With Editor-in-Chief Elliot Williams enjoying some time off, Managing Editor Tom Nardi is flying solo for this special edition of the Hackaday Podcast. Thanks to our roving reporter Jenny List, we’ll be treated to several interviews conducted live from EMF Camp — a European outdoor hacker camp the likes of which those of us in the United States can only dream of. After this special segment, Hackaday contributors Al Williams and Ryan Flowers will stop by to talk about their favorite stories from the week during what may be the longest Quick Hacks on record. There’s a few extra surprises hidden in this week’s program…but if we told you everything, it would ruin the surprise. Listen closely, you never know what (or who) you might hear.

Direct Download link

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 173: EMF Camp Special Edition”