
Hackaday Links: March 27, 2022

Remember that time back in 2021 when a huge container ship blocked the Suez Canal and disrupted world shipping for a week? Well, something a little like that is playing out again, this time in the Chesapeake Bay outside of the Port of Baltimore, where the MV Ever Forward ran aground over a week ago as it was headed out to sea. Luckily, the mammoth container ship isn’t in quite as narrow a space as her canal-occluding sister ship Ever Given was last year, so traffic isn’t nearly as impacted. But the recovery operation is causing a stir, and refloating a ship that was drawing 13 meters when it strayed from the shipping channel into a muddy-bottomed area that’s only about 6 meters deep is going to be quite a feat of marine engineering. Merchant Marine YouTuber Chief MAKOi has a good rundown of what’s going on, and what will be required to get the ship moving again.

With the pace of deep-space exploration increasing dramatically of late, and with a full slate of missions planned for the future, it was good news to hear that NASA added another antenna to its Deep Space Network. The huge dish antenna, dubbed DSS-53, is the fourteenth dish in the DSN network, which spans three sites: Goldstone in California; outside of Canberra in Australia; and in Madrid, where the new dish was installed. The 34-meter dish will add 8% more capacity to the network; that may not sound like much, but with the DSN currently supporting 40 missions and with close to that number of missions planned, every little bit counts. We find the DSN fascinating, enough so that we did an article on the system a few years ago. We also love the insider’s scoop on DSN operations that @Richard Stephenson, one of the Canberra operators, provides.

Does anybody know what’s up with Benchy? We got a tip the other day that the trusty benchmarking tugboat model has gone missing from several sites. It sure looks like Sketchfab and Thingiverse have deleted their Benchy files, while other sites still seem to allow access. We poked around a bit but couldn’t get a clear picture of what’s going on, if anything. If anyone has information, let us know in the comments. We sure hope this isn’t some kind of intellectual property thing, where you’re going to have to cough up money to print a Benchy.

Speaking of IP protections, if you’ve ever wondered how far a company will go to enforce its position, look no further than Andrew Zonenberg’s “teardown” of an anti-counterfeiting label that Hewlett Packard uses on their ink cartridges. There’s a dizzying array of technologies embedded inside what appears to be a simple label. In addition to the standard stuff, like the little cuts that make it difficult to peel a tag off one item and place it on another — commonly used to thwart “price swapping” retail thefts — there’s an almost holographic area of the label. Zooming in with a microscope, the color-shifting image appears to be made from tiny hexagonal cells that almost look like the pixels in an e-ink display. Zooming in even further, the pixels offer an even bigger (smaller) surprise. Take a look, and marvel at the effort involved in making sure you pay top dollar for printer ink.

And finally, we got a tip a couple of weeks ago on a video about jerry cans. If that sounds boring, stop reading right now — this one won’t reach you. But if you’re even marginally interested in engineering design and military history, make sure you watch this video. What is now known to the US military as “Can, Gasoline, Military 5-Gallon (S/S by MIL-C-53109)” and colloquially known as the NATO jerry can, started life as the Wehrmacht-Einheitskanister, a 20-liter jug whose design addresses a long list of specifications, from the amount of liquid it could contain to how the cans would be carried. The original could serve as a master class in good design, and some of the jugs that were built in the 1940s are still in service and actively sought by collectors of militaria. Cheap knockoffs are out there, of course, but after watching this video, we’ve developed a taste for jerry cans that only the original will sate.

Inspiring Hacks, Unfinished Hacks

We got a tip this week, and the tipster’s comments were along the lines of “this doesn’t look like it’s a finished work yet, but I think it’s pretty cool anyway”. And that was exactly right. The work in question is basically attaching a simple webcam to a CNC router and then having at it with OpenCV, and [vector76]’s application was cutting out freeform hand-drawn curves from wood. To amuse his daughter.

But there’s no apology necessary for presenting a work in progress. Unfinished hacks are awesome! They leave room for further improvement and interpretation. They are like an unfinished story, inviting the hacker to dream up their own end. At least that’s how this one worked on me.

My mind went racing — adding smart and extensible computer vision to a CNC router enables not only line tracing, but maybe smarter edge finding, broken tool detection, and who knows what else. With the software end so flexible these days, and the additional hardware demands so minimal, it’s an invitation. It’s like Pavlov ringing that bell, and I’m the dog-hacker. Or something.

So remember this when you get half done with a project, get to a workable first-stage demo, but you haven’t chased down each and every possibility. Leaving something up to other hackers’ imagination can be just as powerful. Your proof of concept doesn’t have to be the mother of all demos — sometimes just a working mouse will suffice.

Hackaday Podcast 161: Laser Lithography, Centurion Hard Drive, And Mad BGA Soldering

Join Hackaday Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney for an audio tour of the week’s top stories and best hacks. We’ll look at squeezing the most out of a coin cell, taking the first steps towards DIY MEMS fabrication, and seeing if there’s any chance that an 80’s-vintage minicomputer might ride again. How small is too small when it comes to chip packages? We’ll find out, and discover the new spectator sport of microsoldering while we’re at it. Find out what’s involved in getting a real dead-tree book published, and watch a hacker take revenge on a proprietary memory format — and a continuous glucose monitor, too.

Or Direct Download, like you’ve got something to prove!

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


This Week In Security: Browser In The Browser, Mass Typo-squatting, And /dev/random Upgrades

For every very clever security protocol that keeps people safe, there’s a stupid hack that defeats it in an unexpected way. Take OAuth for instance. It’s the technology that sites are using when they offer to “log in with Facebook”. It’s a great protocol, because it lets you prove your identity using a trusted third party. You don’t have to use a password at whatever site you’re trying to use; you just have to be logged in to your Google/Facebook/Apple account, and click the button to allow access. If you’re not logged in, the pop-up window prompts for your username and password, which of course is one way phishing attacks try to steal passwords. So we tell people to look at the URL, and make sure they are actually signing in to the proper site.


The stupid hack that isn’t stupid, because it works: Recreating the browser window in HTML/CSS. Yep, it’s pretty straightforward to add a div to your site, and decorate it to look just like a browser window, just like an OAuth pop-up. In the appropriate place goes an iframe pointing to the actual phishing form. It looks convincing, but once you’re aware of the game, there’s a dead giveaway — try to move the OAuth window outside the browser window that spawned it. Websites can’t draw outside the browser window or over its window decorations, so this limitation makes it easy to confirm whether this hack is in play. The other saving grace is that a password manager isn’t fooled by this trick at all.

Via: Ars Technica

Typo-squatting At Scale

There’s a typo-squatting campaign going on at NPM, primarily targeted at Azure users. NPM has a packaging feature called “scoped packages”. A scope starts with the at sign, and indicates packages intentionally grouped together. In this case the scope is @azure, including packages like @azure/core-tracing, with over 1.5 million weekly downloads. The typo? Just drop the scope. NPM considers it completely acceptable to have both the @azure/core-tracing and core-tracing packages — in fact, it’s a feature of the scoping system. But forget to include the scope, and you may get a malicious package instead. Over 200 packages were targeted in this way, but have since been pulled by NPM.

The payload was strictly reconnaissance, grabbing directory listings, IP addresses, and the like. It’s likely that the information would be used to craft more malicious future updates, though no such behavior has been observed. This is likely due to how rapidly these packages were caught and removed — after only about two days. The domain used for data collection is 425a2.rt11.ml, so that string showing up in a DNS log somewhere is an indicator that one of these packages was installed.
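Two checks a defender can run against the campaign described above, as an added example (not code from the article, npm, or the researchers): a scan of a package.json for dependencies whose bare name collides with a known scoped package, and a scan of DNS log lines for the collection domain. The known-package list, the package.json fragment, and the log lines are constructed samples.

```javascript
// Known scoped packages to compare against (constructed sample list; in
// practice this would be the full set of scopes your project depends on).
const KNOWN_SCOPED = [
  '@azure/core-tracing',
  '@azure/identity',
  '@azure/storage-blob',
];

// Constructed package.json fragment: one correctly scoped dependency and
// one that dropped the scope, which is exactly the typo the campaign relied on.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    '@azure/identity': '^2.0.0',
    'core-tracing': '1.0.0',
    'express': '^4.17.1',
  },
};

// Return dependencies that look like scope-dropped versions of packages in
// knownScoped. A hit is a review item, not proof of malice: an unscoped name
// can legitimately coexist with a scoped one, which is what npm allows.
function findScopeDropped(pkg, knownScoped = KNOWN_SCOPED) {
  const byBare = new Map();
  for (const full of knownScoped) {
    byBare.set(full.split('/')[1], full);
  }
  const hits = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  for (const section of sections) {
    for (const name of Object.keys(pkg[section] || {})) {
      if (name.startsWith('@')) continue; // scoped: not the pattern we look for
      if (byBare.has(name)) hits.push({ section, name, expected: byBare.get(name) });
    }
  }
  return hits;
}

// Indicator from the article: the domain the packages reported to.
const IOC_DOMAIN = '425a2.rt11.ml';

// Constructed dnsmasq-style log lines to scan.
const SAMPLE_DNS_LOG = [
  'Mar 22 10:01:02 dnsmasq[512]: query[A] registry.npmjs.org from 10.0.0.5',
  'Mar 22 10:01:09 dnsmasq[512]: query[A] 425a2.rt11.ml from 10.0.0.7',
  'Mar 22 10:01:10 dnsmasq[512]: query[AAAA] example.com from 10.0.0.5',
];

// Return the lines that queried the indicator domain or a subdomain of it.
// The domain is escaped and anchored so that e.g. "notrt11.ml" does not match.
function findIocQueries(lines, domain = IOC_DOMAIN) {
  const escaped = domain.replace(/\./g, '\\.');
  const re = new RegExp(`(?:^|[\\s.])${escaped}(?=\\s|$)`);
  return lines.filter((line) => re.test(line));
}
```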

Lapsus$ Strikes Again, Again

The loose collection of hackers known as Lapsus$ have potentially scored breaches at both Microsoft and Okta. KrebsonSecurity has a bit more information about the group and the Microsoft case. The group seems to be doing some of their coordination over a Telegram channel, which is open for anyone to join. The group boasted of their exploits on this channel, and Microsoft responders found and cut their access during the data exfiltration. A 10 GB file has been released containing partial source to Bing search, Bing Maps, and Cortana.

The Okta situation is even murkier, as the released screenshots indicate access back in late January. The access seems to have been limited to an administrative portal, via a Support Engineer’s account. Okta has gone out of their way to assure everyone that there was no actual breach, and the rogue access was quickly dealt with. This seems to be a bit disingenuous, as Lapsus$ was after companies making use of Okta services, and didn’t need to compromise their systems any further. Okta provides access management for other companies, like Cloudflare. There’s likely been some quiet infiltration happening in the months since this happened.

Linux Gets More Random

[Jason Donenfeld], kernel hacker and main developer of WireGuard, has worked recently on the Linux random number generator. A few changes landed in release 5.17, and more are coming in 5.18. He was kind enough to write up some of the interesting changes for our education. He considers his most important contribution to be documentation. I can confirm, among the most frustrating problems a programmer can face is when the documentation has bit-rotted to uselessness.

One of the biggest user-facing changes was the attempt to unify /dev/random and /dev/urandom. We say attempt, because this change caused multiple failures to boot on the kernel’s test setup. Apparently some architectures, specifically when being virtualized, have no method of generating high quality randomness during boot. The next killer feature is the new add_vmfork_randomness() call, that allows a newly cloned virtual machine to request a regeneration of its randomness pool. Without a call like this, the first few random numbers generated by the kernel after a VM fork would be identical — obviously a problem.

Internally, the randomness code retires the venerable SHA-1 algorithm, replacing it with the more modern BLAKE2 hash function. An interesting advantage is that BLAKE2 is intentionally a very fast algorithm, so the kernel gains a bit of performance when generating random numbers. The rest of the changes delve into more complicated cryptography considerations. Definitely worth reading if you’re interested.

Western Digital NAS RCE

We’ve covered plenty of vulnerabilities and attacks in NAS boxes from QNAP and Synology, but this week it’s Western Digital getting in on the action. Thankfully it’s research from NCC Group, demonstrated at Pwn2Own 2021, and fixed in a January update. This Remote Code Execution (RCE) vulnerability is in how the NAS handles the Apple Filing Protocol (AFP), and was actually a problem in the Netatalk project. AFP supports storing file metadata as a separate file, for the sake of compatibility. These files are in the AppleDouble format, and take the name of their parent file, prepended with a ._. The kicker is that these files can also be accessed using the Windows SMB protocol, allowing direct manipulation of the metadata file. The function that parses the metadata file does indeed detect a malformed data structure, and logs an error to that effect, but fails to fail — it goes ahead and processes the bad data.

This continue-on-error is the central flaw, but actually building an exploit required a data leak to defeat the address space layout randomization in place on the device. A simpler first step was to write memory locations into the AppleDouble file, and use SMB access to read it. With the leaked address in hand, the full exploit was easy. This would be bad enough, but these devices ship with a “Public” share world-accessible over SMB and AFP. This configuration makes it a pre-auth RCE. And this demonstrates the purpose of Pwn2Own — it was discovered, made the researchers a bit of money, and was fixed before the details were made public.
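The fix for a “fails to fail” parser is to reject the file outright. As an added example (not Netatalk’s code and not from the NCC Group write-up), here is a strict AppleDouble header parser that throws on any inconsistency instead of logging and continuing. It relies on the documented AppleDouble v2 layout (big-endian magic 0x00051607, version 0x00020000, 16 filler bytes, a 16-bit entry count, then 12-byte entries of id/offset/length); the sample files are constructed in the block.

```javascript
const AD_MAGIC = 0x00051607;
const AD_VERSION = 0x00020000;
const HEADER_LEN = 26;   // magic(4) + version(4) + filler(16) + count(2)
const ENTRY_LEN = 12;    // id(4) + offset(4) + length(4)
const MAX_ENTRIES = 16;  // sanity bound; real files carry a handful

// Parse the header and entry table. Every check is fatal: a malformed
// table must never reach the code that uses the entries.
function parseAppleDouble(buf) {
  if (buf.length < HEADER_LEN) throw new Error('truncated header');
  if (buf.readUInt32BE(0) !== AD_MAGIC) throw new Error('bad magic');
  if (buf.readUInt32BE(4) !== AD_VERSION) throw new Error('unsupported version');
  const count = buf.readUInt16BE(24);
  if (count > MAX_ENTRIES) throw new Error('too many entries');
  const tableEnd = HEADER_LEN + count * ENTRY_LEN;
  if (buf.length < tableEnd) throw new Error('truncated entry table');
  const entries = [];
  for (let i = 0; i < count; i++) {
    const base = HEADER_LEN + i * ENTRY_LEN;
    const id = buf.readUInt32BE(base);
    const offset = buf.readUInt32BE(base + 4);
    const length = buf.readUInt32BE(base + 8);
    if (id === 0) throw new Error(`entry ${i}: invalid id 0`);
    // JS numbers are doubles, so offset + length cannot wrap like a uint32.
    if (offset < tableEnd || offset + length > buf.length) {
      throw new Error(`entry ${i}: range ${offset}+${length} outside file of ${buf.length}`);
    }
    entries.push({ id, data: buf.subarray(offset, offset + length) });
  }
  return entries;
}

// Build a minimal AppleDouble file from [{id, data}] (used for constructed samples).
function buildAppleDouble(entries) {
  const tableEnd = HEADER_LEN + entries.length * ENTRY_LEN;
  const total = tableEnd + entries.reduce((n, e) => n + e.data.length, 0);
  const buf = Buffer.alloc(total);
  buf.writeUInt32BE(AD_MAGIC, 0);
  buf.writeUInt32BE(AD_VERSION, 4);
  buf.writeUInt16BE(entries.length, 24);
  let cursor = tableEnd;
  entries.forEach((e, i) => {
    const base = HEADER_LEN + i * ENTRY_LEN;
    buf.writeUInt32BE(e.id, base);
    buf.writeUInt32BE(cursor, base + 4);
    buf.writeUInt32BE(e.data.length, base + 8);
    e.data.copy(buf, cursor);
    cursor += e.data.length;
  });
  return buf;
}

// Constructed samples: a well-formed file with one Finder Info entry (id 9),
// and the same bytes with the entry's length inflated past the end of the file.
const GOOD = buildAppleDouble([{ id: 9, data: Buffer.alloc(32, 0xaa) }]);
const BAD = Buffer.from(GOOD);
BAD.writeUInt32BE(0xffffffff, HEADER_LEN + 8); // length field of entry 0

// True only if the parser refused the buffer.
function rejects(buf) {
  try { parseAppleDouble(buf); return false; } catch (e) { return true; }
}
```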

REMOTICON 2021 // Jay Doscher Proves Tinkercad Isn’t Just For Kids

We invited [Jay Doscher] to give us a view into his process designing 3D printed parts for the impressive array of cyberdecks we’ve covered since 2019.

[Jay] got his start as a maker through woodworking in high school, getting satisfaction from bringing something from idea to reality. After a more recent class in blacksmithing and ax-making showed him what he could do when really focused, his hardware hacking really took off and his line of cyberdecks and other portable computers was born.

If you’ve heard of Tinkercad, you probably think it’s just for kids. While designed as an educational tool, [Jay] found that Autodesk’s younger sibling to the professionally powered (and priced) Fusion 360 had everything needed for making cyberdecks. If you’re willing to work around a few limitations, at the low-low price of free, Tinkercad might be right for you too.

What limitations? To start, Tinkercad is only available in a browser and online. There’s also no guarantee that it will remain free, but [Jay] notes that with its educational focus that is likely to remain the case. There is no library of common components to import while modeling. And, when your model is complete the options for exporting are limited to 2D SVGs and 3D STL, OBJ, and gaming-focused GLB formats. [Jay] has converted those to other formats for laser cutting and the STEP file a machine shop is expecting, but admits that it’s something that adds complexity and is an annoyance.


In the talk, [Jay] discusses moving from his initial “cringy” explorations with Tinkercad, to his first cyberdeck, a little history on that term, and the evolution of his craft. It’s mostly a hands-on demo of how to work with Tinkercad, full of tips and tricks for the software itself and implications for 3D printing yourself, assembly, and machining by others.

While quite limited, Tinkercad still allows for boolean operations to join two volumes or the subtraction of one from another. [Jay] does a wonderful job of unpeeling the layers of operations, showing how combinations of “solids” and “holes” generated a complex assembly with pockets, stepped holes for fasteners, and multiple aligned parts for his next cyberdeck. Even if you already have a favorite CAD tool, another approach could expand your mind just like writing software in Strange Programming Languages can.


Two-Dimensional Polymer Is A New Ultra-Strong Material

Plastics, by and large, are well-understood materials. Not as strong as most metals, but often much lighter, these man-made polymers have found innumerable applications that have revolutionized the way we live. The properties of plastics have been improved in many ways over the years, with composite materials like fiberglass and carbon fiber proving to have strength and lightness far beyond the simple properties of basic polymers alone.

However, a group of engineers at MIT have been working on a revolutionary type of polymer that promises greater strength than ever before while remaining remarkably lightweight. It’s all down to the material’s two-dimensional molecular structure, something once thought to be prohibitively difficult in the world of polymer science.


Hackaday Links: March 20, 2022

Well, that de-escalated quickly! It was less than a week ago that the city of Shenzhen, China was put on lockdown due to a resurgence of COVID-19 in the world’s electronics manufacturing epicenter. This obviously caused no small amount of alarm up and down the electronics supply chain, promising to once again upset manufacturers seeking everything from PCBs to components to complete electronic assemblies. But just a few days later, the Chinese government announced that the Shenzhen lockdown was over. At least partially, that is — factories and public transportation have been reopened in five of the city’s districts, with iPhone maker Foxconn, one of the bigger players in Shenzhen, given the green light to partially reopen. What does this mean for hobbyists’ ability to get cheap PCBs made quickly? That’s hard to say, at least at this point. Please feel free to share your experiences with any supply chain disruptions in the comments below.

Better news from a million miles away, as NASA announced that the James Webb Space Telescope finished the first part of its complex mirror alignment procedure. The process, which uses the complex actuators built into each of the 18 hexagonal mirror segments, slightly moves each mirror to align them all into one virtual optical surface. The result is not only the stunning “selfie” images we’ve been seeing, but also a beautiful picture of the star Webb has been focusing on as a target. The video below explains the process in some detail, along with sharing that the next step is to move the mirrors in and out, or “piston” them, so that the 18 separate wavefronts all align to send light to the instruments in perfect phase. Talk about precision!

Is a bog-standard Raspberry Pi just not tough enough for your application? Do you need to run DOOM on a platform that can take a few g of vibration and still keep working? Sick of your Pi-based weather station breaking down when it gets a little wet or too hot? Then you’ll want to take a look at the DuraCOR Pi, a ruggedized chassis containing a Pi CM4 that’s built for extreme environments. The machine is in a tiny IP67-rated case and built to MIL-STD specs with regard to vibration, temperature, humidity, and EMI conditions. This doesn’t really seem like something aimed at the hobbyist market — it’s marketed by Curtiss-Wright Defense Solutions, a defense contractor that traces its roots all the way back to a couple of bicycle mechanics from Ohio who learned how to fly. So this Pi is probably more like something you’d spec if you were building a UAV or something like that. Still, it’s cool to know such things are out there.

BrainLubeOnline has a fun collection of X-rays. With the exception of a mouse — the other kind — everything is either electronic or mechanical, which makes for really interesting pictures. Seeing the teeth on a gear or the threads on a screw, and seeing right through the object, shows the mechanical world in a whole new light — literally.

And finally, would you buy a car that prevents you from opening the hood? Most of us probably wouldn’t, but then again, most of us probably wouldn’t buy a Mercedes EQS 580 electric sedan. Sarah from Sarah -n- Tuned on YouTube somehow got a hold of one of these babies, which she aptly describes as a “German spaceship,” and took it for a test drive, including a “full beans” acceleration test. Just after that neck-snapping ride, at about the 7:20 mark in the video below, she asks the car’s built-in assistant to open the hood, a request the car refused by saying, “The hood may only be opened by a specialist workshop.” Sarah managed to get it open anyway, and it’s not a frunk — it’s home to one of the two motors that power the car, along with all kinds of other goodies.