Hackers, Fingerprints, Laptops, And Stickers

January 22, 2022 by Elliot Williams 76 Comments

A discussion ensued about our crazy hacker ways the other night. I jokingly suggested that with as many stickers as we each had on our trusty companion machines, they might literally be as unique as a fingerprint. Cut straight to nerds talking too much math.

First off, you could wonder about the chances of two random hackers having the same sticker on their laptop. Say, for argument’s sake, that globally there are 2,000 stickers per year that are cool enough to put on a laptop. (None of us will see them all.) If a laptop lasts five years, that’s a pool of 10,000 stickers to draw from. If you’ve only got one sticker per laptop, that’s pretty slim odds, even when the laptops are of the same vintage.

Real hackers have 20-50 stickers per laptop — at least in our sample of “real hackers”. Here, the Birthday Paradox kicks in and helps us out. Each additional sticker provides another shot at matching, and an extra shot at being matched. So while you and I are unlikely to have the same birthday, in a room full of 42 people, it’s 90% likely that someone will have their birthday matched. With eight of us in the room, that’s 240 stickers that could match each other. (9999 / 10000) ^ (240 * 210 / 2) = about an eight percent chance of no match, so a better than 90% chance that we’d have at least one matching sticker.

But that doesn’t answer the original question: are our be-stickered laptops unique, like fingerprints or snowflakes? There, you have to match each and every sticker on the laptop — a virtually impossible task, and while there were eight of us in the room, that’s just not enough to get any real juice from the Birthday Paradox. (1/10,000) ^ 30 = something with -120 in the exponent. More than all the atoms in the universe, much less hackers in a room, whether you take things to the eighth power or not.

I hear you mumbling “network effects”. We’ve all gone to the same conferences, and we have similar taste in stickers, and maybe we even trade with each other. Think six degrees of separation type stuff. Indeed, this was true in our room. A few of us had the same stickers because we gave them to each other. We had a lot more matches than you’d expect, even though we were all unique.

So while the math for these network effects is over my head, I think it says something deeper about our trusty boxen, their stickers, and their hackers. Each sticker also comes with a memory, and our collected memories make us unique like our laptops. But matching stickers are also more than pure Birthday Paradoxes, they represent the shared history of friends.

Wear your laptop stickers with pride!

Hackaday Podcast 152: 555 Timer Extravaganza, EMF Chip Glitching 3 Ways, A Magnetic Mechanical Keyboard, And The Best Tricorder Ever

January 21, 2022 by Tom Nardi No comments

Join Hackaday Editor-in-Chief Elliot Williams and Managing Editor Tom Nardi as they bring you up to speed on the best stories and projects from the week. There’s some pretty unfortunate news for the physical media aficionados in the audience, but if you’re particularly keen on 50 year old integrated circuits, you’ll love hearing about the winners of the 555 Timer Contest. We’ll take a look at a singing circuit sculpture powered by the ESP32, extol the virtues of 3D printed switches, follow one hacker’s dream of building the ultimate Star Trek tricorder prop, and try to wrap our heads around how electronic devices can be jolted into submission. Stick around to the end as we take a close look at some extraordinary claims about sniffing out computer viruses, and wrap things up by wondering why everyone is trying to drive so far.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct Download (65 MB)

Continue reading “Hackaday Podcast 152: 555 Timer Extravaganza, EMF Chip Glitching 3 Ways, A Magnetic Mechanical Keyboard, And The Best Tricorder Ever” →

This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back

January 21, 2022 by Jonathan Bennett 2 Comments

Let’s imagine a worst case situation for home routers. It would have to start with a port unintentionally opened to the internet, ideally in a popular brand, like Netgear. For fun, let’s say it’s actually a third-party kernel module, that is in multiple router brands. This module would then need a trivial vulnerability, say an integer overflow on the buffer size for incoming packets. This flaw would mean that the incoming data would write past the end of the buffer, overwriting whatever kernel data is there. So far, this exactly describes the NetUSB flaw, CVE-2021-45608.

Because red teams don’t get their every wish, there is a catch. While the overflow is exceptionally easy to pull off, there isn’t much wiggle room on where the data gets written. There’s no remote code execution Proof of Concept (PoC) yet, and [Max Van Amerongen], who discovered the flaw, says it would be difficult but probably not impossible to pull off. All of this said, it’s a good idea to check your router for open ports, particularly non-standard port numbers. If you have a USB port on your router, check for updates.

Windows HTTP.sys Problem

A serious problem has been announced in Windows Server 2019 and Windows 10, with some versions vulnerable in their default configurations. The problem is in how Windows handles HTTP Trailer packets, which contain extra information at the end of normal HTTP transfers. There is a PoC available that demonstrates a crash. It appears that an additional information leak vulnerability would have to be combined with this one to produce a true exploit. This seems to be a different take on CVE-2021-31166, essentially exploiting the same weakness, and working around the incomplete fix. This issue was fixed in the January patch set for Windows, so make sure you’re covered. Continue reading “This Week In Security: NetUSB, HTTP.sys, And 2013’s CVE Is Back” →

Remoticon 2021 // Debra Ansell Connects PCB In Ways You Didn’t Expect

January 20, 2022 by Elliot Williams 21 Comments

“LEDs improve everything.” Words to live by. Most everything that Debra Ansell of [GeekMomProjects] makes is bright, bold, and blinky. But if you’re looking for a simple string of WS2812s, you’re barking up the wrong tree. In the last few years, Debra has been making larger and more complicated assemblies, and that has meant diving into the mechanical design of modular PCBs. In the process Debra has come up with some great techniques that you’ll be able to use in your own builds, which she shared with us in a presentation during the 2021 Hackaday Remoticon.

She starts off with a quick overview of the state of play in PCB art, specifically of the style that she’s into these days: three dimensional constructions where the physical PCB itself is a sculptural element of the project. She’s crossing that with the popular triangle-style wall hanging sculpture, and her own fascination with “inner glow” — side-illuminated acrylic diffusers. Then she starts taking us down the path of creating her own wall art in detail, and this is where you need to listen up. Continue reading “Remoticon 2021 // Debra Ansell Connects PCB In Ways You Didn’t Expect” →

Congratulations Winners Of The 555 Timer Contest!

January 20, 2022 by Elliot Williams 25 Comments

Sometimes the best inspiration is limitation. The 555 timer does “one thing” — compares a voltage to a couple thresholds and outputs a signal accordingly. It’s two comparators, a voltage ladder, and a flip-flop. And yet, it’s the most sold single chip of all time, celebrating its 50th birthday this year! So when Hackaday runs a 555 Timer Contest, hackers of all stripes come out with their best work to show their love for the Little DIP That Could.

The Winners

Far and away the favorite entry was the Giant 555 Timer by [Rudraksha Vegad]. Every one of our judges rated it in the top five, and it took top honors twice. On its face, this is a simple “giant 555 in a box” build, but have a look under the hood. Each sub-module that makes up the 555 — comparators, flip-flop, and amplifier — are made from salvaged discrete parts in actual breadboard fashion, soldered to brass nails hammered into wood. As an end product, it’s a nice piece of woodworking, but as a process of creation, it’s a masterwork in understanding the 555 at its deepest level. We should all make one!

The Menorah555 is a simple design with some very nice tricks up its sleeve. Perhaps the cutest of which is pulling the central candle out and lighting the others with it — a trick that involves a supercapacitor and reed switches. Each of the candle lighting circuits, however, use a 555 timer both for its intended purpose of providing a timed power-on reset pulse, and another 555 is used as a simple flip-flop. It’s a slick design, and a great user interaction.

The Cyclotone Mechanical Punk Console Sequencer is a rotating tower of circuit sculpture and noisemakers. This one looks great, is amazingly well documented in the video series, and uses a billion clever little tricks along the way. The 555’s role? Each of the four levels is the classic Atari Punk Console circuit.

All three of these projects win a $150 shopping spree at Digi-Key. That’s a lot of timers!

Continue reading “Congratulations Winners Of The 555 Timer Contest!” →

Identifying Malware By Sniffing Its EM Signature

January 19, 2022 by Tom Nardi 17 Comments

The phrase “extraordinary claims require extraordinary evidence” is most often attributed to Carl Sagan, specifically from his television series Cosmos. Sagan was probably not the first person to put forward such a hypothesis, and the show certainly didn’t claim he was. But that’s the power of TV for you; the term has since come to be known as the “Sagan Standard” and is a handy aphorism that nicely encapsulates the importance of skepticism and critical thinking when dealing with unproven theories.

It also happens to be the first phrase that came to mind when we heard about Obfuscation Revealed: Leveraging Electromagnetic Signals for Obfuscated Malware Classification, a paper presented during the 2021 Annual Computer Security Applications Conference (ACSAC). As described in the mainstream press, the paper detailed a method by which researchers were able to detect viruses and malware running on an Internet of Things (IoT) device simply by listening to the electromagnetic waves being emanated from it. One needed only to pass a probe over a troubled gadget, and the technique could identify what ailed it with near 100% accuracy.

Those certainly sound like extraordinary claims to us. But what about the evidence? Well, it turns out that digging a bit deeper into the story uncovered plenty of it. Not only has the paper been made available for free thanks to the sponsors of the ACSAC, but the team behind it has released all of code and documentation necessary to recreate their findings on GitHub.

Unfortunately we seem to have temporarily misplaced the $10,000 1 GHz Picoscope 6407 USB oscilloscope that their software is written to support, so we’re unable to recreate the experiment in full. If you happen to come across it, please drop us a line. But in the meantime we can still walk through the process and try to separate fact from fiction in classic Sagan style.

Continue reading “Identifying Malware By Sniffing Its EM Signature” →

Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Keebin’ With Kristina: The One With The Tri-lingual Typewriter

January 18, 2022 by Kristina Panos 5 Comments

Isn’t it just fantastic when a project finally does what you wanted it to do in the first place? [Simon Merrett] isn’t willing to compromise when it comes to the Aerodox. His original vision for the keyboard was a wireless, ergonomic split that could easily switch between a couple of PCs. Whereas some people are more into making layout after layout, [Simon] keeps pushing forward with this same design, which is sort of a mashup between the ErgoDox and the Redox, which is itself a wireless version of the ErgoDox.

The Aerodox has three nRF51822 modules — one for the halves to communicate, one for the control half to send key presses, and a third on the receiver side. [Simon] was using two AA cells to power each one, and was having trouble with the range back to the PC.

The NRFs want 3.3 V, but will allegedly settle for 2 V when times are hard. [Simon] added a boost converter to give each a solid 3.3 V, and the Aerodox became reliable enough to be [Simon]’s daily driver. But let’s go back to the as-yet-unrealized potential part.

Continue reading “Keebin’ With Kristina: The One With The Tri-lingual Typewriter” →