Retrotechtacular: This 15th-Century Siege Cannon Might Kill You Instead Of The Target

For a happy weekend away in early September, I joined a few of my continental friends for the NewLine event organised by Hackerspace Gent in Belgium. You may have seen some of the resulting write-ups here, and for me the trip is as memorable for the relaxing weekend break it gave me in a mediaeval city as it is for the content of the talks and demonstrations. We took full advantage of the warm weather to have some meals out on café terraces, and it was on the way to one of them that my interest was captured by something unexpected. There at the end of the street was a cannon, not the normal-size cannon you’ll see tastefully arranged around historical military sites the world over, but a truly massive weapon. I had stumbled upon Dulle Griet, one of very few surviving super-sized 15th century siege cannons. It even had a familiar feel to it, being a sister to the very similar Mons Meg at Edinburgh Castle in Scotland.

Continue reading “Retrotechtacular: This 15th-Century Siege Cannon Might Kill You Instead Of The Target”

Hackaday Podcast 141: LowFER Badges, Outrun Clocks, Dichroic Lamps, And Piano Action

Hackaday editors Mike and Elliot Williams catch up on a week’s worth of hacks. It turns out there are several strange radio bands that don’t require a license, and we discuss this weekend’s broadcast where you can listen in. It’s unlikely you’ve ever seen the website check-box abused quite like this: it’s the display for playing Doom! Just when you thought you’d seen all the ESP32’s tricks it gets turned into a clock styled after Out Run. Mike geeks out over how pianos work, we’re both excited to have Jeremy Fielding giving a Keynote talk at Remoticon, and we wrap things up with a chat about traffic rules in space.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (50 MB)

Continue reading “Hackaday Podcast 141: LowFER Badges, Outrun Clocks, Dichroic Lamps, And Piano Action”

This Week In Security: Argentina, MysterySnail, And L0phtcrack

The government of Argentina has a national ID card system, and as a result maintains a database containing data on every citizen in the country. What could possibly go wrong? Predictably, an attacker has managed to gain access to the database, and is offering the entire dataset for sale. The Argentinian government has claimed that this wasn’t a mass breach, and only a handful of credentials were accessed. This seems to be incorrect, as the seller was able to provide the details of an arbitrary citizen to the journalists investigating the story.

Patch Tuesday

Microsoft has released their monthly round of patches for October, and there are a couple of doozies. CVE-2021-40486 is an RCE in Microsoft Word, and this flaw can be triggered via the preview pane. CVE-2021-38672 and CVE-2021-40461 are both RCE vulnerabilities in Hyper-V. And finally, CVE-2021-40449 is a privilege escalation actively being used in the wild, more on that in a moment. Oh, and you thought the Print Nightmare was over? CVE-2021-36970 is yet another print spooler vulnerability. The unfortunate thing about the list of Microsoft vulnerabilities is that there is hardly any information available about them.

On the other hand, Apple just patched CVE-2021-30883, a 0-day that’s being actively exploited in iOS. With the release of the fix, [Saar Amar] has put together a very nice explanation of the bug with PoC. It’s a simple integer overflow when allocating a buffer, leading to an arbitrary memory write. This one is particularly nasty, because it’s not gated behind any permissions, and can be triggered from within app sandboxes. It’s being used in the wild already, so go update your iOS devices now.
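The bug class described above, an integer overflow in a buffer-size computation, is worth seeing in the abstract. The following is an added illustration written for this column, not [Saar Amar]'s PoC and not the CVE-2021-30883 code: a hypothetical `HEADER_SIZE + count * elem_size` calculation in its wrapping form beside an overflow-checked form, with the constructed inputs that make the first one wrap to a tiny allocation.

```c
/* Added example: generic integer-overflow-in-allocation pattern and its fix.
 * All names and the HEADER_SIZE value are hypothetical, not from any real bug. */
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

#define HEADER_SIZE 16u  /* constructed value */

/* Vulnerable pattern: count * elem_size + HEADER_SIZE is computed modulo
 * 2^(bits of size_t), so a large count wraps to a small size. The caller
 * then allocates that small buffer and writes `count` elements into it. */
size_t unsafe_buffer_size(size_t count, size_t elem_size) {
    return count * elem_size + HEADER_SIZE;
}

/* Hardened: refuse any count/elem_size whose product or sum would wrap.
 * Returns 0 on overflow (never a valid size here, since HEADER_SIZE > 0).
 * On GCC/Clang the same checks can be written with __builtin_mul_overflow. */
size_t checked_buffer_size(size_t count, size_t elem_size) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0; /* mul wraps */
    size_t body = count * elem_size;
    if (body > SIZE_MAX - HEADER_SIZE) return 0;                 /* add wraps */
    return body + HEADER_SIZE;
}

/* Allocation wrappers: the unsafe one happily returns a tiny buffer for an
 * attacker-chosen count; the safe one returns NULL instead. */
void *alloc_records_unsafe(size_t count, size_t elem_size) {
    return malloc(unsafe_buffer_size(count, elem_size));
}

void *alloc_records_safe(size_t count, size_t elem_size) {
    size_t n = checked_buffer_size(count, elem_size);
    return n ? malloc(n) : NULL;
}

int main(void) {
    /* Constructed input: (SIZE_MAX/4 + 1) * 4 == 2^(bits) == 0 mod 2^bits,
     * so the unsafe size collapses to just HEADER_SIZE. */
    size_t count = SIZE_MAX / 4 + 1;
    printf("unsafe size  : %zu bytes\n", unsafe_buffer_size(count, 4));
    printf("checked size : %zu (0 = rejected)\n", checked_buffer_size(count, 4));
    void *p = alloc_records_safe(count, 4);
    printf("safe alloc   : %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The check is deliberately written before the multiplication, because once the product has wrapped there is nothing left to detect; the same principle is why allocation helpers such as `calloc` take count and element size separately.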

MysterySnail

“Snail” by Ilweranta, CC BY 2.0

Kaspersky brings us a report on CVE-2021-40449 being used in the wild. It’s part of an attack they’re calling MysterySnail, and seems to originate from IronHusky out of China. The vulnerability is a use-after-free, and is triggered by making the ResetDC API call that calls its own callback. This layer of recursive execution results in an object being freed before the outer execution has finished with it.

Since the object can now be re-allocated and controlled by the attacker code, the malformed object allows the attacker to run their code in kernel space, achieving privilege escalation. This campaign then does some data gathering and installs a Remote Access Trojan. Several Indicators of Compromise are listed as part of the write-up.

Off to the Races

Google’s Project Zero is back with a clever Linux Kernel hack, an escalation of privilege triggered by a race condition in the pseudoterminal device. Usually abbreviated PTY, this kernel device can be connected to userspace applications on both ends, making for some interesting interactions. Each end has a struct that reflects the status of the connection. The problem is that TIOCSPGRP, used to set the process group that should be associated with the terminal, doesn’t properly lock the terminal’s internal state.

As a result, calling this function on both sides at the same time is a race condition, where the reference count can be corrupted. Once the reference count is untrustworthy, the whole object can be freed, with a dangling pointer left in the kernel. From there, it’s a typical use-after-free bug. The post has some useful thoughts about hardening a system against this style of attack, and the bug was fixed December 2020.

AI vs Pseudorandom Numbers

[Mostafa Hassan] of the NCC Group is doing some particularly fascinating research, using machine learning to test pseudorandom number generators. In the first installment, he managed to break the very simple xorshift128 algorithm. Part two tackles the Mersenne Twister, which also falls to the neural network. Do note that neither of these are considered cryptographic number generators, so it isn’t too surprising that an ML model can determine their internal state. What will be most interesting is the post to come, when he tackles other algorithms thought to be secure. Watch for that one in a future article.
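To see why xorshift128 is not a cryptographic generator, it helps to look at the algorithm itself. The block below is an added example written for this column, not [Mostafa Hassan]'s or NCC Group's code, and it goes a step beyond the article: no neural network is needed, because the generator's entire state is simply its last four outputs, so four consecutive observed values let anyone reproduce everything that follows. The seed and sample lengths are constructed for the demonstration.

```c
/* Added example: xorshift128 (Marsaglia's 32-bit variant) and direct
 * state recovery from four consecutive outputs. Seed values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct { uint32_t x, y, z, w; } xorshift128_t;

/* One step of xorshift128: shift the four words down and compute a new w,
 * which is also the value handed back to the caller. */
uint32_t xorshift128_next(xorshift128_t *s) {
    uint32_t t = s->x ^ (s->x << 11);
    s->x = s->y; s->y = s->z; s->z = s->w;
    s->w = s->w ^ (s->w >> 19) ^ (t ^ (t >> 8));
    return s->w;
}

/* After four calls the state (x, y, z, w) equals the last four outputs in
 * order, so an observer who saw out[0..3] holds the generator's state. */
xorshift128_t xorshift128_recover(const uint32_t out[4]) {
    xorshift128_t s = { out[0], out[1], out[2], out[3] };
    return s;
}

/* Returns 1 if a clone seeded from outputs[0..3] reproduces outputs[4..n-1]. */
int xorshift128_predicts(const uint32_t *outputs, size_t n) {
    xorshift128_t clone = xorshift128_recover(outputs);
    for (size_t i = 4; i < n; i++)
        if (xorshift128_next(&clone) != outputs[i]) return 0;
    return 1;
}

/* Demo helper: derive a non-zero four-word state from a constructed seed
 * (the state must never be all zero, or the generator is stuck at zero). */
void xorshift128_sample(uint32_t seed, uint32_t *buf, size_t n) {
    xorshift128_t s = { seed, seed ^ 0x9E3779B9u, seed * 2654435761u, seed ^ 0xDEADBEEFu };
    for (size_t i = 0; i < n; i++) buf[i] = xorshift128_next(&s);
}

/* Full demonstration: observe 4 outputs, then predict the next 8. */
int demo_prediction(uint32_t seed) {
    uint32_t buf[12];
    xorshift128_sample(seed, buf, 12);
    return xorshift128_predicts(buf, 12);
}

/* Sanity check on the checker itself: a single flipped bit in the stream
 * must be reported as a prediction failure. */
int demo_detects_mismatch(uint32_t seed) {
    uint32_t buf[12];
    xorshift128_sample(seed, buf, 12);
    buf[7] ^= 1u;
    return xorshift128_predicts(buf, 12) == 0;
}

int main(void) {
    printf("state recovered from 4 outputs predicts the next 8: %s\n",
           demo_prediction(0x12345678u) ? "yes" : "no");
    return 0;
}
```

The same property is why a guessable or observable non-cryptographic PRNG must never feed session tokens, nonces, or keys: the generator's state is not hidden from someone who sees its output, which is exactly the property a CSPRNG is designed to provide.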

L0phtcrack Becomes Open Source

The l0pht crew, back then

In a surprise to me, the L0phtcrack tool has been released as open source. L0phtcrack is the password cracking/auditing tool created by [Mudge] and company at L0pht Heavy Industries, about a billion years ago. Ownership passed to @stake, which was purchased by Symantec in 2004. Due to export regulations, Symantec stopped selling the program, and it was reacquired by the original L0pht team.

In April 2020, Terahash announced that they had purchased rights to the program, and began selling and supporting it as a part of their offerings. Terahash primarily builds GPU based cracking hardware, and has been hit exceptionally hard by the chip shortage. As a result of Terahash entering bankruptcy protection, the L0phtcrack ownership has reverted back to L0pht, and version 7.2.0 has been released as Open Source.

Going Forward To The Land: Technology For Permaculture

It’s usual for a Hackaday scribe to read hundreds of web pages over a typical week as we traverse the world in search of the good stuff to bring you. Sometimes they’re obvious Hackaday stories but as you’ll all no doubt understand we often end up on wild tangents learning about stuff we never expected to be excited about. Thus it was last week that I happened upon a GQ piece charting the dwindling remains of the communes set up in rural California by hippies during the counterculture years.

With only a few ageing residents who truly embraced the back-to-the-land dream remaining, these adventurously-designed home-made houses are gently decaying into the forest. It’s a disappearing world, but it’s also close to home for me as someone who grew up on a self-sufficiency smallholding in the 1970s. My parents may not have been hippies in the way everyone else in that scene at the time seemed to be, but I learned all my curiosity and hacking skills in the many opportunities presented to a small child by an unruly combination of small farm and metalworking business. There’s part of me that would build a hippy home in a Californian forest in a heartbeat, and throw myself with gusto into subsistence vegetable growing to get me through each winter.

Continue reading “Going Forward To The Land: Technology For Permaculture”

Announcing The Next Round Of Remoticon Talks

It’s coming up fast — Hackaday Remoticon 2021 is just a few weeks away, and we’re working around the clock to load up the weekend with awesome and inspiring talks that are bound to get the creative juices racing through your crazy straw brain.

Come and practice your neuroplasticity with us on November 19th and 20th. Remoticon is free-as-in-beer this year, unless you want a t-shirt. Even then, $25 is peanuts, because we’re sure that you’ll find a few talks that are priceless, and you’ll have a cool shirt to remember them by. Grab your ticket right now! We’ll wait.

A few days ago we announced mechanical engineering marvel Jeremy Fielding as our second keynote speaker. Passion is paramount to all projects, and Jeremy’s passion is making things move. He’s a renaissance man with a quiver full of self-taught skills, and is sure to bring enthusiasm to his keynote talk, which focuses on building hardware that moves, and how to handle the mechatronic mysteries that arise when trying to scale things up.

For now, let us indulge you with a preview of the second round of talks and speakers that we’ll be showcasing on November 19th and 20th. There’s plenty more where these came from, and we’ll be serving up fresh samples all the way until Remoticon weekend.

Continue reading “Announcing The Next Round Of Remoticon Talks”

Tech In Plain Sight: Glucose Meters

If you or someone you know is diabetic, it is a good bet that a glucose meter is a regular fixture in your life. They are cheap and plentiful, but they are actually reasonably high tech — well, at least parts of them are.

The meters themselves don’t seem like much, but that’s misleading. A battery, a few parts, a display, and enough of a controller to do things like remember readings appears to cover it all. You wouldn’t be surprised, of course, that you can get the whole affair “on a chip.” But it turns out, the real magic is in the test strip and getting a good reading from a strip requires more metrology than you would think. A common meter requires a precise current measurement down to 10nA. The reading has to be adjusted for temperature, too. The device is surprisingly complex for something that looks like a near-disposable piece of consumer gear.

Of course, there are announcements all the time about new technology that won’t require a needle stick. So far, none of those have really caught on for one reason or another, but that, of course, could change. GlucoWatch G2, for example, was a watch that could read blood glucose, but — apparently — was unable to cope with perspiration.

Even the meters that continuously monitor still work in more or less the same way as the cheap meters. As Hackaday’s Dan Maloney detailed a few years back, continuous glucose monitors leave a tiny sensor under your skin and measure fluid in your body, not necessarily blood. But the way the sensor works is usually the same.

For the purposes of this article, I’m only going to talk about the traditional meter: you insert a test strip, prick your finger, and let the test strip soak up a little bit of blood.

Continue reading “Tech In Plain Sight: Glucose Meters”

Know Audio: It All Depends On The DAC

Our trip through the world of audio technology has taken us step-by-step from your ears into a typical home Hi-Fi system. We’ve seen the speakers and the amplifier, now it’s time to take a look at what feeds that amplifier.

Here, we encounter the first digital component in our journey outwards from the ear, the Digital to Analogue Converter, or DAC. This circuit, which you’ll find as an integrated circuit, takes the digital information and turns it into the analogue voltage required by the amplifier.

There are many standards for digital audio, but in this context that used by the CD is most common. CDs sample audio at 44.1 kHz 16 bit, which is to say they express the level as a 16-bit number 44100 times per second for each of the stereo channels. There’s an electrical standard called i2s for communicating this data, consisting of a serial data line, a clock line, and an LRclock line that indicates whether the current data is for the left or the right channel. We covered i2s in detail back in 2019, and should you peer into almost any consumer digital audio product you’ll find it somewhere.

Continue reading “Know Audio: It All Depends On The DAC”