Hackaday Columns

4128 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

This Week In Security: Twilio, PongoTV, And BootHole

July 31, 2020 by 5 Comments

Twilio, the cloud provider for all things telecom, had an embarrassing security fail a couple weeks ago. The problem was the Amazon S3 bucket that Twilio was using to host part of their public facing content. The bucket was configured for public read-write access. Anyone could use the Amazon S3 API to make changes to the files stored there.

The files in question were protected behind Cloudflare’s CDN, but there’s a catch to Cloudflare’s service. If you know the details of the service behind Cloudflare, it can often be interacted with directly. In many cases, knowing the IP address of the server being protected is enough to totally bypass Cloudflare altogether. In this case, the service behind the CDN is Amazon’s S3. Any changes made to the files there are picked up by the CDN.

Someone discovered the insecure bucket, and modified a Javascript file that is distributed as part of the Twilio JS SDK. That modification was initially described as “non-malicious”, but in the official incident report, Twilio states that the injected code is part of an ongoing magecart campaign carried out against misconfigured S3 buckets.
Continue reading “This Week In Security: Twilio, PongoTV, And BootHole”

Learn Software Reverse Engineering: Ghidra Class Videos From HackadayU Now Available!

July 30, 2020 by 6 Comments

The HackadayU video series on learning to use Ghidra is now available!

Ghidra is a tool for reverse engineering software binaries — you may remember that it was released as Open Source by the NSA last year. It does an amazing job of turning compiled binaries that tell the computer how to operate into human-readable C code. The catch is that there’s a learning curve to making the most out of what Ghidra gives you. Enter the Introduction to Reverse Engineering with Ghidra class led by Matthew Alt as part of the HackadayU series. This set of four one-hour virtual classroom videos were just made available so that you can take the course at your own pace.

Matthew has actually been schooling us for a while. He’s also known as [wrongbaud] and we’ve been spending a lot of time covering his reverse engineering projects, including the teardowns of NES-on-a-chip hardware and his excellent hacker’s guide to JTAG. His HackadayU class continues that legacy by pulling together course materials for a high-quality hands-on walk through Ghidra. You’ll get a dose of computer architecture, the compilation process, ELF file structure, and x86_64 instructions sets along the way. He’s done a superb job of making example code for the coursework available.

While this was the first HackadayU course, there are more on the way. Anool Mahidharia just finished teaching KiCAD & FreeCAD 101 and videos will be published a soon as the editing process is complete. The fall lineup of classes is shaping up nicely and will be announced soon. As a sneak peak, we have instructors working on classes covering tiny machine learning, a second set of classes on Ghidra reverse engineering, a protocol deep dive (I2C, SPI, one-wire, JTAG etc.), Linux on Raspberry Pi, building interactive art, and all about LEDs, and an intro to design with Rhino. Keep your eye on Hackaday for more info as classes are added to the schedule.

Continue reading “Learn Software Reverse Engineering: Ghidra Class Videos From HackadayU Now Available!”

Ask Hackaday: Why Did GitHub Ship All Our Software Off To The Arctic?

July 29, 2020 by 95 Comments

If you’ve logged onto GitHub recently and you’re an active user, you might have noticed a new badge on your profile: “Arctic Code Vault Contributor”. Sounds pretty awesome right? But whose code got archived in this vault, how is it being stored, and what’s the point?

Continue reading “Ask Hackaday: Why Did GitHub Ship All Our Software Off To The Arctic?”

Falcon 9 Beats Shuttle’s Reflight Record, But Still Has A Long Way To Go

July 27, 2020 by 77 Comments

Put simply, the goal of any reusable booster is to reduce the cost of getting a payload into space. The comparison is often made to commercial aviation: if you had to throw away the airliner after every flight, nobody could afford the tickets. The fact that the plane can be refueled and flown again and again allows operators to amortize its high upfront cost.

In theory, the same should hold true for orbital rockets. With enough flight experience, you can figure out which parts of the vehicle will need replacement or repair, and how often. Assuming the fuel is cheap enough and the cost of refurbishment doesn’t exceed that of building a new one, eventually the booster will pay for itself. You just need a steady stream of paying customers, which is hardly a challenge given how much we rely on our space infrastructure.

But there’s a catch. For the airliner analogy to really work, whatever inspections and repairs the rocket requires between missions must be done as quickly as possible. The cost savings from reuse aren’t nearly as attractive if you can only fly a few times a year. The key to truly making space accessible isn’t just building a reusable rocket, but attaining rapid reusability.

Which is precisely where SpaceX currently finds themselves. Over the years they’ve mastered landing the Falcon 9’s first stage, and they’ve even proven that the recovered boosters can be safely reused for additional flights. But the refurbishment process is still fairly lengthy. While their latest launch officially broke the record for fastest reflight of a space vehicle that had previously been set by Space Shuttle Atlantis, there’s still a lot of work to be done if SpaceX is ever going to fly their rockets like airplanes.

Continue reading “Falcon 9 Beats Shuttle’s Reflight Record, But Still Has A Long Way To Go”

Ideas To Prototypes Hack Chat With Nick Bild

July 27, 2020 by 1 Comment

Join us on Wednesday, July 29 at noon Pacific for the Ideas to Prototypes Hack Chat with Nick Bild!

For most of us, ideas are easy to come by. Taking a shower can generate half of dozen of them, the bulk of which will be gone before your hair is dry. But a few ideas will stick, and eventually make it onto paper or its electronic equivalent, to be played with and tweaked until it coalesces into a plan. And a plan, if we’re lucky, is what’s needed to put that original idea into action, to bring it to fruition and see just what it can do.

No matter what you’re building, the ability to turn ideas into prototypes is what moves projects forward, and it’s what most of us live for. Seeing something on the bench or the shop floor that was once just a couple of back-of-the-napkin sketches, and before that only an abstract concept in your head, is immensely satisfying.

The path from idea to prototype, however, is not always a smooth one, as Nick Bild can attest. We’ve been covering Nick’s work for a while now, starting with his “nearly practical” breadboard 6502 computer, the Vectron, up to his recent forays into machine learning with ShAIdes, his home-automation controlling AI sunglasses. On the way we’ve seen his machine-learning pitch predictor, dazzle-proof glasses, and even a wardrobe-malfunction preventer.

All of Nick’s stuff is cool, to be sure, but there’s a method to his productivity, and we’ll talk about that and more in this Hack Chat. Join us as we dive into Nick’s projects and find out what he does to turn his ideas into prototypes.

join-hack-chatOur Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, July 29 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about. Continue reading “Ideas To Prototypes Hack Chat With Nick Bild”

Hackaday Links Column Banner

Hackaday Links: July 26, 2020

July 26, 2020 by 12 Comments

An Australian teen is in hot water after he allegedly exposed sensitive medical information concerning COVID-19 patients being treated in a local hospital. While the authorities in Western Australia were quick to paint the unidentified teen as a malicious, balaclava-wearing hacker spending his idle days cracking into secure systems, a narrative local media were all too willing to parrot, reading down past the breathless headlines reveals the truth: the teen set up an SDR to receive unencrypted POCSAG pager data from a hospital, and built a web page to display it all in real-time. We’ve covered the use of unsecured pager networks in the medical profession before; this is a well-known problem that should not exactly take any infosec pros by surprise. Apparently authorities just hoped that nobody would spend $20 on an SDR and an afternoon putting it all together rather than address the real problem, and when found out they shifted the blame onto the kid.

Speaking of RF hacking, even though the 2020 HOPE Conference is going virtual, they’ll still be holding the RF Hacking Village. It’s not clear from the schedule how exactly that will happen; perhaps like this year’s GNU Radio Conference CTF Challenge, they’ll be distributing audio files for participants to decode. If someone attends HOPE, which starts this weekend, we’d love to hear a report on how the RF Village — and the Lockpicking Village and all the other attractions — are organized. Here’s hoping it’s as cool as DEFCON Safe Mode’s cassette tape mystery.

It looks like the Raspberry Pi family is about to get a big performance boost, with Eben Upton’s announcement that the upcoming Pi Compute Module 4 will hopefully support NVMe storage. The non-volatile memory express spec will allow speedy access to storage and make the many hacks Pi users use to increase access speed unnecessary. While the Compute Modules are targeted at embedded system designers, Upton also hinted that NVMe support might make it into the mainstream Pi line with a future Pi 4A.

Campfires on the sun? It sounds strange, but that’s what solar scientists are calling the bright spots revealed on our star’s surface by the newly commissioned ESA/NASA Solar Orbiter satellite. The orbiter recently returned its first images of the sun, which are extreme closeups of the roiling surface. They didn’t expect the first images, which are normally used to calibrate instruments and make sure everything is working, to reveal something new, but the (relatively) tiny bright spots are thought to be smaller versions of the larger solar flares we observe from Earth. There are some fascinating images coming back from the orbiter, and they’re well worth checking out.

And finally, although it’s an old article and has nothing to do with hacking, we stumbled upon Tim Urban’s look at the mathematics of human relations and found it fascinating enough to share. The gist is that everyone on the planet is related, and most of us are a lot more inbred than we would like to think, thanks to the exponential growth of everyone’s tree of ancestors. For example, you have 128 great-great-great-great-great-grandparents, who were probably alive in the early 1800s. That pool doubles in size with every generation you go back, until we eventually — sometime in the 1600s — have a pool of ancestors that exceeds the population of the planet at the time. This means that somewhere along the way, someone in your family tree was hanging out with someone else from a very nearby branch of the same tree. That union, likely between first or second cousins, produced the line that led to you. This is called pedigree collapse and it results in the pool of ancestors being greatly trimmed thanks to sharing grandparents. So the next time someone tells you they’re descended from 16th-century royalty, you can just tell them, “Oh yeah? Me too!” Probably.

Stop Bad Laws Before They Start

July 25, 2020 by 88 Comments

With everything else going on this summer, you might be forgiven for not keeping abreast of new proposed regulatory frameworks, but if you’re interested in software-defined radio (SDR) or even reflashing your WiFi router, you should. Right now, there’s a proposal to essentially prevent you from flashing your own firmware/software to any product with a radio in it before the European Commission. This obviously matters to Europeans, but because manufacturers often build hardware to the strictest global requirements, it may impact everyone. What counts as radio equipment? Everything from WiFi routers to wearables, SDR dongles to shortwave radios.

The idea is to prevent rogue reconfigurable radios from talking over each other, and prevent consumers from bricking their routers and radios. Before SDR was the norm, and firmware was king, it was easy for regulators to test some hardware and make sure that it’s compliant, but now that anyone can re-flash firmware, how can they be sure that a radio is conformant? Prevent the user from running their own firmware, naturally. It’s pretty hard for Hackaday to get behind that approach.

The impact assessment sounds more like advertising copy for the proposed ruling than an honest assessment, but you should give it a read because it lets you know where the commission is coming from. Reassuring is that they mention open-source software development explicitly as a good to be preserved, but their “likely social impacts” include “increased security and safety” and they conclude that there are no negative environmental impacts. What do you do when the manufacturer no longer wants to support the device? I have plenty of gear that’s no longer supported by firmware updates that is both more secure and simply not in the landfill because of open-source firmware.

Similarly, “the increased capacity of the EU to autonomously secure its products is also likely to help the citizens to better protect their information-related rights” is from a bizarro world where you can trust Xiaomi’s home-automation firmware to not phone home, but can’t trust an open-source replacement.

Public comment is still open, and isn’t limited to European citizens. As mentioned above, it might affect you even if you’re not in the EU, so feel free to make your voice heard. You have until September, and you’ll be in some great company if you register your complaints. Indeed, reading through the public comments is quite heartening: Universities, researchers, and hackers alike have brought up reasons to steer clear of the proposed approach. We hope that the commission hears us.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!