Hackaday Columns

4126 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

Brainstorming COVID-19 Hack Chat

April 6, 2020 by 15 Comments

Join us on Wednesday, April 8 at noon Pacific for the Brainstorming COVID-19 Hack Chat!

The COVID-19 pandemic has been sweeping across the globe now for three months. In that time it has encountered little resistance in its advances, being a novel virus with just the right mix of transmissibility and virulence that our human immune systems have never encountered. The virus is racking up win after win across the world, crippling public health and medical systems, shutting down entire economies, and forcing billions of people into isolation for the foreseeable future.

While social distancing is certainly an effective way to limit the spread of the disease, it feels more like hiding than fighting. Bored and stuck at home, millions of fertile minds are looking for an outlet for this frustration, a more affirmative way to fight the good fight and build solutions that the world sorely needs. And thus we’ve seen the outpouring of designs, ideas, and prototypes of everything from social distancing helpers to personal protective equipment (PPE) hacks.

In this Hack Chat, we’ll try to provide a framework around which hackers can start to turn their ideas into COVID-19 solutions. There are a ton of problems right now, but the most acute and most approachable seem to revolve around making sure healthcare providers have the PPE they need to do their job safely. Hacking at the edges of managing social distancing seems doable, too, both in terms of helping people keep a healthy distance from each other and in managing the isolation that causes. And let’s not forget about managing boredom; idle hands lead to idle minds, and staying healthy mentally is just as important as good handwashing and nutrition.

Join us on Wednesday for this group-led Hack Chat and bring your best ideas for attacking COVID-19 head-on.

join-hack-chatOur Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, April 8 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Continue reading “Brainstorming COVID-19 Hack Chat”

Navigating Self-Driving Cars By Looking At What’s Underneath The Road

April 6, 2020 by 51 Comments

When you put a human driver behind the wheel, they will use primarily their eyes to navigate. Both to stay on the road and to use any navigation aids, such as maps and digital navigation assistants. For self-driving cars, tackling the latter is relatively easy, as the system would use the same information in a similar way: when to to change lanes, and when to take a left or right. The former task is a lot harder, with situational awareness even a challenge for human drivers.

In order to maintain this awareness, self-driving and driver-assistance systems use a combination of cameras, LIDAR, and other sensors. These can track stationary and moving objects and keep track of the lines and edges of the road. This allows the car to precisely follow the road and, at least in theory, not run into obstacles or other vehicles. But if the weather gets bad enough, such as when the road is covered with snow, these systems can have trouble coping.

Looking for ways to improve the performance of autonomous driving systems in poor visibility, engineers are currently experimenting with ground-penetrating radar. While it’s likely to be awhile before we start to see this hardware on production vehicles, the concept already shows promise. It turns out that if you can’t see whats on the road ahead of you, looking underneath it might be the next best thing. Continue reading “Navigating Self-Driving Cars By Looking At What’s Underneath The Road”

Hackaday Links Column Banner

Hackaday Links: April 5, 2020

April 5, 2020 by 8 Comments

Git is powerful, but with great power comes the ability to really bork things up. When you find yourself looking at an inscrutable error message after an ill-advised late-night commit, it can be a maximum pucker-factor moment, and keeping a clear enough head to fix the problem can be challenging. A little proactive social engineering may be in order, which is why Jonathan Bisson wrote git-undo, a simple shell script that displays the most common un-borking commands he’s likely to need. There are other ways to prompt yourself through Git emergencies, like Oh Shit, Git (or for the scatologically sensitive, Dangit Git), but git-undo has the advantage of working without an Internet connection.

Suddenly find yourself with a bunch of time on your hands and nothing to challenge your skills? Why not try to write a program in a single Tweet? The brainchild of Dominic Pajak, the BBC Micro Bot Twitter account accepts tweets and attempts to run them as BASIC programs on a BBC Microcomputer emulator, replying with the results of the program. It would seem that 280 characters would make it difficult to do anything interesting, but check out some of the results. Most are graphic displays, some animated, and with an unsurprising number of nods to 1980s pop culture. Some are truly impressive, though, like Conway’s Game of Life written by none other than Eben Upton.

The COVID-19 pandemic is causing all sorts of cultural shifts, but we didn’t expect to see much change in the culture of a community that’s been notoriously resistant to change for over a century: amateur radio. One of the most basic facts of life in the amateur radio world is that you need a license to participate, with governments regulating the process. But as a response to the pandemic, Spain has temporarily lifted licensing requirements for amateur radio operators. Normally, an unlicensed person is only allowed to operate on amateur bands under the direct supervision of a licensed amateur. The rules change allows unlicensed operators to use a station without supervision and is intended to give schoolchildren trapped at home an educational experience. In another change, some countries are allowing special callsign suffixes, like “STAYHOME,” to raise awareness during the pandemic. And the boom in interest in amateur radio since the pandemic started is remarkable; unfortunately, finding a way to take your test in a socially distant world is quite a trick. Our friend Josh Nass (KI6NAZ) has some thoughts about testing under these conditions that you might find interesting.

And finally, life goes on during all this societal disruption, and every new life deserves to be celebrated. And when Lauren Devinck made her appearance last month, her proud parents decided to send out unique birth announcement cards with a printed circuit board feature. The board is decorative, not functional, but adds a distinctive look to the card. The process of getting the boards printed was non-trivial; it turns out that free-form script won’t pass most design rule tests, and that panelizing them required making some compromises. We think the finished product is classy, but can’t help but think that a functional board would have really made a statement. Regardless, we welcome Lauren and congratulate her proud parents.

Can Solid Save The Internet?

April 4, 2020 by 32 Comments

We ran an article on Solid this week, a project that aims to do nothing less than change the privacy and security aspects of the Internet as we use it today. Sir Tim Berners-Lee, the guy who invented the World Wide Web as a side project at work, is behind it, and it’s got a lot to recommend it. I certainly hope they succeed.

The basic idea is that instead of handing your photos, your content, and your thoughts over to social media and other sharing platforms, you’d store your own personal data in a Personal Online Data (POD) container, and grant revocable access to these companies to access your data on your behalf. It’s like it’s your own website contents, but with an API for sharing parts of it elsewhere.

This is a clever legal hack, because today you give over rights to your data so that Facebook and Co. can display them in your name. This gives them all the bargaining power, and locks you into their service. If instead, you simply gave Facebook a revocable access token, the power dynamic shifts. Today you can migrate your data and delete your Facebook account, but that’s a major hassle that few undertake.

Mike and I were discussing this on this week’s podcast, and we were thinking about the privacy aspects of PODs. In particular, whatever firm you use to socially share your stuff will still be able to snoop you out, map your behavior, and target you with ads and other content, because they see it while it’s in transit. But I failed to put two and two together.

The real power of a common API for sharing your content/data is that it will make it that much easier to switch from one sharing platform to another. This means that you could easily migrate to a system that respects your privacy. If we’re lucky, we’ll see competition in this space. At the same time, storing and hosting the data would be portable as well, hopefully promoting the best practices in the providers. Real competition in where your data lives and how it’s served may well save the Internet. (Or at least we can dream.)

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.

Want this type of article to hit your inbox every Friday morning? You should sign up!

Hackaday Podcast 061: Runaway Soldering Irons, Open Source Ventilators, 3D Printed Solder Stencils, And Radar Motion

April 3, 2020 by 2 Comments

Hackaday editors Mike Szczys and Elliot Williams sort through the hardware hacking gems of the week. There was a kerfuffle about whether a ventilator data dump from Medtronics was open source or not, and cool hacks from machine-learning soldering iron controllers to 3D-printing your own solder paste stencils. A motion light teardown shows it’s not being done with passive-infrared, we ask what’s the deal with Tim Berners-Lee’s decentralized internet, and we geek out about keyboards that aren’t QWERTY.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast 061: Runaway Soldering Irons, Open Source Ventilators, 3D Printed Solder Stencils, And Radar Motion”

This Week In Security: OpenWrt, ZOOM, And Systemd

April 3, 2020 by 21 Comments

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, make for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: A list of packages, which contains a SHA256 of each package, and then a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages.


It’s a valid approach, but there was a bug, discovered by [Guido Vranken], in how opkg reads the hash values from the package list. The leading space triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank. Rather than fail the install, the hash verification is simply skipped. The result? Opkg is vulnerable to a rather simple man in the middle attack.

OpenWrt doesn’t do any automatic installs or automatic updates, so this vulnerability will likely not be widely abused, but it could be used for a targeted attack. An attacker would need to be in a position to MitM the router’s internet connection while software was being installed. Regardless, make sure you’re running the latest OpenWrt release to mitigate this issue. Via Ars Technica.

Wireguard V1.0

With the Linux Kernel version 5.6 being finally released, Wireguard has finally been christened as a stable release. An interesting aside, Google has enabled Wireguard in their Generic Kernel Image (GKI), which may signal more official support for Wireguard VPNs in Android. I’ve also heard reports that one of the larger Android ROM development communities is looking into better system-level Wireguard support as well.

Javascript in Disguise

Javascript makes the web work — and has been a constant thorn in the side of good security. For just an example, remember Samy, the worm that took over Myspace in ’05. That cross-site scripting (XSS) attack used a series of techniques to embed Javascript code in a user’s profile. Whenever that profile page was viewed, the embedded JS code would run, and then replicate itself on the page of whoever had the misfortune of falling into the trap.

Today we have much better protections against XSS attacks, and something like that could never happen again, right? Here’s the thing, for every mitigation like Content-Security-Policy, there is a guy like [theMiddle] who’s coming up with new ways to break it. In this case, he realized that a less-than-perfect CSP could be defeated by encoding Javascript inside a .png, and decoding it to deliver the payload.

Systemd

Ah, systemd. Nothing seems to bring passionate opinions out of the woodwork like a story about it. In this case, it’s a vulnerability found by [Tavis Ormandy] from Google Project Zero. The bug is a race condition, where a cached data structure can be called after it’s already been freed. It’s interesting, because this vulnerability is accessible using DBus, and could potentially be used to get root level access. It was fixed with systemd v220.

Mac Firmware

For those of you running MacOS on Apple hardware, you might want to check your firmware version. Not because there’s a particularly nasty vulnerability in there, but because firmware updates fail silently during OS updates. What’s worse, Apple isn’t publishing release notes, or even acknowledging the most recent firmware version. A crowd-sourced list of the latest firmware versions is available, and you can try to convince your machine to try again, and hope the firmware update works this time.

Anti-Rubber-Ducky

Google recently announced a new security tool, USB Keystroke Injection Protection. I assume the nickname, UKIP, isn’t an intentional reference to British politics. Regardless, this project is intended to help protect against the infamous USB Rubber Ducky attack, by trying to differentiate a real user’s typing cadence, as opposed to a malicious device that types implausibly quickly.

While the project is interesting, there are already examples of how to defeat it that amount to simply running the scripts with slight pauses between keystrokes. Time will tell if UKIP turns into a useful mitigation tool. (Get it?)

SMBGhost

Remember SMBGhost, the new wormable SMB flaw? Well, there is already a detailed explanation and PoC. This particular PoC is a local-only privilege escalation, but a remote code execution attack is like inevitable, so go make sure you’re patched!

Stay Smarter Than Your Smart Speaker

April 1, 2020 by 56 Comments

Smart speakers have always posed a risk to privacy and security — that’s just the price we pay for getting instant answers to life’s urgent and not-so-urgent questions the moment they arise. But it seems that many owners of the 76 million or so smart speakers on the active install list have yet to wake up to the reality that this particular trick of technology requires a microphone that’s always listening. Always. Listening.

With so much of the world’s workforce now working from home due to the global SARS-CoV-2 pandemic, smart speakers have suddenly become a big risk for business, too — especially those where confidential conversations are as common and crucial as coffee.

Imagine the legions of lawyers out there, suddenly thrust from behind their solid-wood doors and forced to set up ramshackle sub rosa sanctuaries in their homes to discuss private matters with their equally out-of-sorts clients. How many of them don’t realize that their smart speaker bristles with invisible thorns, and is even vulnerable to threats outside the house? Given the recent study showing that smart speakers can and do activate accidentally up to 19 times per day, the prevalence of the consumer-constructed surveillance state looms like a huge crisis of confidentiality.

So what are the best practices of confidential work in earshot of these audio-triggered gadgets?

Continue reading “Stay Smarter Than Your Smart Speaker”