This Week In Security: SAD DNS, Incident Documentation Done Well, And TCL Responds

November 20, 2020 by Jonathan Bennett 6 Comments

One of the big stories from the past few days is the return of DNS cache poisoning. The new attack has been dubbed SADDNS, and the full PDF whitepaper is now available. When you lookup a website’s IP address in a poisoned cache, you get the wrong IP address.

This can send you somewhere malicious, or worse. The paper points out that DNS has suffered a sort of feature creep, picking up more and more responsibilities. The most notable use of DNS that comes to mind is LetsEncrypt using DNS as the mechanism to prove domain ownership, and issue HTTPS certificates.

DNS Cache poisoning is a relatively old attack, dating from 1993. The first iteration of the attack was simple. An attacker that controlled an authoritative DNS server could include extra DNS results, and those extra results would be cached as if they came from an authoritative server. In 1997 it was realized that the known source port combined with a non-random transaction ID made DNS packet spoofing rather trivial. An attacker simply needs to spoof a DNS response with the appropriate txID, at the appropriate time to trick a requester into thinking it’s valid. Without the extra protections of TCP connections, this was an easy task. The response was to randomize the txID in each connection.

I have to take a moment to talk about one of my favorite gotchas in statistics. The Birthday paradox. The chances that two randomly selected people share a birthday is 1 in 365. How many people have to be in a room together to get a 50% chance of two of them sharing a birthday? If you said 182, then you walked into the paradox. The answer is 23. Why? Because we’re not looking for a specific birthday, we’re just looking for a collision between dates. Each non-matching birthday that walks into the room provides another opportunity for the next one to match.

This is the essence of the DNS birthday attack. An attacker would send a large number of DNS requests, and then immediately send a large number of spoofed responses, guessing random txIDs. Because only one collision is needed to get a poisoned cache, the chances of success go up rapidly. The mitigation was to also randomize the DNS source port, so that spoof attempts had to have both the correct source port and txID in the same attempt. Continue reading “This Week In Security: SAD DNS, Incident Documentation Done Well, And TCL Responds” →

Easy IoT Logging Options For The Beginner

November 19, 2020 by Lewin Day 20 Comments

If a temperature sensor takes a measurement in the woods but there’s nobody around to read it, is it hot out?

If you’ve got a project that’s collecting data, you might have reasons to put it online. Being able to read your data from anywhere has its perks, after all, and it’s key to building smarter interconnected systems, too. Plus, you can tell strangers the humidity in your living room while you’re out at the pub, and they’ll be really impressed.

Taking the leap into the Internet of Things can be daunting however, with plenty of competing services and options from the basic to the industrial-strength available. Today, we’re taking a look at two options for logging data online that are accessible to the beginner. Continue reading “Easy IoT Logging Options For The Beginner” →

How To Get Into Cars: Offroading Mods

November 18, 2020 by Lewin Day 44 Comments

While plenty of automotive enthusiasts are all about carving corners at the local track days, it’s a special breed that leaves tarmac behind for the dusty trail ahead. If your chosen ride is of the four-wheelin’ variety, here’s how you can modify it to dominate the dirt and mud.

Handling The Terrain

Building a good offroad rig requires a very different focus than building a car for street performance. A screaming high-performance engine is of no use when your tires are spinning in the air because you’re stuck in deep sand or on top of a pointy rock. Instead, four wheelers are concerned with a whole different set of parameters. Ground clearance is key to getting over obstacles without getting stuck, and good articulation is key to keeping your wheels on the ground and pushing you forward in deep ruts and on crazy angles. You’ll also want plenty of low-down torque, and tyres that can grip up in all conditions without snagging a puncture. It’s a whole different ballgame, so read on!

Continue reading “How To Get Into Cars: Offroading Mods” →

Bare-Metal STM32: From Power-Up To Hello World

November 17, 2020 by Maya Posch 59 Comments

Some may ask why you’d want to program a Cortex-M microcontroller like the STM32 series using nothing but the ARM toolchain and the ST Microelectronics-provided datasheet and reference manual. If your first response to that question wasn’t a panicked dive towards the nearest emergency exit, then it might be that that question has piqued your interest. Why, indeed?

Definitely, one could use any of the existing frameworks to program an STM32 MCU, whether the ST HAL framework, plain CMSIS, or even something more Arduino-flavored. Yet where is the fun in that, when at the end of the day one is still fully dependent on that framework’s documentation and its developers? More succinctly, if the contents of the STM32 reference manuals still look like so much gibberish, does one really understand the platform?

Let’s take a look at how bare-metal STM32 programming works, and make the most basic example run, shall we? Continue reading “Bare-Metal STM32: From Power-Up To Hello World” →

Harnessing Your Creativity Hack Chat

November 16, 2020 by Dan Maloney No comments

Join us on Wednesday, November 18th at noon Pacific for the Harnessing Your Creativity Hack Chat with Leo Fernekes!

(Note: this Hack Chat was rescheduled from 10/14/2020.)

You’re sitting at your bench, surrounded by the tools of the trade — meters and scopes, power supplies and hand tools, and a well-stocked parts bin. Your breadboard is ready, your fingers are itching to build, and you’ve got everything you need to get started, but — nothing happens. Something is missing, and if you’re like many of us, it’s the one thing you can’t get from eBay or Amazon: the creative spark that makes innovation happen.

Creativity is one of those things that’s difficult to describe, and is often noticed most when it’s absent. Hardware hacking requires great buckets of creativity, and it’s not always possible to count on it being there exactly when it’s called for. It would be great if you could somehow reduce creativity to practice and making it something as easy to source for every project as any other commodity.

While Leo Fernekes hasn’t exactly commoditized creativity, judging from the breadth of projects on his YouTube channel, he’s got a pretty good system for turning ideas into creations. We’ve featured a few of his builds on our pages, like a discrete transistor digital clock, the last continuity tester you’ll ever need, and his somewhat unconventional breadboarding techniques. Leo’s not afraid to fail and share the lessons learned, either.

His projects, though, aren’t the whole story here: it’s his process that we’re going to discuss. Leo joins us for this Hack Chat to poke at the creative process and see what can be done to remain rigorous and systematic in your approach but still make the process creative and flexible. Join us with your questions about finding the inspiration you need to turn parts and skills into finished projects that really innovate.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, November 18 at 12:00 PM Pacific time. If time zones baffle you as much as us, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Continue reading “Harnessing Your Creativity Hack Chat” →

3D Printering: The Things Printers (Don’t) Do

November 16, 2020 by Donald Papp 56 Comments

3D printers are amazing things, but if one judges solely by the successes that get showcased online, it can look as through anything at all is possible. Yet in many ways, 3D printers are actually quite limited. Because success looks easy and no one showcases failure, people can end up with lopsided ideas of what is realistic. This isn’t surprising; behind every shining 3D print that pushes the boundaries of the technology, there are misprints and test pieces piled just out of sight.

If you have ever considered getting into 3D printing, or are wondering what kinds of expectations are realistic, read on because I am going to explain where objects come from, and how to recognize whether something is a good (or bad) fit for 3D printing. The important thing to understand is that printers have limitations, and to get a working idea of what those limitations are. The result will be a better understanding of what they can do, and what problems they can reliably solve.

3D Printers Have Limits

I recently had a talk with someone who wanted to know if a 3D printer could help with a problem they had. As I listened to them describe their needs, I realized I had in a way heard it all before many times.

My colleague actually had a fairly good idea of what printers could do, in theory. But they had very little grasp of what printers did not do, and that disconnect left them a bit adrift when it came to practical applications. To help address this gap, here are some tips that can give anyone a working understanding of the things 3D printers do not do well. Continue reading “3D Printering: The Things Printers (Don’t) Do” →

Hackaday Links: November 15, 2020

November 15, 2020 by Dan Maloney 13 Comments

Now that we drive around cars that are more like mobile data centers than simple transportation, there’s a wealth of data to be harvested when the inevitable crashes occur. After a recent Tesla crash on a California highway, a security researcher got a hold of the car’s “black box” and extracted some terrifying insights into just how bad a car crash can be. The interesting bit is the view of the crash from the Tesla’s forward-facing cameras with object detection overlays. Putting aside the fact that the driver of this car was accelerating up to the moment it rear-ended the hapless Honda with a closing speed of 63 MPH (101 km/h), the update speeds on the bounding boxes and lane sensing are incredible. The author of the article uses this as an object lesson in why Level 2 self-driving is a bad idea, and while I agree with that premise, the fact that self-driving had been disabled 40 seconds before the driver plowed into the Honda seems to make that argument moot. Tech or not, someone this unskilled or impaired was going to have an accident eventually, and it was just bad luck for the other driver.

Last week I shared a link to Scan the World, an effort to 3D-scan and preserve culturally significant artifacts and create a virtual museum. Shortly after the article ran we got an email from Elisa at Scan the World announcing their “Unlocking Lockdown” competition, which encourages people to scan cultural artifacts and treasures directly from their home. You may not have a Ming Dynasty vase or a Grecian urn on display in your parlor, but you’ve probably got family heirlooms, knick-knacks, and other tchotchkes that should be preserved. Take a look around and scan something for posterity. And I want to thank Elisa for the link to the Pompeiian bread that I mentioned.

The Defense Advanced Research Projects Agency (DARPA)has been running an interesting challenge for the last couple of years: The Subterranean (SubT) Challenge. The goal is to discover new ways to operate autonomously below the surface of the Earth, whether for mining, search and rescue, or warfare applications. They’ve been running different circuits to simulate various underground environments, with the most recent circuit being a cave course back in October. On Tuesday November 17, DARPA will webcast the competition, which features 16 teams and their autonomous search for artifacts in a virtual cave. It could make for interesting viewing.

If underground adventures don’t do it for you, how about going upstairs? LeoLabs, a California-based company that specializes in providing information about satellites, has a fascinating visualization of the planet’s satellite constellation. It’s sort of Google Earth but with the details focused on low-earth orbit. You can fly around the planet and watch the satellites whiz by or even pick out the hundreds of spent upper-stage rockets still up there. You can lock onto a specific satellite, watch for near-misses, or even turn on a layer for space debris, which honestly just turns the display into a purple miasma of orbiting junk. The best bit, though, is the easily discerned samba-lines of newly launched Starlink satellites.

A doorbell used to be a pretty simple device, but like many things, they’ve taken on added complexity. And danger, it appears, as Amazon Ring doorbell users are reporting their new gadgets going up in flame upon installation. The problem stems from installers confusing the screws supplied with the unit. The longer wood screws are intended to mount the device to the wall, while a shorter security screw secures the battery cover. Mix the two up for whatever reason, and the sharp point of the mounting screw can find the LiPo battery within, with predictable results.

And finally, it may be the shittiest of shitty robots: a monstrous robotic wolf intended to scare away wild bears. It seems the Japanese town of Takikawa has been having a problem with bears lately, so they deployed a pair of these improbable looking creatures to protect themselves. It’s hard to say what’s the best feature: the flashing LED eyes, the strobe light tail, the fact that the whole thing floats in the air atop a pole. Whatever it is, it seems to work on bears, which is probably good enough. Take a look in the video below the break.

Continue reading “Hackaday Links: November 15, 2020” →