Hackaday Podcast 057: Dismantled LCD Panels, Unexpected Dynamometer, A Flappy POV, And Dastardly Encryption

Hackaday editors Mike Szczys and Elliot Williams are on an LCD and motors kick this week. Two different LCD screen teardowns caught our eye: one lets you stare into the void while using your iMac, and the other tries to convince us not to be afraid of de-laminating the LCD stackup. On the motors front, it’s all about using magnets and coils in slightly different ways; there’s a bike generator that uses a planar alternator design, a dynamometer for testing motor power that is itself built from a motor, and a flex-PCB persistence of vision display that’s a motor/display hybrid. We round out the episode with talk of the newly revealed espionage saga that was Crypto AG, and riveting discussion of calculators, both real and virtual.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Continue reading “Hackaday Podcast 057: Dismantled LCD Panels, Unexpected Dynamometer, A Flappy POV, And Dastardly Encryption”

This Week In Security: Let’s Encrypt Revocation, Ghostcat, And The RIDLer

Let’s Encrypt recently celebrated their one billionth certificate. That’s over 190 million websites currently secured, and thirteen full-time staff. The annual budget for Let’s Encrypt is an eye-watering $3.3+ million, covered by sponsors like Mozilla, Google, Facebook, and the EFF.

A cynic might ask if we need to rewind the counter by the three million certificates Let’s Encrypt recently announced they are revoking as a result of a temporary security bug. That bug was in the handling of the Certificate Authority Authorization (CAA) security extension. CAA is a recent addition to the X.509 standard. A domain owner opts in by setting a CAA field in their DNS records, specifying a particular CA that is authorized to issue certificates for their domain. It’s absolutely required that when a CA issues a new certificate, it checks for a CAA record, and must refuse to issue the certificate if a different authority is listed in the CAA record.

The CAA specification sets eight hours as the maximum time a CAA check result may be cached. Let’s Encrypt uses a similar automated process to determine domain ownership, and considers those results to be valid for 30 days. There is a corner case where the Let’s Encrypt validation is still valid, but the CAA check needs to be re-performed. For certificates that cover multiple domains, that check would need to be performed for each domain before the certificate can be issued. Rather than validating each domain’s CAA record, the Let’s Encrypt validation system was checking one of those domain names multiple times. The problem was caught and fixed on the 28th.

The original announcement gave administrators 36 hours to manually renew their affected certificates. While just over half of the three million target certificates have been revoked, an additional grace period has been extended for the more than one million certs that are still in use. Just to be clear, there aren’t over a million bad certificates in the wild; in fact, only 445 certificates were minted that should have been prevented by a proper CAA check.
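To make the two timescales and the re-check corner case concrete, here is an added example (not Let’s Encrypt’s code, and not the actual Boulder bug) that models a CA-side CAA check over a constructed, hypothetical zone table. It climbs the DNS tree to find the governing CAA record set, decides whether a 30-day authorization can be reused, needs only a fresh CAA check, or must be fully revalidated, and contrasts a per-name check with a loop that re-checks the same name repeatedly, the shape of defect the article describes. The zone contents, CA identifier string and function names are this example’s own assumptions.

```python
from __future__ import annotations
import time

# Constructed CAA data for illustration (hypothetical zones, not real DNS answers):
# name -> list of (tag, value) records, as a CAA query would return them.
CAA_ZONE = {
    "example.com": [("issue", "letsencrypt.org")],
    "example.net": [("issue", "letsencrypt.org")],
    "shop.example.net": [("issue", "other-ca.example")],  # overrides the parent for this name
}

CA_IDENTIFIER = "letsencrypt.org"   # assumed CA identifier string
CAA_MAX_AGE = 8 * 3600               # a CAA result may be relied upon for at most eight hours
AUTHZ_MAX_AGE = 30 * 24 * 3600       # domain-control validation is reused for thirty days


def lookup_caa(name: str, zone: dict) -> list[tuple[str, str]] | None:
    """Return the CAA record set governing `name`: the name itself or its closest ancestor."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None  # no CAA anywhere up the tree


def caa_permits(name: str, ca: str, zone: dict) -> bool:
    """CAA semantics for a non-wildcard name: no record set means any CA may issue;
    otherwise `ca` must appear in an issue record (the value ';' alone forbids every CA)."""
    records = lookup_caa(name, zone)
    if records is None:
        return True
    issuers = [value.split(";")[0].strip() for tag, value in records if tag == "issue"]
    if not issuers:
        return True
    return ca in issuers


def authorization_state(validated_at: float, now: float) -> str:
    """Decide what a previously completed domain validation still covers at time `now`."""
    age = now - validated_at
    if age > AUTHZ_MAX_AGE:
        return "revalidate"      # domain control must be proven again
    if age > CAA_MAX_AGE:
        return "recheck-caa"     # authorization is reusable, but the cached CAA answer is stale
    return "reuse"


def caa_check_each_name(names: list[str], ca: str, zone: dict) -> bool:
    """Correct behaviour: every name on the certificate gets its own CAA check."""
    return all(caa_permits(name, ca, zone) for name in names)


def caa_check_repeated_name(names: list[str], ca: str, zone: dict) -> bool:
    """Models the described defect: one name is checked len(names) times, the others never."""
    first = names[0]
    return all(caa_permits(first, ca, zone) for _ in names)


if __name__ == "__main__":
    names = ["www.example.com", "shop.example.net"]
    now = time.time()
    print("state after 10 h:", authorization_state(now - 10 * 3600, now))
    print("per-name CAA check:", caa_check_each_name(names, CA_IDENTIFIER, CAA_ZONE))
    print("repeated-name CAA check:", caa_check_repeated_name(names, CA_IDENTIFIER, CAA_ZONE))
```

Run as a script, the per-name check refuses the two-name certificate because `shop.example.net` names a different CA, while the repeated-name variant approves it after checking `www.example.com` twice; that difference is exactly why a multi-domain certificate can slip through when the loop variable is wrong.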

Ghostcat

Apache Tomcat, the open source Java-based HTTP server, has had a vulnerability for something like 13 years. AJP, the Apache JServ Protocol, is a binary protocol designed for server-to-server communication. An example use case would be an Apache HTTP server running on the same host as Tomcat. Apache would serve static files, and use AJP to proxy dynamic requests to the Tomcat server.

Ghostcat, CVE-2020-1938, is essentially a default configuration issue. AJP was never designed to be exposed to untrusted clients, but the default Tomcat configuration enables the AJP connector and binds it to all interfaces. An attacker can craft an AJP request that allows them to read the raw contents of webapp files. This means database credentials, configuration files, and more. If the application is configured to allow file uploads, and that upload location is in the folder accessible to the attacker, the result is a full remote code execution exploit chain for any attacker.

The official recommendation is to disable AJP if you’re not using it, or bind it to localhost if you must use it. At this point, it’s negligence to leave ports exposed to the internet that aren’t being used.
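The recommendation above is a configuration change, so a practitioner mostly wants a way to confirm it actually landed. The following is an added example, not code from the Tomcat project: it parses `server.xml` fragments and flags any AJP connector that is not bound to loopback or has no shared secret. The two XML fragments are constructed for this example; `address`, `secret` and `secretRequired` are real `Connector` attributes (the latter two in the patched Tomcat releases), while the audit logic, the loopback set and the function names are this example’s own.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed server.xml fragments for illustration (not copied from any real deployment).
# The first mirrors the shape of the default AJP connector: no address, so it binds every interface.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Bound to loopback for a same-host reverse proxy, with a shared secret required.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"
               secretRequired="true" secret="PLACEHOLDER-REPLACE-WITH-RANDOM-SECRET" />
  </Service>
</Server>"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}  # assumed acceptable bind addresses


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per enabled AJP connector: its port and the problems found."""
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        issues = []
        # When `address` is absent the connector listens on all interfaces.
        address = connector.get("address")
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append(f"AJP listens on {address or 'all interfaces'}, not loopback")
        # A shared secret stops any other same-host client from speaking AJP to Tomcat.
        if connector.get("secretRequired", "").lower() == "false" or not connector.get("secret"):
            issues.append("no AJP secret configured")
        findings.append({"port": connector.get("port"), "issues": issues})
    return findings


def ajp_is_safe(server_xml: str) -> bool:
    """True when no AJP connector is enabled, or every enabled one passes the audit."""
    return all(not finding["issues"] for finding in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text), "safe:", ajp_is_safe(xml_text))
```

Against a live installation, feed `ET.parse("conf/server.xml").getroot()` instead of the inline strings; a connector that has been commented out disappears from the parse entirely, which is the "disable AJP if you’re not using it" case. Pairing the file audit with a listening-socket check on the host (for example `ss -ltn` filtered on port 8009) confirms that the running process matches the configuration on disk.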

Have I Been P0wned

You may remember our coverage of [Troy Hunt] over at haveibeenpwned.com. He had made the decision to sell HIBP, as a result of the strain of running the project solo for years. In a recent blog post, [Troy] reveals the one thing more exhausting than running HIBP: trying to sell it. After a potential buyer was chosen, and the deal was nearly sealed, the potential buyer went through a restructuring. At the end of the day, the purchase no longer made sense for either party, and they both walked away, leaving HIBP independent. It sounds like the process was stressful enough that HIBP will remain an independent entity for the foreseeable future.

You Were Warned

Remember the Microsoft Exchange vulnerability from last week? Attack tools have been written, and the internet-wide scans have begun.

Ridl Me This, Chrome

We’ve seen an abundance of speculative execution vulnerabilities over the last couple of years. While these problems are technically interesting, there has been a bit of a shortage of real-world attacks that leverage those vulnerabilities. Well, thanks to a post over at Google’s Project Zero, that dearth has come to an end. This attack is a sandbox escape, meaning it requires a vulnerability in the Chrome JS engine to be able to pull it off.

To understand how Ridl plays into this picture, we have to talk about how the Chrome sandbox works. Each renderer thread runs with essentially zero system privileges, and sends requests through Mojo, an inter-process communication system. Mojo uses 128-bit port names to both identify and secure those IPC endpoints.

Once an attacker has taken over the unprivileged sandbox process, the next step is to figure out the port name of an un-sandboxed Mojo port. The trick is to get that privileged process to access its Mojo port name repeatedly, and then capture an access using Ridl. Once the port is known, the attacker has essentially escaped the sandbox.

The whole read is interesting, and serves as a great example of the sorts of attacks enabled by speculative execution leaks.

3D Printering: Getting Started Is (Still) Harder Than It Needs To Be

Stop me if this sounds familiar. You are interested in 3D printing but lack a clear idea of what is involved. Every time you looked into it, it returned to the back burner because after spending your limited free time researching, it still looked like a part-time job just to get up to speed on the basics. If this is you, then you’re exactly the reason I say the following: despite 3D printing being more accessible than ever, getting started remains harder than it needs to be. It’s a shame, because there are smart, but busy, people just waiting for that to change.

A highly technical friend and colleague of mine had, off and on, been interested in 3D printing for some time. He had questions, but also didn’t have a very good understanding of the basics because it’s clumsy and time-consuming to research something when one doesn’t even know the right terms.

I told him to video call me. Using my phone I showed him the everyday process, from downloading a model to watching the first layer get put down by the printer. He had researched getting started before, but our call was honestly the first time he had ever seen a 3D printer’s actual workflow, showing hands-on what was involved from beginning to end. It took less than twenty minutes to give him a context into which he could fit everything else, and from where he felt comfortable seeking more information. I found out later, when I politely inquired whether he had found our talk useful, that he had ordered a Prusa MK3S printer later that same day.

It got me thinking. What from our call was important and useful, but not available elsewhere? And why not?

Continue reading “3D Printering: Getting Started Is (Still) Harder Than It Needs To Be”

Inputs Of Interest: My First Aggressively Ergonomic Keyboard

Ever since my RSI surgery, I’ve had to resort to using what I call my compromise keyboard — a wireless rubber dome affair with a gentle curvature to the keys. It’s far from perfect, but it has allowed me to continue to type when I thought I wouldn’t be able to anymore.

This keyboard has served me well, but it’s been nearly three years since the surgery, and I wanted to go back to a nice, clicky keyboard. So a few weeks ago, I dusted off my 1991 IBM Model M. Heck, I did more than that — I ordered a semi-weird hex socket (7/32″) so I could open it up and clean it properly.

And then I used it for half a day or so. It was glorious to hear the buckling springs singing again, but I couldn’t ignore the strain I felt in my pinkies and ring fingers after just a few hours. I knew I had to stop and retire it for good if I wanted to keep being able to type.

Continue reading “Inputs Of Interest: My First Aggressively Ergonomic Keyboard”

The Last Scientific Calculator?

There was a time when being an engineering student meant you had a sword. Well, really it was a slide rule hanging from your belt, but it sounds cooler to call it a sword. The slide rule sword gave way to calculators hanging from your belt loop, and for many engineers that calculator was from HP. Today’s students are more likely to have a TI or Casio calculator, but HP is still in there with the HP Prime. It is hard to call it a calculator since the latest variant has a 528 MHz ARM Cortex A7, 256 MB of RAM, and 512 MB of ROM. But if you can’t justify a $150 calculator, there are some cheap and even free options out there to get the experience. To start with, HP has a free app that runs on Windows or Mac that works just like the calculator. Of course, that’s free as in no charge, not free as in open source. But still, it will run under Wine with no more than the usual amount of coaxing.

You might wonder why you need a calculator on your computer, and perhaps you don’t. However, the HP Prime isn’t just your 1980s vintage calculator. It also has an amazing number of applications including a complete symbolic math system based on xCAS/Giac. It is also programmable using a special HP language that is sort of like Basic or Pascal. Other applications include plotting, statistics, solvers, and even a spreadsheet that can hold up to 10,000 rows and 676 columns.

Portability

It is easy to think that HP provides the free PC software so you’ll go out and buy the real calculator, and that may be part of it. However, you can also get official apps for Android and iOS. They aren’t free, but they are relatively inexpensive. On iOS the cost right now is $25 and on Android it is $20. There are also “lite” versions that are free.

Continue reading “The Last Scientific Calculator?”

On-Demand Manufacturing Hack Chat

Join us on Wednesday, March 4 at noon Pacific for the On-Demand Manufacturing Hack Chat with Dan Emery!

The classical recipe for starting a manufacturing enterprise is pretty straightforward: get an idea, attract investors, hire workers, buy machines, put it all in a factory, and profit. Things have been this way since the earliest days of the Industrial Revolution, and it’s a recipe that has largely given us the world we have today, for better and for worse.

One of the downsides of this model is the need for initial capital to buy the machines and build the factory. Not every idea will attract the kind of money needed to get off the ground, which means that a lot of good ideas never see the light of day. Luckily, though, we live in an age where manufacturing is no longer a monolithic process. You can literally design a product and have it tested, manufactured, and sold without ever taking one shipment of raw materials or buying a single machine other than the computer that makes this magic possible.

As co-founder of Ponoko, Dan Emery is in the thick of this manufacturing revolution. His company capitalizes on the need for laser cutting, whether it be for parts used in rapid prototyping or complete production runs of cut and engraved pieces. Their service is part of a wider ecosystem that covers almost every additive and subtractive manufacturing process, including 3D printing, CNC machining, PCB manufacturing, and even final assembly and testing, providing new entrepreneurs with access to tools and processes that would once have required buckets of cash to acquire and put under one roof.

Join us as we sit down with Derek and discuss the current state of on-demand manufacturing and what the future holds for it. We’ll talk about Ponoko’s specific place in this ecosystem, and what role outsourced laser cutting could play in getting your widget to market. We’ll also take a look at how Ponoko got started and how it got where it is today, as well as anything else that comes up.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, March 4 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Hackaday Links: March 1, 2020

Talk about buried treasure: archeologists in Germany have – literally – unearthed a pristine Soviet spy radio, buried for decades outside of Cologne. While searching for artifacts from a Roman empire settlement, the archeologists found a pit containing the Soviet R-394KM transceiver, built in 1987 and apparently buried shortly thereafter without ever being used. It was found close to a path in the woods and not far from several sites of interest to Cold War-era spies. Curiously, the controls on the radio are labeled not in Cyrillic characters, but in the Latin alphabet, suggesting the radio was to be used by a native German speaker. The area in which it was found is destined to be an open-cast lignite mine, which makes us think that other Cold War artifacts may have fallen victim to the gore-covered blades of Bagger 288.

Good news for Betelgeuse fans, bad news for aficionados of cataclysmic cosmic explosions: it looks like the red giant in Orion isn’t going to explode anytime soon. Betelgeuse has been dimming steadily and rapidly since October of 2019; as a variable star such behavior is expected, but the magnitude of its decline was seen by some astronomers as a sign that the star was reaching the point in its evolution where it would go supernova. Alas, Betelgeuse started to brighten again right on schedule, suggesting that the star is not quite ready to give up the ghost. We’d have loved to witness a star so bright it rivals the full moon, but given the times we live in, perhaps it’s best not to have such a harbinger of doom appear.

If you plan to be in the Seattle area as the winter turns to spring, you might want to check out the Vintage Computer Fair Pacific Northwest. We visited back during the show’s first year and had a good time, and the Living Computers: Museum + Labs, where the event is held, is not to be missed. The Museum of Flight is supposed to be excellent as well, and not far away.

Mozilla announced this week that Firefox would turn on DNS over HTTPS (DoH) by default in the United States. DoH encrypts the DNS requests that are needed to translate a domain name to an IP address, which normally travel in clear text and are therefore easily observed. Easily readable DNS transactions are also key to content blockers, which has raised the hackles of regulators and legislators over the plan, who are singing the usual “think of the children” song. That DoH would make user data collection and ad-tracking harder probably has nothing to do with their protests.

And finally, sad news from California as daredevil and amateur rocketeer “Mad” Mike Hughes has been killed in a crash of his homemade rocket. The steam-powered rocket was to be a follow-up to an earlier, mostly successful flight to about 1,900 feet (580 m), and supposed to reach about 5,000 feet (1.5 km) at apogee. But in an eerily similar repeat of the mishap that nearly killed Evel Knievel during his Snake River Canyon jump in 1974, Mike’s parachute deployed almost as soon as his rocket left the launch rails. The chute introduced considerable drag before being torn off the rocket by the exhaust plume. The rocket continued in a ballistic arc to a considerable altitude, but without a chute Mike’s fate was sealed. Search for the video at your own peril, as it’s pretty disturbing. We never appreciated Mike’s self-professed Flat Earth views, but we did like his style. We suppose, though, that such an ending was more likely than not.