This Week In Security: Exim, Apple Sign-in, Cursed Wallpaper, And Nuclear Secrets

So first off, remember the Unc0ver vulnerability/jailbreak from last week? In the 13.5.1 iOS release, the underlying flaw was fixed, closing the jailbreak. If you intend to jailbreak your iOS device, make sure not to install this update. That said, the normal warning applies: Be very careful about running out-of-date software.

Apple Sign In

A vulnerability in Apple’s web authentication protocol was fixed this past week. Sign In With Apple is similar to OAuth, and allows using an Apple account to sign in to other sites and services. Under the hood, a JSON Web Token (JWT) gets generated and passed around in order to confirm the user’s identity. In theory, this scheme even allows authentication without disclosing the user’s email address.

So what could go wrong? Apparently a simple request for a JWT carrying Apple’s signature (one that validates against Apple’s public key) would automatically be approved. Yeah, it was that bad. Any account linked to an Apple ID could be trivially compromised. It was fixed this past week, after being found and reported by [Bhavuk Jain].

3D Printering: Sticky Resin Prints And How To Fix Them

After going through all the trouble of printing a part in resin, discovering it feels sticky or tacky to the touch is pretty unwelcome. Giving the model some extra ultraviolet (UV) curing seems like it should fix the problem, but it probably does not. So, what can be done?

The best thing to do with a sticky print is to immediately re-wash it in clean isopropyl alcohol (IPA) before the UV present in ambient light cures stray resin. If the part remains sticky after it is dry, more aggressive steps can be taken.

We’ll get into those more extreme procedures shortly, but first let’s understand a bit more about how resin works, then look at how that applies to preventing and removing tacky surfaces on finished prints.

Hackaday Prize And UCPLA Are Driving Assistive Technology Forward

Take a second to imagine all the people in your life. Your family, friends, coworkers. Your buddies down at the hackerspace, and anyone you chat with on IO and over the airwaves. Statistically speaking, one in four of these people has a disability of some kind, and needs help doing everyday things that you might not think twice about — simple things like opening doors or interacting with computers. Or maybe that one in four is you.

For the past 75 years, United Cerebral Palsy of LA (UCPLA) have been helping people with various developmental and intellectual disabilities to live independently with dignity. They work directly with members of the disabled community to develop assistive technology that is both affordable and dependable. UCPLA helps the disabled community with everything from employment to providing a creative outlet, and gives them the tools to do these things and more. Their mission is to help people be as independent as possible so they can feel good about themselves and enjoy a life without limits.

The people behind this non-profit are all about inclusion, access, and opportunity, and this is why we are proud to partner with UCPLA for the 2020 Hackaday Prize. With the world in upheaval, there is no better time to build a better future for everyone. You never know when you might need assistive technology. In addition to the open challenge that calls for everyone to work on a design, this year there is also a Dream Team challenge which offers a $3,000 per month stipend over the next two months to work on a team addressing one specific challenge. Apply for that asap!

What kind of challenges has UCPLA outlined for the Hackaday Prize? Let’s dive in and find out, and we’ll also hear from the UCPLA team in a Q&A video at the end of the article.

Surviving The Pandemic As A Hacker: Peering Behind The Mask

We’re now several months into the global response to the COVID-19 pandemic, with most parts of the world falling somewhere on the lockdown/social distancing/opening up path.

It’s fair to say now that while the medical emergency has not passed, the level of knowledge about it has changed significantly. When communities were fighting to slow the initial spread, the focus was on solving the problem of medical protection gear and other equipment shortages at all costs, with some interesting yet possibly hazardous solutions. Now the focus has moved towards protecting the general public when they do need to venture out, and towards helping society get life moving again with safety measures in place.

So, we all need masks of some sort. What type do you need? Is one type better than another? And how do we all get them when everyone suddenly needs what was once a somewhat niche item?

Inputs Of Interest: ErgoDox Post-Mortem

In the last installment, I told you I was building an open-source, split, ortholinear keyboard called the ErgoDox. I’m doing this because although I totally love my Kinesis Advantage, it has made me want to crack my knuckles and explore the world of split keyboards. Apparently there are several of you who want to do the same, as evidenced by your interest in the I’m Building an ErgoDox! project on IO. Thank you!

Well boys and girls, the dust has settled, the soldering iron has cooled, and the keycaps are in place. The ErgoDox is built and working. Now that it’s all said and done, let me tell you how it went. Spoiler alert: not great. But I got through it, and it keyboards just like it’s supposed to. I’m gonna lay this journey out as it happened, step by step, so you can live vicariously through my experience.

Linux Fu: Raspberry Pi Desktop Headless

It seems to me there are two camps when it comes to the Raspberry Pi. Some people use them as little PCs or even laptops with a keyboard and screen connected. But many of us use them as cheap Linux servers. I’m in the latter camp. I have probably had an HDMI plug in a Pi only two or three times if you don’t count my media streaming boxes. You can even set them up headless as long as you have an Ethernet cable or are willing to edit the SD card before you boot the machine for the first time.

However, with the Raspberry Pi 4, I wanted to get to a desktop without fishing up a spare monitor. I’ll show you two ways to get a full graphical KDE desktop running with nothing more than a network connection.

The same principle applies to most other desktop environments, but I am using KDE and Ubuntu on the Pi, even though something lighter would probably perform better. But before we get there, let’s talk about how X11 has had a big identity crisis over the years.

The Plan

There are many ways to remotely access X programs, many of which are rarely used today. However, for this purpose, we are going to use SSH tunneling along with some special tricks to get the entire desktop running. It is easy to just run a single X program over SSH, and you’ve probably done that often. If so, you can skip to the next section.

Physical Security Hack Chat With Deviant Ollam

Join us on Wednesday, June 3 at noon Pacific for the Physical Security Hack Chat with Deviant Ollam!

You can throw as many resources as possible into securing your systems — patch every vulnerability religiously, train all your users, monitor their traffic, eliminate every conceivable side-channel attack, or even totally air-gap your system — but it all amounts to exactly zero if somebody leaves a door propped open. Or if you’ve put a $5 padlock on a critical gate. Or if your RFID access control system is easily hacked. Ignore details like that and you’re just inviting trouble in.

Once the black-hats are on the inside, their job becomes orders of magnitude easier. Nothing beats hands-on access to a system when it comes to compromising it, and even if the attacker isn’t directly interfacing with your system, having him or her on the inside makes social engineering attacks that much simpler. System security starts with physical security, and physical security starts with understanding how to keep the doors locked.

To help us dig into that, Deviant Ollam will stop by the Hack Chat. Deviant works as a physical security consultant, and he’s a fixture on the security con circuit and a denizen of many lockpicking villages. He’s well-versed in what it takes to keep hardware safe from unauthorized visits or to keep it from disappearing entirely. From CCTV systems to elevator hacks to just about every possible way to defeat a locked door, Deviant has quite a bag of physical security tricks, and he’ll share his insights on keeping stuff safe in a dangerous world.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, June 3 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.