Can Solid Save The Internet?

We ran an article on Solid this week, a project that aims to do nothing less than change the privacy and security aspects of the Internet as we use it today. Sir Tim Berners-Lee, the guy who invented the World Wide Web as a side project at work, is behind it, and it’s got a lot to recommend it. I certainly hope they succeed.

The basic idea is that instead of handing your photos, your content, and your thoughts over to social media and other sharing platforms, you’d store your own personal data in a Personal Online Data (POD) container, and grant revocable access to these companies to access your data on your behalf. It’s like it’s your own website contents, but with an API for sharing parts of it elsewhere.

This is a clever legal hack, because today you give over rights to your data so that Facebook and Co. can display them in your name. This gives them all the bargaining power, and locks you into their service. If instead, you simply gave Facebook a revocable access token, the power dynamic shifts. Today you can migrate your data and delete your Facebook account, but that’s a major hassle that few undertake.

Mike and I were discussing this on this week’s podcast, and we were thinking about the privacy aspects of PODs. In particular, whatever firm you use to socially share your stuff will still be able to snoop you out, map your behavior, and target you with ads and other content, because they see it while it’s in transit. But I failed to put two and two together.

The real power of a common API for sharing your content/data is that it will make it that much easier to switch from one sharing platform to another. This means that you could easily migrate to a system that respects your privacy. If we’re lucky, we’ll see competition in this space. At the same time, storing and hosting the data would be portable as well, hopefully promoting the best practices in the providers. Real competition in where your data lives and how it’s served may well save the Internet. (Or at least we can dream.)

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.


Hackaday Podcast 061: Runaway Soldering Irons, Open Source Ventilators, 3D Printed Solder Stencils, And Radar Motion

Hackaday editors Mike Szczys and Elliot Williams sort through the hardware hacking gems of the week. There was a kerfuffle about whether a ventilator data dump from Medtronics was open source or not, and cool hacks from machine-learning soldering iron controllers to 3D-printing your own solder paste stencils. A motion light teardown shows it’s not being done with passive-infrared, we ask what’s the deal with Tim Berners-Lee’s decentralized internet, and we geek out about keyboards that aren’t QWERTY.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

This Week In Security: OpenWrt, ZOOM, And Systemd

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, make for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: a list of packages, which contains a SHA256 hash of each package, and then a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages.

It’s a valid approach, but there was a bug, discovered by [Guido Vranken], in how opkg reads the hash values from the package list. The space preceding each hash value triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank. Rather than fail the install, the hash verification is simply skipped. The result? Opkg is vulnerable to a rather simple man-in-the-middle attack.

OpenWrt doesn’t do any automatic installs or automatic updates, so this vulnerability will likely not be widely abused, but it could be used for a targeted attack. An attacker would need to be in a position to MitM the router’s internet connection while software was being installed. Regardless, make sure you’re running the latest OpenWrt release to mitigate this issue. Via Ars Technica.
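To make the failure mode concrete, here is an added example (not opkg’s C code and not from the Hackaday article) that models the package-list parsing in Python. The package index, the package name and the package bytes are all constructed for illustration; the real opkg format and code paths are only approximated. The vulnerable parser reads the digest as an empty string because of the leading space and then treats “no hash” as “nothing to check”, while the hardened version fails closed on anything that is not a well-formed 64-character hex digest.

```python
import hashlib
import hmac
import re

# Constructed sample index in the style of an opkg package list (not a real
# OpenWrt file). Note the space between "SHA256sum:" and the hex digest.
PACKAGE_BYTES = b"constructed .ipk contents"
GOOD_DIGEST = hashlib.sha256(PACKAGE_BYTES).hexdigest()
PACKAGE_LIST = (
    "Package: example-pkg\n"
    "Version: 1.0-1\n"
    "Filename: example-pkg_1.0-1_all.ipk\n"
    f"SHA256sum: {GOOD_DIGEST}\n"
)
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def _stanza(index: str, package: str) -> list[str]:
    """Return the lines of the stanza describing `package` (assumed layout)."""
    for block in index.strip().split("\n\n"):
        lines = block.splitlines()
        if lines and lines[0] == f"Package: {package}":
            return lines
    raise KeyError(package)


def expected_hash_vulnerable(index: str, package: str) -> str:
    """Simplified model of the defect: the value is assumed to start right
    after the colon and to end at the first whitespace. With the usual
    leading space the end is found at offset 0, so the digest reads as ""."""
    for line in _stanza(index, package):
        if line.startswith("SHA256sum:"):
            raw = line[len("SHA256sum:"):]
            end = 0
            while end < len(raw) and not raw[end].isspace():
                end += 1
            return raw[:end]
    return ""


def verify_vulnerable(index: str, package: str, data: bytes) -> bool:
    """Treats a blank expected hash as 'nothing to check' and skips the test,
    which is what lets a swapped package go unnoticed."""
    expected = expected_hash_vulnerable(index, package)
    if not expected:
        return True  # hash check silently skipped
    return hashlib.sha256(data).hexdigest() == expected


def expected_hash_hardened(index: str, package: str) -> str:
    """Strip surrounding whitespace and refuse anything that is not exactly
    64 hex characters, so a blank or mangled entry is an error, not a pass."""
    for line in _stanza(index, package):
        if line.startswith("SHA256sum:"):
            value = line[len("SHA256sum:"):].strip().lower()
            if not HEX_SHA256.fullmatch(value):
                raise ValueError(f"malformed SHA256sum for {package}: {value!r}")
            return value
    raise ValueError(f"no SHA256sum for {package}")


def verify_hardened(index: str, package: str, data: bytes) -> bool:
    """Fail closed: a missing or malformed hash raises, a mismatch is False."""
    expected = expected_hash_hardened(index, package)
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    tampered = b"substituted package contents"
    print("vulnerable parser sees digest:",
          repr(expected_hash_vulnerable(PACKAGE_LIST, "example-pkg")))
    print("vulnerable accepts tampered package:",
          verify_vulnerable(PACKAGE_LIST, "example-pkg", tampered))
    print("hardened accepts tampered package:",
          verify_hardened(PACKAGE_LIST, "example-pkg", tampered))
```

The design point is that a verifier must distinguish “no hash available” from “hash matches”: the hardened parser raises on a missing or malformed digest rather than returning an empty value that a later comparison might quietly accept.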

Wireguard V1.0

With Linux kernel version 5.6 finally released, Wireguard has been christened as a stable release. An interesting aside: Google has enabled Wireguard in their Generic Kernel Image (GKI), which may signal more official support for Wireguard VPNs in Android. I’ve also heard reports that one of the larger Android ROM development communities is looking into better system-level Wireguard support as well.

Javascript in Disguise

Javascript makes the web work — and has been a constant thorn in the side of good security. For just one example, remember Samy, the worm that took over Myspace in ’05. That cross-site scripting (XSS) attack used a series of techniques to embed Javascript code in a user’s profile. Whenever that profile page was viewed, the embedded JS code would run, and then replicate itself on the page of whoever had the misfortune of falling into the trap.

Today we have much better protections against XSS attacks, and something like that could never happen again, right? Here’s the thing, for every mitigation like Content-Security-Policy, there is a guy like [theMiddle] who’s coming up with new ways to break it. In this case, he realized that a less-than-perfect CSP could be defeated by encoding Javascript inside a .png, and decoding it to deliver the payload.

Systemd

Ah, systemd. Nothing seems to bring passionate opinions out of the woodwork like a story about it. In this case, it’s a vulnerability found by [Tavis Ormandy] from Google Project Zero. The bug is a race condition, where a cached data structure can be used after it’s already been freed. It’s interesting, because this vulnerability is accessible using DBus, and could potentially be used to get root level access. It was fixed with systemd v220.

Mac Firmware

For those of you running MacOS on Apple hardware, you might want to check your firmware version. Not because there’s a particularly nasty vulnerability in there, but because firmware updates fail silently during OS updates. What’s worse, Apple isn’t publishing release notes, or even acknowledging the most recent firmware version. A crowd-sourced list of the latest firmware versions is available, and you can try to convince your machine to try again, and hope the firmware update works this time.

Anti-Rubber-Ducky

Google recently announced a new security tool, USB Keystroke Injection Protection. I assume the nickname, UKIP, isn’t an intentional reference to British politics. Regardless, this project is intended to help protect against the infamous USB Rubber Ducky attack, by trying to differentiate a real user’s typing cadence, as opposed to a malicious device that types implausibly quickly.

While the project is interesting, there are already examples of how to defeat it that amount to simply running the scripts with slight pauses between keystrokes. Time will tell if UKIP turns into a useful mitigation tool. (Get it?)
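As an added illustration of the kind of heuristic described above (this is not Google’s UKIP code and makes no claim about its actual algorithm or thresholds), here is a Python keystroke-cadence check. It slides a window over the inter-keystroke intervals and flags a stream whose median interval within any window falls below an assumed plausibility threshold. All three timestamp sequences are constructed, not captured; the third one models the limitation noted above, where evenly paced input passes the check, so the function also reports the median gap so an analyst can see how close to the threshold a stream came.

```python
from statistics import median

# Constructed key-press timestamps in seconds (not captured from real devices).
HUMAN_TYPING = [0.000, 0.180, 0.410, 0.560, 0.790, 1.020, 1.150, 1.400, 1.610, 1.830]
BURST_INJECTION = [0.000, 0.004, 0.008, 0.012, 0.016, 0.020, 0.024, 0.028, 0.032, 0.036]
PACED_INJECTION = [0.000, 0.080, 0.160, 0.240, 0.320, 0.400, 0.480, 0.560, 0.640, 0.720]

WINDOW = 5                        # keystroke gaps examined at a time (assumed)
MIN_PLAUSIBLE_INTERVAL = 0.050    # seconds; assumed threshold, not UKIP's


def intervals(timestamps: list[float]) -> list[float]:
    """Gaps between consecutive key presses, in seconds."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def is_implausible_cadence(timestamps: list[float],
                           window: int = WINDOW,
                           threshold: float = MIN_PLAUSIBLE_INTERVAL) -> bool:
    """True if any run of `window` gaps has a median below `threshold`.
    Using the median keeps one long pause inside a burst from masking it."""
    gaps = intervals(timestamps)
    if len(gaps) < window:
        return False  # too little evidence to judge; allow by default
    return any(median(gaps[i:i + window]) < threshold
               for i in range(len(gaps) - window + 1))


def assess(timestamps: list[float]) -> dict:
    """Verdict plus the overall median gap, for an analyst reviewing the stream."""
    gaps = intervals(timestamps)
    return {
        "verdict": "block" if is_implausible_cadence(timestamps) else "allow",
        "median_gap_s": round(median(gaps), 3) if gaps else None,
        "keystrokes": len(timestamps),
    }


if __name__ == "__main__":
    for name, stream in [("human", HUMAN_TYPING),
                         ("burst injection", BURST_INJECTION),
                         ("paced injection", PACED_INJECTION)]:
        print(f"{name:16s} {assess(stream)}")
```

The paced stream is allowed even though it is not human, which is exactly why cadence alone is a weak signal; in practice such a check is one input alongside device allow-listing and user confirmation for newly attached keyboards.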

SMBGhost

Remember SMBGhost, the new wormable SMB flaw? Well, there is already a detailed explanation and PoC. This particular PoC is a local-only privilege escalation, but a remote code execution attack is likely inevitable, so go make sure you’re patched!

Stay Smarter Than Your Smart Speaker

Smart speakers have always posed a risk to privacy and security — that’s just the price we pay for getting instant answers to life’s urgent and not-so-urgent questions the moment they arise. But it seems that many owners of the 76 million or so smart speakers on the active install list have yet to wake up to the reality that this particular trick of technology requires a microphone that’s always listening. Always. Listening.

With so much of the world’s workforce now working from home due to the global SARS-CoV-2 pandemic, smart speakers have suddenly become a big risk for business, too — especially those where confidential conversations are as common and crucial as coffee.

Imagine the legions of lawyers out there, suddenly thrust from behind their solid-wood doors and forced to set up ramshackle sub rosa sanctuaries in their homes to discuss private matters with their equally out-of-sorts clients. How many of them don’t realize that their smart speaker bristles with invisible thorns, and is even vulnerable to threats outside the house? Given the recent study showing that smart speakers can and do activate accidentally up to 19 times per day, the prevalence of the consumer-constructed surveillance state looms like a huge crisis of confidentiality.

So what are the best practices of confidential work in earshot of these audio-triggered gadgets?

Fail Of The Week: How Not To Die Of Boredom During Isolation

They say you can’t actually die from boredom, but put a billion or so people into self-isolation, and someone is bound to say, “Hold my beer and watch this.” [Daniel Reardon]’s brush with failure, in the form of getting magnets stuck up his nose while trying to invent a facial touch reminder, probably wasn’t directly life-threatening, but it does underscore the need to be especially careful these days.

The story begins with good intentions and a small stack of neodymium magnets. [Daniel]’s idea for a sensor to warn one of impending face touches was solid: a necklace with magnetic sensors and wristbands studded with magnets. Sounds reasonable enough; one can easily see a compact system that sounds an alarm when a hand subconsciously crosses into the Danger Zone while going in for a scratch. Lacking any experience in circuits, though, [Daniel] was unable to get the thing working, so he started playing with the magnets instead. One thing led to another, and magnets were soon adorning his earlobes, and then his nostrils. Unfortunately, two magnets became locked on either side of his septum, as did two others meant to neutralize the pull of the first pair. So off [Daniel] went to the emergency department for a magnetectomy.

Of course it’s easy to laugh at someone’s misfortune, especially when self-inflicted. And the now-degaussed [Daniel] seems to be a good sport about the whole thing. But the important thing here is that we all do dumb things, and hackers need to be especially careful these days. We often work with sharp, pointy, sparky, toxic, or flammable things, and if we don’t keep our wits about us, we could easily end up in an ER somewhere. Not only does that risk unnecessary exposure to COVID-19, but it also takes medical resources away from people who need it more than you do.

By all means, we should be hacking away these idle hours. Even if it’s not in support of COVID-19 solutions, continuing to do what we do is key to our mental health and well-being. But we also need to be careful, to not stretch dangerously beyond our abilities, and to remember that the safety net that’s normally there to catch us is full of holes now.

Thanks to [gir.st] for the tip — you actually were the only one to send this in.

SOLID Promises A New Approach To How The Web Works

As it stands on the modern Internet, your data is no longer your own. Your emails, photos, and posts all live on servers owned by large corporations. Their policies give them access to your data, which is mined to generate advertising revenue. And if you want your data back, there are innumerable hoops to jump through. Want it deleted entirely? Good luck.

Tim Berners-Lee, original creator of the World Wide Web, is behind the project.

Sir Tim Berners-Lee, as the original creator of what became the Web, has taken issue with the current state of play. To move the ball on the issue, he’s been working on a design for a decentralized internet, and the effort has led to the establishment of the Solid project. The goal is to rectify online privacy and ownership issues and give users greater control over their personal data.

The big question is how do you do that? When SOLID was announced last year there were few if any details on the approach taken by the program. But since then, more details have surfaced and you can even take an early version of the program for a spin. Let’s take a look.

Laser Artistry Hack Chat

Join us on Wednesday, April 1 at noon Pacific for the Laser Artistry Hack Chat with Seb Lee-Delisle!

It’s hard to forget the first time you see a laser light show. A staple at concerts starting in the 1980s, seeing a green laser lance out over the heads of tens of thousands of screaming fans to trace out an animated figure or pulsating geometric shapes was pure fascination, and wondering how it was all done was half the fun. As we all know now, it was all done with mirrors, tiny and connected to low-inertia galvanometers capable of the twitchiest of movements, yet precise enough to position the beam of light exactly where it needed to be to create the desired illusion. It was engineering, science, and art all wrapped up into one package.

Fast forward to the present day, and laser show technology has certainly advanced. Bulky laser tubes have been replaced by solid-state devices, more colors are available, and galvo designs have improved. The art and artistry of the laserist have grown with the tech, which is where our guest Seb Lee-Delisle comes into his own. We’ve featured some of Seb’s work before, like an Asteroids laser vector display and enormous public laser displays. And now he’ll stop by to talk about how the art and the tech combine in his hands to produce something much greater than the sum of its parts.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, April 1 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.