Hackaday Podcast 033: Decompressing From Camp, Nuclear Stirling Engines, Carphone Or Phonecar, And ArduMower

Hackaday Editors Mike Szczys and Elliot Williams are back from Chaos Communication Camp, and obviously had way too much fun. We cover all there was to see and do, and dig into the best hacks from the past week. NASA has a cute little nuclear reactor they want to send to the moon, you’ve never seen a car phone quite like this little robot, and Ardupilot (Ardurover?) is going to be the lawn mowing solution of the future. Plus you need to get serious about debugging embedded projects, and brush up on your knowledge of the data being used to train facial recognition neural networks.

Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!


Direct download (60 MB or so.)

Continue reading “Hackaday Podcast 033: Decompressing From Camp, Nuclear Stirling Engines, Carphone Or Phonecar, And ArduMower”

This Week In Security: VPN Gateways, Attacks In The Wild, VLC, And An IP Address Caper

We’ll start with more Black Hat/DEFCON news. [Meh Chang] and [Orange Tsai] from Devcore took a look at Fortinet and Pulse Secure devices, and found multiple vulnerabilities. (PDF Slides) They are publishing summaries for that research, and the summary of the Fortinet research is now available.

It’s… not great. There are multiple pre-authentication vulnerabilities, as well as what appears to be an intentional backdoor.

CVE-2018-13379 abuses an snprintf call made when requesting a different language for the device login page. Snprintf is an alternative to sprintf, but intended to prevent buffer overflows by including the maximum string length to write to the target buffer, which sounds like a good idea but can lead to malicious truncation.

The code in question looks like snprintf(s, 0x40, "/migadmin/lang/%s.json", lang);.
When loading the login page, a request is made for a language file, and the file is sent to the user. At first look, it seems that this would indeed limit the file returned to a .json file from the specified folder. Unfortunately, there is no further input validation on the request, so a language of ../../arbitrary is considered perfectly legitimate, escaping the intended folder. On its own this would leak arbitrary .json files, but since snprintf doesn’t fail when the output exceeds the specified length (it silently truncates), sending a request for a lang that’s long enough results in the “.json” extension not being appended to the path either.

A Metasploit module has been written to test for this vulnerability, and it requests a lang of /../../../..//////////dev/cmdb/sslvpn_websession. That’s just long enough to force the .json extension to fall off the end of the string, and Unix convention is to ignore the extra slashes in a path. Just like that, the Fortigate is serving up any file on its filesystem just for asking nicely.
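To make the truncation behaviour concrete, here is an added C example (not Fortinet’s code, and not the actual patch) that builds the language path the way the article describes, next to a hardened version that allow-lists the lang characters and treats a truncated snprintf result as an error. The 0x40 buffer size and the "/migadmin/lang/%s.json" format come from the article; the 48-character lang value is constructed here.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PATH_BUF 0x40  /* 64-byte buffer, the size quoted in the article */

/* Vulnerable pattern as described in the article: snprintf bounds the write,
 * but on overflow it silently truncates, so a long lang pushes ".json" off
 * the end, and nothing rejects "../". The snprintf result is never checked. */
int build_lang_path_vuln(char *out, size_t outlen, const char *lang) {
    snprintf(out, outlen, "/migadmin/lang/%s.json", lang);
    return 1;
}

/* Hardened version (an assumed fix, not the vendor's): allow-list the
 * characters a language tag may contain, and treat an snprintf result
 * >= outlen as truncation. Returns 1 on success, 0 when the lang is rejected. */
int build_lang_path_safe(char *out, size_t outlen, const char *lang) {
    size_t len = strlen(lang);
    if (len == 0 || len > 16) return 0;            /* "en", "zh-TW", ... fit easily */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)lang[i];
        if (!isalnum(c) && c != '-' && c != '_') return 0;  /* rejects '.' and '/' */
    }
    int n = snprintf(out, outlen, "/migadmin/lang/%s.json", lang);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return 0; }  /* truncated */
    return 1;
}

/* 1 if the built path still carries the intended ".json" suffix, else 0 */
int has_json_suffix(const char *path) {
    size_t n = strlen(path);
    return n >= 5 && strcmp(path + n - 5, ".json") == 0;
}

int main(void) {
    char buf[PATH_BUF];
    char longlang[49];                 /* constructed: 48 'x' characters */
    memset(longlang, 'x', 48); longlang[48] = '\0';

    build_lang_path_vuln(buf, sizeof buf, longlang);
    printf("vuln, long lang: suffix kept? %d (%s)\n", has_json_suffix(buf), buf);
    build_lang_path_vuln(buf, sizeof buf, "../../arbitrary");
    printf("vuln, traversal: %s\n", buf);
    printf("safe, long lang accepted? %d\n", build_lang_path_safe(buf, sizeof buf, longlang));
    printf("safe, traversal accepted? %d\n", build_lang_path_safe(buf, sizeof buf, "../../arbitrary"));
    printf("safe, \"en\" accepted? %d -> %s\n", build_lang_path_safe(buf, sizeof buf, "en"), buf);
    return 0;
}
```

The prefix "/migadmin/lang/" is 15 bytes, so a 48-byte lang fills the 63 usable bytes exactly and the suffix is lost in the vulnerable version, while the safe version refuses both the long value and the traversal value.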

More worrying than the snprintf bug is the magic value that appears to be an intentional backdoor. A simple 14 character string sent as an http query string bypasses authentication and allows changing any user’s password — without any authentication. This story is still young, it’s possible this was intended to have a benign purpose. If it’s an honest mistake, it’s a sign of incompetence. If it’s an intentional backdoor, it’s time to retire any and all Fortinet equipment you have.

Pulse Secure VPNs have a similar pre-auth arbitrary file read vulnerability. Once the full report is released, we’ll cover that as well.

Exploitation in the Wild

But wait, there’s more. Hide your kids, hide your wife. Webmin, Pulse Secure, and Fortigate are already being exploited actively in the wild, according to ZDNet. Based on reports from Bad Packets, the Webmin backdoor was being targeted in scans within a day of announcement, and exploited within three days of the announcement. There is already a botnet spreading via this backdoor. It’s estimated that there are around 29,000 vulnerable Internet-facing servers.

Both Pulse Secure and Fortinet’s Fortigate VPN appliances are also being actively targeted. Even though the vulnerabilities were reported first to the vendors, and patched well in advance of the public disclosure, thousands of vulnerable devices remain. Apparently routers and other network appliance hardware are fire-and-forget solutions, and often go without important security updates.

VLC is Actually Vulnerable This Time

The VLC media player has released a new update, fixing 11 CVEs. These CVEs are all cases of mishandling malformed media files, and are only exploitable by opening a malicious file with VLC. Be sure to go update VLC if you have it installed. Even though no arbitrary code execution has been demonstrated for any of these issues, it’s likely that it will eventually happen.

Gray Market IP Addresses

With the exhaustion of IPv4 addresses, many have begun using alternative methods to acquire address space, including the criminal element. Krebs on Security details his investigation into one such story: Residential Networking Solutions LLC (Resnet). It all started with an uptick in fraudulent transactions originating from Resnet residential IP addresses. Was this a real company, actually providing internet connectivity, or a criminal enterprise?

Following Pigs: Building An Injectable Livestock Tracking System

I’m often asked to design customer and employee tracking systems. There are quite a few ways to do it, and it’s an interesting intersection of engineering and ethics – what information is reasonable to collect in different contexts, anonymizing and securely storing it, and at a fundamental level whether the entire system should exist at all.

On one end of the spectrum, a system that simply counts the number of people that are in your restaurant at different times of day is pretty innocuous and allows you to offer better service. On the other end, when you don’t pay for a mobile app, generally that means your private data is the product being bought and sold. Personally, I find that the whole ‘move fast and break things’ attitude, along with a general disregard for the privacy of user data, has created a pretty toxic tech scene. So until a short while ago, I refused to build invasive tracking systems – then I got a request that I simply couldn’t put aside…

Continue reading “Following Pigs: Building An Injectable Livestock Tracking System”

The Amazon Dash Button: A Retrospective

The Internet of Things will revolutionize everything! Manufacturing? Dog walking? Coffee bean refilling? Car driving? Food eating? Put a sensor in it! The marketing makes it pretty clear that there’s no part of our lives which isn’t enhanced with The Internet of Things. Why? Because with a simple sensor and a symphony of corporate hand waving about machine learning an iPhone-style revolution is just around the corner! Enter: Amazon Dash, circa 2014.

The first product in the Dash family was actually a barcode scanning wand which was freely given to Amazon Fresh customers and designed to hang in the kitchen or magnet to the fridge. When the Fresh customer ran out of milk they could scan the carton as it was being thrown away to add it to their cart for reorder. I suspect these devices were fairly expensive, and somewhat too complex to be as frequently used as Amazon wanted (thus the extremely limited launch). Amazon’s goal here was to allow potential customers to order with an absolute minimum of friction so they can buy as much as possible. Remember the “Buy now with 1-Click” button?

That original Dash Wand was eventually upgraded to include a push button activated Alexa (barcode scanner and fridge magnet intact) and is generally available. But Amazon had pinned its hopes on a new beau. Mid 2015 Amazon introduced the Dash Replenishment Service along with a product to be its exemplar – the Dash Button. The Dash Button was to be the 1-Click button of the physical world. The barcode-scanning Wands require the user to remember the Wand was nearby, find a barcode, scan it, then remember to go to their cart and order the product. Too many steps, too many places to get off Mr. Bezos’ Wild Ride of Commerce. The Dash Buttons were simple! Press the button, get the labeled product shipped to a preconfigured address. Each button was purchased (for $5, with a $5 coupon) with a particular brand affinity, then configured online to purchase a specific product when pressed. In the marketing materials, happy families put them on washing machines to buy Tide, or in a kitchen cabinet to buy paper towels. Pretty clever, it really is a Buy now with 1-Click button for the physical world.

There were two versions of the Dash button. Both have the same user interface and work in fundamentally the same way. They have a single button (the software can recognize a few click patterns), a single RGB LED (‘natch), and a microphone (no, it didn’t listen to you, but we’ll come back to this). They also had a WiFi radio. Version two (silently released in 2016) added Bluetooth and completely changed the electrical innards, though to no user facing effect.

In February 2019, Amazon stopped selling the Dash Buttons. Continue reading “The Amazon Dash Button: A Retrospective”

Linux Fu: It’s A Trap!

It is easy to think that a Linux shell like Bash is just a way to enter commands at a terminal. But, in fact, it is also a powerful programming language as we’ve seen from projects ranging from web servers to simple utilities to make dangerous commands safer. Like most programming languages, though, there are multiple layers of complexity. You can spend a little time and get by or you can invest more time and learn about the language and, hopefully, write more robust programs.

Continue reading “Linux Fu: It’s A Trap!”

Parallax Update Hack Chat

Join us on Wednesday, August 28th at noon Pacific for the Parallax Update Hack Chat with Chip and Ken Gracey!

For a lot of us, our first exposure to the world of microcontrollers was through the offerings of Parallax, Inc. Perhaps you were interested in doing something small and light, and hoping to leverage your programming skills from an IBM-PC or an Apple ][, you chanced upon the magic of the BASIC Stamp. Or maybe you had a teacher who built a robotics class around a Boe-Bot, or you joined a FIRST Robotics team that used some Parallax sensors.

Whatever your relationship with Parallax products is, there’s no doubting that they were at the forefront of the hobbyist microcontroller revolution. Nor can you doubt that Parallax is about a lot more than BASIC Stamps these days. Its popular multicore Propeller chip has been gaining a passionate following since its 2006 introduction and has found its way into tons of projects, many of which we’ve featured on Hackaday. And now, its long-awaited successor, the Propeller 2, is almost ready to hit the market.

The Gracey brothers have been the men behind Parallax from the beginning, with Chip designing all the products and Ken running the business. They’ll be joining us on the Hack Chat to catch us up on everything new at Parallax, and to give us the lowdown on the P2. Be sure to stop by with your Parallax questions, or just to say hi.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, August 28 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Hackaday Links: August 25, 2019

Doesn’t the Z-axis on 3D-printers seem a little – underused? I mean, all it does is creep up a fraction of a millimeter as the printer works through each slice. It would be nice if it could work with the other two axes and actually do something interesting. Which is exactly what’s happening in the nonplanar 3D-printing methods being explored at the University of Hamburg. Printing proceeds normally up until the end, when some modifications to Slic3r allow smooth toolpaths to fill in the stairsteps and produce a smooth(er) finish. It obviously won’t work for all prints or printers, but it’s nice to see the Z-axis finally pulling its weight.

If you want to know how something breaks, best to talk to someone who looks inside broken stuff for a living. [Roger Cicala] from LensRentals.com spends a lot of time doing just that, and he has come to some interesting conclusions about how electronics gear breaks. For his money, the prime culprit in camera and lens breakdowns is side-mounted buttons and jacks. The reason why is obvious once you think about it: components mounted perpendicular to the force needed to operate them are subject to a torque. That’s a problem when the only thing holding the component to the board is a few SMD solder pads. He covers some other interesting failure modes, too, and the whole article is worth a read to learn how not to design a robust product.

In the seemingly neverending quest to build the world’s worst Bitcoin mining rig, behold the 8BitCoin. It uses the 6502 processor in an Apple ][ to perform the necessary hashes, and it took a bit of doing to port the 32-bit SHA256 routines to an 8-bit platform. But therein lies the hack. But what about performance? Something something heat death of the universe…

Contributing Editor [Tom Nardi] dropped a tip about a new online magazine for people like us. Dubbed Paged Out!, the online quarterly ‘zine is a collection of contributed stories from hackers, programmers, retrocomputing buffs, and pretty much anyone with something to say. Each article is one page and is formatted however the author wants to, which leads to some interesting layouts. You can check out the current issue here; they’re still looking for a bunch of articles for the next issue, so maybe consider writing up something for them – after you put it on Hackaday.io, of course.

Tipline stalwart [Qes] let us know about an interesting development in semiconductor manufacturing. Rather than concentrating on making transistors smaller, a team at Tufts University is making transistors from threads. Not threads of silicon, or quantum threads, or threads as a metaphor for something small and high-tech. Actual threads, like for sewing. Of course, there’s plenty more involved, like carbon nanotubes — hey, it was either that or graphene, right? — gold wires, and something called an ionogel that holds the whole thing together in a blob of electrolyte. The idea is to remove all rigid components and make truly flexible circuits. The possibilities for wearable sensors could be endless.

And finally, here’s a neat design for an ergonomic utility knife. It’s from our friend [Eric Strebel], an industrial designer who has been teaching us all a lot about his field through his YouTube channel. This knife is a minimalist affair, designed for those times when you need more than an X-Acto but a full utility knife is prohibitively bulky. [Eric’s] design is a simple 3D-printed clamshell that holds a standard utility knife blade firmly while providing good grip thanks to thoughtfully positioned finger depressions. We always get a kick out of watching [Eric] design little widgets like these; there’s a lot to learn from watching his design process.

Thanks to [JRD] and [mgsouth] for tips.