This Week In Security: Selfblow, Encryption Backdoors, Killer Apps, And The VLC Apocalypse That Wasn’t

Selfblow (Don’t google that at work, by the way) is a clever exploit by [Balázs Triszka] that affects every Nvidia Tegra device using the nvtboot bootloader — just about all of them except the Nintendo Switch. It’s CVE-2019-5680, and rated at an 8.2 according to Nvidia, but that high severity score isn’t entirely reflective of the reality of the situation. Taking advantage of the vulnerability means writing to the boot device, which requires root access, as well as a kernel flag set to expose the boot partitions to userspace. This vulnerability was discovered as part of an effort by [Balázs] and other LineageOS developers to build an open source bootloader for Nvidia Tegra devices.

The Tegra boot process is a bit different, having several stages and a dedicated Boot and Power Management CPU (BPMP). A zero-stage ROM loads nvtboot to memory and starts it executing on the BPMP. One of the tasks of nvtboot is to verify the signature of the next bootloader step, nvtboot-cpu. The file size and memory location are embedded in the nvtboot-cpu header. There are two problems here that together make this vulnerability possible. The first is that the bootloader binary is loaded to its final memory location before the signature verification is performed. The code is written to validate the bootloader signature before starting it executing on the primary CPU, so all is well, right?

CampZone 2019 Badge Is Begging To Become A Huge Billboard

What has 256 full-colour LEDs, everyone’s favorite Lithium battery form factor, wireless connectivity, and hangs around your neck? It’s the CampZone 2019 badge that turns all attendees into a really fun billboard — but can the attendees hack themselves into one massive display?

One of Europe’s larger events for the gaming community, CampZone is hosted in the Netherlands and runs from July 26th to August 5th. It’s a typical large summer camp, and caters for those who intersect gaming and hacking with HackZone, a decent-sized hacker camp within a camp. I’ve been fortunate enough to get my hands on a CampZone 2019 badge, dubbed the I-Pane. Let’s take a look at what they managed to pack into this electronic conference badge.

One Week Left For Supercon Talk And Workshop Submissions

The Hackaday Superconference is the highest density of the coolest hackers anywhere. Other events may be bigger, but we’ll be so bold as to say that none are better. If you love Hackaday, and we know you do, you should really come join us in November in Pasadena, CA.

Far and away the best way to participate in a conference is to participate in the conference. This is your chance to give a presentation or a workshop and share your hard-earned knowledge, your crazy hacks, or entertaining tales of hardware heroism with a crowd that gets it. And you get free admission if we pick your talk for the big show.

One of my favorite tales from Supercon was meeting Jennifer Wang at her (and my!) first Supercon. She was a longtime Hackaday reader, and was honestly a little bit awed to be meeting all of the great people there in person. By the next Supercon, she was giving a presentation about her IMU-based machine learning Harry Potter wand and inspiring the rest of us with her love of the cool things you can do with sensors and code. It’s one of the most honest and informative talks on machine learning I’ve seen!

You’ve got your story to share too, right? You’ve also got one week to put a proposal for a talk together. You can do this!

See you at Supercon!

The Great Moon Hoax — No Not That One!

Humans first walked on the moon 50 years ago, yet there are some people who don’t think it happened. This story is not about them. It turns out there was another great conspiracy theory involving a well-known astronomer, unicorns, and humanoids with bat wings. This one came 134 years before the words “We chose to go to the moon” were uttered.

The 1835 affair — known as the Great Moon Hoax — took the form of six articles published in The Sun, a newspaper in New York City. Think of it like “War of the Worlds” but in newspaper form — reported as if true but completely made up. Although well-known astronomer John Herschel was named in the story, he wasn’t actually involved in the hoax. Richard Adams Locke was the reporter who invented the story. His main goal seemed to be to sell newspapers, but he also may have been poking fun at some of the more outlandish scientific claims of the day.


The South American Power Outage That Plunged 48 Million Into Blackout

A massive power outage in South America last month left most of Argentina, Uruguay, and Paraguay in the dark and may also have impacted small portions of Chile and Brazil. It’s estimated that 48 million people were affected and as of this writing there has still been no official explanation of how a blackout of this magnitude occurred.

Blackouts of some form or another are virtually guaranteed on any power grid. Whether it’s from weather events, accidental damage to power lines and equipment, lightning, or equipment malfunctioning, every grid will eventually see small outages from time to time. The scope of this one, however, was much larger than it should have been, though it isn’t completely out of the realm of possibility for systems that are this complex.

Initial reports on June 17th cite vague, nondescript possible causes but seem to focus on transmission lines connecting population centers with the hydroelectric power plant at Yacyretá Dam on the border of Argentina and Paraguay, as well as some ongoing issues with the power grid itself. Problems with the transmission line system caused this power generation facility to become separated from the rest of the grid, which seems to have cascaded to a massive power failure. One positive note was that the power was restored in less than a day, suggesting at least that the cause of the blackout was not physical damage to the grid. (Presumably major physical damage would take longer to repair.) Officials also downplayed the possibility of cyber attack, which is in line with the short length of time that the blackout lasted as well, although not completely out of the realm of possibility.

This incident is exceptionally interesting from a technical point of view as well. Once we rule out physical damage and cyber attack, what remains is a complete failure of the grid’s largely automatic protective system. This automation can be a force for good, where grid outages can be restored quickly in most cases, but it can also be a weakness when the automation is poorly understood, implemented, or maintained. A closer look at some protective devices and strategies is warranted, and will give us greater insight into this problem and grid issues in general. Join me after the break for a look at some of the grid equipment that is involved in this system.

Crowd Supply Hack Chat With Josh Lifton

Join us on Wednesday, July 24th at noon Pacific for the Crowd Supply Hack Chat with Josh Lifton!

When you’re ready to take your Next Big Idea from a project to a product, you face problems that don’t normally present themselves to the hobbyist. Building one of something is quite different from building many of them, and soon you’re dealing with issues with parts suppliers, PCB fabrication, assembly, packaging, shipping, marketing, and support.

It takes a lot to get your idea to market, and a guiding hand would be most welcome to the budding hardware tycoon. That’s the logic behind Crowd Supply, the Portland-based crowdfunding and mentoring company. Josh Lifton is its CEO, and he’ll drop by the Hack Chat to answer all your questions about how crowdfunding works, what Crowd Supply offers to help creators, and what the fundamentals of a successful project are.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday July 24 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

[Photo credit: Jon House, Portland Tribune]


Hackaday Links: July 21, 2019

Ordering a PCB used to be a [Henry Ford]-esque experience: pick any color you like, as long as it’s green. We’ve come a long way in the “express yourself” space with PCBs, with slightly less than all the colors of the rainbow available, and some pretty nice silkscreening options to boot. But wouldn’t it be nice to get full-color graphics on a PCB? Australian company Little Bird thinks so, and they came up with a method to print graphics on a board. The results from what looks like a modified inkjet printer are pretty stunning, if somewhat limited in application. But I bet you could really make a splash with these in our Beautiful Hardware contest.

The 50th anniversary of the Apollo 11 landing has come and gone with at least as much fanfare as it deserves. Part of that celebration was Project Egress, creation of a replica of the Columbia crew hatch from parts made by 44 hackers and makers. Those parts were assembled on Thursday by [Adam Savage] at the National Air and Space Museum in an event that was streamed live. A lot of friends of Hackaday were in on the build and were on hand, like [Fran Blanche], [John Saunders], [Sophy Wong], and [Estefannie]. The Smithsonian says they’ll have a recording of the stream available soon, so watch this space if you’re interested in a replay.

From the “Don’t try this at home” department, organic chemist [Derek Lowe] has compiled a “Things I won’t work with” list. It’s real horror show stuff that regales the uninitiated with all sorts of chemical nightmares. Read up on chlorine trifluoride, an oxidizer of such strength that it’s hypergolic with anything that even approaches being fuel. Wet sand? Yep, bursts into flames on contact. Good reading.

Continuing the safety theme, machinist [Joe Pieczynski] offers this lathe tip designed to keep you in possession of a full set of fingers. He points out that the common practice of using a strip of emery cloth to polish a piece of round stock on either a wood or metal lathe can lead to disaster if the ends of the strip are brought into close proximity, whereupon it can catch and act like a strap wrench. Your fingers don’t stand a chance against such forces, so watch out. [Joe] doesn’t share any gory pictures of what can happen, but they’re out there. Only the brave need to Google “degloving injury.” NSFL – you’ve been warned.

On a happier note, wouldn’t it be nice to be able to print water-clear parts on a standard 3D printer? Sure it would, but the “clear” filaments and resins all seem to result in parts that are, at best, clearish. Industrial designer [Eric Strebel] has developed a method of post-processing clear SLA prints. It’s a little wet sanding followed by a top coat of a super stinky two-part urethane clearcoat. Fussy work, but the results are impressive, and it’s a good technique to file away for someday.