Hackaday Podcast Episode 291: Walking In Space, Lead In The Earth, And Atoms Under The DIY Microscope

What have you missed on Hackaday this week? Elliot Williams and Al Williams compare notes on their favorites from the week, and you are invited. The guys may have said too much about the Supercon badge this year — listen in for a few hints about what it will be about.

For hacks, you’ll hear about scanning tunneling microscopes, power management for small Linux systems, and lots of inertial measurement units. The guys talked about a few impossible hacks for consumer electronics, from hacking a laptop, to custom cell phones.

Of course, there are plenty more long-form articles of the week, including a brief history of what can go wrong on a spacewalk and how to get the lead out (of the ground). Don’t forget to take a stab at the What’s That Sound competition and maybe score a sweet Hackaday Podcast T-shirt.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Use this link to teleport a DRM-free MP3 to your location.


This Week In Security: Zimbra, DNS Poisoning, And Perfctl

Up first this week is a warning for the few of us still brave enough to host our own email servers. If you’re running Zimbra, it’s time to update, because CVE-2024-45519 is now being exploited in the wild.

That vulnerability is a pretty nasty one, though thankfully it requires a specific change from the default settings to be exposed. The problem is in postjournal. This logging option is off by default, but when it’s turned on, it logs incoming emails. One of the fields on an incoming SMTP mail object is the RCPT TO: field, with the recipients built from the to, cc, and bcc fields. When postjournal logs this field, it does so by passing it as a bash argument. That argument wasn’t properly sanitized, and the call wasn’t made through a safe interface like execvp(). So, it was possible to inject commands using the $() construction.

The details of the attack are known, and researchers are seeing early exploratory attempts to exploit this vulnerability. At least one of these campaigns is attempting to install webshells, so at least some of those attempts have teeth. The attack seems to be less reliable when coming from outside of the trusted network, which is nice, but not something to rely on.

New Tool Corner

What is that binary doing on your system? Even if you don’t do any security research, that’s a question you may ask yourself from time to time. A potential answer is WhoYouCalling. The wrinkle here is that WYC uses the Windows Event Tracing mechanism to collect the network traffic strictly from the application in question. So it’s a Windows only application for now. What you get is a packet capture from a specific executable and all of its children processes, with automated DNS capture to go along.

Supercon 2023: [Cory Doctorow] With An Audacious Plan To Halt The Internet’s Enshittification And Throw It Into Reverse

Those of us old enough to remember BBS servers or even rainbow banners often go down the nostalgia hole about how the internet was better “back in the day” than it is now, with a handful of middlemen holding a stranglehold on the way we interact with information, commerce, and even other people. Where’s the disintermediated future we were promised? More importantly, can we make a “new good web” that puts users first? [Cory Doctorow] has a plan to reverse what he’s come to call enshittification, or the lifecycle of the extractionist tech platform, and he shared it with us as the Supercon 2023 keynote.

As [Doctorow] sees it, there’s a particular arc to every evil platform’s lifecycle. First, the platform will treat its users fairly and provide enough value to accumulate as many as possible. Then, once a certain critical mass is reached, the platform pivots to exploiting those users to sell them out to the business customers of the platform. Once there’s enough buy-in by business customers, the platform squeezes both users and businesses to eke out every cent for their investors before collapsing in on itself.

Doctorow tells us, “Enshittification isn’t inevitable.” There have been tech platforms that rose and fell without it, but he describes a set of three criteria that make the process unavoidable.

  1. Lack of competition in the market via mergers and acquisitions
  2. Companies change things on the back end (“twiddle their knobs”) to improve their fortunes and have a united, consolidated front to prevent any lawmaking that might constrain them
  3. Companies then embrace tech law to prevent new entrants into the market or consumer rights (see: DMCA, etc.)


FLOSS Weekly Episode 803: Unconferencing With OggCamp

This week Jonathan Bennett and Simon Phipps chat with Gary Williams about OggCamp! It’s the Free Software and Free culture unconference happening soon in Manchester! What exactly is an unconference? How long has OggCamp been around, and what should you expect to see there? Listen to find out!


Retrotechtacular: Another Thing Your TV No Longer Needs

As Hackaday writers we don’t always know what our colleagues are working on until publication time, so we all look forward to seeing what other writers come up with. This week it was [Al Williams] with “Things Your TV No Longer Needs”, a range of gadgets from the analogue TV era, now consigned to the history books. On the bench here is a device that might have joined them, so in taking a look at it now it’s by way of an addendum to Al’s piece.

When VHF Was Not Enough

In a Dutch second-hand store while on my hacker camp travels this summer, I noticed a small grey box. It was mine for the princely sum of five euros, because while I’d never seen one before I was able to guess exactly what it was. The “Super 2” weighing down my backpack was a UHF converter, a set-top box from before set-top boxes, dating from the moment around five or six decades ago when that country expanded its TV broadcast network to include the UHF bands. If your TV was VHF only it couldn’t receive the new channels, and this box was the answer to connecting your UHF antenna to that old TV.

It’s a relatively small plastic case about the size of a chunky paperback book, on the front of which is a tuning knob and scale in channels and MHz, on the top of which are a couple of buttons for VHF and UHF, and on the back are a set of balanced connectors for antennas and TV set. It’s mains powered, so there’s a mains lead with an older version of the ubiquitous European mains plug. Surprisingly it comes open with a couple of large coin screws on the underside, so it’s time to take a look inside.

Supercon 2023: Thea Flowers Renders KiCad Projects On The Web

At last year’s Supercon, we had the pleasure of hosting Thea [Stargirl] Flowers, who told us about her KiCanvas project: its trials, its tribulations, and its triumphs. KiCanvas brings interactive display of KiCad boards and schematics into your browser, letting you embed your PCB’s information right into your blog post or online documentation.

Give the KiCanvas plugin a URL to your KiCad file, and it will render your file in the browser, fully on the fly. There’s no .jpg to update and re-upload, no jobs to re-run each time you find a mistake and update your board – your files are always up to date, and your audience is always able to check it out without launching KiCad.

Images are an intuitive representation for schematics and PCB files, but they’re letting hackers down massively. Thea’s KiCanvas project is about making our KiCad projects all that more accessible to newcomers, and it’s succeeded – nowadays, you can encounter KiCanvas schematic embeds in the wild on various hackers’ blogs. The Typescript code didn’t write itself, and neither was it easy – she’s brought a fair few war stories to the DesignLab stage.

A hacker’s passion to share can move mountains. Thea’s task was a formidable one, too – KiCad is a monumental project with a decades-long history. There are quite respectable reasons for someone to move this particular mountain – helping you share your projects quickly but extensively, and letting people learn about your projects without breaking a sweat.


Supercon 2023 – Going Into Deep Logic Waters With The Pico’s PIO And The Pi’s SMI

The Raspberry Pi has been around for over a decade now in various forms, and we’ve become plenty familiar with the Pi Pico in the last three years as well. Still, these devices have a great deal of potential if you know where to look. If you wade beyond the official datasheets, you might even find more than you expected.

Kumar is presently a software engineer with Google, having previously worked for Analog Devices earlier in his career. But more than that, Kumar has been doing a deep dive into maxing out the capabilities of the Raspberry Pi and the Pi Pico, and shared some great findings in an excellent talk at the 2023 Hackaday Supercon.
