This Week In Security: Echospoofing, Ransomware Records, And Github Attestations

It’s a bit of bitter irony, when a security product gets used maliciously, to pull off the exact attack it was designed to prevent. Enter Proofpoint, and the EchoSpoofing attack. Proofpoint offers an email security product, filtering spam and malicious incoming emails, and also handling SPF, DKIM, and DMARC headers on outgoing email. How does an external service provide those email authentication headers?

One of the cardinal sins of running an email server is to allow open relaying. That’s when anyone can forward email through an SMTP server without authentication. What we have here are two nearly open relays that wound up with spoofed emails getting authenticated just like the real thing. The first offender is Microsoft’s Office365, which seems to completely skip checking for email spoofing when using SMTP relaying from an allowed IP address. This means a valid Office365 account allows sending emails as any address. The other half relies on the way Proofpoint works normally, accepting SMTP traffic from certain IP addresses and adding the authentication headers to those emails. There’s an option in Proofpoint to add the Microsoft Office 365 servers to that list, and apparently quite a few companies simply select that option.

The end result is that a clever spammer can send millions of completely legitimate-looking emails every day that look very convincing even to sophisticated users. Over six months of activity, averaging three million emails a day, this campaign managed just over half a billion malicious emails from multiple high-profile domains.

The good news here is that Proofpoint and Guardio discovered the scheme, and worked with Microsoft to develop the X-OriginatorOrg header that is now applied to every email sent from or through the Office365 servers. This header marks the account tenant the email belongs to, giving vendors like Proofpoint a simple way to determine email validity.

Programming Ada: Implementing The Lock-Free Ring Buffer

In the previous article we looked at designing a lock-free ring buffer (LFRB) in Ada, contrasting and comparing it with the C++-based version which it is based on, and highlighting the Ada way of doing things. In this article we’ll cover implementing the LFRB, including the data request task that the LFRB will be using to fill the buffer with. Accompanying the LFRB is a test driver, which will allow us to not only demonstrate the usage of the LFRB, but also to verify the correctness of the code.

This test driver is uncomplicated: in the main task it sets up the LFRB with a 20 byte buffer, after which it begins to read 8 byte sections. This will trigger the LFRB to begin requesting data from the data request task, with this data request task setting an end-of-file (EoF) state after writing 100 bytes. The main task will keep reading 8-byte chunks until the LFRB is empty. It will also compare the read byte values with the expected value, being the value range of 0 to 99.


FLOSS Weekly Episode 794: Release Them All With JReleaser

This week Jonathan Bennett and Katherine Druckman chat with Andres Almiray about JReleaser, the Java release automation tool that’s for more than just Java, and more than just releases. What was the original inspiration for the tool? And how does JReleaser help avoid a string of commits trying to fix GitHub Actions? Listen to find out!


Programming Ada: Designing A Lock-Free Ring Buffer

Ring buffers are incredibly useful data structures that allow for data to be written and read continuously without having to worry about where the data is being written to or read from. Although they present a continuous (ring) buffer via their API, internally a finite, fixed-size buffer is being maintained. This makes it crucial that at no point in time can the reading and writing events interfere with each other, something which can be guaranteed in a number of ways. Obviously the easiest solution here is to use a mutual exclusion mechanism like a mutex, but this comes with a severe performance penalty.

A lock-free ring buffer (LFRB) accomplishes the same result without something like a mutex (lock), instead using a hardware feature like atomics. In this article we will be looking at how to design an LFRB in Ada, while comparing and contrasting it with the C++-based LFRB that it was ported from. Although similar in some respects, the Ada version involves Ada-specific features such as access types and the rendezvous mechanism with task types (‘threads’).


Hacker Tactic: Multi-Design Panels

Last time, we talked about single-PCB-design panels and all the cool aspects of them, including some cost savings and handling convenience. Naturally, you might wonder, and many did – can you put multiple different PCBs on a single panel? The answer is “yes, without a doubt!” The tool we used last time, KiKit, will not be as helpful here, so we’ll be looking elsewhere.

Making multi-PCB panels can help you save money, naturally, but it can also make your assembly a whole lot easier, and it can bring your hacking to a whole new level. It sure helped with mine! You might have already learned that some fabs scoff at multi-design panels and add surcharges. Well, you’ll be delighted to learn that there are more hacker-friendly fabs out there, too.

Developing PCBs In Bulk

So far, I’ve worked on about 300 different PCB designs, with half of them available in my monorepo. I’ve assembled and tested just about half of these. You might guess that this would cost a lot of money, and that assembly would take a fair bit of time, but I have some tricks up my sleeve. For a start, you can easily order PCBs 10-12 times more cheaply if you do multi-panel.


Hackaday Links: July 28, 2024

What is this dystopia coming to when one of the world’s largest tech companies can’t find a way to sufficiently monetize a nearly endless stream of personal data coming from its army of high-tech privacy-invading robots? To the surprise of almost nobody, Amazon is rolling out a paid tier to their Alexa service in an attempt to backfill the $25 billion hole the smart devices helped dig over the last few years. The business model was supposed to be simple: insinuate an always-on listening device into customers’ lives to make it as easy as possible for them to instantly gratify their need for the widgets and whatsits that Amazon is uniquely poised to deliver, collecting as much metadata along the way as possible; multiple revenue streams — what could go wrong? Apparently a lot, because the only thing people didn’t do with Alexa was order stuff. Now Amazon is reportedly seeking an additional $10 a month for the improved AI version of Alexa, which will be on top of the ever-expanding Amazon Prime membership fee, currently at an eye-watering $139 per year. Whether customers bite or not remains to be seen, but we think there might be a glut of Echo devices on the second-hand market in the near future. We hate to say we told you so, but — ah, who are we kidding? We love to say we told you so.


Hacker Olympics

The opening ceremony of the Summer Olympics is going on today. It’s an over-the-top presentation meant to draw people into sport. And for the next few weeks, we’ll be seeing people from all across the world competing in their chosen physical activities. There will be triumph and defeat, front-runners who nonetheless lag behind on that day, and underdogs who sneak ahead. In short, a lot of ado about sport, and I don’t necessarily think that’s a bad thing. Sports are fun.

But where is the Hacker Olympics? Or even more broadly the Science Olympics or Engineering Olympics? Why don’t we celebrate the achievements of great thinkers, planners, and builders the same way that we celebrate fast runners or steady shooters? With all the pomp and showmanship and so on?

Here at Hackaday, we try our best! When we see a cool hack, we celebrate it. But we’re one little blog, with about a millionth the budget of the International Olympic Commission. However, we have you all as our biggest multiplier. It would be awesome if we could take over the entire city of Paris in celebration of science and engineering, but until then, if you see something smart, share it with us. And if you see something on Hackaday that you think was awesome, share it with your friends.