an image of kicad's homepage

KiCad Team Releases Warning Regarding Domain Name

On October 19th, [Seth_h] from the KiCad Project posted on the KiCad forums that the project’s original domain name kicad-pcb.org has been unexpectedly sold to a third party, and urged members of the community to avoid any links to this old website.

KiCad has used the domain kicad-pcb.org since 2012 as the official source for information on and downloads of their popular open-source electronics design software. Unfortunately, the original domain name was purchased before KiCad was formalized as an organization, so it was not directly under their control. This all came to a head when the old domain name was unexpectedly sold to an unnamed third party not affiliated with the project. Currently, the old domain is just a website covered in ads, but the KiCad team fears that it may be used maliciously in the future.

With KiCad’s popularity, thousands of tutorials, articles, and project guides over the years have included links to the old KiCad domain. A Google search in October 2021 found more than 19,000 instances of the old domain spread across the internet. [Seth_h] has called upon the community to make every effort possible to update old links, reducing the chance that people stumble across the wrong website.

[Editor’s Note: We think we got ’em all, let us know if we missed any.]

Luckily, Digi-Key has swooped in to help save the day. They purchased a new domain, kicad.org, from squatters and donated it to the KiCad Project. (Update: Digi-Key donated the KiCad.org domain back in October of 2020 after noticing fishy squatters going back to at least 2016.) [Seth_h] explains in his post that a number of safeguards have been put in place to prevent this from happening in the future, including not having the domain name owned by a single person, and having all KiCad trademarks registered to the Linux Foundation.

There’s a good reason why KiCad has gotten so popular: it is packed full of great features for PCB design. Check out our coverage of some of the new features we are most excited for in KiCad 6.0 here.

Better History Through X-Rays

Even if you aren’t a giant history buff, you probably know that the French royal family had some difficulties in the late 1700s. The end of the story saw the King beheaded and, a bit later, his wife, the famous Marie Antoinette, suffered the same fate. Marie wrote many letters to her confidant, and probable lover, Swedish count Axel von Fersen. Some of those letters have survived to the present day, sort of. An unknown person saw fit to blot out parts of the surviving letters with ink, rendering them illegible. Well, that is, until now, thanks to modern x-ray technology.

Anne Michelin from the French National Museum of Natural History and her colleagues were able to foil the censor and they even have a theory as to the ink blot’s origin: von Fersen, himself! The technique used may enable the recovery of other lost portions of historical documents and was published in the journal Science Advances.

Continue reading “Better History Through X-Rays”

This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger

Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

The original exploit used .%2e/ as the magic payload, using URL encoding to sneak the extra dot through as part of the path. The new bypass uses .%%32%65/. This looks a bit weird, but makes sense once you decode it. Percent-encoding stands for a byte by its two hex digits, so %32 decodes to the ASCII digit 2 and %65 to the letter e, leaving .%2e/, and a second decoding pass turns that into ../. Familiar? Yep, it’s just the original vulnerability with a second layer of URL encoding. This has the same requirements as the first iteration: cgi-bin has to be enabled for code execution, and require all denied has to be disabled in the configuration files. Continue reading “This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger”

Why Wait For Apple? Upgrade Your IPhone With USB-C Today!

Apple iPhones ship with the company’s Lightning cable, a capable and robust connector, but one that’s not cheap and is only useful for the company’s products. When the competition had only micro-USB it might have made sense, but now that basically all new non-fruity phones ship with USB-C, that’s probably the right way to go.

[Ken Pilonell] has addressed this by modifying his iPhone to sport a USB-C connector. The blog post and the first video below the break show us the proof of concept, but an update in the works and a teaser video show that he made it.

We’re a bit hazy on the individual iPhone model involved, but the essence of the work involves taking the internals of a Lightning-to-USB-C cable and hooking it up to the phone’s internal Lightning port. The proof-of-concept does it by putting the Apple flexible PCB outside the phone and plugging the cable part in directly, but it seems his final work involves a custom flexible board on which the reverse-engineered USB-C converter parts are mounted along with the USB-C socket itself. We see a glimpse of machining the slot in the phone’s case to USB-C dimensions, and we can’t wait for the full second installment.

It’s purely coincidental, but this comes against a backdrop of the European Union preparing to mandate USB-C on all applicable devices.

Continue reading “Why Wait For Apple? Upgrade Your IPhone With USB-C Today!”

Thingiverse Data Leaked — Check Your Passwords

Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. A database backup from the popular 3D model sharing website Thingiverse has leaked online, containing 228,000 email addresses, full names, addresses, and passwords stored as unsalted SHA-1 or bcrypt hashes. If you have an account with Thingiverse it is probably worth your while to head over to Have I Been Pwned to search on your email address, and just to be sure you should also change your password on the site. Our informal testing suggests that not every account is in the leak; the dump appears to cover only users who left comments on the site.

Aside from the seriousness of a leak in itself, the choice of password hashing should raise a few eyebrows. Unsalted SHA-1 has been unsuitable for password storage for well over a decade: it is fast enough to brute-force at billions of guesses per second on commodity GPUs, and without a per-user salt a single precomputed table cracks every account that shares a common password in one lookup. Bcrypt, by contrast, is salted and deliberately slow and remains a reasonable choice in 2021, so the likely explanation (our guess, but a common pattern) is that newer accounts were hashed with bcrypt while older SHA-1 rows were never migrated. Leaving legacy hashes in place for years indicates very poor attention to password storage on the part of Thingiverse. We’d like to think that it would serve as a salutary warning to other website operators in our field to review and upgrade their password hashing, but we suspect readers will agree that this won’t be the last time we report on such a leak and nervously check our own login details.
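
To make the SHA-1 versus bcrypt distinction concrete, here is an added Python example (ours, not Thingiverse’s code; the user records and the wordlist are constructed for illustration). Bcrypt is not in the standard library, so the salted, slow side uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in. It shows why one table cracks every unsalted SHA-1 user at once, why salting forces per-user work, and the migrate-on-login pattern a site can use to retire legacy hashes without forcing a password reset.

```python
import hashlib
import hmac
import os

# Constructed sample of a leaked table: hypothetical users, not Thingiverse data.
# Two users chose the same weak password; the third chose a strong one.
LEGACY_DB = {
    "alice": hashlib.sha1(b"password").hexdigest(),
    "bob": hashlib.sha1(b"password").hexdigest(),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}
WORDLIST = ["123456", "password", "qwerty", "letmein"]  # constructed, tiny

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256, salted and deliberately slow.
# Real deployments use bcrypt, scrypt or Argon2 via a library.
ITERATIONS = 100_000
PREFIX = "pbkdf2_sha256"


def sha1_unsalted(password):
    """The legacy scheme: no salt, one fast hash per guess."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_salted_hash(password, salt=None, iterations=ITERATIONS):
    """Salted slow hash, self-describing so the verifier can re-derive it."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${dk.hex()}"


def verify_slow_salted(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(db, wordlist):
    """Unsalted: one precomputed table serves every user, and identical
    hashes immediately reveal who shares a password."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db, wordlist):
    """Salted: every (user, guess) pair needs its own slow derivation.
    Returns (cracked, number_of_derivations) so the cost is visible."""
    cracked, derivations = {}, 0
    for user, stored in db.items():
        for guess in wordlist:
            derivations += 1
            if verify_slow_salted(guess, stored):
                cracked[user] = guess
                break
    return cracked, derivations


def login_and_migrate(db, user, password):
    """Verify a login and transparently upgrade a legacy SHA-1 row.

    The plaintext is only available at login, so that is the one moment the
    site can rehash without asking the user for anything."""
    stored = db.get(user)
    if stored is None:
        return False
    if stored.startswith(PREFIX + "$"):
        return verify_slow_salted(password, stored)
    if hmac.compare_digest(sha1_unsalted(password), stored):
        db[user] = slow_salted_hash(password)  # upgrade in place
        return True
    return False


if __name__ == "__main__":
    print("unsalted SHA-1 cracked:", crack_unsalted(LEGACY_DB, WORDLIST))
    db = dict(LEGACY_DB)
    login_and_migrate(db, "alice", "password")
    print("alice after login:", db["alice"][:32], "...")
```

Note that `crack_unsalted` never touches the wordlist more than once regardless of how many users are in the dump, while `crack_salted` pays the full slow derivation for every user and every guess; that asymmetry, not any secrecy of the algorithm, is what a salted slow hash buys.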

Nicolas Bras and his homemade musical instruments

Hacked Set Of Instruments Saves Musician’s Gigs

Most of the horror stories you hear about air travel seem to center around luggage. Airlines do an admirable job of getting people safely to their destinations, but checked baggage is a bit of a crapshoot — it could be there when you land, it could end up taking the scenic route, or it could just plain disappear. That’s bad enough when it contains your clothes, but when it contains your livelihood? Talk about stress!

This was the position musician [Nicolas Bras] found himself in after a recent trip. [Nicolas] was heading for a gig, but thanks to Brussels Airlines, his collection of musical instruments went somewhere else. There was nothing he could do to salvage that evening’s gig, but he needed to think about later engagements. Thankfully, [Nicolas] specializes in DIY musical instruments, made mostly with PVC tubes and salvaged parts from commercial instruments, so the solution to his problem was completely in his hands.

Fair warning to musical instrument aficionados: harvesting the neck from a broken ukulele is pretty gruesome stuff. Attached to a piece of pallet wood and equipped with piezo pickups, the neck became part of a bizarre yet fascinating hybrid string instrument. A selection of improvised wind instruments came next, made from PVC pipes and sounding equally amazing; we especially liked the bass chromojara, sort of a flute with a didgeridoo sound to it. The bicycle pump beatbox was genius too, and really showed that music is less about the fanciness of your gear and more about the desire, and talent, to make it with whatever comes to hand.

Here’s hoping that [Nicolas] is eventually reunited with his gear, but hats off to him in the meantime for hacking up replacements. And if he looks familiar, that’s because we’ve seen some of his work before, like his sympathetic nail violin and “Popcorn” played on PVC pipes.

Continue reading “Hacked Set Of Instruments Saves Musician’s Gigs”

This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll

The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw, where the %2e encoding is used to bypass filtering. Thankfully the bug was introduced in 2.4.49, the latest release, and a hotfix has already been released, 2.4.50.

curl --data "echo;id" 'http://127.0.0.1:80/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'

If that returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache is shipped with a configuration block that mitigates this vulnerability.

# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
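
The following Python block is an added example of ours, not Apache’s source code: it models the class of mistake behind both CVE-2021-41773 (the 2.4.49 bug above) and the incomplete 2.4.50 fix discussed earlier on this page, and shows the check a practitioner actually wants. The three `check_*` functions are simplified models, not Apache’s real `ap_normalize_path`; `DOCROOT`, the request strings and the access-log lines are constructed. The same fixpoint decoder also drives a small log scanner that flags the single- and double-encoded payloads alike.

```python
from urllib.parse import unquote
import posixpath
import re

# Hypothetical document root for the model; Apache's real mapping is not reproduced here.
DOCROOT = "/var/www/html"

# Constructed requests: the 2.4.49 payload from the curl line above, its
# double-encoded 2.4.50 variant, and a legitimate CGI request.
SINGLE_ENCODED = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"
DOUBLE_ENCODED = "/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh"
BENIGN = "/cgi-bin/printenv.cgi"


def decode_fully(path, max_rounds=4):
    """Percent-decode until the string stops changing.

    Each pass peels one encoding layer: .%%32%65/ -> .%2e/ -> ../
    Inputs still changing after max_rounds are refused; nothing
    legitimate is encoded that many times."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    raise ValueError("too many percent-encoding layers")


def check_raw(path):
    """Model of looking for '..' in the still-encoded path (the 2.4.49 mistake).
    Returns True when the request would be allowed."""
    return ".." not in path


def check_single_decode(path):
    """Model of decoding once and then checking: defeated by a second layer."""
    return ".." not in unquote(path)


def check_full_decode(path):
    """Decode to a fixpoint, resolve against DOCROOT and require the
    result to stay inside it. This is the check that survives both payloads."""
    try:
        decoded = decode_fully(path)
    except ValueError:
        return False
    resolved = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    return resolved == DOCROOT or resolved.startswith(DOCROOT + "/")


# Detection side. Constructed access-log lines in common log format: both
# exploit variants, a normal CGI hit, and a filename containing '..' that
# must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:01:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 52
203.0.113.5 - - [07/Oct/2021:11:15:09 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 52
198.51.100.7 - - [07/Oct/2021:11:16:00 +0000] "GET /cgi-bin/printenv.cgi HTTP/1.1" 200 1024
198.51.100.9 - - [07/Oct/2021:11:17:31 +0000] "GET /docs/a..b.html HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP/')


def is_traversal(path):
    """True when some path segment, after full decoding, is exactly '..'.
    Matching whole segments avoids flagging names like a..b.html."""
    try:
        decoded = decode_fully(path.split("?", 1)[0])
    except ValueError:
        return True  # absurdly nested encoding is itself suspicious
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text):
    """Return 1-based line numbers of requests that look like traversal attempts."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group(1)):
            hits.append(lineno)
    return hits


if __name__ == "__main__":
    print("request        raw  once  full")
    for name, path in [("single", SINGLE_ENCODED), ("double", DOUBLE_ENCODED), ("benign", BENIGN)]:
        print(f"{name:8} {check_raw(path)!s:>7} {check_single_decode(path)!s:>5} {check_full_decode(path)!s:>5}")
    print("suspicious log lines:", scan_log(SAMPLE_LOG))
```

Run it and the table says it all: the raw check lets both payloads through, the single-decode check stops only the first, and the fixpoint-plus-normalize check stops both while still allowing the benign request. The default `Require all denied` block above is the belt to this check’s braces; keep it even once the server is patched.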

The Day The Internet Stood Still

You might have noticed a bit of a kerfuffle on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the Facebook.com domain was returning NXDOMAIN to DNS lookups. This led to some fun tweets, with screen caps showing Facebook.com for sale.
Continue reading “This Week In Security: Apache Nightmare, REvil Arrests? And The Ultimate RickRoll”