Competitive Surface Mount Soldering Comes To Supercon

Who will show the best soldering skills at the Hackaday Superconference next week? We have a little — in fact, a very little — challenge for you: solder surface mount components down to a tiny 0201 package. This is the SMD Soldering Challenge and successfully finishing the board at all shows off the best of hand soldering skills, but during the weekend we’ll also keep a running leader board.

Ballpoint pen for scale

For the event we’re using the SMD Challenge board by MakersBox, which uses a SOIC8 ATtiny85 to drive LED/resistor pairs in 1206, 0805, 0603, 0402, and 0201 packages. There will be a 5 minute inspection time at the start of the heat to open the kit, get familiar with the board, and confirm that you have all of the components and tools you need. We suggest not sneezing while placing that 0201 part down on the board. The kit includes a spare set of 0201 parts only, so you might get one extra chance with the smallest parts if you need it, but replacements will not be provided for parts lost during the heat.

There will be eight heats of six people participating so make sure you get signed up as soon as you get to Supercon. You can only compete once and you must use our soldering iron and solder. We will also have magnifiers, tweezers, flux, and desoldering braid on hand. You can bring reasonable tools and other support materials; Supercon staff running the challenge are the arbiters of “reasonable” in this case.

Scoring is based on time, completion, functionality (of the circuits you attempted to complete), neatness, and solder joint quality. If the top score is a tie, the fastest time across all the heats will be the winner. The official rules are on the event page so take a moment to look them over.

Don’t think it is going to be easy. Here’s a quote from the SMD Challenge board project page:

Be warned that trying to hand solder a 0201 package, which is just slightly larger than a grain of sand, may be considered evidence of insanity and get you committed to bad places by your loved ones and/or arch nemesis

The real prize is the bragging rights of being the Hackaday soldering virtuoso. Do you have what it takes? Someone reading this right now will be. But the first step is to show up at the Hackaday Superconference. See you there and good luck!

DMCA Review: Big Win For Right To Repair, Zero For Right To Tinker

This year’s Digital Millennium Copyright Act (DMCA) triennial review (PDF, legalese) contained some great news. Particularly, breaking encryption in a product in order to repair it has been deemed legal, and a previous exemption for reverse engineering 3D printer firmware to use the filament of your choice has been broadened. The infosec community got some clarification on penetration testing, and video game librarians and archivists came away with a big win on server software for online games.

Moreover, the process to renew a previous exemption has been streamlined — one used to be required to reapply from scratch every three years and now an exemption will stand unless circumstances have changed significantly. These changes, along with recent rulings by the Supreme Court are signs that some of the worst excesses of the DMCA’s anti-circumvention clause are being walked back, twenty years after being enacted. We have to applaud these developments.

However, the new right to repair clause seems to be restricted to restoring the device in question to its original specifications; if you’d like to hack a new feature into something that you own, you’re still out of luck. And while this review was generally favorable toward opening up technology to enable fair use, they didn’t approve Bunnie Huang’s petition to allow decryption of the encryption method used over HDMI cables, so building your own HDMI devices that display encrypted streams is still out. And the change to the 3D printer filament exemption is a reminder of the patchwork nature of this whole affair: it still only applies to 3D printer filament and not to other devices that attempt to enforce the use of proprietary feedstock. Wait, what?

Finally, the Library of Congress only has authority to decide which acts of reverse engineering constitute defeating anti-circumvention measures. This review does not address the tools and information necessary to do so. “Manufacture and provision of — or trafficking in — products and services designed for the purposes of circumvention…” are covered elsewhere in the code. So while you are now allowed to decrypt your John Deere software to fix your tractor, it’s not yet clear that designing and selling an ECU-unlocking tool, or even e-mailing someone the decryption key, is legal.

Could we hope for more? Sure! But making laws in a country as large as the US is a balancing act among many different interests, and the Library of Congress’s ruling is laudably clear about how they reached their decisions. The ruling itself is worth a read if you want to dive in, but be prepared to be overwhelmed in apparent minutiae. Or save yourself a little time and read on — we’ve got the highlights from a hacker’s perspective.


HTTPS For The Internet Of Things

Every day, we’re connecting more and more devices over the internet. No longer does a household have a single connected computer — there are smartphones, tablets, HVAC systems, deadbolts — you name it, it’s been connected. As the Internet of Things proliferates, it has become readily apparent that security is an issue in this space. [Andreas Spiess] has been working on this very problem, by bringing HTTPS to the ESP8266 and ESP32.

Since the ESP chips are the most popular platform for IoT devices, they are the sensible place to start when improving security. In his video, [Andreas] starts at the beginning, covering the basics of SSL, before branching out into how to use these embedded systems with secure cloud services, and the memory requirements to do so. [Andreas] has made the code available on GitHub so it can be readily included in your own projects.

Obviously implementing increased security isn’t free; there’s a cost in terms of processing power, memory, and code complexity. However, such steps are crucial if IoT devices are to become trusted in wider society. A malfunctioning tweeting coffee pot is one thing, but being locked out of your house is another one entirely.

We’ve seen other takes on ESP8266 security before, too. Expect more to come as this field continues to expand.

[Thanks to Baldpower for the tip!]

US Announces Withdrawal From Postal Treaty; International Shipping Prices Expected To Rise

The United States has announced plans to withdraw from a 144-year-old postal treaty that sets lower international shipping rates. The US claims this treaty gives countries like China and Singapore an unfair advantage that floods the US market with cheap packages. The BBC reports that withdrawal from this treaty will increase shipping costs from China by between 40% and 70%.

The treaty in question is the Universal Postal Union treaty, which established that each country should retain all money it has collected for international postage. The US Chamber of Commerce has said this treaty “leads to the United States essentially paying for Chinese shipping”. This is especially true since 2010, when the US Postal Service entered an agreement with eBay Greater China & Southeast Asia and the China Post Express & Logistics Corporation. This agreement established e-packet delivery, where packages weighing up to 2 kg would be delivered at lower prices. If you have ordered inexpensive products shipped from abroad, it is likely the e-packet price that made this possible.

This will affect businesses that capitalize on imports and exports; the storefronts on Amazon and eBay that resell Chinese goods rely on cheap shipping from China. It will also affect companies based outside of the United States that ship to US customers. Small businesses within the US that manufacture at low enough quantities to get their components and raw materials shipped under the e-packet rates will also see a hit. An increase in shipping costs will mean higher prices for all of these products.

The move is also being justified as a way to even the playing field for US manufacturers who are shipping from within the US and may be paying higher rates to ship to the same customers as foreign-bought goods. It is the latest development in a growing trade war between the US and China, which has already seen several rounds of tariffs on goods like electronics, and even 3D printing filament. It’s hard to see how the compounding effect of these will be anything but higher prices for consumers. Manufacturers feeling the pinch on raw materials and components will pass this on to customers, who will also soon see higher shipping prices than they are used to.

LibSSH Vuln: You Don’t Need To See My Authentication

Another day, another CVE (Common Vulnerabilities and Exposures). Getting a CVE number assigned to a vulnerability is a stamp of authenticity that you have a real problem on your hands. CVE-2018-10933 is a worst-case scenario for libssh. With a single response, an attacker can completely bypass authentication, giving full access to a system.

Before you panic and yank the power cord on your server, know that libssh is not part of OpenSSH. Your Linux box almost certainly uses OpenSSH as the SSH daemon, and that daemon is not vulnerable to this particular problem. Libssh does show up in a few important places, the most notable probably being GitHub, whose security team has already announced that their implementation was not vulnerable.

Libssh has released a new version that fixes the problem. Stick around for the details after the break.


FIDO2 Authentication In All The Colors

Here at Hackaday, we have a soft spot for security dongles. When a new two-factor-authentication dongle is open source, uses USB and NFC, and supports FIDO2, the newest 2FA standard, we take notice. That just happens to be exactly what [Conor Patrick] is funding on Kickstarter.

We’ve looked at [Conor]’s first generation hardware key, and the process of going from design to physical product. With that track record, the Solo security key promises to be more than the vaporware that plagues crowdfunding services.

Another player, Yubikey, has also recently announced a new product that supports FIDO2 and NFC. While Yubikey has stepped away from their early open source policy, Solo is embracing the open source ethos. The Kickstarter promises the release of both the software and hardware design as fully open, using MIT and CC BY-SA licenses.

For more information, see the blog post detailing the project goals and initial design process. As always, caveat emptor, but this seems to be a crowdfunding project worth taking a look at.

Hams See Dark Side Of The Moon Without Pink Floyd

Ham radio operators bouncing signals off the moon have become old hat. But a ham radio transmitter on the Chinese Longjiang-2 satellite is orbiting the moon and has sent back pictures of the Earth and the dark side of the moon. The transceiver’s main purpose is to allow hams to downlink telemetry and relay messages via lunar orbit.

While the photo was received by the Dwingeloo radio telescope, reports are that other hams also picked up the signal. The entire affair has drawn in hams around the world. Some of the communications use a modulation scheme devised by [Joe Taylor, K1JT] who also happens to be a recipient of a Nobel prize for his work with pulsars. The Dwingeloo telescope has several ham radio operators including [PA3FXB] and [PE1CHQ].
