How Hackerspaces Spend Money

Running a hackerspace is no easy task. One of the biggest issues is money — how to collect it in dues and donations, how to manage it, and how to spend it. Everyone has different interests and would like to see the budget go to their favorite project or resource. Milwaukee Makerspace has come up with a novel way to handle this. Members pay $40 a month in dues. $35 of that goes into the general budget. The members themselves pick where the last $5 goes.

Using the hackerspace’s software, members choose where their $5 goes each month. It can all be spent in one area or split up among different resources at the hackerspace. Members choose from many different interests like the 3D printing area, the laser lab, the forge, or specific projects like the power racing series. This results in a budget for each area which can be used for materials and parts. It also gives the hackerspace board of directors information on which resources people are interested in, and which they aren’t.

In the current budget, no one is supporting the anodizing area, but lots of people are supporting the laser lab. This is just the sort of information the board could use when planning. Perhaps they could store the anodizing tools and expand the laser lab. Click through to the link above and see how this year’s cash voting panned out.

Of course, all this only works if you have a hackerspace with plenty of active members. In Milwaukee’s case, they have about 300 members. Would this work for your hackerspace? Let us know down in the comments!

Have Your Own 200 Water Street Digital Clock

On the front of a building in New York City, above a branch of the ubiquitous Starbucks coffee chain, there is a clock. It is no ordinary clock: the 200 Water Street clock is an art installation created by the artist [Rudolph de Harak], and consists of 72 lighted numbers which are illuminated in sequence to show hours, minutes, and seconds. It is a landmark of sufficient fame that [Jason Ben Nathan] and [Eldar Slobodyan], Cornell University students of [Bruce Land], decided to make their own tribute to it as their course project.

Water Street clock at night [via NYC ♥ NYC]
It’s a fairly straightforward build, thanks to the use of Adafruit Dotstar multicolour LED strips which are populated with APA102 pixels. Behind the scenes is a PIC32 microcontroller, and the time information comes from an off-the-shelf 60kHz WWVB time signal receiver. There is also a temperature sensor, for a handy second function.

The front panel is a piece of ply with the required numbers nicely laser-cut. All the schematics and code are available, should you fancy trying your hand at building your own version of the clock.

If you are curious about the real-life clock here’s an image. But you get a much more interesting perspective if you stand in front of it. If you just can’t go there, get an approximation through the wonders of Google Street View.

34C3: Hacking Into A CPU’s Microcode

Inside every modern CPU since the Intel Pentium fdiv bug, assembly instructions aren’t a one-to-one mapping to what the CPU actually does. Inside the CPU, there is a decoder that turns assembly into even more primitive instructions that are fed into the CPU’s internal scheduler and pipeline. The code that drives the decoder is the CPU’s microcode, and it lives in ROM that’s normally inaccessible. But microcode patches have been deployed in the past to fix up CPU hardware bugs, so it’s certainly writeable. That’s practically an invitation, right? At least a group from the Ruhr University Bochum took it as such, and started hacking on the microcode in the AMD K8 and K10 processors.

The hurdles to playing around in the microcode are daunting. It turns assembly language into something, but the instruction set that the inner CPU, ALU, et al. use was completely unknown. [Philip] walked us through their first line of attack, which was essentially guessing in the dark. First they mapped out where each x86 opcode went in the microcode ROM. Using this information, and the ability to update the microcode, they could load and execute arbitrary microcode. They still didn’t know anything about the microcode, but they knew how to run it.

So they started uploading random microcode to see what it did. This random microcode crashed almost every time. The rest of the time, there was no difference between the input and output states. But then, after a week of running, a breakthrough: the microcode XOR’ed. From this, they found out the syntax of the command and began to discover more commands through trial and error. Quite late in the game, they went on to take the chip apart and read out the ROM contents with a microscope and OCR software, at least well enough to verify that some of the microcode operations were burned in ROM.

The result was 29 microcode operations including logic, arithmetic, load, and store commands — enough to start writing microcode programs. The first microcode programs written helped with further discovery, naturally. But before long, they wrote microcode backdoors that triggered when a given calculation was performed, and stealthy trojans that exfiltrate data encrypted or “undetectably” by introducing faults programmatically into calculations. This means nearly undetectable malware that’s resident inside the CPU. (And you think the Intel Management Engine hacks made you paranoid!)

[Benjamin] then bravely stepped us through the browser-based attack live, first in a debugger where we could verify that their custom microcode was being triggered, and then outside of the debugger where suddenly xcalc popped up. What launched the program? Calculating a particular number on a website from inside an unmodified browser.

He also demonstrated the introduction of a simple mathematical error into the microcode that made an encryption routine fail when another particular multiplication was done. While this may not sound like much, if you paid attention in the talk on revealing keys based on a single infrequent bit error, you’d see that this is essentially a few million times more powerful because the error occurs every time.

The team isn’t done with their microcode explorations, and there’s still a lot more of the command set left to discover. So take this as a proof of concept that nearly completely undetectable trojans could exist in the microcode that runs between the compiled code and the CPU on your machine. But, more playfully, it’s also an invitation to start exploring yourself. It’s not every day that an entirely new frontier in computer hacking is burst open.

34C3: The First Day Is A Doozy

It’s 5 pm, the sun is slowly setting on the Leipzig conference center, and although we’re only halfway through the first day, there’s a ton that you should see. We’ll report some more on the culture of the con later — for now here are just the hacks.

The Most Tasteful Of Christmas Sweaters Come With A Trainset

Ah, Christmas, the time of festive good cheer, cherubic carol-singers standing in the crunchy snow, church bells ringing out across the frozen landscape, Santa Claus in his red suit flying down the chimney with a sack of presents, the scent of Christmas meals cooking heavy upon the air, and a Canadian guy wearing a trainset.

Wait a minute, we hear you say, a Canadian guy wearing a trainset? That’s right, not satisfied with the sheer awfulness of his ugly Christmas sweater on its own, [BD594] made it extra-special by incorporating a working Christmas tree trainset into the ensemble. As if the discovery that Christmas tree trainsets are a thing was not enough, we are treated to the spectacle of one on a plywood ring suspended from a particularly obnoxious Christmas-themed garment. Not all hacks are in good taste, and in fairness we have to note that this one is tagged as comedy rather than railroad engineering.

You can view the result in the video below the break. It’s short on technical detail, which is a slight shame: even though there are few mysteries in powering a small trainset, it might be interesting to know the method used to suspend the baseboard. We’d suspect a harness underneath that jumper, as Christmas garments are built for looks rather than strength.


Hackaday At 34C3

It’s that time of year. While the rest of the Christmas-celebrating world sits around and plays with the toys that they got out from under the tree, German nerds head off to the biggest European hacker con: the 34th annual Chaos Communications Congress, running Dec. 27th through 30th.

The CCC is both a grandparent among hacker cons, and the most focused on using technology to improve the world and bringing folks together. (The “communications” in the name is a dead giveaway.) This year’s motto, “tuwat!” is slangy-dialecty for “do something!” and is a call to get up off the couch and use your super-powers for good.

If you can’t get over to Leipzig to join us, you’ll be able to read our extensive coverage starting up shortly after the opening ceremonies, and probably stretching well into 2018. And since the CCC media folks manage to stream every talk, hackers all over the world can follow along live. Most talks are in English, so get together with folks in your hackspace and have a video night!

And if you are in Leipzig, be on the lookout for [Elliot] who will be wandering around, attending workshops, and writing down as much as possible. Show me something cool, rave about a particularly good talk, or just say “hi”.

Fairy Dust clipart courtesy [sonoftroll].

Edward Snowden Introduces Baby Monitor For Spies

Famed whistleblower [Edward Snowden] has recently taken to YouTube to announce Haven: an Open Source application designed to allow security-conscious users to turn old unused Android smartphones and tablets into high-tech monitoring devices for free. While arguably Haven doesn’t do anything that wasn’t already possible with software on the market, the fact that it’s Open Source and designed from the ground up for security does make it a bit more compelling than what’s been available thus far.

Developed by the Freedom of the Press Foundation, Haven is advertised as something of a role-reversal for the surveillance state. Instead of a smartphone’s microphone and camera spying on its owner, Haven allows the user to use those sensors to perform their own monitoring. It’s not limited to the camera and microphone either: Haven can also pull data from the smartphone’s ambient light sensor and accelerometer to help determine when somebody has moved the device or entered the room. There’s even support for monitoring the device’s power status, so if somebody tries to unplug the device or cut power to the room, the switch over to the battery will trigger the monitoring to go active.

Thanks to the Open Source nature of Haven, it’s hoped that continued development (community and otherwise) will see an expansion of the application’s capabilities. To give an example of a potential enhancement, [Snowden] mentions the possibility of using the smartphone’s barometer to detect the opening of doors and windows.

With most commercially available motion activated monitor systems, such as Nest Cam, the device requires a constant Internet connection and a subscription. Haven, on the other hand, is designed to do everything on the local device without the need for a connection to the Internet, so an intruder can’t just knock out your Wi-Fi to kill all of your monitoring. Once Haven sees or hears something it wants you to know about, it can send an alert over standard SMS, or if you’re really security minded, over the end-to-end encrypted Signal.

The number of people who need the type of security Haven is advertised as providing is probably pretty low; unless you’re a journalist working on a corruption case or a revolutionary plotting a coup d’état, you’ll probably be fine with existing solutions. That being said, we’ve covered on our own pages many individuals who’ve spent considerable time and effort rolling their own remote monitoring solutions which seem to overlap the goals of Haven.

So even if your daily life is more John Doe than James Bond, you may want to check out the GitHub page for Haven or even install it on one of the incredibly cheap Android phones that are out there and take it for a spin.
