Ortur Laser Will Go Open-Source

Well, that was fast! Last week, we wrote about a video by [Norbert Heinz] where he called out the Ortur laser engravers for apparently using the GPL-licensed grbl firmware without providing the source code and their modifications to it, as required by the license. Because open source and grbl are dear to our hearts and CNC machines, we wrote again about Norbert’s efforts over the weekend, speculating that it might just be unfamiliarity with the open source license requirements on Ortur’s part.

Because of [Norbert]’s persistence and publicity around the issue, the support ticket finally reached the right person within Ortur, and within two or three days [Gil Araújo], Support Admin at Ortur, managed to convince the company that going fully open source was the right thing to do. What remains is the question of how to do it, operationally.

So [Gil] asked [Norbert] to ask Hackaday: what do you want from Ortur on this, and how should they proceed? Via e-mail, he asked in particular for best practices on setting up the repository and making the code actually useful to non-programmer types. He said that he looked around at the other laser engraver companies, and didn’t find any good examples of others doing the Right Thing™, so he asked [Norbert] to ask us. And now we’re asking you!

Have you got any good examples of companies using open-source firmware, modifying it, and making it available for their users? Is a simple GitHub repo with a README enough, or should he spend some time on making it user-friendly for the non-coders out there? Or start with the former and work toward the latter as a goal? I’m sure [Gil] will be reading the comments, so be constructive! You’ll be helping a laser engraver company take its first steps into actually engaging with the open source community.

We said it before, and we’ll say it again. Good job [Norbert] for taking Ortur to task here, and for doing so in a way that leaves them the option of turning around and doing the right thing. This also highlights that companies aren’t monolithic beasts – sometimes it takes getting your cause heard by just the right person within a company to change the response from a “this is a business secret” to “how should we set up our GitHub?” And kudos to [Gil] and Ortur for listening to their users!

The 2022 Hackaday Supercon Is On! And The Call For Proposals Is Open

After two years in remote mode, we’re very excited to announce that this year’s Hackaday Supercon will be coming back, live! Join us Nov. 4th, 5th, and 6th in sunny Pasadena, CA for three days of hacks, talks, and socializing with the Hackaday community. And we’d love to see and hear in person what you’ve been up to for the last two years – so start brainstorming what you’re going to talk about now and fill out the call for proposals.

Supercon is On!

We’ll be starting off on Friday Nov. 4th with early-bird registration, a mellow afternoon of badge-hacking and workshops, and a party to kick off the con. Saturday and Sunday will be the full enchilada: two tracks of talks, hacking stations and food set up in the alley, and workshops aplenty. (Just thinking about hacking in the alley and sharing tacos afterward again brings a tear of joy to my eye.) We’ll close up Sunday night with the 2022 Hackaday Prize Awards and a chance to demo the weekend’s badge hacking on stage.

If you haven’t ever been to a Supercon before, it’s Hackaday in real life. People bring hacks to show and share, projects to work on, and their ideas that are too big to fit in the overhead compartment anyway. The crowd is awesome. There are seasoned pros, famous YouTubers, and brand-new hackers to boot. And yet it’s not overwhelming – Supercon is too big to fit in your living room, but it’s nonetheless cozy. The folks in attendance are all fantastic and you’ll stumble into the most awesome conversations.

It’s a weekend you don’t want to miss, so start figuring out how you’re going to get to Pasadena now.

We’ll be putting tickets on sale soon, and while we can’t see into the future, they have sold out every year, so keep your eyes on Hackaday to get yours. And of course, speakers don’t need no stinking tickets. Continue reading “The 2022 Hackaday Supercon Is On! And The Call For Proposals Is Open”

strut mounted on lathe

Turning Irregular Shapes

In case you’re not closely following Egyptian Machinist YouTube, you may have missed [Hydraulic House]. It’s gotten even harder to find him since he started posting under [بيت الهيدروليك]. Don’t let the Arabic put you off, he delivers it all in pantomime.

A recent drop is “How To Turn Irregular Shapes On The Lathe”. We’re not sure, but think the part he’s working on is the front suspension of a 3-wheeled auto-rickshaw. The first metal at the center is over 30 cm from the bottom. No problem, he just makes a long driven dead center from a bit of scrap material and goes on with his business.

By no means is this the only cool video. We liked his video on a remote pumped hydraulic jack and one on making your own hydraulic valves.

If you’re into machinist-y things, don’t miss him. Every video is full of pretty nifty tricks, sometimes made with a zany disregard of some basics like “maybe better to have done the welding before mounting in the lathe”, turning with a cutoff tool (I think), and occasionally letting go of the chuck key. It’s definitely ‘oh, get on with it’ machine shop work.

We love videos from professionals in the developing world making with relatively simple tools. Often hobby hackers are in the same position, milling with a lathe and some patience instead of a giant Okuma. Not long ago we posted this article about making helical parts, with the same ‘imagination and skill beats more machinery any day’ vibe.

Continue reading “Turning Irregular Shapes”

This Week In Security: Retbleed, Post-Quantum, Python-atomicwrites, And The Mysterious Cuteboi

Yet another entry in the “why we can’t have nice things” category, Retbleed was announced this week, as yet another speculative execution vulnerability. This one is mitigated in hardware for AMD’s Zen 3 and Intel Generation 9 and later. For earlier devices the performance hit in mitigation is quite painful. What exactly makes this different from previous weaknesses, and why didn’t the previous mitigations cover this problem?
Continue reading “This Week In Security: Retbleed, Post-Quantum, Python-atomicwrites, And The Mysterious Cuteboi”

NASA’s Flying Telescope Is Winding Down Operations

NASA’s Hubble Space Telescope is arguably the best known and most successful observatory in history, delivering unprecedented images that have tantalized the public and astronomers alike for more than 30 years. But even so, there’s nothing particularly special about Hubble. Ultimately it’s just a large optical telescope which has the benefit of being in space rather than on Earth’s surface. In fact, it’s long been believed that Hubble is not dissimilar from contemporary spy satellites operated by the National Reconnaissance Office — it’s just pointed in a different direction.

There are however some truly unique instruments in NASA’s observational arsenal, and though they might not have the name recognition of the Hubble or James Webb Space Telescopes, they still represent incredible feats of engineering. This is perhaps best exemplified by the Stratospheric Observatory for Infrared Astronomy (SOFIA), an airborne infrared telescope built into a retired airliner that is truly one-of-a-kind.

Unfortunately this unique aerial telescope also happens to be exceptionally expensive to operate; with an annual operating cost of approximately $85 million, it’s one of the agency’s most expensive ongoing astrophysics missions. After twelve years of observations, NASA and their partners at the German Aerospace Center have decided to end the SOFIA program after its current mission concludes in September.

With the telescope so close to making its final observations, it seems a good time to look back at this incredible program and why the US and German space centers decided it was time to put SOFIA back in the hangar.

Continue reading “NASA’s Flying Telescope Is Winding Down Operations”

This Week In Security: Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It

To start with, Microsoft’s June security patch has a fix for CVE-2022-26925, a Man-In-The-Middle attack against NTLM. According to NIST, this attack is actively being exploited in the wild, so it landed on the KEV (Known Exploited Vulnerabilities) Catalog. That list tracks the most important vulnerabilities to address, and triggers a mandated patch install no later than July 22nd. The quirk here is that the Microsoft patch that fixes CVE-2022-26925 also includes a fix for a couple of certificate vulnerabilities, including CVE-2022-2693, Certifried. That vulnerability was one where a machine certificate could be renamed to the same as a domain controller, leading to organization-wide compromise.

The fix that rolled out in June now requires that a “strong certificate mapping” be in place to tie a user to a certificate. Having the same common name is no longer sufficient, and a secure value like the Security IDentifier (SID) must be mapped from certificate to user in Active Directory. The patch puts AD in a compatibility mode, which accepts the insecure mapping so long as the user account predates the certificate. This has an unintended consequence of breaking how the US Government uses CACs (Common Access Cards) to authenticate their users. Government agencies typically start their onboarding by issuing a CAC, and then establishing an AD account for that user. That makes the certificate older than the account, which means the newest patch rejects it. Thankfully there’s a registry key that can be set, allowing the older mapping to still work, though likely with a bit of a security weakness opened up as a result. Continue reading “This Week In Security: Breaking CACs To Fix NTLM, The Biggest Leak Ever, And Fixing Firefox By Breaking It”

This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly

There’s a problem in the unrar utility, and as a result, the Zimbra mail server was vulnerable to Remote Code Execution by simply sending an email. So first, unrar is a source-available command-line application made by RarLab, the same folks behind WinRAR. CVE-2022-30333 is the vulnerability there, and it’s a classic path traversal on archive extraction. One of the ways this attack is normally pulled off is by extracting a symlink to the intended destination, which then points to a location that should be restricted. unrar has code hardening against this attack, but it is sabotaged by its cross-platform support. On a Unix machine, the archive is checked for any symbolic links containing the ../ pattern. After this check is completed, a function runs to convert any Windows paths to Unix notation. As such, the simple bypass is to include symlinks using ..\ traversal, which don’t get caught by the check, and are then converted into working Unix paths.

That was bad enough, but Zimbra made it worse by automatically extracting .rar attachments on incoming emails, in order to run a virus and spam check. That extraction isn’t sandboxed, so an attacker’s files are written anywhere on the filesystem the zimbra user can write. It’s not hard to imagine how this turns into a full RCE very quickly. If you have an unrar binary based on RarLab code, check for version 6.1.7 or 6.12 of their binary release. While Zimbra was the application specifically called out, there are likely to be other cases where this could be used for exploitation.
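The check-then-convert ordering described above, modelled as an added example (this is not unrar’s code, and the symlink targets and extraction directory are constructed for the demonstration): the same ‘..’ check accepts or rejects a Windows-separator target depending only on whether separator conversion runs before or after it, and a stronger check resolves the target against the extraction directory instead.

```python
import posixpath

# Constructed stand-in for the directory an archive is extracted into.
EXTRACT_DIR = "/srv/extract"


def has_dotdot(path: str) -> bool:
    """The traversal check as described: look for a '..' component, splitting on '/' only."""
    return ".." in path.split("/")


def win_to_unix(path: str) -> str:
    """The separator conversion that, in the vulnerable version, ran after the check."""
    return path.replace("\\", "/")


def allow_symlink_check_then_convert(target: str) -> bool:
    """Vulnerable order: '..\\..\\etc\\passwd' is one component to the check, so it passes."""
    if has_dotdot(target):
        return False
    _unix_target = win_to_unix(target)  # conversion happens too late to help
    return True


def allow_symlink_convert_then_check(target: str) -> bool:
    """Fixed order: normalise separators first, then run the identical check."""
    return not has_dotdot(win_to_unix(target))


def stays_inside(target: str, base: str = EXTRACT_DIR) -> bool:
    """Stronger defensive check: resolve the link target against the extraction
    directory and refuse anything (including absolute paths) that ends up outside it."""
    unified = win_to_unix(target)
    if posixpath.isabs(unified):
        return False
    resolved = posixpath.normpath(posixpath.join(base, unified))
    return resolved == base or resolved.startswith(base.rstrip("/") + "/")


# Constructed symlink targets: benign, classic traversal, and Windows-separator traversal.
SAMPLE_TARGETS = ["data/report.txt", "../../etc/passwd", "..\\..\\etc\\passwd"]


def evaluate(targets=SAMPLE_TARGETS):
    """Return {target: (check_then_convert, convert_then_check, stays_inside)} for each target."""
    return {t: (allow_symlink_check_then_convert(t),
                allow_symlink_convert_then_check(t),
                stays_inside(t)) for t in targets}


if __name__ == "__main__":
    for target, (vuln, fixed, strict) in evaluate().items():
        print(f"{target!r:24} check-then-convert={vuln!s:5} convert-then-check={fixed!s:5} stays_inside={strict}")
```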
Continue reading “This Week In Security: Zimbra RCE, Routers Under Attack, And Old Tricks In WebAssembly”