Saying Goodbye To Don Lancaster

The electronics world has lost a guru. On June 7th this year, Don Lancaster passed away. [Brad] from Tech Time Traveller paid tribute to Don in a recent video. Don Lancaster was perhaps best known as the designer of the TV Typewriter. The Typewriter drew characters on a TV screen when the user typed on a keyboard, the fundamental part of a simple terminal. This was quite an accomplishment in 1973, when the article was first published.

Don embodied the hacker spirit by figuring out low-cost ways to overcome obstacles. His genius was his ability to communicate his methods in a way even non-technical people could understand. Keyboards are a great example. Back in the 1970s a simple keyboard cost hundreds of dollars. Don figured out how to build one from scratch and published an article explaining how to do it.

Like many people we cover here on Hackaday, Don was quite a character. His website layout hasn’t changed much since the 1990s, but the content has grown. To say he was a prolific writer would be an understatement. PostScript, Magic Sinewaves, and patents are just a few of his favorite topics. Don’s recent work involved researching prehistoric canals in the American Southwest.

Everyone here at Hackaday sends our deepest condolences to Don’s family.


Rocky Strikes Back At Red Hat

The world of Linux has seen some disquiet over recent weeks following the decision of Red Hat to restrict source code distribution for Red Hat Enterprise Linux (RHEL) to only their paying customers. We’re sure that there will be plenty of fall-out to come from this news, but what can be done if your project relies upon access to those Red Hat sources?

The Red-Hat-derived Rocky Linux distro relies on access to RHEL source, so the news could have been something of a disaster. Fortunately for Rocky users, though, they appear to have found a reliable way to retain access to those RHEL sources. Red Hat would like anyone wanting source access to pay them handsomely for the privilege, but the Rocky folks have spotted a way around this. Using readily available cloud images they can spin up a RHEL system and use it to download their sources, and they can do this as an automated process.

We covered this story as it unfolded last week, and it seemed inevitable then that something of this nature would be found, as for all Red Hat’s wishes a GPL-licensed piece of code can’t be prevented from being shared. So Rocky users and the wider community will for now retain access to the code, but will Red Hat strike back? It’s inevitable that there will be a further backlash from the community against any such moves, but will Red Hat be foolhardy enough to further damage their standing in this regard? They’re certainly not the only large distro losing touch with their users.

This Week In Security: Camaro Dragon, RowPress, And RepoJacking

Malicious flash drives have come a long way since the old days of autorun infections. It’s no accident that Microsoft has tightened down the attack surface available to removable media. So how exactly did a malicious flash drive lead to the compromise of a European hospital? Some sophisticated firmware on the drive? A mysterious zero-day? Nope, just hidden files and an executable using the drive’s name and icon. Some attacker discovered that a user trying to open a flash drive, only to be presented with what looks like the same flash drive icon, will naturally try to open it again, running an .exe in the process.

That executable runs a signed Symantec binary, included on the drive, and sideloads an OCX that hijacks the process. From there, the computer is infected, as well as any other flash drives in the machine. Part of the obfuscation technique is an odd chain of executables, run recursively for a hundred copies. Naturally, once the infection has rooted itself in a given machine, it takes commands from a C&C server and sends certain files out to its waiting overlords. Check Point Research has attributed this campaign to Camaro Dragon, a name straight from the 80s that refers to a Chinese actor with an emphasis on espionage.
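The lure as described above boils down to three things visible in a plain directory listing of the drive: a launcher carrying the volume’s own name, the genuine content hidden away, and a signed host executable with an OCX parked next to it. The following script is an added example (not Check Point’s or Microsoft’s code) that flags exactly those traits. The listing it scans is constructed inline; the file names `signed_host.exe` and `helper.ocx` are placeholders, not the names used in the campaign.

```python
"""Heuristic check of a removable drive's root listing for the flash-drive lure.
Added example, not Check Point's or Microsoft's code. It looks only for the
traits the write-up mentions: a launcher named after the volume label, the real
content hidden, and an .ocx beside an .exe (a candidate sideloading pair)."""
import os
from dataclasses import dataclass
from typing import List

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit
LAUNCHER_EXT = (".exe", ".lnk", ".scr", ".com")


@dataclass
class Entry:
    name: str      # entry name as listed at the drive root
    is_dir: bool
    hidden: bool


def scan_root(entries: List[Entry], volume_label: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    label = volume_label.casefold()
    launchers = {e.name for e in entries
                 if not e.is_dir and e.name.casefold().endswith(LAUNCHER_EXT)}

    # 1. Executable or shortcut whose name equals the drive's label (same-icon trick).
    for name in sorted(launchers):
        if os.path.splitext(name)[0].casefold() == label:
            findings.append(f"launcher named after the volume label: {name}")

    # 2. Everything the user would expect to see is hidden; only launchers are visible.
    visible = [e for e in entries if not e.hidden]
    hidden = [e for e in entries if e.hidden]
    if hidden and visible and all(e.name in launchers for e in visible):
        findings.append(f"{len(hidden)} hidden entries, only launcher(s) visible")

    # 3. An OCX beside an executable at the root: candidate sideloading pair.
    ocx = [e.name for e in entries if not e.is_dir and e.name.casefold().endswith(".ocx")]
    if ocx and launchers:
        findings.append(f"OCX beside executable(s) at root: {', '.join(sorted(ocx))}")
    return findings


def listing_from_path(root: str) -> List[Entry]:
    """Build the listing from a mounted drive. os.stat reports the hidden bit only
    on Windows; elsewhere dot-prefixed names are treated as hidden."""
    out = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
        out.append(Entry(name, os.path.isdir(path),
                         bool(attrs & FILE_ATTRIBUTE_HIDDEN) or name.startswith(".")))
    return out


# Constructed listing for a drive labelled "USB_DRIVE", mimicking the lure:
# a visible launcher with the drive's name, the genuine files hidden away, and
# a signed host executable plus the OCX it would sideload, both hidden.
# "signed_host.exe" and "helper.ocx" are placeholder names, not the real ones.
SAMPLE_LABEL = "USB_DRIVE"
SAMPLE_LISTING = [
    Entry("USB_DRIVE.exe", is_dir=False, hidden=False),
    Entry("USB_DRIVE", is_dir=True, hidden=True),
    Entry("signed_host.exe", is_dir=False, hidden=True),
    Entry("helper.ocx", is_dir=False, hidden=True),
]
CLEAN_LISTING = [
    Entry("photos", is_dir=True, hidden=False),
    Entry("report.docx", is_dir=False, hidden=False),
]

if __name__ == "__main__":
    for line in scan_root(SAMPLE_LISTING, SAMPLE_LABEL):
        print("FINDING:", line)
```

On a real machine, `scan_root(listing_from_path("E:\\"), "USB_DRIVE")` runs the same checks against a mounted drive. The third check is deliberately broad: a legitimate installer can ship an OCX, so treat it as a reason to look, not as proof of compromise.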

Meshtastic For The Greater Good

Last week, my city was hit by a tornado. That’s not surprising here in Oklahoma, and thankfully this event was an F0 or possibly even an EF0 — a really weak tornado. Only a couple roofs collapsed, though probably half the houses in town are going to need roof repairs, thanks to the combination of huge hail and high winds. While it wasn’t too bad, power did go down in a few places around town, and this led to an interesting series of events.

Chat messages were coming in like this: “That was a [power] flicker, yeah. Even took down my Internet.” Followed by “Whee, [fiber Internet] got knocked out and now Starlink has too many clouds in the way.” And after ten minutes of silence, we got a bit worried to see “Time to hide under a bed. … Is cell service back?” It is a bit spooky to think about trying to help neighbors and friends after a disaster, in the midst of the communication breakdown that often follows. If he had needed help, and had no working communications, how long would it have taken for us to go check on him?

Ventbot fans with 3D printed brackets and control circuit board with ESP32 breakout and multicolored 3D printed cases

Ventbots Are Fans Of HVAC And Home Automation

[WJCarpenter] had a common HVAC problem: not all the rooms got to a comfortable temperature when the heater was working to warm up their home. As often happens with HVAC systems, the rooms farthest from the heat source and/or with less insulation needed a boost of heat in the winter and of cooling in the summer too. [WJCarpenter] is a self-described software person rather than a hardware person, and you will enjoy going along on the journey to build some very capable vent boosters that require a mix of both.

Ventbot control circuit board with ESP32 breakout in a red 3D printed case

There’s a great build log on hackaday.io here, but for those who need more of a proper set of instructions, there’s a step-by-step guide that should allow even a beginner hardware hacker to complete the project over on Instructables. There you’ll find everything you need to build ESPHome controlled, 3D printed, PC fan powered vent boosters. While they can be integrated into Home Assistant, we were interested to learn that ESPHome allows these to run stand-alone too, each using its own temperature and pressure sensor.

The many iterations of hardware and software show, resulting in thoughtful touches like a startup sequence that checks for several compatible temperature sensors and a board layout that accommodates different capacitor lead spacings. Along the way, [WJCarpenter] also graphed the noise level of different fans running at multiple speeds, and the pressure sensor readings against the temperatures, to see if pressure could be used as a more reliable trigger for the fans (spoiler: it couldn’t). There are a bunch of other tips to find along the way, so we highly recommend going through all that [WJCarpenter] has shared if you want to build your own or just want some tips on how to convert a one-off project into something that a wider audience can adapt to their own needs.

Ventbot graphing of temperature, pressure, and fan noise

See a video after the break that doesn’t show the whole project but includes footage of the start-up sequence that tests each fan’s tachometer and the customizable ramp-up and ramp-down settings.

Et Tu, Red Hat?

Something odd happened to git.centos.org last week. That’s the repository where Red Hat has traditionally published the source code to everything that’s a part of Red Hat Enterprise Linux (RHEL) to fulfill the requirements of the GPL license. Last week, those packages just stopped flowing. Updates weren’t being published. And finally, Red Hat has published a clear answer to why:

Red Hat has decided to continue to use the Customer Portal to share source code with our partners and customers, while treating CentOS Stream as the venue for collaboration with the community.

Sounds innocuous, but what’s really going on here? Let’s have a look at the Red Hat family: RHEL, CentOS, and Fedora.

RHEL is the enterprise Linux distribution that is Red Hat’s bread and butter. Fedora is RHEL’s upstream distribution, where changes happen fast and things occasionally break. CentOS started off as a community repackaging of RHEL, as allowed under the GPL and other Open Source licenses, for people who liked the stability but didn’t need the software support that you’re paying for when you buy RHEL.

Red Hat took over the reins of CentOS back in 2014, and then imposed the transition to CentOS Stream in 2020, to some consternation. This placed CentOS Stream between the upstream Fedora and the downstream RHEL. Some people missed the stability of the old CentOS, and in response a handful of efforts spun up to fill the gap, like Alma Linux and Rocky Linux. These projects took the source from git.centos.org and rebuilt it into usable community operating systems, staying closer to RHEL in the process.

Red Hat has published a longer statement elaborating on the growth of CentOS Stream, but it ends with an interesting statement: “Red Hat customers and partners can access RHEL sources via the customer and partner portals, in accordance with their subscription agreement.” What exactly is in that subscription agreement? Well, according to Alma Linux, “the way we understand it today, Red Hat’s user interface agreements indicate that re-publishing sources acquired through the customer portal would be a violation of those agreements.”

This Week In Security: NOAuth, MiniDLNA, And Ticket To Ride

There’s a fun logic flaw in how multiple online services handle OAuth logins, that abuses Microsoft’s Azure Active Directory service to allow account takeovers. The problem is how a site handles the “Sign In With Microsoft” option, when there’s an existing account under the same email address. This is an irritating problem for an end-user, when a site offers multiple sign-in options. Trying to remember which option was used to set up an account is a struggle, so many services automatically merge accounts.

The problem is that the Microsoft Azure authentication information includes an email address, but Microsoft hasn’t done any verification that the account in question actually controls that address. In fact, it’s trivial for the Azure admin to change that address at whim. So if the service accepts that email address as authoritative and auto-merges the accounts, it’s a trivial account takeover. And it’s more than just a theoretical problem: researchers at Descope were able to demonstrate the attack, and found multiple medium and large services that were vulnerable, as well as at least two authentication providers that were themselves vulnerable to this attack.

Microsoft has pushed updates to the Azure AD service to make the issue easier to avoid, though it seems that the unverified “email” field is still being sent on authentication transactions. There is a new flag, “RemoveUnverifiedEmailClaim”, that eliminates the issue and is enabled by default for new applications. Unfortunately this means that existing vulnerable applications will continue to be vulnerable until fixed on the application side.
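The application-side fix comes down to which claim the service keys its accounts on. Below is an added example (not Descope’s, Microsoft’s or any affected service’s code) showing the flawed auto-merge next to a hardened version: the hardened login identifies a user by issuer plus subject, and uses the email address for merging only when the token says the identity provider verified it. With a claim dropped by “RemoveUnverifiedEmailClaim”, or with no `email_verified` flag, the address is simply treated as unverified. Claim names follow OpenID Connect; the issuer URLs and subject identifiers in the sample tokens are constructed placeholders, and signature and audience validation are assumed to have happened before these functions run.

```python
"""Account-linking logic behind a 'Sign in with <IdP>' button.
Added example, not code from Descope, Microsoft or any named service.
Tokens below are constructed claim sets; signature and audience checks are
assumed to have already passed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    email: Optional[str]
    identities: Set[str] = field(default_factory=set)  # "issuer|subject" keys


class Store:
    """In-memory user store standing in for the service's database."""

    def __init__(self) -> None:
        self.by_email: Dict[str, Account] = {}
        self.by_identity: Dict[str, Account] = {}

    def create(self, email: Optional[str], identity: Optional[str] = None) -> Account:
        acct = Account(email.casefold() if email else None)
        if acct.email:
            self.by_email[acct.email] = acct
        if identity:
            self.link(acct, identity)
        return acct

    def link(self, acct: Account, identity: str) -> None:
        acct.identities.add(identity)
        self.by_identity[identity] = acct


def identity_key(claims: dict) -> str:
    # Stable per-IdP identifier; never derived from the email address.
    return f"{claims['iss']}|{claims['sub']}"


def login_vulnerable(store: Store, claims: dict) -> Account:
    """The flawed pattern: look the user up by the token's email and merge.
    Any tenant whose admin can put that address on a user now owns the account."""
    email = claims["email"].casefold()
    acct = store.by_email.get(email) or store.create(email)
    store.link(acct, identity_key(claims))
    return acct


def login_hardened(store: Store, claims: dict) -> Optional[Account]:
    """Key on issuer+subject; merge on email only when the IdP asserts it
    verified the address. Returns None when the service must verify it itself."""
    ident = identity_key(claims)
    acct = store.by_identity.get(ident)
    if acct is not None:
        return acct  # returning user: this identity is already linked
    email = claims.get("email")          # absent if the IdP stripped it as unverified
    verified = claims.get("email_verified") is True
    existing = store.by_email.get(email.casefold()) if email else None
    if existing is None:
        # First login from this identity; keep the address only if verified.
        return store.create(email if verified else None, ident)
    if verified:
        store.link(existing, ident)
        return existing
    return None  # existing account, unverified address: no silent merge


# Constructed tokens. The attacker's tenant admin set the victim's address on
# their own user; the IdP never checked it, so there is no email_verified claim.
ATTACKER_CLAIMS = {
    "iss": "https://idp.example/attacker-tenant",
    "sub": "attacker-user-id",
    "email": "victim@example.com",
}
VERIFIED_CLAIMS = {
    "iss": "https://idp.example/victim-tenant",
    "sub": "victim-user-id",
    "email": "victim@example.com",
    "email_verified": True,
}

if __name__ == "__main__":
    store = Store()
    victim = store.create("victim@example.com")  # registered with a password earlier
    print("vulnerable merge gives attacker the victim account:",
          login_vulnerable(store, ATTACKER_CLAIMS) is victim)
    store = Store()
    victim = store.create("victim@example.com")
    print("hardened login refuses the merge:", login_hardened(store, ATTACKER_CLAIMS) is None)
```

The `None` return is the important branch: the service should fall through to its own email-verification step (or refuse the login) rather than guess. Keying `by_identity` on issuer as well as subject also matters, because `sub` values are only unique within one issuer.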