Hackaday Podcast 226: Ice, Snow, And Cooling Paint In July

This week, Editor-in-Chief Elliot Williams and Al Williams shoot the breeze about all things Hackaday. We start off with some fond remembrances of Don Lancaster, a legendary hardware hacker who passed away last month. There’s also news about the Hackaday Prize (the tool competition) and a rant about fast computers and slow software, a topic that drew many comments this week.

In the What’s That Sound event, Al proves he’s more of a Star Trek fan than a videogamer. There were plenty of correct answers, but only one winner: [Wybrandus]. There’s always next week, so keep playing!

Elliot may be dreaming of cooler weather since he talks about ice sculptures, snow measurements, and a paint that can make things cooler. We don’t know what Al is dreaming about, but he is worried about his fuses, and the ins and outs of open source licensing.

Along the way, you’ll hear about personal vehicles, sky cameras, and zapping weeds with extreme solar power. As usual, there is an eclectic mix of other posts. What has the Hackaday crew been up to? Field trips! Hear about Dan Maloney’s visit to the SNOTEL network to measure snowfall and a report from Al and Bil Herd’s trip to the Vintage Computer Festival Southwest.

Want to read along? The links below will get you started. Don’t forget to tell us what you think in the comments!

Or, download a copy for posterity to file away in your archive.


This Week In Security: Bogus CVEs, Bogus PoCs, And Maybe A Bogus Breach

It appears we have something of a problem. It’s not really a new problem, and shouldn’t be too surprising, but it did pop up again this week: bogus CVEs. Starting out in the security field? What’s the best way to jump-start a career? Getting a CVE find to your name certainly can’t hurt. And as a result, you get very junior security researchers looking for and reporting novel security vulnerabilities of sometimes dubious quality. Sometimes that process looks a lot like slinging reports against the wall to see what sticks. This brings us to an odd bug report in the OBS Studio project.

A researcher put together a script to look for possible password exposure in GitHub projects, and it caught a configuration value named “password” in a .ini file being distributed in the project source. Obvious credential leak in Git source, right? Except for the little detail that it was in the “locale” folder, and the files were named ca-es.ini, ja-jp.ini, and similar. You may be in on the joke by now, but if not, those are translation strings. It wasn’t leaked credentials, it was various translations of the word “password”. This sort of thing happens quite often, and from the viewpoint of a researcher looking at results from an automated tool, it can be challenging to spend enough time with each result to fully understand the code in question. It looks like this case also includes a language barrier, making it even harder to clear up the confusion.

Things took a turn for the worse when a CVE was requested. The CVE Numbering Authority (CNA) that processed the request was MITRE, which issued CVE-2023-34585. It was a completely bogus CVE, and thankfully a more complete explanation from OBS was enough to convince the researcher of his error. That, however, brings us back to CVE-2023-36262, which was published this week. It’s yet another CVE, for the same non-issue, and it even points at the same GitHub issue where the alleged bug is debunked. There are multiple fails here, but the biggest disappointment is MITRE, for handing out CVEs twice for the same issue. Shout-out to [Netspooky] on Twitter for spotting this one.
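The triage step the OBS report was missing, as an added example (not the researcher’s script or OBS code): a scanner that flags “password” keys but recognises a ca-es.ini-style file under a locale folder as a translation table, and only escalates values that look like real credentials. The sample files and paths are constructed for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample files (not from the OBS repository): two translation
# tables under a "locale" folder and one real config file with a credential.
SAMPLE_FILES = {
    "UI/data/locale/ca-es.ini": 'Basic.Settings.Password="Contrasenya"\n',
    "UI/data/locale/ja-jp.ini": 'Basic.Settings.Password="パスワード"\n',
    "deploy/stream.ini": 'server=rtmp://example.invalid\npassword=s3cr3t-Stream-K3y!\n',
}

KEY_RE = re.compile(r"password", re.I)
# Language-region file names such as ca-es.ini or ja-jp.ini (plain de.ini also matches).
LOCALE_FILE_RE = re.compile(r"^[a-z]{2}(-[a-z]{2})?\.ini$", re.I)

def is_locale_file(path: str) -> bool:
    p = PurePosixPath(path)
    in_locale_dir = "locale" in (part.lower() for part in p.parts[:-1])
    return in_locale_dir and bool(LOCALE_FILE_RE.match(p.name))

def looks_like_secret(value: str) -> bool:
    # Translated UI words are short, mostly alphabetic tokens; real credentials
    # tend to be longer and mix several character classes.
    classes = sum(bool(re.search(pat, value)) for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(value) >= 8 and classes >= 3

def triage(path: str, text: str):
    """Return (key, value, verdict) for every password-like key in a key=value file."""
    findings = []
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip('"')
        if not KEY_RE.search(key):
            continue
        if is_locale_file(path):
            verdict = "translation-string"      # a UI label, not a credential
        elif looks_like_secret(value):
            verdict = "possible-credential"     # worth a human look before reporting
        else:
            verdict = "needs-review"
        findings.append((key, value, verdict))
    return findings

def scan_repo(files):
    results = {path: triage(path, text) for path, text in files.items()}
    return {path: hits for path, hits in results.items() if hits}
```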

Remote Driving Controversial In UK, But It’s Already Here

The automotive industry is rushing towards autonomous vehicles as a futuristic ideal. They haven’t got the autonomous part sorted just yet. However, as part of this push, the technology to drive vehicles remotely via video link has become mature.

In the United Kingdom, there has been great controversy over whether this should be allowed, particularly for vehicles piloted by individuals outside the country’s borders. That came to a head with a Law Commission report published earlier this year, but since then, innovative companies have continued to work on remote driving regardless. Let’s dive into the current state of play.


Cooling Paint You Can Actually Make

[NightHawkInLight] has been working on radiative sky paint. (Video, embedded below.) That’s a coating that radiates heat in the infrared spectrum at a wavelength that isn’t readily absorbed or reflected by the atmosphere. The result is a passive system that keeps materials a few degrees cooler in direct sunlight than an untreated piece in the shade. That sounds a bit like magic, but apparently the math checks out.


Saying Goodbye To Don Lancaster

The electronics world has lost a guru. On June 7th this year, Don Lancaster passed away. [Brad] from Tech Time Traveller paid tribute to Don in a recent video. Don Lancaster was perhaps best known as the designer of the TV Typewriter. The Typewriter drew characters on a TV screen when the user typed on a keyboard. It was the fundamental part of a simple terminal. This was quite an accomplishment in 1973 when the article was first published.

Don embodied the hacker spirit by figuring out low-cost (cheap) ways to overcome obstacles. His genius was his ability to communicate his methods in a way even non-technical people could understand. Keyboards are a great example. Back in the 1970s a simple keyboard cost hundreds of dollars. Don figured out how to build one from scratch and published an article explaining how to do it.

Like many people we cover here on Hackaday, Don was quite a character. His website layout hasn’t changed much since the 1990s, but the content has grown. To say he was a prolific writer would be an understatement. PostScript, Magic Sinewaves, and patents are just a few of his favorite topics. Don’s recent work involved the research of prehistoric canals in the American Southwest.

Everyone here at Hackaday sends our deepest condolences to Don’s family.


Rocky Strikes Back At Red Hat

The world of Linux has seen some disquiet over recent weeks following the decision of Red Hat to restrict source code distribution for Red Hat Enterprise Linux (RHEL) to only their paying customers. We’re sure that there will be plenty of fall-out to come from this news, but what can be done if your project relies upon access to those Red Hat sources?

The Red-Hat-derived Rocky Linux distro relies on access to RHEL source, so the news could have been something of a disaster. Fortunately for Rocky users, though, they appear to have found a reliable way to bypass the restriction and retain access to those RHEL sources. Red Hat would like anyone wanting source access to pay them handsomely for the privilege, but the Rocky folks have spotted a way around this. Using readily available cloud images they can spin up a RHEL system and use it to download the sources, and they can do this as an automated process.

We covered this story as it unfolded last week, and it seemed inevitable then that something of this nature would be found, as for all Red Hat’s wishes a GPL-licensed piece of code can’t be prevented from being shared. So Rocky users and the wider community will for now retain access to the code, but will Red Hat strike back? It’s inevitable that there will be a further backlash from the community against any such moves, but will Red Hat be foolhardy enough to further damage their standing in this regard? They’re certainly not the only large distro losing touch with their users.

This Week In Security: Camaro Dragon, RowPress, And RepoJacking

Malicious flash drives have come a long way since the old days of autorun infections. It’s not an accident that Microsoft has tightened down the attack surface of removable media. So how exactly did a malicious flash drive lead to the compromise of a European hospital? Some sophisticated firmware on the drive? A mysterious zero day? Nope, just hidden files, and an executable using the drive name and icon. Some attacker discovered that a user trying to access a flash drive, only to be presented with what looks like the same flash drive icon, will naturally try to access it again, running an .exe in the process.

That executable runs a signed Symantec binary, included on the drive, and sideloads an OCX that hijacks the process. From there, the computer is infected, as well as any other flash drives in the machine. Part of the obfuscation technique is an odd chain of executables, executed recursively for a hundred copies. Naturally, once the infection has rooted itself in a given machine, it takes commands from a C&C server and sends certain files out to its waiting overlords. Check Point Research has attributed this campaign to Camaro Dragon, a name straight from the 80s that refers to a Chinese actor with an emphasis on espionage.
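A triage check for the lure described above, as an added example (not from Check Point’s report or any vendor tool): given the root listing of a removable drive and its volume label, it flags a visible executable named after the drive together with the real content being hidden. The drive listings and the label USB_DRIVE are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    name: str      # file or folder name in the drive root
    hidden: bool   # Windows "hidden" attribute set
    is_dir: bool

# Constructed listings (assumed volume label "USB_DRIVE"). The suspect one
# mirrors the lure: the user's folders are hidden and a visible .exe carries
# the drive's own name, so it looks like the drive icon the user just clicked.
VOLUME_LABEL = "USB_DRIVE"
SUSPECT_ROOT = [
    Entry("USB_DRIVE.exe", hidden=False, is_dir=False),
    Entry("Documents", hidden=True, is_dir=True),
    Entry("tools", hidden=True, is_dir=True),
]
BENIGN_ROOT = [
    Entry("Documents", hidden=False, is_dir=True),
    Entry("photo.jpg", hidden=False, is_dir=False),
]

# .exe is what the write-up describes; .scr and .com are other directly
# runnable Windows types and are included as a generalisation.
EXEC_SUFFIXES = (".exe", ".scr", ".com")

def lure_findings(label: str, entries):
    """Return a list of human-readable findings for one drive root listing."""
    findings = []
    visible = [e for e in entries if not e.hidden]
    hidden = [e for e in entries if e.hidden]
    for e in visible:
        if e.is_dir or not e.name.lower().endswith(EXEC_SUFFIXES):
            continue
        stem = e.name.rsplit(".", 1)[0]
        if stem.lower() == label.lower():
            findings.append(f"visible executable named after the drive: {e.name}")
    if hidden and len(hidden) >= len(visible):
        findings.append(f"{len(hidden)} hidden root entries vs {len(visible)} visible")
    return findings

def is_lure(label: str, entries) -> bool:
    # Both traits together are the pattern; either alone is common and benign.
    f = lure_findings(label, entries)
    return any("named after" in s for s in f) and any("hidden" in s for s in f)
```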