There’s a piece of news floating around the open IP and allied communities at the moment which appears to have caused some consternation. It comes from Adobe, who have announced that due to an end of their licensing deal with Pantone LLC, PSD images loaded into Photoshop will have pixels containing unlicensed Pantone colours replaced with black. What, Pantone owns colours now? Are we expected to pay a royalty every time we take a picture of a blue sky? It’s natural to react with suspicion when hearing a piece of news like this, but for once we think this might not be the unreasonable intellectual property land grab it may first appear. To illustrate this, it’s necessary to explain what Pantone does, and what they don’t do. Continue reading “All Your Pixels Are (Probably Not) Belong To Pantone”
NVIDIA Power Cables Are Melting, This May Be Why
NVIDIA has recently released their lineup of 40-series graphics cards, with a novel generation of power connectors called 12VHPWR. See, the previous-generation 8-pin connectors were no longer enough to satiate the GPU’s hunger. Once cards started getting into the hands of users, surprisingly, we began seeing pictures of melted 12VHPWR plugs and sockets online — specifically, involving ATX 8-pin GPU power to 12VHPWR adapters that NVIDIA provided with their cards.
Now, [Igor Wallossek] of igor’sLAB proposes a theory about what’s going on, with convincing teardown pictures to back it up. After an unscheduled release of plastic-scented magic smoke, one of the NVIDIA-provided connectors was destructively disassembled. Turned out that these connectors weren’t crimped like we’re used to, but instead, the connectors had flat metal pads meant for wires to solder on. For power-carrying connectors, there are good reasons this isn’t the norm. That said, you can make it work, but chances are not in favor of this specific one.
The metal pads in question seem far too thin and structurally unsound; as one can readily spot, their cross-section is dwarfed by that of the cables soldered to them. This creates a segment of increased resistance and heat loss, exacerbated by any flexing of the thick and unwieldy cabling. Because the metal is so thin, the stress points are quite flimsy: one of the metal pads broke straight off during disassembly of the connector.
If this theory is true, the situation is a blunder to blame on NVIDIA. On the upside, the 12VHPWR standard itself seems to be viable, as there are examples of PSUs with native 12VHPWR connections that don’t exhibit this problem. It seems gamers with top-of-the-line GPUs can now empathize with the problems that we hackers have been seeing in very cheap 3D printers.
2022 Supercon: Schedule Released, And [Odd Jayy]
It’s finally time! We’ve put together the 2022 Supercon Schedule, and you can check out all the talks, workshops, and events in one place – right now.

It all starts off with breakfast on Friday morning to power you up for a full day of badge hacking, workshops, and general mixing and mingling before the Friday night party. Fridays are significantly less formal, but swing by Supplyframe HQ any time to get registered, get your badge, and get a mellow head start on Supercon.
Saturday morning, the talks begin! After a brief introduction and welcome, keynote speaker Joe Grand takes the stage to kick things off. And from then on, it’s two tracks of talks on two stages until your brain explodes. Or at least until the Hackaday Prize Awards ceremony at 7:00 PM, followed by the awards after-party.
Pull yourself out of bed Sunday morning for another full day of stellar talks. And squeeze in some more last minute badge-hacking time somehow, because we close up Sunday evening with the always entertaining badge hacking contest and awards.
Jorvon [Odd Jayy] Moss to Speak
Plus, we’ve got one last bit of great news: Jorvon [Odd Jayy] Moss is giving a talk on his adventures in making companion robots, and his latest forays into adding more intelligence into his animatronic and artistic creations.
So if you haven’t bought your tickets yet, do it. ‘Nuff said. See you at Supercon!
And if you’re not able to make it live, all of the talks on the LACM Stage will be streamed live on our YouTube channel, and you can join in the discussion over at the Hackaday Discord server or on Hackaday.io’s Supercon Chat channel. And all the talks that we can’t stream, we’re recording for later release, so you can always catch up later.
3D Printing Gets Small In A Big Way
If you have a 3D printer in your workshop, you probably fret more about how to get bigger objects out of it. However, the University of Amsterdam has a new technique that allows for fast large-scale printing with sub-micron resolution. The technique is a hybrid of photolithography and stereolithography.
One of the problems with printing with fine detail is that print times become very long. However, the new technique claims to have “acceptable production time.” Apparently, bioprinting applications are very much of interest to the technology’s first licensee. There is talk of printing, for example, a kidney scaffold in several hours or a full-sized heart scaffold in less than a day.
Another example application is the production of a chromatography instrument with 200 micron channels and 20 micron restrictions. This requires a printer capable of very fine detail. There are also applications in semiconductors and mechanical metamaterials. Of course, we always take note of photolithography processes because we use them to make PC boards and even integrated circuits. A desktop printer that could do photolithography might open up new ideas for producing electronic circuitry.
If you want to play with photolithography today, [Ben Krasnow] has some advice. Of course, there are several ways to produce PC boards, even with a garden-variety 3D printer.
This Week In Security: Linux WiFi, Fortinet, Text4Shell, And Predictable GUIDs
Up first this week is a quintet of vulnerabilities in the Linux kernel’s wireless code. It started with [Soenke Huster] from TU Darmstadt, who found a buffer overwrite in mac80211 code. The private disclosure to SUSE kernel engineers led to a security once-over of this wireless framework in the kernel, and some other nasty bugs were found. A couple result in Denial-of-Service (DoS), but CVE-2022-41674, CVE-2022-42719, and CVE-2022-42720 are Remote Code Execution vulnerabilities. The unfortunate bit is that these vulnerabilities are triggered while processing beacon frames — the wireless packets that announce the presence of a wireless network. A machine doesn’t have to be connected or trying to connect to a network; simply scanning for networks can lead to compromise.
The flaws were announced on the 13th, and were officially fixed in the mainline kernel on the 15th. Many distros shipped updates on the 14th, so the turnaround was quite quick on this one. The flaws were all memory-management problems, which has prompted a few calls for the newly-merged Rust framework to get some real-world use sooner rather than later.
Fortinet
Much of Fortinet’s lineup, most notably their Fortigate firewalls, has a pre-auth authentication bypass on the administrative HTTP/S interface. Or, plainly: if you can get to the login page, you can break in without a password. That’s bad, but at this point you *really* shouldn’t have any administrative interfaces world-accessible on any hardware. Updated firmware is available.
More than just a couple days have passed, so we have some idea of the root problem and how it was fixed. It’s a simple one — the Forwarded HTTP headers on an incoming request are unintentionally trusted. So just send a request with Forwarded:for and Forwarded:by set to 127.0.0.1, and it falls through into code logic intended for internal API calls. Add a trusted SSH key, and pop, you’re in. Whoops. Continue reading “This Week In Security: Linux WiFi, Fortinet, Text4Shell, And Predictable GUIDs”
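The trust bug described above, reduced to its essence as an added example (this is not Fortinet’s code; the request type, the single combined `Forwarded: for=…;by=…` header form, and the loopback-means-internal rule are assumptions). The vulnerable check lets any client that can reach the interface claim to be internal; the hardened check only consults the address the server itself observed on the socket.

```python
from dataclasses import dataclass, field

LOOPBACK = "127.0.0.1"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    peer_ip: str                                  # TCP peer address, set by the server socket
    headers: dict = field(default_factory=dict)   # entirely client-controlled


def parse_forwarded(value):
    """Parse an RFC 7239 'Forwarded' header value into a dict such as {'for': ..., 'by': ...}."""
    params = {}
    for element in value.split(","):          # several proxies may append elements
        for pair in element.split(";"):
            if "=" in pair:
                key, val = pair.split("=", 1)
                params[key.strip().lower()] = val.strip().strip('"')
    return params


def is_internal_request_vulnerable(req):
    """The flawed pattern: believes client-supplied Forwarded headers about who is calling."""
    fwd = parse_forwarded(req.headers.get("Forwarded", ""))
    return fwd.get("for") == LOOPBACK and fwd.get("by") == LOOPBACK


def is_internal_request_hardened(req):
    """Decide 'internal' from the transport peer address alone; headers are never consulted."""
    return req.peer_ip == LOOPBACK


def admin_api(req, is_internal):
    """Dispatch: the privileged code path is reachable only for callers judged internal."""
    if is_internal(req):
        return "internal-api"        # no password check on this path
    return "login-required"


# Constructed requests: an outside host spoofing the header, and a genuine loopback caller.
SPOOFED = Request(peer_ip="203.0.113.7",
                  headers={"Forwarded": f"for={LOOPBACK};by={LOOPBACK}"})
GENUINE = Request(peer_ip=LOOPBACK)

if __name__ == "__main__":
    for name, checker in (("vulnerable", is_internal_request_vulnerable),
                          ("hardened", is_internal_request_hardened)):
        print(name, "spoofed ->", admin_api(SPOOFED, checker),
              "| genuine ->", admin_api(GENUINE, checker))
```

Even the hardened form only fixes the spoofing; internal API paths should still carry their own authentication rather than relying on source address alone.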
2022 Hackaday Supercon: Final Talks Announced
The third and final round of the 2022 Supercon talks announcements brings us closer to a complete picture of the full spectrum of hacking awesomeness taking the stage in just a few weeks. (And we haven’t even announced the keynote yet!)
Supercon is the Ultimate Hardware Conference and you need to be there! We’ll continue to announce speakers and workshops over the next couple weeks. Supercon will sell out so get your tickets now before it’s too late. And stay tuned for the next round of talk reveals next week! Continue reading “2022 Hackaday Supercon: Final Talks Announced”
This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG
First up is some clever wizardry from the [Aqua Nautilus] research team, who discovered a timing attack that leaks information about private npm packages. The setup is this: npm hosts both public and private Node.js packages. The public ones are available to everyone, but the private packages are “scoped”, meaning they live within a private namespace (“@owner/packagename”) and are inaccessible to the general public. Trying to access such a package results in an HTTP 404 error — the same error as trying to pull a package that doesn’t exist.

The clever bit is to keep trying, and to pay close attention to the responses. Use npm’s API to request info on your target package five times in a row. If the package name isn’t in use, all five requests take the expected amount of time: each request lands at the service’s backend, a lookup is performed, and you get the response. On the flip side, if your target package does exist but is privately scoped, the first request returns with the expected delay and the other four return immediately. It appears that npm has a front-end that caches the 404 response for a private package. That response-time discrepancy means you can map out the private package names used by a given organization in their private scope.
Now this is all very interesting, but it turns into a plausible attack when combined with typosquatting and dependency confusion issues. Those attacks are two approaches to the same goal: getting a Node.js deployment to run a malicious package instead of the legitimate one the developer intended. One depends on typos, while dependency confusion just relies on a developer not explicitly defining the scope of a package.
Continue reading “This Week In Security: Npm Timing Leak, Siemens Universal Key, And PHP In PNG”
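A defender’s counterpart to the two attacks just described, as an added example that is not part of the original article: audit a package.json for dependencies that name one of the organisation’s private packages without the organisation’s scope (dependency confusion) or that closely resemble one (typosquatting). The scope, the private package inventory and the manifest are all constructed for the example.

```python
import difflib
import json

# Constructed inventory: the organisation's npm scope and its private package names.
ORG_SCOPE = "@example-org"
PRIVATE_PACKAGES = {"auth-client", "billing-core", "feature-flags"}

# Constructed package.json for a hypothetical app (not a real project's manifest).
SAMPLE_PACKAGE_JSON = """
{
  "name": "webapp",
  "dependencies": {
    "@example-org/auth-client": "^2.1.0",
    "billing-core": "^1.0.0",
    "express": "^4.18.2"
  },
  "devDependencies": {
    "feature-flgas": "^1.0.0"
  }
}
"""


def split_scope(name):
    """'@org/pkg' -> ('@org', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        return tuple(name.split("/", 1))
    return None, name


def audit_manifest(package_json_text, org_scope=ORG_SCOPE, private_packages=PRIVATE_PACKAGES):
    """Return (section, declared name, problem, suggested name) for each risky dependency."""
    manifest = json.loads(package_json_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            scope, bare = split_scope(name)
            if scope == org_scope:
                continue                      # properly scoped: resolves inside the private namespace
            if bare in private_packages:
                # Unscoped use of a private name: a public package of that name would be pulled instead.
                findings.append((section, name, "dependency-confusion", f"{org_scope}/{bare}"))
                continue
            close = difflib.get_close_matches(bare, private_packages, n=1, cutoff=0.8)
            if close:                         # near-miss spelling of a private package name
                findings.append((section, name, "possible-typosquat", f"{org_scope}/{close[0]}"))
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_PACKAGE_JSON):
        print(*finding)
```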