This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9

It looks like there’s finally hope for sane password policies. The US National Institute of Standards and Technology, NIST, has released a draft of SP 800-63-4, the Digital Identity Guideline.

There’s password guidance in there, like “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords” and “SHALL NOT require users to change passwords periodically.” NIST-approved passwords must be at least 8 characters long, with a weaker recommendation of at least 15 characters. Security questions like the name of your first pet get the axe. And it’s strongly recommended that all ASCII and Unicode characters should be acceptable for passwords.

This is definitely moving in the right direction. NIST guidelines are only binding for government services and contractors, though they do eventually get picked up by banks and other industries. So there’s hope for sane password policies eventually.

Tank Hacking

Researchers at Bitsight are interested in infrastructure security, and they opted to take a closer look at Automatic Tank Gauging (ATG) systems. Those are found at gas stations, as well as any other facility that needs automated monitoring of liquids or gases in a tank. There is an actual ATG message format, originally designed for RS-232 serial, and woefully unprepared for the interconnected present. The protocol allows for an optional security code, but it maxes out at only six alphanumeric characters.

Among the vulnerabilities getting announced today, we have a pair of CVSS 10 command injection flaws, a quartet of 9.8 authentication bypass flaws, with one of those being a hardcoded credential — AKA a backdoor. The other CVSS9+ flaw is a SQL injection, with a trio of slightly less serious flaws. Continue reading “This Week In Security: Password Sanity, Tank Hacking, And The Mystery 9.9”

An Ode To The SAO

There are a lot of fantastic things about Hackaday Supercon, but for me personally, the highlight is always seeing the dizzying array of electronic bits and bobs that folks bring with them. If you’ve never had the chance to join us in Pasadena, it’s a bit like a hardware show-and-tell, where half the people you meet are eager to pull some homemade gadget out of their bag for an impromptu demonstration. But what’s really cool is that they’ve often made enough of said device that they can hand them out to anyone who’s interested. Put simply, it’s very easy to leave Supercon with a whole lot more stuff than when you came in with.

Most people would look at this as a benefit of attending, which of course it is. But in a way, the experience bummed me out for the first couple of years. Sure, I got to take home a literal sack of incredible hardware created by members of our community, and I’ve cherished each piece. But I never had anything to give them in return, and that didn’t quite sit right with me.

So last year I decided to be a bit more proactive and make my own Simple Add-On (SAO) in time for Supercon 2023. With a stack of these in my bag, I’d have a personalized piece of hardware to hand out that attendees could plug right into their badge and enjoy. From previous years I also knew there was something of an underground SAO market at Supercon, and that I’d find plenty of people who would be happy to swap their own add-ons for mine.

To say that designing, building, and distributing my first SAO was a rewarding experience would be something of an understatement. It made such an impression on me that it ended up helping to guide our brainstorming sessions for what would become the 2024 Supercon badge and the ongoing SAO Contest. Put simply, making an SAO and swapping it with other attendees adds an exciting new element to a hacker con, and you should absolutely do it.

So while you’ve still got time to get PCBs ordered, let’s take a look at some of the unique aspects of creating your own Simple Add-On.

Continue reading “An Ode To The SAO”

2024 Hackaday Superconference Speakers, Round Two

It’s honestly amazing the range of fascinating talks we have lined up for this year’s Supercon. From art robots that burp and belch to gliders returning from near-space, from hardcore DSP to DIY PCBs, and sketching with machines, Hackaday’s Supercon is like nothing else out there.

And if you’re already coming, don’t have a talk slot reserved, but still have something that you want to say, please sign yourself up for a Lightning Talk! In the spirit of the Lightning, we’ll be taking submissions up to the absolute last minute, and we will fit in as many short talks as possible, but when it does fill up, we’ll be giving priority to those who got in first.

We’ve got one more speaker announcement coming up, and of course our keynote speaker and the badge reveal. Supercon will sell out, so get your tickets now before it’s too late. So without further ado, here is our next round of stellar speakers!

Continue reading “2024 Hackaday Superconference Speakers, Round Two”

Tech In Plain Sight: Zipper Bags

You probably think of them as “Ziploc” bags, but, technically, the generic term is zipper bag. Everything from electronic components to coffee beans arrive in them. But they weren’t always everywhere, and it took a while for them to find their niche.

Image from an early Madsen patent

A Dane named Borge Madsen was actually trying to create a new kind of zipper for clothes in the 1950s and had several patents on the technology. The Madsen zipper consisted of two interlocking pieces of plastic and a tab to press them together. Unfortunately, they didn’t work very well for clothing.

A Romanian immigrant named Max Ausnit bought the rights to the patent and formed Flexigrip Inc. He used the zippers on flat vinyl pencil cases and similar items. However, these still had the little plastic tab that operated like a zipper pull. While you occasionally see these in certain applications, they aren’t what you think of when you think of zipper bags.

Zipping

Ausnit’s son, Steven, figured out how to remove the tab. That made the bags more robust, a little handier to use, and it also rendered them less expensive to produce. Even so, cost was a barrier because the way they were made was to heat seal the zipper portion to the bags.

That changed in the 1960s when the Ausnits learned of a Japanese company, Seisan Nippon Sha, that had a process to integrate the bags and zippers in one step which slashed the production cost in half. Flexigrip acquired the rights in the United States and created a new company, Minigrip, to promote this type of bag.

Continue reading “Tech In Plain Sight: Zipper Bags”

Supercon 2023: The Road To Writing Great Step-by-Step Instructions

IKEA is known as a purveyor of build-it-yourself flatpack furniture. LEGO is known as a purveyor of build-it-yourself toys. Both are known for their instructions. The latter’s are considered incredibly clear and useful, while the former’s are often derided as arcane and confusing—though the major difference between the two is color printing.

These two companies are great examples of why instructions are important. Indeed, Sonya Vasquez has learned this lesson well, and came down to Supercon 2023 to tell us all about it. Prepare to learn all about how to write great step-by-step instructions that enable greatness and never frustrate the end user.

Continue reading “Supercon 2023: The Road To Writing Great Step-by-Step Instructions”

Fukushima Daiichi: Cleaning Up After A Nuclear Accident

On 11 March, 2011, a massive magnitude 9.1 earthquake shook the west coast of Japan, with the epicenter located at a shallow depth of 32 km, a mere 72 km off the coast of Oshika Peninsula, of the Touhoku region. Following this earthquake, an equally massive tsunami made its way towards Japan’s eastern shores, flooding many kilometers inland. Over 20,000 people were killed by the tsunami and earthquake, thousands of whom were dragged into the ocean when the tsunami retreated. This Touhoku earthquake was the most devastating in Japan’s history, both in human and economic cost, but also in the effect it had on one of Japan’s nuclear power plants: the six-unit Fukushima Daiichi plant.

In the subsequent Investigation Commission report by the Japanese Diet, a lack of safety culture at the plant’s owner (TEPCO) was noted, along with significant corruption and poor emergency preparation, all of which resulted in the preventable meltdown of three of the plant’s reactors and a botched evacuation. Although afterwards TEPCO was nationalized, and a new nuclear regulatory body established, this still left Japan with the daunting task of cleaning up the damaged Fukushima Daiichi nuclear plant.

Removal of the damaged fuel rods is the biggest priority, as this will take care of the main radiation hazard. This year TEPCO has begun work on removing the damaged fuel inside the cores, the outcome of which will set the pace for the rest of the clean-up.

Continue reading “Fukushima Daiichi: Cleaning Up After A Nuclear Accident”

Hackaday Links: September 22, 2024

Thanks a lot, Elon. Or maybe not, depending on how this report that China used Starlink signals to detect low-observable targets pans out. There aren’t a lot of details, and we couldn’t find anything approximating a primary source, but it seems like the idea is based on forward scatter, which is when waves striking an object are deflected only a little bit. The test setup for this experiment was a ground-based receiver listening to the downlink signal from a Starlink satellite while a DJI Phantom 4 Pro drone was flown into the signal path. The drone was chosen because nobody had a spare F-22 or F-35 lying around, and its radar cross-section is about that of one of these stealth fighters. They claim that this passive detection method was able to make out details about the drone, but as with most reporting these days, this needs to be taken with an ample pinch of salt. Still, it’s an interesting development that may change things up in the stealth superiority field.

Continue reading “Hackaday Links: September 22, 2024”