Matt Venn speaking at Supercon 2022

Supercon 2022: Matt Venn’s Tiny Tapeout Brings Chip Design To The Masses

Not that long ago, rolling your own printed circuit boards was difficult, time-consuming and expensive. But thanks to an army of cheap, online manufacturing services as well as high-quality free design software, any hobbyist can now make boards to rival those made by pros. A similar shift might be underway when it comes to chip design: affordable manufacturing options and a set of free software tools are slowly bringing custom chips into the realm of hackers and hobbyists. One of those working hard to democratize chip design is Matt Venn, who’s been telling us all about his current big project, called Tiny Tapeout, in his talk at Remoticon 2022.

Matt’s quest to bring IC design to the masses started in 2020, when the first open-source compatible Process Design Kit (PDK) was released to the public. A PDK is a collection of files, normally only available under strict non-disclosure agreements, that describe all the features of a specific chip manufacturing process and enable you to make a design. With this free PDK in hand and a rag-tag collection of free software tools, Matt set out to design his first chip, a VGA clock, which he taped out (released to manufacturing) in July 2020. Continue reading “Supercon 2022: Matt Venn’s Tiny Tapeout Brings Chip Design To The Masses”

All About USB-C: Talking Low-Level PD

In this USB-C series, we’ve covered quite a bit of USB-C – things that are well known, things that should be  better known, and a couple things that just appeared online for the first time. We’ve covered almost everything in some depth except USB Power Delivery. I’ve described the process a bit in the “Power” article, but that was mostly about how to use PD by simply buying the right solution. However, that’s not enough for a hacker. Let’s see if we can make our own PD trigger board. Continue reading “All About USB-C: Talking Low-Level PD”

Methane Pyrolysis: Producing Green Hydrogen Without Carbon Emissions

Generally, when we talk about the production of hydrogen, the discussion is about either electrolysis of water into oxygen and hydrogen, or steam methane reforming (SMR). Although electrolysis is often mentioned – as it can create hydrogen using nothing but water and electricity – SMR is by far the most common source of hydrogen. Much of this is due to the low cost and high efficiency of SMR, but a major disadvantage of SMR is that large amounts of carbon dioxide are released, which offsets some of the benefits of using hydrogen as a fuel in the first place.

Although capturing this CO2 can be considered as a potential solution here, methane pyrolysis is a newer method that promises to offer the same benefits as SMR while also producing hydrogen and carbon, rather than CO2. With the many uses for hydrogen in industrial applications and other fields, such as the manufacturing of fertilizer, a direct replacement for SMR that produces green hydrogen would seem almost too good to be true.

What precisely is this methane pyrolysis, and what can be expect from it the coming years?

Continue reading “Methane Pyrolysis: Producing Green Hydrogen Without Carbon Emissions”

Hackaday Links Column Banner

Hackaday Links: February 12, 2023

So, maybe right now isn’t the best time to get into the high-altitude ballooning hobby? At least in the US, which with the downing of another — whatever? — over Alaska, seems to have taken a “Sidewinders first, threat identification later” approach to anything that floats by. The latest incident involved an aircraft of unknown type, described as “the size of a small car” — there’s that units problem again — that was operating over Prudhoe Bay off the northern coast of Alaska. The reason that was given for this one earning a Sidewinder was that it was operating much lower than the balloon from last week, only about 40,000 feet, which is well within the ceiling of commercial aviation. It was also over sea ice at the time of the shootdown, making the chance of bothering anyone besides a polar bear unlikely. We’re not taking any political position on this whole thing, but there certainly are engineering and technical aspects of these shootdowns that are pretty interesting, as well as the aforementioned potential for liability if your HAB goes astray. Nobody ever really benefits from having an international incident on their resume, after all.

Continue reading “Hackaday Links: February 12, 2023”

Hackaday Podcast 205: Hackaday Berlin, So Many Sundials, And Ovens Pinging Google

Editor-in-Chief Elliot Williams and Managing Editor Tom Nardi start this week’s episode off with the announcement of Hackaday Berlin on March 25th. It’s been quite some time since we’ve been on the other side of the pond, because we had to cancel 2020’s Hackaday Belgrade due to COVID-19, so excitement is high for all three days of this “one-day” event.

After a new What’s that Sound, discussion moves on to an impressive collection of DIY sundials, the impact filament color has on the strength of 3D printed parts, the incredible retrocomputer replicas of Michael Gardi, and the Arduino FPGA that you’ve probably never heard of. We’ll wrap things up with the unexpected difficulties of mixing multiple cheap audio sources in Linux, and try to figure out why our kitchen appliances need to be connected to the Internet.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in  the comments!

Download all the bits!

Continue reading “Hackaday Podcast 205: Hackaday Berlin, So Many Sundials, And Ovens Pinging Google”

This Week In Security: ImageMagick, VBulletin, And Dota 2

There are a few binaries that wind up running in a bunch of places, silently do their jobs, and being easily forgotten about. ImageMagick is used on many servers for image conversion and resizing, and tends to run automatically on uploaded images. Easily forgotten, runs automatically, and with arbitrary inputs. Yep, perfect target for vulnerability hunting. And the good folks at Metabase found two of them.

First up is CVE-2022-44267, a Denial of Service, when ImageMagick tries to process a rigged PNG that contains a textual chunk. This data type is usually used for metadata, and can include a profile entry for something like EXIF data. If this tag is specified inside a text chunk, ImageMagick looks to the given value as a filename for finding that profile data. And notably, if that value is a dash -, it tries to read from standard input. If the server’s image processing flow doesn’t account for that quirk, and virtually none of them likely do, this means the ImageMagick process hangs forever, waiting for the end of input. So while that’s not usually a critical problem, it could be used for a resource exhaustion attack.

But the real problem is CVE-2022-44268. It’s the same trick, but instead of using - to indicate standard input, the processed image refers to a file on the server filesystem. If the file exists, and can be read, the contents are included in the image output. If the attacker has access to the image, it’s a slick data leak — and obviously a real security problem. If a server doesn’t have tight file permissions and isolation, there’s plenty of sensitive information to be found and abused.

The fix landed back in October 2022, and was part of the 7.1.0-52 release. There’s a bit of uncertainty about which versions are vulnerable, but I wouldn’t trust anything older than that version. It’s a pretty straightforward flaw to understand and exploit, so there’s a decent chance somebody figured it out before now. The file exfiltration attack is the one to watch out for. It looks like there’s an Indicator of Compromise (IoC) for those output PNGs: “Raw profile type”. Continue reading “This Week In Security: ImageMagick, VBulletin, And Dota 2”

Ski Season Sees Apple’s Crash Detection System Fire Deluge Of False Positives

Smartphone features used to come thick and fast. Cameras proliferated, navigation got added, and then Apple changed the game by finally making touch computing just work. Since then, truly new features have slowed to a trickle, but Apple’s innovative crash detection system has been a big deal where safety is concerned.

The problem? It’s got a penchant for throwing false positives when iPhone and Apple Watch users are in no real danger at all. We first covered this problem last year, but since then, the wintery season has brought yet more issues for already-strained emergency responders.

Continue reading “Ski Season Sees Apple’s Crash Detection System Fire Deluge Of False Positives”