What Makes A Hacker

I think I can sum up the difference between those of us who regularly visit Hackaday and the world of non-hackers. As a case study, here is a story about how necessity is the mother of invention and the people who invent.

Hackaday overlaps with sites like Pinterest and Instructables, but there is one vital difference: we choose to create something new and beautiful with the materials at hand. Often these tools and techniques are very simple. We look to make things elegant by reducing the unnecessary clutter, not adding glitter. If something could be built with a 555 timer, we will let you know. If there is a better choice for a processor, we will tell you.

My first real work commute was a forty-minute eastward drive every morning and a forty-minute westward drive every evening. This route pointed my car directly into the sun twice a day. Staring into a miasma of incandescent plasma for an hour and a half a day isn’t fun, and probably isn’t safe, but we can fix that.


MakerBot Really Wants You To Like Them Again

For the last couple of years, a MakerBot press release has generally signaled that more pink slips were going to be heading out to the already shell-shocked employees at their NYC factory. But just last week something that could almost pass as good news came out of the once mighty 3D printer manufacturer: the unveiling of “MakerBot Labs”. A number of mainstream tech sites heralded this as MakerBot’s first steps back into the open source community that launched it nearly a decade ago, signs of a newer and more thoughtful MakerBot.

Reading the announcement for “MakerBot Labs”, you can almost believe it. All the buzz words are there, at least. In fact, if this announcement came from anyone else, in any other field, I’d probably be on board. Sharing knowledge and listening to the community is essential if you want to connect with hackers and makers. But this is MakerBot, and they’ve dug themselves into a very deep hole over the years.

The spectacular fall from grace that MakerBot has experienced, from industry leader to afterthought, makes this hat-in-hand peace offering hard to take seriously. It reads like a company making a last-ditch effort to win back the users they were so sure they didn’t need just a few years ago. There is now a whole new generation of 3D printer owners who likely have never even seen a MakerBot printer, and it’s hard to imagine there’s still enough innovation and life in the company to turn that around before they completely fade into obscurity.


Books You Should Read: The Cuckoo’s Egg

The mid-1980s were a time of drastic change. In the United States, the Reagan era was winding down, the Cold War was heating up, and the IBM PC was the newest of newnesses. The comparatively few wires stitching together the larger university research centers around the world pulsed with a new heartbeat — the Internet Protocol (IP) — and while the World Wide Web was still a decade or so away, The Internet was a real place for a growing number of computer-savvy explorers and adventurers, ready to set sail on the virtual sea to explore and exploit this new frontier.

In 1986, having recently lost his research grant, astronomer Clifford Stoll was made a computer system admin with the wave of a hand by the management of Lawrence Berkeley Laboratory’s physics department. Commanded to go forth and administer, Stoll dove into what appeared to be a simple task for his first day on the job: investigating a 75-cent error in the computer account time charges. Little did he know that this six-bit overcharge would take over his life for the next six months and have this self-proclaimed Berkeley hippie rubbing shoulders with the FBI, the CIA, the NSA, and the German Bundeskriminalamt, all in pursuit of the source: a nest of black-hat hackers and a tangled web of international espionage.


Spy Tech: Stealing A Moon Probe

Ever hear of the Soviet Luna program? In the west, it was often called Lunik, if you heard about it at all. Luna was a series of unmanned moon probes launched between 1959 and 1976. There were at least 24 of them, and 15 were successful. Most of the failures were not reported or named. Luna craft have a number of firsts, but the one we are interested in is that it may have been the first space vehicle to be stolen — at least temporarily — in a cold war caper worthy of a James Bond novel.

Luna-1 Payload

Around 1960, the Soviet Union toured several countries with exhibits of their industrial and technological accomplishments. One of the items on display was the upper stage of a Luna vehicle with windows cut out to show the payload inside. At first, the CIA suspected the vehicle was just a model. But they wanted to be sure.

The story is laid out in a CIA document from 1967 that was only declassified in 1994. Even then, the document has a lot of redactions in it. The paper is sparse on how they managed it, but when the exhibit closed — somehow — a group of intelligence operatives wound up inside the exhibition hall alone for 24 hours.

What they found was surprising. While the engine and most of the avionics were gone, the vehicle was the real article. They took measurements and photos, hoping that analysis would reveal more about the vehicle’s performance characteristics.

Here’s where you start getting into the redacted material. The team was able to get something from the probe — probably machine tooling marks — but there wasn’t enough detail to identify where and how they were made. They decided to get a team specializing in this kind of analysis to examine it more closely.


Practical Public Key Cryptography

Encryption is one of the pillars of modern-day communications. You have devices that use encryption all the time, even if you are not aware of it. There are so many applications and systems using it that it’s hard to begin enumerating them. Ranging from satellite television to your mobile phone, from smart power meters to your car keys, from your wireless router to your browser, and from your Visa to your Bitcoins — the list is endless.

One of the great breakthroughs in the history of encryption was the invention of public key cryptography, or asymmetric cryptography, in the 1970s. For centuries, traditional cryptography methods were used, where some secret key or scheme had to be agreed upon and shared between the sender and the receiver of an encrypted message.

Asymmetric cryptography changed that. Today you can send an encrypted message to anyone. This is accomplished by the use of a pair of keys: one public key and one private key. The key properties are such that when something is encrypted with the public key, only the private key can decrypt it, and vice versa. In practice, this is usually built on mathematical problems that admit no known efficient solution, such as integer factorization, the discrete logarithm, and certain elliptic curve relationships.

But the game changer is that the public key doesn’t have to be kept secret. This allows cryptography to be used for authentication — proving who someone is — as well as for encryption, without requiring you to have previously exchanged secrets. In this article, I’ll get into the details of how to set yourself up so that anyone in the world is able to send you an e-mail that only you can read.
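The two-way key property described above (encrypt with the public key, decrypt with the private key, and the reverse for signing) is easiest to see in textbook RSA. The block below is an added example written for this page, not code from the article or any library; it uses the small primes p=61 and q=53 purely so the arithmetic is visible, and it omits the padding (OAEP, PSS) that any real deployment needs, so it demonstrates the principle, not a usable cipher.

```python
def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes (assumed values for illustration).

    Returns (public_key, private_key) as (exponent, modulus) tuples.
    """
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key, message: int) -> int:
    # Anyone holding the public key can produce this ciphertext...
    e, n = public_key
    assert 0 <= message < n, "message must be an integer smaller than the modulus"
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    # ...but only the private exponent d undoes it.
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(private_key, message: int) -> int:
    # The reverse direction: only the private key can produce this value.
    d, n = private_key
    return pow(message, d, n)


def verify(public_key, message: int, signature: int) -> bool:
    # Anyone with the public key can check that the signature matches the message.
    e, n = public_key
    return pow(signature, e, n) == message


def demo():
    """Round-trip both directions with the classic p=61, q=53 worked example."""
    pub, priv = make_keypair(61, 53, 17)        # n = 3233, d = 2753
    m = 65                                      # constructed sample "message"
    c = encrypt(pub, m)                         # 65^17 mod 3233 = 2790
    s = sign(priv, m)
    return {
        "modulus": pub[1],
        "private_exponent": priv[0],
        "ciphertext": c,
        "recovered": decrypt(priv, c),
        "signature_ok": verify(pub, m, s),
        "tampered_ok": verify(pub, m + 1, s),   # a changed message must fail
    }


if __name__ == "__main__":
    print(demo())
```

Because the modulus is public, the only secret is d; that is exactly why the public key can be handed out freely while the private key never leaves the recipient, which is the property the article builds on for both confidentiality and authentication.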

Inside Two-Factor Authentication Apps

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well, maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password cannot be stored hashed in the server’s database, which means that when the database is eventually compromised, your “second factor” blows away with the breeze.

Second factor apps can improve your overall security if you’re already following good password practices. We’ll demonstrate why and how below, but the punchline is that the most popular 2FA app implementations protect you against eavesdropping by creating a different, unpredictable, but verifiable, password every 30 seconds. This means that if someone overhears your login right now, they wouldn’t be able to use the same login info later on. What 2FA apps don’t protect you against, however, are database leaks.
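To make the two claims above concrete (a fresh verifiable code every 30 seconds, and a server that must keep the raw secret), here is an added example, not code from the article or from any authenticator app, implementing the TOTP scheme those apps use (HMAC-SHA1 over a time counter, as in RFC 6238). The shared secret is the RFC's own test key; the user name and the in-memory "database" are constructed for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check, tolerating one step of clock drift either way.

    The server needs the raw secret here to recompute the code, which is why
    it cannot store a one-way hash of it the way it would for a password.
    """
    for drift in range(-window, window + 1):
        expected = hotp(secret, unix_time // step + drift, digits)
        if hmac.compare_digest(expected, candidate):   # constant-time compare
            return True
    return False


# Constructed stand-in for the server's user table. Note the secret is stored
# as-is: a leaked copy of this table lets anyone generate valid codes.
USER_DB = {"alice": b"12345678901234567890"}   # RFC 6238 test secret


def login_attempt(user: str, code: str, unix_time: int) -> bool:
    secret = USER_DB.get(user)
    return secret is not None and verify_totp(secret, code, unix_time)


def replay_demo():
    """Show that a code overheard at t=59 no longer works 90 seconds later."""
    code_at_59 = totp(USER_DB["alice"], 59)
    return {
        "code": code_at_59,
        "accepted_immediately": login_attempt("alice", code_at_59, 59),
        "accepted_next_step": login_attempt("alice", code_at_59, 80),   # inside drift window
        "accepted_later": login_attempt("alice", code_at_59, 150),      # replay fails
    }


if __name__ == "__main__":
    print(replay_demo())
```

Run against the RFC 6238 vectors the code produces the published values (for example 8-digit `94287082` at t=59), and the replay demo shows the eavesdropping protection the article describes: the same code is rejected a few steps later, while a copy of `USER_DB` would defeat the scheme entirely.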


Oh Great, WPA2 Is Broken

WPA2, the standard security for Wi-Fi networks these days, has been cracked due to a flaw in the protocol. The implications of this crack include decrypting Wi-Fi traffic, hijacking connections, and injecting content. It’s fair to say WPA2 is now Considered Harmful. The paper is available here (PDF).

This is a proof-of-concept exploit, and like all headline-making network security stories, it has a name. It’s called KRACK, for Key Reinstallation Attack. The key insight to this exploit is a vulnerability in the handshaking between routers and devices to establish a secure connection.

This is not the first time the researchers behind this exploit have found holes in WPA2. In a paper published by the KRACK researchers at the USENIX Symposium last August (PDF), they showed that the Random Number Generator used in 802.11 is flawed, ill-defined, and insecure. The researchers have also spoken at 33c3 on predicting WPA2 Group Keys.

The practical consequences of a poor definition and implementation of an RNG can be found in consumer hardware. The researchers found that in MediaTek-based routers, the only source of randomness is the current time. Meanwhile Broadcom-based routers do not use the RNG proposed by the 802.11 spec, but instead take the MD5 of the current time in microseconds. The researchers do not mention if the current time is a secret.

So what do we do now?

This has happened before. In 2001, WEP, the Wi-Fi security protocol many security-ignorant people are still running, was cracked in much the same way as KRACK. This quickly led to the development of Aircrack, and in 2003, the Wi-Fi Alliance rolled out WPA and WPA2. Sure, you can still select a deprecated security protocol for your router, but the problem of WEP hacking is as solved as it’s ever going to be.

The early 2000s were a different time when it came to wireless networks; here in 2017, Wi-Fi permeates every cubic inch of our lives. Everything and everyone has Wi-Fi now. This is going to be a bit bigger than cracking WEP, but it remains possible to patch devices to ensure that this exploit is rendered useless. Install those security updates, people! Of course there will still be millions of unpatched devices in a year’s time, and for those routers, IoT baubles, and other wireless devices, turning on WPA2 will be akin to having no security at all.

That said, this isn’t a world-ending Armageddon in the way the botnet of webcams was. You will only be vulnerable if an attacker is within range of your router, and you will still be secure if you’re accessing secure websites. However, turning off Wi-Fi on your phone, relying on mobile data, not ignoring HTTPS cert warnings, and plugging into an Ethernet port might not be a bad idea.