Hackaday Trims Its Own Resistors

There are times when you might want an odd-value resistor. Rather than run out to the store to buy a 3,140 Ω resistor, you can get there with a good ohmmeter and a willingness to solder things in series and parallel. But when you want a precise resistor value, and you want many of them, Frankensteining many resistors together over and over is a poor solution.

Something like an 8-bit R-2R resistor-ladder DAC, for instance, requires seventeen resistors of two values at better than 0.4% precision. That’s just not something I have on hand, and the series/parallel approach will get tiresome fast.

Ages ago, I had read about trimming resistors by hand, but had assumed that it was the domain of the madman. On the other hand, this is Hackaday; I had some time and a file. Could I trim and match resistors to within half a percent? Read on to find out.

Continue reading “Hackaday Trims Its Own Resistors”

Lights Out In Québec: The 1989 Geomagnetic Storm

I found myself staring up at the sky on the night of March 13, 1989, with my girlfriend and her parents in the backyard of their house. The sky was on fire, almost literally. Red and pink sheets of plasma streamed out in a circle from directly overhead, with blue-white streaks like xenon flashes occasionally strobing across the sky. We could actually hear a sizzling, crackling sound around us. The four of us stood there, awestruck by the aurora borealis we were lucky enough to witness.

At the same time, lights were winking out a couple of hundred miles north in Québec province. The same solar storm that was mesmerizing me was causing fits for Hydro-Québec, the provincial power authority, tripping circuit breakers and wreaking havoc. This certainly wasn’t the first time the Sun threw a fit and broke systems on Earth, but it was pretty dramatic, and there are some lessons to be learned from it and other solar outbursts.

Continue reading “Lights Out In Québec: The 1989 Geomagnetic Storm”

PC In A Mouse

[Slider2732] got his Orange Pi Zero working with a 3 watt amplifier, a wireless keyboard (with built-in mouse), and a car reversing monitor. But he needed a case to house it in. He remembered that he used to build ghost-hunting gadgets by filling PC mouse cases with all sorts of electronics. So why not put the Orange Pi Zero in a mouse too? Looking through his mouse collection, he picked out an old Logitech optical mouse and went to work.

We like that the Logitech has a transparent bottom half, perfect for proving to anyone who might be skeptical that the PC really is in the mouse. A great enhancement, we think, would be to make the mouse actually work as a mouse too, but there doesn’t seem to be enough room left for that. What’s smaller than an Orange Pi Zero that will also run the Armbian Linux distribution, OpenELEC Mediacenter, Kodi, and a bunch of games?

He even set up the wireless networking for watching YouTube videos. Check out the build and demo video after the break.

Continue reading “PC In A Mouse”

How To Hack Your Own Password

[Haseeb] failed the marshmallow test as a kid. He has no self-control. He wastes a lot of time on reddit. There is a solution to this problem — simply lock yourself out of your account. The process is simple, and all you need to do is change your password to something random, change the recovery email address, and click submit. In the blink of an eye, all your imaginary Internet points vanish.

That’s the one guaranteed way to quit reddit. However, [Haseeb] wanted to hold onto those magic Internet points in the event they become worth something, which led to a far more baroque solution. He found a service that would email him at a later date, scheduled a message to himself containing a random password, set that as his reddit password, and was temporarily off reddit. Until that email was delivered, he was officially off reddit; when it arrived, productivity would stop.

A few years passed, and [Haseeb] had some time to kill at his new job. He decided to scrounge up his old password, only to discover he had locked himself out of his reddit account until 2018. What followed is a security exploit of an ‘email me in the future’ service, and a great example of how much effort one person will commit to a lifetime of instant gratification.

The email service in question is LetterMeLater, a site that will send an email at some arbitrary point in the future. You can hide the body of the email from yourself, making this a fairly good solution for what [Haseeb] was doing. He still couldn’t read that hidden body, though, and emailing the people running LetterMeLater seemed absurd. Dopamine is fun, though, and [Haseeb] eventually found a workaround. The site indexes the body of every email for search, hidden or not. This is great, because the body of the email the site would send [Haseeb] in 2018 contained his reddit password and only his reddit password. With a little bit of code, he could perform substring queries against an email he couldn’t read, and at that point extracting the password is simply a first-year CS homework problem.

At this point, the only thing [Haseeb] knows about his password is that it’s a long string of random characters that probably doesn’t include upper-case letters. That leaves 26 lower-case letters and 10 digits, and the subset actually present can be determined by searching the email for one character at a time. [Haseeb] is essentially playing Hangman against his former self here.

After figuring out the site’s search API, [Haseeb] whipped up a quick bit of code that finds the password by searching for substrings. It’s beautiful and recursive, although he did break it down into first finding a suffix of the password and then determining the remainder. It took 443 iterations of the code to find the password, and when that was complete he logged into reddit. Math works, although [Haseeb] will have to figure out a way to wean himself off the opiate of the millennials again.
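To make the oracle attack concrete, here is an added example (written for this page, not [Haseeb]’s code or LetterMeLater’s API) that models a search feature as a “does the body contain this substring?” oracle and recovers the hidden text with the same two-phase approach the article describes: grow a substring to the right until no extension is found (that substring must then be a suffix of the body), then grow it to the left until no extension is found (that is the whole body). The SubstringOracle class, the alphabet, and the test secrets are constructed assumptions. It also generalizes the article’s case: it works for any secret over a known alphabet, not only lower-case letters and digits, and it never needs backtracking.

```python
import string

# Assumed alphabet, following the article's guess: lower-case letters and digits.
ALPHABET = string.ascii_lowercase + string.digits


class SubstringOracle:
    """Stand-in for a search feature that indexes a message body the user is not
    allowed to read. The only question it answers is 'does the body contain this
    substring?'. Constructed for this example; it is not the real site's API."""

    def __init__(self, secret):
        self._secret = secret
        self.queries = 0  # how many questions the attacker had to ask

    def contains(self, s):
        self.queries += 1
        return s in self._secret


def recover_secret(oracle, alphabet=ALPHABET):
    """Recover the full body hidden behind a substring oracle, Hangman style."""
    # Phase 0: which symbols occur at all? One query per symbol; only these are
    # tried in the extension steps, which is what keeps the query count low.
    present = [c for c in alphabet if oracle.contains(c)]
    if not present:
        return ""

    # Phase 1: extend to the right until no cur+c is a substring. If cur is a
    # substring but no cur+c is, every occurrence of cur ends at the end of the
    # body, so cur is a suffix and occurs exactly once.
    cur = present[0]
    while True:
        ext = next((cur + c for c in present if oracle.contains(cur + c)), None)
        if ext is None:
            break
        cur = ext

    # Phase 2: extend to the left. Because cur is a unique suffix, at most one
    # c+cur is a substring at each step; when none is, cur is the whole body.
    while True:
        ext = next((c + cur for c in present if oracle.contains(c + cur)), None)
        if ext is None:
            break
        cur = ext
    return cur


if __name__ == "__main__":
    secret = "k7x2mzq9pl3v"  # constructed test value
    oracle = SubstringOracle(secret)
    found = recover_secret(oracle)
    print(found, found == secret, oracle.queries, "queries")
```

The lesson for anyone building a “hidden from the author” feature is that a search index over that content is a read oracle, and an oracle that answers one bit per query leaks a 12-character secret in a few hundred queries; content the owner has chosen not to see should not be indexed at all.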

BrickerBot Takes Down Your IoT Devices Permanently

There is a new class of malware in town, specifically targeting Internet of Things (IoT) devices. BrickerBot and its variants do exactly as their name says, turning your smart devices into bricks. Someone out there has gotten tired of all the IoT security flaws and has undertaken extreme (and illegal) measures to fix the problem. Some of the early reports have come in from a security company called Radware, who isolated two variants of the malware in their honeypots.

In a nutshell, BrickerBot gains access to insecure Linux-based systems by brute force: it tries to telnet in using common default root username/password pairs. Once inside, it uses shell commands (often provided by BusyBox) to write random data to any mounted drives. It’s as easy as

dd if=/dev/urandom of=/dev/sda1

With the secondary storage wiped, the device is effectively useless. There is already a name for this: a Permanent Denial-of-Service (PDoS) attack.

Now any card-carrying Hackaday reader will know that a system taken down like this can be recovered by re-flashing through USB, JTAG, SD or other methods. However, we’re not BrickerBot’s intended audience. We’ve all changed our devices’ default passwords, right? RIGHT?
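The two stages described above (a default-credential telnet login, then raw writes to a block device) are easy to spot in a honeypot or telnet-gateway log once you look for them together. The added example below is written for this page, not from Radware’s report; the log format, the source addresses, the default credential list and the session itself are all constructed, and the device-name pattern covers the dd target the article shows plus the equivalent shell redirection.

```python
import re
from collections import defaultdict

# Illustrative default credential pairs for the check below. The article does
# not list the pairs BrickerBot tries; these are placeholders, not its list.
DEFAULT_CREDS = {("root", "root"), ("root", "admin"), ("admin", "admin"), ("root", "12345")}

# Constructed log format: "<timestamp> <source-ip> LOGIN|CMD <details>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>LOGIN|CMD)\s+(?P<rest>.*)$")
LOGIN_RE = re.compile(r"user=(?P<user>\S+)\s+pass=(?P<pw>\S*)\s+result=(?P<res>OK|FAIL)")

# Raw writes to a block device: dd with of=/dev/<block device> (the pattern the
# article shows), or a shell redirection straight onto such a device.
BLOCK_DEV = r"/dev/(?:sd[a-z]\d*|hd[a-z]\d*|mmcblk\d+(?:p\d+)?|mtdblock\d+)"
DD_RE = re.compile(r"\bdd\b[^;|&]*\bof=(?P<dev>" + BLOCK_DEV + r")")
REDIR_RE = re.compile(r">\s*(?P<dev>" + BLOCK_DEV + r")")


def analyze(lines):
    """Group events by source address; record default-credential login attempts
    and commands that write directly to a block device."""
    per_src = defaultdict(lambda: {"default_fail": 0, "default_ok": None, "wipes": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; ignore
        state = per_src[m["src"]]
        if m["kind"] == "LOGIN":
            lm = LOGIN_RE.search(m["rest"])
            if lm and (lm["user"], lm["pw"]) in DEFAULT_CREDS:
                if lm["res"] == "OK":
                    state["default_ok"] = (lm["user"], lm["pw"])
                else:
                    state["default_fail"] += 1
        else:
            dm = DD_RE.search(m["rest"]) or REDIR_RE.search(m["rest"])
            if dm:
                state["wipes"].append(dm["dev"])
    return dict(per_src)


def classify(state):
    """Label one source from its recorded state."""
    if state["default_ok"] and state["wipes"]:
        return "pdos"                 # default login followed by raw device writes
    if state["default_ok"] or state["default_fail"]:
        return "credential-guessing"  # default credentials tried, no wipe seen
    if state["wipes"]:
        return "device-write"         # destructive command, but not via a default login
    return "benign"


# Constructed sample session, not captured traffic.
SAMPLE_LOG = """\
2017-04-06T12:00:01Z 203.0.113.7 LOGIN user=root pass=admin result=FAIL
2017-04-06T12:00:02Z 203.0.113.7 LOGIN user=root pass=12345 result=OK
2017-04-06T12:00:03Z 203.0.113.7 CMD busybox cat /proc/mounts
2017-04-06T12:00:04Z 203.0.113.7 CMD busybox dd if=/dev/urandom of=/dev/mtdblock0 bs=1M
2017-04-06T12:00:05Z 203.0.113.7 CMD dd if=/dev/urandom of=/dev/sda1
2017-04-06T12:00:07Z 198.51.100.9 LOGIN user=root pass=root result=FAIL
2017-04-06T12:00:08Z 198.51.100.9 LOGIN user=admin pass=admin result=FAIL
2017-04-06T12:00:09Z 192.0.2.5 LOGIN user=admin pass=Tr0ub4dor&3 result=OK
2017-04-06T12:00:10Z 192.0.2.5 CMD dd if=/dev/zero of=/tmp/speedtest bs=1M count=64
"""

if __name__ == "__main__":
    for src, state in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, classify(state), state)
```

The third source in the sample is a legitimate administrator running dd against a file in /tmp, which is why the device pattern is anchored on /dev/ block nodes rather than on dd itself; detection keyed on the command name alone would page you for every benchmark.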

For more IoT security, check out Elliot’s excellent article about botnets earlier this year, and its follow-up.

Is My Password Safe? Practices For People Who Know Better

A couple of weeks back a report came out in which [Tavis Ormandy], a widely known security researcher with Google Project Zero, showed how it was possible to abuse LastPass RPC commands and steal user passwords. The irony is that LastPass is software designed to keep all your passwords safe, and designed such that even LastPass can’t access them: the passwords are stored locally under strong cryptography, and only you can unlock them with your master key. Storing all your passwords in one place has its downsides. By the way, there is no proof or suggestion that this bug was abused by anyone, so if you use LastPass, don’t worry just yet.

But it got me thinking: how worried, and how paranoid, should a regular Internet user be about their passwords? How many of us have account details exposed somewhere online? If you’ve been around long enough, odds are you have at least a couple of accounts with major Internet-based companies. Don’t go rushing into the Dark Web to find out whether your account details are being sold. The easiest way to get your paranoia started is to visit Have I Been Pwned. For those who have never heard of it, it’s a website created by [Troy Hunt], a well-known security professional. It keeps track of every public security breach he can get his hands on and answers a simple question: “Was my account in any major data leak?” Let’s take a look.
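The article only mentions the account lookup on the site, but Have I Been Pwned also offers a Pwned Passwords range API that answers the password half of the question without you handing the password to anyone: the client sends only the first five hex characters of the password’s SHA-1 and matches the remaining 35 characters against the returned list locally. The added example below (written for this page, not code from the article or from HIBP) shows that client-side split and match. The endpoint URL is the publicly documented one; the response text and its counts are constructed, not real API output.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # public HIBP range endpoint


def sha1_split(password):
    """Return (prefix, suffix): the 5 hex chars sent to the server and the 35 kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body, suffix):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if absent.
    Tolerates blank lines, odd casing and a malformed count field."""
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        cand, _, count = line.partition(":")
        if cand.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0
    return 0


def fetch_range(prefix):
    """Network call (not exercised offline): fetch the suffix list for a prefix."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """How many times the password appears in the corpus; only the prefix leaves the machine."""
    prefix, suffix = sha1_split(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed response for prefix 5BAA6 (SHA-1 of "password" starts 5BAA61E4...).
# Real responses contain hundreds of suffixes; these three lines and counts are made up.
FAKE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

if __name__ == "__main__":
    print(pwned_count("password", fetch=lambda p: FAKE_RANGE_5BAA6))
```

The point of the five-character prefix is k-anonymity: the server learns one of 16^5 buckets, each holding hundreds of hashes, which is far less than the password and still enough for a useful answer. Anything that asks you to paste the password itself into a form is the wrong tool.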

Continue reading “Is My Password Safe? Practices For People Who Know Better”

File Format Posters

It’s not uncommon for hackers to have a particular predilection for unusual interior decoration. Maybe it’s a Nixie tube clock, or a vacuum fluorescent display reading out the latest tweets from a favorite chatbot. If this sounds like your living room already, perhaps you’d like some of these file format posters to adorn your walls.

The collection of images covers all kinds of formats: GIF, ZIP and WAV are all represented, but it even gets into some real esoterica, such as DOLphin-format executables if you’re a total GameCube fanatic. Each poster breaks the format down into its parts, such as the header, metadata and descriptor sections, and the posters come in a variety of formats themselves, most available as SVG, PDF and PNG.

If we’re totally honest, these aren’t all designed for hanging on your wall as-is; we’d consider putting some work in to optimize the color palettes and layouts before sending them to print. Regardless, they’re an excellent visual representation of data structures that you might find particularly useful if you need to do some reverse engineering down the track.
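As an added illustration of the header and descriptor breakdown these posters draw (example code written for this page, not from the poster project), here is a small parser for the first two sections of a GIF file, the Header and the Logical Screen Descriptor, which also pulls out the Global Color Table when the packed flags say one follows. The field layout follows the GIF89a specification; the sample bytes are synthesized by make_sample_gif() and are not a real image. The length checks before each read are the part most reverse-engineering scratch code skips and the part that matters once you point it at untrusted files.

```python
import struct

# Header (6 bytes: "GIF" + version) followed by the Logical Screen Descriptor
# (7 bytes: width, height, packed flags, background colour index, aspect ratio).
HEADER = struct.Struct("<6sHHBBB")


def parse_gif_header(data):
    """Parse the Header, Logical Screen Descriptor and optional Global Color Table.
    Raises ValueError on a bad signature or a file too short for what it claims."""
    if len(data) < HEADER.size:
        raise ValueError("truncated: need %d bytes for header, got %d" % (HEADER.size, len(data)))
    sig, width, height, packed, bg_index, aspect = HEADER.unpack_from(data, 0)
    if sig[:3] != b"GIF" or sig[3:] not in (b"87a", b"89a"):
        raise ValueError("not a GIF: signature %r" % sig)

    # Packed byte: bit 7 = GCT present, bits 6-4 = colour resolution - 1,
    # bit 3 = GCT sorted, bits 2-0 = GCT size exponent (entries = 2 ** (n + 1)).
    has_gct = bool(packed & 0x80)
    color_res = ((packed >> 4) & 0x07) + 1
    gct_sorted = bool(packed & 0x08)
    gct_entries = 2 ** ((packed & 0x07) + 1) if has_gct else 0
    gct_bytes = 3 * gct_entries  # one RGB triple per entry

    offset = HEADER.size
    if len(data) < offset + gct_bytes:
        raise ValueError("truncated: global color table needs %d bytes" % gct_bytes)
    palette = [tuple(data[offset + 3 * i: offset + 3 * i + 3]) for i in range(gct_entries)]

    return {
        "version": sig[3:].decode("ascii"),
        "width": width,
        "height": height,
        "color_resolution_bits": color_res,
        "gct_sorted": gct_sorted,
        "gct_entries": gct_entries,
        "background_index": bg_index,
        "pixel_aspect_ratio": aspect,
        "palette": palette,
        # Where the first data block (extension or image descriptor) begins.
        "next_offset": offset + gct_bytes,
    }


def make_sample_gif(width=320, height=200, gct_entries=4):
    """Construct a synthetic GIF89a header with a Global Color Table (test data, not a real file)."""
    size_field = gct_entries.bit_length() - 2      # 2 ** (size_field + 1) == gct_entries
    packed = 0x80 | (7 << 4) | size_field          # GCT present, 8-bit colour resolution
    palette = bytes(b for i in range(gct_entries) for b in (i * 60 % 256, 0, 255 - i * 60 % 256))
    return b"GIF89a" + struct.pack("<HHBBB", width, height, packed, 0, 0) + palette


if __name__ == "__main__":
    print(parse_gif_header(make_sample_gif()))
```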

If you still have wall space available after seeing this, here’s the electronic reference poster that should fill it.

[Thanks to JD for the tip!]