Hackaday Links: August 4, 2024

Good news, bad news for Sun watchers this week, as our star launched a solar flare even bigger than the one back in May that gave us an amazing display of aurora that dipped down into pretty low latitudes. This was a big one; where the earlier outburst was only an X8.9 class, the one on July 23 was X14. That sure sounds powerful, but to put some numbers to it, the lower end of the X-class exceeds 10⁻⁴ W/m² of soft X-rays. Numbers within the class designate a linear increase in power, so X2 is twice as powerful as X1. That means the recent X14 flare was about five times as powerful as the May flare that put on such a nice show for us. Of course, this all pales in comparison to the strongest flare of all time, a 2003 whopper that pegged the needle on satellite sensors at X17 but was later estimated at X45.

How About Privacy and Hackability?

Many smart electric meters in the US use the 900 MHz band to broadcast their usage out to meter readers as they walk the neighborhood. [Jeff Sandberg] used an RTL-SDR dongle and some software to integrate this data into his own home automation system, which lets him keep track of his home’s power usage.

Half of the comment section was appalled that the meters broadcast this data in the clear, and these readers thought this data should be encrypted even if the reach is limited to the home-owner’s front yard. But that would have stopped [Jeff] from accessing his own data as well, and that would be a shame. So there’s clearly a tradeoff in play here.

We see this tradeoff in a lot of hardware devices as well – we want to be able to run our firmware on them, but we don’t want criminals to do the same. We want the smart device to work with the cloud service, but to also work with our own home automation system if we have one. And we want to be able to listen in to our smart meters, but don’t necessarily want others to do so.

The solution here is as easy as it is unlikely to be implemented. If the smart meters encrypted their transmissions, each with its own individual password, then everyone would win. The meter reader would have a database of passwords linked to meter serial numbers or addresses, and the home owner could just read it off of a sticker, optimally placed on each unit. Privacy and usability would be preserved.

This issue isn’t just limited to electric meters. Indeed, think of all of the data that is being sent out from or about you: what percentage of it is not encrypted and should be, and what data is sent out encrypted that you could use access to. The solution is to put you in control of the encryption, by selecting a password or having access to one that’s set for you. Because after all, if it’s your data, it should be your data: private and usable.

Hackaday Podcast Episode 282: Saildrones, A New Classic Laptop, And SNES Cartridges Are More Than You Think

In this episode, the CrowdStrike fiasco has Hackaday Editors Elliot Williams and Tom Nardi pondering the fragility of our modern infrastructure. From there the discussion moves on to robotic sailboats, the evolving state of bespoke computers, and the unique capabilities of the Super Nintendo cartridge. You’ll also hear about cleaning paintings with lasers, the advantages of electronic word processors, stacking 3D printed parts, and the joys of a nice data visualization. They’ll wrap the episode up by marveling at the techniques required to repair undersea fiber optic cables, and the possibilities (and frustrations) of PCB panelization using multiple designs.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

As always, the Hackaday Podcast is available in DRM-free MP3 for offline listening.

This Week In Security: Echospoofing, Ransomware Records, And Github Attestations

It’s a bit of bitter irony when a security product gets used maliciously to pull off the exact attack it was designed to prevent. Enter Proofpoint, and the EchoSpoofing attack. Proofpoint offers an email security product, filtering spam and malicious incoming emails, and also handling SPF, DKIM, and DMARC headers on outgoing email. How does an external service provide those email authentication headers?

One of the cardinal sins of running an email server is to allow open relaying. That’s when anyone can forward email through an SMTP server without authentication. What we have here is two nearly open relays that wound up with spoofed emails getting authenticated just like the real thing. The first offender is Microsoft’s Office365, which seems to completely skip checking for email spoofing when using SMTP relaying from an allowed IP address. This means a valid Office365 account allows sending emails as any address. The other half relies on the way Proofpoint works normally, accepting SMTP traffic from certain IP addresses, and adding the authentication headers to those emails. There’s an option in Proofpoint to add the Microsoft Office 365 servers to that list, and apparently quite a few companies simply select that option.

The end result is that a clever spammer can send millions of completely legitimate-looking emails every day that look very convincing even to sophisticated users. At six months of activity, averaging three million emails a day, this campaign managed just over half a billion malicious emails from multiple high-profile domains.

The good news here is that Proofpoint and Guardio discovered the scheme, and worked with Microsoft to develop the X-OriginatorOrg header that is now applied to every email sent from or through the Office365 servers. This header marks the account tenant the email belongs to, giving vendors like Proofpoint a simple way to determine email validity.
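
A sketch of the tenant check that the X-OriginatorOrg header makes possible, as an added example that is not Proofpoint's or Microsoft's code. The policy table, domain names and sample messages are constructed, and it assumes the header value is the sending tenant's domain and is only trusted on mail arriving from the Office365 relay IPs.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical per-customer policy: which Microsoft 365 tenants may relay
# mail for each sender domain. All names are constructed for illustration.
ALLOWED_TENANTS = {"example-corp.com": {"example-corp.onmicrosoft.com"}}

def relay_decision(raw_message, from_trusted_relay_ip):
    """Return (accept, reason) for a message offered to the outbound relay."""
    # An IP allow-list alone is what EchoSpoofing abused; it is only step one.
    if not from_trusted_relay_ip:
        return False, "source IP is not an allowed relay"
    msg = message_from_string(raw_message)
    froms = msg.get_all("From", [])
    orgs = msg.get_all("X-OriginatorOrg", [])
    # Require exactly one of each header: duplicates are ambiguous input.
    if len(froms) != 1:
        return False, "missing or duplicate From header"
    if len(orgs) != 1:
        return False, "missing or duplicate X-OriginatorOrg header"
    domain = parseaddr(froms[0])[1].rpartition("@")[2].lower()
    tenant = orgs[0].strip().lower()
    allowed = ALLOWED_TENANTS.get(domain)
    if allowed is None:
        return False, f"no tenant policy for sender domain {domain!r}"
    if tenant not in allowed:
        return False, f"tenant {tenant!r} may not send as {domain!r}"
    return True, "tenant matches sender domain"

def _sample(tenant_header):
    """Build a constructed test message, optionally with a tenant header."""
    lines = ["From: Billing <billing@example-corp.com>",
             "To: user@example.net", "Subject: Invoice"]
    if tenant_header is not None:
        lines.append(f"X-OriginatorOrg: {tenant_header}")
    return "\n".join(lines) + "\n\nSee attached.\n"

LEGIT = _sample("example-corp.onmicrosoft.com")      # customer's own tenant
SPOOFED = _sample("other-tenant.onmicrosoft.com")    # foreign tenant, same From
UNTAGGED = _sample(None)                             # header absent

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("untagged", UNTAGGED)):
        print(name, relay_decision(raw, True))
```
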

Polaroid In An Instant

Edwin Land, were he alive, would hate this post. He wanted to be known for his scientific work and not for his personal life. In fact, upon his death, he ordered the destruction of all his personal papers. However, Land was, by our definition, a hacker, and while you probably correctly associate him with the Polaroid camera, that turns out to be only part of the story.

Land in 1977

It was obvious that Land was intelligent and inquisitive from an early age. At six, he blew all the fuses in the house. He was known for taking apart clocks and appliances. When his father forbade him from tearing apart a phonograph, he reportedly replied that nothing would deter him from conducting an experiment. We imagine many Hackaday readers have similar childhood stories.

Optics

He was interested in optics, and at around age 13, he became interested in using polarized light to reduce headlight glare. The problem was that one of the best polarizing crystals known — herapathite — was difficult to create in a large size. Herapathite is a crystalline form of iodoquinine sulfate studied in the 1800s by William Herapath, who was unable to grow large sizes of the crystal. Interestingly, one of Herapath’s students noticed the crystals formed when adding iodine to urine from dogs that were given quinine.

Land spent a year at Harvard studying physics, but he left and moved to New York. He continued trying to develop a way to make large, practical, light-polarizing crystals. At night, he would sneak into labs at Columbia University to conduct experiments.

Undersea Cable Repair

The bottom of the sea is a mysterious and inaccessible place, and anything unfortunate enough to slip beneath the waves and into the briny depths might as well be on the Moon. But the bottom of the sea really isn’t all that far away. The average depth of the ocean is only about 3,600 meters, and even at its deepest, the bottom is only about 10 kilometers away, a distance almost anyone could walk in a couple of hours.

Of course, the problem is that the walk would be straight down into one of the most inhospitable environments our planet has to offer. Despite its harshness, that environment is home to hundreds of undersea cables, all of which are subject to wear and tear through accidents and natural causes. Fixing broken undersea cables quickly and efficiently is a highly specialized field, one that takes a lot of interesting engineering and some clever hacks to pull off.

Hacker Tactic: Multi-Design Panels

Last time, we talked about single-PCB-design panels, all the cool aspects of it, including some cost savings and handling convenience. Naturally, you might wonder, and many did – can you put multiple different PCBs on a single panel? The answer is “yes, without a doubt!” The tool we used last time, KiKit, will not be as helpful here, so we’ll be looking elsewhere.

Making multi-PCB panels can help you save money, naturally, but it can also make your assembly a whole lot easier, and it can bring your hacking to a whole new level. It sure helped with mine! You might have already learned that some fabs scoff at multi-design panels and add surcharges. Well, you’ll be delighted to learn that there are more hacker-friendly fabs out there, too.

Developing PCBs In Bulk

So far, I’ve worked on about 300 different PCB designs, with half of them available in my monorepo. I’ve assembled and tested just about half of these. You might guess that this would cost a lot of money, and that assembly would take a fair bit of time, but I have some tricks up my sleeve. For a start, you can easily order PCBs 10-12 times more cheaply if you do multi-panel.
