GitHub is an incredibly powerful tool for sharing source code, and its value to the modern hacker can’t be overstated. But there’s at least one downside to effortlessly sharing your source: it’s now much easier for the whole world to find out when you screw up. Back in the day, if you accidentally left a username or password in a tarball hosted on your site, you could pull it down before anyone noticed. But push something like that up to GitHub, and you’ve got a problem on your hands.
For an example, look no further than this tool that crawls GitHub for Slack webhooks, written by [Michele Gruppioni]. Exploiting the fact that Slack webhook links have a predictable format, the tool searches repositories for code that erroneously includes the authentication token. Since the webhook URL is the credential, an attacker with that link can send unsolicited messages into the channel without any further authentication.
But [Michele] restrained himself and didn’t Rickroll the over 6,500 Slack channels he had access to after searching GitHub with his tool. Instead, he sent them all a friendly message explaining their webhook tokens were available on GitHub, and gave them a link to where they could get more information about his project.
Most of the people who contacted him after the fact appreciated that he sent a gentle warning and not something unsavory. Still, we’d recommend caution to anyone looking to expose a vulnerability in this manner. While [Michele] had honorable intentions, it’s certainly not unheard of for an embarrassed administrator to blame the messenger.
When used properly, webhooks can be a very handy way of pushing data into your chat platform of choice. We’ve previously looked at a practical example of a weather station that pushes current conditions into a Discord channel. Just try not to accidentally commit your authentication token to the world’s largest database of open source projects, or you might receive more than you bargained for. And if you do, revoke the webhook and create a new one rather than just deleting the line: the old URL still lives on in the repository’s history and in anyone’s clone.
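The search described above, as an added example and not [Michele]’s tool: a small scanner that matches the Slack incoming-webhook URL shape, reports each hit with the secret segment masked so the report itself does not leak it, and builds the kind of friendly notice body Slack accepts. The ID and secret segment lengths in the pattern and the sample config file are assumptions made for the example.

```python
import re
from pathlib import Path

# Shape of a Slack incoming-webhook URL: team ID (T...), bot ID (B...), then the secret
# as the last path segment. The segment lengths below are an approximation (assumption).
SLACK_WEBHOOK_RE = re.compile(
    r"https://hooks\.slack\.com/services/(T[A-Z0-9]{8,12})/(B[A-Z0-9]{8,12})/([A-Za-z0-9]{20,})"
)


def find_webhooks(text, source="<text>"):
    """Return (source, line_no, url) for every webhook URL found in `text`."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SLACK_WEBHOOK_RE.finditer(line):
            hits.append((source, n, m.group(0)))
    return hits


def redact(url):
    """Mask the secret segment so a finding can be reported without re-leaking the token."""
    m = SLACK_WEBHOOK_RE.fullmatch(url)
    if not m:
        raise ValueError("not a Slack webhook URL")
    team, bot, secret = m.groups()
    return f"https://hooks.slack.com/services/{team}/{bot}/{secret[:4]}{'*' * (len(secret) - 4)}"


def scan_tree(root, suffixes=(".py", ".js", ".json", ".yml", ".yaml", ".txt", ".md")):
    """Walk a checked-out repository and collect every hit (suffix list is an assumption)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in suffixes or path.name.startswith(".env")):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits.extend(find_webhooks(text, str(path)))
    return hits


def notice_payload(repo_url):
    """Body of the warning message; incoming webhooks accept a JSON object with a "text" key."""
    return {"text": f"This webhook URL is public in {repo_url}. Revoke it and create a new one."}


# Constructed sample: one real-shaped URL leaked in a config file, and one documentation
# placeholder that must not be reported.
SAMPLE_SOURCE = """\
# config.py
SLACK_URL = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
# placeholder copied from the docs, not a credential
EXAMPLE = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
"""

if __name__ == "__main__":
    for source, n, url in find_webhooks(SAMPLE_SOURCE, "config.py"):
        print(f"{source}:{n}: {redact(url)}")
```

Running the scanner prints the location and the masked URL only; posting `notice_payload(...)` to the live webhook is the step [Michele] took, and is left to the reader’s judgement for the reasons given above.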
[W8BH] attended a talk by another ham, [W8TEE], that showed a microcontroller sending and receiving Morse code. He decided to build his own, and documented his results in an 8 part tutorial. He’s using the Blue Pill board, and the resulting device sends code with paddles, sends canned text, provides an LCD with a rotary knob menu interface, and even has an SD card for data storage.
All the code is on GitHub. If you are interested in Morse code or in learning how to write a pretty substantial application using the Blue Pill and the Arduino IDE (or any other similar processor), this is a great exposition that is also a practical tool.
Humans seem to have a need to do things that aren’t practical. Make the biggest ball of twine. Engrave the Declaration of Independence on a grain of rice. We want to make things bigger, smaller, faster, or whatever. That might explain why [nanochess] put out bootBASIC.
The 8088 (or later) assembly code gives you a very restricted BASIC interpreter that you can boot up. That means it has to fit in the 512-byte boot block that the hardware loads to get an operating system running. How restricted? Keep in mind it fits in 512 bytes. Each line can only have 19 characters or less. Backspace works, but doesn’t update the screen. Line numbers range from 1 to 999 and there are only 26 integer variables named a through z that hold 16 bits. All statements are in lower case.
PythonAnywhere gives you access to a Python shell over a web browser, and also lets you run a web app that can be accessed via a custom sub-domain. Even though it does not have direct integration with GitHub, you can drop to the bash shell and get access to a git client.
For this hack, [Aadi Bajpai] utilizes the webhooks from GitHub that are triggered when a push event is detected. A Flask server running on PythonAnywhere is written such that, once triggered by the POST request, it locally executes a git pull from the repository. A little more work adds some security to the recipe, but it is a pretty elegant solution and can be used for other cases as well.
Setting up alert notifications for the deployment is an interesting task in itself, and integrating Discord or Slack for those notifications adds a little more bragging rights.
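The receiving side of that setup, as an added example and not [Aadi Bajpai]’s code: the handler checks GitHub’s `X-Hub-Signature-256` header (an HMAC-SHA256 of the raw request body under the webhook secret) before it runs `git pull`, so that anyone who discovers the URL cannot trigger a pull or, worse, a pull of a branch you did not intend. The route name, the branch, the repository path and the secret are assumptions for the example; the header names and signature scheme are GitHub’s.

```python
import hashlib
import hmac
import json
import subprocess

SIGNATURE_HEADER = "X-Hub-Signature-256"   # GitHub's HMAC-SHA256 signature header
EVENT_HEADER = "X-GitHub-Event"            # "push", "ping", ...
DEPLOY_REF = "refs/heads/main"             # assumption: the only branch we deploy


def expected_signature(secret: bytes, body: bytes) -> str:
    """GitHub signs the raw request body with HMAC-SHA256 keyed by the webhook secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    if not header_value or not header_value.startswith("sha256="):
        return False
    # Constant-time comparison so the mismatch position does not leak through timing.
    return hmac.compare_digest(expected_signature(secret, body).encode(), header_value.encode())


def handle_push(secret: bytes, headers, body: bytes, repo_dir: str, run=subprocess.run):
    """Return (http_status, message). `run` is injectable so tests need not call git."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return 403, "bad or missing signature"
    if headers.get(EVENT_HEADER) != "push":
        return 204, "ignored event"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    if payload.get("ref") != DEPLOY_REF:
        return 204, "ignored ref %s" % payload.get("ref")
    # --ff-only: never create a merge commit on the server; a rewritten history fails loudly.
    run(["git", "-C", repo_dir, "pull", "--ff-only"], check=True)
    return 200, "pulled"


def create_app(secret: bytes, repo_dir: str):
    """Flask glue as it would be deployed on PythonAnywhere (Flask imported lazily)."""
    from flask import Flask, request

    app = Flask(__name__)

    @app.route("/update", methods=["POST"])   # hypothetical route name
    def update():
        # request.get_data() is the raw body; re-serialising request.json would break the HMAC.
        status, msg = handle_push(secret, request.headers, request.get_data(), repo_dir)
        return msg, status

    return app
```

On PythonAnywhere the WSGI file would import `create_app` and build the app from a secret read out of the environment (the same value pasted into the webhook settings on GitHub); the handler never echoes the secret or the git output back to the caller.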
By pretty much any metric you care to use, the last couple of decades have been very good for the open source movement. There was plenty of pushback in the early days, back when the only people passionate about the idea were the graybeards in the IT department. But as time went on, more and more developers and eventually companies saw the benefit of sharing what they were working on. Today, open source is effectively the law of the land in many fields, and you don’t have to look far to find the community openly denouncing groups who keep their source under lock and key.
In the last few years, we’ve even seen the idea gain traction in the hardware field. While it’s not nearly as prevalent as opening up the software side of things, today it’s not uncommon to see hardware schematics and PCB design files included in project documentation. So not only can you download an open source operating system, web browser, and office suite, but you can also pull down all the information you need to build everything from a handheld game system to an autonomous submarine.
With so many projects pulling back the curtain, it’s not unreasonable to wonder where the limits are. There are understandably some concerns about the emerging field of biohacking, and anyone with a decent 3D printer can download the files necessary to produce a rudimentary firearm. Now that the open source genie is out of the bottle, it seems there’s precious little that you can’t download from your favorite repository.
Scratching an exceptionally surprising entry off that list is Transatomic, who late last year uploaded the design for their TAP-520 nuclear reactor to GitHub. That’s right, now anyone with git, some uranium, and a few billion dollars of seed money can have their very own Molten Salt Reactor (MSR). Well, that was the idea at least.
So six months after Transatomic dumped a little under 100 MB worth of reactor documentation on GitHub, is the world any closer to forkable nuclear power? Let’s find out.
If you are browsing GitHub it is very tempting to open up the source code to some project and peek at how it works. The code view is easy to read, but the viewer lacks one important feature: the ability to click on an included file and find it. The Octolinker extension fixes that oversight.
If you want to try it without installing the extension, there is a mock-up demo available. Even though the demo wants you to click on specific things, if you don’t play by the rules it will still do the right thing and take you to either the code on GitHub or an appropriate page. You can even substitute the demo URL for github.com and try it out on any GitHub page without the extension.
For those hosting their own git repositories there are a number of solutions for creating convenient web-accessible front ends, but [mitxela] wasn’t quite satisfied with any of them. After trying a number of alternatives and reflecting on his requirements, he realized that all he really needed was a summary page listing the latest commits, and a file tree with a list of branches and tags. To accomplish this, he created web-git-sum. It’s a bash script that runs on git’s post-receive hook and generates only two files: a summary page and an index of the repository. You can see a demo of the output at git.mitxela.com.
[mitxela]’s writeup goes into some detail on how git repositories work, how those repositories are served over HTTP, and covers a few of the different options for providing convenient and accessible web front ends. Not all repositories are alike, and what works well for one may not work or scale well for another.
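The hook side of that idea, as an added example in Python rather than [mitxela]’s bash script: a post-receive hook that reads the latest commits with `git log` and writes one static summary page. The point a self-hosted front end is easy to get wrong is that author names and commit subjects are written by whoever can push, so every field is HTML-escaped before it lands in the page. The output directory, the tab-separated log format and the sample log lines are assumptions made for the example.

```python
import html
import subprocess
import sys
from pathlib import Path

# One commit per line: full hash, author, date, subject, tab-separated (%x09 is a tab).
LOG_FORMAT = "%H%x09%an%x09%ad%x09%s"


def parse_log(text):
    """Parse `git log --format=LOG_FORMAT` output into dicts; malformed lines are skipped."""
    commits = []
    for line in text.splitlines():
        parts = line.split("\t", 3)          # the subject keeps any tabs of its own
        if len(parts) != 4:
            continue
        commits.append(dict(zip(("hash", "author", "date", "subject"), parts)))
    return commits


def render_summary(repo_name, commits):
    """Static HTML listing. Every field is untrusted (anyone who can push controls
    author and subject), so each one is escaped before going into the page."""
    rows = "".join(
        "<tr><td><code>{}</code></td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(c["hash"][:10]), html.escape(c["author"]),
            html.escape(c["date"]), html.escape(c["subject"]))
        for c in commits)
    title = html.escape(repo_name)
    return (f'<!doctype html><html><head><meta charset="utf-8"><title>{title}</title></head>'
            f"<body><h1>{title}</h1><table><tr><th>commit</th><th>author</th>"
            f"<th>date</th><th>subject</th></tr>{rows}</table></body></html>")


def latest_commits(repo_dir, limit=20):
    out = subprocess.run(
        ["git", "-C", str(repo_dir), "log", "--all", f"-n{limit}", f"--format={LOG_FORMAT}"],
        capture_output=True, text=True, check=True).stdout
    return parse_log(out)


def write_summary(repo_dir, out_dir, limit=20):
    """What the hook does on every push: regenerate out_dir/index.html from recent history."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    page = render_summary(Path(repo_dir).name, latest_commits(repo_dir, limit))
    target = out_dir / "index.html"
    target.write_text(page, encoding="utf-8")
    return target


# Constructed sample log output, including a hostile subject line.
SAMPLE_LOG = (
    "4f1c9e2a7b3d5c6e8f0a1b2c3d4e5f60718293a4\tAlice\tMon Jan 6 10:00:00 2020 +0000\tFix typo\n"
    "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d\tMallory\tTue Jan 7 09:30:00 2020 +0000\t"
    "<script>alert('xss')</script>\n")

if __name__ == "__main__":
    # git runs post-receive with the bare repository as the working directory; stdin lists
    # the updated refs, which a whole-repo summary does not need.
    sys.stdin.read()
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/www/git"   # hypothetical output dir
    print(write_summary(Path.cwd(), target))
```

Installed as `hooks/post-receive` (executable) in the bare repository, it rewrites the page after every push; the web server then serves a plain file, so nothing on the request path runs git or touches the repository.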