Security researchers have found that it is possible to alter a digitally signed PDF without invalidating its signatures. To demonstrate it, they produced a fake document “refund order” of $1,000,000,000,000 dollars, with a valid signature from Amazon. This sparked my attention, since I was quite sure that they didn’t use some sort of quantum device to break the cryptography involved in the signing process. So what exactly is going on?
The researchers claim to found at least three different ways to, in their words:
… use an existing signed document (e.g., amazon.de invoice) and change the content of the document arbitrarily without invalidating the signatures. Thus, we can forge a document signed by firstname.lastname@example.org to refund us one trillion dollars.
That’s not good news if you take into account that the main purpose of digitally signing a document is, well, prevent unauthorized changes in that document. The good news is that you can update your software to fix this flaws because of this research; the main PDF readers companies were given time to fix the issues. The bad news is that if you rely on the signature verification for any sensitive process, you likely want to go back and see if you were using vulnerable software previously and check that documents were correctly validated. I’m thinking about government institutions, banks, insurance companies and so on.
The implications are yet to be seen and probably won’t even be fully known.
There are three classes of attacks that work on different software. I’ll try to go into each one from what I could tell from reading the research.
Continue reading “1 Trillion USD Refund! (PDF Enclosed)”
For anyone out there who has ever struggled finding a part for Eagle or KiCad, there are some who would say you’re doing it wrong. You’re supposed to make your own parts if you can’t find them in the libraries you already have. This is really the only way; PCB design tools are tools, and so the story goes you’ll never be a master unless you can make your own parts.
That said, making schematic parts and footprints is a pain, and if there’s a tool to automate the process, we’d be happy to use it. That’s exactly what uConfig does. It automatically extracts pinout information from a PDF datasheet and turns it into a schematic symbol.
uConfig is an old project from [sebastien caux] that’s been resurrected and turned into an Open Source tool. It works by extracting blocks of text from a PDF, sorts out pin numbers and pin labels, and associates those by the relevant name to make pins. It’s available as a pre-built project (for Windows, even!), and works kind of like magic.
The video demo below shows uConfig importing a PDF datasheet — in this case a PIC32 — automatically extracting the packages from the datasheet, and turning that into a schematic symbol. It even looks as if it’ll work, too. Of course, this is just the schematic symbol, not the full part including a footprint, but when it comes to footprints we’re probably dealing with standard packages anyway. If you’re looking to build a software tool that takes a datasheet and spits out a complete part, footprint and all, this is the place to start.
Continue reading “Creating KiCad Parts From A PDF Automagically”
There’s a new documentary series on Al Jazeera called Rebel Geeks that looks at the people who make the stuff everyone uses. The latest 25-minute part of the series is with [Massimo], chief of the arduino.cc camp. Upcoming episodes include Twitter co-creator [Evan Henshaw-Plath] and people in the Madrid government who are trying to build a direct democracy for the city on the Internet.
Despite being a WiFi device, the ESP8266 is surprisingly great at being an Internet of Thing. The only problem is the range. No worries; you can use the ESP as a WiFi repeater that will get you about 0.5km further for each additional repeater node. Power is of course required, but you can stuff everything inside a cell phone charger.
I’ve said it before and I’ll say it again: the most common use for the Raspberry Pi is a vintage console emulator. Now there’s a Kickstarter for a dedicated tabletop Raspi emulation case that actually looks good.
Pogo pins are the go-to solution for putting firmware on hundreds of boards. These tiny spring-loaded pins give you a programming rig that’s easy to attach and detach without any soldering whatsoever. [Tom] needed to program a few dozen boards in a short amount of time, didn’t have any pogo pins, and didn’t want to solder a header to each board. The solution? Pull the pins out of a female header. It works in a pinch, but you probably want a better solution for a more permanent setup.
Half of building a PCB is getting parts and pinouts right. [Josef] is working on a tool to at least semi-automate the importing of pinout tables from datasheets into KiCad. This is a very, very hard problem, and if it’s half right half the time, that’s a tremendous accomplishment.
Last summer, [Voja] wrote something for the blog on building enclosures from FR4. Over on Hackaday.io he’s working on a project, and it’s time for that project to get an enclosure. The results are amazing and leave us wondering why we don’t see this technique more often.
This flimsy case isn’t going to protect your Raspberry Pi if you knock it off the workbench. It will provide a level of protection against shorting out from contact with metal objects, or from liquids spilled in the near vicinity. [CGPatterson] ended up making this case from a single sheet of transparency film.
The project is basically papercraft. He started with the dimensions published on the Raspberry Pi FAQ, which turned out to be wrong. Not having a caliper available to help with the precision of the measurements, he grabbed his ruler and did the best he could. The first two cases were a poor fit, but as you can see the third is like a glove. Luckily you don’t have to go through this same trial and error as he release the design. Both A4 and US Letter sized PDFs are available for download. Print them out on the transparency, cut along the lines, apply transparent double-sided tape to the tabs and you’re in business. If you wish to alter the design he has also posted the SVG source he made in Inkscape.
This is certainly a good option for those of us without the ability to produce laser cut parts.
The biggest benefit to using the BeagleBone is it’s 700 MHz ARM processor. If you’re just messing around with basic I/O that power is going unused, but [Nuno Alves] is taking advantage of its power. He built a PDF password cracker based on the $85 development board.
We recently saw how easy it is to perform basic I/O using the BeagleBone. Those techniques are in play here, used to drive a character LCD and sample a button input from the breadboard circuit. [Nuno] even published separate posts for each of these peripheral features.
The password protected PDF file is passed to the device on a thumb drive. Since the BeagleBone is running embedded Linux you don’t need to mess around with figuring out how to read from the device. A click of the button starts the process. Currently the code just uses a brute force attack which can test more than 6000 four-character passwords per second. This is quite slow for any password more than four or five characters long, but [Nuno] does mention the possibility of running several ARM processors in parallel, or using a dictionary (or rainbow table) to speed things up. Either way it’s an interesting project to try on the hardware. You can see his video demo of the device after the break.
Continue reading “Brute force a password protected PDF using the BeagleBone”
[Satiagraha] let us know that Texas Instruments(TI) has given out a neat “LED Reference Design Cookbook” PDF. The document contains 17 some odd little projects featuring different TI ICs and ways of using them to control LEDs in things from backlights to torches to solar lanterns to advanced PWM control! Sure the document is biased towards using TI equipment, but that shouldn’t stop you from recreating, modifying, and generally just having fun with their designs in your own productions.