Hackaday Links: April 22, 2018

Eagle 9 is out. Autodesk is really ramping up the updates to Eagle, so much so it’s becoming annoying. What are the cool bits this time? Busses have been improved, which is great because I’ve rarely seen anyone use busses in Eagle. There’s a new pin breakout thingy that automagically puts green lines on your pins. The smash command has been overhauled and now moving part names and values is somewhat automatic. While these sound like small updates, Autodesk is doing a lot of work here that should have been done a decade ago. It’s great.

Crypto! Bitcoin is climbing up to $9,000 again, so everyone is all-in on their crypto holdings. Here’s an Arduino bitcoin miner. Stats of note: 150 hashes/second for the assembly version, and at this rate you would need 10 billion AVRs to mine a dollar a day. This array of Arduinos would need 2 Gigawatts, and you would be running a loss of about $10 Million per day (minus that one dollar you made).

Are you going to be at Hamvention? Hamvention is the largest amateur radio meetup in the Americas, and this year is going to be no different. Unfortunately, I’ll be dodging cupcake cars that weekend, but there is something of note: a ‘major broadcaster’ is looking for vendors for a ‘vintage tech’ television series. This looks like a Canadian documentary, which adds a little bit of respectability to this bit of reality television (no, really, the film board of Canada is great). They’re looking for weird or wacky pieces of tech, and items that look unique, strange, or spark curiosity. Set your expectations low for this documentary, though; I think we’re all several orders of magnitude more nerd than what would be interesting to a production assistant. ‘Yeah, before there were pushbutton phones, they all had dials… No, they were all attached to the wall…”

The new hotness on Sparkfun is a blinky badge. What we have here is a PCB, coin cell holder, color changing LED, and a pin clasp. It’s really not that different from the Tindie Blinky LED Badge. There is, however, one remarkable difference: the PCB is multicolored. The flowing unicorn locks are brilliant shades of green, blue, yellow, pink, purple, and red. How did they do it? We know full-color PCBs are possible, but this doesn’t look like it’s using a UV printer. Pad printing is another option, but it doesn’t look like that, either. I have no idea how the unicorn is this colorful. Thoughts?

Defcon is canceled, but there’s still a call for demo labs. They’re looking for hackers to show off what they’ve been working on, and to coax attendees into giving feedback on their projects.

Review: IoT Data Logging Services with MQTT

For the last few months, I had been using Sparkfun’s Phant server as a data logger for a small science project. Unfortunately, they’ve had some serious technical issues and have discontinued the service. Phant was good while it lasted: it was easy to use, free, and allowed me to download the data in a CSV format. It shared data with analog.io, which at the time was a good solution for data visualization.

While I could continue using Phant since it is an open-source project and Sparkfun kindly releases the source code for the server on Github, I thought it might be better to do some research, see what’s out there. I decided to write a minimal implementation for each platform as an interesting way to get a feel for each. To that end, I connected a DHT11 temperature/humidity sensor to a NodeMCU board to act as a simple data source.

Continue reading “Review: IoT Data Logging Services with MQTT”

Hackaday’s Open Hardware Summit Experience

Last week was the Open Hardware Summit in Denver Colorado. This yearly gathering brings together the people and businesses that hold Open Hardware as an ideal to encourage, grow, and live by. There was a night-before party, the summit itself which is a day full of talks, and this year a tour of a couple very familiar open hardware companies in the area.

I thought this year’s conference was quite delightful and am happy to share with you some of the highlights.

Continue reading “Hackaday’s Open Hardware Summit Experience”

Hackaday Links: October 8, 2017

On the top of the popcorn pile for this weekend is an ambiguous tweet from Adafruit that was offered without comment or commentary. [Lady Ada] is holding some sort of fancy incorporation papers for Radio Shack. The smart money is that Adafruit just bought these at the Radio Shack auction a month or so ago. The speculation is that Adafruit just bought Radio Shack, or at least the trademarks and other legal ephemera. Either one is cool, but holy crap please bring back the retro 80s branding.

A Rubik’s Cube is a fantastic mechanical puzzle, and if you’ve never taken one apart, oh boy are you in for a treat. Here’s an RGB LED Rubick’s Cube with not enough detail as to how each square is getting powered. Here’s an open challenge for anyone: build an RGB LED Rubick’s Cube, and Open Source the design.

Last weekend, the front fell off the engine of an Air France A380 flying over Greenland. As with all aircraft incidents, someone has to find the missing bits. It only took a week to find a mangled cowling on an ice sheet. This is incredibly impressive; if you want a comparison to another accident, it took three months to find the fan disk for UA 232 in an Iowa cornfield.

Poorly thought out Kickstarters don’t grab our attention like they used to, but this is an exception. The Aire is a mashup of one of those voice-activated home assistants (Alexa, whatever the Google one is named…) and a drone. The drone half of the build is marginally interesting as a ducted fan coaxial thingy, and building your own home assistant isn’t that hard with the right mics and a Raspberry Pi. The idea is actually solid — manufacturing is another story, though. It appears no one thought about how annoying it would be to have a helicopter following them around their house, or if the mics would actually be able to hear anyone over beating props. Here’s the kicker: this project was successfully funded. People want to buy this. A fool and his or her money…

Processing is cool, although we’re old skool and still reppin’ Max/MSP. It looks like the first annual Processing Community Day is coming up soon. The Processing Community Day will be at the MIT Media Lab on October 21st, with talks from the headliners of the Processing community.

Maker Faire NYC was two weekends ago, the TCT show in Birmingham was last week, and Open Hardware Summit was in Denver this weekend. Poor [Prusa] was at all of them, racking up the miles. He did, however, get to ride [James from XRobots.co.uk]’s electric longboard. There’s some great videos from [James] right here and here.

Speaking of Open Hardware Summit, there was a field trip to Sparkfun and Lulzbot this Friday. The highlight? The biggest botfarm in the states, and probably the second largest in the world. That’s 155 printers, all in their own enclosures, in a room that’s kept at 80° F. They’re printing ABS. Control of the printers is through a BeagleBone running Octoprint. These ‘Bones and Octoprint only control one printer each, and there is no software layer ‘above’ the Octoprint instances for managing multiple printers simultaneously. That probably means the software to manage a botfarm doesn’t exist. There have been attempts, though, but nothing in production. A glove thrown down?

Seek Out Scammers With Skimmer Scanner

Last week we reported on some work that Sparkfun had done in reverse engineering a type of hardware card skimmer found installed in gasoline pumps incorporating card payment hardware. The device in question was a man-in-the-middle attack, a PIC microcontroller programmed to listen to the serial communications between card reader and pump computer, and then store the result in an EEPROM.

The devices featured a Bluetooth module through which the crooks could harvest the card details remotely, and this in turn provides a handy way to identify them in the wild. If you find a Bluetooth connection at the pump bearing the right identification and with the right password, it can then be fingered as a skimmer by a simple response test. And to make that extra-easy they had written an app, which when we reported on it was available from a GitHub repository.

In a public-spirited move, they are now calling upon the hardware hacker and maker community to come together today, Monday, September 25th, and draw as much attention as possible to these devices in the wild, and with luck to get a few shut down. To that end, they have put a compiled version of the app in the Google Play Store to make it extra-easy to install on your phone, and they are asking for your help. They are asking for people to first read their tutorial linked above, then install the app and take it on the road. Then should any of you find a skimmer, please Tweet about it including your zip code and the #skimmerscanner hashtag. Perhaps someone with a bit of time on their hands might like to take such a feed of skimmer location data and map it.

It would be nice to think that this work might draw attention to the shocking lack of security in gas pumps that facilitates the skimmers, disrupt the finances of a few villains, and even result in some of them getting a free ride in a police car. We can hope, anyway.

Gasoline pump image: Michael Rivera [CC BY-SA 3.0].

Seriously, Is It That Easy To Skim Cards?

We’ve all heard of card skimmers, nefarious devices that steal the identity of credit and debit cards, attached to ATMs and other machines in which unsuspecting consumers use them. Often they have relied on physical extraction of data from the card itself, such as by inserting a magnetic stripe reader in a fake ATM fascia, or by using a hidden camera to catch a picture of both card and user PIN entry.

The folks at Sparkfun write about an approach they received from a law enforcement agency bearing a selection of card skimmer devices that had been installed in gasoline pumps. These didn’t rely on interception of the card itself, instead they sat as a man-in-the-middle attack in the serial line between the card reader unit and the pump electronics. Let that sink in for a minute: a serial line that is readily accessible to anyone with the pump manufacturer’s standard key, carries card data in an unencrypted form. The owner of the skimming device is the criminal, but the company leaving such a wide-open vulnerability should really be joining them in having to answer to authorities.

The Skimmer Scanner app may help keep you safe.
The Skimmer Scanner app may help keep you safe.

The device itself is quite simple and well-executed, though it appears that attachment of wires and connectors is a job left to the crook. Some boards boast excellent soldering, while others have joints that are, well, simply criminal. On the board is a PIC microcontroller, a serial Flash chip, and a commodity Bluetooth module. This last component provides the means for the miscreant to harvest their ill-gotten gains, and incidentally a handy means by which compromised pumps can be identified. The Sparkfun people have provided an Android app that interrogates any modules it encounters, and warns of any that return the signature of a skimmer.

It is sad to say that some level of crime is an inevitable feature of the human condition, and therefore it should not be an unreasonable expectation that any entity with which we trust our sensitive data such as a credit card number should take reasonable steps to ensure its security. If a bank transported customer cash through the streets as bundles of $10 bills in open handcarts it is likely that they would get into trouble very quickly, so that the pump manufacturers send card information in the clear over such a readily accessible medium should be a scandal of similar magnitude. That financial institutions prefer to cover up the problem and shift the loss onto the gas stations rather than mandate better device security from the pump manufacturers speaks volumes about their misplaced priorities.

If this topic interests you, we’ve shown you a teardown of a more traditional skimmer in the past.

Thanks [CYK] for the tip.

Sparkfun’s Alternate Reality Hardware

SparkFun has a new wing of hardware mischief. It’s SparkX, the brainchild of SparkFun’s founder [Nate Seidle]. Over the past few months, SparkX has released breakout boards for weird sensors, and built a safe cracking robot that got all the hacker cred at DEF CON. Now, SparkX is going off on an even weirder tangent: they have released The Prototype. That’s actually the name of the product. What is it? It’s a HARP, a hardware alternate reality game. It’s gaming, puzzlecraft, and crypto all wrapped up in a weird electronic board.

The product page for The Prototype is exactly as illuminating as you would expect for a piece of puzzle electronics. There is literally zero information on the product page, but from the one clear picture, we can see a few bits and bobs that might be relevant. The Prototype features a microSD card socket, an LED that might be a WS2812, a DIP-8 socket, a USB port, what could be a power switch, a PCB antenna, and a strange black cylinder. Mysteries abound. There is good news: the only thing you need to decrypt The Prototype is a computer and an open mind. We’re assuming that means a serial terminal.

The Prototype hasn’t been out for long, and very few people have one in hand. That said, the idea of a piece of hardware sold as a puzzle is something we haven’t seen outside of conference badges. The more relaxed distribution of The Prototype is rather appealing, and we’re looking forward to a few communities popping up around HARP games.