Any software that accepts user input must take some effort to sanitize incoming data, lest unexpected and unwelcome things happen. Here to make that easier is the Big List of Naughty Strings, an evolving list of edge cases, unusual characters, script-injection fragments, and all-around nonstandard stuff aimed at QA testers, developers, and the curious. It’s a big list that has grown over the years, and every piece of it is still (technically) just a string.
These strings have a high probability of surfacing any problems with handling user input. They won’t necessarily break anything, but they may cause unexpected things to happen and help point out any issues that need fixing. After all, many attacks hinge on being able to send unexpected inputs that don’t get properly sanitized.
Finding bad inputs is not always entirely straightforward, but at least the Big List of Naughty Strings is available in a variety of formats to make it easy to use. [Max Woolf] has been maintaining the list for years, but if you haven’t heard of it yet and think it might come in useful, now’s the time to give it a look. Now you can help ensure your system can handle things like someone registering a company named
; DROP TABLE “COMPANIES”;– LTD.
Electric guitars were the hip new thing back in the mid-century. The electrification of the common and portable guitar opened up a lot of avenues in terms of sound and technique. Specifically, the use of the pickup, an electromagnetic device which converts the vibrations of the guitar strings into electrical signals, increased the number of ways that a musician can alter the guitar’s sound on-the-fly. Some guitars have several rows of pickups which can be used in any number of ways, but this custom guitar has a single pickup which can be moved around the guitar’s body instead.
[Breno] was gifted this Dolphin bass guitar to start learning after years of playing a regular guitar, and while they aren’t known for high-quality instruments this guitar seemed to play and sound well enough to attempt this modification. First, a hole had to be cut all the way through the guitar’s body in order to accommodate the build. The pickup for this guitar is then mounted on two rods which allow it to move in various positions along the strings, and a second set of adjustments can be made to bring the pickups closer or further away from the strings. Some additional custom circuitry was added to control it and also to handle the volume and tone knobs, and while this was being added [Breno] and his friend [Arthur] decided this would be a great time to build some effects into the guitar’s now-custom electronics as well.
While this was largely a project for [Breno] to understand in greater depth the effect of moving the pickups around an electric guitar, the finished product looks ready to play some live shows. The addition of some extras like the effects really adds some punch to this guitar and it looks to be completely original. The nearest thing we could find is this guitar which uses hot-swappable pickups but even those are mounted in fixed locations.
We’re partial to musical instrument hacks around here, mainly because we find instruments to be fascinating machines. Few are more complex than the piano, and, as it turns out, few are quite so hackable. Still, we have to admit that this ragtime piano hack took us by surprise.
We always thought that the rich variety of tones that can be coaxed from a piano, from the tinny sound of an Old West saloon piano to the rich tones of a concert grand, were due mainly to the construction of the instrument and the way it’s played. Not so, apparently, as [Measured Workshop] demonstrated by installing a “mandolin rail” in a small upright piano. The instrument had seen better days, so step one was disassembly and cleaning. A wooden rail spanning the entire width of the string board was added, with a curtain of fabric draping down to the level of the hammers. The curtain was cut into a fringe in the same spacing as the hammers – marking the hammer locations with cornstarch was a nice trick – and metal clips were crimped to each fringe. The completed mandolin rail can be raised and lowered using a new foot pedal, completely changing the tone as the hammers hit the strings with the metal clips rather than their soft felt heads. It makes the piano sound a little like a harpsichord, or the aforementioned saloon instrument, and at the touch of a foot, it’s back to its original tone.
Most of the piano hacks we offer tend toward the electronic variety, so it’s nice to see a purely mechanical piano hack for a change. And if the hacked piano doesn’t work out as an instrument, you can always turn it into a workbench.
Continue reading “Simple Hack Completely Changes The Sound Of This Piano” →
A core part of the hacker mentality is the desire to test limits: trying out ideas to see if something interesting, informative, and/or entertaining comes out of it. Some employees of Andrews & Arnold (a UK network provider) applied this mentality towards connecting their ADSL test equipment to some unlikely materials. The verdict of experiment: yes, ADSL works over wet string.
ADSL itself is something of an ingenious hack, carrying data over decades-old telephone wires designed only for voice. ADSL accomplished this in part through robust error correction measures keeping the bytes flowing through lines that were not originally designed for ADSL frequencies. The flow of bytes may slow over bad lines, but they will keep moving.
How bad? In this case, a pair of strings dampened with salty water. But there are limits: the same type of string dampened with just plain water was not enough to carry ADSL.
The pictures of the test setup also spoke volumes. They ran the wet string across a space that looked much like every hacker workspace, salt water dripping on the industrial carpet. Experimenting and learning right where you are, using what you have on hand, are hallmarks of hacker resourcefulness. Fancy laboratory not required.
Thanks to [chris] and [Spencer] for the tips.
When [sticilface] started using the Arduino IDE to program an ESP8266, he found he was running out of RAM quickly. The culprit? Strings. That’s not surprising. Strings can be long and many strings like prompts and the like don’t ever change. There is a way to tell the compiler you’d like to store data that won’t change in program storage instead of RAM. They still eat up memory, of course, but you have a lot more program storage than you do RAM on a typical device. He posted his results on a Gist.
On the face of it, it is simple enough to define a memory allocation with the PROGMEM keyword. There’s also macros that make things easier and a host of functions for dealing with strings in program space (basically, the standard C library calls with a _P suffix).
Continue reading “Save ESP8266 RAM With PROGMEM” →
Small Office and Home Office (SOHO) wireless routers have terrible security. That’s nothing new. But it is somewhat sad that manufacturers just keep repurposing the same broken firmware. Case in point: D-Link’s new DIR-890L, which looks like a turtled hexapod. [Craig] looked behind the odd case and grabbed the latest firmware for this device from D-Link’s website. Then he found a serious vulnerability.
The usual process was applied to the firmware image. Extract it, run binwalk to find the various contents of the firmware image, and then extract the root filesystem. This contains all the code that runs the router’s various services.
The CGI scripts are an obvious place to poke for issues. [Colin] disassembled the single executable that handles all CGI requests and started looking at the code that handles Home Network Administration Protocol (HNAP) requests. The first find was that system commands were being built using HNAP data. The data wasn’t being sanitized, so all that was needed was a way to bypass authentication.
This is where D-Link made a major error. They wanted to allow one specific URL to not require authentication. Seems simple, compare string A to string B and ensure they match. But they used the strstr function. This will return true if string A contains string B. Oops.
So authentication can be bypassed, telnetd can be started, and voila: a root shell on D-Link’s most pyramid-shaped router. Oh, and you can’t disable HNAP. May we suggest OpenWrt or dd-wrt?
The Irregular Incurve is a robotic instrument built by [Xiaoyang Feng] as part of his ITP thesis work. It’s a MIDI instrument with an array of 12 strung bows mounted to a curved shower rod. The end of each bow has a tuning key. The strings are each picked using independently mounted arms. One servo controls the downward motion of the pick while the other controls the rotation of the shaft. A damper is also attached to each arm. The string vibrations are transferred to a spruce soundbox under the bridge. Below you can see a video of Gizmodo playing with it at the ITP show. Check out [Xiaoyang]’s Flickr set for images of the build process plus some early videos of the mechanism.
Continue reading “Irregular Incurve Robotic Instrument” →