
Hackaday Links: February 12, 2023

So, maybe right now isn’t the best time to get into the high-altitude ballooning hobby? At least in the US, which with the downing of another — whatever? — over Alaska, seems to have taken a “Sidewinders first, threat identification later” approach to anything that floats by. The latest incident involved an aircraft of unknown type, described as “the size of a small car” — there’s that units problem again — that was operating over Prudhoe Bay off the northern coast of Alaska. The reason that was given for this one earning a Sidewinder was that it was operating much lower than the balloon from last week, only about 40,000 feet, which is well within the ceiling of commercial aviation. It was also over sea ice at the time of the shootdown, making the chance of bothering anyone besides a polar bear unlikely. We’re not taking any political position on this whole thing, but there certainly are engineering and technical aspects of these shootdowns that are pretty interesting, as well as the aforementioned potential for liability if your HAB goes astray. Nobody ever really benefits from having an international incident on their resume, after all.


Cardboard Game Tokens Become Shiny Click-Clacks With DIY Treatment

Tabletop games and cardboard tokens go hand-in-hand for a good reason: they are economical and effective. However, their tactile attributes leave a little to be desired. There’s something really great about high-quality pieces possessing a shiny, pleasing smoothness and click-clack handling that cardboard simply can’t deliver, but that all changes with [Dzhav]’s simple method for converting cardboard tokens into deluxe versions of themselves with a little work and a resin coating.

The result is a token with a crystal-clear, smooth, and slightly-convex coating of hardened resin on it. They feel (and sound) like plastic, rather than cardboard. The resin used is a two-part clear jewelry resin, used for casting things like pendants. It benefits from a long working time and unlike UV-cured resin (like the SLA 3D printer resin) it won’t be affected by light.

Careful application of resin relies on surface tension to prevent messes.

Like with most things, good results come from careful preparation and technique. [Dzhav] suggests preparing the tokens by sanding the edges completely smooth with fine sandpaper, then using a black marker to color them. Then, tokens are coated one side at a time with a paintbrush and correctly-mixed resin: while holding a token down with a toothpick, resin is brushed right to (but not over) the edges. Then, additional resin can be dropped in the center of the token, and gravity and surface tension will work together to ensure an even coating that doesn’t drip.

After the resin has had plenty of time to cure, the tokens are flipped over and the process repeated. The end result is tokens with both sides coated in a nice, smooth, ever-so-slightly-convex shield of resin.

They look fantastic, and sound even better. Turn up your volume and play the two-second video embedded below to listen for yourself. And when you’re ready for another gamer that didn’t settle for what was in the box, check out this redesigned Catan version.


Cruising GitHub For Slack Webhook Tokens

GitHub is an incredibly powerful tool for sharing source code, and its value to the modern hacker can’t be overstated. But there’s at least one downside to effortlessly sharing your source: it’s now much easier for the whole world to find out when you screw up. Back in the day, if you accidentally left a username or password in a tarball hosted on your site, you could pull it down before anyone noticed. But push something like that up to GitHub, and you’ve got a problem on your hands.

For an example, look no farther than this tool that crawls GitHub for Slack webhooks written by [Michele Gruppioni]. Exploiting the fact that Slack webhook links have a predictable format, the tool searches repositories to find code that erroneously includes the authentication token. With the token in hand, an attacker now has the ability to send unsolicited messages into that channel.

But [Michele] restrained himself and didn’t Rickroll the over 6,500 Slack channels he had access to after searching GitHub with his tool. Instead, he sent them all a friendly message explaining their webhook tokens were available on GitHub, and gave them a link to where they could get more information about his project.

Most of the people who contacted him after the fact appreciated that he sent a gentle warning and not something unsavory. Still, we’d recommend caution to anyone looking to expose a vulnerability in this manner. While [Michele] had honorable intentions, it’s certainly not unheard of for an embarrassed administrator to blame the messenger.

When used properly, webhooks can be a very handy way of pushing data into your chat platform of choice. We’ve previously looked at a practical example of a weather station that pushes current conditions into a Discord channel. Just try not to accidentally commit your authentication token to the world’s largest database of open source projects, or you might receive more than you bargained for.
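The leak happens on the repository side, so here is an added example (not [Michele]'s tool, which searches GitHub after the fact) of the check a team can run before a commit ever leaves the laptop: a small Go scanner that flags Slack incoming-webhook URLs in file contents and redacts the secret in its own report so the finding can be pasted into a ticket. The URL shape it matches is an assumption drawn from Slack's documented format (a workspace ID beginning with T, a B-prefixed ID, then a 24-character secret); the sample file contents are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Shape of a Slack incoming-webhook URL (assumption based on Slack's
// documented format). Only the last segment is the credential; the first two
// identify the workspace and the bot, so they can stay in the report.
var slackWebhook = regexp.MustCompile(
	`https://hooks\.slack\.com/services/(T[A-Z0-9]+)/(B[A-Z0-9]+)/([A-Za-z0-9]{24})`)

// Finding records where a webhook was seen, with the secret stripped.
type Finding struct {
	File     string
	Line     int
	Redacted string
}

// scanText checks one file's contents line by line.
func scanText(file, text string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		for _, m := range slackWebhook.FindAllStringSubmatch(sc.Text(), -1) {
			out = append(out, Finding{file, n,
				"https://hooks.slack.com/services/" + m[1] + "/" + m[2] + "/<redacted>"})
		}
	}
	return out
}

// scanFiles checks every file and says whether the commit should be blocked.
func scanFiles(files map[string]string) (block bool, findings []Finding) {
	for name, text := range files {
		findings = append(findings, scanText(name, text)...)
	}
	return len(findings) > 0, findings
}

// Constructed sample: one hard-coded webhook, one read from the environment.
var sampleFiles = map[string]string{
	"notify.py": "import os\n" +
		"SLACK_URL = \"https://hooks.slack.com/services/T00000000/B00000000/" +
		strings.Repeat("X", 24) + "\"\n",
	"config.py": "WEBHOOK = os.environ[\"SLACK_WEBHOOK\"]  # fine: not in the repo\n",
}

// As a pre-commit hook: git diff --cached -U0 | go run scan.go
// (line numbers then refer to the diff output, not the file).
func main() {
	data, _ := io.ReadAll(os.Stdin)
	block, findings := scanFiles(map[string]string{"<stdin>": string(data)})
	for _, f := range findings {
		fmt.Printf("%s:%d: Slack webhook in commit: %s\n", f.File, f.Line, f.Redacted)
	}
	if block {
		os.Exit(1)
	}
}
```

The scanner only stops the next mistake; a webhook that has already been pushed should be treated as burned and replaced, since the history keeps it even after the line is removed.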

Use A Digital Key To Deter Lockpicking

Spending an hour or two around any consumer-level padlock or house deadbolt lock with a simple lockpicking kit will typically instill a good amount of panic and concern about security. While it’s true that any lock can be defeated, it’s almost comically easy to pick basic locks like this. So, if you’re looking for a level of security that can’t be defeated in two minutes with a tiny piece of metal, you might want to try something a little more advanced.

This project stemmed from an idea to use a YubiKey, a USB hardware token typically used for two-factor authentication, for physical locks instead. The prototype was built around an Arduino UNO, and all of the code and build instructions are available on the project’s site. The creator, [rprinz08], has not built one inside a secure enclosure, so that remains an exercise for the reader, but the proof-of-concept is interesting and certainly useful.

While digital keys like this can have their own set of problems (as all locks do), this would be a great solution for anyone needing to lock up anything where physical keys are a liability or a nuisance, where logging is important, or where many people need access to the same lock. The open source code and well-known platform make it easy for anyone to build, too.
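The write-up does not say how [rprinz08]'s firmware checks the key, so here is an added example (not the project's code) of the validation a lock controller would do if it accepts Yubico OTPs in their documented layout: decode the modhex string, decrypt the single AES-128 block with the key enrolled for that token, verify the CRC and the private UID, and refuse any OTP whose counters have not moved forward. makeOTP stands in for a key press, with constructed timestamp and random bytes; the AES key, UID and public ID in the test are constructed too.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)

// Modhex alphabet used by YubiKeys ('c'=0 ... 'v'=15); same keys on most layouts.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, (len(s)+1)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhex[x>>4])
		sb.WriteByte(modhex[x&0x0f])
	}
	return sb.String()
}

// crc16 is Yubico's CRC-16 (reflected CCITT, poly 0x8408, init 0xffff, no
// final xor); an OTP stores ^crc16(first 14 bytes) little-endian at the end.
func crc16(buf []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range buf {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // branchless: xor poly if lsb set
		}
	}
	return crc
}

// KeyState is what the lock keeps per enrolled key: the AES-128 key shared with
// the YubiKey, its private UID, and the highest (session, use) pair accepted.
type KeyState struct {
	AESKey  []byte
	UID     [6]byte
	Session uint16 // genuine keys start at 1, so the zero value never rejects a first press
	Use     uint8
}

// Unlock finds the OTP's 12-character public ID in keys and accepts the rest
// only if it decrypts under that key with a valid CRC, the right UID, and
// counters newer than the last OTP accepted.
func Unlock(keys map[string]*KeyState, otp string) error {
	if len(otp) != 44 || keys[otp[:12]] == nil {
		return errors.New("malformed OTP or unknown public ID")
	}
	ks := keys[otp[:12]]
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, _ := aes.NewCipher(ks.AESKey) // assumes a 16-byte key was enrolled
	pt := make([]byte, 16)
	block.Decrypt(pt, ct) // one AES block, so the protocol is plain ECB
	if binary.LittleEndian.Uint16(pt[14:]) != ^crc16(pt[:14]) {
		return errors.New("CRC mismatch: wrong key or corrupted OTP")
	}
	if string(pt[:6]) != string(ks.UID[:]) {
		return errors.New("private UID mismatch")
	}
	// Replay protection: session (bytes 6-7, bumped at power-up) and use
	// (byte 11) must move strictly forward; timestamp (8-10) and random
	// bytes (12-13) are not needed for this decision.
	session, use := binary.LittleEndian.Uint16(pt[6:8]), pt[11]
	if session < ks.Session || (session == ks.Session && use <= ks.Use) {
		return errors.New("replayed or stale OTP")
	}
	ks.Session, ks.Use = session, use
	return nil
}

// makeOTP stands in for a key press so the example runs offline (constructed data).
func makeOTP(publicID string, aesKey []byte, uid [6]byte, session uint16, use uint8) string {
	pt := make([]byte, 16)
	copy(pt, uid[:])
	binary.LittleEndian.PutUint16(pt[6:8], session)
	copy(pt[8:11], []byte{0x11, 0x22, 0x33}) // timestamp (constructed)
	pt[11] = use
	pt[12], pt[13] = 0x42, 0x43 // "random" filler (constructed)
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(aesKey)
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	return publicID + modhexEncode(ct)
}
```

Two things the lock has to get right beyond the code: the (Session, Use) pair must be written to non-volatile storage after every accepted press, or a power cycle reopens the door to every OTP typed since the last save; and the AES key exists only in the YubiKey and the lock, so the controller that holds it is the part that wants the secure enclosure the write-up leaves as an exercise.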

Improved Game Tokens With Laser Cutting And Clever Design

[Martin Raynsford] is a prolific project maker, especially when it comes to using a laser cutter. These laser-cut token counters for the board game Tigris & Euphrates demonstrate some clever design, and show that some simple touches can make a big difference.

In the digital version of the game, the tokens conveniently display a number representing their total power value. [Martin] liked this feature, and set out to design a replacement token for the tabletop version that could display a number while still keeping the aesthetic of the originals. The tokens were designed as a dial with a small cutout window to show a number, but the surface of the token showing color and icon is still mostly unchanged.

Magnets hold the top and bottom together, and because of the small size of the assembly, no detents are needed. Friction is enough to keep things from moving unintentionally. The second noteworthy design feature is the material for the top layer of the token. This layer is made from 0.8 mm birch plywood; a nice and thin top layer means a wider viewing angle because the number is nearer to the surface. If the top layer were thicker, the number would be recessed and harder to see.

[Martin] made the design file available should anyone wish to try it out. No stranger to games, he even once game-ified the laser itself, turning it into a physical version of Space Invaders. Be sure to check it out!


Taking A U2F Hardware Key From Design To Production

Building a circuit from prototyping to printed circuit board assembly is within the reach of pretty much anyone with the will to get the job done. If that turns out to be something that everyone else wants, though, the job suddenly gets much more complex. This is what happened to [Conor], who started with an idea to create two-factor authentication tokens and ended up manufacturing and selling them on Amazon. He documented his trials and tribulations along the way; it’s both an interesting and perhaps cautionary tale.

[Conor]’s tokens themselves are interesting in their simplicity: they use an Atmel ATECC508A, specifically designed for P-256 signatures and keys, and the cheapest USB-enabled microcontroller he could find, a Silicon Labs EFM8UB1. His original idea was to solder all of the tokens over the course of one night, which was of course overly optimistic. Instead, he had the tokens fabricated and assembled before they were shipped to him for programming.

Normally the programming step would be straightforward, but using identical pieces of software for every token would compromise their security. He wrote a script that works with the Atmel chip to create a unique attestation certificate for each token. He was able to cut a significant amount of time off the programming step by using the computed values with a programming jig he built to flash three units concurrently. This follows the same testing and programming path that [Bob Baddeley] advocated in his Tools of the Trade series.

From there [Conor] just needed to get set up with Amazon. This was a process worthy of its own novel, with Amazon requiring an interesting amount of paperwork from [Conor] before he was able to proceed. Then there was an issue of an import tariff, but all-in-all everything seems to have gone pretty smoothly.

Creating a product from scratch like this can be an involved process. In this case it sounds like [Conor] extracted value from having gone through the entire process himself. But he also talks about a best-case-scenario margin of about 43%. That’s a tough bottom line, but a good lesson for anyone looking at building low-cost electronics.
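The per-token attestation certificate is what lets a relying party tell a genuine device from a clone, so here is an added example (not [Conor]'s script, whose details the post does not give) of the chain it builds and the U2F registration signature it protects, written in Go with only the standard library: a vendor CA issues one certificate per token, the token signs the registration data with its own attestation key, and the relying party checks both the chain and the signature. The CA name, serial numbering, app and challenge parameters are constructed; the signed layout follows the U2F raw message format (0x00, application parameter, challenge parameter, key handle, user public key).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key and has parentKey sign tmpl for it; with
// parentKey nil the certificate is self-signed (the vendor root).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// VendorCA is the manufacturer's root. One certificate per token means no two
// tokens share a key, and one leaked key can be revoked on its own.
type VendorCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
	next int64 // next device serial (constructed numbering)
}

func NewVendorCA(name string) (*VendorCA, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, key, err := newCert(tmpl, tmpl, nil)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &VendorCA{Cert: cert, key: key, next: 2}, err
}

// Token holds the per-unit secret a programming jig would burn into one device.
type Token struct {
	CertDER []byte
	key     *ecdsa.PrivateKey
}

func (ca *VendorCA) Provision() (*Token, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("%s token #%d", ca.Cert.Subject.CommonName, ca.next)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	ca.next++
	der, key, err := newCert(tmpl, ca.Cert, ca.key)
	return &Token{CertDER: der, key: key}, err
}

// registrationData is the U2F raw-message layout the token signs at
// registration: 0x00 || appParam || challengeParam || keyHandle || userPubKey.
func registrationData(appParam, challengeParam, keyHandle, userPubKey []byte) []byte {
	d := []byte{0x00}
	for _, p := range [][]byte{appParam, challengeParam, keyHandle, userPubKey} {
		d = append(d, p...)
	}
	return d
}

// Attest signs the registration data with the token's attestation key.
func (t *Token) Attest(data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, t.key, h[:])
}

// VerifyAttestation is the relying party's side: the certificate must chain
// to a vendor root it trusts, and the signature must verify under that cert.
func VerifyAttestation(roots *x509.CertPool, certDER, data, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("attestation certificate not trusted: %w", err)
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, data, sig)
}
```

The part of this that belongs on the production line is Provision: it is the step that must run once per unit with the CA key kept off the jig, which is exactly why the programming pass cannot be the same image flashed into every token.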


Deleting Facebook Albums Without Permission

[Laxman] was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program which means if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for [Laxman] to find one worthy of a bounty.

The graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums. At least, it’s not supposed to be able to. [Laxman] decided to test this claim himself.

He started by sending a command to delete one of his own albums using a graph explorer access token. His request was denied. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. [Laxman] had another trick up his sleeve, though. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application.

He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. This actually worked, and resulted in his photo album being deleted. To take things a step further, [Laxman] sent the same requests, but changed the user’s ID to a victim account he had set up. The request was accepted and processed without a problem. This meant that [Laxman] could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that [Laxman] had permission to view the album in the first place.

Since [Laxman] is one of the good guys, he sent this bug in to the Facebook team. It took them less than a day to fix the issue and they rewarded [Laxman] $12,500 for his trouble. It’s always nice to be appreciated. The video below shows [Laxman] walking through how he pulled off this hack using Burp Suite.
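What failed here is the object-level authorization check: the endpoint confirmed that the app behind the token was allowed to delete albums, then trusted the user ID in the request to decide whose album was being deleted. As an added example (not Facebook's code; the scope name, data model and the two token kinds are assumed from the write-up), here is that shape beside the fixed one, where the subject comes from the token and the request carries no user ID at all.

```go
package main

import "errors"

// Album and Token are a minimal model of the objects involved: an album has an
// owner, and a token says who authenticated and what scopes the app behind it
// was granted (the scope name is illustrative).
type Album struct{ ID, Owner string }

type Token struct {
	UserID string
	Scopes map[string]bool
}

type Service struct{ Albums map[string]*Album }

var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("album not found")
)

// DeleteAlbumVulnerable has the shape of the bug in the write-up: it checks the
// app's scope, then trusts the user ID supplied by the caller to decide whose
// album is deleted. A token with the scope can delete another user's album
// simply by naming that user.
func (s *Service) DeleteAlbumVulnerable(tok Token, requestedUserID, albumID string) error {
	if !tok.Scopes["user_photos"] {
		return ErrForbidden // the Graph Explorer token in the write-up stops here
	}
	a, ok := s.Albums[albumID]
	if !ok || a.Owner != requestedUserID {
		return ErrNotFound
	}
	delete(s.Albums, albumID)
	return nil
}

// DeleteAlbum is the fixed version: the subject is taken from the token, never
// from the request, and the object-level check compares the album's owner to
// that subject. Scope (what the app may do) and ownership (on whose objects)
// are two separate questions, and both must be answered.
func (s *Service) DeleteAlbum(tok Token, albumID string) error {
	if !tok.Scopes["user_photos"] {
		return ErrForbidden
	}
	a, ok := s.Albums[albumID]
	if !ok {
		return ErrNotFound
	}
	if a.Owner != tok.UserID {
		return ErrForbidden
	}
	delete(s.Albums, albumID)
	return nil
}

// newSample builds the constructed scenario: a victim's album plus the two
// kinds of token described in the write-up, both held by the attacker.
func newSample() (s *Service, explorer, mobile Token) {
	s = &Service{Albums: map[string]*Album{"album-1": {ID: "album-1", Owner: "victim"}}}
	explorer = Token{UserID: "attacker", Scopes: map[string]bool{}}
	mobile = Token{UserID: "attacker", Scopes: map[string]bool{"user_photos": true}}
	return s, explorer, mobile
}
```

The detection angle follows from the fix: once the handler ignores any user ID in the request, a request that still supplies one for a different user is worth logging, because a legitimate client never needs to send it.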