Hackaday

Syndicate content Hackaday
Fresh hacks every day
ถูกปรับปรุง 2 hours 19 min ก่อน

DIY 9V Battery

พฤ, 10/19/2017 - 18:00

Volta’s pile — the first battery — was little more than silver and zinc discs separated by paper soaked in salt water. A classic classroom experiment is to build a pile from copper pennies, tin foil, and vinegar or lemon juice. [Omars2] has a different take on this old experiment. He creates a 9V battery using some zinc screws, copper wire, and salt water. There’s a video of the battery, below.

A syringe piston serves as a substrate for the cells, and each cell is just a screw with paper wrapped around it and then 35 turns of copper wire on top of that. The battery is soaked in salt water, although we suspect vinegar or lemon juice would work even better. Heating the electrolyte is also a good idea.

The theory is pretty simple: The salt dissolves into positively charged sodium ions and negatively charged chlorine atoms to form the electrolyte. The cathode loses electrons into the solution, leaving it positive. The other electrode — the anode — collects electrons, so it has a net negative charge. The difference between the charge on the two electrodes creates a potential difference. When you close the circuit, electrons flow from the anode back to the cathode, causing an electrical current.

If you’d rather make the penny version of this, it’s been easier in the US since 1982 when pennies became copper-covered zinc. Grinding the copper off one side of each penny allows them to act as both electrodes. Old pennies don’t have a zinc core, so to use those you’d need another metal like tin foil.

If you want something more impressive looking, try a cola can battery. If these aren’t exciting enough for you, consider a nuclear battery.


Filed under: classic hacks

Cheap RC Truck Mod Is Slightly Risky Fun

พฤ, 10/19/2017 - 15:00

The world of RC can be neatly split into two separate groups: models and toys. The RC models are generally big, complex, and as you’d imagine, more expensive. On the other hand, the RC toys are cheap and readily available. While not as powerful or capable as their more expensive siblings, they can often be a lot of fun; especially since the lower costs means a crash doesn’t put too big of a ding into to your wallet.

With his latest mod, [PoppaFixIt] has attempted to bridge the gap between toy and model by sticking a considerably overpowered battery into a $10 RC truck from Amazon. He reports greatly improved performance from his hacked together truck, but anyone looking to replicate his work should understand the risks before attempting to hack up their own version.

The principle is pretty simple; the truck is designed to run on two AA batteries, providing 3 volts. But by swapping the AAs out for a 3.7 volt 1S LiPo of the type that’s used in small airplanes and quadcopters, you can get an instant boost in power. As a happy side effect, the LiPo batteries are also rechargeable and fairly cheap, so you won’t have to keep burning through alkaline AAs.


The mod itself is a basic job that only requires a few bucks in parts, and for which [PoppaFixIt] has helpfully provided Amazon links. Essentially you just crack open the truck, solder a JST connector pigtail to the positive and negative traces on the PCB, and then pop a hole in the roof to run the new battery wires out.

Right about now the RC purists are probably screaming obscenities at their displays, and not without reason. As fun as these supercharged little trucks are to drive, there are a number of real issues here which need to be mentioned.

First, while the motor will probably be alright with a bit higher voltage running through them, the gears won’t be liking it one bit. In fact, [PoppaFixIt] even mentions they shredded a few gears when they tried to take one off-road. The second issue is that since these vehicles were not designed with LiPo batteries in mind, there’s no low voltage cutoff to prevent over discharge. If you aren’t careful, a setup like this will cook those cute little batteries in short order. But hey, at least it’s all cheap.

If you are more interested in control than power, you may want to check out the previous hacks we’ve featured. Seems like these little RC trucks are the platform of choice for hackers who want to get stuff moving on the cheap.


Filed under: hardware, toy hacks

A Web-Based Modem

พฤ, 10/19/2017 - 12:00

If you are beyond a certain age, you will recall when getting on the Internet was preceded by strange buzzing and squawking noises. Modems used tones to transmit and receive data across ordinary telephone lines. There were lots of tricks used to keep edging the speed of modem up until — at the end — you could download (but not upload) at a blazing 56,000 bits per second. [Martin Kirkholt Melhus] decided to recreate a modem. In a Web browser. No kidding.

We started to say something about a modem in the cloud, but that wouldn’t really be accurate. The modem uses the HTML 5 audio API, so it really runs in the browser. We would have been really surprised if [Martin] had cooked up a modem able to interact with a real modem, but as you might expect, the browser modem only communicates with other instances of itself. If you want a brief introduction to HTML 5 audio, you might enjoy the video below.

Still, the work is impressive and if you look at the code on GitHub, it isn’t as complicated as you’d expect. You can also check out a live demo. The tones reminded us of some of the multitone encodings that ham radio operators use, such as MFSK.

Although this might not be of great practical value for most people, it did make us think. A secure air-gapped computer with a speaker could broadcast out data using something like this with no more than a web page exploit. We wonder if you could shift the tones up high enough that most people couldn’t hear it? If you want to pull off a similar trick with an Arduino on one side, you can.

We covered how modem technology drove the modern phone landscape way back when. Of course, these days, a modem is more likely to connect to the Internet than the phone lines.


Filed under: internet hacks

Motion Activated Super-Squirter Stands Guard

พฤ, 10/19/2017 - 09:01

Thieves beware. If you prowl around [Matthew Gaber]’s place, you get soaked by his motion activated super-squirter. Even if he’s not at home, he can aim and fire it remotely using an iPhone app. And for the record, a camera saves photos of your wetted-self to an SD card.

ESPino, ArduCAM UNO and voltage converter boards

The whole security system is handled by three subsystems for target acquisition, photo documentation, and communications. The first subsystem is centered around an ESPino which utilizes a PIR sensor to detect motion. It then turns on a windscreen washer pump and uses pan and tilt servos to squirt water in a pattern toward the victim.

The target acquisition hardware also sends a message to the second subsystem, an ArduCAM ESP8266 UNO board. It takes a burst of photos using an ArduCAM Mini Camera mounted beside the squirter outlet. The UNO can also serve up a webpage with a collection of the photos.

The final subsystem is an iPhone app which talks to both the ESPino and the UNO board. It can remotely control the squirter and provide a video feed of what the camera sees.

One detail of the build we really enjoyed is the vacuum relief valve he fabricated himself. It prevents siphoning through the pump when it’s not on. Don’t miss a demo of the squirter in action after the break.

Automatic soaking seems to be a thing here on Hackaday. [Ashish]’s motion sensing water gun not only soaks his officemates but also tweets photos of its exploits. And [Austin Shaf] keeps his soaker hidden and triggers it remotely via wireless.


Filed under: misc hacks

Hassle-Free Classical Conditioning for Honey Bees

พฤ, 10/19/2017 - 06:00

When you’re sick or have a headache, you tend to see things a bit differently. An ill-feeling human will display a cognitive bias and expect the world to punish them further. The same is true of honey bees. They are intelligent creatures that exhibit a variety of life skills, such as decision-making and learning.

It was proven back in 2011 that honey bees will make more pessimistic decisions after being shaken in a way that simulates an attack by varroa destructor mites. The bees were trained to associate a reward of sugar-water with a particular odor and to associate foul-tasting punishment water with another odor—that of formic acid, a common treatment against varroa mites. When a third stimulus created by mixing the two odors was presented, the experimenters found that the aggravated bees were more likely to expect the bad odor. Sure enough, they kept their tongues in their mouths when they smelled the third odor. All the bees that weren’t shaken looked forward to sucking down a bit of sugar-water.

So, how does one judge a honey bee’s response? Whenever their antennae come in contact with something appetizing, they stick out their proboscis involuntarily to have a taste. This is called proboscis extension reflex (PER), and it’s the ingrained, day-one behavior that leads them to suck the nectar out of flower blossoms and regurgitate it to make honey.

[LJohann] is a behavioral biologist who wanted to test the effects of varroa mite treatment on bee-havior by itself, without agitating the bees. He built a testing apparatus to pump odors toward bees and judge their response which is shown in a few brief demo videos after the break. This device enables [LJohann] to restrain a bee, tantalize its antennae with sucrose, and pump a stimulus odor at its face on the cue of an LED and piezo buzzer. A fan mounted behind the bee helps clear the air of the previous scents. We especially like the use of a servo to swing the tube in and out of the bee’s face between tests.

[LJohann] and his colleagues concluded that the varroa mite treatment by itself does not make the bees pessimistic. This is great news for concerned apiarists who might be skeptical about using formic acid in the fight against the honey bee’s worst predator. Check out the brief demo videos after the break.

Hackaday has long been abuzz about bees whether they produce honey or not. We’ve covered many kinds of sweet projects like intelligent hives, remote hive weight monitoring, and man-made bee nest alternatives.


Filed under: Arduino Hacks

Exploiting Weak Crypto on Car Key Fobs

พฤ, 10/19/2017 - 03:00

[tomwimmenhove] has found a vulnerability in the cryptographic algorithm that is used by certain Subaru key fobs and he has open-sourced the software that drives this exploit. All you need to open your Subaru is a RasPi and a DVB-T dongle, so you could complain that sharing this software equates to giving out master keys to potential car thieves. On the other hand, this only works for a limited number of older models from a single manufacturer — it’s lacking in compatibility and affordability when compared to the proverbial brick.

This hack is much more useful as a case study than a brick is, however, and [tomwimmenhove]’s work points out some bad design on the manufacturer’s side and as such can help you to avoid these kind of mistakes. The problem of predictable keys got great treatment in the comments of our post about an encryption scheme for devices low in power and memory, for instance.

Those of you interested in digital signal processing may also want to take a look at his code, where he implements filtering, demodulation and decoding of the key fob’s signal. The transmission side is handled by rpitx and attacks against unencrypted communications with this kind of setup have been shown here before. There’s a lot going on here that’s much more interesting than stealing cars.

[Via Bleeping Computer]


Filed under: car hacks, security hacks

Hackaday Prize Entry: Unlock Your PC The RFID Way

พฤ, 10/19/2017 - 01:30

Sometimes we see projects whose name describes very well what is being achieved, without conveying the extra useful dimension they also deliver. So it is with [Prasanth KS]’s Windows PC Lock/Unlock Using RFID. On the face of it this is a project for unlocking a Windows PC, but when you sit down and read through it you discover a rather useful primer for complete RFID newbies on how to put together an RFID project. Even the target doesn’t do it justice, there is no reason why this couldn’t be used with any other of the popular PC operating systems besides Windows.

The project takes an MRFC-522 RFID module and explains how to interface it to an Arduino. In this case the Arduino in question is an Arduino Pro Micro chosen for its ability to be a USB host. The supplied code behaves as a keyboard, sending the keystroke sequence to the computer required to unlock it. The whole is mounted in what seems to be a 3D printed enclosure, and for ease of use the guts of the RFID tag have been mounted in a ring.

As we said above though, the point of this project stretches beyond a mere PC unlocker. Any straightforward RFID task could use this as a basis, and if USB is not a requirement then it could easily use a more run-of-the-mill Arduino. If you’re an RFID newbie, give it a read.

Plenty of RFID projects have made it here before, such as this door lock. And we’ve had another tag in a ring, too.

The HackadayPrize2017 is Sponsored by:
Filed under: Arduino Hacks, The Hackaday Prize

Retrotechtacular: Weather Station Kurt

พฤ, 10/19/2017 - 00:01

Sometimes when researching one Hackaday story we as writers stumble upon the one train of thought that leads to another. So it was with a recent look at an unmanned weather station buoy from the 1960s, which took us on a link to a much earlier automated weather station.

The restored Kurt in the Canadian National War Museum.

Weather Station Kurt was the only successful installation among a bold attempt by the German military during the Second World War to gain automated real-time meteorological data from the Western side of the Atlantic. Behind that simple sentence hides an extremely impressive technical and military achievement for its day. This was the only land-based armed incursion onto the North American continent by the German military during the entire war. Surrounded as it was though by secrecy, and taking place without conflict in an extremely remote part of Northern Labrador, it passed unnoticed by the Canadian authorities and was soon forgotten as an unimportant footnote in the wider conflagration.

Kurt took the form of a series of canisters containing a large quantity of nickel-cadmium batteries, meteorological instruments, a telemetry system, and a 150W high frequency transmitter. In addition there was a mast carrying wind speed and direction instruments, and the transmitting antenna. In use it was to have provided vital advance warning of weather fronts from the Western Atlantic as they proceeded towards the European theatre of war, the establishment of a manned station on enemy territory being too hazardous.

A small number of these automated weather stations were constructed by Siemens in 1943, and it was one of them which was dispatched in the U-boat U537 for installation on the remote Atlantic coast of what is now part of modern-day Canada. In late October 1943 they succeeded in that task after a hazardous trans-Atlantic voyage, leaving the station bearing the markings of the non-existent “Canadian Meteor Service” in an attempt to deceive anybody who might chance upon it. In the event it was not until 1977 that it was spotted by a geologist, and in 1981 it was retrieved and taken to the Canadian War Museum.

There is frustratingly little information to be found on the exact workings on the telemetry system, save that it made a transmission every few hours on 3940kHz. A Google Books result mentions that the transmission was encoded in Morse code using the enigmatic Graw’s Diaphragm, a “sophisticated contact drum” named after a Dr. [Graw], from Berlin. It’s a forgotten piece of technology that defies our Google-fu in 2017, but it must in effect have been something of a mechanical analogue-to-digital converter.

Should you happen to be visiting the Canadian capital, you can see Kurt on display in the Canadian War Museum. It appears to have been extensively restored from the rusty state it appears in the photograph taken during its retrieval, it would be interesting to know whether anything remains of the Graw’s Diaphragm. Do any readers know how this part of the station worked? Please let us know in the comments.

Weather station Kurt retrieval image, Canadian National Archives. (Public domain).

Weather station Kurt in museum image, SimonP (Public domain).


Filed under: History, Retrotechtacular

Friday Hack Chat: Energy Harvesting

พุธ, 10/18/2017 - 23:00

Think about an Internet-connected device that never needs charging, never plugs into an outlet, and will never run out of power. With just a small solar cell, an Internet of Thing module can run for decades. This is the promise of energy harvesting, and it opens the doors to a lot of interesting questions.

Joining us for this week’s Hack Chat will be [John Tillema], CTO and co-founder of TWTG. They’re working on removing batteries completely from the IoT equation. They have a small device that operates on just 200 lux — the same amount of light that can be found on a desktop. That’s a device that can connect to the Internet without batteries, wall warts, or the black magic wizardry of RF harvesting. How do you design a device that will run for a century? Are caps even rated for that? Are you really going to download firmware updates several decades down the line?

For this week’s Hack Chat, we’ll be discussing what energy harvesting actually is, what TWTG’s ‘light energy’ technology is all about, and the capabilities of this technology. Going further, we’ll be discussing how to design a circuit for low-power usage, how to select components that will last for decades, and how to measure and test the entire system so it lives up to the promise of being always on, forever, without needing a new battery.

This is a community Hack Chat, so of course we’ll be taking questions from the community. If you have a question, add it to the discussion sheet

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. This Hack Chat will be going down noon, Pacific time on Friday, October 20th. Is it always five o’clock somewhere? Yes, so here’s a time zone converter!

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.


Filed under: Hackaday Columns

About That Giant Robot Battle Last Night

พุธ, 10/18/2017 - 22:00

Two years ago we wrote about a giant robot battle between the USA and Japan. After two years in the making, MegaBots (team USA) and Suidobashi (team Japan) were finally ready for the first giant robot fight. If you are into battle bots, you probably did not miss the fight that happened around 7:00 pm PST. If you missed it, you can watch the whole thing here.

There were two duels. First it was Iron Glory (MkII) vs. Kuratas, and after that it was Eagle Prime (MkIII) vs. Kuratas.

Be warned, spoilers ahead.

Or not that much. The first combat ended in 30 seconds or so, with the heavier Kuratas knocking Iron Glory to the ground in one punch. That was all it took, and it was a bit disappointing. The second combat had a bit more action, the robots actually got stuck in each other and, as per rules, had to be restarted. A kind of “go to the corners” as in boxing. There were some interesting surprises like Kuratas launching a drone, and Eagle Prime showing off a 4 foot, 40 hp chainsaw. In the end, Eagle Prime’s superior weight and weaponry grabbed the victory.

The heavily edited video of the fight left some viewers slightly disappointed. But if you think about it, there were actual humans inside the robots, and that alone had to limit a lot on the potential action. For example, they fired giant paint balls at each other instead of explosive rockets. Even in smaller battle bots there are limitations about weapons, and that makes sense. If you are building a giant, metallic, ground vessel to win a fight with no weapons limitations, well, it’s already built, and it is called a tank. So we’ll take paint balls and theatricality.

All in all, the robots were huge feats of engineering and are awesome to see in action. This was only the first giant robot battle, lets hope there are more to come. Here is a short version of the event with the battles included:


Filed under: news, robots hacks

Practical Public Key Cryptography

พุธ, 10/18/2017 - 21:01

Encryption is one of the pillars of modern-day communications. You have devices that use encryption all the time, even if you are not aware of it. There are so many applications and systems using it that it’s hard to begin enumerating them. Ranging from satellite television to your mobile phone, from smart power meters to your car keys, from your wireless router to your browser, and from your Visa to your Bitcoins — the list is endless.

One of the great breakthroughs in the history of encryption was the invention of public key cryptography or asymmetrical cryptography in the 70’s. For centuries traditional cryptography methods were used, where some secret key or scheme had to be agreed and shared between the sender and the receiver of an encrypted message.

Asymmetric cryptography changed that. Today you can send an encrypted message to anyone. This is accomplished by the use of a pair of keys: one public key and one private key. The key properties are such that when something is encrypted with the public key, only the private key can decrypt it and vice-versa. In practice, this is usually implemented based on mathematical problems that admit no efficient solution like certain integer factorization, discrete logarithm and elliptic curve relationships.

But the game changer is that the public key doesn’t have to be kept secret. This allows cryptography to be used for authentication — proving who someone is — as well as for encryption, without requiring you to have previously exchanged secrets. In this article, I’ll get into the details of how to set yourself up so that anyone in the world is able to send you an e-mail that only you can read.

Public Key Cryptography in a Nutshell

But first, how does it work in theory? Let’s say that Alice wants to talk to Bob. (Yes, it’s Alice and Bob again.) Alice and Bob generate their respective pair of keys. They tell the whole world about their public keys, including one another. Alice can now use Bob’s public key to encrypt a message that only Bob can read — only Bob’s private key can decrypt the message and, as the name implies, it should be kept private and known only to Bob.

Imagine Alice wants to send the world (or Bob) an important message, and prove that it comes from her? In the times we live in, how could we make sure the message Alice claims to have sent is not a fake? Well, Alice uses her own private key to encrypt her important message. The world just has to use Alice public key to decrypt the message, since it is the only way to decrypt it and only the person with Alice private key could have encrypted it, hence proving that it was Alice that wrote that message.

Let’s Get Alice Started

So, assuming Alice has GPG installed, she would start by creating her own public/private key pair:

alice@wonderland ~ $ gpg --gen-key gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) Y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>" Real name: Alice Email address: alice@wonderland.xyz Comment: Mushroom You selected this USER-ID: "Alice (Mushroom) <alice@wonderland.xyz>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. ... public and secret key created and signed. pub 2048R/96FE8CE5 2017-10-13 Key fingerprint = B5FF 1BE3 4502 F425 A444 D6EC FBEC 78AE 96FE 8CE5 uid Alice (Mushroom) <alice@wonderland.xyz> sub 2048R/76E5C437 2017-10-13

Depending on Alice’s needs, setting up key expiration might be a good idea. After this command, it is a good idea to export and store a copy of the keys somewhere safe, ideally with redundancy. She can, for example, store a copy in a USB drive and print a hardcopy and put it in a safe.

alice@wonderland ~ $ gpg --export-secret-key alice@wonderland.xyz > ./alice-gpg-backup.gpg alice@wonderland ~ $ gpg --export-secret-key -a alice@wonderland.xyz -----BEGIN PGP PRIVATE KEY BLOCK----- Version: GnuPG v1 lQPGBFngvxUBCADNVg9j2iNv3FuzscUOe9oZqP0xCk8p9s+ApIDTqD6vZFkXLpYs... -----END PGP PRIVATE KEY BLOCK-----

The above commands perform a backup and outputs an ASCII version of the private key, suitable for printing. The private key implementation of OpenPGP actually contains a complete copy of the public key, so this backup file is enough to recover the key pair. Restoring the backup is done with the --import flag.

Tell The World Who You Are

Now that Alice has her key, it’s time to tell the world about it. There are several ways to do it. On the command line:

alice@wonderland ~ $ gpg --list-public-keys /home/alice/.gnupg/pubring.gpg ------------------------------ pub 2048R/96FE8CE5 2017-10-13 uid Alice (Mushroom) <alice@wonderland.xyz> sub 2048R/76E5C437 2017-10-13 alice@wonderland ~ $ gpg --send-keys 96FE8CE5 gpg: sending key 96FE8CE5 to hkp server keys.gnupg.net alice@wonderland ~ $ gpg --search-keys 96FE8CE5 gpg: searching for "0x96FE8CE5" from hkp server keys.gnupg.net (1) Alice (Mushroom) <alice@wonderland.xyz> 2048 bit RSA key 96FE8CE5, created: 2017-10-13 Keys 1-1 of 1 for "0x96FE8CE5". Enter number(s), N)ext, or Q)uit > q

This way, Alice just published her key in a known OpenPGP Key server, accessible to anyone. (keys.gnupg.net is the default on my distro.) There are several key servers available to publish public keys, some of them are synchronized. I like to use pgp.mit.edu. Another option is to export the public key with the --export flag and sent it via email and/or manually publish it in several servers — the more the better. Now Alice can digitally sign her messages and receive encrypted messages directed to her. Lets see an example:

alice@wonderland ~ $ echo "This is a test file" > file.txt alice@wonderland ~ $ gpg --detach-sign file.txt You need a passphrase to unlock the secret key for user: "Alice (Mushroom) <alice@wonderland.xyz>" 2048-bit RSA key, ID 96FE8CE5, created 2017-10-13 alice@wonderland ~ $ ls -l file* -rw-rw-r-- 1 alice alice 37 Out 13 15:56 file.txt -rw-rw-r-- 1 alice alice 287 Out 13 15:56 file.txt.sig alice@wonderland ~ $ gpg --verify file.txt.sig gpg: assuming signed data in `file.txt' gpg: Signature made Sex 13 Out 2017 15:56:23 WEST using RSA key ID 96FE8CE5 gpg: Good signature from "Alice (Mushroom) <alice@wonderland.xyz>" alice@wonderland ~ $ echo "The file contents have been tampered" > file.txt alice@wonderland ~ $ gpg --verify file.txt.sig gpg: assuming signed data in `file.txt' gpg: Signature made 13 Out 2017 15:56:23 WEST using RSA key ID 96FE8CE5 gpg: BAD signature from "Alice (Mushroom) <alice@wonderland.xyz>"

When Alice wishes to shared file.txt she also shares file.txt.sig so that anyone can verify her signature. So Alice can sign but before she can send Bob a message, Bob must also have a key pair and publish his public key somewhere or sent it to Alice. Lets assume Bob already did it and Alice imported Bob’s public key into GPG, either with the --import flag or --recv-keys from a server. If Alice wants to send Bob a message she would issue the following commands:

alice@wonderland ~ $ gpg --import bob.asc gpg: key 81DBD5F6: public key "Robert (Nope) <bob@whatdoesthebobsay.xyz>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) alice@wonderland ~ $ gpg --list-public-keys /home/alice/.gnupg/pubring.gpg ------------------------------ pub 2048R/96FE8CE5 2017-10-13 uid Alice (Mushroom) <alice@wonderland.xyz> sub 2048R/76E5C437 2017-10-13 pub 2048R/81DBD5F6 2017-10-13 uid Robert (Nope) <bob@whatdoesthebobsay.xyz> sub 2048R/21B662BE 2017-10-13 alice@wonderland ~ $ echo "This is a secret message to Bob" > message.txt alice@wonderland ~ $ ls -l message* -rw-rw-r-- 1 alice alice 32 Out 13 16:25 message.txt alice@wonderland ~ $ gpg -r bob@whatdoesthebobsay.xyz --sign --encrypt message.txt You need a passphrase to unlock the secret key for user: "Alice (Mushroom) <alice@wonderland.xyz>" 2048-bit RSA key, ID 96FE8CE5, created 2017-10-13 gpg: gpg-agent is not available in this session gpg: 21B662BE: There is no assurance this key belongs to the named user pub 2048R/21B662BE 2017-10-13 Robert (Nope) <bob@whatdoesthebobsay.xyz> Primary key fingerprint: 1558 11B0 C87D 0E02 1C8B 304F 4982 D1D3 81DB D5F6 Subkey fingerprint: 6CC7 BC9C D69E 9465 78E4 53E3 A931 7A64 21B6 62BE It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y alice@wonderland ~ $ ls -l message* -rw-rw-r-- 1 alice alice 32 Out 13 16:25 message.txt -rw-rw-r-- 1 alice alice 678 Out 13 16:25 message.txt.gpg

This would encrypt message.txt with Bob’s public key and sign the file using Alice private key. Now Alice can send Bob the file message.txt.gpg and not only is Bob the only person able to decrypt it, he can also verify that it came from Alice as long as he has Alice’s public key. Let’s see what Bob would have to do:

bob@whatdoesthebobsay ~ $ gpg --import alice-public-key.asc gpg: key 96FE8CE5: public key "Alice (Mushroom) <alice@wonderland.xyz>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) bob@whatdoesthebobsay ~ $ gpg --decrypt message.txt.gpg You need a passphrase to unlock the secret key for user: "Robert (Nope) <bob@whatdoesthebobsay.xyz>" 2048-bit RSA key, ID 21B662BE, created 2017-10-13 (main key ID 81DBD5F6) gpg: encrypted with 2048-bit RSA key, ID 21B662BE, created 2017-10-13 "Robert (Nope) <bob@whatdoesthebobsay.xyz>" This is a secret message to Bob gpg: Signature made Sex 13 Out 2017 16:19:51 WEST using RSA key ID 96FE8CE5 gpg: Good signature from "Alice (Mushroom) <alice@wonderland.xyz>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: B5FF 1BE3 4502 F425 A444 D6EC FBEC 78AE 96FE 8CE5 Who Can You Trust?

You might have notice the WARNING message saying that Alice key is not certified with a trusted signature and there is no indication that the signature belongs to her. If Bob knows for sure that Alice key is from Alice, he can sign it and GPG will see it as trusted.

bob@whatdoesthebobsay ~ $ gpg --edit-key alice@wonderland.xyz sign pub 2048R/96FE8CE5 created: 2017-10-13 expires: never usage: SC trust: undefined validity: unknown sub 2048R/76E5C437 created: 2017-10-13 expires: never usage: E [ unknown] (1). Alice (Mushroom) <alice@wonderland.xyz> pub 2048R/96FE8CE5 created: 2017-10-13 expires: never usage: SC trust: undefined validity: unknown Primary key fingerprint: B5FF 1BE3 4502 F425 A444 D6EC FBEC 78AE 96FE 8CE5 Alice (Mushroom) <alice@wonderland.xyz> Are you sure that you want to sign this key with your key "Robert (Nope) <bob@whatdoesthebobsay.xyz>" (81DBD5F6) Really sign? (y/N) y You need a passphrase to unlock the secret key for user: "Robert (Nope) <bob@whatdoesthebobsay.xyz>" 2048-bit RSA key, ID 81DBD5F6, created 2017-10-13 gpg> save bob@whatdoesthebobsay ~ $ gpg --decrypt message.txt.gpg You need a passphrase to unlock the secret key for user: "Robert (Nope) <bob@whatdoesthebobsay.xyz>" 2048-bit RSA key, ID 21B662BE, created 2017-10-13 (main key ID 81DBD5F6) gpg: encrypted with 2048-bit RSA key, ID 21B662BE, created 2017-10-13 "Robert (Nope) <bob@whatdoesthebobsay.xyz>" This is a secret message to Bob gpg: Signature made Sex 13 Out 2017 16:19:51 WEST using RSA key ID 96FE8CE5 gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 8 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 8u gpg: depth: 1 valid: 2 signed: 0 trust: 1-, 1q, 0n, 0m, 0f, 0u gpg: next trustdb check due at 2019-03-19 gpg: Good signature from "Alice (Mushroom) <alice@wonderland.xyz>"

The warning will disappear. But why was there a warning? So far, someone sent an email claiming to have Alice’s public key, but how does Bob know it is the Alice that he knows? Or that the initial public key exchange was not intercepted? Even though public key cryptography eliminated the need to distribute secret keys, public keys have to be distributed to others with whom they want to communicate, and if the encryption is also used for authentication, the provenance of the public keys is important.

So what are Bob’s options? Bob can meet Alice face to face where she guarantees him that her key (or her key fingerprint) is correct, and Bob can mark it as trusted by signing it as in the above example. Sometimes it is impossible to meet face to face or you are talking with someone you don’t actually know. Bob can alternately choose to trust a particular key server, which is usually quite secure. If Bob does not want to choose to trust any key server, there is another way.

The Web of Trust

GnuPG addresses this problem with a mechanism known as the web of trust. In the web of trust model, responsibility for validating public keys is delegated to people you trust. This is different from normal public key infrastructure (PKI) approach since PKI permits each certificate to be signed only by a single party: a certificate authority (CA). By contrast, OpenPGP identity certificates (which include public key(s) and owner information) can be digitally signed by other users who, by signing, acknowledge the association of that public key with the person listed in the certificate.

There are even events, known as key signing parties, where users gather with their keys and identity documents and sign each other keys. Basically, as more people sign a key, the more sure you can be that the key is from who it claims to be.

I Take It All Back

On a last note, it might be a good idea for Alice to create a revocation certificate. A revocation certificate can be used if and when Alice loses her key or she believes the key was compromised. It is published to notify others that the public key should no longer be used. A revoked public key can still be used to verify signatures made by Alice in the past, but it cannot be used to encrypt future messages to Alice. It also does not affect the ability to decrypt messages sent to Alice in the past if she still has the key.

alice@wonderland ~ $ gpg -a --gen-revoke alice@wonderland.xyz sec 2048R/96FE8CE5 2017-10-13 Alice (Mushroom) <alice@wonderland.xyz> Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision? 0 Enter an optional description; end it with an empty line: > revoke! > Reason for revocation: No reason specified revoke! Is this okay? (y/N) y You need a passphrase to unlock the secret key for user: "Alice (Mushroom) <alice@wonderland.xyz>" 2048-bit RSA key, ID 96FE8CE5, created 2017-10-13 Revocation certificate created. Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. As with the private key, it is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: the print system of your machine might store the data and make it available to others! -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 Comment: A revocation certificate should follow iQEmBCABAgAQBQJZ5N6XCR0AcmV2b2tlIQAKCRD77Hiulv6M5XnuB/41jjJCVx/S ... -----END PGP PUBLIC KEY BLOCK-----

The above code demonstrates how to generate a revocation certificate.

“This is too confusing!”

I get that. I do. Users don’t want to be encrypting stuff via the command line and worry about certificates and trust models. It might seem a bit overwhelming at first but luckily there are easy to use software solutions available to the end-user that solve your basic public key cryptography needs. It’s an extensive list and I’m pretty sure our readers have plenty of suggestions depending on your internet use and operating system. Let’s hear them in the comments!

For example, to secure emails, there are several options. If you use Thunderbird, you can install Enigmail. It should work on Linux, Windows, Mac and SunOS/Solaris. For Outlook users, look for gpg4o or gpg4win. Apple Mail has GPGTools. Android has K9 and R2Mail2 while iOS has iPGMail. If you don’t use a specific email client but use webmail instead, you are not left out, you can try Mailvelope. Mailvelope is an extension for Chrome and Firefox that implements OpenPGP and works over your regular webmail client.

Regarding email encryption, you can see that there is a lot to choose from. There is probably a OpenPGP implementation available to your email client of choice, it’s a matter of choosing a solution for a software that you are already accustomed and start from there. So if you don’t use encryption yet, what is your excuse now?

Go and create your key pair, share it with the world! And do it now, before the next revolution in cryptography, quantum computing, kills it all.


Filed under: Featured, Interest, security hacks

Rescuing An Antique Saw Set

พุธ, 10/18/2017 - 18:00

Who doesn’t like old tools? Even if they aren’t practical to use for production, plenty of old tools still have a life to offer the hobbyist or home worker.  Some tools might seem a bit too far gone – due to age, rust, or practicality, to use. That’s where [Hand Tool Rescue] comes in. [HTR] finds rusty, dirty old tools, and brings them back to life. Sometimes they’re practical tools, other times, they’re a bit out there. In a recent video, he restored a BeMaCo automatic saw set from the 1940’s. Saw sets are tools which bend each tooth of a saw blade slightly. Typically they are pliers-like devices.

The slight bend of each tooth on the blade widens the saw’s kerf and prevents binding. Typically these tools are pliers-like devices. The BeMaCo set is something else — it pulls the blade through tooth by tooth, while a spring-loaded head pecks away, bending each tooth. It’s something Rube Goldberg would have loved.

[HTR’s] filming style borrows a lot from [Jimmy DiResta], who we’ve covered here before. There are no words, and most of the video is sped up. Even with the fast video, [HTR] probably has many hours of footage to pare down to a 20-minute video.

The restoration begins with tearing the saw set apart. Every nut and bolt is removed. All the parts are cleaned, chemically de-rusted, and wire-wheeled. Even the motor is torn down, cleaned, and wired up. Then come the re-assembly. [HTR] gets every piece back in its proper place. We’re wondering how many times he had to refer to the teardown video to get everything right. Finally, the saw is complete — ready for another 70 years of work.


Filed under: tool hacks

Testing Brushless Motors with a Scope (or a Meter)

พุธ, 10/18/2017 - 15:00

Brushless motors have a lot of advantages over traditional brushed motors. However, testing them can be a bit of a pain. Because the resistance of the motor’s coils is usually very low, a standard resistance check isn’t likely to be useful. Some people use LC meters, but those aren’t as common as a multimeter or oscilloscope. [Nils Rohwer] put out two videos — one two years ago and one recently — showing how to test a brushless motor with a multimeter or scope. Oh, you do need one other thing: a drill.

You don’t have to drill into the motor, instead you use the drill to spin the motor’s shaft. Since a motor and a generator are about the same thing, you can read the voltages produced by the spinning motor and determine if it is good or not. The first video shows the technique and the second, more recent video shows a scope reading a bad motor. You can see both videos, below.

In the second video, you’ll see that a pair of coils have shorted — probably due to a failure of the insulation, perhaps due to heat — and are putting out about 1/10 of the voltage a good coil produces. In the end, he opened the faulty motor and looks at the suspect coils, even though there wasn’t much to see visually.

We’ve seen working brushless motors used as encoders. You can even build your own brushless motor demonstration, or opt for a more practical design.


Filed under: tool hacks

Control System Fundamentals by Video

พุธ, 10/18/2017 - 12:00

If you’ve had the classic engineering education, you probably have a hazy recollection of someone talking about control theory. If you haven’t, you’ve probably at least heard of PID controllers and open loop vs closed loop control. If you don’t know about control theory or even if you just want a refresher, [Brian Douglas] has an excellent set of nearly 50 video lectures that will give you a great introduction to the topic. You can watch the first lecture, below.

You might think that control systems are only useful in electronics when you are trying to control a process like a chemical plant or a temperature. However, control theory shows up in a surprising number of places from filters to oscillators, to the automatic gain control in a receiver. You’ll find the background behind many familiar results inside control theory. Sort of like when you take calculus and you discover how they came up with all the formulas you memorized in geometry.

The presentation style of these videos is good. The first sets of topics are necessarily abstract, but later videos in the series show a robotic vehicle using tracks and an Arduino, a MEMS gyro, and how to land on a planet. If you don’t think control systems are everywhere, consider an example we use when talking to school kids: a toilet. A very simple and very common closed loop control system. Even [Bill Gates] and Caltech agree. Although, honestly, we don’t know what constitutes an “aspirational toileting experience.”

We’ve done our own series on this topic, but not using video. We’ve covered PID-controlled projects ranging from drones to soldering irons.


Filed under: how-to

Sacrificial Bridge Avoids 3D Printed Supports

พุธ, 10/18/2017 - 09:00

[Tommy] shares a simple 3D printing design tip that will be self-evident to some, but a bit of a revelation to others: the concept of a sacrificial bridge to avoid awkward support structures. In the picture shown, the black 3D print has small bridges and each bridge has a hole. The purpose of these bits is to hold a hex nut captive in the area under the bridge; a bolt goes in through the round hole in the top.

Readers familiar with 3D printing will see right away that printing the bridges might be a problem. When a printer gets to the first layer of the bridge, it will be trying to lay filament in empty space. By itself this is not usually a problem as long as a bridge is short, flat, and featureless. Unfortunately this bridge has a hole in it, and that hole means the printer will be trying to draw circles in mid-air, rather than simply stretching filament point-to-point across a gap. One solution would be to add a small amount of support structure, but that just moves the problem. Removing small supports from enclosed spaces can be a real hassle.

To solve this [Tommy] added what he calls a “sacrificial bridge”, shown as blue in the CAD image. He essentially gives the hole a flat bottom, so that the printer first lays down a thin but solid bridge as a foundation. Then, the portion with the round hole is printed on top of that. With this small design change, the print becomes much more reliable with no support structure required.

There is a bit of post-work involved since each hole needs to be drilled out to punch through the thin sacrificial bridge underneath, but it definitely beats digging out little bits of support structure instead.


Filed under: 3d Printer hacks

Click Your Heels Thrice, Hail a Cab Home

พุธ, 10/18/2017 - 06:00

If Dorothy from The Wizard of Oz were to wake up in 2017, with her magic Ruby Slippers on her feet, she’d probably believe she had woken up in a magical world. But modern folks will need a little more magic to impress them. Like Clicking your heels thrice to get home with these Uber ruby slippers. [Hannah Joshua] was tasked by her employer to build a quirky maker project. She got an idea when a friend complained about having trouble hailing a cab at the end of a hard day at work.

[Hannah] started with ruby colored slippers with a platform toe and high heels to allow space to stuff in all the magic dust, err, electronic bits. The initial plan was to use an Arduino with a GSM/GPS shield but that would have needed a separate SIM card and data plan for the shoes. Instead, she opted for the 1Sheeld which connects to a smart phone over Bluetooth. The 1Sheeld gets access to all of the smart phone’s sensors including the GPS as well as the data connection. The Arduino and 1Sheeld are put in a cavity carved out in the toe section. The 9 V battery goes inside another cavity in the heel, where an activation switch is also installed. Three LED’s indicate when the shoe is active, the cab request is accepted, and when the cab is on its way.

The code is basic since this one of her first Arduino projects, but it gets the job done. It sends an http request to Uber’s API to request a cab. The destination is hard-coded, so the slippers only allow you to get from your current location to whatever destination is programmed. The GitHub repository provides code, as well as some additional information on construction. [Hannah] has also added notes explaining some of the design choices and things to take care about if you plan to build one of these magic slippers.

We covered the 1Sheeld when it was introduced several years back, and if you get your hands on one, try building this Hand Waving Door Unlocker.

 


Filed under: Arduino Hacks

Spare RPi? You Have a Currency Trading Platform

พุธ, 10/18/2017 - 03:00

While Bitcoin and other altcoins are all the rage these days, there is still a lot of activity in the traditional currency exchanges. Believe it or not, there’s money to be made there as well, although it rarely makes fanciful news stories like cryptocurrency has been. Traditional currency trading can be done similar to picking stocks, but if you’d rather automate your particular trading algorithm you can set up a Raspberry Pi to make money by trading money.

This particular project by [dmitry] trades currency on the Forex exchange using an already-existing currency trading software package called MetaTrader. This isn’t an ARM-compatible software suite though, so some auxiliary programs (Wine and ExaGear Desktop) need to be installed to get it working properly. From there, its easy enough to start trading in government-backed currency while reaping all of the low-power-usage benefits that the Pi offers.

[dmitry] does note that you can easily use MetaTrader on a standard laptop, but you might be tempted to go against your trading algorithms and even then you won’t be reaping the power benefits of the ARM processor. We don’t see too many traditional currency or stock trading tips around here, but don’t forget that it’s still possible to mine some types of cryptocurrency even if BitCoin is out of reach of most now.


Filed under: Raspberry Pi

Hackaday Prize Entry: Playing With USB Power Delivery

พุธ, 10/18/2017 - 01:30

USB Power Delivery is the technology that’s able to pump 100 Watts down a USB cable. It’s been around for half a decade now, but only in the last few years have devices and power supplies supporting USB PD shown up on the market. This is a really interesting technology, and we can’t wait to see the outcome of people messing around with five amps flowing through a cable they picked up at the dollar store, but where are the DIY solutions to futz around with USB PD?

For his Hackaday Prize entry, [Clayton] is doing just that. He’s built a tiny little power jack for USB PD that has a USB type-C plug on one end and a pair of screw terminals on the other. It’s the USB PD Buddy Sink, and once we find some cheap 100 Watt USB power adapters, this is going to be an invaluable tool.

Getting 100 Watts out of a USB charger is a bit more complex than just soldering a few wires together. The power delivery must be negotiated, and for that [Clayton] is using a simple, cheap STM32F0 ARM microcontroller. Plugging into a USB bus is a bit more complicated, but luckily On Semi has a neat little programmable USB Type-C controller PHY that does all the work. Throw in a few MOSFETS and other ancillary parts, and you have a simple, small 100 Watt power supply that plugs right into your new fancy laptop charger.

The design of the USB PD Buddy Sink is complete, and [Clayton] has a bunch of these on hand. He’s selling them on Tindie, but it’s also a great entry to the Hackaday Prize.

The HackadayPrize2017 is Sponsored by:
Filed under: The Hackaday Prize

Microsoft Bug Tracking Hacked

พุธ, 10/18/2017 - 00:00

It seems that the database containing descriptions of critical and unfixed bugs and/or vulnerabilities in some of the most widely used software in the world, including the Windows operating system, was hacked back in 2013. This database is basically gold for any security researcher, regardless of the color of their hat. To know which programs fail and the preconditions for that to happen is half an exploit right there.

Microsoft discovered the database breach in early 2013 after the highly skilled hacking group Morpho a.k.a. Butterfly a.k.a. Wild Neutron broke into computers at a number of major tech companies, including Apple, Facebook, and Twitter. The group exploited a flaw in the Java programming language to penetrate employees’ Apple Macintosh computers and then use them as pivots into the company internal network.

Official sources say that the Microsoft bug database was poorly protected, with access possible via little more than a password. Four years later, we have official confirmation that it happened. To measure the breach impact, Microsoft started a study to correlate the potential flaws in their databases and subsequent attacks. The study found that the flaws in the stolen database were actually used in cyber attacks, but Microsoft argued the hackers could have obtained the information elsewhere, and that there’s “no evidence that the stolen information had been used in those breaches.”

There is really no way to know besides asking the actual hacking group, which will most likely not happen… unless they are HaD readers, in this case they can feel free to comment.

[via Reuters]


Filed under: news

Bad RSA Library Leaves Millions of Keys Vulnerable

อังคาร, 10/17/2017 - 22:42

So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows for an attacker, via a Coppersmith’s attack, to compute the private key starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. Major vendors including Microsoft, Google, HP, Lenovo, and Fujitsu already released software updates and guidelines for mitigation.

The researchers found and analysed vulnerable keys in various domains including electronic citizen documents (750,000 Estonian identity cards), authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but could be up to two to three orders of magnitude higher.

Devices dating back to at least 2012 are affected, despite being NIST FIPS 140-2 and CC EAL 5+ certified.. The vulnerable chips were not necessarily sold directly by Infineon Technologies AG, as the chips can be embedded inside devices of other manufacturers.

The difficulty of the factorization attack is not the same for all key lengths and is NOT strictly increasing (some longer keys may take less time to factorize than other shorter ones). The following key length ranges are now considered practically factorizable (time complexity between hours to 1000 CPU years at maximum): 512 to 704 bits, 992 to 1216 bits and 1984 to 2144 bits. Note that 4096-bit RSA key is not practically factorizable now, but may become so, if the attack is improved.

The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):

  • 512 bit RSA keys – 2 CPU hours (the cost of $0.06);
  • 1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
  • 2048 bit RSA keys – 140.8 CPU years, (the cost of $20,000 – $40,000).

Keep in mind that these benchmarks are for a single CPU. For certain three-letter agencies one must assume the attacks take trivial time to complete. Then again, they probably already have your keys (citation needed).

Concerned users can test their public keys online or, maybe a better idea, offline by cloning the following GitHub repository. If using Linux flavors with pip, you can try the following to test your known public keys:

$ sudo pip install roca-detect $ gpg -a --export > /tmp/public && roca-detect /tmp/public 2017-10-17 14:10:33 [7869] INFO ### SUMMARY #################### 2017-10-17 14:10:33 [7869] INFO Records tested: 93 2017-10-17 14:10:33 [7869] INFO .. PEM certs: . . . 0 2017-10-17 14:10:33 [7869] INFO .. DER certs: . . . 0 2017-10-17 14:10:33 [7869] INFO .. RSA key files: . 0 2017-10-17 14:10:33 [7869] INFO .. PGP master keys: 1 2017-10-17 14:10:33 [7869] INFO .. PGP total keys: 102 2017-10-17 14:10:33 [7869] INFO .. SSH keys: . . . 0 2017-10-17 14:10:33 [7869] INFO .. APK keys: . . . 0 2017-10-17 14:10:33 [7869] INFO .. JSON keys: . . . 0 2017-10-17 14:10:33 [7869] INFO .. LDIFF certs: . . 0 2017-10-17 14:10:33 [7869] INFO .. JKS certs: . . . 0 2017-10-17 14:10:33 [7869] INFO .. PKCS7: . . . . . 0 2017-10-17 14:10:33 [7869] INFO No fingerprinted keys found (OK) 2017-10-17 14:10:33 [7869] INFO ################################

In this example, no vulnerable keys were found. Did you find one? If it is yours, it’s probably better to revoke and generate a new one. It seems 2017 keeps on giving us security pearls with each passing day. Yesterday we mourned the death of WPA2, but we’ve also seen SHA-1 broken, the Broadcom WiFi exploit in one billion smartphones (Broadpwn), a Bluetooth vuln that won’t be patched in around 40% of the devices, your credentials being cached in search engines, and we left several from this list.


Filed under: news, security hacks