[Jason Dookeran] reminded us of something we don’t like to think about. Your printer probably adds barely noticeable dots to everything you print. It does it on purpose, so that if you print something naughty, the good guys can figure out what printer it came from. This is the machine identification code and it has been around since the days that the US government feared that color copiers would allow wholesale counterfiting.
The technology dates back to Xerox and Canon devices from the mid-80s, but it was only publicly acknowledged in 2004. With color printers, the MIC — machine identification code — is a series of tiny yellow dots. Typically, each dock is about 10 microns across and spaced about a millimeter from each other. The pattern prints all over the page so that even a fragment of, say, a ransom note can be identified.
Apparently, printers use different encoding schemes, but reading the dots is usually done by scanning them under a blue light.
The EFF has an out-of-date list that identifies many printers that track. But they point out that some printers may use a different method, especially those that can’t print yellow. They also mention that it is likely that “all recent commercial color laser printers” print some kind of code.
If you want to check your printer, [Jason] points out an Instructable and a website that can decode common patterns.
While we can think of times we are glad people can figure out the origin of a death threat or a ransom note, we can also think of times when we would like whistleblowers or people with different opinions to be able to print things without fear of retribution. But either way, the technology is an interesting real-world example of steganography.
We prefer these yellow dots. Yellow steganography reminds us of turmeric.
Title image: “Yellow dots produced by an HP Color LaserJet CP1515n” CC BY-SA 3.0 by [Ianusisu].
As far as model construction sets go, LEGO is by far the most popular brand for building not only pre-planned models but whatever the builder can imagine. There are a few others out there though, some with some interesting features. Meccano (or Erector in North America) is a construction set based around parts that are largely metal including its fasteners, which allows for a different approach to building models than other systems including the easy addition of electricity. [Craig], a member of the London Meccano Club, is demonstrating his model Enigma machine using this system for all of its parts and adding some electricity to make the circuitry work as well.
The original Enigma machine was an electronic cypher used by the German military in World War 2 to send coded messages. For the time, its code was extremely hard to break, and led to the British development of the first programmable electronic digital computer to help decipher its coded messages. This model uses Meccano parts instead to recreate the function of the original machine, with a set of keys similar to a typewriter which, when pressed, advance a set of three wheels. The wheels all have wiring in them, and depending on their initial settings will light up a different character on a display.
There are a few modifications made to the design (besides the use of a completely different set of materials) but one of the main ones was eliminating the heavy leaf springs of the original for smaller and easier-to-manage coil springs, which are also part of the electrical system that creates the code. The final product recreates the original exceptionally faithfully, with plans to create a plugboard up next, and you can take a look at the inner workings of a complete original here.
Thanks to [Tim] for the tip!
There’s a popular Sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode“. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.
This week we see the resurrection of an ancient vulnerability in PHP-CGI, that allows injecting command line switches when a web server launches an instance of PHP-CGI. The solution was to block some characters in specific places in query strings, like a query string starting with a dash.
The bypass is due to a Windows feature, “Best-Fit”, an automatic down-convert from certain Unicode characters. This feature works on a per-locale basis, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen, which doesn’t get blocked by PHP, into a regular hyphen, which can trigger the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and PHP on Windows, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly.
The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.
The node references a malicious Python package that grabs browser data and sends it all to a Discord or Pastebin. It appears that some additional malware gets installed, for continuing access to infected systems. It’s a rough way to learn.
CVE-2024-5480 is a PyTorch flaw that allows PyTorch worker nodes to trigger arbitrary eval() calls on the master node. No authentication is required to add a PyTorch worker, so this is technically an unauthorized RCE, earning the CVSS of 10.0. Practically speaking it’s not that dire of a problem, as your PyTorch cluster shouldn’t be on the Internet to start with, and there’s no authentication as a design choice. It’s not clear the the PyTorch developers consider this a legitimate security vulnerability at all. It may or may not be fixed with version 2.3.
My least favorite term in infosec has to be “smishing”, a frankenword for SMS phishing. Cell phone carriers around the world are working hard to blocking spam messages, making smishing an impossible task. And that’s why it’s particularly interesting to hear about a bypass that a pair of criminals were using in London. The technical details are light, but the police reported a “homemade mobile antenna”, “illegitimate telephone mast”, and “text message blaster” as part of the seized kit. The initial report sounds like it may be a sort of reverse stingray, where messages are skipping the regular cellular infrastructure and are getting sent directly to nearby cell phones. Hopefully more information will be forthcoming soon.
The programmers at Zyxel apparently have a sense of humor, given the naming used for this mis-feature. Zyxel NAS units have a bit of magic code that writes a password for the new user, NsaRescueAngel, to the shadow password file. The SSH daemon is restarted, and upnp is fired off to request port forwarding from the outside world. One of the script names, possibly from a previous iteration, was open_back_door.sh, which seems to be sort of lampshading the whole thing.
It’s presumably intended to be a great troubleshooting tool, when a customer is stuck and needs help, to be able to visit a web url to enable remote access for a Zyxel tech. The problem is that the Zyxel NAS already has an authentication bypass flaw, and while it’s been patched, it wasn’t patched very well, making this whole scheme accessible without authentication, just by slapping /favicon.ico onto the url. The additional problems have been fixed in a more recent update.
A Twitter thread tells the story of a Russian secure device, left behind on the back of a bus in England. That’s an interesting premise. But the thread continues, that ‘conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about “trusted” devices too!’ OK, now this has to either be a fanfic, or a fell-off-the-back-of-a-truck story. There’s some convincing looking screenshots, and even rom dumps. What’s going on here?
Nobody knew how the devices worked, conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about "trusted" devices too! We'd all have been lost without those. https://t.co/LN7cTybxOV pic.twitter.com/j5OCHprSie
— hackerfantastic.x (@hackerfantastic) June 11, 2024
The most likely explanation is that somebody got their hands on a trove of data on these devices, and wanted to dump it online with a silly story. But fair warning, don’t trust any of the shared files. Who knows what’s actually in there. Taking a look at something untrusted like this is an art in itself, best done with isolated VMs and burner machines, maybe a Linux install you don’t mind wiping?
Buskill just published their 8th warrant canary, a cryptographically signed statement attesting that they have not been served any secret warrants or national security letters that would undermine the trustworthiness of the Buskill project or code. In addition to a good cryptographic signature, this canary includes a handful of latest news headlines in the signed material, proving it is actually a recently generated document.
[Aethlios] has published Reset Tolkien, an open source tool for finding and attacking a very specific sort of weakness in time based tokens. The targeted flaw is a token generated from improper randomness source, like the current time. If the pattern can be found, a “sandwich attack” can narrow down the possible reset codes by requesting a reset code for a controlled account, requesting one for the target account, and then once again for the controlled account. The target code must come between the two known codes.
And finally, TPM security is hard. This time, the Trusted Platform Module can be reset by reclaiming the GPIO pins connected to it, and simulating a reboot by pulling the reset pin. This results in the TPM possibly talking to an application when it thinks it is talking to the CPU doing boot decryption. In short, it can result in compromised keys. Thanks to [char] from Discord for sending this one in!
YouTuber My Developer Thoughts, a self-confessed middle-aged Software Developer, clearly has a real soft spot for the 6502-based 8-bit era machines such as the Commodore 64 and the VIC-20, for which he has created several video tutorials while travelling through retro-computing. This latest instalment concerns bringing up the toolchain for using the Kick Assembler with VS Code to target the C64, initially via the VICE emulator.
The video offers a comprehensive tutorial on setting up the toolchain on Windows from scratch with minimal knowledge. While some may consider this level of guidance unnecessary, it is extremely helpful for those who wish to get started with a few examples quickly and don’t have the time to go through multiple manuals and Wikis. In that regard, the video does an excellent job.
VS Code is a great tool with a large user base, so it’s not surprising that there’s a plugin for using the Kick Assembler directly from the IDE. You can also easily launch the application onto the emulator with just a push of a button, allowing you to focus on learning and working on your application. Once it runs under emulation, there’s a learning curve for running it on native hardware, but there are plenty of tutorials available for that. While you could code directly on the C64 itself, it’s much more pleasant to use modern tools, revision control, and all the conveniences and not have to endure the challenges.
Once you’ve mastered assembly, it may be time to move on to C or even C++. The Oscar64 compiler is a good choice for that. Next, you may want to show off your new skills on the retro demo scene. Here’s a neat C64 demo with a twist. There is no C64.
Thanks to [Stephen] for the tip!
Sometimes it seems like ideas for projects spring out of nothingness from a serendipitous set of circumstances. [Maarten] found himself in just such a situation, with a combination of his existing Tetris novelty lamp and an awkwardly-sized window on a second-floor apartment, he was gifted with the perfect platform for a giant playable Tetris game built into that window.
To make the giant Tetris game easily playable by people walking by on the street, [Maarten] is building as much of this as possible in the browser. Starting with the controller, he designed a NES-inspired controller in JavaScript that can be used on anything with a touch screen. A simulator display was also built in the browser so he could verify that everything worked without needing the giant display at first. From there it was on to building the actual window-sized Tetris display which is constructed from addressable LEDs arranged in an array that matches the size of the original game.
There were some issues to iron out, as would be expected for a project with this much complexity, but the main thorn in [Maarten]’s side was getting his controller to work in Safari on iPhones. That seems to be mostly settled and there were some other gameplay issues to solve, but the unit is now working in his window and ready to be played by any passers-by, accessed by a conveniently-located QR code. Tetris has been around long enough that there are plenty of unique takes on the game, like this project from 2011 that uses Dance Dance Revolution pads for controllers.
Despite what you might have heard, even the most devout Hackaday readers may eventually find themselves getting married. Should you ever find yourself in a situation where you need to send out invitations for your big day, or any other major celebration for that matter, you could do worse than follow the example [Mokas] and their partner set with these memorable electronic wedding invitations.
Inspired by the electronic badges distributed at hacker cons, [Mokas] decided to use Adafruit’ EdgeBadge and PyBadge devices to create a similar interactive keepsake that would be a bit more exciting than a piece of paper. While it would have been enough to have the wedding information pop up on the screen when they were turned on, the final invites actually boot into a retro-style game where you walk around talking to characters to uncover information about the event and the venue.
The game was created in Microsoft MakeCode Arcade, with a sprinkling of original and commissioned sprites. Early versions of the game ended up being a bit much for the Adafruit badge’s to handle, but after doing a bit of research on creating games for computationally-constrained platforms, [Mokas] was able to optimize the performance. For those that didn’t get a physical invite (no doubt ours was simply lost in the mail), you can play the whole thing right in your browser.
It’s a very clever idea, and while using custom hardware would have allowed for a more bespoke package, we can’t blame [Mokas] for wanting to keep this one simple. Getting everything ready for your wedding is already enough stress — it’s hardly the time to spin up a new board.
For a similar reasons, another Adafruit offering was selected to power the couple’s e-ink baby development display.
Building a retro computer of some sort is a rite of passage for many of us, with some building replicas or restorations of old Commodores, Ataris, and other machines from decades past. Others go even further back, to the time of the Intel 8008 or earlier, and a dedicated few will build something completely novel. This project from [3DSage] falls squarely in the latter category, with his completely DIY computer built component by component from scratch, including the machine code needed to run it.
[3DSage] starts with the backbone of every computer: the clock. He first demonstrates how a pair of NOT gates with a set of capacitors can be used as a rudimentary clock pulse, then builds a more refined version with a 555 timer and potentiometer for adjustable rates. Then, it’s on to creating a binary counter, which is a fundamental part of the memory system for this small computer, and finally, allows this circuitry to behave like a normal computer. Using a set of switches to store values in memory and stepping through them with the clock, the computer can be programmed to do plenty of tasks just like a modern microcontroller.
[3DSage] built this project a few years ago and has used it for real-world applications such as controlling servos, LED arrays, playing music, and other tasks. Although he has to program it using his own machine code by hand, it’s a usable computer in many ways. If you want to eschew modernity and build a retro computer in the style of the 1960s, though, this piece goes through what it would have been like to build a similar system in the era when these computers were more common. If you have a switch fetish, you might like to see how real computers worked back then, too.
As those of us who worked in the consumer software world back when physical media was king can attest, when a master disc has been sent for duplication and distribution there is no turning back from whatever code is in the hands of thousands of users. Usually such worries were confined to bugs or inadvertently sending out pre-release software versions, but [Lance Ewing] is here with the story of how Sierra On-Line once inadvertently released most of the source code for their game engine.
If you have some 720k floppy disk versions of the 1988 game Space Quest II, the first disk in the set appears to have nothing out of the ordinary, but a closer look reveals that the free space on the disk reported by DOS is greater than its used space. Diving in to the disk block contents with a hex editor reveals that many of the unused blocks in fact contain C code, and some further detective work allows the recovery of a not-quite complete set of source files for the company’s AGI, or adventure game interpreter. They had been left behind when the original master disk had been emptied by deleting them, rather than by formatting it afresh.
In commercial terms this would in 1988 have been something of a disaster for Sierra had it been discovered at the time, because it was the cornerstone of their success. As it was we’re told the code sat peacefully undetected until 2016, since when it has proved invaluable to those interested in computer game archaeology. Or did it? We’ll never know if a sharp-eyed competitor snagged it, and kept quiet.
Of course, these days, there are game engines that are open source. Some of them are very modern. Others… not so much.
There are plenty of reasons to pick up or build a 3D scanner. Modeling for animation or special effects, reverse engineering or designing various devices or products, and working with fabrics and clothing are all well within the wide range of uses for these tools. [Vojislav] built one a few years ago which used an array of cameras to capture 3D information but the Pi camera modules used in this build limited the capabilities of the scanner in some ways. [Vojislav]’s latest 3D scanner takes a completely different approach by using a single high-quality camera instead.
The new 3D scanner is built to carry a full-size DSLR camera, its lens, and a light. Much more similarly to how a 3D printer works, the platform moves the camera around the object in programmable steps for the desired 3D scan. The object being scanned sits on a rotating plate as well, allowing for the entire object to be scanned without needing to move the camera through a full 180° in two axes. The scanner can also be used for scanning more 2D objects while capturing information about texture, such as various textiles.
For anyone looking to reproduce something like this, [Vojislav] has made all of the plans for this build available on the project’s GitHub page including some sample gcode to demonstrate the intended use for the scanner. On the other hand, if you’re short the often large amount of funding required to get a DSLR camera, his older 3D scanner is still worth taking a look at as well.
This week Jonathan Bennett and David Ruggles chat with Rak Siva and Steve Demchuck to talk about Nitric! That’s the Infrastructure from Code framework that makes it easy to use a cloud back-end in your code, using any of multiple providers, in multiple programming languages.
The group chatted about the role and form of good documentation, as well as whether a Contributor License Agreement is ever appropriate, and what a good CLA would actually look like. Don’t miss it!
Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like use to interview? Let us know, or contact the guest and have them contact us!
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Conectar