Little Twitter Game Boy Won’t Work Now The API Is Dead

Twitter, like many social networks, used to feature a useful API. This let people do fun things like create toasters that could automatically post breaderly updates, or even load Twitter posts on machines that couldn’t handle full-fat websites. That API is now history, but [NEKOPLA] used it for a cute Game Boy-like Twitter device in its dying days earlier this year.

Swap out the TW BOY for a smartphone and this photo wouldn’t be nearly as good.

The “TW BOY”, as it is known, runs on a Raspberry Pi Zero 2 W, which includes a WiFi chip on board for easy internet connectivity. A Python script was charged with fetching Tweets for viewing using the now-dead Twitter API. Dithering was used to display color images on the 320×240 monochrome screen. Everything was wrapped up in a tidy 3D-printed housing to complete the look. The device uses two action buttons, and four directional buttons for navigation. It’s the layout popularized by the original Game Boy, and it looks super cute here, too.

[NEKOPLA] built the project out of a penchant for single-use devices, which focus solely on doing one thing well. We can appreciate that ethos, and we love the final product, even if Twitter decreed it would no longer work. (Time to move on to Mastodon?) More images after the break.


End Of An Automation Era As Twitter Closes Its Doors To Free API Access

Over the last few months since Elon Musk bought Twitter there has been a lot of comment and reaction, but not much with relevance to Hackaday readers. Today though that has changed, with an announcement from the company that as of February 9th they will end their free API tier. It’s of relevance here because Twitter has become one of those glue items for connected projects and has appeared in many featured works on this site. A week’s notice of a service termination is exceptionally short, so expect to see a lot of the Twitter bots you follow disappearing.

Twitter bot owners have the option of paying to continue with Twitter, or rebuilding their service to use a Mastodon instance such as botsin.space. If the fediverse is new to you, then the web is not short of tutorials on how to do this.

We feel that Twitter will be a poorer place without some of the creative, funny, or interesting bots which have enriched our lives over the years, and we hope that the spam bots don’t remain by paying for API access. We can’t help feeling that this is a misguided step though, because when content is the hook to bring in the users who are the product, throwing out an entire category of content seems short-sighted. We’re not so sure about it as a move towards profitability either, because the payback from a successful social media company is never profit but influence. In short: social media companies don’t make money, they make the conversation itself, and that can sometimes be worth more than money if you can avoid making a mess of it.

If the bots from our field depart for Mastodon, we look forward to seeing whether the new platform offers any new possibilities. Meanwhile if your projects don’t Toot yet, find out how an ESP32 can do it.

Header: D J Shin, CC BY-SA 3.0.

The demo toot screenshot, showing a text-only message sent from the ESP32 using the library.

Moved Off Twitter? Make Your ESP32 Toot

Since Twitter was officially taken over by Elon Musk a few days ago, there have been significant staff cuts, a stream of questionable decisions, and uncertainty about the social media platform’s future. So it’s little surprise that a notable number of people, those in the tech and hacker scenes in particular, have decided to move over to (or at least bridge their accounts with) the distributed and open source Mastodon service.

Of course, the hacks would follow closely, and [Toby] shares a simple ESP32-based Mastodon client library for us to start with. Instead of “tweets”, messages on Mastodon instances are called “toots”, in line with the platform’s mammoth-like mascot. The library, called Luyba, is able to send toots and includes a demo firmware. Built using C++ and with support for Platform.IO, it should fit into quite a few projects out there, letting you easily send toots to whichever instance you find your home, as the library-aided demo toot shows.

What could you do with such a library on your MCU? Turns out, quite a few fun things – a home automation interface, a critter trap, an online BBC Basic interpreter, or, given image support, a camera that tweets whatever it’s pointed at. There’s quite a bit of fun hackers can have given a micro-blogging service API access and a bit of code that works with it. That said, for all the good that Twitter brought us over the years, there’s a lot that Mastodon can easily do better, between an easily game-able “Trending” sidebar, bias found in auto-cropping algorithms, and disarrayed internal security policies.

CRT TV screen showing a Super Mario Bros main screen with "Social Media Bros" written on the title screen instead. There's a NES console to the right of it, with a perfboard on top of it, wires going into the console port.

ConnectedNES Brings Twitter Into Super Mario Bros World

Back in 2016, artist and video game historian [Rachel Weil (HXLNT)] was hanging out with her friend and hacking on console stuff, as friends do. [Rachel] was galvanized by the idea of having an iconic game like Super Mario Bros be interrupted by push notifications, and set out to bring a Twitter feed to her NES gaming experience. What she ended up with is ConnectedNES — a charming combination of a custom Twitter modem and a hacked Super Mario Bros ROM, creating a social media experience you have to see for yourself.

The technical side is as immaculate as the visuals. Data is transferred to the NES through the controller port using a Particle Photon that’s emulating a NES controller, and everything is encased in an adorable shell made out of yarn needlework.

The Photon currently taps into the Twitter feed through a proxy server run locally, and listens for tweets with specific keywords, relaying them to the ROM through mimicking controller port inputs. The ROM, now bearing the name Social Media Bros, went through some careful assembly trimming work. In particular, [Rachel] had to sacrifice Green Mario to the bit bucket gods.

Playing this game has to be quite the experience. Thankfully, source code for everything — the proxy server, the Photon firmware and the NES ROM — is on GitHub for all of us NES enthusiasts to hack at. If simply reading the feed is not enough, you can send tweets from your NES as well.

This Week In Security: F5 Twitter PoC, Certifried, And Cloudflare Pages Pwned

F5’s BIG-IP platform has a Remote Code Execution (RCE) vulnerability: CVE-2022-1388. This one is interesting, because a Proof of Concept (PoC) was quickly reverse engineered from the patch and released on Twitter, among other places.

HORIZON3.ai researcher [James Horseman] wrote an explainer that sums up the issue nicely. User authentication is handled by multiple layers, one being a Pluggable Authentication Modules (PAM) module, and the other internally in a Java class. In practice this means that if the PAM module sees an X-F5-Auth-Token, it passes the request on to the Java code, which then validates the token to confirm it as authentic. If a request arrives at the Java service without this header, and instead the X-Forwarded-Host header is set to localhost, the request is accepted without authentication. The F5 authentication scheme isn’t naive, and a request without the X-F5-Auth-Token header gets checked by PAM, and dropped if the authentication doesn’t check out.

So where is the wiggle room that allows for a bypass? Yet another HTTP header, the Connection header. Normally this one only comes in two varieties, Connection: close and Connection: keep-alive. Really, this header is a hint describing the connection between the client and the edge proxy, and its contents are the list of other headers to be removed by a proxy. It’s essentially the list of headers that only apply to the connection over the internet.
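The hop-by-hop behaviour described above, as an added example that is not from the original column or from F5: a model of how a proxy drops the headers named in Connection, and an audit that rejects requests nominating a header an authentication layer depends on. The `PROTECTED` policy, the `X-Example-Auth` header and the sample request are assumptions constructed for illustration.

```python
# Added illustration of Connection-header (hop-by-hop) handling, RFC 7230 s6.1.
# The guard policy below is an assumption, not vendor code.

# Connection options that are routine and name no other header.
STANDARD_OPTIONS = {"close", "keep-alive", "upgrade"}

# Headers an auth decision reads. The first two are named in the article;
# "x-example-auth" is hypothetical and used by the constructed sample.
PROTECTED = {"x-f5-auth-token", "x-forwarded-host", "x-example-auth"}

# Constructed sample request as (name, value) pairs.
SAMPLE = [
    ("Host", "device.example"),
    ("X-Example-Auth", "token-abc"),
    ("Connection", "keep-alive, X-Example-Auth"),
]


def connection_tokens(headers):
    """Return the lowercase tokens listed across all Connection headers."""
    values = [v for n, v in headers if n.lower() == "connection"]
    return {t.strip().lower() for t in ",".join(values).split(",") if t.strip()}


def strip_hop_by_hop(headers):
    """What a compliant proxy forwards: Connection and every header it names are dropped."""
    drop = connection_tokens(headers) | {"connection"}
    return [(n, v) for n, v in headers if n.lower() not in drop]


def audit_request(headers):
    """Flag requests whose Connection header changes what the next layer sees."""
    findings = []
    for token in sorted(connection_tokens(headers) - STANDARD_OPTIONS):
        if token in PROTECTED:
            findings.append(f"reject: Connection nominates protected header '{token}'")
        else:
            findings.append(f"log: Connection nominates non-standard header '{token}'")
    return findings


if __name__ == "__main__":
    print("front layer sees :", [n for n, _ in SAMPLE])
    print("next layer sees  :", [n for n, _ in strip_hop_by_hop(SAMPLE)])
    print("audit            :", audit_request(SAMPLE))
```

Run the audit on the request as received, before any stripping, so that both layers make their decision about the same set of headers.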

This WeeΚ In Security: Hackerman, Twitter’s Best, And Signs To Watch Out For

[Editor’s note: There is a second, fake iteration of this column out today. This is obviously the real column.]

First off, there’s an amazing video tutorial from [Hackerman], embedded below the break. It’s a beginners guide to temporal displacement through GPU accelerated, cellular-connected partition board. The central flaw that makes this possible is a segmentation violation, accessible through a mode 6 cursor address reset. Watch out, though, because many mainframes actually have a core terminal capable of shutting such an attempt out of the grid altogether.

It’s a great guide, and definitely worth a watch if temporal security tickles your fancy. Watch out, though, because everyday objects can apparently act as bridges, infecting even users with temporal effects.


Gaming Twitter’s Trending Algorithm To Make A Point

If you have ever taken to Twitter to gauge the zeitgeist, you’ll have noticed that among the trending hashtags related to major events of the day there are sometimes outliers of minority interest associated with single-issue causes. When a cause with a distasteful pedigree was cited as proof of widespread public support in a debate in the UK’s House of Lords, there were concerns raised that a flaw in the ranking algorithm might be responsible, and it was left to [Mallory Moore] to prove the hypothesis by getting a #ThisIsAnExploit hashtag trending without a groundswell of popular support.

Some previous detective work had established that equal ranking might be awarded not simply for Tweeting a hashtag but also for retweeting it. The exploit takes advantage of this by means of a relatively small cadre of people all Tweeting the tag a number of times, then retweeting all other instances of it. The resulting rank gain is then in the order of the square of the number of accounts interacting with the tag, and thus hugely inflated over the number of real participants. To test this she created the #ThisIsAnExploit tag and asked her followers to do just that: Tweet it and retweet all others containing it. In a short time the exploit succeeded, beating a very high-profile tag associated with the travails of the British Prime Minister in the process, and with most of the effort due to only 50 accounts.

Our world is now significantly influenced by social media because for many it appears more trustworthy than the old-style mass media with a print origin. Work like this is important because a reminder that transferring the message from newspaper proprietors to tech barons does not confer credibility is sorely needed. Meanwhile, now that the weakness is in the wild, we wonder how Hackaday readers might have fun with it. Does anyone want to see a #RaiseTheJollyWrencher hashtag top the pile?