Hackaday Links: April 24, 2016

TruckThe Internet Archive has a truck. Why? Because you should never underestimate the bandwidth of a truck filled with old manuals, books, audio recordings, films, and everything else the Internet Archive digitizes and hosts online. This truck also looks really, really badass. A good thing, too, because it was recently stolen. [Jason Scott] got the word out on Twitter and eagle-eyed spotters saw it driving to Bakersfield. The truck of awesome was recovered, and all is right with the world. The lesson we learned from all of this? Steal normal cars. Wait. Don’t steal cars, but if you do, steal normal cars.

In a completely unrelated note, does anyone know where to get a 99-01 Chevy Astro / GMC Safari cargo van with AWD, preferably with minimal rust?

[Star Simpson] is almost famous around these parts. She’s responsible for the TacoCopter among other such interesting endeavours. Now she’s working on a classic. [Forrest Mims]’ circuits, making the notebook version real. These Circuit Classics take the circuits found in [Forrest Mims]’ series of notebook workbooks, print them on FR4, and add a real, solderable implementation alongside.

Everyone needs more cheap Linux ARM boards, so here’s the Robin Core. It’s $15, has WiFi, and does 720p encoding. Weird, huh? It’s the same chip from an IP webcam. Oooohhhh. Now it makes sense.

Adafruit has some mechanical keyboard dorks on staff. [ladyada] famously uses a Dell AT101 with Alps Bigfoot switches, but she and [Collin Cunningham] spent three-quarters of an hour dorking out on mechanical keyboards. A music video was the result. Included in the video: vintage Alps on a NeXT keyboard and an Optimus Mini Three OLED keyboard.

A new Raspberry Pi! Get overenthusiastic hype! The Raspberry Pi Model A+ got an upgrade recently. It now has 512MB of RAM

We saw this delta 3D printer a month ago at the Midwest RepRap festival in Indiana. Now it’s a Kickstarter. Very big, and fairly cheap.

The Rigol DS1054Zed is one of the best oscilloscopes you can buy for the price. It’s also sort of loud. Here’s how you replace the fan to make it quieter.

Here’s some Crowdfunding drama for you. This project aims to bring the Commodore 64 back, in both a ‘home computer’ format and a portable gaming console. It’s not an FPGA implementation – it’s an ARM single board computer that also has support for, “multiple SIDs for stereo sound (6581 or 8580).” God only knows where they’re sourcing them from. Some tech journos complained that it’s, “just a Raspberry Pi running an emulator,” which it is not – apparently it’s a custom ARM board with a few sockets for SIDs, carts, and disk drives. I’ll be watching this one with interest.

This Teddy Bear Steals Your Ubuntu Secrets

Ubuntu just came out with the new long-term support version of their desktop Linux operating system. It’s got a few newish features, including incorporating the “snap” package management format. One of the claims about “snaps” is that they’re more secure — being installed read-only and essentially self-contained makes them harder to hack across applications. In principle.

[mjg59] took issue with their claims of increased cross-application security. And rather than just moan, he patched together an exploit that’s disguised as a lovable teddy bear. The central flaw is something like twenty years old now; X11 has no sense of permissions and any X11 application can listen in on the keyboard and mouse at any time, regardless of which application the user thinks they’re providing input to. This makes writing keylogging and command-insertion trojans effortless, which is just what [mjg59] did. You can download a harmless version of the demo at [mjg59]’s GitHub.

This flaw in X11 is well-known. In some sense, there’s nothing new here. It’s only in light of Ubuntu’s claim of cross-application security that it’s interesting to bring this up again.

xeyes

And the teddy bear in question? Xteddy dates back from when it was cool to display a static image in a window on a workstation computer. It’s like a warmer, cuddlier version of Xeyes. Except it just sits there. Or, in [mjg59]’s version, it records your keystrokes and uploads your passwords to shady underground characters or TLAs.

We discussed Snappy Core for IoT devices previously, and we think it’s a step in the right direction towards building a system where all the moving parts are only loosely connected to each other, which makes upgrading part of your system possible without upgrading (or downgrading) the whole thing. It probably does enhance security when coupled with a newer display manager like Mir or Wayland. But as [mjg59] pointed out, “snaps” alone don’t patch up X11’s security holes.

Pine64: The Un-Review

Even before the announcement and introduction of the Raspberry Pi 3, word of a few very powerful single board ARM Linux computers was flowing out of China. The hardware was there – powerful 64-bit ARM chips were available, all that was needed was a few engineers to put these chips on a board, a few marketing people, and a contract manufacturer.

One of the first of these 64-bit boards is the Pine64. Introduced to the world through a Kickstarter that netted $1.7 Million USD from 36,000 backers, the Pine64 is already extremely popular. The boards are beginning to land on the doorsteps and mailboxes of backers, and the initial impressions are showing up in the official forums and Kickstarter campaign comments.

I pledged $15 USD to the Pine64 Kickstarter, and received a board with 512MB of RAM, 4K HDMI, 10/100 Ethernet and a 1.2 GHz ARM Cortex A53 CPU in return. This post is not a review, as I can’t fully document the Pine64 experience. My initial impression? This is bad. This is pretty bad.

Continue reading “Pine64: The Un-Review”

VGA Output On A Freescale

Even though VGA is an outdated and becoming somewhat deprecated, getting this video output running on non-standard hardware is a rite of passage for some hackers. [Andrew] is the latest to take up the challenge. He got VGA output on a Freescale i.MX233 and also got some experience diving into the Linux kernel while he was at it.

The Freescale i.MX233 is a single-board computer that is well-documented and easy to wire up to other things without specialized hardware. It has video output in the form of PAL/NTSC but this wasn’t quite enough for [Andrew]. After obtaining the kernel sources, all that’s needed is to patch the kernel, build the kernel, and build a custom DAC to interface the GPIO pins to the VGA connector.

The first thing that [Andrew] did was load up the Hackaday home page, which he notes took quite a while since the i.MX233 only runs at 454 MHz with just 64 MB of RAM. While our retro page may have loaded a little faster, this is still an impressive build and a great first step to exploring more of the Linux kernel. The Freescale i.MX233 is a popular chip for diving into Linux on single-board computers, and there’s a lot going on in that community. There are some extreme VGA hacks out there as well if that’s more your style.

The Internet of Linux Things

The Linux Foundation is a non-profit organization that sponsors the work of Linus Torvalds. Supporting companies include HP, IBM, Intel, and a host of other large corporations. The foundation hosts several Linux-related projects. This month they announced Zephyr, an RTOS aimed at the Internet of Things.

The project stresses modularity, security, and the smallest possible footprint. Initial support includes:

  • Arduino 101
  • Arduino Due
  • Intel Galileo Gen 2
  • NXP FRDM-K64F Freedom

The project (hosted on its own Website) has downloads for the kernel and documentation. Unlike a “normal” Linux kernel, Zephyr builds the kernel with your code to create a monolithic image that runs in a single shared address space. The build system allows you to select what features you want and exclude those you don’t. You can also customize resource utilization of what you do include, and you define resources at compile time.

By default, there is minimal run-time error checking to keep the executable lean. However, there is an optional error-checking infrastructure you can include for debugging.

The API contains the things you expect from an RTOS like fibers (lightweight non-preemptive threads), tasks (preemptively scheduled), semaphores, mutexes, and plenty of messaging primitives. Also, there are common I/O calls for PWM, UARTs, general I/O, and more. The API is consistent across all platforms.

You can find out more about Zephyr in the video below. We’ve seen RTOS systems before, of course. There’s even some for robots. However, having a Linux-heritage RTOS that can target small boards like an Arduino Due and a Freedom board could be a real game changer for sophisticated projects that need an RTOS.

Continue reading “The Internet of Linux Things”

Linux Mint Hacked Briefly – Bad ISOs, Compromised Forum

On February 20th, servers hosting the Linux Mint web site were compromised and the site was modified to point to a version of Mint with a backdoor installed. Very few people were impacted, fortunately; only those who downloaded Mint 17.3 Cinnamon on February 20th. The forum user database was also compromised.

What is most impressive here is not that Linux Mint was compromised, but the response and security measures that were already in place that prevented this from becoming a bigger problem. First, it was detected the same day that it was a problem, so the vulnerability only lasted less than a day. Second, it only affected downloads of a specific version, and only if they clicked a specific link, so anyone who was downloading from a direct HTTP request or a torrent is unaffected. Third, they were able to track down the names of three people in Bulgaria who are responsible for this hack.

As far as the forum compromise, the breech netted usernames, emails, and encrypted passwords, as well as personal information that forum users may have entered in signatures or private messages. It’s always nice to see when compromised sites are not storing passwords in plain text, though.

There is one security measure which should have protected against this and failed for a couple of reasons, and that’s the signature. Normally, the file download is accompanied by a signature which is generated from the file, like an MD5 or SHA checksum. By generating the checksum of the downloaded ISO file and comparing it to the reported signature on the web site, one can confirm that the file has downloaded correctly and that it is the same file. In this case anyone downloading the bad ISO should have caught that the downloaded file was not the official one because the signatures did not match. This can fail. Most people are too lazy to check (and there is no automated checking process). More importantly, because the attackers controlled the web site, they could change the site to report any signature they wanted, including the signature for the bad ISO file.

If you are affected by this, you should change your password on the forum and anywhere you use the same email/password. More importantly, as great as the verification signature is, shouldn’t there be a better way to verify so that people use it regularly and so that it can’t be compromised so easily?

Flip Your Desktop Over to Boot Linux

[Andy France] built his computer into a Windows XP box. (Yes, this is from the past.) He needed to run windows most of the time, but it was nice to boot into Linux every now and then. That’s where the problem lay. If he was running Linux on his Windows XP case mod, he’d get made fun of. The only solution was to make a Linux sleeve for his computer. He would slide the sleeve over the case whenever he ran Linux, and hide his shame from wandering eyes. Once his plan was fully formed, he went an extra step and modified the computer so that if the sleeve was on, it would automatically boot Linux, and if it was off it would boot Windows.

The Linux sleeve could only slide on if the computer was flipped upside down. So he needed to detect when it was in this state. To do this he wired a switch into one of the com ports of his computer, and attached it to the top of the case mod. He modified the assembly code in the MBR to read the state of the switch. When the Linux sleeve is on (and therefore the computer is flipped over) it boots Linux. When the sleeve is off, Windows. Neat. It would be cool to put a small computer in a cube and have it boot different operating systems with this trick. Or maybe a computer that boots into guest mode in one orientation, and the full system in another.

Continue reading “Flip Your Desktop Over to Boot Linux”