Hackaday Links Column Banner

Hackaday Links: March 3, 2024

Who’d have thought that $30 doorbell cameras would end up being security liabilities? That’s the somewhat obvious conclusion reached by Consumer Reports after looking at some entry-level doorbell cameras available through the usual outfits and finding glaring security gaps which are totally not intentional in any way.

All these cameras appear to be the same basic hardware inside different enclosures, most supporting the same mobile app. Our favorite “exploit” for these cameras is the ability to put them into a pairing mode with the app, sometimes by pressing a public-facing button. Slightly more technically challenging would be accessing images from the app using the camera’s serial number, or finding file names being passed in plain text while sniffing network traffic. And that’s just the problems CR identified; who knows what else lurks under the covers? Some retailers have stopped offering these things, others have yet to, so buyer beware.

Speaking of our techno-dystopian surveillance state, if you’ve had it with the frustrations and expense of printers, has Hewlett-Packard got a deal for you. They want you to never own a printer again, preferring that you rent it from them instead. Their “All-In Plan” launched this week, which for $6.99 a month will set up up with an HP Envy inkjet printer, ink deliveries, and 24/7 tech support. It doesn’t appear that paper is included in the deal, so you’re on your own for that, but fear not — you won’t go through much since the entry-level plan only allows 20 prints per month. Plans scale up to 700 prints per month from an OfficeJet Pro for the low, low price of $36. The kicker, of course, is that your their printer has to be connected to the Internet, and HP can pretty much brick the thing anytime they want to. The terms of service also explicitly state that they’ll be sending your information to advertising partners, so that’ll be fun. This scheme hearkens back to the old pre-breakup days of AT&T, where you rented your phone from the phone company. That model made a lot more sense when the phone (probably) wasn’t listening in on everything you do. This just seems like asking for trouble.

“Enhance, enhance…” Credit: NASA/JPL-Caltech/LANL/CNES/IRAP/Simeon Schmauß

It’s been a while since Ingenuity‘s final rough landing on Mars permanently grounded the overachieving helicopter, long enough that it’s time for the post-mortem analyses to begin. The first photographic evidence we had was a shadowgram from one of the helicopter’s navigational cameras, showing damage to at least one of the rotor tips, presumably from contact with the ground. Then we were treated to a long-distance shot from Ingenuity‘s rover buddy Perseverance, which trained its MASTCAM instruments on the crash zone and gave us a wide view of its lonely resting place.

Now, geovisual design student [Simeon Schmauβ] has taken long shots made with the rover’s SuperCam instrument and processed them into amazingly detailed closeups, which show just how extensive the damage really is. One rotor blade sheared clean off on contact, flying 15 meters before gouging a hole in the regolith. Another blade looks to be about half gone, while the remaining two blades show the damaged tips we’ve already seen. That the helicopter is still on its feet given the obvious violence of the crash is amazing, as well as an incredible piece of luck, since it means the craft’s solar panel is pointing in roughly the right direction to keep it powered up.

Continue reading “Hackaday Links: March 3, 2024”

The Orb Web Desktop

[Hugo Leisink] is a programmer who contributes to Open Source projects. In their spare time, they have been developing a web-browser-based operating system called Orb. It is available for the princely sum of zero cheeseburgers and doesn’t need a high-spec machine to run smoothly. The project is built using PHP and Javascript, which allows it to run efficiently on most desktop devices. There are a number of apps included, which are again written in a combination of PHP and js, together with a few written using webasm.

A few notable examples include a C64 emulator, minesweeper, and even a js port of Wolfenstein 3D so this isn’t just a toy, but actually useful. Ok, for real use cases, there are also the usual file browsers, and document readers as well as a writing application based on CKeditor. There is a kind of Windows 3.1 look and feel simplicity to the experience which is refreshing in the modern era of complex applications with their learning curves. Orb could be very useful in an educational setting, or just for jotting your own notes as you travel. Who knows, because the possibilities are endless if you’re willing to get your hands dirty with a bit of coding.

We’ve seen a few web desktops before, here’s a collection of them we saw last year. If you want to go in the other direction and turn a webpage into a desktop app, then look no further than Gluon.

Creating Your Alarm On The Fly

We suspect that most of us who use an alarm clock have our particular sound memorized. Common choices are annoying beeping, energetic marimbas, or what used to be your favorite song (which you have now come to despise). [Adam Kumpf] wanted a more pleasant alarm clock and came up with WakeSlow, an alarm clock audio stream, which is a spiritual successor to an earlier project he did called Warmly.

Some might say, “an audio stream? You could create an acceptable alarm tone generator with a 555 and a 2N2222”. The idea behind WakeSlow is to use your existing internet-connected alarm clock that can play an audio stream. You generate a URL using WakeSlow, and it plays the alarm. A custom URL is helpful since it incorporates weather data, letting you know if it’s going to rain, blowing wind, or be sunny that day. It mixes CC0 audio to form the stream, and includes a 5-minute fade to wake you up gradually. After five minutes, it’s jazz time, and it plays a sample of some CC0 jazz.

The code is super simple, and he makes it available on his website under a public domain/CC0 license. The simplicity offers something powerful, making it exactly how you like it. You could incorporate holiday information, a text-to-speech news announcer reading the news of what’s on your calendar that day, or anything you can dream of.

Hackers are generally particular about clocks, and alarm clocks fall under the same umbrella. WakeSlow allows you to skip the hardware part of making your customized alarm, but if you prefer to have the whole thing be custom, we have a few suggestions for alarms to look at.

This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty, potential supply chain attack in this tool, when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control Service (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection. Name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mecurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe still used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
Continue reading “This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis”

Get GitHub Tickets IRL With A Raspberry Pi And A Receipt Printer

Thermal receipt printers are finding their way into all sorts of projects that are well beyond the point-of-sale environment that they normally inhabit. And while we applaud all the creative and artistic uses hackers have found for these little gems, this GitHub physical ticket printer has to be the best use for one yet.

According to [Andrew Schmelyun], seeing a fast-food order pop up on a thermal printer was the inspiration for this build. Maintaining over one hundred GitHub repos as he does, it’s easy for the details of any one bug report or feature request to get lost in the swarm of sticky notes that [Andrew] previously used to keep track of his work. To make it happen, he teamed an Epson thermal printer up to a Raspberry Pi Zero W and worked out the details of sending data to the printer using PHP. Luckily, there’s a library for that — the beauty of GitHub.

With the “Hello, World!” bit out of the way, [Andrew] turned his attention to connecting to GitHub. He set up some webhooks on the GitHub side to send a POST request every time an issue is reported on one of his repos. The POSTs are sent via ngrok to a PHP web server running on the Pi, which formats the data and sends the text to the printer. There’s a short video in the tweet below.

Between the sound of the printer working and the actual dead-tree ticket, it’ll be hard for [Andrew] to miss issues now. We’ve seen thermal printers stuffed into cameras, used to send pictures to Grannie, and even watched them commit suicide slowly, but we say hats off to [Andrew] for his solid work ethic and a fun new way to put a receipt printer to use.

Continue reading “Get GitHub Tickets IRL With A Raspberry Pi And A Receipt Printer”

PHP Gets A Demoscene Engine Of Its Very Own

When we think demoscene, our first thought is typically of 80s computers, particularly the Commodore 64 and Amiga 500 which were widely regarded as the awesomest of their time. However, you can write a demo on any platform you wish, and [OxABADCAFE] has done just that – in PHP.

Pretty, no?

Going by PDE, standing for Pointless, Portable, or PHP Demo Engine, the code is available on GitHub for the curious. The code is set up for RGB ASCII terminal output, for a beautifully old-school aesthetic. Demo sequences can be programmed in JSON files, with the code executing a default in-built demo if none is provided.

There’s no audio yet, so you’ll have to cool your thumping chiptune jets until that’s available in a later release. With that said, we look forward to more development expanding what can be done with the engine – after all, there’s nothing more demoscene than pushing the limits. Video after the break.

Continue reading “PHP Gets A Demoscene Engine Of Its Very Own”

Roll Your Own Photo Sharing, Minus The Social Networking Baggage

[Niklas Roy] rolled his own photo diary, because he found the core functionality of something like instagram attractive, but didn’t want the social network baggage that it came with. His simple system is called my own insta ;) and it consists of some javascript and PHP to create a nice progressive web app photo diary and backend that can be accessed just fine from a mobile device. It is available on GitHub for anyone interested in having their own.

This project came up because [Niklas] sometimes found himself working on small projects or experiments that aren’t destined for proper documentation, but nevertheless could benefit from being shared as a photo with a short description. This dovetails with what many social networks offer, except that those platforms also come with other aspects [Niklas] doesn’t particularly want. His online photo diary solves this by having a simple back end with which he can upload, sort, and caption photos in an easy way even from a mobile device.

Rolling one’s own solution to some small core functionality offered by a social network is one way to avoid all the extra baggage, but another method is to simply automate away all the pesky social bits with a robot.