Day: February 28, 2020

Casual Tetris Comes In At $9

February 28, 2020 by 3 Comments

[Michael Pick] calls himself the casual engineer, though we don’t know whether he is referring to his work clothes or his laid back attitude. However, he does like to show quick and easy projects. His latest? A little portable Tetris game for $9 worth of parts. There is an Arduino Pro Mini and a tiny display along with a few switches and things on a prototyping PC board. [Michael] claims it is a one day build, and we imagine it wouldn’t even be that much.

Our only complaint is that there isn’t a clear bill of material or the code. However, we think you could figure out the parts pretty easy and there are bound to be plenty of games including Tetris that you could adapt to the hardware.

Continue reading “Casual Tetris Comes In At $9”

OpenSource GUI Tool For OpenCV And DeepLearning

February 28, 2020 by 4 Comments

AI and Deep Learning for computer vision projects has come to the masses. This can be attributed partly to theĀ  community projects that help ease the pain for newbies. [Abhishek] contributes one such project called Monk AI which comes with a GUI for transfer learning.

Monk AI is essentially a wrapper for Computer Vision and deep learning experiments. It facilitates users to finetune deep neural networks using transfer learning and is written in Python. Out of the box, it supports Keras and Pytorch and it comes with a few lines of code; you can get started with your very first AI experiment.

[Abhishek] also has an Object Detection wrapper(GitHub) that has some useful examples as well as a Monk GUI(GitHub) tool that looks similar to the tools available in commercial packages for running, training and inference experiments.

The documentation is a work in progress though it seems like an excellent concept to build on. We need more tools like these to help more people getting started with Deep Learning. Hardware such as the Nvidia Jetson Nano and Google Coral are affordable and facilitate the learning and experimentation.

Using IR LEDs To Hide In Plain Sight

February 28, 2020 by 88 Comments

Getting by without falling under the gaze of surveillance cameras doesn’t seem possible nowadays – from malls to street corners, it’s getting more common for organizations to use surveillance cameras to keep patrons in check. While the freedom of assembly is considered a basic human right in documents such as the US Condition and the Universal Declaration of Human Rights, it is not a right that is respected everywhere in the world. Often times, governments enforcing order will identify individuals using image recognition programs, preventing them from assembling or demonstrating against their government.

Freedom Shield built by engineer [Nick Bild] is an attempt at breaking away from the status quo and giving people a choice on whether they want to be seen or not. The spectrum of radiation visible to humans maxes out around 740nm, allowing the IR waves to remain undetected by normal observers.

The project uses 940nm infrared (IR) LEDs embedded in clothes to overwhelm photo diodes in IR-sensitive cameras used for surveillance. Since the wavelength of the lights are not visible to humans, they don’t obstruct normal behavior, making it an ideal way to hide in plain sight. Of course, using SMD LEDs rather than the larger sizes would also help with making the lights even less visible to the naked eye.

The result doesn’t perfectly obscure your face from cameras, but for a proof-of-concept it’s certainly a example of how to avoid being tracked.

Continue reading “Using IR LEDs To Hide In Plain Sight”

Latest FlexLED Milestone Refines The POV Display

February 28, 2020 by 7 Comments

With his FlexLED project, [Carl Bugeja] is trying to perfect a simple and affordable persistence of vision (POV) display capable of generating “holographic” characters in mid-air. Traditionally POV systems spin LEDs rapidly to create the desired illusion, but that means motors, slip rings, and noise. As the name implies, the goal with this project is to do away with all that and replace it with a self-actuating flexible PCB.

The device is able to quickly move the LEDs back and forth quietly and efficiently thanks to a permanent magnet and magnetic coils integrated into the flexible PCB. With no motors or gears, the whole unit is smaller and less complex than other POV displays. As an added bonus, there’s no danger to the operator or the device should a curious user stick their finger into it.

The last time we took a look at this project, [Carl] had entered an earlier single-LED version into the 2019 Hackaday Prize. Competition was tough last year, and unfortunately FlexLED didn’t get selected as a Finalist. But we’re still extremely interested in seeing the project develop, and we imagine so are you.

The recently completed second version of the display features an improved coil design, eight RGB LEDs and a 3D printed base with integrated magnet. With more LEDs onboard, a single display is able to show multiple characters and even rudimentary animations. A large array of these flapping elements promises to be quite a sight.

But before you get too excited, [Carl] does have some bad news. For one, the cost of building them in small quantities is high, which is always tough for a single hacker trying to iterate a design. Worse, some of the LEDs seem to have died on this prototype already. He says it likely has something to do with the stress of flexing back and forth so quickly, which is obviously a bit troubling. He’s looking to get some feedback from the community, and is hoping to address these issues in the next version.

For an interesting look into his flexible PCB actuator projects, check out the interview [Carl] did with us at the 2018 Hackaday Superconference.

Continue reading “Latest FlexLED Milestone Refines The POV Display”

Building Cameras For The Immersive Future

February 28, 2020 by 6 Comments

Thus far, the vast majority of human photographic output has been two-dimensional. 3D displays have come and gone in various forms over the years, but as technology progresses, we’re beginning to see more and more immersive display technologies. Of course, to use these displays requires content, and capturing that content in three dimensions requires special tools and techniques. Kim Pimmel came down to Hackaday Superconference to give us a talk on the current state of the art in advanced AR and VR camera technologies.

[Kim]’s interest in light painting techniques explored volumetric as well as 2D concepts.
Kim has plenty of experience with advanced displays, with an impressive resume in the field. Having worked on Microsoft’s Holo Lens, he now leads Adobe’s Aero project, an AR app aimed at creatives. Kim’s journey began at a young age, first experimenting with his family’s Yashica 35mm camera, where he discovered a love for capturing images. Over the years, he experimented with a wide variety of gear, receiving a Canon DSLR from his wife as a gift, and later tinkering with the Stereorealist 35mm 3D camera. The latter led to Kim’s growing obsession with three-dimensional capture techniques.

Through his work in the field of AR and VR displays, Kim became familiar with the combination of the Ricoh Theta S 360 degree camera and the Oculus Rift headset. This allowed users to essentially sit inside a photo sphere, and see the image around them in three dimensions. While this was compelling, [Kim] noted that a lot of 360 degree content has issues with framing. There’s no way to guide the observer towards the part of the image you want them to see.

Continue reading “Building Cameras For The Immersive Future”

Last Call For Hackaday Belgrade Proposals Grants You A Four-Day Reprieve

February 28, 2020 by No comments

We want you to present a talk at Hackaday Belgrade and this is the last call to send us your proposal.

Europe’s biennial conference on hardware creation returns to Serbia on May 9th for an all-day-and-into-the-night extravaganza. Core to this conference is people from the Hackaday community sharing their stories of pushing the boundaries of what’s possible on their electronics workbenches, firmware repos, and manufacturing projects.

Here at Hackaday we live a life of never ending deadlines, but we also understand that this isn’t true for everyone. In that spirit, we’re extending the deadline so that those who count procrastination as a core skill don’t miss their chance to secure a speaking slot at the last minute. You now have until 18:00 GMT (19:00 in Belgrade) next Friday to file your talk proposal.

The conference badge is being built by Voja Antonic, the inventor of Yugoslavia’s first widely-adopted personal computer. We know he has prototype PCBs on hand and plan to share more information on what he has in store for you very soon.

This Week In Security: Chrome Bugs And Non-bugs, Kr00k, And Letsencrypt

February 28, 2020 by 20 Comments

Google Chrome minted a new release to fix a trio of bugs on Monday, with exploit code already in the wild for one of them. The first two bugs don’t have much information published yet. They are an integer-overflow problem in Unicode internationalization, and a memory access issue in streams. The third issue, type confusion in V8, was also fixed quietly, but a team at Exodus Intel took the time to look at the patches and figure out what the problem was.

The actual vulnerability dives into some exotic Javascript techniques, but to put it simply, it’s possible to change a data-type without V8 noticing. This allows malicious code to write into the header area of the attacked variable. The stack, now corrupted, can be manipulated to the point of arbitrary code execution. The researchers make the point that even with Google’s fast-paced release schedule, a determined attacker could have several days of virtual zero-day exploitation of a bug mined from code changes. Story via The Register.

The Chrome Problem that Wasn’t

A second Chrome story came across my desk this week: Chrome 80 introduces a new feature, ScrollToTextFragment. This useful new feature allows you to embed a string of text in a URL, and when loading that address, Chrome will scroll the page to make that text visible. For certain use cases, this is an invaluable feature. Need to highlight a specific bit of text in a big document online?

The following bookmarklet code by [Paul Kinlan] is the easy way to start using this feature. Paste this code into the URL of a bookmark, put it on the bookmark bar, highlight some text in a webpage, and then run the bookmarklet. It should open a new tab with the new URL, ready to use or send to someone.

javascript:(function()%7Bconst%20selectedText%20%3D%20getSelection().toString()%3Bconst%20newUrl%20%3D%20new%20URL(location)%3BnewUrl.hash%20%3D%20%60%3A~%3Atext%3D%24%7BencodeURIComponent(selectedText)%7D%60%3Bwindow.open(newUrl)%7D)()

Since we’re talking about it in the security column, there must be more to the story. A privacy guru at Brave, [Peter Snyder], raised concerns about privacy implications of the feature. His argument has been repeated and misrepresented in a few places. What argument was he making? Simply put, that it’s not normal user behavior to immediately scroll to an exact position on the page. Because modern web pages and browsers do things like deferred loading of images, it could be possible to infer where in the page the link was pointing. He gives the example of a corporate network where DNS is monitored. This isn’t suggesting that the entire URL is leaked over DNS, but rather that DNS can indicate when individual components of a page are loaded, particularly when they are embedded images from other sites.

While this concern isn’t nonsensical, it seems to me to be a very weak argument that is being over-hyped in the press.

Whatsapp Groups Searchable on Google

It’s not new for search engines to index things that weren’t intended to be public. There is a bit of mystery surrounding how Google finds URLs to index, and StackExchange is full of plenty of examples of webadmins scratching their heads at their non-public folders showing up in a Google search.

That said, a story made the rounds in the last few days, that WhatsApp and Telegram group invites are being indexed by Google. So far, the official word is that all the indexed links must have been shared publicly, and Google simply picked them up from where they were publicly posted.

It appears that WhatsApp has begun marking chat invitation links as “noindex”, which is a polite way to ask search engines to ignore the link.

If it’s shown that links are getting indexed without being posted publicly online, then we have a much bigger story. Otherwise, everything is working as expected.

Letsencrypt Makes Attacks Harder

Letsencrypt has rolled out an invisible change to their validation process that makes a traffic redirection attack much harder. The new feature, Multi-Perspective Validation, means that when you verify your domain ownership, Letsencrypt will test that verification from multiple geographic regions. It might be possible to spoof ownership of a domain through a BGP attack, but that attack would be much harder to pull off against traffic originating from another country, or multiple countries simultaneously. Letsencrypt is currently using different regions of a single cloud, but plans to further diversify and use multiple cloud providers for even stronger validation.

Kr00k

Brought to us by the researchers at Eset, Krook (PDF) is a simple flaw in certain wireless chips. So far, the flaw seems to be limited to WPA2 traffic sent by Broadcom and Cypress chips. They discovered Kr00k while doing some followup research on KRACK.

Let’s talk about WPA2 for a moment. WPA2 has a 4-way handshake process that securely confirms that both parties have the shared key, and then establishes a shared Temporal Key, also known as a session key. This key is private between the two devices that performed the handshake, meaning that other devices on the same wireless network can’t sniff traffic sent by other devices.

When a device disconnects, or disassociates, that session key is reset to all 0s, and no packets should be sent until another handshake is performed. Here’s the bug: The packets already in the output buffer are still sent, but are encrypted with the zeroed key, making them trivially decrypted. As it’s simple to trigger deauthentication events, an attacker can get a sampling of in-the-clear packets. The ubiquity of TLS is a saving grace here, but any unencrypted traffic is vulnerable. Eset informed vendors about the flaw in 2019, and at least some devices have been patched.

Exchange

Microsoft Exchange got a security patch this past Tuesday that addressed a pair of bugs that together resulted in a remote code execution vulnerability. The first bug was an encryption key that is generated on Exchange server installation. That generation seemed to lack a good source of entropy, as apparently every Exchange install uses the the exact same key.

The second half of this bug is a de-serialization problem, where an encrypted payload can contain a command to run. Because the encryption key is known, any user can access the vulnerable endpoint. The process of exploitation is so trivial, be sure to patch your server right away.

TODO: Remove Vulnerabilities

This one is just humorous. An Intel virtualization feature appears to have been pushed into the Linux kernel before it was finished. Know what unfinished code tends to contain? Bugs and vulnerabilities. CVE-2020-2732, in this case. It’s unclear how exactly an exploit would work, but the essence is that a virtual guest is allowed to manipulate system state in unintended ways.