This Week In Security: Linux VMs, Real AI CVEs, And Backscatter TOR DoS

Steve Ballmer famously called Linux “viral”, with some not-entirely coherent complaints about the OS. In a hilarious instance of life imitating art, Windows machines are now getting attacked through malicious Linux VM images distributed through phishing emails.

This approach seems to be intended to fool any anti-malware software that may be running. The VM includes the chisel tool, described as “a fast TCP/UDP tunnel, transported over HTTP, secured via SSH”. Now that’s an interesting protocol stack. It’s an obvious advantage for an attacker to have a Linux VM right on a target network. As this sort of virtualization does require hardware virtualization, it might be worth disabling the virtualization extensions in BIOS if they aren’t needed on a particular machine.

AI Finds Real CVE

We’ve talked about some rather unfortunate use of AI, where aspiring security researchers asked an LLM to find vulnerabilities in a project like curl, and then completely wasted a maintainer’s time on those bogus reports. We happened to interview Daniel Stenberg on FLOSS Weekly this week, and after he recounted this story, we mused that there might be a real opportunity to use LLMs to find vulnerabilities, when used as a way to direct fuzzing, and when combined with a good test suite.

And now, we have Google Project Zero bringing news of their Big Sleep LLM project finding a real-world vulnerability in SQLite. This tool was previously called Project Naptime, and while it’s not strictly a fuzzer, it does share some similarities. The main one is that both tools take their educated guesses and run that data through the real program code, to positively verify that there is a problem. With this proof of concept demonstrated, it’s sure to be replicated. It seems inevitable that someone will next try to get an LLM to not only find the vulnerability, but also find an appropriate fix.

Ask Hackaday: How Much Would You Stake On An Online Retailer

On the bench where this is being written, there’s a Mitutoyo vernier caliper. It’s the base model with a proper vernier scale, but it’s beautifully made, and it’s enjoyable to see younger hardware hackers puzzle over how to use it. It cost about thirty British pounds a few years ago, but when it comes to quality metrology instruments that’s really cheap. The sky really is the limit for those in search of ultimate accuracy and precision. We can see then why this Redditor was upset when the $400 Mitutoyo they ordered from Amazon turned out to be nothing of the sort. We can’t even call it a fake, it’s just a very cheap instrument stuffed, oddly, into a genuine Mitutoyo box.

Naturally we hope they received a refund, but it does raise a question when buying from large online retailers: how much are we prepared to risk? We buy plenty of stuff from AliExpress in our community, but in that case the slight element of chance which comes with random Chinese manufacture is offset by the low prices. Meanwhile the likes of Amazon have worked hard to establish themselves as trusted brands, but is that misplaced? They are after all simply clearing houses for third party products, and evidently have little care for what’s in the box. The £30 base model caliper mentioned above is an acceptable punt, but at what point should we go to a specialist and pay more for some confidence in the product?

It’s a question worth pondering as we hit the “Buy now” button without thinking. What’s your view? Let us know in the comments. Meanwhile, we can all be caught with our online purchases.

Thanks [JohnU] for the tip.

Teaching A Pi Pico E-Ink Panel New Tricks

We’ve noticed that adding electronic paper displays to projects is getting easier. [NerdCave] picked up a 4.2-inch E-ink panel but found its documentation a bit lacking when it came to using the display under MicroPython. Eventually he worked it out, and was kind enough to share with the rest of the class.

These paper-like displays draw little power and can hold static images. There were examples from the vendor of how to draw some simple objects and text, but [NerdCave] wanted to do graphics. There was C code to do it, but it wasn’t clear how to port it to Python.

The key was to use the image2cpp website (we’ve used it before, but you can also use GIMP). Instead of C code, though, you get the raw bytes out and place them in your Python code. Once you know the workflow, it isn’t that hard, and this is an inexpensive way to add a different kind of display to your projects. The same image conversion will help you work with other displays, too.

We aren’t sure what driver chip this particular display uses, but if you have one with the UC8151/IL0373, you can find some amazing MicroPython drivers for those chips.



Help Wanted: Keep The World’s Oldest Windmills Turning

While the Netherlands is the country most known for its windmills, they were originally invented by the Persians. More surprisingly, some of them are still turning after 1,000 years.

The ancient world holds many wonders of technology, and some are only now coming back to the surface, like the Antikythera Mechanism. Milling grain with wind power probably started around the 8th Century in Persia, but in Nashtifan, Iran they’ve been keeping the mills running generation-to-generation for over 1000 years. [Mohammed Etebari], the last windmill keeper, is in need of an apprentice to keep them running though.

In a world where vertical axis wind turbines seem like a new-fangled fad, it’s interesting to see these panemone windmills are actually the original recipe. The high winds of the region mean that the timber and clay construction of the asbad housing the turbine is sufficient for its task without all the fabric or man-made composites of more modern designs. While drag-type turbines aren’t particularly efficient, we do wonder how some of the lessons of repairability might be used to enhance the longevity of modern wind turbines. Getting even 100 years out of a turbine would be some wicked ROI.

Wooden towers aren’t just a thing of the past either, with new wooden wind turbines soaring 100 m into the sky. Since you’ll probably be wanting to generate electricity and not mill grain if you made your own, how does that work anyway?


Using AI To Help With Assembly

Although generative AI and large language models have been pushed as direct replacements for certain kinds of workers, plenty of businesses actually doing this have found that using this new technology can cause more problems than it solves when it is given free rein over tasks. While this might not be true indefinitely, the real use case for these tools right now is as a kind of assistant to certain kinds of work. For this they can be incredibly powerful as [Ricardo] demonstrates here, using Amazon Q to help with game development on the Commodore 64.

The first step here was to generate code that would show a sprite moving across the screen. The AI first generated code in all caps, as was the style at the time of the C64, but in [Ricardo]’s development environment this caused some major problems, so the code was converted to lowercase. A more impressive conversion was done in the next steps, as the program needed to take advantage of the optimizations found in the Assembly language. With the code converted to 6502 Assembly that can run on the virtual Commodore, [Ricardo] was eventually able to show four sprites moving across the screen after several iterations with the AI, as well as change the style of the sprites to arbitrary designs.

Although the post is a bit over-optimistic on Amazon Q as a tool specifically for developers, it might have some benefits over other generative AIs, especially if it’s capable at the chore of programming in Assembly language. We’d love to hear from anyone with real-world experience with this and whether it is truly worth the extra cost over something like Copilot or GPT 4. For any of these generative AI models, though, it’s probably worth trying them out while they’re in their early stages. Keep in mind that there’s a lot more than programming that can be done with some of them as well.

DIY Lock Nuts

If you have a metal lathe just looking for some work, why not make your own lock nuts? That’s what [my mechanics insight] did when faced with a peculiar lock nut that needed replacing in a car. We can’t decide what we enjoyed more in the video you can watch below: the cross-section cut of a lock nut or the oddly calming videos of the new nut being turned on a lathe.

The mystery of the lock nut, though, isn’t how it works. The nylon insert is just a little too small for the bolt, and the bolt, being harder than nylon, taps a very close-fitting hole in the nylon as you tighten it. The real mystery is how that nylon got in there to start with.


Disposable Vape Batteries Power EBike

There are a lot of things that get landfilled that have some marginal value, but generally if there’s not a huge amount of money to be made recycling things they won’t get recycled. It might not be surprising to most that this is true of almost all plastic, a substantial portion of glass, and even a lot of paper and metals, but what might come as a shock is that plenty of rechargeable lithium batteries are included in this list as well. It’s cheaper to build lithium batteries into one-time-use items like disposable vape pens and just throw them out after one (or less than one) charge cycle, but if you have some spare time these batteries are plenty useful.

[Chris Doel] found over a hundred disposable vape pens after a local music festival and collected them all to build into a battery powerful enough for an ebike. Granted, this involves a lot of work disassembling each vape, which is full of some fairly toxic compounds and also generally tends to have some sensitive electronics, but once each pen is disassembled the real work of building a battery gets going. He starts with testing each cell and charging them to the same voltage, grouping cells with similar internal resistances. From there he assembles them into a 48V pack with a battery management system and custom 3D printed cell holders to accommodate the wide range of cell sizes. A 3D printed enclosure with charge/discharge ports, a power switch, and a status display round out the build.

With the battery bank completed he straps it to his existing ebike and hits the trails, easily traveling 20 miles with barely any pedal input. These cells are only rated for 300 charge-discharge cycles which is on par for plenty of similar 18650 cells, making this an impressive build for essentially free materials minus the costs of filament, a few parts, and the sweat equity that went into sourcing the cells. If you want to take an ebike to the next level of low-cost, we’d recommend pairing this battery with the drivetrain from the Spin Cycle.

Thanks to [Anton] for the tip!