Run Your Own Server For Fun (and Zero Profit)

March 15, 2022 by 126 Comments

It seems there’s a service for everything, but sometimes you simply learn more by doing it yourself. If you haven’t enjoyed the somewhat anachronistic pleasures of running your own server and hosting your own darn website, well, today you’re in luck!

Yes, we’re going to take an old computer of some sort and turn it into a web server for hosting all of your projects at home. You could just as easily use a Raspberry Pi –even a Zero W would work — or really anything that’ll run Linux, but be aware that not all computing platforms are created equally as we’ll discuss shortly.

Yes, we’re going to roll our own in this article series. There are a lot of moving parts, so we’re going to have to cover a lot of material. Don’t worry- it’s not incredibly complicated. And you don’t have to do things the way we say. There’s flexibility at every turn, and you’re encouraged to forge your own path. That’s part of the fun!

Note: For the sake of space we’re going to skip over some of the most basic details such as installing Linux and focus on those that have the greatest impact on the project. This article gives a high level overview of what it takes to host your project website at home. It intentionally glosses over the deeper details and makes some necessary assumptions.

Continue reading “Run Your Own Server For Fun (and Zero Profit)”

Your Voice Assistant Doesn’t Have To Be Cloudy

March 21, 2024 by 24 Comments

Voice assistants are neat — they let us interface with computers without having to bother with touching them at all. Still, many decry the perceived privacy intrusion these devices present, as they’re always trucking data off to corporate servers for all kinds of opaque reasons. Building your own standalone assistant is a way to get around that, and that’s precisely what [Tristram] did.

The build is based on an ESP32 Lyrat development board. Unlike most devboards, this one has two 3 watt audio outputs and mics on board, making it perfect for a build like this one. The Lyrat was paired with some NeoPixel LEDs and a pair of Dayton Audio 1.5″ speakers to enable it to interact with the user both audibly and visually.

[Tristram] steps through not only how to set up the voice assistant, but also how to build it into a simple and attractive enclosure that won’t unduly stand out in the average house. The Lyrat simply has to be flashed with firmware that enables it to work as a voice aid with Home Assistant platform.

If you’re unfamiliar, Home Assistant is a smart home architecture that you can run yourself on your own hardware, without having everything live in the cloud of some murky corporation.

Home Assistant has grown in popularity in recent years as a less intrusive smarthome solution. You can even use it to monitor your hot tub! Video after the break.

Continue reading “Your Voice Assistant Doesn’t Have To Be Cloudy”

This Week In Security: Glibc, Ivanti, Jenkins, And Runc

February 2, 2024 by 4 Comments

There’s a fun buffer overflow problem in the Glibc __vsyslog_internal() function. This one’s a real rollercoaster, because logging vulnerabilities are always scary, but at a first look, it seems nearly impossible to exploit. The vulnerability relies on a very long program name, which can overflow an internal buffer. No binaries are going to have a name longer than 1024 bytes, so there’s no problem, right?

Let’s talk about argv. That’s the list of arguments that gets passed into the main() function of every Linux binary when it launches. The first string in that list is the binary name — except that’s a convention, and not particularly enforced anywhere. What really happens is that the execve() system call sets that list of strings. The first argument can be anything, making this an attacker-controlled value. And it doesn’t matter what the program is trying to write to the log, because the vulnerability triggers simply by writing the process name to a buffer.

There is a one-liner to test for a vulnerable Glibc:

exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null

and the Qualys write-up indicates that it can be used for an escalation of privilege attack. The good news is this seems to be a local-only attack. And on top of that, a pair of other lesser severity issues were found and fixed in glibc while fixing this one.
Continue reading “This Week In Security: Glibc, Ivanti, Jenkins, And Runc”

Sun On The Run: Diving Into Solar With A Mobile PV System

January 17, 2024 by 36 Comments

For obvious reasons, there has been a lot of interest in small-scale residential solar power systems lately. Even in my neck of the woods, where the sun doesn’t shine much from October to April, solar arrays are sprouting up on rooftops in a lot of local neighborhoods. And it’s not just here in suburbia; drive a little way out into the country or spend some time looking around in Google maps and it won’t take long to spy a sizable array of PV panels sitting in a field next to someone’s ranch house or barn.

Solar has gotten to the point where the expense of an installation is no longer a serious barrier to entry, at least if you’re willing to put in a little sweat equity and not farm the project out to a contractor. Doing it yourself requires some specialized tools and knowledge, though, over and above your standard suite of DIY skills. So, in the spirit of sharing hard-won knowledge, I decided to take the somewhat unusual step of writing up one of my personal projects, which has been in progress for a couple of years now and resulted in a solar power system that isn’t on a rooftop or a ground-mounted array at all, but rather is completely mobile: my solar trailer.

Continue reading “Sun On The Run: Diving Into Solar With A Mobile PV System”

A Web Server, The Sixteen Bit Way

December 25, 2023 by 13 Comments

If you were to talk about sixteen bit computing in retrocomputing circles, misty-eyed reminiscences of the ST or Amiga would emerge. Both fine platforms, but oddly the elephant in the 16-bit room has become a victim of its own success. DOS, the granddaddy of all PC operating systems, seems oddly overshadowed by its 68000-based competitors in a way it certainly wasn’t back in the day. Perhaps it’s the often-atrocious graphics when cards designed for business graphics were pressed into gaming service, but it’s easy to forget that DOS PCs were the powerhouses of their day. They still pack a punch even in 2023, as [Lunduke] is here to show us by running a DOS web server. Take that, nginx! Continue reading “A Web Server, The Sixteen Bit Way”

This Week In Security: Browser Exploits, Play Protect, And Turn ON Your Firewall!

October 20, 2023 by 5 Comments

Google Chrome has done a lot of work on JavaScript performance, pushing the V8 engine to more and more impressive feats. Recently, that optimization has one more piece, the Maglev compiler, which sits between Sparkplug and TurboFan, as a mid-tier optimization step. With a Just In Time (JIT) system, the time saving of code optimization steps has to be carefully weighed against the time costs, and Maglev is another tool in that endless hunt for speed. And with anything this complicated, there’s the occasional flaw found in the system. And of course, because we’re talking about it here, it’s a security vulnerability that results in Remote Code Execution (RCE).

The trick is to use Maglev’s optimization against it. Set up a pair of classes, such that B extends A. Calling new B() results in an attempt to use the constructor from A. Which works, because the compiler checks to make sure that the constructors match before doing so. There’s another way to call a constructor in JS, something like Reflect.construct(B, [], Array);. This calls the B constructor, but indicates that the constructor should return an Array object. You may notice, there’s no array in the A class below. Tricking the compiler into using the parent class constructor in this fashion results in the array being uninitialized, and whatever happens to be in memory will set the length of the array. Continue reading “This Week In Security: Browser Exploits, Play Protect, And Turn ON Your Firewall!”

Meshtastic And Owntracks To Kick Your Google Habit

October 11, 2023 by 20 Comments

I have an admission to make. I have a Google addiction. Not the normal addiction — I have a problem with Google Maps, and the timeline feature. I know, I’m giving my location data to Google, who does who-knows-what-all with it. But it’s convenient to have an easy way to share location with my wife, and very useful to track my business related travel for each month. What we could really use is a self-hosted, open source system to track locations and display location history. And for bonus points, let’s include some extra features, like the ability to track vehicles, kids, and pets that aren’t carrying a dedicated Internet connection.

You can read the title — you know where we’re going with this. We’re setting up an Owntracks service, and then tying it to Meshtastic for off-Internet usability. The backbone that makes this work is MQTT, a network message bus that has really found its niche in the Home Assistant project among others. It’s a simple protocol, where clients send brief messages labeled by topic, and can also subscribe to specific topics. For this little endeavor we’ll use the Mosquito MQTT broker.

One of the nice things about MQTT is that the messages are all text strings, and often take the form of JSON. When trying to get two applications to talking using a shared MQTT server, there may need to be a bit of translation. One application may label a field latitude, and the other shortens it to lat. The glue code to put these together is often known as an MQTT translator, or sometimes an MQTT bridge. This is a program that listens to a given topic, ingests each message, and sends it back to the MQTT server in a different format and topic name.

The last piece is Owntracks, which has a recorder project, which pulls locations from the MQTT server, and stores it locally. Then there’s Owntracks Frontend, which is a much nicer user interface, with some nice features like viewing movement a day at a time. Continue reading “Meshtastic And Owntracks To Kick Your Google Habit”