Hackaday Podcast 205: Hackaday Berlin, So Many Sundials, And Ovens Pinging Google

Editor-in-Chief Elliot Williams and Managing Editor Tom Nardi start this week’s episode off with the announcement of Hackaday Berlin on March 25th. It’s been quite some time since we’ve been on the other side of the pond, because we had to cancel 2020’s Hackaday Belgrade due to COVID-19, so excitement is high for all three days of this “one-day” event.

After a new What’s that Sound, discussion moves on to an impressive collection of DIY sundials, the impact filament color has on the strength of 3D printed parts, the incredible retrocomputer replicas of Michael Gardi, and the Arduino FPGA that you’ve probably never heard of. We’ll wrap things up with the unexpected difficulties of mixing multiple cheap audio sources in Linux, and try to figure out why our kitchen appliances need to be connected to the Internet.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download all the bits!

Continue reading “Hackaday Podcast 205: Hackaday Berlin, So Many Sundials, And Ovens Pinging Google”

Bicopter Phone Case Might Be Hard To Pocket, But Delivers Autonomous Selfies

Remember that “PhoneDrone” scam from a while back? With two tiny motors and props that could barely lift a microdrone, it was pretty clearly a fake, but that doesn’t mean it wasn’t a pretty good idea. Good enough, in fact, that [Nick Rehm] came up with his own version of the flying phone case, which actually works pretty well.

In the debunking collaboration between [Mark Rober], [Peter Sripol], and the indispensable [Captain Disillusion], you’ll no doubt recall that after showing that the original video was just a CGI scam, they went on to build exactly what the video purported to do. But alas, the flying phone they came up with was manually controlled. While cool enough, [Nick Rehm], creator of dRehmFlight, can’t see such a thing without wanting to make it autonomous.

To that end, [Nick] came up with the DroneCase — a bicopter design that allows the phone to hang vertically. The two rotors are on a common axis and can swivel back and forth under control of two separate micro-servos; the combination of tilt rotors and differential thrust gives the craft full aerodynamic control. A modified version of dRehmFlight runs on a Teensy, while an IMU, a lidar module, and a PX4 optical flow sensor round out the sensor suite. The lidar and flow sensor both point down; the lidar is used to sense altitude, while the flow sensor, which is basically just the guts from an optical mouse, watches for translation in the X- and Y-axes.

After a substantial amount of tuning and tweaking, the DroneCase was ready for field tests. Check out the video below for the results. It’s actually quite stable, at least as long as the batteries last. It may not be as flexible as a legit drone, but then again it probably costs a lot less, and does the one thing it does quite well without any inputs from the user. Seems like a solid win to us.

Continue reading “Bicopter Phone Case Might Be Hard To Pocket, But Delivers Autonomous Selfies”

This Week In Security: ImageMagick, VBulletin, And Dota 2

There are a few binaries that wind up running in a bunch of places, silently doing their jobs, and being easily forgotten about. ImageMagick is used on many servers for image conversion and resizing, and tends to run automatically on uploaded images. Easily forgotten, runs automatically, and with arbitrary inputs. Yep, perfect target for vulnerability hunting. And the good folks at Metabase found two of them.

First up is CVE-2022-44267, a Denial of Service, when ImageMagick tries to process a rigged PNG that contains a textual chunk. This data type is usually used for metadata, and can include a profile entry for something like EXIF data. If this tag is specified inside a text chunk, ImageMagick looks to the given value as a filename for finding that profile data. And notably, if that value is a dash -, it tries to read from standard input. If the server’s image processing flow doesn’t account for that quirk, and virtually none of them likely do, this means the ImageMagick process hangs forever, waiting for the end of input. So while that’s not usually a critical problem, it could be used for a resource exhaustion attack.

But the real problem is CVE-2022-44268. It’s the same trick, but instead of using - to indicate standard input, the processed image refers to a file on the server filesystem. If the file exists, and can be read, the contents are included in the image output. If the attacker has access to the image, it’s a slick data leak — and obviously a real security problem. If a server doesn’t have tight file permissions and isolation, there’s plenty of sensitive information to be found and abused.

The fix landed back in October 2022, and was part of the 7.1.0-52 release. There’s a bit of uncertainty about which versions are vulnerable, but I wouldn’t trust anything older than that version. It’s a pretty straightforward flaw to understand and exploit, so there’s a decent chance somebody figured it out before now. The file exfiltration attack is the one to watch out for. It looks like there’s an Indicator of Compromise (IoC) for those output PNGs: “Raw profile type”. Continue reading “This Week In Security: ImageMagick, VBulletin, And Dota 2”
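As an added example, not code from the write-up or from the ImageMagick project: a small Python scanner that walks PNG chunks and flags the two things a defender can look for here, an uploaded PNG whose text-chunk keyword is `profile` (the trigger described above, with `-` or a path as its value) and a processed output PNG carrying the “Raw profile type” IoC. The `build_sample` helper and its 1×1 images are constructed test inputs, not real attack files.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}  # all begin with keyword, NUL, ...


def iter_chunks(data):
    """Yield (type, payload) for every chunk, verifying the signature and CRCs."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("bad CRC on %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def scan_png(data):
    """Return (finding, detail) pairs: 'profile-keyword' for an input image that
    asks ImageMagick to load a profile from a path (or '-' for stdin), and
    'raw-profile-output' for a processed image carrying the IoC keyword."""
    findings = []
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        key, _, rest = payload.partition(b"\x00")
        key = key.decode("latin-1")
        if key.lower() == "profile":
            # For tEXt the rest is the raw filename; zTXt/iTXt would need decoding.
            findings.append(("profile-keyword", rest[:64].decode("latin-1", "replace")))
        elif key.startswith("Raw profile type"):
            findings.append(("raw-profile-output", key))
    return findings


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample(text_chunks):
    """Constructed 1x1 grayscale PNG carrying the given (keyword, value) tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    text = b"".join(_chunk(b"tEXt", k + b"\x00" + v) for k, v in text_chunks)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + text + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

Run `scan_png` over uploads before they reach ImageMagick and over ImageMagick's output before it is served; an empty list means neither indicator was present.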

Modernizing C Arrays For Greater Memory Safety

Lately, there has been a push for people to stop using programming languages that don’t promote memory safety. But as we still haven’t seen the death of some languages that were born in the early 1960s, we don’t think there will be much success in replacing the tremendous amount of software that uses said “unsafe” languages.

That doesn’t mean it’s a hopeless cause, though. [Kees Cook] recently posted how modern C99 compilers offer features to help create safer arrays, and he outlines how you can take advantage of these features. Turns out, it is generally easy to do, and if you get errors, they probably point out unexpected behavior in your original code, so that’s a plus.

We don’t think there’s anything wrong with C and C++ if you use them as you should. Electrical outlets are useful until you stick a fork in one. So don’t stick a fork in one. We really liked the recent headline we saw from [Sarah Butcher]: “If you can’t write safe C++ code, it’s because you can’t write C++.” [Cook’s] post makes a similar argument. C has advanced quite a bit and the fact that 30-year-old code doesn’t use these new features isn’t a good excuse to give up on C.

Continue reading “Modernizing C Arrays For Greater Memory Safety”

Homebrew Ball Drop Machine Rings In The New Year

The New Year’s Ball Drop in New York City stems from an old English naval tradition. These days, it’s more of a celebratory thing, and [Jon Gonzalez] wanted to bring a bit of that joy to his own celebrations. Thus enters the Ball-Drop-O-Matic 3000.

The ball itself consists of two 3D printed halves assembled together with a linear bearing in the middle. It’s loaded up with a ton of addressable LEDs to give it plenty of flash, pomp, and circumstance as it rides down the flagpole. Animations are coded into the K-1000C display controller using LEDEdit2014, an older piece of software which can turn Flash animations into commands to run WS2812B LED strips.

Lowering the ball is handled by a motorized winch. The winch is mounted at the base of the flagpole for aesthetic reasons, with the cable travelling up to the top of the pole, over a pulley, and back down to the ball. The descent speed is set to count down the last minute of the year, with numbers animated on the ball itself.

The build was clearly a great addition to [Jon’s] New Year’s celebrations, even if it wasn’t quite finished until 9:35 PM on the big night. We’ve seen other fun ball drop builds before, too.

Continue reading “Homebrew Ball Drop Machine Rings In The New Year”

Domino Ring Machine Tips Tiles In A Never-ending Wave

Like to see dominoes fall? [JK Brickworks] has got what you need, in the form of a never-ending ring of falling and resetting tiles. LEGO pieces are the star in this assembly, which uses a circular track and moving ramp to reset tiles after they have fallen. Timed just right, it’s like watching a kinetic sculpture harmoniously generating a soliton wave as tiles fall only to be endlessly reset in time to fall again.

A Mindstorms IR sensor monitors a tile’s state for timing.

It’s true that these chunky tiles aren’t actually dominoes — not only are they made from LEGO pieces and hinged to their bases, they have a small peg to assist with the reset mechanism. [JK Brickworks] acknowledges that this does stretch the definition of “dominos”, but if you’re willing to look past that, it’s sure fun to see the whole assembly in action.

The central hub in particular is a thing of beauty. For speed control, an IR sensor monitors a single domino’s up/down state and a LEGO Mindstorms EV3 with two large motors takes care of automation.

The video does a great job of showing the whole design process, especially the refinements and tweaks that demonstrate the truly fun part of prototyping. [JK Brickworks] suggests turning on subtitles for some added details and technical commentary, but if you’re in a hurry, skip directly to 4:55 to see it in action.

Want to see more automated domino action? This domino-laying robot sets them up for you to knock down at your leisure, and this entirely different robot lays out big (and we do mean BIG) domino art displays.

Continue reading “Domino Ring Machine Tips Tiles In A Never-ending Wave”

Getty Images Is Suing An AI Image Generator For Using Its Images

As per the Getty Images legal complaint, the Stable Diffusion AI seems to reproduce gooey versions of the Getty Images watermark in some of its output. Credit: Getty Images

Many AI systems require huge training datasets in order to achieve their impressive feats. This applies whether or not you’re talking about an AI that works with images, natural language, or just about anything else. AI developers are starting to come under scrutiny for where they’re sourcing their datasets. Unsurprisingly, stock photo site Getty Images is at the forefront of this, and is now suing the creators of Stable Diffusion over the matter, as reported by The Verge.

Stability AI, the company behind Stable Diffusion, is the target of the lawsuit for one good reason: there’s compelling evidence the company used Getty Images content without permission. The Stable Diffusion AI has been seen to generate output images that actually include blurry approximations of the Getty Images watermark. This is somewhat of a smoking gun to suggest that Stability AI may have scraped Getty Images content for use as training material.

The copyright implications are unclear, but using any imagery from a stock photo database without permission is always asking for trouble. Various arguments will likely play out in court. Stability AI may make claims that their activity falls under fair use guidelines, while Getty Images may claim that the appearance of perverted versions of their watermark may break trademark rules. The lawsuit could have serious implications for AI image generators worldwide, and is sure to be watched closely by the nascent AI industry. As with any legal matter, just don’t expect a quick answer from the courts.

[Thanks to Dan for the tip!]