This Week In Security: Ghostscript In ImageMagick, Solarwinds, And DHCP Shenanigans

A PoC was just published for a potentially serious flaw in the Ghostscript interpreter. Ghostscript can load PostScript, PDF, and SVG, and it has a feature from PostScript that has been a continual security issue: the %pipe% command. This command requests that the interpreter spawn a new process — it’s RCE as part of the spec. This is obviously a problem for untrusted images and documents, and Ghostscript has fixed security vulnerabilities around this mis-feature several times over the years.

This particular vulnerability was discovered by [Emil Lerner], and described at ZeroNights X. That talk is available, but in Russian. The issue seems to be a bypass of sorts, where the pipe command appears to be working in the /tmp/ directory, but a simple semicolon allows for an arbitrary command to be executed. Now why is this a big deal? Because ImageMagick uses Ghostscript to open SVG images by default on some distributions, and ImageMagick is often used for automatically resizing and converting images for web sites. In [Emil]’s presentation, he uses this flaw as part of an attack chain against three different companies.

I was unable to reproduce the flaw on my Fedora install, but I haven’t found any notice of it being fixed in the Ghostscript or ImageMagick changelogs either. It’s unclear if this problem has already been fixed, or if this is a true 0-day for some platforms. Either way, expect attackers to start trying to make use of it.

An acousto-optic tunable filter and laser

Acousto-Optic Filter Uses Sound To Bend Light

We all know that light and sound are wave phenomena, but of very different kinds. Light is electromagnetic in nature, while sound is mechanical. Light can travel through a vacuum, while sound needs some sort of medium to transmit it. So it would seem that it might be difficult to use sound to modify light, but with the right equipment, it’s actually pretty easy.

Easy, perhaps, if you’re used to slinging lasers around and terms like “acousto-optic tunable filter” fall trippingly from your tongue, as is the case for [Les Wright]. An AOTF is a device that takes a radio frequency input and applies it to a piezoelectric transducer that’s bonded to a crystal of tellurium oxide. The RF signal excites the transducer, which vibrates the TeO2 crystal and sets up a standing wave within it. The alternating bands of compressed and expanded material within the crystal act like a diffraction grating. Change the excitation frequency, and the filter’s frequency changes too.

To explore the way sound can bend light, [Les] picked up a commercial AOTF from the surplus market. Sadly, it didn’t come with the RF driver, but no matter — a few quick eBay purchases put the needed RF generator and power amplifier on his bench. The modules went into an enclosure to make the driver more of an instrument and less of a one-off, with a nice multi-turn pot and vernier knob for precise filter adjustment. It’s really kind of cool to watch the output beam change colors at the twist of a knob, and cooler still to realize how it all works.

We’ve been seeing a lot of [Les]’ optics projects lately, from homemade TEA lasers to blasting the Bayer filter off a digital camera, each as impressive as the last!

Putting Thousands Of Minecraft Players On The Same Server

Multi-threading was the common go-to technique for extracting more performance from a machine for several years. These days it’s all about horizontal scaling or adding more virtual machines to a pool of workers. The Minecraft server is still stuck in the past in some ways as it supports neither multi-threading nor horizontal scaling. [Jackson Roberts] decided to change all that by hacking Minecraft to support thousands of players rather than dozens.

Since the server is single-threaded, having more than 100 players on a single server can slow it to a crawl. Some mods try to optimize and speed up the existing server, but [Jackson] wanted more. An early proof of concept was to slice the world into separate servers, each holding 64×64 chunks (a chunk is what Minecraft defines as a 16×256×16 volume of the world). When crossing a boundary, entities such as players and zombies were transferred from one server to another. While workable, the demo had issues such as parts of the world being inaccessible if a server went down. The boundaries were also jarring, as you had to reconnect and couldn’t see players outside your server.

Instead of splitting the world, [Jackson] took the approach to split the players and have some backing store for persisting and broadcasting changes. A proxy sits in front of several Minecraft servers, which each have a connection to a WorldQL server (a spatial database based on Postgres). Each server reports the player’s location to the WorldQL server and receives updates for their loaded locations. When a server comes online, it catches up with the changes stored in WorldQL and starts syncing, allowing servers to auto-scale. There are still a few core game mechanics that aren’t quite ready for prime-time such as NPCs and Redstone, but the progress so far is remarkable.

The code for the Minecraft plugin is up on GitHub, but more is coming in the future. So if you’re interested in something a little more vanilla, why not marvel at the completely playable Pokemon Red inside vanilla Minecraft?

CAD design for a vinyl record cutter.

VinyGo Stereo Vinyl Recorder Will Put You In The Groove

A long time ago, there were these vinyl recording booths. You could go in there and cut a 45 RPM record as easily as getting a strip of four pictures of yourself in the next booth along the boardwalk. With their 2021 Hackaday Prize entry called VinyGo, [mras2an] seeks to reinvigorate this concept for private use by musicians, artists, or anyone else who has always wanted to cut their own vinyl.

VinyGo is for people looking to make a few dozen copies or fewer. Apparently there’s a polymer shortage right now on top of everything else, and smaller clients are getting the shaft from record-pressing companies. This way, people can cut their own records for about $4 a unit on top of the cost of building VinyGo, which is meant to be both affordable and accessible.

You probably know how a record player works, but how about a record cutter? As [mras2an] explains over on IO, music coming through a pair of speakers vibrates a diamond cutting head, which cuts a groove in the vinyl that’s an exact representation of the music. Once it’s been cut, a regular stylus picks up the groove and plays back the vibrations. Check it out after the break.

[mras2an] plans to enter VinyGo into the Hackaday Prize during the Wildcard round, where anything goes. Does your project defy categorization? Or are you just running a little behind? The Wildcard round runs from Monday, September 27th to Wednesday, October 27th and is your last chance to enter this year’s Prize.

Not your kind of vinyl cutter? We’ve got those, too.

Buoyant Aero MK4 keeps station in a tail wind

Aerodynamic Buoyant Blimp Budges Into Low Cost Cargo Commerce

Before the Wright Brothers powered their way across the sands of Kitty Hawk or Otto Lilienthal soared from the hills of Germany, enveloping hot air in a balloon was the only way to fly. Concepts were refined as time went by, and culminated in the grand Zeppelins of the 1930s. However, since the tragic end of the Zeppelin era, lighter-than-air aircraft have often been viewed as a novelty in the aviation world.

Several companies have come forward in the last decade, pitching enormous lighter-than-air machines for hauling large amounts of cargo at reduced cost. These behemoths rely on a mixture of natural buoyancy and lifting-body designs and are intended to augment ferries and short-haul commercial aviation routes.

It was in this landscape that Buoyant Aero founders [Ben] and [Joe] saw an underserved niche that they believe they can thrive in: transporting 300-600 lbs between warehouses or airports. They aim to increase the safety, cargo capacity, and range of traditional quadcopter concepts, and halve the operating costs of a typical Cessna 182. They hope to help people such as those in rural areas of Alaska, where high transportation costs double the grocery bill.

Like larger designs, Buoyant Aero’s hybrid airship relies on aerodynamic lift to supply one third of the needed lift. Such an arrangement eliminates the need for ballast when empty while retaining the handling and navigation characteristics needed for autonomous flight. The smaller-scale prototype’s outstanding ability to maneuver sharply and hold station in a tailwind is displayed in the video below the break. You can also learn more about their project on their Hacker News launch. We look forward to seeing the larger prototypes as they are released!

Perhaps this project will inspire your own miniature airship, in which case you may want to check out the Blimpduino for some low buck ideas. We recently covered some other Hybrid Airships that are trying to scale things even further. And if you have your own blimpy ideas you’d like to pass along, please let us know via the Tip Line!

A musical cyberdeck

Musical Cyberdeck Is Part Synth, Part MIDI Controller, And All Cool

When a new project type starts to get a lot of exposure, it’s typically not long before we see people forking the basic concept and striking out in a new direction. It happened with POV displays, it happened with Nixie clocks, and now, it seems to be happening with cyberdecks. And that’s something we can get behind, especially with cyberdecks built to suit a specialized task, like this musical cyberdeck/synth.

Like many musicians, [Benjamin Caccia] felt like he needed a tool to help while performing with his band “Big Time Kill.” He mainly needed to trigger track playbacks on the fly, but also wanted something to act as a mega-effects pedal and standalone synth. And while most of that could be done with an iPad, it wouldn’t look as cool as a cyberdeck. The build centers around a Raspberry Pi 4 and a 7″ LCD display. Those sit on top of a 25-key USB MIDI keyboard and a small mixer. Alongside the keyboard is a USB keypad, which has custom mappings to allow fast access to buried menu functions in the cyberdeck’s Patchbox OS. Everything was tied together on a 3D-printed frame; the video below shows it in action, and that it sounds as good as it looks.

We think [Benjamin]’s cyberdeck came out great. Need to see some other specialized cyberdecks? Why not take a look at this battle-ready cyberdeck, one that aims to be distraction-free, or a cyberdeck for patrolling the radioactive wastelands.

Drill press modded with a treadmill motor, speed controller, lights, and a tachometer.

Drill Press Runs Faster On A Treadmill Motor

Are you tired of the same old video style from your favorite content creators? We can’t say that we were, exactly. But nevertheless, we appreciate this creative departure from [Eric Strebel]’s regular fare as he soups up his drill press with an old treadmill motor and a few extra features.

First off, the commenter in the video is right — 2.6 horsepower is a crazy amount for a drill press. Fortunately, [Eric] also added a variable speed controller and a digital tachometer to keep things in check. As an added bonus, he no longer has to get under the hood and mess with the belts.

We like what [Eric] brings to the drill press motor mod, which is already well-documented on YouTube. We love the re-use of an office chair bracket as a new motor mount. It’s probably our favorite bit aside from the 2-color forward/reverse switch plate idea: print it in whatever letter color you want with proud lettering, paint the whole thing black, and sand off the letters so the color shows. Check it out after the break.

There are many ways to make your own drill press, and one of the easiest is to mount a hand drill.

Did you miss the Industrial Design Hack Chat with [Eric]? It’s okay, you can read the transcript over on IO.