A Touchless Handwashing Timer Comes In Handy

In 2020, it’s no longer enough to simply wash your hands. You’ve got to do it right. Proper process involves rubbing soap and water over every surface of your hands, and taking a full 20 seconds to do the job. While many recommend singing various popular songs to keep time, that can be more than a little embarrassing in shared spaces. [Alex Glow] instead created this simple timer to help out.

The timer is built on the Adafruit Circuit Playground Express, a devboard that features 10 RGB LEDs already onboard, making the project a cinch. It also comes with a MEMS microphone and a light sensor all ready to go. Thus, with a bit of code, [Alex] was able to create a timer activated by a loud noise, such as clapping. Once detected, the timer starts, flashing its LEDs to indicate time remaining. There’s also a nightlight feature, which activates when light levels decrease, making it easier to navigate the bathroom in the dark.

It’s a useful little project for these troubled times, and one that makes great use of everything onboard the Circuit Playground Express. Having everything included certainly does make projects come together quickly. You can even program it from your phone! Video after the break.

LED Heart Beats With The Beholder

Many a maker likes to use their craft to create gifts for loved ones. [Jiří Praus] was celebrating having been married for 5 years, and crafted this beautiful LED heart sculpture to commemorate the occasion.

The outer shell was created by first starting with a 3D printed heart shape. This was used as a form upon which the brass wire could be soldered together to form an attractive heart-shaped cage. Inside, an Arduino Nano is hooked up to a series of WS2812b LEDs. The LEDs are flashed in time with the heartbeat of the person holding the heart, thanks to a MAX30102 heartbeat sensor. There’s also a TP4056 charge module and a small lithium battery to provide power for the device.

Adding the heartbeat sensor really makes this project shine, forming a connection between the holder and the device itself. The tasteful craftsmanship of the brass design makes this an excellent gift, one we’re sure anyone would like to receive. We’ve seen [Jiří Praus] make the most of this artform before too, with projects like this stunning tulip or dead-bug Arduino. Video after the break.

Charging Pad Flips For Solar Power

Charging pads are now a common, popular way to charge small devices. They have the benefit of reducing wear on connectors and being easier to use. [bcschmi6] decided to build a solar powered charging pad, which should come in handy when out and about.

The build uses a 3 W square solar panel, hooked up to an Adafruit solar charging board. This charges a pair of 18650 lithium batteries. The batteries only put out a maximum of 4.2 V, so they’re hooked up to a boost converter to get the output a little higher, up to 5.2 V. The output of the boost converter is then hooked up to a charging pad harvested from an Anker charger, and it’s all wrapped up in a tidy 3D printed frame.

We imagine the device would be great for camping. It could be left charging in the sun during the day, before being flipped over and used as a charging pad at night. It would be easy to build a bigger version for charging several phones at once, too. If you want to build your own charging coils, that’s a thing, too. And if you’ve got your own solar project cooking up as we head into summer, be sure to let us know!

Cellular Tracking Used During COVID-19 Pandemic

As most in the technology community know, nation states have a suite of powerful tools that can be used to trace and monitor mobile phones. By and large, this comes up in discussions of privacy and legislation now and then, before fading out of the public eye once more. In the face of a global pandemic, however, governments are now using these tools in the way many have long feared – for social control. Here’s what’s happening on the ground.

The Current Situation

With COVID-19 sweeping the globe, its high level of contagiousness and rate of hospitalizations has left authorities scrambling to contain the spread. Unprecedented lockdowns have been put in place in an attempt to flatten the curve of new cases to give medical systems the capacity to respond. A key part of this effort is making sure that confirmed cases respect quarantine rules, and isolate themselves to avoid spreading the disease. Rules have also been put in place in several countries where all overseas arrivals must quarantine, regardless of symptoms or status.

Hackaday Podcast 061: Runaway Soldering Irons, Open Source Ventilators, 3D Printed Solder Stencils, And Radar Motion

Hackaday editors Mike Szczys and Elliot Williams sort through the hardware hacking gems of the week. There was a kerfuffle about whether a ventilator data dump from Medtronic was open source or not, and cool hacks from machine-learning soldering iron controllers to 3D-printing your own solder paste stencils. A motion light teardown shows it’s not being done with passive-infrared, we ask what’s the deal with Tim Berners-Lee’s decentralized internet, and we geek out about keyboards that aren’t QWERTY.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

Minimalist Magnetic Minute Minder Mesmerizes

Timepieces are cool no matter how simplistic or granular they are. Sometimes it’s nice not to know exactly what time it is down to the second, and most of the really beautiful clocks are simple as can be. If you didn’t know this was a clock, it would still be fascinating to watch the bearings race around the face.

This clock takes design cues from the Story clock, a visual revolution in counting down time which uses magnetic levitation to move a single bearing around the face exactly once over a duration of any length as set by the user. As a clock, it’s not very useful, so there’s a digital readout that still doesn’t justify the $800 price tag.

[tomatoskins] designed a DIY version that’s far more elegant. It has two ball bearings that move around the surface against hidden magnets — an hour ball and a minute ball. Inside there’s a pair of 3D-printed ring gears that are each driven by a stepper motor and controlled with an Arduino Nano and a real-time clock module. The body is made of plywood reclaimed from a bed frame, and [tomatoskins] added a walnut veneer for timeless class.

In addition to the code, STLs, and CAD files that birthed the STLs, [tomatoskins] has a juicy 3D-printing tip to offer. The gears had to be printed in interlocked pieces, but these seams can be sealed with a solution of acetone and plastic from supports and failed prints.

If you dig minimalism but think this clock is a bit too vague to read, here’s a huge digital clock made from small analog clocks.

This Week In Security: OpenWrt, ZOOM, And Systemd

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, make for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: A list of packages, which contains a SHA256 of each package, and then a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages.


It’s a valid approach, but there was a bug, discovered by [Guido Vranken], in how opkg reads the hash values from the package list. A leading space in front of the hash value triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank. Rather than fail the install, the hash verification is simply skipped. The result? Opkg is vulnerable to a rather simple man-in-the-middle attack.
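The failure mode described above, as an added example that is not opkg's own code: a constructed parser that returns an empty hash when the field starts with a space, a check that skips verification on an empty hash, and a fail-closed version beside it. The function names and the sample digest values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 32
/* Constructed package-list value: note the space in front of the hex digits. */
static const char LISTED[] =
    " e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

static int hexval(unsigned char c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Decode hex pairs starting at s; returns the number of bytes written. */
static size_t decode(const unsigned char *s, unsigned char *out) {
    size_t n = 0;
    for (; n < DIGEST_LEN && isxdigit(s[0]) && isxdigit(s[1]); s += 2)
        out[n++] = (unsigned char)(hexval(s[0]) * 16 + hexval(s[1]));
    return n;
}
/* Flawed: whitespace is skipped on src, but decoding starts at s (the space). */
size_t parse_flawed(const char *src, unsigned char *out) {
    const unsigned char *s = (const unsigned char *)src;
    while (isspace((unsigned char)*src)) src++;     /* advances src, not s */
    if (strlen(src) > 2 * DIGEST_LEN) return 0;
    return decode(s, out);                          /* 0 bytes: "blank" hash */
}
/* Strict: decode from the advanced pointer; exactly 64 hex digits or nothing. */
size_t parse_strict(const char *src, unsigned char *out) {
    const unsigned char *s = (const unsigned char *)src;
    while (isspace(*s)) s++;
    size_t n = decode(s, out);
    return (n == DIGEST_LEN && s[2 * DIGEST_LEN] == '\0') ? n : 0;
}
/* Fail-open: an empty expected hash is treated as "nothing to verify". */
int verify_fail_open(const char *field, const unsigned char *actual) {
    unsigned char want[DIGEST_LEN];
    size_t n = parse_flawed(field, want);
    return n == 0 || (n == DIGEST_LEN && memcmp(want, actual, n) == 0);
}
/* Fail-closed: no usable expected hash means the package is rejected. */
int verify_fail_closed(const char *field, const unsigned char *actual) {
    unsigned char want[DIGEST_LEN];
    return parse_strict(field, want) == DIGEST_LEN && !memcmp(want, actual, DIGEST_LEN);
}
int main(void) {
    unsigned char swapped[DIGEST_LEN];
    memset(swapped, 0xAA, sizeof swapped);  /* constructed digest of a replaced file */
    printf("fail-open accepts: %d  fail-closed accepts: %d\n",
           verify_fail_open(LISTED, swapped), verify_fail_closed(LISTED, swapped));
    return 0;
}
```

The point for anyone reviewing similar code is the `n == 0 ||` branch: a verifier should treat a missing or malformed expected hash as a failure, never as permission to skip the check.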

OpenWrt doesn’t do any automatic installs or automatic updates, so this vulnerability will likely not be widely abused, but it could be used for a targeted attack. An attacker would need to be in a position to MitM the router’s internet connection while software was being installed. Regardless, make sure you’re running the latest OpenWrt release to mitigate this issue. Via Ars Technica.

Wireguard V1.0

With Linux Kernel version 5.6 finally released, Wireguard has been christened as a stable release. As an interesting aside, Google has enabled Wireguard in their Generic Kernel Image (GKI), which may signal more official support for Wireguard VPNs in Android. I’ve also heard reports that one of the larger Android ROM development communities is looking into better system-level Wireguard support as well.

Javascript in Disguise

Javascript makes the web work — and has been a constant thorn in the side of good security. For just one example, remember Samy, the worm that took over Myspace in ’05. That cross-site scripting (XSS) attack used a series of techniques to embed Javascript code in a user’s profile. Whenever that profile page was viewed, the embedded JS code would run, and then replicate itself on the page of whoever had the misfortune of falling into the trap.

Today we have much better protections against XSS attacks, and something like that could never happen again, right? Here’s the thing: for every mitigation like Content-Security-Policy, there is a guy like [theMiddle] who’s coming up with new ways to break it. In this case, he realized that a less-than-perfect CSP could be defeated by encoding Javascript inside a .png, and decoding it to deliver the payload.

Systemd

Ah, systemd. Nothing seems to bring passionate opinions out of the woodwork like a story about it. In this case, it’s a vulnerability found by [Tavis Ormandy] from Google Project Zero. The bug is a race condition, where a cached data structure can be used after it’s already been freed. It’s interesting, because this vulnerability is accessible using DBus, and could potentially be used to get root-level access. It was fixed with systemd v220.

Mac Firmware

For those of you running MacOS on Apple hardware, you might want to check your firmware version. Not because there’s a particularly nasty vulnerability in there, but because firmware updates fail silently during OS updates. What’s worse, Apple isn’t publishing release notes, or even acknowledging the most recent firmware version. A crowd-sourced list of the latest firmware versions is available, and you can try to convince your machine to try again, and hope the firmware update works this time.

Anti-Rubber-Ducky

Google recently announced a new security tool, USB Keystroke Injection Protection. I assume the nickname, UKIP, isn’t an intentional reference to British politics. Regardless, this project is intended to help protect against the infamous USB Rubber Ducky attack, by trying to differentiate a real user’s typing cadence, as opposed to a malicious device that types implausibly quickly.

While the project is interesting, there are already examples of how to defeat it that amount to simply running the scripts with slight pauses between keystrokes. Time will tell if UKIP turns into a useful mitigation tool. (Get it?)
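A cadence heuristic of the kind described above, as an added example that is not UKIP's code: it flags a run of keystrokes whose gaps are too short for a person to type. The threshold, the run length, the function name and the timestamp samples are all assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed tuning values for this sketch (not taken from UKIP). */
#define FAST_GAP_MS 30   /* gaps shorter than this are implausible for a human */
#define BURST_LEN   5    /* this many fast gaps in a row raises the flag */

/* Constructed key-down timestamps in milliseconds. */
static const unsigned long HUMAN[]  = {0, 140, 310, 420, 610, 790, 900, 1100};
static const unsigned long DEVICE[] = {0, 2, 4, 6, 8, 10, 12, 14};

/* Returns the index of the keystroke at which a burst is detected, or -1.
 * ts_ms must hold monotonically increasing timestamps. */
long first_injection_index(const unsigned long *ts_ms, size_t count) {
    size_t run = 0;
    for (size_t i = 1; i < count; i++) {
        unsigned long gap = ts_ms[i] - ts_ms[i - 1];
        run = (gap < FAST_GAP_MS) ? run + 1 : 0;  /* one slow key resets the run */
        if (run >= BURST_LEN)
            return (long)i;
    }
    return -1;
}

int main(void) {
    printf("human:  %ld\n", first_injection_index(HUMAN, 8));
    printf("device: %ld\n", first_injection_index(DEVICE, 8));
    return 0;
}
```

Because the decision rests on timing alone, it carries the limitation the article notes, so a check like this is best treated as one signal alongside device allow-listing rather than a standalone control.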

SMBGhost

Remember SMBGhost, the new wormable SMB flaw? Well, there is already a detailed explanation and PoC. This particular PoC is a local-only privilege escalation, but a remote code execution attack is likely inevitable, so go make sure you’re patched!