Latest FlexLED Milestone Refines The POV Display

With his FlexLED project, [Carl Bugeja] is trying to perfect a simple and affordable persistence of vision (POV) display capable of generating “holographic” characters in mid-air. Traditionally POV systems spin LEDs rapidly to create the desired illusion, but that means motors, slip rings, and noise. As the name implies, the goal with this project is to do away with all that and replace it with a self-actuating flexible PCB.

The device is able to quickly move the LEDs back and forth quietly and efficiently thanks to a permanent magnet and magnetic coils integrated into the flexible PCB. With no motors or gears, the whole unit is smaller and less complex than other POV displays. As an added bonus, there’s no danger to the operator or the device should a curious user stick their finger into it.

The last time we took a look at this project, [Carl] had entered an earlier single-LED version into the 2019 Hackaday Prize. Competition was tough last year, and unfortunately FlexLED didn’t get selected as a Finalist. But we’re still extremely interested in seeing the project develop, and we imagine so are you.

The recently completed second version of the display features an improved coil design, eight RGB LEDs and a 3D printed base with integrated magnet. With more LEDs onboard, a single display is able to show multiple characters and even rudimentary animations. A large array of these flapping elements promises to be quite a sight.

But before you get too excited, [Carl] does have some bad news. For one, the cost of building them in small quantities is high, which is always tough for a single hacker trying to iterate a design. Worse, some of the LEDs seem to have died on this prototype already. He says it likely has something to do with the stress of flexing back and forth so quickly, which is obviously a bit troubling. He’s looking to get some feedback from the community, and is hoping to address these issues in the next version.

For an interesting look into his flexible PCB actuator projects, check out the interview [Carl] did with us at the 2018 Hackaday Superconference.

Building Cameras For The Immersive Future

Thus far, the vast majority of human photographic output has been two-dimensional. 3D displays have come and gone in various forms over the years, but as technology progresses, we’re beginning to see more and more immersive display technologies. Of course, to use these displays requires content, and capturing that content in three dimensions requires special tools and techniques. Kim Pimmel came down to Hackaday Superconference to give us a talk on the current state of the art in advanced AR and VR camera technologies.

[Kim]’s interest in light painting techniques explored volumetric as well as 2D concepts.
Kim has plenty of experience with advanced displays, with an impressive resume in the field. Having worked on Microsoft’s HoloLens, he now leads Adobe’s Aero project, an AR app aimed at creatives. Kim’s journey began at a young age, first experimenting with his family’s Yashica 35mm camera, where he discovered a love for capturing images. Over the years, he experimented with a wide variety of gear, receiving a Canon DSLR from his wife as a gift, and later tinkering with the Stereorealist 35mm 3D camera. The latter led to Kim’s growing obsession with three-dimensional capture techniques.

Through his work in the field of AR and VR displays, Kim became familiar with the combination of the Ricoh Theta S 360 degree camera and the Oculus Rift headset. This allowed users to essentially sit inside a photo sphere, and see the image around them in three dimensions. While this was compelling, [Kim] noted that a lot of 360 degree content has issues with framing. There’s no way to guide the observer towards the part of the image you want them to see.

Last Call For Hackaday Belgrade Proposals Grants You A Four-Day Reprieve

We want you to present a talk at Hackaday Belgrade and this is the last call to send us your proposal.

Europe’s biennial conference on hardware creation returns to Serbia on May 9th for an all-day-and-into-the-night extravaganza. Core to this conference is people from the Hackaday community sharing their stories of pushing the boundaries of what’s possible on their electronics workbenches, firmware repos, and manufacturing projects.

Here at Hackaday we live a life of never ending deadlines, but we also understand that this isn’t true for everyone. In that spirit, we’re extending the deadline so that those who count procrastination as a core skill don’t miss their chance to secure a speaking slot at the last minute. You now have until 18:00 GMT (19:00 in Belgrade) next Friday to file your talk proposal.

The conference badge is being built by Voja Antonic, the inventor of Yugoslavia’s first widely-adopted personal computer. We know he has prototype PCBs on hand and plan to share more information on what he has in store for you very soon.

This Week In Security: Chrome Bugs And Non-bugs, Kr00k, And Let’s Encrypt

Google Chrome minted a new release to fix a trio of bugs on Monday, with exploit code already in the wild for one of them. The first two bugs don’t have much information published yet. They are an integer-overflow problem in Unicode internationalization, and a memory access issue in streams. The third issue, type confusion in V8, was also fixed quietly, but a team at Exodus Intel took the time to look at the patches and figure out what the problem was.

The actual vulnerability dives into some exotic JavaScript techniques, but to put it simply, it’s possible to change a data-type without V8 noticing. This allows malicious code to write into the header area of the attacked variable. The stack, now corrupted, can be manipulated to the point of arbitrary code execution. The researchers make the point that even with Google’s fast-paced release schedule, a determined attacker could have several days of virtual zero-day exploitation of a bug mined from code changes. Story via The Register.

The Chrome Problem that Wasn’t

A second Chrome story came across my desk this week: Chrome 80 introduces a new feature, ScrollToTextFragment. This useful new feature allows you to embed a string of text in a URL, and when loading that address, Chrome will scroll the page to make that text visible. For certain use cases, this is an invaluable feature. Need to highlight a specific bit of text in a big document online?

The following bookmarklet code by [Paul Kinlan] is the easy way to start using this feature. Paste this code into the URL of a bookmark, put it on the bookmark bar, highlight some text in a webpage, and then run the bookmarklet. It should open a new tab with the new URL, ready to use or send to someone.

javascript:(function()%7Bconst%20selectedText%20%3D%20getSelection().toString()%3Bconst%20newUrl%20%3D%20new%20URL(location)%3BnewUrl.hash%20%3D%20%60%3A~%3Atext%3D%24%7BencodeURIComponent(selectedText)%7D%60%3Bwindow.open(newUrl)%7D)()

Since we’re talking about it in the security column, there must be more to the story. A privacy guru at Brave, [Peter Snyder], raised concerns about privacy implications of the feature. His argument has been repeated and misrepresented in a few places. What argument was he making? Simply put, that it’s not normal user behavior to immediately scroll to an exact position on the page. Because modern web pages and browsers do things like deferred loading of images, it could be possible to infer where in the page the link was pointing. He gives the example of a corporate network where DNS is monitored. This isn’t suggesting that the entire URL is leaked over DNS, but rather that DNS can indicate when individual components of a page are loaded, particularly when they are embedded images from other sites.

While this concern isn’t nonsensical, it seems to me to be a very weak argument that is being over-hyped in the press.
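An added example, not part of [Paul Kinlan]’s bookmarklet or of Chrome: a small parser that reads the `:~:text=` directive the bookmarklet writes into the fragment, plus a helper that strips it before a link is followed or logged. The prefix/start/end/suffix layout and the sample URLs are assumptions taken from the text-fragment proposal, not from this page.

```javascript
// Added example: parse and strip the ":~:text=" fragment directive.
// Assumed directive shape: text=[prefix-,]start[,end][,-suffix]
const DELIM = ':~:';

// Return every text directive found in a URL, or [] if there is none.
function parseTextDirectives(href) {
  const hash = new URL(href).hash.slice(1);          // drop the leading '#'
  const at = hash.indexOf(DELIM);
  if (at === -1) return [];
  return hash.slice(at + DELIM.length)
    .split('&')
    .filter((d) => d.startsWith('text='))
    .map((d) => {
      const parts = d.slice('text='.length).split(',');
      const out = { prefix: null, start: null, end: null, suffix: null };
      // A leading "xxx-" term is context before the match, a trailing
      // "-xxx" term is context after it; neither is highlighted.
      if (parts.length > 1 && parts[0].endsWith('-')) {
        out.prefix = decodeURIComponent(parts.shift().slice(0, -1));
      }
      if (parts.length > 1 && parts[parts.length - 1].startsWith('-')) {
        out.suffix = decodeURIComponent(parts.pop().slice(1));
      }
      out.start = decodeURIComponent(parts[0] || '');
      if (parts.length > 1) out.end = decodeURIComponent(parts[1]);
      return out;
    });
}

// Remove the directive but keep any ordinary fragment in front of it.
function stripTextDirective(href) {
  const url = new URL(href);
  const at = url.hash.indexOf(DELIM);
  if (at !== -1) url.hash = url.hash.slice(1, at);   // '' clears the fragment
  return url.toString();
}

// Constructed sample links (example.com is a placeholder host).
const SIMPLE = 'https://example.com/doc#:~:text=zeroed%20key';
const FULL =
  'https://example.com/doc#intro:~:text=the-,session%20key,reset,-to%20all';
```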

WhatsApp Groups Searchable on Google

It’s not new for search engines to index things that weren’t intended to be public. There is a bit of mystery surrounding how Google finds URLs to index, and StackExchange is full of plenty of examples of webadmins scratching their heads at their non-public folders showing up in a Google search.

That said, a story made the rounds in the last few days, that WhatsApp and Telegram group invites are being indexed by Google. So far, the official word is that all the indexed links must have been shared publicly, and Google simply picked them up from where they were publicly posted.

It appears that WhatsApp has begun marking chat invitation links as “noindex”, which is a polite way to ask search engines to ignore the link.

If it’s shown that links are getting indexed without being posted publicly online, then we have a much bigger story. Otherwise, everything is working as expected.

Let’s Encrypt Makes Attacks Harder

Let’s Encrypt has rolled out an invisible change to their validation process that makes a traffic redirection attack much harder. The new feature, Multi-Perspective Validation, means that when you verify your domain ownership, Let’s Encrypt will test that verification from multiple geographic regions. It might be possible to spoof ownership of a domain through a BGP attack, but that attack would be much harder to pull off against traffic originating from another country, or multiple countries simultaneously. Let’s Encrypt is currently using different regions of a single cloud, but plans to further diversify and use multiple cloud providers for even stronger validation.
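The decision logic behind that idea, as an added example that is not Let’s Encrypt’s code: issuance requires the primary vantage point, and all but a tolerated number of remote ones, to see the challenge token. Region names, the token and the failure allowance are assumptions made for illustration.

```javascript
// Added example: quorum decision for multi-perspective validation.
// Regions, token and the failure allowance are illustrative assumptions.
const TOKEN = 'tok-constructed-123';
const PERSPECTIVES = [
  { region: 'region-a', primary: true },
  { region: 'region-b' }, { region: 'region-c' }, { region: 'region-d' },
];

// Ask every vantage point what it fetched from the domain under validation.
// `route(region)` returns the token served to that region, or null.
function collectObservations(perspectives, route) {
  return perspectives.map((p) => ({
    region: p.region,
    primary: Boolean(p.primary),
    token: route(p.region),
  }));
}

// Issue only if the primary saw the token and no more than
// `maxRemoteFailures` remote vantage points disagree.
function decide(observations, expected, maxRemoteFailures) {
  const ok = (o) => o.token === expected;
  const primaryOk = observations.filter((o) => o.primary).every(ok);
  const disagreeing = observations
    .filter((o) => !o.primary && !ok(o))
    .map((o) => o.region);
  return { issue: primaryOk && disagreeing.length <= maxRemoteFailures,
           primaryOk, disagreeing };
}

// Constructed network: only the listed regions are routed to a server
// that holds the token; every other region reaches one that does not.
const tokenReachableFrom = (regions) => (region) =>
  (regions.includes(region) ? TOKEN : null);

function validate(route, maxRemoteFailures) {
  return decide(collectObservations(PERSPECTIVES, route), TOKEN, maxRemoteFailures);
}

const ALL = PERSPECTIVES.map((p) => p.region);
// Redirection that only captures traffic near the primary vantage point:
const LOCAL_REDIRECT = tokenReachableFrom(['region-a']);
const singleVantage = validate(LOCAL_REDIRECT, Infinity); // remotes ignored
const multiVantage = validate(LOCAL_REDIRECT, 1);
```

With the remote checks ignored, the localized redirection passes validation; with them enforced, three remote regions disagree and issuance is refused, while a single unreachable remote region is still tolerated.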

Kr00k

Brought to us by the researchers at ESET, Kr00k (PDF) is a simple flaw in certain wireless chips. So far, the flaw seems to be limited to WPA2 traffic sent by Broadcom and Cypress chips. They discovered Kr00k while doing some follow-up research on KRACK.

Let’s talk about WPA2 for a moment. WPA2 has a 4-way handshake process that securely confirms that both parties have the shared key, and then establishes a shared Temporal Key, also known as a session key. This key is private between the two devices that performed the handshake, meaning that other devices on the same wireless network can’t sniff traffic sent by other devices.

When a device disconnects, or disassociates, that session key is reset to all 0s, and no packets should be sent until another handshake is performed. Here’s the bug: The packets already in the output buffer are still sent, but are encrypted with the zeroed key, making them trivially decrypted. As it’s simple to trigger deauthentication events, an attacker can get a sampling of in-the-clear packets. The ubiquity of TLS is a saving grace here, but any unencrypted traffic is vulnerable. ESET informed vendors about the flaw in 2019, and at least some devices have been patched.
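An added toy model of that ordering bug (not vendor firmware, and not code from the ESET paper): frames are encrypted at send time, so anything still buffered when the key is zeroed leaves under the zero key unless the buffer is flushed first. All names are hypothetical, and flushing on disassociation is an assumed fix used for illustration.

```javascript
// Added example: toy model of a Wi-Fi transmit path around disassociation.
// Class, method and field names are hypothetical.
const KEY_LEN = 16;
const isZeroKey = (key) => key.every((b) => b === 0);

class TxPath {
  constructor({ flushOnDisassoc }) {
    this.flushOnDisassoc = flushOnDisassoc;
    this.temporalKey = null;  // installed by the 4-way handshake
    this.queue = [];          // frames waiting in the output buffer
    this.sent = [];           // what went out, and under which key state
  }

  handshake(key) { this.temporalKey = Uint8Array.from(key); }
  enqueue(payload) { this.queue.push(payload); }

  // Frames are encrypted when they are sent, with whatever key is
  // installed at that moment, not the key that was current when queued.
  drain(max = Infinity) {
    while (this.queue.length && max-- > 0) {
      const payload = this.queue.shift();
      if (this.temporalKey === null) continue;      // no key at all: drop
      this.sent.push({ payload, zeroKey: isZeroKey(this.temporalKey) });
    }
  }

  disassociate() {
    this.temporalKey = new Uint8Array(KEY_LEN);      // key reset to all 0s
    if (this.flushOnDisassoc) this.queue.length = 0; // hardened: drop buffer
    this.drain();                                    // leftover frames go out
  }
}

// Regression check for a driver test suite: nothing may leave under
// the all-zero key.
function framesSentUnderZeroKey(tx) {
  return tx.sent.filter((f) => f.zeroKey).map((f) => f.payload);
}

function scenario(flushOnDisassoc) {
  const tx = new TxPath({ flushOnDisassoc });
  tx.handshake(Uint8Array.from({ length: KEY_LEN }, (_, i) => i + 1)); // constructed key
  ['frame-1', 'frame-2', 'frame-3'].forEach((p) => tx.enqueue(p));
  tx.drain(1);        // one frame leaves under the real session key
  tx.disassociate();  // two frames are still buffered at this point
  return framesSentUnderZeroKey(tx);
}
```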

Exchange

Microsoft Exchange got a security patch this past Tuesday that addressed a pair of bugs that together resulted in a remote code execution vulnerability. The first bug was an encryption key that is generated on Exchange server installation. That generation seemed to lack a good source of entropy, as apparently every Exchange install uses the exact same key.

The second half of this bug is a deserialization problem, where an encrypted payload can contain a command to run. Because the encryption key is known, any user can access the vulnerable endpoint. Exploitation is trivial, so be sure to patch your server right away.

TODO: Remove Vulnerabilities

This one is just humorous. An Intel virtualization feature appears to have been pushed into the Linux kernel before it was finished. Know what unfinished code tends to contain? Bugs and vulnerabilities. CVE-2020-2732, in this case. It’s unclear how exactly an exploit would work, but the essence is that a virtual guest is allowed to manipulate system state in unintended ways.

Hackaday Podcast 056: Cat Of 9 Heads, Robot Squats, PhD In ESP32, And Did You Hear About Sonos?

Hackaday editors Elliot Williams and Mike Szczys gab on great hacks of the past week. Did you hear that there’s a new rev of the Pi 4 out there? We just heard… but apparently its release into the wild was months ago. Fans of the ESP8266 are going to love this tool that flashes and configures the board, especially for Sonoff devices. Bitluni’s Supercon talk was published this week and it’s a great roadmap of all the things you should try to do with an ESP32. Plus we take on the Sonos IoT speaker debacle and the wacky suspension system James Bruton’s been building into his humanoid robot.

Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download (60 MB or so.)

A Simple Yet Feature-Packed Programmable DC Load

If you’ve got the hankering to own a lab full of high-end gear but your budget is groaning in protest, rolling your own test equipment can be a great option. Not everything the complete shop needs is appropriate for a DIY version, of course, but a programmable DC load like this one is certainly within reach of most hackers.

This build comes to us courtesy of [Scott M. Baker], who does his usual top-notch job of documenting everything. There’s a longish video below that covers everything from design to testing, while the link above is a more succinct version of events. Either way, you’ll get treated to a good description of the design basics, which is essentially an op-amp controlling the gate of a MOSFET in proportion to the voltage across a current sense resistor. The final circuit adds bells and whistles, primarily in the form of triple MOSFETS and a small DAC to control the set-point. The DAC is driven by a Raspberry Pi, which also supports either an LCD or VFD display, an ADC for reading the voltage across the sense resistor, and a web interface for controlling the load remotely. [Scott]’s testing revealed a few problems, like a small discrepancy in the actual amperage reading caused by the offset voltage of the op-amp. The MOSFETs also got a bit toasty under a full load of 100 W; a larger heatsink allows him to push the load to 200 W without releasing the smoke.

We always enjoy [Dr. Baker]’s projects, particularly for the insight they provide on design decisions. Whether you want to upgrade the controller for a 40-year-old game console or give a voice to an RC2014, you should check out his stuff.

Astra Readies Secretive Silicon Valley Rocket; Firm Exits Stealth Mode, Plans Test Launch

After the end of the Second World War the United States and the Soviet Union started working feverishly to perfect the rocket technology that the Germans developed for the V-2 program. This launched the Space Race, which thankfully for everyone involved, ended with boot prints on the Moon instead of craters in Moscow and DC. Since then, global tensions have eased considerably. Today people wait for rocket launches with excitement rather than fear.

That being said, it would be naive to think that the military isn’t still interested in pushing the state-of-the-art forward. Even in times of relative peace, there’s a need for defensive weapons and reconnaissance. Which is exactly why the Defense Advanced Research Projects Agency (DARPA) has been soliciting companies to develop a small and inexpensive launch vehicle that can put lightweight payloads into Earth orbit on very short notice. After all, you never know when a precisely placed spy satellite can make the difference between a simple misunderstanding and all-out nuclear war.

More than 50 companies originally took up DARPA’s “Launch Challenge”, but only a handful made it through to the final selection. Virgin Orbit entered their air-launched booster into the competition, but ended up dropping out of contention to focus on getting ready for commercial operations. Vector Launch entered their sleek 12 meter long rocket into the competition, but despite a successful sub-orbital test flight of the booster, the company ended up going bankrupt at the end of 2019. In the end, the field was whittled down to just a single competitor: a relatively unknown Silicon Valley company named Astra.

Should the company accomplish all of the goals outlined by DARPA, including launching two rockets in quick succession from different launch pads, Astra stands to win a total of $12 million; money which will no doubt help the company get their booster ready to enter commercial service. Rumored to be one of the cheapest orbital rockets ever built and small enough to fit inside of a shipping container, it should prove to be an interesting addition to the highly competitive “smallsat” launcher market.
