There was a time when building your own satellite and having it placed into orbit would have been a wild dream. Now it is extremely possible, but still not trivial. A CubeSat is a very small satellite that can hitch a ride with a bigger satellite or get tossed out of a friendly space station. This week’s issue of The Orbital Index has a very good overview of what all is required. It also contains a great selection of links to get more information.
At first glance, it seems like it would be pretty simple. A computer, a battery, and some solar cells. Well, you probably want to hear back from it, so then you need a radio. Oh, and an antenna. But the antenna can’t stick out during launch so you need a way to deploy it. If you want the satellite to point somewhere, you’ll need things for that, too. Some CubeSats even have tiny thrusters to affect their orbit.
Imagine if you will that you are enthroned upon the porcelain, minding your own business while doing your business. You’re catching up on Hackaday on your phone – c’mon, admit it – when a whir and a buzz comes from behind you. You sit up in alarm, whereupon your lower back suddenly feels as if someone is scrubbing it with a steel wool pad. Then the real pain sets in as super-hot plasma lances into your skin, the smell of burning flesh fills the bathroom, and you crack your head on the towel bar trying to escape this torture chamber in a panic.
Sound good? Then [Vije Miller]’s plasma-powered toilet air freshener is a must-build for you. We’re not entirely sure where this was going, but the name of the project seems to indicate a desire to, ahem, clear the air near your derrière with the power of ions. While that might work – we’ve recently seen an electrostatic precipitator for 3D-printer fumes – the implementation here is a bit sketchy. The ball of steel wool? It was possibly intended as a way to disperse the ions, but it served as nothing more than fuel when touched by the plasma. The Contact-esque gimballed rings? Not a clue what they’re for, but they look cool. And hats off to [Vije] for the intricate 3D-printed parts, the geartrain and linkages, and the DIY slip rings.
It may be a head-scratcher of a build, but the video below is entertaining. Check out some of [Vije]’s other projects of dubious value, like his licorice launcher or the smartphone back scratcher.
Whether it is motivated by a dream of superhuman strength courtesy of a mech suit or of mobility for those with impaired muscle function, the powered exoskeleton exerts a curious fascination among engineers. The idea of a machine-augmented human body achieving great things is thwarted, though, by the difficulty of the task: actuators and power sources small enough to be worn comfortably represent a significant challenge that is not easily overcome. It’s a subject that has captivated [Kristjan Berce] since he saw his grandmother struggling with lifting when he was young, and he presents a working powered exoskeleton arm as a proof of his ideas.
It’s a wonderful exercise in low-tech construction with hand tools and a drill press on pieces of aluminium and wood. Motive power comes from an automotive windscreen wiper motor, and electrical power comes from a hefty LiPo attached to the device’s harness. There is a feedback potentiometer incorporated into the elbow joint, and an Arduino oversees the operation under the direction of a pair of glove-mounted buttons. It’s certainly impressive to see it in the video below lifting a bicycle, though we wonder how its weight might affect someone with less muscle function than average.
Projects like this one are very good to see, because there’s a chance that somebody out there may be helped by building one of these. However, there is always a note of caution to be struck, as the best solutions come from those who need them and not those who merely think they have the solution. We have written about the Engineer Saviour Trap here in years past.
If I were to ask you what is the oldest man-made orbiting satellite still in use, I’d expect to hear a variety of answers. Space geeks might mention the passive radar calibration spheres, or possibly one of the early weather satellites. But what about the oldest communication satellite still in use?
The answer is a complicated one. Oscar 7 is an amateur radio satellite launched on November 5th 1974, carrying two transponders and four beacons, all of which operate on bands available to amateur radio operators. Nearly 45 years later it still provides radio amateurs with contacts just as it did in the 1970s. But this bird’s history is anything but ordinary. It’s the satellite that came back from the dead after being thought lost forever. And just as it was fading from view it played an unexpected role in the resistance to the communist government in Poland.
Hackaday Editors Elliot Williams and Mike Szczys geek out over the latest hacks. This week we saw a couple of clever CNC builds that leverage a great ESP32 port of GRBL. The lemonade-pitcher-based submarine project is everything you thought couldn’t work in an underwater ROV. Amazon’s newest Dot has its warranty voided to show off what 22 pounds gets you these days. And there’s a great tutorial on debugging circuits that grew out of a Fail of the Week. Plus, we get the wind knocked out of us with an ambitious launch schedule for airless automotive tires, and commiserate over the confusing world of USB-C.
Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!
[Thomas] does a lot of interesting experiments with 3D printing and lately, he’s been using the free version of Fusion 360 to do topology optimization. He started with a blocky bookshelf bracket and let the software analyze the loads so it can remove pieces that don’t contribute a lot to the bracket’s strength. This uses less material, prints faster, and — [Thomas’] biggest goal — looks cool.
If you know [Thomas] you know he didn’t just hope the brackets would be strong enough. He made prototypes and destroyed them in testing. Despite being printed in a poor orientation for strength, the models held a good bit of weight.
This has been an interesting week. First off, security researchers at Armis discovered a set of serious vulnerabilities in the vxWorks Real Time Operating System (RTOS), released under a name that sounds like the title of a western or caper movie: Urgent/11. Not familiar with vxWorks? It’s a toss-up as to whether vxWorks or Linux is more popular for embedded devices. Several printer brands, Arris modems, Sonicwall firewalls, and a whole host of other industrial and medical devices run the vxWorks RTOS.
Several of these vulnerabilities are in the network stack, rather than in applications. The worst offender is CVE-2019-12256, a vulnerability in error handling. An ICMP error response is generated from an incoming packet, and assumptions are made about that incoming packet. When data is copied from that packet into the ICMP error, the length is not first checked, allowing an unbounded memory write. If this sounds familiar, it should. We covered a similar vulnerability in Apple’s XNU kernel not long ago.
This particular vulnerability can compromise a vxWorks machine even without an open port. The saving grace of the XNU bug applies here too: a maliciously crafted packet is necessarily malformed, and won’t navigate public routing. In other words, it’s LAN only, and can’t be sent over the internet.
They come in through the firewall.
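As an added example (not vxWorks, Armis or Hackaday code), here is the bounded copy an ICMP error builder needs: the quoted length is limited by the bytes actually received, the output buffer, and the protocol cap, instead of by the length field the sender wrote into its own header. Function names and the constructed packet in `run_quote` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HDR_MIN    20
#define ICMP_HDR_LEN   8              /* type, code, checksum, unused/pointer */
#define ICMP_ERR_MAX 576              /* keep the whole error within 576 bytes (RFC 1812) */
#define QUOTE_CAP   (ICMP_ERR_MAX - ICMP_HDR_LEN)

/* Builds an ICMP error quoting the offending IPv4 packet. Returns bytes
 * written into out, or -1 if the input is too short to be quoted.
 * The flawed pattern would be: memcpy(out + ICMP_HDR_LEN, pkt, claimed_len);
 * i.e. copying as many bytes as the sender's own header claims. */
int build_icmp_error(const uint8_t *pkt, size_t received_len,
                     uint8_t type, uint8_t code, uint8_t *out, size_t out_cap)
{
    if (received_len < IP_HDR_MIN || out_cap < ICMP_HDR_LEN) return -1;

    /* IPv4 total length as stated by the sender (bytes 2-3, network order). */
    size_t claimed_len = ((size_t)pkt[2] << 8) | pkt[3];

    /* Bound by bytes actually received, by the output buffer, and by the
     * protocol cap: a remote header never decides how much is copied. */
    size_t quote = claimed_len < received_len ? claimed_len : received_len;
    size_t room  = out_cap - ICMP_HDR_LEN;
    if (room > QUOTE_CAP) room = QUOTE_CAP;
    if (quote > room) quote = room;

    out[0] = type;
    out[1] = code;
    memset(out + 2, 0, ICMP_HDR_LEN - 2);  /* checksum/unused: filled in by caller */
    memcpy(out + ICMP_HDR_LEN, pkt, quote);
    return (int)(ICMP_HDR_LEN + quote);
}

/* Driver over a constructed packet: received_len bytes arrived on the wire,
 * with the IP total-length field set to `claimed`. Returns bytes written. */
int run_quote(size_t received_len, uint16_t claimed, size_t out_cap)
{
    uint8_t pkt[1500] = {0};
    uint8_t out[1500];
    if (received_len > sizeof pkt || out_cap > sizeof out) return -1;
    pkt[0] = 0x45;                      /* IPv4, 20-byte header (constructed) */
    pkt[2] = (uint8_t)(claimed >> 8);
    pkt[3] = (uint8_t)(claimed & 0xff);
    /* type 3 / code 3: destination unreachable, port unreachable */
    return build_icmp_error(pkt, received_len, 3, 3, out, out_cap);
}
```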
A second class of vulnerability, which is where the name comes from, is related to the TCP urgent pointer. This rarely used TCP feature was intended to allow more up-to-date information to supersede data still being processed. Not only has TCP urgent not been widely used, the specifications were not written particularly well, with the various RFC documents describing conflicting implementations. It’s surprising that vxWorks supports it at all, but it isn’t particularly surprising that their implementation is flawed. Manipulation of the data stream can cause a length integer to underflow. The nature of binary arithmetic means that underflowing an unsigned integer causes it to wrap around to the maximum value, which can lead to packet data being written to unexpected memory locations. These vulnerabilities require an established TCP connection, but the researchers describe several scenarios where that could be accomplished by an attacker.
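An added illustration of the underflow class described above (not vxWorks code; the stack's real bookkeeping is more involved): a receiver that subtracts the urgent pointer from the payload length without a bound wraps to a huge unsigned value, while clamping the urgent count to the bytes that actually arrived cannot. Names are hypothetical.

```c
#include <stdint.h>

#define TCP_URG 0x20   /* URG flag bit in the TCP flags byte */

/* Result of splitting a segment's payload into urgent and ordinary bytes. */
struct urg_split {
    uint32_t urg_here;   /* urgent bytes present in this segment */
    uint32_t normal;     /* remaining ordinary bytes in this segment */
};

/* Flawed pattern: blind unsigned subtraction. With URG set and an urgent
 * pointer larger than the payload, the result wraps to near 2^32, and any
 * copy loop driven by it runs far past the receive buffer. */
uint32_t normal_len_unchecked(uint8_t flags, uint16_t urg_ptr, uint32_t payload_len)
{
    uint32_t urg = (flags & TCP_URG) ? urg_ptr : 0;
    return payload_len - urg;
}

/* Hardened: the urgent pointer is relative to the segment's sequence number
 * and may legitimately reach past this segment, so clamp the urgent count to
 * the bytes that actually arrived; the subtraction then cannot underflow. */
struct urg_split split_urgent(uint8_t flags, uint16_t urg_ptr, uint32_t payload_len)
{
    struct urg_split r = { 0, payload_len };
    if (!(flags & TCP_URG)) return r;
    r.urg_here = urg_ptr < payload_len ? urg_ptr : payload_len;
    r.normal   = payload_len - r.urg_here;
    return r;
}
```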
The last RCE vulnerability they describe is in the DHCP client, ipdhcpc. This is a very simple vulnerability. One section of code allocates a buffer for DHCP options, but allocates 24 bytes fewer than the maximum size. An attacker could use this 24-byte overflow to manipulate the data structure and potentially jump execution into manipulated memory.
Update (2019-08-02 09:15 UTC-7): Hackaday received a statement from SonicWall that they made a patch for this vulnerability back on July 19th:
Ensuring the security of our customers is a responsibility we take seriously at SonicWall and we work vigilantly to always keep our customers secure. SonicWall physical firewall appliances running certain versions of SonicOS contain vulnerabilities in code utilized for remote management. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild. The patches are available now and we strongly advised our partners and end users July 19th to apply the SonicOS patch immediately.
Capital One made use of Amazon AWS for storing customer data. This isn’t surprising; many companies have turned to Amazon’s seemingly inexhaustible cloud computing platform for storing large data sets. It seems, however, that Capital One failed to configure the security properly on that bucket. (As many other companies have done.) Information on an estimated 100 million customers was leaked. A former Amazon employee has been arrested, and seems to have posted at least a portion of that data in a Github gist.
Reading between the lines, it seems that this was a very simple mistake. Perhaps credentials were leaked, or the S3 bucket was publicly available. That particular detail has not been released. There is something to be said for Capital One’s response to the incident. They were anonymously informed of the existence of the gist on July 17, through their responsible disclosure process. By the 29th, they had fixed the misconfiguration, coordinated with law enforcement, and publicly announced the breach. A twelve-day turnaround is an impressive response, particularly when so many companies have tried to hide or ignore similar breaches.
Cabarrus County, NC
It seemed simple enough. The general contractor for the county’s new school building needed to update bank account information. The appropriate forms were signed and filed, and the information was updated. Nothing seemed amiss until two months later, when the contractor notified the county that they had missed a scheduled payment of 2.5 million dollars. But the transaction had gone through, and the money had been transferred to the account on file.
Yes, the transfer went through, but the county had been hit with a social engineering scam. The report refers to it as an Email Account Compromise (EAC) scam, which seems to indicate that the scammer first gained access to a legitimate email account of the contractor in question. Alternatively, an attacker could simply spoof the sender’s email address and set a different reply-to field. Unless a user was particularly watching for such a scheme, it would be easy to overlook the discrepancy. In any case, even after recovering some of the transferred money, the county seems to be out about $1.7 million. These scams are becoming more and more popular, so remember: don’t believe anything you read in an email.
The Weird and Wacky
And to round out this week’s news, yet another [Satoshi Nakamoto] candidate has been found: Linus Torvalds. While it appears to be a serious suggestion, I’ll just note that the author doesn’t have his name attached to this article. He does make one interesting observation — git is the killer blockchain app. You see, I tend to compare blockchain to the laser. Both were very clever inventions, but didn’t have any immediate uses. They were solutions in search of a problem. This article points out that core concepts of blockchain are present in git, which seems to be an accurate and clever observation. So what is blockchain good for? Git!