Experiencing Visual Deficits And Their Impact On Daily Life, With VR

Researchers presented an interesting project at the 2024 IEEE Conference on Virtual Reality and 3D User Interfaces: it uses VR and eye tracking to simulate visual deficits such as macular degeneration, diabetic retinopathy, and other visual diseases and impairments.

Typical labels and pill bottles can be shockingly inaccessible to a variety of common visual deficits.

VR offers a unique method of allowing people to experience the impact of living with such conditions, a point driven home particularly well by having the user see for themselves the effect on simple real-world tasks such as choosing a pill bottle, or picking up a mug. Conditions like macular degeneration (which causes loss of central vision) are more accurately simulated by using eye tracking, a technology much more mature nowadays than it was even just a few years ago.

The abstract for the presentation is available here, and if you have some time be sure to check out the main index for all of the VR research demos because there are some neat ones there, including a method of manipulating a user’s perception of the shape of the ground under their feet by electrically stimulating the tendons of the ankle.

Eye tracking is in a few consumer VR products nowadays, but it’s also perfectly feasible to roll your own in a surprisingly slick way. It’s even been used on jumping spiders to gain insights into the fascinating and surprisingly deep perceptual reality these creatures inhabit.

Security Alert: Potential SSH Backdoor Via Liblzma

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.

The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid system were taking longer, with more CPU cycles than expected. And interestingly, Valgrind was throwing unexpected errors when running on the liblzma library. That last bit was first discovered on February 24th, immediately after the 5.6.0 release. The xz-utils package failed its tests on Gentoo builds.


Electrospinning Artificial Heart Valves

When you think about additive manufacturing, thoughts naturally turn to that hot-glue squirting CNC machine sitting on your bench and squeezing whatever plastic doodad you need. But 3D printing isn’t the only way to build polymer structures, as [Riley] shows us with this fascinating attempt to create electrospun heart valves.

Now, you may never have heard of electrospinning, but we’ll venture a guess that as soon as you see what it entails, you’ll have a “Why didn’t I think of that?” moment. As [Riley] explains, electrospinning uses an electric field to build structures from fine threads of liquid polymer solution — he uses polycaprolactone (PCL), a biodegradable polyester we’ve seen used in other medical applications, which he dissolves in acetone. He loads it into a syringe, attaches the positive terminal of a high-voltage power supply to the hypodermic needle, and the negative terminal to a sheet of aluminum foil. The charge turns the PCL droplets into fine threads that accumulate on the foil; once the solvent flashes off, what’s left is a gossamer layer of non-woven plastic fabric.

To explore the uses of this material, [Riley] chose to make an artificial heart valve. This required a 3D-printed framework with three prongs, painted with conductive paint. He tried a few variations on the design before settling on a two-piece armature affixed to a rotating shaft. The PCL accumulates on the form, creating a one-piece structure that can be gingerly slipped off thanks to a little silicone grease used as a release agent.

The results are pretty impressive. The structure bears a strong resemblance to an artificial tricuspid heart valve, with three delicate leaves suspended between the upright prongs. It’s just a proof of concept, of course, but it’s a great demonstration of the potential of electrospinning, as well as an eye-opening look at what else additive manufacturing has to offer.


Retrotechtacular: The IBM 7070

If you think of IBM mainframe computers, you most likely are thinking of the iconic S/360 or the slightly newer S/370. But what about the 7070 from 1958? It had transistors! It didn’t, however, use binary. Instead, it was a decimal-architecture machine. You can see a lost video of the machine below.

It was originally slated to upgrade the older IBM 650 and 705 computers. However, it wasn’t compatible with either, so IBM had to roll out the IBM 7080, which was compatible, at least, with the 705. Both machines could run 650 code via emulation.


Hackaday Podcast Episode 264: Cheap Minimills, 65-in-1 Electronics, And Time On Moon

It was Dan’s turn behind the mic with Elliot this time as we uncovered the latest from the world of hacking, and what an eclectic mix it was. It was slightly heavy on machining, with a look at mini-mills that are better than nothing, and a DIY DRO that’s A-OK. We also kicked the nostalgia bucket over — whatever that means — and got a new twist on the old “65-in-1” concept, found hidden code in 80s music, and looked at color TV in the US and how it got that way. We’ve got ample alliteration about grep, thoughts about telling time on the Moon, and what does Canada have against the poor Flipper Zero, anyway?

Grab a copy for yourself if you want to listen offline.


The Most Annoying Thing On The Internet Isn’t Really Necessary

We’re sure you’ll agree that there are many annoying things on the Web. Which of them we rate as most annoying depends on personal view, but we’re guessing that quite a few of you will join us in naming the ubiquitous cookie pop-up at the top of the list. It’s the pesky EU demanding consent for tracking cookies, we’re told, nothing to do with whoever is demanding you click through screens and screens of slider switches to turn everything off before you can view their website.

Now [Bite Code] is here to remind us that it’s not necessary. Not in America for the somewhat obvious reason that it’s not part of the EU, and perhaps surprisingly, not even in the EU itself.

The EU does have a consent requirement, but the point made in the article is that its requirements are satisfied by the Do Not Track header standard, an HTTP feature that’s been with us since 2009 but which almost nobody implemented, so it is now deprecated. This allowed a user to reject tracking at the browser level, making all the cookie popups irrelevant. That popups were chosen instead, the article concludes, is due to large websites preferring to make the process annoying enough that users simply click on the consent button to make it go away, making tracking much more likely. We suspect that the plethora of cookie popups also has something to do with FUD among owners of smaller websites, that somehow they don’t comply with the law if they don’t have one.

So as we’d probably all agree, the tracking cookie situation is a mess. This post is being written on Firefox, which now silos cookies to only the site which delivered them, but there seems to be little for the average user stuck with either of the big browsers. Perhaps we should all hope for a bit more competition in the future.

Cookies header: Lisa Fotios, CC0.

This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256

The Linux command wall is a hold-over from the way Unix machines used to be used. It’s an abbreviation of Write to ALL, and it was first included in AT&T Unix, way back in 1975. wall is a tool that a sysadmin can use to send a message to the terminal session of all logged-in users. So far nothing too exciting from a security perspective. Where things get a bit more interesting is the consideration of ANSI escape codes. Those are the control codes that move the cursor around on the screen, also inherited from the olden days of terminals.

The modern wall binary is actually part of util-linux, rather than being a continuation of the old Unix codebase. On many systems, wall runs as a setgid binary, so the behavior of the system binary really matters. It’s accepted that wall shouldn’t be able to send control codes, and when processing a message specified via standard input, those control codes get rejected by the fputs_careful() function. But when a message is passed in on the command line, as an argument, that function call is skipped.

This allows any user that can send wall messages to also send ANSI control codes. Is that really a security problem? There are two scenarios where it could be. The first is that some terminals support writing to the system clipboard via command codes. The other, more creative issue, is that the output from running a binary could be overwritten with arbitrary text. Text like:
Sorry, try again.
[sudo] password for jbennett:
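
The gap described above is that only one of the two input paths was sanitised. As an added example (not util-linux's code and not its fputs_careful() implementation), this C program sends both the command-line and the standard-input message through a single escaping function; the names `sanitize_message` and `prepare_message` and the escaping policy (caret notation for control bytes, \xHH for high bytes) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy msg into out with terminal control bytes made inert: printable ASCII,
 * '\n' and '\t' pass through, other bytes < 0x80 become caret notation
 * (ESC -> "^["), bytes >= 0x80 (8-bit CSI 0x9B included) become \xHH.
 * Returns the number of bytes rewritten, or -1 if out is too small. */
int sanitize_message(const char *msg, char *out, size_t outsz)
{
    size_t o = 0;
    int rewritten = 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++) {
        char buf[8];
        if ((*p >= 0x20 && *p < 0x7f) || *p == '\n' || *p == '\t')
            snprintf(buf, sizeof buf, "%c", *p);
        else if (*p < 0x80)
            snprintf(buf, sizeof buf, "^%c", *p ^ 0x40);
        else
            snprintf(buf, sizeof buf, "\\x%02X", (unsigned)*p);
        size_t n = strlen(buf);
        rewritten += (n > 1);      /* escaped forms are longer than one byte */
        if (o + n + 1 > outsz)
            return -1;
        memcpy(out + o, buf, n);
        o += n;
    }
    out[o] = '\0';
    return rewritten;
}

/* Hypothetical front end: argv and stdin messages share one sanitiser. */
int prepare_message(int argc, char **argv, FILE *in, char *out, size_t outsz)
{
    char raw[512] = "";
    for (int i = 1; i < argc; i++) {            /* command-line path */
        strncat(raw, i > 1 ? " " : "", sizeof raw - strlen(raw) - 1);
        strncat(raw, argv[i], sizeof raw - strlen(raw) - 1);
    }
    if (argc <= 1)                               /* standard-input path */
        raw[fread(raw, 1, sizeof raw - 1, in)] = '\0';
    return sanitize_message(raw, out, outsz);
}

int main(int argc, char **argv)
{
    char out[2048];                 /* worst case is 4 output bytes per input byte */
    if (prepare_message(argc, argv, stdin, out, sizeof out) >= 0)
        puts(out);
    return 0;
}
```

Because the escaping happens after the two input paths have merged, a new way of supplying the message cannot bypass it the way the argument path bypassed the existing check.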

You may have questions. Like, how would an attacker know when such a command would be appropriate? And how would this attacker capture a password that has been entered this way? The simple answer is by watching the list of running processes and system log. Many systems have a command-not-found function, which will print the failing command to the system log. If that failing command is actually a password, then it’s right there for the taking. Now, you may think this is a very narrow attack surface that’s not going to be terribly useful in real-world usage. And that’s probably pretty accurate. It is a really fascinating idea to think through, and definitely worth getting fixed.