Hackaday Podcast 237: Dancing Raisins, Coding On Apples, And A Salad Spinner Mouse

This week, Editor-in-Chief Elliot Williams and Kristina Panos gathered over the Internet and a couple cups of coffee to bring you the best hacks of the previous week. Well, the ones we liked best, anyhow.

First up in the news, we’ve got a brand-spankin’ new Halloween Hackfest contest running now until 9AM PDT on October 31st! Arduino are joining the fun this year and are offering some spooky treats in addition to the $150 DigiKey gift cards for the top three entrants.

It’s a What’s That Sound Results Show this week, and although Kristina actually got into the neighborhood of this one, she alas did not figure out that it was an MRI machine (even though she spent a week in an MRI one day).

Then it’s on to the hacks, which had a bit of a gastronomical bent this week. We wondered why normies don’t want to code on their Macs, both now and historically. We also examined the majesty of dancing raisins, and appreciated the intuitiveness of a salad spinner-based game controller.

From there we take a look at nitinol and its fun properties, admire some large, beautiful Nixie tubes, and contemplate a paper punching machine that spits out nonsensical binary. Finally we talk about rocker bogie suspensions and ponder the death of cursive.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download and savor at your leisure.


This Week In Security: WebP, Cavium, Gitlab, And Asahi Lina

Last week we covered the latest 0-day from NSO group, BLASTPASS. There are more details about exactly how that works, and a bit of a worrying revelation for Android users. One of the vulnerabilities used was CVE-2023-41064, a buffer overflow in the ImageIO library. The details have not been confirmed, but the timing suggests that this is the same bug as CVE-2023-4863, a WebP 0-day flaw in Chrome that is known to be exploited in the wild.

The problem seems to be an Out Of Bounds write in the BuildHuffmanTable() function of libwebp. And to understand that, we have to understand what libwebp does, and what a Huffman Table has to do with it. The first is easy. WebP is Google’s pet image format, potentially replacing JPEG, PNG, and GIF. It supports lossy and lossless compression, and the compression format for lossless images uses Huffman coding among other techniques. And hence, we have a Huffman table, a building block in the image compression and decompression.

What’s particularly fun about this compression technique is that the image includes not just Huffman compressed data, but also a table of statistical data needed for decompression. The table is rather large, so it gets Huffman compressed too. It turns out, there can be multiple layers of this compression format, which makes the vulnerability particularly challenging to reverse-engineer. The vulnerability is when the pre-allocated buffer isn’t big enough to hold one of these decompressed Huffman tables, and it turns out that the way to do that is to make maximum-size tables for the outer layers, and then malform the last one. In this configuration, it can write out of bounds before the final consistency check.
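The ordering problem described above, a table write that happens before the consistency check, can be shown on a toy single-level lookup table. This is an added example, not libwebp's code or its fix; `MAX_BITS`, `TABLE_CAP`, the function names and the sample code lengths are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BITS  4                   /* toy maximum code length (assumption) */
#define TABLE_CAP (1u << MAX_BITS)    /* buffer sized for a valid code only */

/* Constructed sample inputs: per-symbol code lengths as read from a file. */
static const uint8_t LENS_VALID[] = {1, 2, 3, 3};  /* complete prefix code */
static const uint8_t LENS_OVER[]  = {1, 1, 2};     /* over-subscribed: impossible */

/* Slots a fill loop would write: a code of length l covers
 * 2^(MAX_BITS - l) entries of a single-level lookup table. */
static unsigned slots_needed(const uint8_t *lens, size_t n) {
    unsigned total = 0;
    for (size_t i = 0; i < n; i++)
        if (lens[i] >= 1 && lens[i] <= MAX_BITS)
            total += 1u << (MAX_BITS - lens[i]);
    return total;
}

/* Validate first, write second. Returns 0 on success, -1 if the lengths
 * do not describe a complete prefix code; table[] is untouched on -1. */
static int build_table_checked(const uint8_t *lens, size_t n,
                               uint8_t table[TABLE_CAP]) {
    if (n > 255) return -1;                     /* symbol index must fit uint8_t */
    for (size_t i = 0; i < n; i++)
        if (lens[i] > MAX_BITS) return -1;
    if (slots_needed(lens, n) != TABLE_CAP) return -1;   /* Kraft equality */
    unsigned pos = 0;
    for (unsigned l = 1; l <= MAX_BITS; l++)    /* canonical order: by length */
        for (size_t i = 0; i < n; i++)
            if (lens[i] == l)
                for (unsigned k = 0; k < (1u << (MAX_BITS - l)); k++)
                    table[pos++] = (uint8_t)i;  /* pos < TABLE_CAP by the check */
    return 0;
}

int main(void) {
    uint8_t table[TABLE_CAP];
    printf("valid: needs %u of %u slots, build=%d\n", slots_needed(LENS_VALID, 4),
           TABLE_CAP, build_table_checked(LENS_VALID, 4, table));
    printf("malformed: needs %u of %u slots, build=%d\n", slots_needed(LENS_OVER, 3),
           TABLE_CAP, build_table_checked(LENS_OVER, 3, table));
    return 0;
}
```

A fill loop that skipped the equality check would try to write 20 entries into the 16-entry buffer for the malformed input, which is why the check has to come before the first write rather than after the last.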

An interesting note is that as one of Google’s C libraries, this is an extensively fuzzed codebase. While fuzzing and code coverage are both great, neither is guaranteed to find vulnerabilities, particularly well hidden ones like this one. And on that note, this vulnerability is present in Android, and the fix is likely going to wait til the October security update. And who knows where else this bug is lurking.


Keebin’ With Kristina: The One With The Busy Box Macro Pad

Well, I must admit that Google Translate completely failed me here, and thus I have no real idea what the trick is to this beautiful, stunning transparent split keyboard by [illness072]. Allegedly, the older tweets (exes?) hold the key to this magic, but again, Google Translate.

Based on the top picture, I assume that the answer lies in something like thin white PCB fingers bent to accommodate the row stagger and hiding cleverly behind the keys.

Anyone who can read what I assume is Japanese, please advise what is going on in the comments below.


Button, Button, Who’s Got The (Pico) Button?

There is an episode of Ren and Stimpy with a big red “history eraser” button that must not be pressed. Of course, who can resist the temptation of pressing the unpressable button? The same goes for development boards. If there is a button on there, you want to read it in your code, right? The Raspberry Pi Pico is a bit strange in that regard. The standard one lacks a reset button, but there is a big tantalizing button to reset in bootloader mode. You only use it when you power up, so why not read it in your code? Why not, indeed?

Turns out, that button isn’t what you think it is. It isn’t connected to a normal CPU pin at all. Instead, it connects to the flash memory chip. So does that mean you can’t read it at all? Not exactly. There’s good news, and then there’s bad news.

The Good News

The official Raspberry Pi examples show how to read the button (you have read all the examples, right?). You can convert the flash’s chip-select into an input temporarily and try to figure out if the pin is low, meaning that the button is pushed. Sounds easy, right?


Hello, Halloween Hackfest!

Halloween is possibly the hackiest of holidays. Think about it: when else do you get to add animatronic eyes to everyday objects, or break out the CNC machine to cut into squashes? Labor day? Nope. Proximity-sensing jump-scare devices for Christmas? We think not. But for Halloween, you can let your imagination run wild!

Jump Scare Tombstone by [Mark]
We’re happy to announce that DigiKey and Arduino have teamed up for this year’s Hackaday Halloween Contest. Bring us your best costume, your scariest spook, your insane home decorations, your wildest pumpkin, or your most kid-pleasing feat!

We’ll be rewarding the top three with a $150 gift certificate courtesy of DigiKey, plus some Arduino Halloween treats if you use a product from the Arduino Pro line to make your hair-raising fantasy happen.

We’ve also got five honorable mention categories to inspire you to further feats of fancy.

  • Costume: Halloween is primarily about getting into outrageous costumes and scoring candy. We don’t want to see the candy.
  • Pumpkin: Pumpkin carving could be as simple as taking a knife to a gourd, but that’s not what we’re after. Show us the most insane carving method, or the pumpkin so loaded with electronics that it makes Akihabara look empty in comparison.
  • Kid-Pleaser: Because a costume that makes a kid smile is what Halloween is really all about. But games or elaborate candy dispensers, or anything else that helps the little ones have a good time is fair game here.
  • Hallowed Home: Do people come to your neighborhood just to see your haunted house? Do you spend more on light effects than on licorice? Then show us your masterpiece!
  • Spooky: If your Halloween build is simply scary, it belongs here.

Head on over to Hackaday.io for the full details. And get working on your haunts, costumes, and Rube Goldberg treat dispensers today.

What Is Killing Cursive? Ballpoints. Probably.

I get it — you hate writing by hand. But have you ever considered why that is? Is it because typing is easier, faster, and more convenient here in 2023? Maybe so. All of those notwithstanding, I honestly think there’s an older reason: it’s because of the rise of ballpoint pens. And I’m not alone.

Bear with me here. Maybe you think you hate writing because you were forced to do it in school. While that may very well be, depending on your age, you probably used a regular wood-case pencil before graduating to the ballpoint pen, never experiencing the joys of the fountain pen. Well, it’s never too late.


Satellite Hunting Hack Chat

Join us on Wednesday, September 20 at noon Pacific for the Satellite Hunting Hack Chat with Scott Tilley!

From the very first beeps of Sputnik, space has primarily been the domain of nations. It makes sense — for the most part, it takes the resources of a nation to get anything of appreciable size up out of the gravity well we all live in, but more importantly, space is the highest of high ground, and the high ground has always been a place of advantage to occupy. And so a lot of the hardware we’ve sent upstairs in the last 70 years has been in the national interest of this or that country.

A lot of these satellites are — or were, at least — top secret stuff, with classified payloads, poorly characterized orbits, and unknown communications protocols. This can make tracking them from the ground a challenge, but one that’s worth undertaking. Scott Tilley has been hunting for satellites for years, writing about his exploits on the Riddles in the Sky blog and sometimes being featured on Hackaday. After recently putting his skills to work listening in on a solar observation satellite as its orbit takes it close to Earth again, we asked him to stop by the Hack Chat to share what he’s learned about hunting for satellites, both long-lost and intentionally hidden. Join us as we take a virtual trip into orbit to find out just what’s going on up there.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, September 20 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.