Patents And The Missing Museum

A beautiful chapter of the history of invention in the United States ended with a fire in 1880. Well, the fire took place in 1877, but the wheels of government turn slowly. For the first 90 years that patents were granted in the USA, applications were required to be accompanied by a working model – to prove that the idea works and rule out “the perpetual motion cranks”.

During this time, the US Patent Office put all of these models on display, or at least as many of them as they could. The idea was that, alongside the printed documents, people would learn from seeing the inventions in the flesh. This tremendous resource got the Patent Office nicknamed the “Temple of Invention”, and rightly so. Many of the crucial innovations of the industrial revolution were there, in miniature. From Samuel Morse’s model telegraph, through Eli Whitney’s cotton gin, to more than a thousand inventions of Thomas Edison’s, working models were to be seen in the flesh, if in the small. We can only imagine how awe-inspiring it would have been to walk through those halls.

Two fires put significant dents in this tremendous collection. First in 1836, in a fire that consumed most of the approximately 10,000 patents that had been issued to that date, models and paper copies alike. Ironically, these included the patent for the first cast-iron fire hydrant. This fire was so devastating that it led to a dramatic patent reform in that same year, and to the building of a new fireproof Patent Office.

And the “new” Patent Office building still stands today, and it proudly displayed patent models until the fire that broke out inside the building in 1877. (The contents of the building weren’t fireproof.) In this second fire, brave employees saved many of the works by staying and battling the fire from inside, but after this second demoralizing beatdown, and with the accelerating number of patent applications, it became obvious that there just wasn’t enough space to store a model of each patentable invention, and the requirement was dropped in 1880.

A small portion of the remaining patent models were put on display in one wing of the National Portrait Gallery, housed in the Patent Office building, and I had the wonderful opportunity to see it live in the early 2000s. I have no idea if the exhibit is still there – I’m guessing it’s not. The Smithsonian owns the lion’s share of the existing models, and we imagine they are in a warehouse somewhere, like at the end of Raiders of the Lost Ark.

A shame, because seeing a real 3D model of a thing is different from seeing line drawings. Maybe in the future, 3D CAD drawings will take their place? They’d be a lot easier to save in event of a fire.

Hackaday Podcast 178: The Return Of Supercon, Victory For Open Source, Exquisite Timepieces, And Documentation To Die For

Hackaday Editor-in-Chief Elliot Williams and Managing Editor Tom Nardi start this week’s podcast off with an announcement the community has been waiting years for: the return of the Hackaday Supercon! While there’s still some logistical details to hammer out, we’re all extremely excited to return to a live con and can’t wait to share more as we get closer to November. Of course you can’t have Supercon without the Hackaday Prize, which just so happens to be wrapping up its Hack it Back challenge this weekend.

In other news, we’ll talk about the developing situation regarding the GPLv3 firmware running on Ortur’s laser engravers (don’t worry, it’s good news for a change), and a particularly impressive fix that kept a high-end industrial 3D printer out of the scrapheap. We’ll also fawn over a pair of fantastically documented projects, learn about the fascinating origins of the lowly fire hydrant, and speculate wildly about the tidal wave of dead solar panels looming menacingly in the distance.

Or download the fresh bitstream yourself.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Continue reading “Hackaday Podcast 178: The Return Of Supercon, Victory For Open Source, Exquisite Timepieces, And Documentation To Die For”

This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign that’s compromising FreePBX systems around the world. It seems to be aimed specifically at Elastix systems, using CVE-2021-45461, a really nasty Remote Code Execution (RCE) from December of last year. This flaw was a 0-day, as it was discovered by analyzing a compromised FreePBX system. It’s unclear if the campaign described in last week’s report was using the 0-day back in December, or if it was launched as a result of the public disclosure of the bug.

Regardless, the vulnerability lies in a URL parameter sent to the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, and allow end users to set features like Do Not Disturb without having to punch in star codes or visit a web page. Because of that use case, any FreePBX deployment that supports VoIP phones connecting from outside the network and uses this feature needs the service’s ports exposed. The best way to secure that would be to enforce connections over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, all obfuscated slightly differently. It then creates multiple root-level user accounts, and adds a Cron job to maintain access. There is a surprising amount of obfuscation and stealth features in this family of malware, making it difficult to point to a single Indicator Of Compromise. If you run a FreePBX system that may have the Phone Apps module running, it’s time to go through it with a fine-toothed comb.
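Two of the post-compromise behaviours described above, extra root-level accounts and a persistence cron job, are easy to check for on a box you suspect. The following audit helper is an added example, not code from the report or from FreePBX; the passwd and crontab contents are constructed samples, and the cron heuristic (commands running from world-writable or hidden paths) is my assumption, not an indicator taken from the campaign.

```ruby
# Constructed sample of /etc/passwd content: "root" plus one extra account
# that was given UID 0, the pattern the campaign above creates.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin
  sysupdate:x:0:0::/var/tmp:/bin/bash
PASSWD

# Constructed sample crontab content: one legitimate job and one persistence
# entry running out of a hidden directory under /var/tmp.
SAMPLE_CRONTAB = <<~CRON
  # m h dom mon dow command
  0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
  */5 * * * * /var/tmp/.cache/.sysupdate >/dev/null 2>&1
CRON

# Return the names of all UID-0 accounts other than "root".
def extra_uid0_accounts(passwd_text)
  passwd_text.each_line.map do |line|
    fields = line.chomp.split(":", -1)
    next if fields.size < 7
    name, uid = fields[0], fields[2]
    name if uid == "0" && name != "root"
  end.compact
end

# Heuristic (an assumption, not an indicator from the report): flag cron
# commands that run from world-writable or hidden locations.
SUSPICIOUS_CRON = %r{(^|\s)(/tmp|/var/tmp|/dev/shm)/|/\.[^/\s]+}

# Return the crontab lines whose command part matches the heuristic.
def suspicious_cron_entries(crontab_text)
  crontab_text.each_line.map do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    fields = line.split(/\s+/, 6)   # m h dom mon dow, then the command
    next if fields.size < 6
    line if SUSPICIOUS_CRON.match?(fields[5])
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  puts "Extra UID-0 accounts: #{extra_uid0_accounts(SAMPLE_PASSWD).inspect}"
  puts "Suspicious cron entries:"
  suspicious_cron_entries(SAMPLE_CRONTAB).each { |e| puts "  #{e}" }
end
```

On a real system, feed `File.read("/etc/passwd")` and the output of `crontab -l` (for each user, plus /etc/cron.d) to the two functions instead of the samples.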

What’s The Deal with TikTok?

The FCC has once again called for TikTok to be de-listed from the Google Play Store and the Apple App store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just go open up the Google Play Store and see the exact permissions the TikTok app uses, Google has made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems like Google agrees. Just before this article went to press, Google announced that they were walking back this decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can manipulate the value given for the archive name, and avoid tripping on any of the checks intended to prevent it, you can trivially insert shell commands that will be run on the underlying server. Avoiding the traps is a big part of the work to actually make this into a real PoC. Read the post for full details on the debugging journey.
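The bug class here, a file name concatenated into a command string that a shell then interprets, is worth seeing next to its fix. The snippet below is an added illustration in Ruby, not GitLab’s own code: `unsafe_command` shows the vulnerable shape, and `valid_archive_name?` plus `safe_argv` show the two layers of the hardened form (a strict allow-list on the name, and an argument vector that never touches a shell).

```ruby
require "open3"

# Vulnerable pattern (illustrative, not GitLab's code): the caller-supplied
# archive name is interpolated into one command string that is then handed
# to a shell, so shell metacharacters in the name become part of the command.
def unsafe_command(archive_name)
  "tar -tzf #{archive_name}"
end

# Hardened form, step 1: strict allow-list for the archive name. Only a bare
# file name of safe characters with the expected extension is accepted, so
# path separators, leading dashes and shell metacharacters are all rejected.
SAFE_ARCHIVE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]*\.tar\.gz\z/

def valid_archive_name?(archive_name)
  return false unless archive_name.is_a?(String)
  return false if archive_name.include?("/") || archive_name.include?("..")
  SAFE_ARCHIVE_NAME.match?(archive_name)
end

# Hardened form, step 2: build an argument vector instead of a string. Each
# element reaches tar as exactly one argument and no shell is involved, so
# even a name that slipped past validation could not terminate the command.
def safe_argv(archive_name)
  raise ArgumentError, "invalid archive name" unless valid_archive_name?(archive_name)
  ["tar", "-tzf", archive_name]
end

# Open3.capture2 with several arguments execs the program directly (no
# /bin/sh in between), which is what makes the argv form safe.
def list_archive(archive_name)
  output, status = Open3.capture2(*safe_argv(archive_name))
  [status.success?, output]
end
```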

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is Calendar spam. Google Calendar is great, because anyone can send you an email with an invite, and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be used for spam. Regardless, after multiple years of the spam problem, Google is finally rolling out a feature to only add invitations to your calendar from known senders. Now if you get asked, or suffer from spam yourself, you know to look under event settings and make the setting change. Finally!

Don’t Miss Your Last Chance To Enter The Hack It Back Challenge

While the 2022 Hackaday Prize as a whole winds its way through a good chunk of the year, each individual challenge that makes up the competition only sticks around for a limited time. As hard as it might be to believe, our time with the Hack it Back challenge is nearly at a close, with just a few days left to enter your project before the July 24th deadline.

Each challenge in this year’s Hackaday Prize has been designed around the core themes of sustainability, resiliency, and circularity — and for the Hack it Back phase of the competition we asked hackers to essentially keep as much hardware out of the landfill as possible. That could mean making a simple fix that puts a piece of equipment back into service, or it might be a complete rebuild of an older device to bring it up to modern standards. These are the kind of projects Hackaday was built on, so turning it into an official challenge this year made perfect sense. Continue reading “Don’t Miss Your Last Chance To Enter The Hack It Back Challenge”

Dead Solar Panels Are The Hottest New Recyclables

When it comes to renewable energy, there are many great sources. Whether it’s solar, wind, or something else, though, we need a lot of it. Factories around the globe are rising to the challenge to provide what we need.

We can build plenty of new solar panels, of course, but we need to think about what happens when they reach end of life. As it turns out, with so much solar now out in the field, a major new recycling industry may be just around the corner.

Continue reading “Dead Solar Panels Are The Hottest New Recyclables”

The 2022 Hackaday Supercon Is On! And The Call For Proposals Is Open

After two years in remote mode, we’re very excited to announce that this year’s Hackaday Supercon will be coming back, live! Join us Nov. 4th, 5th, and 6th in sunny Pasadena, CA for three days of hacks, talks, and socializing with the Hackaday community. And we’d love to see and hear in person what you’ve been up to for the last two years – so start brainstorming what you’re going to talk about now and fill out the call for proposals.

Supercon is On!

We’ll be starting off on Friday Nov. 4th with early-bird registration, a mellow afternoon of badge-hacking and workshops, and a party to kick off the con. Saturday and Sunday will be the full enchilada: two tracks of talks, hacking stations and food set up in the alley, and workshops aplenty. (Just thinking about hacking in the alley and sharing tacos afterward again brings a tear of joy to my eye.) We’ll close up Sunday night with the 2022 Hackaday Prize Awards and a chance to demo the weekend’s badge hacking on stage.

If you haven’t ever been to a Supercon before, it’s Hackaday in real life. People bring hacks to show and share, projects to work on, and their ideas that are too big to fit in the overhead compartment anyway. The crowd is awesome. There are seasoned pros, famous YouTubers, and brand-new hackers to boot. And yet it’s not overwhelming – Supercon is too big to fit in your living room, but it’s nonetheless cozy. The folks in attendance are all fantastic and you’ll stumble into the most awesome conversations.

It’s a weekend you don’t want to miss, so start figuring out how you’re going to get to Pasadena now.

We’ll be putting tickets on sale soon, and while we can’t see into the future, they have sold out every year, so keep your eyes on Hackaday to get yours. And of course, speakers don’t need no stinking tickets. Continue reading “The 2022 Hackaday Supercon Is On! And The Call For Proposals Is Open”

Hackaday Links: July 17, 2022

Webb’s first deep-field image. Source: NASA

The folks at NASA are taking a well-deserved victory lap this week after the splashy reveal of the first scientific images from the James Webb Space Telescope. As we expected, the first public release included a lot of comparisons to images obtained from Hubble, as the general public understandably sees Webb as the successor to the venerable space telescope, now in its third decade of service. So for a “let’s see what this baby can do” image, they turned Webb loose on a tiny patch of sky in the southern hemisphere containing galactic cluster SMACS 0723, and sent back images and spectroscopic data from galaxies up to 13 billion light years away. There are plenty of analyses of Webb’s deep field and the other images in the first release, but we particularly liked the takes by both Anton Petrov and Dr. Becky. They both talk about the cooler scientific aspects of these images, and how Webb is much more than just a $10 billion desktop image generator.

Continue reading “Hackaday Links: July 17, 2022”