2022 Hackaday Prize: Make Your World More Disaster Resistant, More Engaged

Following along with the 2022 Hackaday Prize theme on building a better world by doing what we all do best – hacking together solutions – the fourth round of the Prize focuses on making our local communities more resilient against and sensitive to severe weather and environmental disasters. Whether it’s an early warning system for wildfires or a distributed communication network that will keep working even when the cell phone service goes down, we’re challenging you to help make your world safer by reacting sooner and better. Get your project entered now!

Sensing

We love systems that help us monitor our environments, and not just for idle curiosity or citizen science. Sometimes it’s critical. We’ve seen monitors aimed at giving you a personal particulate air quality indicator, especially helpful for people with respiratory problems when downstream of a forest fire.

But even better is networking these together to generate an air quality map, or to log long-run trends over time and space. CanAirIO, for instance, has both a fixed and mobile unit that can help map out CO2 and particulate matter quality. Or maybe it’s not wildfires that invade your airspace, but rather pollution from car use. We’ve seen projects like that before too, and anything along these lines would make a great entry into this challenge round. Could you predict local air quality?


Hackaday Links: July 24, 2022

OK, maybe that won’t buff right out. NASA has released a more detailed analysis of the damage suffered by the James Webb Space Telescope in a run-in with a micrometeoroid, and has deemed the damage “uncorrectable”. Not that any damage to JWST is correctable, at least in the sense that the Hubble Space Telescope was able to be fitted with optics to fix its precisely-yet-inaccurately-ground main mirror. JWST is far too remote for a service call, so correctability in this case refers to a combination of what can be accomplished by tweaking the shape and position of the affected mirror segment, and what can be taken care of with image processing. The damage to segment C3, as well as damage to the other segments in a total of six collisions in the half year Webb has been on station, are assessed via “wavefront sensing”, which looks at how out of phase the light coming from each mirror segment is. The damage sounds bad, and it certainly must hurt for the techs and engineers who so lovingly and painstakingly built the thing to see it dinged up already, but in the long run, this damage shouldn’t hamper Webb’s long-term science goals.

In other space news, we hear that the Perseverance rover has taken its first chunk out of the ancient river delta in Jezero Crater. The rover has been poking around looking for something interesting to sample, but everything it tried out with its abrading tool was either too brittle, too hard to get at, or scientifically dull. Eventually the rover found a good spot to drill, and managed to bring up a 6.7-cm core sample. This makes the tenth core sample collected overall, and the first from the delta area, which is thought to have the best chance to contain evidence of ancient Martian life.

Closer to home, we’ve all likely heard of robotic surgery, but the image that conjures up doesn’t really comport with reality. Robot-assisted surgery is probably a better term, since surgical robots are generally just ultra-precise remote manipulators that are guided by a skilled surgeon. But if a study on surgery robot performance is any indication, the days of human surgeons might be numbered. The study compared accuracy and speed of both a human surgeon controlling a standard Da Vinci surgical robot and an autonomous version of the robot alone, using a depth camera for sensing. Using a standard surgical skills test, the autonomous system matched the human surgeons in terms of failures — thankfully, no “oopsies” for either — but bested the humans in speed and positional accuracy. It’ll probably be a while before fully autonomous surgeons are a thing, but we wouldn’t be betting against it in the long run.

Most readers will no doubt have heard the exciting news that Supercon will be back this year as an in-person event! Make sure you set aside the first weekend in November to make the pilgrimage to Pasadena — it’ll be great seeing everyone again after the long absence. But if you just can’t wait till November for an IRL con, consider dropping by SCALE 19X, coming up this week in Los Angeles. The Southern California Linux Expo is being held July 28 through 31, and features a ton of speakers, including a keynote by Vint Cerf. Hackaday readers can save 50% on tickets with promo code HACK.

And finally, as a lover of Easter eggs of all kinds, but specifically of the hidden message in software variety, we appreciated this ode to the Easter egg, the embedded artistry that has served as a creative outlet for programmers over the years. The article lists a few great examples of the art form, along with explaining why they’re actually important artifacts of the tech world and what they’re good for. We tried out a few of the ones listed in the article that we hadn’t heard of before; some hits, some misses, but they’re all appreciated. Well, most of them — the corporate rah-rah kind can bugger straight off as far as we’re concerned.

Patents And The Missing Museum

A beautiful chapter of the history of invention in the United States ended with a fire in 1880. Well, the fire took place in 1877, but the wheels of government turn slowly. For the first 90 years that patents were granted in the USA, applications were required to be accompanied by a working model – to prove that the idea works and rule out “the perpetual motion cranks”.

During this time, the US Patent Office put all of these models on display, or at least as many of them as they could. The idea was that, alongside the printed documents, people would learn from seeing the inventions in the flesh. This tremendous resource got the Patent Office nicknamed the “Temple of Invention”, and rightly so. Many of the crucial innovations of the industrial revolution were there, in miniature. From Samuel Morse’s model telegraph, through Eli Whitney’s cotton gin, to more than a thousand inventions of Thomas Edison’s, working models were to be seen in the flesh, if in the small. We can only imagine how awe-inspiring it would have been to walk through those halls.

Two fires put significant dents in this tremendous collection. First in 1836, in a fire that consumed most of the approximately 10,000 patents that had been issued to that date, models and paper copies alike. Ironically, these included the patent for the first cast-iron fire hydrant. This fire was so devastating that it led to a dramatic patent reform in that same year, and to the building of a new fireproof Patent Office.

And the “new” Patent Office building still stands today, and it proudly displayed patent models until the fire that broke out inside the building in 1877. (The contents of the building weren’t fireproof.) In this second fire, brave employees saved many of the works by staying and battling the fire from inside, but after this second demoralizing beatdown, and with the accelerating number of patent applications, it became obvious that there just wasn’t enough space to store a model of each patentable invention, and the requirement was dropped in 1880.

A small portion of the remaining patent models were put on display in one wing of the National Portrait Gallery, housed in the Patent Office building, and I had the wonderful opportunity to see it live in the early 2000s. I have no idea if the exhibit is still there – I’m guessing it’s not. The Smithsonian owns the lion’s share of the existing models, and we imagine they are in a warehouse somewhere, like at the end of Raiders of the Lost Ark.

A shame, because seeing a real 3D model of a thing is different from seeing line drawings. Maybe in the future, 3D CAD drawings will take their place? They’d be a lot easier to save in event of a fire.

Hackaday Podcast 178: The Return Of Supercon, Victory For Open Source, Exquisite Timepieces, And Documentation To Die For

Hackaday Editor-in-Chief Elliot Williams and Managing Editor Tom Nardi start this week’s podcast off with an announcement the community has been waiting years for: the return of the Hackaday Supercon! While there are still some logistical details to hammer out, we’re all extremely excited to return to a live con and can’t wait to share more as we get closer to November. Of course you can’t have Supercon without the Hackaday Prize, which just so happens to be wrapping up its Hack it Back challenge this weekend.

In other news, we’ll talk about the developing situation regarding the GPLv3 firmware running on Ortur’s laser engravers (don’t worry, it’s good news for a change), and a particularly impressive fix that kept a high-end industrial 3D printer out of the scrapheap. We’ll also fawn over a pair of fantastically documented projects, learn about the fascinating origins of the lowly fire hydrant, and speculate wildly about the tidal wave of dead solar panels looming menacingly in the distance.


Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


This Week In Security: Asterisk, TikTok, Gitlab, And Finally A Spam Solution

There’s an ongoing campaign compromising FreePBX systems around the world. It appears to be aimed specifically at Elastix systems, and it uses CVE-2021-45461, a really nasty Remote Code Execution (RCE) flaw from December of last year. The flaw was a 0-day: it was discovered by analyzing a compromised FreePBX system. It’s unclear whether the campaign described in last week’s report was already using the bug back in December, or whether it was launched as a result of the public disclosure.

Regardless, the vulnerability is triggered by a URL parameter sent to the Rest Phone Apps service. This module is intended to run right on the screen of VoIP phones, letting end users set features like Do Not Disturb without punching in star codes or visiting a web page. Because of that use case, any FreePBX deployment that uses this feature and supports VoIP phones connecting from outside the network has to expose the service’s ports to those phones. The best way to secure that would be to require the connections to come in over a VPN, which only some phones natively support.

Upon finding a vulnerable endpoint, the campaign starts by dropping a webshell in several locations, each obfuscated slightly differently. It then creates multiple root-level user accounts and adds a cron job to maintain access. There is a surprising amount of obfuscation and stealth in this malware family, making it difficult to point to a single Indicator of Compromise. If you run a FreePBX system that may have the Phone Apps module enabled, it’s time to go through it with a fine-toothed comb: look for accounts you didn’t create that map to UID 0, cron entries you don’t recognize, and PHP files in the web root that you didn’t put there.

What’s The Deal with TikTok?

An FCC commissioner has once again called for TikTok to be de-listed from the Google Play Store and the Apple App Store. What is going on with TikTok? It’s just an app for filming and sharing silly videos, right? There are essentially two potential problems with TikTok, and both of them trace back to the app’s parent company residing in China.

Here in the US we have National Security Letters, and China seems to have a more straightforward system, where “everything is seen in China,” as said by a member of TikTok’s Trust and Safety Department. TikTok uses quite a few permissions, some of which seem a bit overzealous. If you’re a person of interest to the Chinese government, could those permissions be used to surveil you? Absolutely. Just like a US based app could, as a result of a National Security Letter.

The second problem is a bit more subtle, and may stray towards a conspiracy theory, but is worth considering. TikTok has videos about every subject imaginable, from every possible viewpoint. What if the Chinese Communist Party (CCP) wanted a specific rumor to gain traction in the US? Just a little pressure on the video recommendation algorithm would make videos about that topic trend. Instant public opinion lever.

There’s likely a missing piece of the story here, in the form of some classified intel. Until enough time goes by that a Freedom of Information Act request can unlock the rest of the story, it’s going to be unclear how much of the TikTok threat is legitimate, and how much is geo-political wrangling.

Oh, and if you thought you could just go open up the Google Play Store and see the exact permissions the TikTok app uses, Google has made the unfortunate decision to hide permissions until you actually do the install. That sounds like a terrible decision and, after a brief outcry, it seems like Google agrees. Just before this article went to the presses, Google announced that they were walking back this decision.

Gitlab RCE

Gitlab fixed a very serious problem in its 4th of July round of minor version releases, and [Nguyễn Tiến Giang (Jang)] really wanted to understand what was going on with this one. So much so that he set up a debuggable install of Gitlab and recreated the issue, bringing us along for the ride. The flaw is in importing an existing Gitlab project, where the archive name is appended directly to a command string. If you can control the value given for the archive name, and avoid tripping any of the checks intended to prevent it, you can trivially insert shell commands that will be run on the underlying server. Avoiding those traps is a big part of the work of turning this into a real PoC. Read the post for full details on the debugging journey.
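The bug class here is plain command injection through string interpolation, and the fix pattern is the same in any Rails app. The following is an added example, not GitLab’s code or Jang’s PoC: the import step and the command it runs are assumed, and `echo` stands in for whatever the real import invokes so that the snippet runs anywhere. The point it makes is that the argv form never involves a shell, so the archive name stays one literal argument no matter what characters it carries, whereas a name filter is only defence in depth and is exactly the sort of check a PoC has to route around.

```ruby
# Added example (not GitLab's code): the two ways a Rails app can hand an
# archive name to a command. The import step and the "tar" it would call are
# assumed; "echo" stands in for the real command so this runs anywhere.
require "open3"

# Vulnerable pattern: interpolating untrusted input into one command string.
# Ruby passes a single string containing shell metacharacters to /bin/sh, so
# ";" ends the intended command and starts the attacker's.
def vulnerable_import(archive_name)
  out, _status = Open3.capture2("echo importing #{archive_name}")
  out
end

# The fix: pass argv as separate arguments. No shell is involved, so the
# name is one literal argument whatever characters it contains.
def safe_import(archive_name)
  out, _status = Open3.capture2("echo", "importing", archive_name)
  out
end

# Input validation as defence in depth, not as the primary fix: filters like
# this are what the PoC had to work around, and a filter the attacker can
# sidestep protects nothing. Allow-list the shape rather than deny-listing
# metacharacters. (Pattern is an assumption, not GitLab's.)
ARCHIVE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\.tar\.gz\z/

def valid_archive_name?(archive_name)
  ARCHIVE_NAME.match?(archive_name) && !archive_name.include?("..")
end

if __FILE__ == $PROGRAM_NAME
  payload = "proj.tar.gz; echo INJECTED"
  puts "vulnerable: #{vulnerable_import(payload).inspect}"
  puts "safe:       #{safe_import(payload).inspect}"
  puts "validator:  #{valid_archive_name?(payload)}"
end
```

Run it and the vulnerable call prints two lines, the second being `INJECTED` emitted by the attacker’s command, while the safe call prints one line containing the semicolon literally. When auditing Ruby, grep for `system`, `` ` ``, `%x`, `Open3`, `IO.popen` and `Kernel#spawn` called with a single interpolated string; each one is a candidate for this exact bug.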

Calendar Spam Finally Fixed

Consider yourself lucky if you’ve missed out on the scourge that is calendar spam. Google Calendar is great, because anyone can send you an email with an invite and the event automatically shows up on your calendar. In retrospect, it seems obvious that this would be used for spam. Regardless, after multiple years of the spam problem, Google is finally rolling out a feature to only add invitations to your calendar from known senders. Now, if you get asked about it or suffer from calendar spam yourself, you know to look under event settings and change the setting. Finally!

Don’t Miss Your Last Chance To Enter The Hack It Back Challenge

While the 2022 Hackaday Prize as a whole winds its way through a good chunk of the year, each individual challenge that makes up the competition only sticks around for a limited time. As hard as it might be to believe, our time with the Hack it Back challenge is nearly at a close, with just a few days left to enter your project before the July 24th deadline.

Each challenge in this year’s Hackaday Prize has been designed around the core themes of sustainability, resiliency, and circularity, and for the Hack it Back phase of the competition we asked hackers to essentially keep as much hardware out of the landfill as possible. That could mean making a simple fix that puts a piece of equipment back into service, or it might be a complete rebuild of an older device to bring it up to modern standards. These are the kind of projects Hackaday was built on, so turning it into an official challenge this year made perfect sense.

Dead Solar Panels Are The Hottest New Recyclables

When it comes to renewable energy, there are many great sources. Whether it’s solar, wind, or something else, though, we need a lot of it. Factories around the globe are rising to the challenge to provide what we need.

We can build plenty of new solar panels, of course, but we need to think about what happens when they reach end of life. As it turns out, with so much solar now out in the field, a major new recycling industry may be just around the corner.
