This Week In Security:Use-After-Free For Dummies, WiFi Cracking, And PHP-FPM

October 29, 2021 by Jonathan Bennett 27 Comments

In a brilliant write-up, [Stephen Tong] brings us his “Use-After-Free for Dummies“. It’s a surprising tale of a vulnerability that really shouldn’t exist, and a walkthrough of how to complete a capture the flag challenge. The vulnerable binary is running on a Raspberry Pi, which turns out to be very important. It’s a multithreaded application that uses lock-free data sharing, through pair of integers readable by multiple threads. Those ints are declared using the volatile keyword, which is a useful way to tell a compiler not to optimize too heavily, as this value may get changed by another thread.

On an x86 machine, this approach works flawlessly, as all the out-of-order execution features are guaranteed to be globally transparent. Put another way, even if thread one can speed up execution by modifying shared memory ahead of time, the CPU will keep the shared memory changes in the proper order. When that shared memory is controlling concurrent access, it’s really important that ordering happens the way you expect it. What was a surprise to me is that the ARM platform does not provide that global memory ordering. While the out-of-order execution will be transparent to the thread making changes, other threads and processes may observe those actions out of order. An example may help:

volatile int value;
volatile int ready;

// Thread 1
value = 123; // (1)
ready = 1; // (2)

// Thread 2
while (!ready); // (3)
print(value); // (4)

Continue reading “This Week In Security:Use-After-Free For Dummies, WiFi Cracking, And PHP-FPM” →

Four More Talks Added To The 2021 Remoticon Lineup

October 28, 2021 by Tom Nardi 1 Comment

We’ve already unveiled multiple keynote speakers and a slate of fascinating presenters that will be showing off everything from reverse engineering vintage calculators to taking those first tentative steps on your CAD journey for this year’s Remoticon. You’d be forgiven for thinking that’s everything you’ll see at the conference, but there’s still plenty to announce before the two-day virtual event kicks off on November 19th. Normally we’d be promising to make sure you get your money’s worth, but since tickets are completely free, we’re shooting a bit higher than that.

We were blown away by the number of fantastic talk proposals we received during this year’s extended call. Let’s take a look at the next four presenters who will be joining us for the 2021 Hackaday Remoticon on November 19th through the 20th.

Continue reading “Four More Talks Added To The 2021 Remoticon Lineup” →

Tech In Plain Sight: Air Conditioning

October 27, 2021 by Al Williams 41 Comments

I’m always amazed that technology can totally wipe out industries. Sure, some people make a living making horseshoes, for example, but the demand for them is way down compared to what it would have been when horses were the normal mode of transportation. But even so, people still make horseshoes. But think about the ice harvesting business. Never heard of it? Turns out, before refrigeration, there was a huge business of moving ice from where it naturally occurred to other places and storing it, usually underground with a lot of insulation. As far as I know, that business — including the neighborhood ice man — is totally gone now except for some historical exhibitions. We take refrigeration and air conditioning for granted, but it hasn’t been that long ago that ice was a luxury and your own reprieve from the heat was a fan.

Early Cooling

The story starts a little earlier than you might expect. In the 1840s, physician John Gorrie was concerned about “the evils of high temperature.” His hospital in Florida imported ice using the aforementioned ice trade and it wasn’t cheap nor was it very effective.

Undeterred, he developed a machine that used a horse, a waterwheel, steam, or wind power to drive a compressor to create ice. He got a patent in 1851 but it failed to catch on before his financial backer died. In fact, Oliver Evans had the idea in 1805 but never built a working machine. Jacob Perkins patented the first compression cooler in 1834, again with little practical use.

When U.S. President Garfield was shot, Navy engineers built a cooling box using cloths soaked in ice water to cool the president’s hospital room by 20 degrees. Since the mortally wounded president survived 80 days after the shooting, we presume he appreciated the comfort.

Continue reading “Tech In Plain Sight: Air Conditioning” →

VCF East 2021: Novasaur TTL Computer Sets The Bar

October 25, 2021 by Tom Nardi 12 Comments

There was certainly no shortage of unique computers on display at the 2021 Vintage Computer Festival East; that’s sort of the point. But even with the InfoAge Science and History Museum packed to the rafters with weird and wonderful computing devices stretching back to the very beginning of the digital age, Alastair Hewitt’s Novasaur was still something of an oddity.

In fact, unless you knew what it was ahead of time, you might not even recognize it as a computer. Certainly not a contemporary one, anyway. There’s nothing inside its Polycase ZN-40 enclosure that looks like a modern CPU, a bank of RAM, or a storage device. Those experienced with vintage machines would likely recognize the tight rows of Advanced Schottky TTL chips as the makings of some sort of computer that predates the 8-bit microprocessor, but its single 200 mm x 125 mm (8 in x 5 in) board seems far too small when compared to the 1970s machines that would have utilized such technology. So what is it?

Inspired by projects such as the Gigatron, Alastair describes the Novasaur as a “full-featured personal computer” built using pre-1980 components. In his design, 22 individual ICs stand in for the computer’s CPU, and another 12 are responsible for a graphics subsystem that can push text and bitmapped images out over VGA at up to 416 x 240. It has 512 K RAM, 256 K ROM, and is able to emulate the Intel 8080 fast enough to run CP/M and even play some early 80s PC games.

Continue reading “VCF East 2021: Novasaur TTL Computer Sets The Bar” →

Soft Robotics Hack Chat

October 25, 2021 by Dan Maloney No comments

Join us on Wednesday, October 27 at noon Pacific for the Soft Robotics Hack Chat with Ali Shtarbanov!

By this point in technological history, we’ve all been pretty well trained in how to think about robots. Designs vary wildly, but to achieve their goals, most robots have one thing in common: they’re rigid. Whether it’s a robot arm slinging a spot welder on an assembly line or a robot dog on patrol, they’re largely made of stiff, strong, materials that, more often than not, are powered by electric motors of some sort.

But just because that’s the general design palette for robotics doesn’t mean there aren’t other ways. Robots, especially those that are intended to be used in close association with humans, can often benefit from being a little more flexible. And that’s where the field of soft robotics shines. Rather than a skeleton of machined aluminum and powerful electric actuators, these robots tend more toward silicone rubber construction with pneumatic activation. Some soft robots are even compliant and safe enough to be wearable, giving humans the ability to do things they never could before, or perhaps restoring functions that have been lost to the ravages of entropy.

Soft robotics is a fascinating field with the potential to really revolutionize things like wearables and collaborative robotics. To help us understand a little more about what’s going on in this space, we’re pleased to welcome Ali Shtarbanov to the Hack Chat. Ali is a Ph.D. student at MIT’s famed Media Lab, where he studies Human-Computer Interaction. He’s particularly interested in making soft robotics as fast and easy to prototype as traditional robotics have become, and to this end, he invented FlowIO, an open-source platform for pneumatic control. We’ll use this as a jumping-off point to discuss the whole field of soft robotics, especially where it is now and where Ali sees it going in the future.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, October 27 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Hackaday Links: October 24, 2021

October 24, 2021 by Kristina Panos 13 Comments

It seems that the engineers of NASA’s Lucy spacecraft have some ‘splaining to do. The $981M asteroid-seeking mission launched without a hitch, but when the two solar panels unfolded, one of them failed to latch into place. Lucy’s two large solar arrays combine to an impressive 51 square meters. Both are critical to this 12-year mission as it will travel farther from the Sun than any previous spacecraft, and be gone for longer. The problem is that Lucy is on an escape route, and so they can’t just sidle up to her with a repair craft. Even so, NASA and Lockheed are “pretty optimistic” that they can fix the problem somehow. On the bright side, both solar arrays are providing power and charging batteries inside the cockpit.

It’s kind of hard to believe, but KDE is turning 25 this year! Well, the actual anniversary date (October 14th) has already passed, but the festivities continue through the 25th when KDE founder Matthias Ettrich delivers a fireside chat at 17:00 UTC. Registration begins here.

EnergyStar, purveyors of appliance efficiency ratings and big yellow stickers, will no longer recommend gas-powered water heaters, furnaces, and clothes dryers on their yearly Most Efficient list. They will continue to give them ratings, however. This move was prompted by several environmentalist groups who pointed out that continuing to recommend gas appliances would not put America on track to reach Biden’s 2050 net-zero carbon emissions goal, since they produce greenhouse gases. We totally understand the shift away from gas, but not so much the nitty gritty of this move, which the article presents as exclusive of any appliance that doesn’t run on 100% clean energy. You can’t prove that a user’s electricity is renewable. For example, this consumer is well aware that the energy company in her town still burns coal for the most part. Anyway, here’s the memo. And a PDF warning.

Sure, you can trawl eBay for space rocks, but how do you know for sure that you’re getting a real meteorite? You could play the 1 in 100 billion or so odds that one will just fall in your lap. Just a few weeks ago, a meteorite crashed through a British Columbia woman’s ceiling and landed between two decorative pillows on her bed, narrowly missing her sleeping head. Ruth Hamilton awoke to the sound of an explosion, unaware of what happened until she saw the drywall dust on her face and looked back at the bed. The 2.8 pound rock was the size of a large man’s fist and was one of two meteorites to hit Golden, BC that evening. The other one landed safely in a field.

Hackaday alum Jeremy Cook wrote in to give us a heads up that his newest build, the JC Pro Macro 2, is currently available through Kickstarter. It’s exactly what it sounds like — a Pro Micro-powered macro pad. But this version is packed with extra keyswitches, blinkenlights, and most importantly for the Hackaday universe, broken out GPIO pins. Do what you will with the eight switches, rotary encoder, and optional OLED screen, and do it with Arduino or QMK. Jeremy is offering a variety of reward levels, from bare boards with SMT LEDs soldered on to complete kits, or fully assembled and ready to go.

In Search Of The First Comment

October 23, 2021 by Elliot Williams 105 Comments

Are you writing your code for humans or computers? I wasn’t there, but my guess is that at the dawn of computing, people thought that they were writing for the machines. After all, they were writing in machine language, and whatever bits they flipped into the electronic brain stayed in the electronic brain, unless punched out on paper tape. And the commands made the machine do things, not other people. Code was written strictly for computers.

Modern programming practice, on the other hand, is aimed firmly at people. Variable and function names are chosen to be long and to describe what they contain or do. “Readability” of code is a prized attribute. Indeed, sometimes the fact that it does the right thing at all almost seems to be an afterthought. (I kid!)

Somewhere along this path, there was an important evolutionary step, like the first fish using its flippers to walk on land. Comments were integrated into programming languages, formalizing the notes that coders of old surely wrote by hand in the margins of the paper first-drafts before keying it in. So I went looking for the missing link: the first computer language, and ideally the first program, with comments. I came up empty handed.

Or rather full handed. Every computer language that I could find had comments from the beginning. FORTRAN had comments, marked by a “C” as the first character in a line. APL had comments, marked by the bizarro rune ⍝. Even the custom language written for the Apollo 11 guidance computers had comments — the now-commonplace “#”. I couldn’t find an early programming language without comments.

My guess is that the first language with a comment must have been an assembly language, because I don’t know of any machines with a native comment instruction. (How cool and frivolous would that be?)

Assemblers simply translate mnemonic names to their machine instruction counterparts, but this gives them the important freedom to ignore anything starting with, traditionally, a semicolon. Even though you’re just transferring the contents of register X to the memory location pointed to in register Y, you can write that you’re “storing the height above ground (meters)” in the comments.

The crucial evolutionary step, though, is saving the comments along with the code. Simply ignoring everything that comes after the semicolon and throwing it away doesn’t count. Does anyone know? What was the first code to include comments as part of the code itself, and not simply as marginalia?