This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.
By this point in technological history, we’ve all been pretty well trained in how to think about robots. Designs vary wildly, but to achieve their goals, most robots have one thing in common: they’re rigid. Whether it’s a robot arm slinging a spot welder on an assembly line or a robot dog on patrol, they’re largely made of stiff, strong, materials that, more often than not, are powered by electric motors of some sort.
But just because that’s the general design palette for robotics doesn’t mean there aren’t other ways. Robots, especially those that are intended to be used in close association with humans, can often benefit from being a little more flexible. And that’s where the field of soft robotics shines. Rather than a skeleton of machined aluminum and powerful electric actuators, these robots tend more toward silicone rubber construction with pneumatic activation. Some soft robots are even compliant and safe enough to be wearable, giving humans the ability to do things they never could before, or perhaps restoring functions that have been lost to the ravages of entropy.
Soft robotics is a fascinating field with the potential to really revolutionize things like wearables and collaborative robotics. To help us understand a little more about what’s going on in this space, we’re pleased to welcome Ali Shtarbanov to the Hack Chat. Ali is a Ph.D. student at MIT’s famed Media Lab, where he studies Human-Computer Interaction. He’s particularly interested in making soft robotics as fast and easy to prototype as traditional robotics have become, and to this end, he invented FlowIO, an open-source platform for pneumatic control. We’ll use this as a jumping-off point to discuss the whole field of soft robotics, especially where it is now and where Ali sees it going in the future.
It seems that the engineers of NASA’s Lucy spacecraft have some ‘splaining to do. The $981M asteroid-seeking mission launched without a hitch, but when the two solar panels unfolded, one of them failed to latch into place. Lucy’s two large solar arrays combine to an impressive 51 square meters. Both are critical to this 12-year mission as it will travel farther from the Sun than any previous spacecraft, and be gone for longer. The problem is that Lucy is on an escape route, and so they can’t just sidle up to her with a repair craft. Even so, NASA and Lockheed are “pretty optimistic” that they can fix the problem somehow. On the bright side, both solar arrays are providing power and charging batteries inside the cockpit.
It’s kind of hard to believe, but KDE is turning 25 this year! Well, the actual anniversary date (October 14th) has already passed, but the festivities continue through the 25th when KDE founder Matthias Ettrich delivers a fireside chat at 17:00 UTC. Registration begins here.
EnergyStar, purveyors of appliance efficiency ratings and big yellow stickers, will no longer recommend gas-powered water heaters, furnaces, and clothes dryers on their yearly Most Efficient list. They will continue to give them ratings, however. This move was prompted by several environmentalist groups who pointed out that continuing to recommend gas appliances would not put America on track to reach Biden’s 2050 net-zero carbon emissions goal, since they produce greenhouse gases. We totally understand the shift away from gas, but not so much the nitty gritty of this move, which the article presents as exclusive of any appliance that doesn’t run on 100% clean energy. You can’t prove that a user’s electricity is renewable. For example, this consumer is well aware that the energy company in her town still burns coal for the most part. Anyway, here’s the memo. And a PDF warning.
Sure, you can trawl eBay for space rocks, but how do you know for sure that you’re getting a real meteorite? You could play the 1 in 100 billion or so odds that one will just fall in your lap. Just a few weeks ago, a meteorite crashed through a British Columbia woman’s ceiling and landed between two decorative pillows on her bed, narrowly missing her sleeping head. Ruth Hamilton awoke to the sound of an explosion, unaware of what happened until she saw the drywall dust on her face and looked back at the bed. The 2.8 pound rock was the size of a large man’s fist and was one of two meteorites to hit Golden, BC that evening. The other one landed safely in a field.
Hackaday alum Jeremy Cook wrote in to give us a heads up that his newest build, the JC Pro Macro 2, is currently available through Kickstarter. It’s exactly what it sounds like — a Pro Micro-powered macro pad. But this version is packed with extra keyswitches, blinkenlights, and most importantly for the Hackaday universe, broken out GPIO pins. Do what you will with the eight switches, rotary encoder, and optional OLED screen, and do it with Arduino or QMK. Jeremy is offering a variety of reward levels, from bare boards with SMT LEDs soldered on to complete kits, or fully assembled and ready to go.
Are you writing your code for humans or computers? I wasn’t there, but my guess is that at the dawn of computing, people thought that they were writing for the machines. After all, they were writing in machine language, and whatever bits they flipped into the electronic brain stayed in the electronic brain, unless punched out on paper tape. And the commands made the machine do things, not other people. Code was written strictly for computers.
Modern programming practice, on the other hand, is aimed firmly at people. Variable and function names are chosen to be long and to describe what they contain or do. “Readability” of code is a prized attribute. Indeed, sometimes the fact that it does the right thing at all almost seems to be an afterthought. (I kid!)
Somewhere along this path, there was an important evolutionary step, like the first fish using its flippers to walk on land. Comments were integrated into programming languages, formalizing the notes that coders of old surely wrote by hand in the margins of the paper first-drafts before keying it in. So I went looking for the missing link: the first computer language, and ideally the first program, with comments. I came up empty handed.
Or rather full handed. Every computer language that I could find had comments from the beginning. FORTRAN had comments, marked by a “C” as the first character in a line. APL had comments, marked by the bizarro rune ⍝. Even the custom language written for the Apollo 11 guidance computers had comments — the now-commonplace “#”. I couldn’t find an early programming language without comments.
My guess is that the first language with a comment must have been an assembly language, because I don’t know of any machines with a native comment instruction. (How cool and frivolous would that be?)
Assemblers simply translate mnemonic names to their machine instruction counterparts, but this gives them the important freedom to ignore anything starting with, traditionally, a semicolon. Even though you’re just transferring the contents of register X to the memory location pointed to in register Y, you can write that you’re “storing the height above ground (meters)” in the comments.
The crucial evolutionary step, though, is saving the comments along with the code. Simply ignoring everything that comes after the semicolon and throwing it away doesn’t count. Does anyone know? What was the first code to include comments as part of the code itself, and not simply as marginalia?
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.
Want this type of article to hit your inbox every Friday morning? You should sign up!
For a happy weekend away in early September, I joined a few of my continental friends for the NewLine event organised by Hackerspace Gent in Belgium. You may have seen some of the resulting write-ups here, and for me the trip is as memorable for the relaxing weekend break it gave me in a mediaeval city as it is for the content of the talks and demonstrations. We took full advantage of the warm weather to have some meals out on café terraces, and it was on the way to one of them that my interest was captured by something unexpected. There at the end of the street was a cannon, not the normal-size cannon you’ll see tastefully arranged around historical military sites the world over, but a truly massive weapon. I had stumbled upon Dulle Griet, one of very few surviving super-sized 15th century siege cannons. It even had a familiar feel to it, being a sister to the very similar Mons Meg at Edinburgh Castle in Scotland.
Hackaday editors Mike and Elliot Williams catch up on a week’s worth of hacks. It turns out there are several strange radio bands that don’t require a license, and we discuss this weekend’s broadcast where you can listen in. It’s unlikely you’ve ever seen the website check-box abused quite like this: it’s the display for playing Doom! Just when you thought you’d seen all the ESP32’s tricks it gets turned into a clock styled after Out Run. Mike geeks out over how pianos work, we’re both excited to have Jeremy Fielding giving a Keynote talk at Remoticon, and we wrap things up with a chat about traffic rules in space.
Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
The government of Argentina has a national ID card system, and as a result maintains a database containing data on every citizen in the country. What could possibly go wrong? Predictably, an attacker has managed to gain access to the database, and is offering the entire dataset for sale. The Argentinian government has claimed that this wasn’t a mass breach, and only a handful of credentials were accessed. This seems to be incorrect, as the seller was able to provide the details of an arbitrary citizen to the journalists investigating the story.
Patch Tuesday
Microsoft has released their monthly round of patches for October, and there are a couple doozies. CVE-2021-40486 is an RCE in Microsoft Word, and this flaw can trigger via the preview pane. CVE-2021-38672 and CVE-2021-40461 are both RCE vulnerabilities in Hyper-V. And finally, CVE-2021-40449 is a privilege upgrade actively being used in the wild, more on that in a moment. Oh, and you thought the Print Nightmare was over? CVE-2021-36970 is yet another print spooler vulnerability. The unfortunate thing about the list of Microsoft vulnerabilities is that there is hardly any information available about them.
On the other hand, Apple just patched CVE-2021-30883, a 0-day that’s being actively exploited in iOS. With the release of the fix, [Saar Amar] has put together a very nice explanation of the bug with PoC. It’s a simple integer overflow when allocating a buffer, leading to an arbitrary memory write. This one is particularly nasty, because it’s not gated behind any permissions, and can be triggered from within app sandboxes. It’s being used in the wild already, so go update your iOS devices now.
Kaspersky brings us a report on a CVE-2021-40449 being used in the wild. It’s part of an attack they’re calling MysterySnail, and seems to originate from IronHusky out of China. The vulnerability is a use-after-free, and is triggered by making a the ResetDC API call that calls its own callback. This layer of recursive execution results in an object being freed before the outer execution has finished with it.
Since the object can now be re-allocated and controlled by the attacker code, the malformed object allows the attacker to run their code in kernel space, achieving privilege escalation. This campaign then does some data gathering and installs a Remote Access Trojan. Several Indicators of Compromise are listed as part of the write-up.
Off to the Races
Google’s Project Zero is back with a clever Linux Kernel hack, an escalation of privilege triggered by a race condition in the pseudoterminal device. Usually abbreviated PTY, this kernel device can be connected to userspace applications on both ends, making for some interesting interactions. Each end has a struct that reflects the status of the connection. The problem is that TIOCSPGRP, used to set the process group that should be associated with the terminal, doesn’t properly lock the terminal’s internal state.
As a result, calling this function on both sides at the same time is a race condition, where the reference count can be corrupted. Once the reference count is untrustworthy, the whole object can be freed, with a dangling pointer left in the kernel. From there, it’s a typical use-after-free bug. The post has some useful thoughts about hardening a system against this style of attack, and the bug was fixed December 2020.
AI vs Pseudorandom Numbers
[Mostafa Hassan] of the NCC Group is doing some particularly fascinating research, using machine learning to test pseudorandom number generators. In the first installment, he managed to break the very simple xorshift128 algorithm. Part two tackles the Mersenne Twister, which also falls to the neural network. Do note that neither of these are considered cryptographic number generators, so it isn’t too surprising that a ML model can determine their internal state. What will be most interesting is the post to come, when he tackles other algorithms thought to be secure. Watch for that one in a future article.
L0phtcrack Becomes Open Source
In a surprise to me, the L0phtcrack tool has been released as open source. L0phtcrack is the password cracking/auditing tool created by [Mudge] and company at L0pht Heavy Industries, about a billion years ago. Ownership passed to @stake, which was purchased by Symantec in 2004. Due to export regulations, Symantec stopped selling the program, and it was reacquired by the original L0pht team.
In April 2020, Terahash announced that they had purchased rights to the program, and began selling and supporting it as a part of their offerings. Terahash primarily builds GPU based cracking hardware, and has been hit exceptionally hard by the chip shortage. As a result of Terahash entering bankruptcy protection, the L0phtcrack ownership has reverted back to L0pht, and version 7.2.0 has been released as Open Source.
It’s usual for a Hackaday scribe to read hundreds of web pages over a typical week as we traverse the world in search of the good stuff to bring you. Sometimes they’re obvious Hackaday stories but as you’ll all no doubt understand we often end up on wild tangents learning about stuff we never expected to be excited about. Thus it was last week that I happened upon a GQ piece charting the dwindling remains of the communes set up in rural California by hippies during the counterculture years.
With only a few ageing residents who truly embraced the back-to-the-land dream remaining, these adventurously-designed home-made houses are gently decaying into the forest. It’s a disappearing world, but it’s also close to home for me as someone who crew up on a self-sufficiency smallholding in the 1970s. My parents may not have been hippies in the way those of everyone else in that scene at the time seemed to be, but I learned all my curiosity and hacking skills in the many opportunities presented to a small child by an unruly combination of small farm and metalworking business. There’s part of me that would build a hippy home in a Californian forest in a heartbeat, and throw myself with gusto into subsistence vegetable growing to get me through each winter.
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, October 27 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.
Or rather full handed. Every computer language that I could find had comments from the beginning. FORTRAN had comments, marked by a “C” as the first character in a line. APL had comments, marked by the bizarro rune ⍝. Even the custom language written for the 
In a surprise to me, 
