This Week In Security: Sudo, Database Breaches, And Ransomware

January 29, 2021 by Jonathan Bennett 27 Comments

We couldn't resist, OK? — Obligatory XKCD

Sudo is super important Linux utility, as well as the source of endless jokes. What’s not a joke is CVE-2021-3156, a serious vulnerability around incorrect handling of escape characters. This bug was discovered by researchers at Qualys, and has been in the sudo codebase since 2011. If you haven’t updated your Linux machine in a couple days, you may very well be running the vulnerable sudo binary still. There’s a simple one-liner to test for the vulnerability:

sudoedit -s '\' `perl -e 'print "A" x 65536'`

In response to this command, my machine throws this error, meaning it’s vulnerable:

malloc(): corrupted top size Aborted (core dumped)

To understand the problem with sudo, we have to understand escape characters. It really boils down to spaces in file and folder names, and how to deal with them. You want to name your folder “My Stuff”? That’s fine, but how do you interact with that directory name on the command line, when spaces are the default delimiter between arguments? One option is to wrap it in quotation marks, but that gets old in a hurry. The Unix solution is to use the backslash character as an escape character. Hence you can refer to your fancy folder as My\ Stuff. The shell sees the escape character, and knows to interpret the space as part of the folder name, rather than an argument separator. Escape characters are a common vulnerability location, as there are plenty of edge cases. Continue reading “This Week In Security: Sudo, Database Breaches, And Ransomware” →

Swine Of The Times: Pig-to-Human Organ Transplants On Track For 2021

January 28, 2021 by Kristina Panos 73 Comments

Every day in the US, seventeen people die because they couldn’t get a organ transplant in time. An American biotech company called United Therapeutics is looking to pick up the lifesaving slack by producing a line of genetically-modified pigs for the purpose of harvesting their organs, among other therapeutic uses. United Therapeutics’ pig-farming subsidiary Revivicor is a spin-off of PPL Therapeutics, the company that gave us Dolly the cloned sheep back in 1996. They intend to start transplanting pig organs into humans as early as this year.

Baby Fae after transplant surgery. Image by Duane Miller-AP via Time Magazine

Although it sounds like science fiction, the idea of transplanting animal cells, organs, and tissue into humans has been around for over a hundred years. The main problem with xenotransplantation is that it usually triggers severe immune system reactions in the recipient’s body. In one of the more noteworthy cases, a baby girl received a baboon heart in 1984, but died a few weeks later because her body rejected the organ.

The leading cause of xenotransplant rejection is a sugar called alpha-gal. This sugar appears on the cell surfaces of all non-primate mammals. Alpha-gal is problematic for other reasons, too: a condition called alpha-gal syndrome usually begins when a Lone Star tick bites a person and transmits alpha-gal cells from the blood of animals they have bitten. From that point on, the person will experience an allergic reaction when eating red meat such as beef, pork, and lamb.

Continue reading “Swine Of The Times: Pig-to-Human Organ Transplants On Track For 2021” →

Before Google, There Was The Reference Librarian

January 27, 2021 by Al Williams 75 Comments

I know it is a common stereotype for an old guy to complain about how good the kids have it today. I, however, will take a little different approach: We have it so much better today when it comes to access to information than we did even a few decades ago. Imagine if I asked you the following questions:

Where can you have a custom Peltier device built?
What is the safest chemical to use when etching glass?
What does an LM1812 IC do?
Who sells AWG 12 wire with Teflon insulation?

You could probably answer all of these trivially with a quick query on your favorite search engine. But it hasn’t always been that way. In the old days, we had to make friends with three key people: the reference librarian, the vendor representative, and the old guy who seemed to know everything. In roughly that order. Continue reading “Before Google, There Was The Reference Librarian” →

Cable Mechanism Maths: Designing Against The Capstan Equation

January 26, 2021 by Sonya Vasquez 20 Comments

I fell in love with cable driven mechanisms a few years ago and put together some of my first mechanical tentacles to celebrate. But only after playing with them did I start to understand the principles that made them work. Today I want to share one of the most important equations to keep in mind when designing any device that involves cables, the capstan equation. Let some caffeine kick in and stick with me over the next few minutes to get a sense of how it works, how it affects the overall friction in your system, and how you can put it to work for you in special cases.

A Quick Refresher: Push-Pull Cable Driven Mechanisms

But first: just what exactly are cable driven mechanisms? It turns out that this term refers to a huge class of mechanisms, so we’ll limit our scope just to push-pull cable actuation systems.

These are devices where cables are used as actuators. By sending these cables through a flexible conduit, they serve a similar function to the tendons in our body that actuate our fingers. When designing these, we generally assume that the cables are both flexible and do not stretch when put in tension. Continue reading “Cable Mechanism Maths: Designing Against The Capstan Equation” →

The Politics Of Supersonic Flight: The Concord(e)

January 25, 2021 by Jenny List 29 Comments

Every nation has icons of national pride: a sports star, a space mission, or a piece of architecture. Usually they encapsulate a country’s spirit, so citizens can look up from their dreary lives and say “Now there‘s something I can take pride in!” Concorde, the supersonic airliner beloved by the late 20th century elite for their Atlantic crossings, was a genuine bona-fide British engineering icon.

But this icon is unique as symbols of national pride go, because we share it with the French. For every British Airways Concorde that plied the Atlantic from London, there was another doing the same from Paris, and for every British designed or built Concorde component there was another with a French pedigree. This unexpected international collaboration gave us the world’s most successful supersonic airliner, and given the political manoeuverings that surrounded its gestation, the fact that it made it to the skies at all is something of a minor miracle. Continue reading “The Politics Of Supersonic Flight: The Concord(e)” →

ESP32-S2 And RP2040 Hack Chat With Adafruit

January 25, 2021 by Dan Maloney 20 Comments

Join us on Wednesday, January 27 at noon Pacific for the ESP32-S2 and RP2040 Hack Chat with Adafruit!

It’s always an event when we have Adafruit on the Hack Chat, and last time was no exception. Then, the ESP32-S2 was the new newness, and Adafruit was just diving into what’s possible with the chip. It’s an interesting beast — with a single core and no Bluetooth or Ethernet built-in, it appears to be less capable than other Espressif chips. But with a faster CPU, more GPIO and ADCs, a RISC-V co-processor, and native USB, the chip looked promising.

Among their other duties, the folks at Adafruit have spent the last six months working with the chip, and they’d now like to share what they’ve learned with the community. So Limor “Ladyada” Fried, Phillip Torrone, Scott Shawcroft, Dan Halbert, and Jeff Epler will stop by the Hack Chat to show us what’s under the hood of the ESP32-S2. They’ve worked on a bunch of projects using the chip, and they’ve taken a deep-dive into the chip’s deep-sleep capabilities, so stop by the Chat with your burning questions about low-power applications or anything ESP32-S2-related and ask away.

Plus, a late and exciting addition to the agenda: they’ll be talking about the recently released RP2040, the first custom chip from the folks at Raspberry Pi. We’ve already started talking about the Raspberry Pi Pico, the dev board that uses the chip, and Adafruit will share what they’ve learned about the RP2040 so far.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, January 27 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

Continue reading “ESP32-S2 And RP2040 Hack Chat With Adafruit” →

Hackaday Links: January 24, 2021

January 24, 2021 by Dan Maloney 9 Comments

Code can be beautiful, and good code can be a work of art. As it so happens, artful code can also result in art, if you know what you’re doing. That’s the idea behind Programming Posters, a project that Michael Fields undertook to meld computer graphics with the code behind the images. It starts with a simple C program to generate an image. The program needs to be short enough to fit legibly into the sidebar of an A2 sheet, and as if that weren’t enough of a challenge, Michael constrained himself to the standard C libraries to generate his graphics. A second program formats the code and the image together and prints out a copy suitable for display. We found the combination of code and art beautiful, and the challenge intriguing.

It always warms our hearts when we get positive feedback from the hacker community when something we’ve written has helped advance a project or inspire a build. It’s not often, however, that we learn that Hackaday is required reading. Educators at the Magellan International School in Austin, Texas, recently reached out to Managing Editor Elliot Williams to let him know that all their middle school students are required to read Hackaday as part of their STEM training. Looks like the kids are paying attention to what they read, too, judging by KittyWumpus, their ongoing mechatronics/coding project that’s unbearably adorable. We’re honored to be included in their education, and everyone in the Hackaday community should humbled to realize that we’ve got an amazing platform for inspiring the next generation of hardware hackers.

Hackers seem to fall into two broad categories: those who have built a CNC router, and those who want to build one. For those in the latter camp, the roadblock to starting a CNC build is often “analysis paralysis” — with so many choices to make, it’s hard to know where to start. To ease that pain and get you closer to starting your build, Matt Ferraro has penned a great guide to planning a CNC router build. The encyclopedic guide covers everything from frame material choice to spindle selection and software options. If Matt has a bias toward any particular options it’s hard to find; he lists the pros and cons of everything so you can make up your own mind. Read it at your own risk, though; while it lowers one hurdle to starting a CNC build, it does nothing to address the next one: financing.

Like pretty much every conference last year and probably every one this year, the Open Hardware Summit is going to be virtual. But they’re still looking for speakers for the April conference, and just issued a Call for Proposals. We love it when we see people from the Hackaday community pop up as speakers at conferences like these, so if you’ve got something to say to the open hardware world, get a talk together. Proposals are due by February 11, so get moving.

And finally, everyone will no doubt recall the Boston Dynamics robots that made a splash a few weeks back with their dance floor moves. We loved the video, mainly for the incredible display of robotic agility and control but also for the choice of music. We suppose it was inevitable, though, that someone would object to the Boomer music and replace it with something else, like in the video below, which seems to sum up the feelings of those who dread our future dancing overlords. We regret the need to proffer a Tumblr link, but the Internet is a dark and wild place sometimes, and only the brave survive.

https://commiemartyrshighschool.tumblr.com/post/640760882224414720/i-fixed-the-audio-for-that-boston-dynamics-video