When all else fails, blame it on the cloud? It seems like that’s the script for just about every outage that makes the news lately, like the Wyze camera outage this week that kept people from seeing feeds from their cameras for several hours. The outage went so far that some users’ cameras weren’t even showing up in the Wyze app, and there were even reports that some people were seeing thumbnails for cameras they don’t own. That’s troubling, of course, and Wyze seems to have taken action on that quickly by disabling a tab on the app that would potentially have let people tap into camera feeds they had no business seeing. Still, it looks like curiosity got the better of some users, with 1,500 tapping through when notified of motion events and seeing other people walking around inside unknown houses. The problem was resolved quickly, with blame laid on an “AWS partner” even though there were no known AWS issues at the time of the outage. We’ve said it before and we’ll say it again: security cameras, especially mission-critical ones, have no business being connected with anything but Ethernet or coax, and exposing them to the cloud is a really, really bad idea.
Hackaday Columns (4114 Articles)
This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.
Want To Learn Binary? Draw Space Invaders!
This was the week that I accidentally taught my nearly ten-year-old son binary. And I didn’t do it on purpose, I swear.
It all started innocently enough. He had a week vacation, and on one of those days, we booked him a day-course for kids at our local FabLab. It was sold as a “learn to solder” class, and the project they made was basically a MiniPOV: eight LEDs driven by a museum-piece AVR ATtiny2313. Blinking lights make a pattern in your persistence of vision as you swipe it back and forth.
The default pattern was a heart, which is nice enough. But he wanted to get his own designs in there, and of course he knows that I know how to flash the thing with new code. So I got him to solder on an ISP header and start drawing patterns on grids of graph paper while I got the toolchain working and updated some of the 2000’s-era code so it would compile.
There’s absolutely no simpler way to get your head around binary than to light up a row of LEDs, and transcribing the columns of his fresh pixel art into ones and zeros was just the motivation he needed. We converted the first couple rows into their decimal equivalents, but it was getting close to dinner time, so we cheesed out with the modern 0b00110100 format for the rest. This all happened quite organically; “unintentional parenting” is what we call it.
While we were eating dinner, I got the strangest sense of deja vu. When I was around ten or eleven, my own father told me about the custom fonts for the Okidata 24-pin printer at his lab, because he needed me out of his hair for a while, and I set out to encode all of the Hobbit runes for it. (No comment.) He must have handed me a piece of graph paper and explained how it goes, and we had a working rune font by evening. That was probably how I learned about binary as well.
Want to teach someone binary? Give them a persistence of vision toy, or a dot-matrix printer.
(Art is from a much older POV project: Trakr POV — a hack of an old kids’ toy to make a long-exposure POV image. But it looks cool, and it gets the point across.)
Hackaday Podcast Episode 259: Twin-T, Three-D, And Driving To A Tee
Hackaday Editors Elliot Williams and Al Williams sat down to compare notes on their favorite Hackaday posts of the week. You can listen in on this week’s podcast. The guys talked about the latest Hackaday contest and plans for Hackaday Europe. Plus, there’s a what’s that sound to try. Your guess can’t be worse than Al’s, so take a shot. You could win a limited-edition T-shirt.
In technical articles, Elliot spent the week reading about brushless motor design, twin-t oscillators, and a truly wondrous hack to reverse map a Nintendo Switch PCB. Al was more nostalgic, looking at the 555 and an old Radio Shack kit renewed. He also talked about a method to use SQL to retrieve information from Web APIs.
Quick hacks were a decided mix with everything from homemade potentiometers to waterproof 3D printing. Finally, the guys talked about Hackaday originals. Why don’t we teach teens to drive with simulators? And why would you want to run CP/M — the decades-old operating system — under Linux?
Download the file suitable for listening, burning on CDs, or pressing on vinyl.
This Week In Security: Wyze, ScreenConnect, And Untrustworthy Job Postings
For a smart home company with an emphasis on cloud-connected cameras, what could possibly be worse than accidentally showing active cameras to the wrong users? Doing it again, to far more users, less than 6 months after the previous incident.
The setup for this breach was an AWS problem that caused a Wyze system outage last Friday morning. As the system was restored, the load spiked and a caching library took the brunt of the unintentional DDoS. This library apparently has a fail state of serving images and videos to the wrong users. An official report from Wyze mentions that this library had been recently added, and that the number of thumbnails shown to unauthorized users was around 13,000. Eek. There’s a reason we recommend picking one of the Open Source NVR systems here at Hackaday.
ScreenConnect Exploit in the Wild
A pair of vulnerabilities in ConnectWise ScreenConnect were announced this week, proofs of concept were released, and the flaws are already being used in active exploitation. The vulnerabilities are a CVSS 10.0 authentication bypass and a CVSS 8.4 path traversal bypass.
Huntress has a guide out, detailing how embarrassingly easy the vulnerabilities are to exploit. The authentication bypass is the result of a .NET quirk: adding an additional directory on the end of a .aspx URL doesn’t actually change the destination, but is captured as PathInfo. This allows a bypass of the protections against re-running the initial setup wizard: hostname/SetupWizard.aspx/literallyanything
The second vulnerability triggers during extension unpack, as the unzipping process doesn’t prevent path traversal. The most interesting part is that the unzip happens before the extension installation finishes. So an attacker can compromise the box, cancel the install, and leave very little trace of exploitation.
Making Wooden Shingles With Hand Tools
While they have mostly been replaced with other roofing technologies, wooden shingles have a certain rustic charm. If you’re curious about how to make them by hand, [Harry Rogers] takes us through his friend [John] making some.
There are two primary means of splitting a log for making shingles (or shakes). The first is radial, like one would cut a pie, and the other is lateral, with all the cuts in the same orientation. Using a froe, the log is split in progressively smaller halves to control the way the grain splits down the length of the log and minimize waste. Larger logs result in less waste and lend themselves to the radial method, while smaller logs must be cut laterally. Laterally cut shingles have a higher propensity for warping and other issues, but will work when larger logs are not available.
Once the pieces are split out of the log, they are trimmed with an axe, including removing the outer sapwood which is the main attractant for bugs and other creatures that might try eating your roof. Once down to approximately the right dimensions, the shingle is then smoothed out on a shave horse with a draw knife. Interestingly, the hand-made shingles have a longer lifespan than those sawn since the process works more with the grain of the wood and introduces fewer opportunities for water to seep into the shingles.
If you’re looking for something more solarpunk and less cottagecore for your house, maybe try a green solar roof, and if you’ve got a glass roof, try cleaning it with the Grawler.
Linux Fu: Forward To The Past!
Ok, so the title isn’t as catchy as “Back to the Future,” but my guess is a lot of people who are advanced Linux users have — at least — a slight interest in retrocomputing. You’d like an Altair, but not for $10,000. You can build replicas of varying fidelities, of course. You can also just emulate the machine or a similar CP/M machine in software. There are many 8080 or Z80 emulators out there, ranging from SIMH to MAME. Most of these will run on Linux or — at the least — WINE. However, depending on your goals, you should consider RunCPM. Why? It runs on many platforms, including, of course, Linux and other desktop systems. But it also will work with the Arduino, Teensy, ESP32, or STM32 processors. There is also experimental support for SAM4S and Cyclone II FPGAs.
It’s pretty interesting to have one system that will work across PCs and embedded hardware. What’s more is that, at least on Linux, the file system is directly translated (sort of), so you don’t have to use tricks or special software to transfer files to and from CP/M. It is almost like giving Linux the ability to run CP/M software. You still have to have virtual disks, but they are nothing more than directories with normal files in them.
Goals
Of course, if your goal is to simulate a system and you want to have 180 kB floppies or whatever, then the direct file system isn’t a benefit. But if you want to use CP/M software for education, nostalgia, or cross-development, this is the way to go, in my opinion.
It isn’t just the file system, either. If you need a quick utility inside your bogus CP/M environment, you can write it in Lua, at least on desktop systems. On the Arduino, you can access digital and analog I/O. Theoretically, you could deploy an embedded Altair for some real purpose fairly cheaply.
Keebin’ With Kristina: The One With The 200% Typewriter
You know, the really sad truth about cyberdecks and cyberdeck-adjacent builds is that many of them just end up on the shelf, collecting dust while waiting for the dystopian future. Well, not this one. No, [jefmer] says their Portable Pi sees daily use, and even comes along on the go.
Since [jefmer] is “temperamentally unsuited to 3D printing”, the Pi 4B and its accessories are nestled in a rugged, splash-proof case under some acrylic sheets. One of those accessories, the keyboard, is a KPrepublic BM40 with Gateron Yellows. In order to get used to the number and symbols layer, [jefmer] laid down some great-looking labels above the keyboard.
Although the build started with an SD card for storage, [jefmer] has since upgraded to a 120 GB SSD. This required a beefy battery pack, and the trade-off is around four hours of power versus five hours when using an SD card.