This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.
Ever since the early days of the Space Race, people have been fascinated with satellites. And rightly so; the artificial moons we’ve sent into orbit are engineering marvels, built to do a difficult job while withstanding an incredibly harsh environment. But while most people are content to just know that satellites are up there providing weather forecasts and digital television, some of us want a little more.
Enter SatNOGS. Since winning the very first Hackaday Prize in 2014, SatNOGS has grown into exactly what Pierros Papadeas and the rest of the team envisioned: a globe-spanning network of open-source satellite ground stations, feeding continuous observations into an open, accessible database. With extensive documentation and an active community, SatNOGS has helped hundreds of users build ground stations with steerable antennas and get them connected. The network tracks hundreds of Low-Earth Orbit (LEO) satellites each day, including increasingly popular low-cost Cubesats.
Join us as the SatNOGS crew stops by the Hack Chat to give us an update on their efforts over the last few years. We’ll discuss how winning the Hackaday Prize changed SatNOGS, how the constellation of satellites has changed and how SatNOGS is dealing with it, and what it takes to build a global network and the community that makes it work.
Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.
A year ago, we wrote about the discovery of treasure trove of original documentation from the development of the MOS 6502 by Jennifer Holdt-Winograd, daughter of the late Terry Holdt, the original program manager on the project. Now, Ms. Winograd has created a website to celebrate the 6502 and the team that built it. There’s an excellent introductory video with a few faces you might recognize, nostalgia galore with period photographs that show the improbable styles of the time, and of course the complete collection of lab notes, memos, and even resumes of the team members. If there were a microchip hall of fame – and there is – the 6502 would be a first-round pick, and it’s great to see the history from this time so lovingly preserved.
Speaking of the 6502, did you ever wonder what the pin labeled SO was for? Sure, the data sheets all say pin 38 of the original 40-pin DIP was the “Set Overflow” pin, an active low that set the overflow bit in the Processor Status Register. But Rod Orgill, one of the original design engineers on the 6502, told a different story: that “SO” was the initials of his beloved dog Sam Orgill. The story may be apocryphal, but it’s a Good Doggo story, so we don’t care.
You may recall a story we ran not too long ago about the shortage of plutonium-238 to power the radioisotope thermoelectric generators (RTGs) for deep-space missions. The Cold War-era stockpiles of Pu-238 were running out, but Oak Ridge National Laboratory scientists and engineers came up with a way to improve production. Now there’s a video showing off the new automated process from the Periodic Videos series, hosted by the improbably coiffed Sir Martyn Poliakoff. It’s fascinating stuff, especially seeing workers separated from the plutonium by hot-cells with windows that are 4-1/2 feet (1.4 meters) thick.
Dave Murray, better known as YouTube’s “The 8-Bit Guy”, can neither confirm nor deny the degree to which he participated in the golden age of phone phreaking. But this video of his phreaking presentation at the Portland Retro Gaming Expo reveals a lot of suspiciously detailed knowledge about the topic. The talk starts at 4:15 or so and is a nice summary of blue boxes, DTMF hacks, war dialing, and all the ways we curious kids may or may not have kept our idle hands busy before the Interwebz came along.
Do you enjoy a puzzle? We sure do, and one was just laid before us by a tipster who prefers to stay anonymous, but for whom we can vouch as a solid member of the hacker community. So no malfeasance will befall you by checking out the first clue, a somewhat creepy found footage-esque video with freaky sound effects, whirling clocks, and a masked figure reading off strings of numbers in a synthesized voice. Apparently, these clues will let you into a companion website. We worked on it for a bit and have a few ideas about how to crack this code, but we don’t want to give anything away. Or more likely, mislead anyone.
And finally, if there’s a better way to celebrate the Spooky Season than to model predictions on how humanity would fare against a vampire uprising, we can’t think of one. Dominik Czernia developed the Vampire Apocalypse Calculator to help you decide when and if to panic in the face of an uprising of the undead metabolically ambiguous. It supports several models of vampiric transmission, taken from the canons of popular genres from literature, film, and television. The Stoker-King model makes it highly likely that vampires would replace humans in short order, while the Harris-Meyer-Kostova model of sexy, young vampires is humanity’s best bet except for having to live alongside sparkly, lovesick vampires. Sadly, the calculator is silent on the Whedon model, but you can set up your own parameters to model a world with Buffy-type slayers at your leisure. Or even model the universe of The Walking Dead to see if it’s plausible that humans are still alive 3599 days into the zombie outbreak.
Hackaday Editors Mike Szczys and Elliot Williams shed some light on a true week of hacks. It seems as though all kinds of projects are doing this the “wrong” way this week and its delightful to see what they learn along the way. Hovercraft can work using the Coandă effect which uses the blowers on the outside. You can dump your Linux logs to soldered-on eMMC memory, and chain sprockets can be cut from construction brackets. If you really want to build your own rebreather you can. All of these hacks work, and seeing how to do something differently is an inspiring tribute to the art of hardware hacking… you can learn a lot by asking yourself why these particular techniques are not the most commonly used.
Plus, Mike caught up with Alessandro Ranellucci at Maker Faire Rome last weekend. In addition to being the original author of slic3r, Alessandro has been Italy’s Open Source lead for the last several years. He talks about the legislation that was passed earlier this year mandating that software commissioned by the government must now be Open Source and released with an open license.
Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!
Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
A Japanese hotel chain uses robots for nearly everything. Check in, room access, and most importantly, bedside service. What could possibly go wrong with putting embedded Android devices, complete with mics and cameras, right in every hotel room? While I could imagine bedside robots ending badly in many ways, today we’re looking at the possibility that a previous guest installed an app that can spy on the room. The kiosk mode used on these devices left much to be desired. Each bot has an NFC reader, and all it takes is an URL read by that reader to break out of the kiosk jail. From there, a user has full access to the Android system underneath, and can install whatever software they wish.
[Lance Vick] discovered this potential problem way back in July, and after 90 days of inaction has released the vulnerability. More of these hotels are being rolled out for the 2020 Olympics, and this sort of vulnerability is sure to be present in other similar kiosk devices.
VPN Compromise
In March 2018, a server in a Finnish data center was compromised through a remote management system. This was probably a Baseboard Management Controller (BMC), which is as dangerous as it is useful. Most BMCs have their own Ethernet adapter, not controlled by the host computer, and allows a remote user to access the machine just as if they had a monitor and keyboard connected to it. This particularly server was one rented by NordVPN, who was apparently not notified of the data center breach.
So what was captured from this server? Apparently the OpenVPN credentials stored on that server, as well as a valid TLS key. (Document mirror via TechCrunch) It’s been noted that this key is now expired, which does mean that it’s not being actively exploited. There were, however, about 7 months between the server break-in and the certificate expiration, during which time it could have been used for man-in-the-middle attacks.
NordVPN has confirmed the breach, and tried to downplay the potential impact. This report doesn’t seem to entirely match the leaked credentials. An attacker with this data and root access to the server would have likely been able to decrypt VPN traffic on the fly.
Graboid
Named in honor of a certain sci-fi worm, Graboid is an unusual piece of malware aimed at Docker instances. It is a true worm, in that compromised hosts are used to launch attacks against other vulnerable machines. Graboid isn’t targeting a Docker vulnerability, but simply looking for an unsecured Docker daemon exposed to the internet. The malware downloads malicious docker images, one of which is used for crypto-currency mining, while another attempts to compromise other servers.
Graboid has an unusual quirk — the quirk that earned it the name: It doesn’t constantly mine or attempt to spread, but waits over a minute between bursts of activity. This was likely an attempt to mask the presence of mining malware. It’s notable that until discovered, the malicious Docker images were hosted on the Docker Hub. Be careful what images you trust, and look for the “Docker Official Image” tag.
Iran and Misdirection
Remember a couple weeks ago, when we discussed the difficulty of attack attribution? It seems a healthy dose of such paranoia might be warranted. The American NSA and British NCSC revealed that they now suspect Russian actors compromised Iranian infrastructure and deployed malware developed by Iranian coders. The purpose of this seems to have been redirection — to compromise targets and put the blame on Iran. To date it’s not certain that this particular gambit fooled any onlookers, but this is likely not the only such effort.
Android Biometrics
New Android handsets have had a rough week. First, the Samsung Galaxy S10 had an issue with screen protectors interfering with the under-the-screen fingerprint reader. This particular problem seems to only affect fingerprints that are enrolled after a screen protector has been applied. With the protector still in place, anyone’s fingerprint is able to unlock the device. What’s happening here seems obvious. The ultrasonic fingerprint scanner isn’t able to penetrate the screen protector, so it’s recording an essentially blank fingerprint. A patch to recognize these blank prints has been rolled out to devices in Samsung’s home country of South Korea, with the rest of the world soon to follow.
The second new handset is the Google Pixel 4, which includes a new Face Unlock feature. While many have praised the feature, there is trouble in paradise. The Pixel’s Face Unlock works even when the user is asleep or otherwise unmoving. To their credit, Apple’s Face ID also checks for user alertness, trying to avoid unlocking unless the user is intentionally doing so.
The humorous scenario is a child or spouse unlocking your phone while you’re asleep, but a more sobering possibility is your face being used against you unwillingly, or even while unconscious or dead. Based on leaks, it’s likely that there was an “eyes open” mode planned but cut before launch. Hopefully the bugs can be worked out of that feature, and it can be re-added in a future update. Until then, it’s probably best not to use Google’s Face Unlock on Pixel 4 devices.
A remote Ethernet device needs two things: power and Ethernet. You might think that this also means two cables, a beefy one to carry the current needed to run the thing, and thin little twisted pairs for the data. But no!
Power over Ethernet (PoE) allows you to transmit power and data over to network devices. It does this through a twisted pair Ethernet cabling, which allows a single cable to drive the two connections. The main advantage of using PoE as opposed to having separate lines for power and data is to simplify the process of installation – there’s fewer cables to keep track of and purchase. For smaller offices, the hassle of having to wire new circuits or a transformer for converted AC to DC can be annoying.
PoE can also be an advantage in cases where power is not easily accessible or where additional wiring simply is not an option. Ethernet cables are often run in the ceiling, while power runs near the floor. Furthermore, PoE is protected from overload, short circuiting, and delivers power safely. No additional power supplies are necessary since the power is supplied centrally, and scaling the power delivery becomes a lot easier.
Devices Using PoE
[via PowerOverEthernet.com]VoIP phones are becoming increasingly prevalent as offices are opting to provide power for phones from a central supply rather than hosting smaller power supplies to supply separate phones. Smart cameras – or IP cameras – already use Ethernet to deliver video data, so using PoE simplifies the installation process. Wireless access points can be easily connected to Ethernet through a main router, which is more convenient than seeking out separate power supplies.
Other devices that use PoE include RFID readers, IPTV decoders, access control systems, and occasionally even wall clocks. If it already uses Ethernet, and it doesn’t draw too much power, it’s a good candidate for PoE.
On the supply side, given that the majority of devices that use PoE are in some form networking devices, it makes sense that the main device to provide power to a PoE system would be the Ethernet switch. Another option is to use a PoE injector, which works with non-PoE switches to ensure that the device is able to receive power from another source than the switch.
How it Works
Historically, PoE was implemented by simply hooking extra lines up to a DC power supply. Early power injectors did not provide any intelligent protocol, simply injecting power into a system. The most common method was to power a pair of wires not utilized by 100Base-TX Ethernet. This could easily destroy devices not designed to accept power, however. The IEEE 802.3 working group started their first official PoE project in 1999, titled the IEE 802.3af.
[via Fiber Optic Communication]This standard delivered up to 13 W to a powered device, utilizing two of the four twisted pairs in Ethernet cabling. This was adequate power for VoIP phones, IP cameras, door access control units, and other devices. In 2009, the IEEE 802.3 working group released the second PoE standard, IEEE 802.3at. This added a power class that could deliver up to 25.5 W, allowing for pan and tilt cameras to use the technology.
While further standards haven’t been released, proprietary technologies have used the PoE term to describe their methods of power delivery. A new project from the IEEE 802.3 working group was the 2018 released IEEE 802.3bt standard that utilizes all four twisted pairs to deliver up to 71 W to a powered device.
But this power comes at a cost: Ethernet cables simply don’t have the conductive cross-section that power cables do, and resistive losses are higher. Because power loss in a cable is proportional to the squared current, PoE systems minimize the current by using higher voltages, from 40 V to 60 V, which is then converted down in the receiving device. Even so, PoE specs allow for 15% power loss in the cable itself. For instance, your 12 W remote device might draw 14 W at the wall, with the remaining 2 W heating up your crawlspace. The proposed 70 W IEEE 802.3bt standard can put as much as 30 W of heat into the wires.
The bigger problem is typically insufficient power. The 802.4af PoE standard maximum power output is below 15.4 W (13 W delivered), which is enough to provide power for most networking devices. For higher power consumption devices, such as network PTZ cameras, this isn’t the case.
Although maximum power supply is specified in the standards, having a supply that supplied more power is necessary will not affect the performance of the device. The device will draw as much current as necessary to operate, so there is no risk of overload, just hot wires.
So PoE isn’t without its tradeoffs. Nevertheless, there’s certainly a lot of advantages to accepting PoE for devices, and of course we welcome a world with fewer wires. It’s fantastic for routers, phones, and their friends. But when your power-hungry devices are keeping you warm at night, it’s probably time to plug them into the wall.
To grind or not to grind? What a question! It all depends on what you’re really trying to show, and in the case of welded joints, I often want to prove the integrity of the weld.
My ground-back piece of welded tube. Eagle-eyed readers will spot that the grinding reveals a weld that isn’t perfect.
Recently, I wrote a piece in which I talked about my cheap inverter welder and others like it. As part of it I did a lower-current weld on a piece of thin tube and before snapping a picture of the weld I ground it back flat. It turns out that some people prefer to see a picture of the weld bead instead — the neatness of the external appearance of the weld — to allow judgment on its quality. Oddly I believe the exact opposite, that the quality of my weld can only be judged by a closer look inside it, and it’s this point I’d like to explore.
Sometimes, mechanical parts can be supremely expensive, or totally unavailable. In those cases, there’s just one option — make it yourself. It was this very situation in which I found myself. My electric scooter had been ever so slightly bested by a faster competitor, and I needed redemption. A gearing change would do the trick, but alas, the chain sprocket I needed simply did not exist from the usual online classifieds.
Thus, I grabbed the only tools I had, busied myself with my task. This is a build that should be replicable by anyone comfortable using a printer, power drill, and rotary tool. Let’s get to work!
Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, October 30 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.
