Controlling A Robot Over The Internet Grows Up

Since the beginning of the Internet people have been controlling robots over it, peering at grainy gifs of faraway rec rooms as the robot trundles around. RunMyRobot.com has taken that idea and brought it fully into the teens. These robots use wifi or mobile connections, are 3D printed, and run Python.

The site aims to provide everything to anyone who wants to participate. If you’re just an anonymous visitor, you can still play with the robots, but so can anyone else on the same robot, and sometimes a whole bunch of visitors create a cacophony of commands that makes it not fun. You can always move to a different robot, though. Logged-in members of the site have the option to take over a robot and not allow anyone else to use it.

If you want to build a robot and add it to the site, the creators show how to do that as well, with a GitHub code repository and 3D-printable designs available for download, as well as YouTube instructions on how to build either the printed robot or one made with off-the-shelf parts. They’re also looking for patrons to help with development, with the first item on their list being a mobile app.

Thanks to [Sim] for the link.

 

Alexa, Sudo Read My Resistor! A Challenge For Hackers

Nothing makes us feel more like we’re on Star Trek than saying “Computer, turn on desk light,” and watching the light turn on. Of course, normal people would have left the wake-up word as “Alexa,” but we like “Computer” even if it does make it hard to watch Star Trek episodes without the home automation going crazy.

There’s a lot of hype right now about how voice recognition and artificial intelligence (AI) are transforming everything. We’ve even seen a few high-profile types warning that AI is going to come alive and put us in the matrix or something. That gets a lot of press, but we’re not sure we are even close to that, yet. Alexa and Google’s similar offerings are cool, there’s no doubt about it. The speech recognition is pretty good, although far from perfect. But the AI is really far off still.

Today’s devices utilize two rather rudimentary parts to provide an interaction with users. The first is how the devices pattern match language; it isn’t all that sophisticated. The other is the trivial nature of many of the apps, or, as Alexa calls them, skills. There are some good ones to be sure, but for every one useful application of the technology, there are a dozen that are just text-to-speech of an RSS feed. Looking through the skills available, we were amused at how many different offerings convert resistor color codes back and forth to values.

There was a time when building electronics meant learning the resistor color code. With today’s emphasis on surface mount components, though, it is less useful than it used to be. Still, like flossing, you really ought to do it. However, if you have an Amazon Alexa, it can learn the color code for you thanks to [Dennis Mantz].

Don’t have an Alexa? You can still try it in your browser, as we will show you shortly. There are at least eight similar skills out there like this one from [Steve Jernigan] or [Andrew Bergstrom’s] Resistor Reader.

Attack On The Clones: A Review Of Two Common ESP8266 Mini D1 Boards

ESP8266-based development boards have proliferated rapidly. One favorite, the WEMOS Mini-D1 is frequently imitated and sold without any branding. As these boards continue to ship to hobbyists and retailers around the world, we thought it might be interesting to conduct a little experiment.

There are a few ESP8266 development boards available, and the most popular seem to be the NodeMCU ‘Amica’ board. Of course, there are dozens of other alternatives including the WiFiMCU, Sparkfun’s ESP8266 Thing, and Adafruit’s HUZZAH ESP8266. Given that, why is this review limited to the Mini D1 boards? Because the Mini D1 is the cheapest. Or was, until it was cloned.

We took a look at some of these ‘clone’ boards to figure out the differences, find out if they work as intended, and perhaps most importantly, whether these clone boards are shipped out reliably. What are the results? Check that out below.

How To Hack Your Own Password

[Haseeb] failed the marshmallow test as a kid. He has no self-control. He wastes a lot of time on reddit. There is a solution to this problem — simply lock yourself out of your account. The process is simple, and all you need to do is change your password to something random, change the recovery email address, and click submit. In the blink of an eye, all your imaginary Internet points vanish.

That’s the one guaranteed way to quit reddit. However, [Haseeb] wanted to hold onto those magic Internet points in the event they become worth something. This led to a far more baroque solution. He found a service that would email him at a later date, sent an email to himself containing a random password, and quit reddit temporarily. Until that email was delivered, he was officially off reddit. When that email was received, productivity would stop.

A few years passed, and [Haseeb] had some time to kill at his new job. He decided to scrounge up his old password, only to discover he had locked himself out of his Reddit account until 2018. What followed is a security exploit of an ‘email me in the future’ service, and a great example of how much effort one person will commit to a lifetime of instant gratification.

The email service in question is LetterMeLater, a site that will send an email at some arbitrary point in the future. You can hide the body of the email from yourself, making this a fairly good solution for what [Haseeb] is doing. He was still locked out of his email, though, and emailing the people running LetterMeLater seemed absurd. Dopamine is fun, though, and [Haseeb] eventually found a workaround. This site indexes the body of an email for search. This is great, because the body of the email this site would send [Haseeb] in 2018 contained his reddit password and only his reddit password. With a little bit of code, he can perform substring queries on an email he can’t read. Now, extracting the password is simply a first year CS homework problem.

At this point, the only thing [Haseeb] knows about his password is that it’s a long string of random characters that probably doesn’t include upper-case characters. That’s 26 possible characters, 10 possible numbers, and a character bank that can be determined by searching his email one character at a time. [Haseeb] is essentially playing Hangman against his former self here.

After figuring out an API for LetterMeLater, [Haseeb] whipped up a quick bit of code that finds the password by searching substrings. It’s beautiful and recursive, although he did break it down into finding a suffix of the password then determining the remainder of the password. It took 443 iterations of the code to find the password, and when that was complete he logged into reddit. Math works, although [Haseeb] will have to figure out a way to wean himself off the opiate of the millennials again.
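The suffix-then-remainder search described above, as an added example (not [Haseeb]’s code and not LetterMeLater’s API): `SearchOracle` is a hypothetical local stand-in for a search box over a hidden body, and the secret is a constructed sample. It shows why a yes/no substring search over content the user cannot read discloses that content in a few hundred queries.

```python
import string

ALPHABET = string.ascii_lowercase + string.digits  # page: no upper-case expected


class SearchOracle:
    """Local stand-in for a search box over a body the user cannot read."""

    def __init__(self, hidden_body):
        self._body = hidden_body
        self.queries = 0

    def contains(self, needle):
        self.queries += 1
        return needle in self._body


def _grow(oracle, known, bank, left):
    """Extend `known` one character at a time until no candidate matches."""
    while True:
        for c in bank:
            candidate = c + known if left else known + c
            if oracle.contains(candidate):
                known = candidate
                break
        else:
            return known


def recover(oracle, alphabet=ALPHABET):
    # 1. Character bank: which symbols occur in the body at all.
    bank = [c for c in alphabet if oracle.contains(c)]
    if not bank:
        return ""
    # 2. Grow right from any seed. When nothing extends it, every match of
    #    `known` sits at the end of the body, so `known` is a suffix.
    suffix = _grow(oracle, bank[0], bank, left=False)
    # 3. Grow that suffix leftwards until the start of the body is reached.
    return _grow(oracle, suffix, bank, left=True)


def demo():
    secret = "k3q9zt0vx7m2k3qa8"  # constructed sample, repeats "k3q" on purpose
    oracle = SearchOracle(secret)
    return recover(oracle), oracle.queries


if __name__ == "__main__":
    print(demo())
```

The query count grows linearly with the length of the secret, which is why a hidden body has to be kept out of the search index and not merely hidden from display.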

How To Find A Twitter Account

[Ashley Feinberg] is not one to say no to a challenge. When James Comey (the current Director of the Federal Bureau of Investigation for the United States of America) let slip that he has a secret Twitter and Instagram account, [Ashley] knew what she had to do.

At the beginning, [Ashley] knew only a few things: (1) Comey had recently joined Twitter and (2) he only allows his “immediate relatives and one daughter’s serious boyfriend” to follow him. As such, [Ashley] deduced that “if we can find the Instagram accounts belonging to James Comey’s family, we can also find James Comey.”

To start, [Ashley] found the Instagram account of Comey’s 22-year-old son, a basketball star at Kenyon College. Not fazed by Brien’s locked-down Instagram account, [Ashley] requested access to Brien’s account in order to access the “Suggested for You” selections that are algorithmically generated from Brien Comey’s account. Sifting through the provided accounts, [Ashley] found one that fit Comey’s profile: locked down with few friends. That account was named reinholdniebuhr. Not sure it was, in fact, James Comey, [Ashley] found Comey’s senior thesis on theologian Reinhold Niebuhr and televangelist Jerry Falwell as verification.

With Comey’s Instagram found, [Ashley] moved back to Twitter (something y’all can’t seem to get enough of). With only seven accounts on Twitter using some variation of “Reinhold Niebuhr” as a user name, [Ashley] was quickly able to narrow it down to one account (@projectexile7) via profiling, sealing the deal on an awesome hack-filled quest. Can’t get enough of social media? Don’t worry, you never have to be disconnected.

Point And Click To An IoT Button

The availability of cheap WiFi boards like the ESP8266 and others means you can inexpensively put projects on the network. But there is still the problem of how to connect these devices to other places reliably. An Open Source project that attempts to make that whole effort point and click is Mongoose OS. The open source system works with the ESP8266, ESP32, and several other platforms. It is well integrated with Amazon’s IoT backend, but it isn’t locked to it.

Everyone wants to be your IoT broker and we see products appear (and disappear) regularly aimed at capturing that market. One common way to send and receive messages from a tiny device to a remote server is MQTT, an ISO standard made with resource-limited devices in mind. Many IoT services speak this protocol, including Amazon’s IoT offering. You can see how quick it is to flash an ESP8266 to make an Amazon IoT button in the video below. Although the video example uses Amazon, you can configure the system to talk to any public or private MQTT broker.

Amazon S3: Out Like A Light; On Like A Bathtub

You no doubt heard about the Amazon S3 outage that happened earlier this week. It was reported far and wide by media outlets who normally don’t delve into details of the technology supporting our connected world. It is an interesting thing to think that most people have heard about The Cloud but never AWS and certainly not S3.

We didn’t report on the outage, but we ate up the details of the aftermath. It’s an excellent look under the hood. We say kudos to Amazon for adding to the growing trend of companies sharing the gory details surrounding events like this so that we can all understand what caused this and how they plan to avoid it in the future.

Turns out the S3 team was working on a problem with some part of the billing system and to do so, needed to take a few servers down. An incorrect command used when taking those machines down ended up affecting a larger block than expected. So they went out like a light switch — but turning that switch back on wasn’t nearly as easy.

The servers that went down run various commands in the S3 API. With the explosive growth of the Simple Storage Service, this “reboot” hadn’t been tried in several years and took far longer than expected. Compounding this was a backlog of tasks that built up while they were bringing the API servers back online. Working through that backlog took time as well. The process was like waiting for a bathtub to fill up with water. It must have been an agonizing process for those involved, but certainly not as bad as the folks who had to restore GitLab service a few weeks back.

[via /r/programming]