As the common saying goes, “all networked computers are vulnerable to exploits, but some networked computers are more vulnerable than others”. While not the exact wording from Animal Farm, the saying does have plenty of merit nonetheless. Sure, there are some viruses and issues with Linux distributions but by far most of the exploits target Windows, if only because more people use it daily than any other operating system. The latest Windows 10 exploit, discovered by [jonhat], is almost comically easy too, and involves little more than plugging in a mouse.
While slightly comforting in that an attacker would need physical access to the device rather than simple network access, it is very concerning how simple this attack is otherwise. Apparently plugging in a Razer mouse automatically launches Windows Update, which installs a driver for the mouse. The installation is run with admin privileges, and a PowerShell prompt can be opened by the user simply by pressing Shift and right-clicking the mouse. While [jonhat] originally tried to let the company know, they weren’t responsive until he made the exploit public on Twitter, and are now apparently working on solving the issue.
Others have confirmed the exploit does in fact work, so hopefully a patch that solves the issue is released soon. In the meantime, we recommend as a general rule not allowing strangers to plug any devices into your personal computers, and not plugging in any device whose origins are unknown. Also remember that some attacks don’t require physical or network access at all, like this one which remotely sniffs keystrokes from a wireless keyboard with less than stellar security, also coincidentally built by Microsoft.
If you ever get the feeling someone is watching you, maybe they are listening, too. At least they might be listening to what’s coming over your computer speakers thanks to a new attack called “glow worm.” In this novel attack, careful observations of a power LED on a speaker allowed an attacker to reproduce the sound playing thanks to virtually imperceptible fluctuations in the LED brightness, most likely due to the speaker’s power line sagging and recovering.
You might think that if you could see the LED, you could just hear the output of the speaker, but a telescope through a window 100 feet away appears to be sufficient. You can imagine that from a distance across a noisy office you might be able to pull the same trick. We don’t know — but we suspect — even if headphones were plugged into the speakers, the LED would still modulate the audio. Any device supplying power to the speakers is a potential source of a leak.
We agree with [magic-blue-smoke] that one of the only things more fun than a standard Raspberry Pi 4 is the Compute Module form factor. If they are not destined to be embedded in a system, these need a breakout board to be useful. Each can be customized with a myriad of board shapes and ports, and that’s where the real fun starts. We’ve already seen projects that include custom carrier boards in everything from a 3D Printer to a NAS and one that shows we can build a single-sided board at home complete with high-speed ports.
[magic blue smoke] used this ability to customize the breakout board as an opportunity to create a hackable media player “stick” with the Raspberry Pi built-in. We love that this Raspberry Pi CM4 TV Stick eliminates all the adapters and cables usually required to connect a Pi’s fiddly micro HDMI ports to a display and has heat sinks and an IR receiver to boot. Like a consumer media player HDMI stick, all you need to add is power.
While we don’t feature many woodworking projects here, we always love learning from people who really know their stuff in any medium. [Brian Oltrogge] showed us a hands-off way to shape aluminum with this 3D print sand-casting project and now brings us a very hands-on kayak project.
We have seen kayaks made from plastic wrap and 3D printed parts, and in the video after the break, [Brian Oltrogge] is building a scale model to validate a wood kayak design created with Rhino 3D and Grasshopper. Besides being a joy to watch for the craftsmanship alone, the video is full of great hacks. The “buck” that the wood is formed over sits on CNC cut stands that slot into it. The thickness of three layers of laminated veneer fits the 1:4 scale model perfectly, representing 3/4” plywood, and the laser-cut parts use the exact pattern that the final full-size CNC will.
There are also some great tool hacks hidden in the video. [Brian Oltrogge] tells us about a spiral scroll saw blade that can cut in any direction, but as a bonus tip, we also can see a clamp compressing the saw while the blade is tensioned. Watch the video through the end to see some clever wall-mounting brackets too.
The video doesn’t tell us what a Stitch & Glue boat is or how the full-scale boat will be assembled. To find out more about that, see this charmingly odd vintage film from Chesapeake Light Craft.
This is newsworthy in itself because despite several years and significant resources being devoted to the problem of drones hitting planes, demonstrable cases remain vanishingly rare. The fact that the machine in this case was a police one will, we expect, result in many fewer column inches for the event than had it been flown at the hands of a private multirotor pilot, which only heightens the contrast with the coverage of previous events such as the Gatwick closure, for which no drone evidence was ever produced.
It’s picking an easy target to lay into the York Regional Police over this incident, but it is worth making the point that their reaction would have been disproportionately larger had the drone not been theirs. The CTV news report mentions that air traffic regulators were unaware of the drone’s presence:
NAV Canada, the country’s air navigation service provider, had not been notified about the YRP drone, Transport Canada said.
Given the evident danger to aviation caused by their actions it’s not unreasonable to demand that the officers concerned face the same penalties as would any other multirotor pilot who caused such an incident. We aren’t holding our breath though.
[AchillesVM] decided to build a tabletop electric fan so it would track him as he moves around the room. Pan and tilt control is provided by a pair of servos controlled by a Raspberry Pi 3B+. How does it know where [AchillesVM] is? It captures the scene using a Raspberry Pi v2 Camera and uses OpenCV’s default face-tracking algorithm to find him. Well, strictly speaking, it tracks anyone’s face around the room. If multiple faces are detected, it follows the largest — which is usually the person closest to the fan.
The whole processing loop runs at 60 ms, so the speed of the servo mechanism is probably the limiting factor when it comes to following fast-moving house guests. At first glance it might look like an old fan from the 1920s, but in fact [AchillesVM] built the whole thing himself, 3D-printing the case and using a few off-the-shelf parts (like the 25 cm R/C plane propeller).
It’s a work in progress, so follow his GitHub repository (above) for updates. Hopefully, there will be a front-mounted finger guard coming soon. If you like gadgets that interact with you as you move about, we’ve covered the face-tracking confectionery cannon back in 2014, and the head-tracking water blaster last year. In the “don’t try this” file goes the build that started a career — the eye-tracking laser robot.
For readers that might not spend their free time watching spools of PLA slowly unwind, The Spaghetti Detective (TSD) is an open source project that aims to use computer vision and machine learning to identify when a 3D print has failed and resulted in a pile of plastic “spaghetti” on the build plate. Once users have installed the OctoPrint plugin, they need to point it to either a self-hosted server that’s running on a relatively powerful machine, or TSD’s paid cloud service that handles all the AI heavy lifting for a monthly fee.
Unfortunately, 73 of those cloud customers ended up getting a bit more than they bargained for when a configuration flub allowed strangers to take control of their printers. In a frank blog post, TSD founder Kenneth Jiang owns up to the August 19th mistake and explains exactly what happened, who was impacted, and how changes to the server-side code should prevent similar issues going forward.
TSD allows users to remotely manage and monitor their printers.
For the record, it appears no permanent damage was done, and everyone who was potentially impacted by this issue has been notified. There was a fairly narrow window of opportunity for anyone to stumble upon the issue in the first place, meaning any bad actors would have had to be particularly quick on their keyboards to come up with some nefarious plot to sabotage any printers connected to TSD. That said, one user took to Reddit to show off the physical warning their printer spit out; the apparent handiwork of a fellow customer that discovered the glitch on their own.
According to Jiang, the issue stemmed from how TSD associates printers and users. When the server sees multiple connections coming from the same public IP, it’s assumed they’re physically connected to the same local network. This allows the server to link the OctoPrint plugin running on a Raspberry Pi to the user’s phone or computer. But on the night in question, an incorrectly configured load-balancing system stopped passing the source IP addresses to the server. This made TSD believe all of the printers and users who connected during this time period were on the same LAN, allowing anyone to connect with whatever machine they wished.
New code pushed to the TSD repository limits how many devices can be associated with a single IP.
The mix-up only lasted about six hours, and so far, only the one user has actually reported their printer being remotely controlled by an outside party. After fixing the load-balancing configuration, the team also pushed an update to the TSD code which puts a cap on how many printers the server will associate with a given IP address. This seems like a reasonable enough precaution, though it’s not immediately obvious how this change would impact users who wish to add multiple printers to their account at the same time, such as in the case of a print farm.
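As an added illustration, not code from The Spaghetti Detective, here is a sketch of the IP-based pairing heuristic described above, the collapse that occurs when the load balancer stops forwarding the client address, and the per-IP cap as the mitigation. The header name, the cap value, and all addresses are assumptions.

```python
from collections import defaultdict

# Assumed cap: the post says the patch limits printers per IP but not the number.
MAX_PRINTERS_PER_IP = 3
LB_INTERNAL_IP = "10.0.0.1"  # constructed: the peer the app sees when the LB drops the source IP

def client_ip(headers, peer_addr):
    """IP the app attributes to a connection: the first X-Forwarded-For hop if the
    load balancer supplied one (assumed header), otherwise the raw socket peer."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() if xff.strip() else peer_addr

class LinkRegistry:
    """Pairs printers with user sessions by shared public IP, as the post describes."""
    def __init__(self, max_per_ip=MAX_PRINTERS_PER_IP):
        self.max_per_ip = max_per_ip
        self.printers_by_ip = defaultdict(list)

    def register_printer(self, printer_id, headers, peer_addr):
        ip = client_ip(headers, peer_addr)
        # Post-incident mitigation: refuse once a single IP "owns" too many printers,
        # so a collapsed-IP failure surfaces as an error instead of silently merging accounts.
        if len(self.printers_by_ip[ip]) >= self.max_per_ip:
            raise ValueError(f"too many printers behind {ip}; refusing {printer_id}")
        self.printers_by_ip[ip].append(printer_id)
        return ip

    def printers_visible_to(self, headers, peer_addr):
        """Printers a phone/browser session may control: everything under its IP."""
        return list(self.printers_by_ip[client_ip(headers, peer_addr)])

    def crowded_ips(self, threshold=2):
        """Monitoring signal: IPs fronting an unusual number of printers."""
        return {ip: len(p) for ip, p in self.printers_by_ip.items() if len(p) >= threshold}

def simulate(forwarding_ok):
    """Register three customers' printers, then ask what customer c1 can see.
    forwarding_ok=False models the misconfigured LB that sends no X-Forwarded-For."""
    reg = LinkRegistry()
    customers = {"c1": "203.0.113.5", "c2": "198.51.100.9", "c3": "192.0.2.77"}  # constructed
    for name, public_ip in customers.items():
        headers = {"X-Forwarded-For": public_ip} if forwarding_ok else {}
        reg.register_printer(f"printer-{name}", headers, LB_INTERNAL_IP)
    headers = {"X-Forwarded-For": customers["c1"]} if forwarding_ok else {}
    return reg, reg.printers_visible_to(headers, LB_INTERNAL_IP)
```

With forwarding intact each session sees only its own printer; with the header stripped, every printer lands under the load balancer's address, and the cap is what stops the pile-up from growing further.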
While no doubt an embarrassing misstep for the team at The Spaghetti Detective, we can at least appreciate how swiftly they dealt with the issue and their transparency in bringing the flaw to light. This is also an excellent example of how open source allows the community to independently evaluate the fixes applied by the developer in response to a discovered flaw. Jiang says the team will be launching a full security audit of their own as well, so expect more changes getting pushed to the repository in the near future.
We were impressed with TSD when we first covered it back in 2019, and glad to see the project has flourished since we last checked in. Trust is difficult to gain and easy to lose, but we hope the team’s handling of this issue shows they’re on top of things and willing to do right by their community even if it means getting some egg on their face from time to time.