RIP Lynn Conway, Whose Work Gave Us VLSI And Much More

Lynn Conway, American engineer and computer scientist, passed away at the age of 86 from a heart condition on June 9th, at her Michigan home. Her work in the 1970s led to the integrated circuit design and manufacturing methodology known as Very Large Scale Integration, or VLSI, something which touches almost all facets of the world we live in here in 2024.

It was her work at the legendary Xerox PARC that resulted in VLSI, and its subsequent publication had the effect through the 1980s of creating a revolution in the semiconductor industry. By rendering an IC into a library of modular units that could be positioned algorithmically, VLSI enabled much more efficient use of space on the die, and changed the design process from one of layout into one of design. In simple terms, by laying out pre-defined assemblies with a computer rather than individual components by hand, a far greater density of components could be achieved, and more powerful circuits could be produced.

You may have also heard of Lynn Conway, not because of her VLSI work, but because as a transgender woman she found herself pursuing a parallel career as an activist in her later decades. As an MIT student in the 1950s she had tried to transition but been beaten back by the attitudes of the time, before dropping out and only returning to Columbia University to finish her degree a few years later in the early 1960s. A job at IBM followed, but when she announced her intent to transition she was fired from IBM and lost access to her family.

This Week In Security: Unicode Strikes Again, Trust No One (Redditor), And More

There’s a popular Sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode”. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI that allows injecting command line switches when a web server launches an instance of PHP-CGI. The original fix was to block some characters in specific places in query strings, like a query string starting with a dash.

The bypass is due to a Windows feature, “Best-Fit”, an automatic down-convert from certain Unicode characters. This feature works on a per-locale basis, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen, which doesn’t get blocked by PHP, into a regular hyphen, which can trigger the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and PHP on Windows, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly.
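A defender's view of the mismatch described above, as an added example that is not from the original article or from PHP: a check run before the conversion passes a soft hyphen, while a check run on the converted string catches it, and the same logic can flag access-log entries. The one-entry conversion table is a model of the soft-hyphen case named above, not Windows' real Best-Fit tables; the function names and log lines are constructed.

```python
from urllib.parse import urlsplit, unquote_to_bytes

# Model of the one conversion the article names: soft hyphen (U+00AD) -> '-'.
# Assumption: real Best-Fit tables are per-locale and much larger.
BEST_FIT_MODEL = {"\u00ad": "-"}

def decode_query(raw_query):
    """Percent-decode; fall back to Latin-1 for lone bytes such as %AD."""
    data = unquote_to_bytes(raw_query)
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("latin-1")

def naive_is_blocked(query):
    """The pre-conversion check: only a literal leading dash is refused."""
    return query.startswith("-")

def classify(query):
    """Validate the string as the consumer will see it after conversion."""
    if naive_is_blocked(query):
        return "dash"
    converted = "".join(BEST_FIT_MODEL.get(ch, ch) for ch in query)
    # Any non-ASCII leading character is treated as suspect, since other
    # locales may map other characters the same way.
    if converted.startswith("-") or (query and ord(query[0]) > 0x7F):
        return "lookalike"
    return "ok"

def scan(log_lines):
    """Return (request target, verdict) for every flagged access-log line."""
    hits = []
    for line in log_lines:
        target = line.split('"')[1].split()[1]  # "GET <target> HTTP/1.1"
        verdict = classify(decode_query(urlsplit(target).query))
        if verdict != "ok":
            hits.append((target, verdict))
    return hits

# Constructed sample log lines (documentation IP range, placeholder queries).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:10:00:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2024:10:00:01 +0000] "GET /index.php?-placeholder HTTP/1.1" 403 199',
    '203.0.113.5 - - [10/Jun/2024:10:00:02 +0000] "GET /index.php?%ADplaceholder HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2024:10:00:03 +0000] "GET /index.php?%C2%ADplaceholder HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target, verdict in scan(SAMPLE_LOG):
        print(verdict, target)
```

The "lookalike" verdict is a heuristic: it will also flag legitimate queries that begin with a non-ASCII character, so treat hits as leads to review.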

Downloader Beware

The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node references a malicious Python package that grabs browser data and sends it all to a Discord or Pastebin. It appears that some additional malware gets installed, for continuing access to infected systems. It’s a rough way to learn.

Raspberry Pi Goes Public

We’ve heard rumors for the last few months, and now it looks like they’ve come true: the business side of Raspberry Pi, Raspberry Pi Holdings, has become a publicly listed company on the London Stock Exchange.

We heard rumblings about this a while back, and our own [Jenny List] asked the question of what this means for the hobbyist and hacker projects that use their products. After all, they’ve been spending a lot of money making new silicon, and issuing stock helps them continue. Jenny worried that they’d forget that what sells their hardware is the software, but ends up concluding that they’ll probably continue doing more of the same thing, just with better funding.

Raspberry Pi CEO [Eben Upton] said basically the same when we asked him what a floatation would mean for the Raspberry Pi Foundation, which is the non-profit arm of the Raspberry Empire, and which is responsible for a lot of the educational material and outreach that they do. (Fast-forward to minute 40.) Before the share issue, the Foundation wholly owned Holdings, and received donations to fund its work. Now that there has been a floatation, it looks like the Foundation will own 70% of Holdings, and will use this endowment to finance its educational mission.

We don’t have a crystal ball, but we suspect this changes not much at all. Raspberry Pi Holdings Ltd is doing great business by producing niche single-board computers that appeal both to the hacker and industrial markets, and the Raspberry Pi Foundation now has a more concrete source of funding to continue its educational goals. But the future will tell!

Scrapping The Local Loop, By The Numbers

A few years back I wrote an “Ask Hackaday” article inviting speculation on the future of the physical plant of landline telephone companies. It started innocently enough; an open telco cabinet spotted during my morning walk gave me a glimpse into the complexity of the network buried beneath my feet and strung along poles around town. That in turn begged the question of what to do with all that wire, now that wireless communications have made landline phones so déclassé.

At the time, I had a sneaking suspicion that I knew what the answer would be, but I spent a good bit of virtual ink trying to convince myself that there was still some constructive purpose for the network. After all, hundreds of thousands of technicians and engineers spent lifetimes building, maintaining, and improving these networks; surely there must be a way to repurpose all that infrastructure in a way that pays at least a bit of homage to them. The idea of just ripping out all that wire and scrapping it seemed unpalatable.

With the decreasing need for copper voice and data networks and the increasing demand for infrastructure to power everything from AI data centers to decarbonized transportation, the economic forces arrayed against these carefully constructed networks seem irresistible. But what do the numbers actually look like? Are these artificial copper mines as rich as they appear? Or is the idea of pulling all that copper out of the ground and off the poles and retasking it just a pipe dream?


This Week In Security: Recall, Modem Mysteries, And Flipping Pages

Microsoft is racing to get into the AI game as part of Windows 11 on ARM, calling it Copilot+. It’s an odd decision, but clearly aimed at competing with the Apple M series of MacBooks. Our focus of interest today is Recall, a Copilot+ feature that not only has some security problems, but also triggers a sort of visceral response from regular people: My computer is spying on me? Eww.

Yes, it really sort of is. Recall is a scheme to take screenshots of the computer display every few seconds, run them through character recognition, and store the screenshots and results in a database on the local machine hard drive. There are ways this could be useful. Can’t remember what website had that recipe you saw? Want to revisit a now-deleted tweet? Is your Google-fu failing you to find a news story you read last week? Recall saw it, and Recall remembers. But what else did Recall see? Every video you watched, every website you visited, and probably some passwords and usernames you typed in.


Building And Testing A 1912-style Radio

A glimpse at a high-end radio set, for 1912. (Credit: [glasslinger], YouTube)
Doing electronics in the 1910s was rather rough, with the radio probably the pinnacle of hi-tech. Despite this, with some know-how and basic wood- and metal-working skills you could get pretty far with DIY-ing a radio set. As [glasslinger] demonstrates in a YouTube video, you can even build your own set with your own crafted tube-amplifier. With items like a hand-crafted resistor and capacitor – as well as tuning elements and period-correct point-to-point wiring – it definitely has that retro vibe to it.

Such DIY projects used to be very commonly featured in electronics magazines, even after the transistor came onto the scene by the 1950s. The fancier designs use a regenerative design, like this one by [Dick Whipple] which provides not only some background theory, but also the full schematic and how-to in case you feel like giving it a shake yourself.

Even if you’re not into crafting your own basic electronic components, radios like these are a great introduction to a lot of RF theory and amplification basics.



MicroPython 1.23 Brings Custom USB Devices, OpenAMP, Much More

MicroPython is a wonderful Python interpreter that runs on many higher-end microcontrollers, from ESP8266 to STM32 to the RP2040. MicroPython lets you build devices quickly, and its latest release, 1.23, brings a number of improvements you should be aware of.

The first one is custom USB device support, and it’s a big one. Do you want to build HID devices, or play with MIDI, or do multiple serial streams with the help of PIO? Now MicroPython lets you easily create USB devices on a variety of levels, from friendly wrappers for creating HID or MIDI devices, to low-level hooks to let you define your own USB descriptors, with user-friendly libraries to help all the way through. Currently, SAMD and RP2040 ports are supported in this part of the code, but you can expect more in the future.

Hooray to 10 years of MicroPython!

There’s more – support for OpenAMP, an inter-core communication protocol, has received a ton of improvements for systems where MicroPython reigns supreme on some of the CPU cores but also communicates with different systems on other cores. A number of improvements have made their way through the codebase, highlighting things we didn’t know MicroPython could do – for instance, did you know that there’s a WebAssembly port in the interpreter, letting you run MicroPython in your browser?

Well, it’s got a significant overhaul in this release, so there’s no better time to check it out than now! Library structure has been refactored to improve CPython compatibility, the RP2040 port receives a 10% performance boost thanks to core improvements, and touches upon areas like PIO and SPI interfaces.

We applaud all contributors involved in this release. MicroPython is now a decade old as of May 3rd, and it keeps trucking on, having firmly earned its place in the hacker ecosystem. If you’ve been playing with MicroPython, remember that there are multiple IDEs, graphics libraries, and you can bring your C code with you!