News

3602 Articles

Binary Watch Rocks A Bare PCB With Pride

January 26, 2023 by 18 Comments

Most of us learn to read digital clocks first, which display the time in obvious numbers. Analog clocks are often learned later, with the hands taking our young brains a little longer to figure out. Once you’ve grown into a 1337h4XX0r, though, you’re ready to learn how to read a binary watch. Then you can build your own, just like [taifur] did.

The watch rocks a simplistic, bare bones design with the PCB acting as the body of the device itself. It’s not great for water resistance, or even incidental contact, but it’s a sharp look with the golden traces on display. The heart of the operation is a ATmega328P, as seen in the popular Arduino Uno, and it’s paired with a DS3231M real-time clock module to keep accurate time. 13 SMD LEDs are charged with displaying the time in binary format, with [taifur] choosing to spec a classic red color for the build. The watch is powered via a CR2032 coin cell, which you’re best advised not to swallow. So far, [taifur] has found the watch will last for over a month before the battery is tapped out.

It’s a fun build, and one that looks good when paired with a classic NATO watch strap in green. If, however, you desire a watch that definitely won’t last a month on a single coin cell, you can always build a Nixie watch instead. Video after the break.

Continue reading “Binary Watch Rocks A Bare PCB With Pride”

ADS-B Exchange Sells Up, Contributors Unhappy

January 26, 2023 by 62 Comments

In the news among aviation enthusiasts, the ADS-B data aggregation and aircraft tracking site ADSB-Exchange has been sold by its founder to JETNET for a reported $20,000,000. This type of routine financial news is more at home in the business media than on Hackaday, but in this case there’s something a little different at play. ADS-B Exchange is a community driven site whose data comes from thousands of enthusiasts worldwide connecting their ADS-B receivers to its feed API. The sale to a commercial flight data company has not gone down well with this community who are unsurprisingly unimpressed that their free contributions to the website have been sold.

This certainly isn’t the first time a site built on community data has flipped into big business, and while it’s unclear whether JETNET will do a full CDDB and boot out anyone not paying to play, we can understand the users feeling that their work has been sold from under them. On the other hand, how many of us can truly claim their open source beliefs wouldn’t start to buckle once somebody slides a $20m check across the table?

It’s evidently too late for anyone aggrieved by their ADS-B data being sold, but perhaps there’s something else to think about here. We have an established way to recognize open source software in the many well-known software libre licences, but we don’t for crowd-sourced data. Perhaps it’s time for the open-source community to consider this problem and come up with something for future sites like ADS-B Exchange whatever field they may be in, a licence which clearly defines the open terms under which contributors provide the data and those under which site owners can use it. Otherwise we’ll be here again in a few years writing about another aggrieved community, and we think that doesn’t have to happen.

Smart Bike Suspension Tunes Your Ride On The Fly

January 23, 2023 by 23 Comments

Riding a bike is a pretty simple affair, but like with many things, technology marches on and adds complications. Where once all you had to worry about was pumping the cranks and shifting the gears, now a lot of bikes have front suspensions that need to be adjusted for different riding conditions. Great for efficiency and ride comfort, but a little tough to accomplish while you’re underway.

Luckily, there’s a solution to that, in the form of this active suspension system by [Jallson S]. The active bit is a servo, which is attached to the adjustment valve on the top of the front fork of the bike. The servo moves the valve between fully locked, for smooth surfaces, and wide open, for rough terrain. There’s also a stop in between, which partially softens the suspension for moderate terrain. The 9-gram hobby servo rotates the valve with the help of a 3D printed gear train.

But that’s not all. Rather than just letting the rider control the ride stiffness from a handlebar-mounted switch, [Jallson S] added a little intelligence into the mix. Ride data from the accelerometer on an Arduino Nano 33 BLE Sense was captured on a smartphone via Arduino Science Journal. The data was processed through Edge Impulse Studio to create models for five different ride surfaces and rider styles. This allows the stiffness to be optimized for current ride conditions — check it out in action in the video below.

[Jallson S] is quick to point out that this is a prototype, and that niceties like weatherproofing still have to be addressed. But it seems like a solid start — now let’s see it teamed up with an Arduino shifter.

Continue reading “Smart Bike Suspension Tunes Your Ride On The Fly”

This Week In Security: Git Deep Dive, Mailchimp, And SPF

January 20, 2023 by 10 Comments

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a non-profit working to improve the security of Open Source projects. The audit itself was done by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same bad coding habit — using an int to hold buffer lengths.

On modern systems, a size_t is always unsigned, and the same bit length as the architecture bit-width. This is the proper data type for string and buffer lengths, as it is guaranteed not to overflow when handling lengths up to the maximum addressable memory on the system. On the other hand, an int is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647 — about 2 GB. A big buffer, but not an unheard amount of data. Throw something that large at git, and it will break in unexpected ways.

Our first example is CVE-2022-23521, an out of bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository will cause the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git will then vastly under-allocate the attributes buffer, and write all that data past the end of the allocated buffer.

CVE-2022-41903 is another signed integer overflow, this time when a pretty print format gets abused to do something unexpected. Take a look at this block of code:

Continue reading “This Week In Security: Git Deep Dive, Mailchimp, And SPF”

A man sits in a chair atop a hexagonal platform. From the platform there are six hydraulically-actuated legs supporting the hexapod above a grassy field. The field is filled with fog, giving the shot a mysterious, otherworldly look.

Megahex Will Give You Robo-Arachnophobia

January 17, 2023 by 24 Comments

Some projects start with a relatively simple idea that quickly turns into a bit of a nightmare when you get to the actual implementation. [Hacksmith Industries] found this to be the case when they decided to build a giant rideable hexapod, Megahex. [YouTube]

After seeing a video of a small excavator that could move itself small distances with its bucket, the team thought they could simply weld six of them together and hook them to a controller. What started as a three month project quickly spiraled into a year and a half of incremental improvements that gave them just enough hope to keep going forward. Given how many parts had to be swapped out before they got the mech walking, one might be tempted to call this Theseus’ Hexapod.

Despite all the issues getting to the final product, the Megahex is an impressive build. Forward motion and rotation on something with legs this massive is a truly impressive feat. Does the machine last long in this workable, epic state? Spoilers: no. But, the crew learned a lot and sometimes that’s still a good outcome from a project.

If you’re looking for more hexapod fun, checkout Stompy, another rideable hexapod, or Megapod, a significantly smaller 3D-printed machine.

Continue reading “Megahex Will Give You Robo-Arachnophobia”

Illuminated smart curtain in front of a window, beside a Christmas tree

Smart LED Curtain Brings Sprites To Your Windows

January 14, 2023 by 13 Comments
Mobile interface for LED smart curtain display
A mobile interface is a nice touch

Anybody who has ever seen a video wall (and who hasn’t?) will be familiar with the idea of making large-scale illuminated images from individual coloured lights. But how many of us have gone the extra mile and fitted such a display in our own homes? [vcch] has done just that with his Deluxe Smart Curtain that can be controlled with a phone or laptop.

The display itself is made up of a series of Neopixel strips, hung in vertical lines in front of the window.  There is a wide gap between each strip, lending a ghostly translucent look to the images and allowing the primary purpose of the window to remain intact.

The brains of the system are hosted on a low-cost M5stack atom ESP32 device. The data lines for the LEDs are wired in a zig-zag up and down pattern from left to right, which the driver software maps to the rectangular images. However, the 5V power is applied to the strips in parallel to avoid voltage drops along the chain.

If you’d like to build your own smart curtain, Arduino sketch files and PHP for the mobile interface are included on the project page. Be sure to check out the brief video of what the neighbors will enjoy at night after the break.

If video walls are your kind of thing, then how about this one that uses Ping Pong Balls as diffusers? Continue reading “Smart LED Curtain Brings Sprites To Your Windows”

This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

January 13, 2023 by 7 Comments

This week we start with a Remote Code Execution (RCE) vulnerability that has potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing it’s own toString() method along to play. At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable. Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”