News

3667 Articles

Wizards Get Creative, Maybe Save The World

January 30, 2023 by 12 Comments

While it’s not normal Hackaday fare, we’ve covered the Dungeons & Dragons licensing kerfuffle, partially because we’re all nerds at heart, and also because it’s worrying that an Open Source styled license could be “deauthorized”. I did touch base with the Open Source Initiative, and got a telling comment that this issue was outside their purview, as the OGL 1.0a didn’t rise to the definition of an OSI approved license, and the update looked to be a disaster.

Since our coverage was published, Wizards of the Coast released part of the Fifth Edition System reference Document (SRD) under a Creative Commons license, removed the profit sharing language from the OGL update, but notably left the language in place about deauthorizing the 1.0a version of the license. As you can imagine, fans were still unamused, and we informed WotC of our displeasure when they launched a survey, asking fans their thoughts on the new license.

And the outpouring was overwhelming, with over 15,000 survey responses in just over a week. The vast majority (90% for some questions) informed WotC that they had lost their collective minds. That response, combined with a plummeting subscription count on DND Beyond, Paizo’s explosion of popularity and new ORC license announcement, and the plethora of publishers jumping ship, has finally shone the light of reason upon management at WotC.

The latest announcement is a win in basically every regard. The OGL 1.0a will not be deauthorized, and the entire 5e SRD has been released under the Creative Commons 4.0 By Attribution license. That’s an interesting choice, as CC-BY-4.0 is a very permissive license. It’s not “viral”, as it does not place any licensing restrictions on derivative works, and there are no restrictions on commercial use. The only restriction is that attribution must be included. The latest SRD is now available under both licenses, you pick your preference. So as a reward for going through the trauma, we get a sizable chunk of the game under an even less restrictive license. Bravo.

Continue reading “Wizards Get Creative, Maybe Save The World”

This Week In Security: GTA, Apple And Android, And Insecure Boot

January 27, 2023 by 11 Comments

When we first saw tweets about a security issue in Grand Theft Auto V, it sounded a bit like a troll. “Press ‘alt and f4’ to unlock a cheat mode”, or the hacker that claims to be able to delete your character. [Tez2]’s warning tweet that you shouldn’t play GTA Online without a firewall sounds like another of these online urban legends. But this one actually seems legit. NIST is even in on the fun, assigning CVE-2023-24059 for the exploit.

When playing an online game, other users send a “join request” to join the active session. This packets can contain malformed data which has been observed to crash the game client remotely. It’s believed, though not publicly confirmed, that it’s also a Remote Code Execution (RCE) vulnerability. It seems likely that this aspect will be added to some of the various cheat panels that are already widely used for this 10-year-old game. So now, rather than just giving your own character infinite ammo and health, you can inflict some havoc on other players, possibly up to corrupting their character files and getting them banned.

But why stop there? If we have code execution inside the game, what stops another player from launching a real attack? A video game isn’t sandboxed like a browser, and there’s nothing preventing a disk wiper attack or even a worm from compromising a bunch of players. The worst part is that it’s an old game, and even though there’s a large playerbase, it’s not guaranteed to get a fix. There’s at least one project aiming to be a firewall to prevent the issue. Continue reading “This Week In Security: GTA, Apple And Android, And Insecure Boot”

Binary Watch Rocks A Bare PCB With Pride

January 26, 2023 by 18 Comments

Most of us learn to read digital clocks first, which display the time in obvious numbers. Analog clocks are often learned later, with the hands taking our young brains a little longer to figure out. Once you’ve grown into a 1337h4XX0r, though, you’re ready to learn how to read a binary watch. Then you can build your own, just like [taifur] did.

The watch rocks a simplistic, bare bones design with the PCB acting as the body of the device itself. It’s not great for water resistance, or even incidental contact, but it’s a sharp look with the golden traces on display. The heart of the operation is a ATmega328P, as seen in the popular Arduino Uno, and it’s paired with a DS3231M real-time clock module to keep accurate time. 13 SMD LEDs are charged with displaying the time in binary format, with [taifur] choosing to spec a classic red color for the build. The watch is powered via a CR2032 coin cell, which you’re best advised not to swallow. So far, [taifur] has found the watch will last for over a month before the battery is tapped out.

It’s a fun build, and one that looks good when paired with a classic NATO watch strap in green. If, however, you desire a watch that definitely won’t last a month on a single coin cell, you can always build a Nixie watch instead. Video after the break.

Continue reading “Binary Watch Rocks A Bare PCB With Pride”

ADS-B Exchange Sells Up, Contributors Unhappy

January 26, 2023 by 62 Comments

In the news among aviation enthusiasts, the ADS-B data aggregation and aircraft tracking site ADSB-Exchange has been sold by its founder to JETNET for a reported $20,000,000. This type of routine financial news is more at home in the business media than on Hackaday, but in this case there’s something a little different at play. ADS-B Exchange is a community driven site whose data comes from thousands of enthusiasts worldwide connecting their ADS-B receivers to its feed API. The sale to a commercial flight data company has not gone down well with this community who are unsurprisingly unimpressed that their free contributions to the website have been sold.

This certainly isn’t the first time a site built on community data has flipped into big business, and while it’s unclear whether JETNET will do a full CDDB and boot out anyone not paying to play, we can understand the users feeling that their work has been sold from under them. On the other hand, how many of us can truly claim their open source beliefs wouldn’t start to buckle once somebody slides a $20m check across the table?

It’s evidently too late for anyone aggrieved by their ADS-B data being sold, but perhaps there’s something else to think about here. We have an established way to recognize open source software in the many well-known software libre licences, but we don’t for crowd-sourced data. Perhaps it’s time for the open-source community to consider this problem and come up with something for future sites like ADS-B Exchange whatever field they may be in, a licence which clearly defines the open terms under which contributors provide the data and those under which site owners can use it. Otherwise we’ll be here again in a few years writing about another aggrieved community, and we think that doesn’t have to happen.

Smart Bike Suspension Tunes Your Ride On The Fly

January 23, 2023 by 23 Comments

Riding a bike is a pretty simple affair, but like with many things, technology marches on and adds complications. Where once all you had to worry about was pumping the cranks and shifting the gears, now a lot of bikes have front suspensions that need to be adjusted for different riding conditions. Great for efficiency and ride comfort, but a little tough to accomplish while you’re underway.

Luckily, there’s a solution to that, in the form of this active suspension system by [Jallson S]. The active bit is a servo, which is attached to the adjustment valve on the top of the front fork of the bike. The servo moves the valve between fully locked, for smooth surfaces, and wide open, for rough terrain. There’s also a stop in between, which partially softens the suspension for moderate terrain. The 9-gram hobby servo rotates the valve with the help of a 3D printed gear train.

But that’s not all. Rather than just letting the rider control the ride stiffness from a handlebar-mounted switch, [Jallson S] added a little intelligence into the mix. Ride data from the accelerometer on an Arduino Nano 33 BLE Sense was captured on a smartphone via Arduino Science Journal. The data was processed through Edge Impulse Studio to create models for five different ride surfaces and rider styles. This allows the stiffness to be optimized for current ride conditions — check it out in action in the video below.

[Jallson S] is quick to point out that this is a prototype, and that niceties like weatherproofing still have to be addressed. But it seems like a solid start — now let’s see it teamed up with an Arduino shifter.

Continue reading “Smart Bike Suspension Tunes Your Ride On The Fly”

This Week In Security: Git Deep Dive, Mailchimp, And SPF

January 20, 2023 by 10 Comments

First up, git has been audited. This was an effort sponsored by the Open Source Technology Improvement Fund (OSTIF), a non-profit working to improve the security of Open Source projects. The audit itself was done by researchers from X41 and GitLab, and two critical vulnerabilities were found, both caused by the same bad coding habit — using an int to hold buffer lengths.

On modern systems, a size_t is always unsigned, and the same bit length as the architecture bit-width. This is the proper data type for string and buffer lengths, as it is guaranteed not to overflow when handling lengths up to the maximum addressable memory on the system. On the other hand, an int is usually four bytes long and signed, with a maximum value of 2^31-1, or 2147483647 — about 2 GB. A big buffer, but not an unheard amount of data. Throw something that large at git, and it will break in unexpected ways.

Our first example is CVE-2022-23521, an out of bounds write caused by an int overflowing to negative. A .gitattributes file can be committed to a repository with a modified git client, and then checking out that repository will cause the num_attrs variable to overflow. Push the overflow all the way around to a small negative number, and git will then vastly under-allocate the attributes buffer, and write all that data past the end of the allocated buffer.

CVE-2022-41903 is another signed integer overflow, this time when a pretty print format gets abused to do something unexpected. Take a look at this block of code:

Continue reading “This Week In Security: Git Deep Dive, Mailchimp, And SPF”

A man sits in a chair atop a hexagonal platform. From the platform there are six hydraulically-actuated legs supporting the hexapod above a grassy field. The field is filled with fog, giving the shot a mysterious, otherworldly look.

Megahex Will Give You Robo-Arachnophobia

January 17, 2023 by 24 Comments

Some projects start with a relatively simple idea that quickly turns into a bit of a nightmare when you get to the actual implementation. [Hacksmith Industries] found this to be the case when they decided to build a giant rideable hexapod, Megahex. [YouTube]

After seeing a video of a small excavator that could move itself small distances with its bucket, the team thought they could simply weld six of them together and hook them to a controller. What started as a three month project quickly spiraled into a year and a half of incremental improvements that gave them just enough hope to keep going forward. Given how many parts had to be swapped out before they got the mech walking, one might be tempted to call this Theseus’ Hexapod.

Despite all the issues getting to the final product, the Megahex is an impressive build. Forward motion and rotation on something with legs this massive is a truly impressive feat. Does the machine last long in this workable, epic state? Spoilers: no. But, the crew learned a lot and sometimes that’s still a good outcome from a project.

If you’re looking for more hexapod fun, checkout Stompy, another rideable hexapod, or Megapod, a significantly smaller 3D-printed machine.

Continue reading “Megahex Will Give You Robo-Arachnophobia”