Machining With Electricity Hack Chat

Join us on Wednesday, January 18 at noon Pacific for the Machining with Electricity Hack Chat with Daniel Herrington!

With few exceptions, metalworking has largely been about making chips, and finding something hard enough and tough enough to cut those chips has always been the challenge. Whether it’s high-speed steel, tungsten carbide, or even little chunks of rocks like garnet or diamond, cutting metal has always used a mechanical interaction between tool and stock, often with spectacular results.

But then, some bright bulb somewhere realized that electricity could be used to remove metal from a workpiece in a controlled fashion. Whether it’s using electric sparks to erode metal — electric discharge machining (EDM) — or using what amounts to electroplating in reverse — electrochemical machining (ECM) — electrical machining methods have made previously impossible operations commonplace.

While the technology behind ExM isn’t really that popular in the hobby machine shop yet, a lot of the equipment needed and the methods to make it all work are conceivably DIY-able. But the first step toward that is understanding how it all works, and we’re lucky enough to have Daniel Herrington stop by the Hack Chat to help us out with that. Daniel is CEO and founder of Voxel Innovations, a company that’s on the cutting edge of electrochemical machining with its pulsed ECM technology. There’s a lot to unpack, so make sure you stop by so we can all get up to speed on what’s up with using electricity to do the machining.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, January 18 at 12:00 PM Pacific time. If time zones have you tied up, we have a handy time zone converter.


Hackaday Links: January 15, 2023

It looks like the Martian winter may have claimed another victim, with reports that Chinese ground controllers have lost contact with the Zhurong rover. The solar-powered rover was put into hibernation back in May 2022, thanks to a dust storm that kicked up a couple of months before the start of local winter. Controllers hoped that they would be able to reestablish contact with the machine once Spring rolled around in December, but the rover remains quiet. It may have suffered the same fate as Opportunity, which had its solar panels covered in dust after a planet-wide sandstorm and eventually gave up the ghost.

What’s worse, it seems like the Chinese are having trouble talking to the Tianwen-1 orbiter, too. There are reports that controllers can’t download data from the satellite, which is a pity because it could potentially be used to image the Zhurong landing site in Utopia Planitia to see what’s up. All this has to be taken with a grain of dust, of course, since the Chinese aren’t famously transparent with their space program. But here’s hoping that both the rover and the orbiter beat the odds and start doing science again soon.

Continue reading “Hackaday Links: January 15, 2023”

Too Many Pixels

Sometimes simpler is more impressive than complicated, and part of this is certainly due to Arthur C. Clarke’s third law: “Any sufficiently advanced technology is indistinguishable from magic.” It’s counter-intuitive, though, that a high-tech project would seem any less amazing than a simpler one, but hear me out.

I first noticed this ages ago, when we were ripping out the blue laser diodes from Casio XJ-A130 laser projectors back when this was the only way to get a powerful blue laser diode. Casio had bought up the world’s supply of the 1.5 W Nichias, and was putting 24 of them in each projector, making them worth more dead than alive, if you know what I mean. Anyway, we were putting on a laser show, and the bright blue diode laser was just what we needed.

RGB Laser show
A sweeter setup than mine, but you get the idea. 

Color laser setups take three or more different lasers, combine the beams, and then bounce them off of mirrors attached to galvos. Steer the mirrors around, and you can project vector images. It’s pretty cool tech, and involves some serious fine-tuning, but the irony here is that we were tearing apart a device with 788,736 microscopic DLP mirrors to point the lasers through just two. And yet, a DIY laser show is significantly cooler than just putting up your PowerPoint on the office wall.

The same thing goes for 2D plotting machines like the AxiDraw. The astonishing tech behind any old laser printer is mind-numbing. Possibly literally. Why else would we think that art drawn out by a pen in the hands of a stepper-powered robot is cooler than the output of a 1600 DPI unit coming from HP’s stable? I mean, instead of running an hours-long job to put ink on paper with a pen, my LaserJet puts out an image in ten seconds. But it’s just not as much fun.

So here we are, in an age where there’s so darn much magic all around us, in the form of sufficiently advanced technology, that comprehensible devices are actually more impressive. And my guess is that it’s partly because it’s not surprising when a device that’s already magic does something magical. I mean, that’s just what it’s supposed to do. Duh!

But when something beautiful emerges from a pair of mirrors epoxied to shafts on springs turned by copper coils, that’s real magic.

Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist

Even for those with paraskevidekatriaphobia, today is your lucky day as Editor-in-Chief Elliot Williams and Staff Writer Dan Maloney sit under ladders with umbrellas while holding black cats to talk about the week in awesome hacks. And what a week it was, with a Scooby Doo code review, mushrooms in your PCBs, and the clickiest automatic transmission that never was. Have you ever flashed the firmware on a $4 wireless sensor? Maybe you should try. Wondering how to make a rotary Hall sensor detect linear motion? We’ll answer that too. Will AI muscle the dungeon master out of your D&D group? That’s a hard no. We’ll talk about a new RISC-V ESP32, making old video new again, nuclear reactor kibble, and your least satisfying repair jobs. And yes, everyone can relax — I’m buying her a new stove.

Download the podcast in case our servers get unlucky.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Continue reading “Hackaday Podcast 201: Faking A Transmission, Making Nuclear Fuel, And A Slidepot With A Twist”

This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM

This week we start with a Remote Code Execution (RCE) vulnerability that has the potential to be a real pain for sysadmins. Cacti, the system monitoring and graphing solution, has a pair of bugs that chain together to allow an attacker with unauthenticated access to the HTTP/S port to trivially execute bash commands. The first half of this attack is an authentication bypass, and it’s embarrassingly trivial. The Cacti authentication code trusts the Forwarded-For: header in the request. Set it to the server’s IP, and the authentication code treats it like a localhost request, bypassing any real authentication process.

The second half is found in the remote_agent.php endpoint, where the poller_id is set by the user and treated as a string. Then, if the right host_id and local_data_id item is triggered, that string is concatenated into a proc_open() function call. The string isn’t sanitized, so it’s trivial enough to include a second command to run, dropping a webshell, for instance.

Version 1.2.23 of Cacti contains the fix, and was released on the 2nd. This one is likely to be exploited, and if automated exploitation hasn’t started already, it likely will soon. So if you have a Cacti install, go double-check that the interface isn’t exposed to the world.
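The two weaknesses described above, next to a hardened form of each, as an added example that is not Cacti's code (Cacti is PHP) and not from the original article. The request objects, the `socketAddr` field, the address lists and the function names are all hypothetical.

```javascript
// Constructed example: requests are plain objects, not a real HTTP server.
const ALLOWED_POLLERS = new Set(['127.0.0.1', '10.0.0.5']); // hypothetical poller hosts
const TRUSTED_PROXIES = new Set(['10.0.0.2']);              // hypothetical reverse proxy

// Weak pattern: a client-supplied header decides who the caller is.
function naiveClientIp(req) {
  return req.headers['forwarded-for'] || req.socketAddr;
}

// Hardened: the TCP peer address is authoritative. The header is consulted
// only when the peer is a proxy we operate, and is read right to left so
// that values the client prepended are never reached.
function trustedClientIp(req) {
  if (!TRUSTED_PROXIES.has(req.socketAddr)) return req.socketAddr;
  const hops = (req.headers['forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  return req.socketAddr;
}

function authorize(req, resolveIp) {
  return ALLOWED_POLLERS.has(resolveIp(req));
}

// poller_id is meant to be a number: accept only a short run of digits, so
// the value can never carry shell metacharacters into a command line.
function parsePollerId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,9}$/.test(raw)) return null;
  return Number(raw);
}

// Constructed requests: one direct with a forged header, one via the proxy.
const direct = { socketAddr: '203.0.113.9',
  headers: { 'forwarded-for': '127.0.0.1' }, query: { poller_id: '1;x' } };
const viaProxy = { socketAddr: '10.0.0.2',
  headers: { 'forwarded-for': '127.0.0.1, 198.51.100.7' }, query: { poller_id: '3' } };

console.log('naive, forged header :', authorize(direct, naiveClientIp));
console.log('hardened, same input :', authorize(direct, trustedClientIp));
console.log('client seen via proxy:', trustedClientIp(viaProxy));
console.log('poller_id values     :', parsePollerId(direct.query.poller_id),
  parsePollerId(viaProxy.query.poller_id));
```

Validation of the identifier is a second layer: passing arguments as an array rather than building a command string removes the shell from the picture altogether.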

JSON Web Token

Researchers at Unit 42 found an exploit that can be used to achieve an RCE in the JsonWebToken project. The issue is this library’s verify() function, which takes arguments of the token to check, the key to use, and options. If there aren’t any algorithms specified in the options object, then the key is processed as a PEM string. The toString() method of that key is called during the actual check, and the assumption is that it’s either a string or buffer. But what if the key passed in to the verify() function was actually a complex object, bringing its own toString() method along to play? At that point, we have arbitrary code execution. And if this code is running on the server-side under node.js, that means a popped server.
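Why the key's type matters, as an added example that is not the jsonwebtoken library's code and not from the original article: `legacyVerify` is a simplified stand-in for the behaviour described above, and `strictVerify`, `sign`, `demo` and the secret are hypothetical names and constructed values.

```javascript
const crypto = require('node:crypto');

const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (key, input) => crypto.createHmac('sha256', key).update(input).digest();

// Helper that builds a constructed HS256 token for the demonstration.
function sign(payload, secret) {
  const input = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}`;
  return `${input}.${mac(secret, input).toString('base64url')}`;
}

// Simplified stand-in for the behaviour described above: the key is coerced
// with toString(), whatever type it has.
function legacyVerify(token, key) {
  const [head, body, sig] = token.split('.');
  return mac(key.toString(), `${head}.${body}`).toString('base64url') === sig;
}

// Hardened: reject anything but a string or Buffer before the key is touched,
// and require the caller to pin the accepted algorithms.
function strictVerify(token, key, options = {}) {
  if (typeof key !== 'string' && !Buffer.isBuffer(key)) {
    throw new TypeError('key must be a string or Buffer');
  }
  if (!Array.isArray(options.algorithms) || options.algorithms.length === 0) {
    throw new TypeError('an explicit algorithms allow-list is required');
  }
  const parts = String(token).split('.');
  if (parts.length !== 3) return false;
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], 'base64url').toString()); } catch { return false; }
  if (header === null || header.alg !== 'HS256' || !options.algorithms.includes(header.alg)) return false;
  const expected = mac(key, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed demonstration: an object key whose toString() has a side effect.
function demo() {
  const token = sign({ sub: 'alice' }, 'constructed-secret');
  let ran = false;
  const objectKey = { toString() { ran = true; return 'constructed-secret'; } };
  const legacyAccepted = legacyVerify(token, objectKey);
  const ranInLegacy = ran;
  ran = false;
  let rejected = false;
  try { strictVerify(token, objectKey, { algorithms: ['HS256'] }); } catch (e) { rejected = e instanceof TypeError; }
  return { legacyAccepted, ranInLegacy, rejected, ranInStrict: ran };
}

console.log(demo());
```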

But wait, it’s not that simple, right? It’s not like a valid JWT can contain an arbitrary object — that would be a problem all on its own. So CVE-2022-23529 is a stepping-stone. It’s insecure code, but the rest of the application has to have another vulnerability for this one to be reachable.

Continue reading “This Week In Security: Cacti RCE, VMs In The Browser, And SugarCRM”


3D Printering: Can You Ever Have Enough Vitamins?

As a community we owe perhaps more than we realise to the RepRap project. From it we get not only a set of open-source printer designs, but also the fact that 3D printing at our level has never become dominated by proprietary manufacturers in the way that, for example, paper printing is. The idea of a printer that can reproduce itself has never quite been fully realised though, because of what the RepRap community refer to as “vitamins”.

These are the mass-produced parts such as nuts, bolts, screws, and other parts which a RepRap printer can’t (yet) create for itself. It’s become a convenience among some of my friends to use this term in general for small pieces of hardware, which leads me to last week. I had a freshly printed prototype of one of my projects, and my hackerspace lacked the tiny self-tapping screws necessary for me to assemble it. Where oh where, was my plaintive cry, are the vitamins!

So my hackerspace is long on woodscrews for some reason, and short on machine screws and self-tappers. And threaded inserts for that matter, but for some reason it’s got a kit of springs. I’m going to have to make an AliExpress order to fix this, so maybe I need you lot to help me. Just what vitamins does a lone hardware hacker or a hackerspace need?

Continue reading “3D Printering: Can You Ever Have Enough Vitamins?”

AI-Controlled Twitch V-Tuber Has More Followers Than You

Surely we have all at least heard of Twitch by now. For the as-yet uninitiated: imagine you had your own TV channel. What would you do on it? Although Twitch really got going as a place for gamers to stream the action, there are almost as many people jamming out on their guitars, or building guitars, or just talking about guitars. And that’s just the example that uses guitars — if you can think of it, someone is probably doing it live on Twitch, within the Terms of Service, of course.

Along with the legions of people showing their faces and singing their hearts out, you have people in partial disguise, and then you have v-tubers. That stands for virtual tubers, and it just means that the person is using an anime avatar to convey themselves.

Now that you’re all caught up, let’s digest the following item together: there’s a v-tuber on Twitch that’s controlled entirely by AI. Let me run that by you again: there’s a person called [Vedal] who operates a Twitch channel. Rather than stream themselves building Mad Max-style vehicles and fighting them in a post-apocalyptic wasteland, or singing Joni Mitchell tunes, [Vedal] pulls the strings of an AI they created, which is represented by an animated character cleverly named Neuro-sama. Not only does Neuro-sama know how to play Minecraft and osu!, she speaks gamer and interacts regularly with chat in snarky, 21st century fashion. And that really is the key behind Twitch success — interacting with chat in a meaningful way.

Continue reading “AI-Controlled Twitch V-Tuber Has More Followers Than You”