ua-parser-js compromised

Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become a victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), which organizes a collection of contributed libraries written in JavaScript. One need only use npm to include a library in their code, and all of the functions of that code are available to the developer. One such example is ua-parser-js, which is a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22 2021, the developer of ua-parser-js found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer-facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new versions of the package that are clean. If you have any software that uses this library, make sure you’ve got the latest version!
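Checking whether you ship a compromised copy is harder than it sounds, because a dependency of a dependency can pull in a second, nested ua-parser-js that `npm ls` output is easy to skim past. The script below is an added example, not code from the Hackaday post or from the ua-parser-js project: it walks an npm lockfile (both the old nested and the newer flat format), lists every installed copy of a named package with its path, and flags any version on a blocklist. The lockfile contents and the blocklist value are constructed placeholders; the real affected versions belong in the blocklist and come from the GitHub advisory, not from this example.

```javascript
// Added example (not from the Hackaday post or ua-parser-js): list every copy
// of a package in an npm lockfile, nested copies included, and flag versions
// on a blocklist. Handles lockfileVersion 1 (nested "dependencies") and
// 2/3 (flat "packages" keyed by node_modules path). All data is constructed.

// Placeholder blocklist: take the real affected versions from the advisory.
const KNOWN_BAD_VERSIONS = ["1.0.0"];
// Constructed lockfileVersion 2 file: one direct copy of ua-parser-js and a
// second copy nested under a hypothetical "some-sdk" dependency.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "ua-parser-js": "^0.7.0", "some-sdk": "1.2.3" } },
    "node_modules/ua-parser-js": { version: "0.7.28" },
    "node_modules/some-sdk": { version: "1.2.3" },
    "node_modules/some-sdk/node_modules/ua-parser-js": { version: "1.0.0" },
  },
});
// lockfileVersion 1 is a tree: recurse, building the node_modules path.
function walkV1(deps, name, prefix, found) {
  for (const [depName, meta] of Object.entries(deps || {})) {
    const path = prefix + "node_modules/" + depName;
    if (depName === name) found.push({ path, version: meta.version });
    walkV1(meta.dependencies, name, path + "/", found);
  }
}

// Return [{ path, version }] for every installed copy of `name`.
function findInstalledVersions(lockJson, name) {
  const lock = JSON.parse(lockJson);
  const found = [];
  if (lock.packages) {
    // v2/v3: a copy is "node_modules/<name>" or ends in "/node_modules/<name>"
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "node_modules/" + name || path.endsWith("/node_modules/" + name)) {
        found.push({ path, version: meta.version });
      }
    }
  } else {
    walkV1(lock.dependencies, name, "", found);
  }
  return found;
}

// Every copy found plus the subset whose version is on the blocklist.
function auditPackage(lockJson, name, badVersions = KNOWN_BAD_VERSIONS) {
  const copies = findInstalledVersions(lockJson, name);
  return { copies, flagged: copies.filter((c) => badVersions.includes(c.version)) };
}
```

Run it against a real `package-lock.json` read from disk and a non-empty `flagged` list means a pinned sub-dependency still carries the bad version even after you bumped your own direct dependency.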

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

QB64 Hits Version 2.0, Gets Enhanced Debugging

Despite the name, BASIC isn’t exactly a language recommended for beginners these days. Technology has moved on, and now most people would steer you towards Python if you wanted to get your feet wet with software development. But for those who got their first taste of programming by copying lines of BASIC out of a computer magazine, the language still holds a certain nostalgic appeal.

If that sounds like you, then may we heartily recommend QB64. The open source project seeks to modernize the classic programming language while retaining compatibility for QBasic 4.5, the late-80s BASIC environment Microsoft included with MS-DOS. That modernization not only includes the addition of contemporary technology like OpenGL, but cross-platform support that lets you run the same code on Windows, Linux, and Mac OS.

The new debug mode in QB64 v2.

The QB64 team released version 2.0 just a few days ago, making this the perfect time to give the project a test drive if you haven’t tried it out yet. The changelog includes platform specific improvements for each supported operating system, as well as a long list of general fixes and updates. But arguably the biggest feature for this release is the inclusion of the $Debug metacommand.

When this command is included in your code, the IDE will insert a debugging stub into the compiled program. During execution, the QB64 IDE will switch over to debugging mode, and communicate with your program in real-time over a local TCP/IP connection. The debugging mode lets you step through the code line-by-line, check the values of variables, and set breakpoints. Once you’re done fussing with the code and want to release a final binary, you just need to remove that single $Debug command and recompile.

We’ve talked in the past about using QB64 to revitalize vintage code, and think the project is a fantastic melding of old and new technology. You never know when you might suddenly have the urge to dust off some code you wrote back in the 80s and run it on an OS that didn’t even exist at the time.

Interconnected CPU nodes forming a system-wide network

With Luos Rapid Embedded Deployment Is Simplified

Those of us tasked with developing firmware for embedded systems have quite a few hurdles to jump through compared to those writing for the desktop or mobile platforms. Solved problems such as code reuse or portability are simply harder. It was with considerable interest that we learnt of another approach to hardware abstraction, called Luos, which describes itself as micro-services for embedded systems.

This open source project enables deployment of distributed architectures composed of collaborating micro-services. By containerizing applications and hardware drivers, interfaces to the various components are hidden behind a consistent API. It doesn’t even matter where a resource is located: multiple services may be running on the same microcontroller, or on separate ones, yet they can communicate in the same way.

By following hardware and software design rules, it’s possible to create an architecture of cooperating computing units that’s completely agnostic of the actual hardware. Microcontrollers talk at the hardware level with a pair of bidirectional signals, so the hardware cost is very low. It even integrates with ROS, so making robots is even easier.

Luos architecture

By integrating a special block referred to as a Gate, it is possible to connect to the architecture in real-time from a host computer via USB, WiFi, or serial port, and stream data out, feed data in, or deploy new software. The host software stack is based around Python, running under Jupyter Notebook, which we absolutely love.

Current compatibility is with many STM32 and ATSAM21 micros, so chances are good you can use it with whatever you have lying around, but more platforms are promised for the future.

Now yes, we’re aware of CMSIS and the idea of Hardware Abstraction Layers (HALs) used as part of the platform-specific software kits; this is nothing new. But different platforms work quite differently, and porting code from one to another, just because you can no longer get your preferred microcontroller any more, is a real drag we could all do without. So why not go clone the GitHub repository and have a look for yourselves?


1981 Called, Here’s Your Software

How many of us who have a few decades of adulthood under our belts would like to talk to our 17-year-old selves? “Hey kid, it’s all gonna be OK. Also, Duke Nukem Forever does come out eventually, but it’s not going to be pretty!” Being honest, exposure to the hot takes of one’s naive teenage self would almost certainly be as cringeworthy as the time-worn-but-familiar adult would be to the teenager, but there’s one way in which you can in a sense have a conversation with your teenage self. [Mad Ned] had this opportunity when he discovered a printed BASIC listing for a game he’d written for the TRS-80 back in 1981. Could he make it run again, and what did it tell him about his teenage years?

Grizzled 8-bit veterans will tell you of countless hours spent typing in poorly-reproduced listings found in magazines, and the inevitable pain that followed as all those mistypes were ironed out. [Ned] eschewed all that retro experience because this is the 21st century, and we now have much more powerful computers to do our bidding! The reality of incomplete OCR is one we’ll no doubt all be used to, and for 8-bit fans so is the debugging that was needed to get the listing to run. Breaker Ball is an odd hybrid of Breakout and Space Invaders, and it’s his analysis of the teenage thinking that led to the game being the way it is that rounds off the piece. Sadly we’re not treated to the entire listing, but there’s a short gameplay video we’ve placed below the break.


Need A New Programming Language? Try Zig

Maybe you’ve heard of it, maybe you haven’t. Zig is a new programming language that seems to be growing in popularity. Let’s do a quick dive into what it is, why it’s unique, and what sort of things you would use it for. (Ed Note: Other than “for great justice“, naturally.)

What Is It?

You’ve likely heard of Rust as it has made significant inroads in critical low-level infrastructures such as operating systems and embedded microcontrollers. As a gross oversimplification, it offers memory safety and many traditional runtime checks pushed to compile time. It has been the darling of many posts here at Hackaday as it offers some unique advantages. With Rust on the rise, it makes sense that there might be some space for some new players. Languages like Julia, Go, Swift, and even Racket are all relative newcomers vying for the highly coveted mindshare of software engineers everywhere.

So let’s talk Zig. In a broad sense, Zig is really trying to provide some of the safety of Rust with the simplicity and ease of C. It touts a few core features such as:

  • No hidden control flow
  • No hidden memory allocations
  • No preprocessor, no macros
  • First-class support for optional standard library
  • Interoperable by design
  • Adjustable Runtime Safety
  • Compile-time code-execution


Awesome Python Video Tutorials Keep You Motivated

Programming languages are one of those topics that we geeks have some very strong and often rather polarised opinions about. As new concepts in computing are dreamt up, older languages may grow new features, if viable, or get left behind when new upstarts come along and shake things up a bit. This scribe can remember his early days programming embedded systems, and the arguments that ensued when someone came along with a project that required embedded C++ or worse, Java, when we were mostly diehard C programmers. Fast forward a decade or two, and things are way more complicated. So much choice, so much opinion.

So it’s really nice to come across some truly unique and beautifully made Python tutorial videos that are engaging and fun to watch. They are fronted by Canadian actress [Ulka Simone Mohanty], whom some may recognise from such lofty titles as the game “Magic: The Gathering Arena” and various films and TV shows, and she delivers a dead-pan, avatar-like presentation of the most important areas of Python. We were particularly amused by the comment “Loopus Interruptus” as the exception condition for iterating off the end of a list.


A Rant On Personal Software Projects

Looking across your hard drive and GitHub, you might find hundreds of notes and skeletons of Git repositories: a veritable graveyard of software side projects. The typical flow for many of these projects is: get an idea, ruminate on the idea until it becomes exciting, eventually becoming more exciting than the current side project, notes are captured, a repository is created, and work begins at a blistering pace while the focus and excitement are there. There might be some rewrites or some changes in direction. Questions of whether the project is worthwhile or “what even should this project actually be” start to arise. Eventually, enthusiasm wanes as these questions continue to multiply. Progress slows as the path forward seems less clear-cut than it once did. The project is either sunset with a mournful promise to someday return or quietly put aside as something new and exciting comes to take its place. Sound familiar? Perhaps not, but the principles here could be helpful.

This particular article is largely a piece of opinion from one engineer to another. It’s about engineering the process by which you design a project so that it has better outcomes. There are many reasons why a project could be shelved or scrapped, and not all of them stem from a lack of clear project definition. In the case where it isn’t clear what the project is, it can be helpful to think about it in a more holistic, meta sense. In broad strokes, there are two types of personal projects: technology demos and products.
