This Week In Security: Nvidia, Ransomware Retirement, And A TOCTOU Bug In Docker

Nvidia’s GeForce Experience (GFE) is the companion application for the Nvidia drivers, keeping said drivers up to date, as well as adding features around live streaming and media capture. The application runs as two parts, a GUI, and a system service, using an HTTP API to communicate. [David Yesland] from Rhino Security Labs decided to look into this API, searching for interesting, undocumented behavior, and shared the results on Sunday the 2nd.

The first interesting finding was that the service was written in JavaScript and run using Node.js. JavaScript is a scripting language, not a compiled language — the source code of the service was open for studying. This led to the revelation that API requests would be accepted from any origin, so long as the request included the proper security token. The application includes an update mechanism, which allows an authorized API call to execute an arbitrary system command. So long as the authentication token isn’t leaked to an attacker, this still isn’t a problem, right?

Howto: Docker, Databases, And Dashboards To Deal With Your Data

So you just got something like an Arduino or Raspberry Pi kit with a few sensors. Setting up temperature or motion sensors is easy enough. But what are you going to do with all that data? It’s going to need storage, analysis, and summarization before it’s actually useful to anyone. You need a dashboard!

But even before displaying the data, you’re going to need to store it somewhere, and that means a database. You could just send all of your data off into the cloud and hope that the company that provides you the service has a good business model behind it, but frankly the track records of even the companies with the deepest pockets and best intentions don’t look so good. And you won’t learn anything useful by taking the easiest way out anyway.

Instead, let’s take the second-easiest way out. Here’s a short tutorial to get you up and running with a database backend on a Raspberry Pi and a slick dashboard on your laptop or cellphone. We’ll be using scripts and Docker to automate as many things as possible. Even so, along the way you’ll learn a little bit about Python and Docker, but more importantly you’ll have a system of your own for expansion, customization, or simply experimenting with at home. After all, if the “cloud” won’t let you play around with their database, how much fun can it be, really?


Web Development: What’s Big In 2019?

I try to keep up with web development trends but it’s hard to keep pace since it’s such a fast evolving field. Barely a week goes by without the release of a new JS framework, elaborate build tool or testing suite — all of them touted as the one to learn. Sorting the hype from the genuinely useful is no mean feat, so my aim in this article is to summarise some of the most interesting happenings that web development saw in the last year, and what trends we expect to see more of in 2019.

A technology or framework doesn’t have to be brand new to be on our list here, it just needs to be growing rapidly or evolving in an interesting way. Let’s take a look!


This Bitcoin Price Tracking Traffic Light Isn’t Just A Red LED

Quick, what’s the price of Bitcoin? Is it lower today than yesterday? Are you overdrafting your Lamborghini account? What if you had an easy way to tell at a glance how much you could have made if you sold in December of last year? That’s what this Bitcoin price tracking traffic light is all about, and it’s a great use of existing electronics.

The hardware for this build is a traffic light table lamp available on Amazon for twenty bucks. Inside this traffic light, you get a PCB with three LEDs and a small microcontroller to control the LEDs. The microcontroller isn’t used in this case; instead, it is removed and a few wires are soldered up to the base of the transistors used to drive the LEDs. The other ends of these wires are attached to a trio of pins on a Raspberry Pi Zero W, giving this traffic light table lamp Linux and a connection to the Internet.

On the software side of things, we’re looking at a Docker container running a Python script that fetches the latest Bitcoin price from Coindesk and calculates the change from the previous fetch of the price of Bitcoin. This data is shuffled off to another Python script that actually changes the LEDs on the lamp.

Sure, these days a ‘bitcoin price tracking traffic light’ is as simple as connecting a red LED to a battery, and if you’re feeling extra fancy you can add a 220 Ω resistor. But this is a project that’s so well executed that we’ve got to give it a tip o’ our hat.

Intro To Docker: Why And How To Use Containers On Any System

If you have your ear even slightly to the ground of the software community, you’ll have heard of Docker. Having recently enjoyed a tremendous rise in popularity, it continues to attract users at a rapid pace, including many global firms whose infrastructure depends on it. Part of Docker’s rise to fame can be attributed to its users becoming instant fans with evangelical tendencies.

But what’s behind the popularity, and how does it work? Let’s go through a conceptual introduction and then explore Docker with a bit of hands-on playing around.


An Eye-Catching Raspberry Pi Smart Speaker

[curcuz]’s BoomBeastic mini is a Raspberry Pi based smart connected speaker. But don’t dis it as just another media center kind of project. His blog post is more of a How-To guide on setting up container software, enabling OTA updates and such, and can be a good learning project for some. Besides, the design is quite elegant and nice.

The hardware is simple. There’s the Raspberry-Pi — he’s got instructions on making it work with the Pi2, Pi2+, Pi3 or the Pi0. Since the Pi’s have limited audio capabilities, he’s using a DAC, the Adafruit I2S 3W Class D Amplifier Breakout for the MAX98357A, to drive the Speaker. The I2S used by that part is Inter-IC Sound — a 3 wire peer to peer audio bus — and not to be confused with I2C. For some basic visual feedback, he’s added an 8×8 LED matrix with I2C interface. A Speaker rounds out the BoM. The enclosure is inspired by the Pimoroni PiBow which is a stack of laser cut MDF sheets. The case design went through four iterations, but the final result looks very polished.

On the software side, the project uses Mopidy — a Python application that runs in a terminal or in the background on devices that have network connectivity and audio output. Out of the box, it is an MPD and HTTP server. Additional front-ends for controlling Mopidy can be installed from extensions, enabling Spotify, Soundcloud and Google Music support, for example. To allow over-the-air programming, [curcuz] is using resin.io which helps streamline management of devices that are hard to reach physically. The whole thing is containerized using Docker. Additional instructions on setting up all of the software and libraries are in his blog post, and the code is hosted on GitHub.

There’s a couple of “To-Do’s” on his list which would make this even more interesting. Synced audio being one: in a multi-device environment, have the possibility to sync them and reproduce the same audio. The other would be to add an Emoji and Equalizer display mode for the LED matrix. Let [curcuz] know if you have any suggestions.


How To Use Docker To Cross Compile For Raspberry Pi (and More)

It used to be tedious to set up a cross compile environment. Sure, you can compile on the Raspberry Pi itself, but sometimes you want to use your big computer — and you can use it when your Pi is not on hand, like when on an airplane with a laptop. It can be tricky to set up a cross compiler for any build tools, but if you go through one simple step, it becomes super easy regardless of what your real computer looks like. That one step is to install Docker.

Docker is available for Linux, Windows, and Mac OS. It allows developers to build images that are essentially preconfigured Linux environments that run some service. Like a virtual machine, these images can run together without interfering with each other. Unlike a virtual machine, Docker containers (the running software) are lightweight because they share the same underlying kernel and hardware of the computer.

The reality is, setting up the Raspberry Pi build environment isn’t any easier. It is just that with Docker, someone else has already done the work for you and you can automatically grab their setup and keep it up to date. If you are already running Linux, your package manager probably makes the process pretty easy too (see [Rud Merriam’s] post on that process). However, the nice thing about the images is that each one is a complete, isolated environment that can move from machine to machine and from platform to platform (the Windows and Mac platforms use a variety of techniques to run the Linux software, but it is done transparently).
