Git is a handy tool that many of us are using for more than just software development. Having a cloud-based upstream repository is also surprisingly useful, but until now using GitHub — the most common upstream server — meant firing up a web browser, at least for certain tasks. Now GitHub is releasing a beta version of command-line tools made to manipulate your GitHub repos.
The tools are early release so they mostly focus on issues and pull requests. Of course, git itself will do the normal things like clone and checkout — you’ve always been able to do that on the command line. The example given in the announcement blog post lists all issues with a help wanted label:
gh issue list --label "help wanted"
We noticed that asking to view the issue, while done on the command line, will still open a browser. The tools are still a little early, so this is an excellent time to let the developers know what you’d like or otherwise influence the project.
We were a little surprised it wouldn’t just consume git, so that you’d use the same commands for everything and it would just pass pre-formed commands to git. Of course, that would be pretty easy to write as a shell script wrapper if you were interested in such a thing.
Now that November of 2019 has passed, it’s a shame that some of the predictions made in Blade Runner for this future haven’t yet come true. Oh sure, 109 million people living in Los Angeles would be fun and all, but until we get our flying cars, we’ll just have to console ourselves with the ability to “Enhance!” photographs. While the new service, AI Image Enlarger, can’t tease out three-dimensional information, the app is intended to sharpen enlargements of low-resolution images, improving the focus and bringing up details in the darker parts of the image. The marketing material claims that the app uses machine learning, and is looking for volunteers to upload high-resolution images to improve its training set.
We’ve been on a bit of a nano-satellite bender around here lately, with last week’s Hack Chat discussing simulators for CubeSats, and next week’s focusing on open-source thrusters for PocketQube satellites. So we appreciated the timing of a video announcing the launch of the first public LoRa relay satellite. The PocketCube-format satellite, dubbed FossaSat-1, went for a ride to space along with six other small payloads on a Rocket Lab Electron rocket launched from New Zealand. Andreas Spiess has a short video preview of the FossaSat-1 mission, which was designed to test the capabilities of a space-based IoT link that almost anyone can access with cheap and readily available parts; a ground station should only cost a couple of bucks, but you will need an amateur radio license to uplink.
We know GitHub has become the de facto standard for source control and has morphed into a collaboration and project management platform used by everybody who’s anybody in the hacking community. But have you ever wished for a collaboration platform that was a little more in tune with the needs of hardware designers? Then InventHub might be of interest to you. Currently in a limited beta – we tried to sign up for the early access program but seem to have been put on a waiting list – it seems like this will be a platform that brings versioning directly to the ECAD package of your choice. Through plugins to KiCad, Eagle, and all the major ECAD players you’ll be able to collaborate with other designers and see their changes marked up on the schematic — sort of a visual diff. It seems interesting, and we’ll be keeping an eye on developments.
Amazon is now offering a stripped-down version of their Echo smart speaker called Input, which teams up with speakers that you already own to satisfy all your privacy invasion needs on the super cheap — only $10. At that price, it’s hard to resist buying one just to pop it open, which is what Brian Dorey did with his. The teardown is pretty standard, and the innards are pretty much what you’d expect from a modern piece of surveillance apparatus, but the neat trick here involved the flash memory chip on the main board. Brian accidentally overheated it while trying to free up the metal shield over it, and the BGA chip came loose. So naturally, he looked up the pinout and soldered it to a micro-SD card adapter with fine magnet wire. He was able to slip it into a USB SD card reader and see the whole file system for the Input. It was a nice hack, and a good teardown.
GitHub is an incredibly powerful tool for sharing source code, and its value to the modern hacker can’t be overstated. But there’s at least one downside to effortlessly sharing your source: it’s now much easier for the whole world to find out when you screw up. Back in the day, if you accidentally left a username or password in a tarball hosted on your site, you could pull it down before anyone noticed. But push something like that up to GitHub, and you’ve got a problem on your hands.
For an example, look no farther than this tool that crawls GitHub for Slack webhooks written by [Michele Gruppioni]. Exploiting the fact that Slack webhook links have a predictable format, the tool searches repositories to find code that erroneously includes the authentication token. With the token in hand, an attacker now has the ability to send unsolicited messages into that channel.
But [Michele] restrained himself and didn’t Rickroll the over 6,500 Slack channels he had access to after searching GitHub with his tool. Instead, he sent them all a friendly message explaining their webhook tokens were available on GitHub, and gave them a link to where they could get more information about his project.
Most of the people who contacted him after the fact appreciated that he sent a gentle warning and not something unsavory. Still, we’d recommend caution to anyone looking to expose a vulnerability in this manner. While [Michele] had honorable intentions, it’s certainly not unheard of for an embarrassed administrator to blame the messenger.
When used properly, webhooks can be a very handy way of pushing data into your chat platform of choice. We’ve previously looked at a practical example of a weather station that pushes current conditions into a Discord channel. Just try not to accidentally commit your authentication token to the world’s largest database of open source projects, or you might receive more than you bargained for.
[W8BH] attended a talk by another ham, [W8TEE] that showed a microcontroller sending and receiving Morse code. He decided to build his own, and documented his results in an 8 part tutorial. He’s using the Blue Pill board and the resulting device sends code with paddles, sends canned text, provides an LCD with a rotary knob menu interface, and even has an SD card for data storage.
All the code is on GitHub. If you are interested in Morse code or in learning how to write a pretty substantial application using the Blue Pill and the Arduino IDE (or any other similar processor), this is a great exposition that is also a practical tool.
Humans seem to have a need to do things that aren’t practical. Make the biggest ball of twine. Engrave the Declaration of Independence on a grain of rice. We want to make things bigger, smaller, faster, or whatever. That might explain why [nanochess] put out bootBASIC.
The 8088 (or later) assembly code gives you a very restricted BASIC interpreter that you can boot up. That means it has to fit in the 512-byte boot block that the hardware loads to get an operating system running. How restricted? Keep in mind it fits in 512 bytes. Each line can only have 19 characters or less. Backspace works, but doesn’t update the screen. Line numbers range from 1 to 999 and there are only 26 integer variables named a through z that hold 16 bits. All statements are in lower case.
PythonAnywhere gives you access to a python shell over a web browser, and also lets you run a web app that can be accessed via a custom sub-domain. Even though it does not have direct integration with GitHub, you can drop to the bash shell to and get access to a git client.
For this hack, [Aadi Bajpai] utilizes the webhooks from GitHub that are triggered when a push event is detected. A flask server running on PythonAnywhere is written such that once triggered by the get POST request, it locally executes a git pull from the repository. There a bit more work that allows adding a bit of security sauce to the recipe but it is a pretty elegant solution and can be used for other cases as well.
Setting up alert notifications has been demonstrated to be an interesting task, though integrating Discord or Slack for notifications adds a little more bragging rights.
By pretty much any metric you care to use, the last couple of decades has been very good for the open source movement. There was plenty of pushback in the early days, back when the only people passionate about the idea were the Graybeards in the IT department. But as time went on, more and more developers and eventually companies saw the benefit of sharing what they were working on. Today, open source is effectively the law of the land in many fields, and you don’t have to look far to find the community openly denouncing groups who are keeping their source under lock and key.
In the last few years, we’ve even seen the idea gain traction in the hardware field. While it’s not nearly as prevalent as opening up the software side of things, today it’s not uncommon to see hardware schematics and PCB design files included in project documentation. So not only can you download an open source operating system, web browser, and office suite, but you can also pull down all the information you need to build everything from a handheld game system to an autonomous submarine.
With so many projects pulling back the curtain, it’s not unreasonable to wonder where the limits are. There’s understandably some concerns about the emerging field of biohacking, and anyone with a decent 3D printer can download the files necessary to produce a rudimentary firearm. Now that the open source genie is out of the bottle, it seems there’s precious little that you can’t download from your favorite repository.
Scratching an exceptionally surprising entry off that list is Transatomic, who late last year uploaded the design for their TAP-520 nuclear reactor to GitHub. That’s right, now anyone with git, some uranium, and a few billion dollars of seed money can have their very own Molten Salt Reactor (MSR). Well, that was the idea at least.
So six months after Transatomic dumped a little under 100 MB worth of reactor documentation on GitHub, is the world any closer to forkable nuclear power? Let’s find out.