Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

October 22, 2021 by Ryan Flowers 26 Comments

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), who organize a collection of contributed libraries written in JavaScript. One only need to use npm to include a library in their code, and all of the functions of that code are available to the developer. One such example is ua-parser-js which is a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22 2021, the developer of ua-parser-js found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new versions of the package that are clean. If you have any software that uses this library, make sure you’ve got the latest version!

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

Python Provides Classic Basic

October 8, 2021 by Al Williams 22 Comments

Back in the late 1970s and early 1980s when you turned on a PC, more often than not, you’d get a Basic prompt. Most people would then load a game from a tape, but if you were inclined to program you could just start writing. [Richpl] wanted that same experience and thus PyBasic was born. Along with some other Github contributors, the system has grown quite a bit and would be a good start at porting classic games or creating a replica vintage computer.

The interpreter lacks specialized hardware-specific features such as sound and graphics, of course, but then again, you could add them. It does have file I/O and also includes some interesting features like an analog of C’s ternary operator.

Continue reading “Python Provides Classic Basic” →

GitHub Copilot And The Unfulfilled Promises Of An Artificial Intelligence Future

August 2, 2021 by Maya Posch 36 Comments

In late June of 2021, GitHub launched a ‘technical preview’ of what they termed GitHub Copilot, described as an ‘AI pair programmer which helps you write better code’. Quite predictably, responses to this announcement varied from glee at the glorious arrival of our code-generating AI overlords, to dismay and predictions of doom and gloom as before long companies would be firing software developers en-masse.

As is usually the case with such controversial topics, neither of these extremes are even remotely close to the truth. In fact, the OpenAI Codex machine learning model which underlies GitHub’s Copilot is derived from OpenAI’s GPT-3 natural language model, and features many of the same stumbles and gaffes which GTP-3 has. So if Codex and with it Copilot isn’t everything it’s cracked up to be, what is the big deal, and why show it at all?

Continue reading “GitHub Copilot And The Unfulfilled Promises Of An Artificial Intelligence Future” →

NFC Who’s At The Door

July 13, 2021 by Michael Shaub 8 Comments

RevK_NFC_v1-Prototype-Photo — An early prototype that worked on the first try, except for one LED

[RevK] wanted to learn about NFC readers, and we agree that the best way to do so is to dive in and build one yourself.

There are readers available from multiple sources, but [RevK] found them either compact but with no prototyping space or plenty of prototyping space and a large footprint. High-speed UART (HSU) was selected over I2C for communication with an ESP32 as testing showed it was just as fast and more reliable over long distances at the cost of only one additional wire.

After a few versions, the resulting PN532 based NFC reader has just enough GPIO for a doorbell and tamper switch and three status LEDs, with board files and a 3D-printed case design included in the open source project on GitHub. When looking into the project, we appreciated learning about tamper switches that can include closed or open contact status when an NFC is read, most often used in the packaging of high-value and collectible products. If you have worked with this tamper feature of NFCs, let us know about it.

Thanks for the tip, [Simon]

Surf’s Up, A Styrofoam Ball Rides The Waves To Create A Volumetric Display

March 19, 2021 by Michael Shaub 22 Comments

We are big fans of POV displays, particularly ones that move into 3D. To do so, they need to move even faster than their 2D cousins. [danfoisy] built a volumetric display that doesn’t move LEDs or any other digital display through space, or project light onto a moving surface. All that moves here is a bead of styrofoam and does so at up to 1 meter per second. Having low mass certainly helps when trying to hit the brakes, but we’re getting ahead of ourselves.

[danfoisy] and son built an acoustic levitator kit from [PhysicsGirl] which inspired the youngster’s science fair project on sound. See the video by [PhysicsGirl] for an explanation of levitation in a standing wave. [danfoisy] happened upon a paper in the Journal Nature about a volumetric display that expanded this one-dimensional standing wave into three dimensions. The paper described using a phased array of ultrasonic transducers, each with a 40 kHz waveform.

After reading the paper and determining how to recreate the experiment, [danfoisy] built a 2D simulation and then another in 3D to validate the approach. We are impressed with the level of physics and programming on display, and that the same code carried through to the build.

[danfoisy] didn’t stop with the simulations, designing and building control boards for each ~~100 x 100~~ 10 x 10 grid of transducers. Each grid is driven by 2 Intel Cyclone FPGAs and all are fed 3D shapes by a Raspberry Pi Zero W. The volume of the display is 100 mm x 100 mm x 145mm and the positioning of the foam ball is accurate down to .01 mm though currently there is considerable distortion in the positioning.

Check out the video after the break to see the process of simulating, designing, and testing the display. There are a number of tips along the way, including how to test for the polarity of the transducers and the use of a Python script to place the grids of transducers and drivers in KiCad.

Continue reading “Surf’s Up, A Styrofoam Ball Rides The Waves To Create A Volumetric Display” →

Hackaday Links: December 13, 2020

December 13, 2020 by Dan Maloney 16 Comments

Our Sun is getting a bit frisky these days, and has rewarded us with perhaps the best screensaver image ever taken. The incredibly detailed photo of a sunspot was actually taken back in January by the Daniel K. Inouye Solar Telescope, a 4-meter instrument with adaptive optics that can image the sun from the near-infrared to visible wavelengths and resolve surface details down to 20 km. The photo, with a distinct “Eye of Sauron” look, shows the massive convection cells surrounding the dark sunspot; an accompanying animation shows the movement of plasmas along the tortured lines of magnetic flux that cause the sunspot to form. It’s fascinating to watch, and even more interesting to mull over the technology that went into capturing it.

With the dustup surrounding the youtube-dl DCMA takedown by GitHub fresh on the open-source community’s minds, GitHub Universe 2020 had an interesting discussion about maintaining open-source software projects that’s worth watching. They focused on the challenges that youtube-dl maintainers face in keeping the tool working, and the impact their effort has on the people and groups that rely on them. To underscore that point, they featured a researcher with Human Rights Watch who depends on youtube-dl in her work, and made it quite clear that keeping up with all the API changes that constantly break open source tools like youtube-dl make the role of the maintainers that much more critical.

Speaking of GitHub, here’s a frightening and fascinating new tool: Depix, the password de-pixelizer. Developer Sipke Mellema noticed that his company often used pixelization to obscure passwords in documentation, and wondered if he could undo the process. He wrote up an article describing the pixelization process using a linear box filter and his method for attacking it, which involves generating a De Bruijn sequence in the same font, text size, and colors as the original document and feeding a screenshot of that and the pixellated password into the tool. We suspect it’ll only work for a subset of obfuscated passwords, but it’s still pretty clever.

‘Tis the season for Advent calendars, and the folks at QEMU have posted theirs. Open each of 24 doors on the calendar and you’re rewarded with a downloadable QEMU disk image that implements something fun. Minesweeper, a ray tracer that fits into a boot loader, and of course Conway’s Game of Life. The GW-BASIC image on Day 3 caught our eye — brings back some memories.

For anyone who has ever watched a Pixar film and wondered how all that animation actually works, here’s a great lesson in making art with math. The video is by Inigo Quilez and goes through the basics of rendering images using raymarching SDFs, or signed distance functions. In the beginning, it seemed like it was going to be a little bit like drawing an owl, but his descriptions of the math involved and how each element of the animation is just another formula is fascinating. What’s more, there’s a real-time rendering tool where you can inspect the code and edit it. Alas, my changes only made things worse, but it was still fun and instructive to play with. Check out the video after the break!

Continue reading “Hackaday Links: December 13, 2020” →

Turning GitHub Into A URL Shortening Service

November 18, 2020 by Sven Gregori 11 Comments

URL shortening services like TinyURL or Bitly have long become an essential part of the modern web, and are popular enough that even Google killed off their own already. Creating your own shortener is also a fun exercise, and in its core doesn’t require much more than a nifty domain name, some form of database to map the URLs, and a bit of web technology to glue it all together. [Nelsontky] figured you don’t even have to build most of it yourself, but you could just (ab)use GitHub for it.

Using GitHub Pages to host the URL shortening website itself, [nelsontky] actually repurposes GitHub’s issue tracking system to map the shortened identifier to the original URL. Each redirection is simply a new issue, with the issue number serving as the shortening identifier, and the issue’s title text storing the original URL. To map the request, a bit of JavaScript extracts the issue number from the request, looks it up via GitHub API, and if a valid one was found (and API rate limits weren’t exceeded), redirects the caller accordingly. What’s especially clever about this is that GitHub Pages usually just serves static files stored in a repository, so the entire redirection logic is actually placed in the 404 error handling page, allowing requests to any arbitrary paths.

While this may not be as neat as placing your entire website content straight into the URL itself, it could be nicely combined with this rotary phone to simply dial the issue number and access your bookmarks — perfect in case you always wanted your own website phone book. And if you don’t like the thought of interacting with the GitHub UI every time you want to add a new URL, give the command line tools a try.