Using Google Calendar For Machines To Keep Track Of Human Days

October 25, 2022 by Danie Conradie 10 Comments

Daily triggers for automation are simple in theory, unless it needs to keep track of the calendar that humans actually live by. Seasonal changes, shifting public holidays, or just being on vacation are all exceptions you may need to account for. [Jeremy Rode] likes using Google Calendar to stay on top of events, so he created CalendarScraper, a simple script to make his machines use it too.

Jeremy needed a timer for his spa heater that would reduce costs by only switching it on when his local time-of-use-based electricity rates were favorable. The rates varied based on the time of day, day of the week, and even seasons and public holidays. Instead of trying to set up everything manually in a cron job, he created a short and easy-to-modify JavaScript script to keep track of events on a Google Calendar.

We’ve seen some other projects that pull data from Google Calendar, including a recycling day reminder, and even a physical desktop calendar.

This Week In Security: 11,000 Gas Stations, TrustZone Hacks Kernel, And Unexpected Fuzzing Finds

September 16, 2022 by Jonathan Bennett 6 Comments

Automated Tank Gauges (ATGs) are nifty bits of tech, sitting unseen in just about every gas station. They keep track of fuel levels, temperature, and other bits of information, and sometimes get tied into the automated systems at the station. The problem, is that a bunch of these devices are listening to port 10001 on the Internet, and some of them appear to be misconfigured. How many? Let’s start with the easier question, how many IPs have port 10001 open? Masscan is one of the best tools for this, and [RoseSecurity] found over 85,000 listening devices. An open port is just the start. How many of those respond to connections with the string In-Tank Inventory Reports? Shodan reports 11,113 IPs as of August of this year. [RoseSecurity] wrote a simple Python script that checked each of those listening IPs came up with a matching number of devices. The scary bit is that this check was done by sending a Get In-Tank Inventory Report command, and checking for a good response. It seems like that’s 11K systems, connected to the internet, with no authentication. What could possibly go wrong? Continue reading “This Week In Security: 11,000 Gas Stations, TrustZone Hacks Kernel, And Unexpected Fuzzing Finds” →

A New Javascript Runtime Fresh Out Of The Oven

July 8, 2022 by Matthew Carlson 15 Comments

A sizable portion of the Hackaday audience groans and runs their eyes when some new-fangled Javascript thing comes out. So what makes Bun different? Bun is a runtime (like Node or Deno)t that offers a performant all-in-one approach. Much to the Spice Girl’s delight, it is written in Zig. It offers bundling, transpiling, module resolution, and a fantastic foreign-function interface.

Node.js and Deno run on the V8 Javascript engine and provide the Node-API to access different features, such as filesystems, that don’t apply to web browsers. However, vast amounts of tooling have built up around Node.js and NPM (node package manager). Many Javascript projects have a bundling and transpiling step that takes the source and packages it together in a more standard format. Typescript needs to be packaged into javascript, and modules need to be resolved. Continue reading “A New Javascript Runtime Fresh Out Of The Oven” →

Javascript Is Everywhere. Even MSDOS

April 15, 2022 by Al Williams 34 Comments

Although pundits have joked that Java’s “write once, run everywhere” slogan might be better expressed as “write once, debug everywhere,” a relative of Java — JavaScript — has delivered on both promises better than its namesake. Thanks to its proliferation in browsers, JavaScript is a veritable lingua franca of computer languages which has led to entire applications being written in it using tools like Node.js and Electron, and not just browsers. But what if you are still using MSDOS or Windows 98? We know some of you do, at least on retro machines. Don’t feel left out, the DOjS project has jSH, a JavaScript engine for DOS and related operating systems.

Continue reading “Javascript Is Everywhere. Even MSDOS” →

Online Tool Turns STLs Into 3D ASCII Art

January 22, 2022 by Dan Maloney 8 Comments

If you look hard enough, most of the projects we feature on these pages have some practical value. They may seem frivolous, but there’s usually something that compelled the hacker to commit time and effort to its doing. That doesn’t mean we don’t get our share of just-for-funsies projects, of course, which certainly describes this online 3D ASCII art generator.

But wait — maybe that’s not quite right. After all, [Andrew Sink] put a lot of time into the code for this, and for its predecessor, his automatic 3D low-poly generator. That project led to the current work, which like before takes an STL model as input, this time turning it into an ASCII art render. The character set used for shading the model is customizable; with the default set, the shading is surprisingly good, though. You can also swap to a black-on-white theme if you like, navigate around the model with the mouse, and even export the ASCII art as either a PNG or as a raw text file, no doubt suitable to send to your tractor-feed printer.

[Andrew]’s code, which is all up on GitHub, makes liberal use of the three.js library, so maybe stretching his 3D JavaScript skills is really the hidden practical aspect of this one. Not that it needs one — we think it’s cool just for the gee-whiz factor.

Continue reading “Online Tool Turns STLs Into 3D ASCII Art” →

Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

October 22, 2021 by Ryan Flowers 26 Comments

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), who organize a collection of contributed libraries written in JavaScript. One only need to use npm to include a library in their code, and all of the functions of that code are available to the developer. One such example is ua-parser-js which is a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22 2021, the developer of ua-parser-js found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new versions of the package that are clean. If you have any software that uses this library, make sure you’ve got the latest version!

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

Hackers And China

October 9, 2021 by Elliot Williams 26 Comments

The open source world and Chinese manufacturing have a long relationship. Some fifteen years ago, the big topic was how companies could open-source their hardware designs and not get driven bankrupt by competition from overseas. Companies like Sparkfun, Adafruit, Arduino, Maple Labs, Pololu, and many more demonstrated that this wasn’t impossible after all.

Maybe ten years ago, Chinese firms started picking up interesting hacker projects and producing them. This gave us hits like the AVR transistor tester and the NanoVNA. In the last few years, we’ve seen open-source hardware and software projects that have deliberately targeted Chinese manufacturers, and won. We do the design and coding, they do the manufacturing, sales, and distribution.

But this is something else: the Bangle.js watch takes an essentially mediocre Chinese smartwatch and reflashes the firmware, and sells them as open-source smartwatches to the general public. These pre-hacked watches are being sold on Kickstarter, and although the works stands on the shoulders of previous hacker’s reverse engineering work on the non-open watch hardware, it’s being sold by the prime mover behind the Espruino JavaScript-on-embedded language, which it runs on.

We have a cheap commodity smartwatch, being sold with frankly mediocre firmware, taken over by hackers, re-flashed, re-branded, and sold by the hackers on Kickstarter. As a result of it being (forcibly) opened, there’s a decently sized app store of contributed open-source applications that’ll run on the platform, making it significantly more useful and hacker friendly than it was before.

Will this boost sales? Will China notice the hackers’ work? Will this, and similar projects, end up in yet another new hacker/China relationship? We’re watching.