javascript

131 Articles

A New Javascript Runtime Fresh Out Of The Oven

July 8, 2022 by 15 Comments

A sizable portion of the Hackaday audience groans and runs their eyes when some new-fangled Javascript thing comes out. So what makes Bun different? Bun is a runtime (like Node or Deno)t that offers a performant all-in-one approach. Much to the Spice Girl’s delight, it is written in Zig. It offers bundling, transpiling, module resolution, and a fantastic foreign-function interface.

Node.js and Deno run on the V8 Javascript engine and provide the Node-API to access different features, such as filesystems, that don’t apply to web browsers. However, vast amounts of tooling have built up around Node.js and NPM (node package manager). Many Javascript projects have a bundling and transpiling step that takes the source and packages it together in a more standard format. Typescript needs to be packaged into javascript, and modules need to be resolved. Continue reading “A New Javascript Runtime Fresh Out Of The Oven”

Javascript Is Everywhere. Even MSDOS

April 15, 2022 by 35 Comments

Although pundits have joked that Java’s “write once, run everywhere” slogan might be better expressed as “write once, debug everywhere,” a relative of Java — JavaScript — has delivered on both promises better than its namesake. Thanks to its proliferation in browsers, JavaScript is a veritable lingua franca of computer languages which has led to entire applications being written in it using tools like Node.js and Electron, and not just browsers. But what if you are still using MSDOS or Windows 98? We know some of you do, at least on retro machines. Don’t feel left out, the DOjS project has jSH, a JavaScript engine for DOS and related operating systems.

Continue reading “Javascript Is Everywhere. Even MSDOS”

3D ASCII art

Online Tool Turns STLs Into 3D ASCII Art

January 22, 2022 by 8 Comments

If you look hard enough, most of the projects we feature on these pages have some practical value. They may seem frivolous, but there’s usually something that compelled the hacker to commit time and effort to its doing. That doesn’t mean we don’t get our share of just-for-funsies projects, of course, which certainly describes this online 3D ASCII art generator.

But wait — maybe that’s not quite right. After all, [Andrew Sink] put a lot of time into the code for this, and for its predecessor, his automatic 3D low-poly generator. That project led to the current work, which like before takes an STL model as input, this time turning it into an ASCII art render. The character set used for shading the model is customizable; with the default set, the shading is surprisingly good, though. You can also swap to a black-on-white theme if you like, navigate around the model with the mouse, and even export the ASCII art as either a PNG or as a raw text file, no doubt suitable to send to your tractor-feed printer.

[Andrew]’s code, which is all up on GitHub, makes liberal use of the three.js library, so maybe stretching his 3D JavaScript skills is really the hidden practical aspect of this one. Not that it needs one — we think it’s cool just for the gee-whiz factor.

Continue reading “Online Tool Turns STLs Into 3D ASCII Art”

ua-parser-js compromised

Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

October 22, 2021 by 26 Comments

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), who organize a collection of contributed libraries written in JavaScript. One only need to use npm to include a library in their code, and all of the functions of that code are available to the developer. One such example is ua-parser-js which is a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22 2021, the developer of ua-parser-js found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new versions of the package that are clean. If you have any software that uses this library, make sure you’ve got the latest version!

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

Hackers And China

October 9, 2021 by 26 Comments

The open source world and Chinese manufacturing have a long relationship. Some fifteen years ago, the big topic was how companies could open-source their hardware designs and not get driven bankrupt by competition from overseas. Companies like Sparkfun, Adafruit, Arduino, Maple Labs, Pololu, and many more demonstrated that this wasn’t impossible after all.

Maybe ten years ago, Chinese firms started picking up interesting hacker projects and producing them. This gave us hits like the AVR transistor tester and the NanoVNA. In the last few years, we’ve seen open-source hardware and software projects that have deliberately targeted Chinese manufacturers, and won. We do the design and coding, they do the manufacturing, sales, and distribution.

But this is something else: the Bangle.js watch takes an essentially mediocre Chinese smartwatch and reflashes the firmware, and sells them as open-source smartwatches to the general public. These pre-hacked watches are being sold on Kickstarter, and although the works stands on the shoulders of previous hacker’s reverse engineering work on the non-open watch hardware, it’s being sold by the prime mover behind the Espruino JavaScript-on-embedded language, which it runs on.

We have a cheap commodity smartwatch, being sold with frankly mediocre firmware, taken over by hackers, re-flashed, re-branded, and sold by the hackers on Kickstarter. As a result of it being (forcibly) opened, there’s a decently sized app store of contributed open-source applications that’ll run on the platform, making it significantly more useful and hacker friendly than it was before.

Will this boost sales? Will China notice the hackers’ work? Will this, and similar projects, end up in yet another new hacker/China relationship? We’re watching.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
flow IO module options

Get Your Flex On With The FlowIO Platform

August 20, 2021 by 7 Comments

Hackaday Prize 2021 entry FlowIO Platform promises to be to pneumatics what Arduino is to Electronics. The modular platform comprises a common controller/valve block, a selection of differently sized pumps, and a few optional connectivity and sensing blocks. With Arduino software support as well as as Javascript and web-GUI, there’s a way to program this no matter what the level of experience the user has.

flowIO exploded view
flowIO exploded view from http://www.softrobotics.io/flowio

This last point is a critical one for the mission [Ali Shtarbanov] from the MIT Media Lab is setting out for this project. He reminds us that in decades gone by, there was a significant barrier to entry for anyone building electronics prototypes. Information about how to get started was also much harder to by before the internet really got into gear.

It’s a similar story for software, with tools like Scratch and Python lowering the barrier to entry and allowing more people to get their toes wet and build some confidence.

But despite some earlier work by projects like the Soft Robotics Toolkit and Programmable-Air, making a start on lowering the bar for pneumatics support for soft robotics, and related applications, the project author still finds areas for further improvement. FlowIO was designed from the ground-up to be wearable. It appears to be much smaller, more portable and supports more air ports and a greater array of sensing and connectivity than previous Open Source work to date.

Creative Commons Hardware

Whilst you can take all the plans (free account signup required) and build yourself a FlowIO rig of your very own, the project author offers another solution. Following on from the Wikipedia model of free sharing and distribution of information, FlowIO offers its hardware for free, for the common good. Supported by donations to the project, more hardware is produced and distributed to those who need it. The only ask is that redundant kits are passed on or returned to base for upgrade, rather than landfill.

Continue reading “Get Your Flex On With The FlowIO Platform”

Hiding Links In Plain Sight With Bookmark Knocking

August 10, 2021 by 21 Comments

Have you ever been looking for a screwdriver, USB stick, or your keys, only to find them right where you left them in plain sight? We have. As many prolific geocachers know, hiding things out in the open is a great way to make sure that people overlook them. 

[Jacob Strieb] has been researching various ways to password protect and hide browser bookmarks in plain sight. He calls his latest technique “Bookmark Knocking” and he’s made a demonstration available on his Github account.

Why hide bookmarks to begin with? A browser’s bookmark collection can give away the habits, interests, and needs of the person who put them there. Bookmarks to gifts, domestic abuse support websites, and other private destinations might be best kept away from prying eyes.

Inspired by port knocking — opening connections to specific network ports in sequence to gain access through a firewall — bookmark knocking requires clicking bookmarks in a specific order to open a link. When the bookmarks are accessed in the proper order, the third bookmark reveals a hidden site. It’s not only a novel approach to hiding things in plain sight, it’s very cool to use! 

We especially appreciate [Jacob]’s motivation: Helping those who are vulnerable to protect themselves in any way possible. It’s a solid reminder that technology can be elevated to a higher stature when put to a noble use. Be sure to check out the demonstration so you can try it for yourself!

If camouflaging data flips your bits, you may want to look at a neat way to embed data right into bash scripts, or conceal a WiFi enabled microcontroller in a USB cable. Do you have your own favorite “hidden in plain sight” hack? Be sure to let us know through the Tip Line.