Get The Party Started With A Mesh WiFi Light Show

Wildly blinking LEDs may not be the ideal lighting for the average office environment, but they’ll surely spice up any party. And since a party without music is just a meeting, having both synced up is a great way to set the mood. Sure, you could simply roll out your standard LED strip instead, but that gets a bit boring, and also a bit tricky if you want to light up several places the same way. [Gerrit] might have built the perfect solution though, with his (mu)sic (R)eactive (Li)ghts, or muRLi, which are a set of individual lights that synchronize a programmable pattern over WiFi.

The system consists of muRLi itself as the base station that defines and sends the light pattern through WebSockets, and several muRLi Nodes that house a set of WS2812B LEDs to receive and display it. Both are built around a Wemos D1 Mini configured to set up a WiFi mesh network, and depending on what’s in reach, the nodes connect either to the base station or to other nodes, giving the system plenty of reach for any venue size. The music is picked up by a MAX4466-amplified microphone inside the base station — adding some more flexibility to positioning the system — and analyzed for volume and audio spectrum, which is also shown on an OLED.

The best part however is how the light patterns are programmed. Instead of hard-coding them into the firmware, [Gerrit] went for a modular approach with little ROM cartridges that plug into the muRLi base station. The cartridge itself contains just an I2C EEPROM, storing JavaScript code that is interpreted by the firmware using mJS. The scripts have access to the analyzed audio data and the number of LEDs within the network, and can dynamically generate the patterns as needed that way. Everything is neatly housed in 3D-printed enclosures, with all the design and source files available on the project’s GitHub page — but see for yourself in the video after the break.

If you don’t care about the wireless part but enjoy light synced up with music, have a look at a plain MIDI solution for that. As for [Gerrit], we’re definitely looking forward to seeing his next endeavor one day, since we also enjoyed his last one.


Simulate Your World With Hash.ai

We will admit that we often throw together software simulations of real-world things, but we’ll also admit they are usually quick and dirty and just dump out text that we might graph in a spreadsheet or using GNUPlot. But with Hash.ai, you can generate simulations of just about anything quickly and easily. The simulations will have beautiful visualizations and graphs, too. The tool works with JavaScript or Python and you don’t have to waste your time writing the parts that don’t change.

The web-based tool works on the idea of agents. Each agent has one or more behaviors that run each time step. In the example simulation, which models wildfires in forests, the agent is named forest, although it really models one virtual tree. There’s also a behavior called forest which controls the tree’s rate of growth and chance of burning based on nearby trees and lightning. Other behaviors simulate a burning tree and what happens to a tree after burning — an ember — which may or may not grow back.


Quarantine Clock Focuses On The Essential

In these dire times of self quarantining, social distancing, and life as we know it coming to a halt, time itself can become rather blurry, and even word clocks may seem unnecessarily precise — especially if you happen to have a more peculiar circadian rhythm. And let’s face it, chances are your usual schedule has become somewhat irrelevant by now, so why bother yourself with dates or an exact time anyway? If you can relate to this, then [mwfisher3] has the perfect clock for you, displaying only the day of the week and a rough estimate of how far that day has progressed.

Using a Raspberry Pi and a spare touch screen, [mwfisher3] had an easy start, so the clock itself is just Chrome running in kiosk mode, displaying a local web site with the hours of the day mapped to an array of their textual representation. A few lines of JavaScript then update the web site content with the current day and “time”, and a Python script handles the screen’s backlight based on the readings from a Philips Hue motion sensor, using the phue library.

While this is definitely one of the simpler clock projects we’ve seen, this simplicity actually offers a great introduction to some easy JavaScript-based web displays on a Raspberry Pi without much fuss and distraction. But if that’s not your thing, and you like things more mechanical, we’ve recently covered this day clock that follows the same idea, and then there’s also this light box for an artistic approach to getting a rough estimate of the time.

This Week In Security: OpenWrt, ZOOM, And Systemd

OpenWrt announced a problem in opkg, their super-lightweight package manager. OpenWrt’s target hardware, routers, makes for an interesting security challenge. A Linux install that fits in just 4 MB of flash memory is a minor miracle in itself, and many compromises had to be made. In this case, we’re interested in the lack of SSL: a 4 MB install just can’t include SSL support. As a result, the package manager can’t rely on HTTPS for secure downloads. Instead, opkg first downloads a pair of files: a list of packages, which contains a SHA256 hash of each package, and then a second file containing an Ed25519 signature. When an individual package is installed, the SHA256 hash of the downloaded package can be compared with the hash provided in the list of packages.

It’s a valid approach, but there was a bug, discovered by [Guido Vranken], in how opkg reads the hash values from the package list. A leading space before the hash value triggers some questionable pointer arithmetic, and as a result, opkg believes the SHA256 hash is simply blank. Rather than failing the install, the hash verification is simply skipped. The result? Opkg is vulnerable to a rather simple man-in-the-middle attack.
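To make the failure mode concrete, here is an added Python example (not opkg’s code, and the index layout is a simplified, constructed stand-in for an opkg package list) that contrasts a lenient verifier, which treats an unparsable hash field as “nothing to verify”, with a fail-closed one that tolerates stray whitespace but refuses to install anything whose expected hash is missing or malformed. The single-space offset in `expected_hash_lenient` models the bug class described above, not the actual opkg parsing code.

```python
import hashlib
import hmac
import re

# Constructed sample payloads standing in for downloaded .ipk files.
GOOD_PAYLOAD = b"constructed ipk contents: good package"
SPACED_PAYLOAD = b"constructed ipk contents: package whose index line has an extra space"
GOOD_HASH = hashlib.sha256(GOOD_PAYLOAD).hexdigest()
SPACED_HASH = hashlib.sha256(SPACED_PAYLOAD).hexdigest()

# Constructed package index in a simplified "Packages"-style layout (assumption
# for this example). The second entry has two spaces after "SHA256sum:", the
# third has a truncated hash value.
PACKAGE_INDEX = f"""\
Package: example-good
Filename: example-good_1.0_all.ipk
SHA256sum: {GOOD_HASH}

Package: example-spaced
Filename: example-spaced_1.0_all.ipk
SHA256sum:  {SPACED_HASH}

Package: example-truncated
Filename: example-truncated_1.0_all.ipk
SHA256sum: {GOOD_HASH[:40]}
"""

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def parse_index(text):
    """Split the index into stanzas and return one {field: raw_value} dict each.
    Raw values keep whatever whitespace followed the colon."""
    entries = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key] = value
        entries.append(fields)
    return entries


def expected_hash_lenient(entry):
    """Models the bug class: assume exactly one space after the colon, and if
    what remains is not a clean hash, silently return an empty string."""
    raw = entry.get("SHA256sum", "")
    value = raw[1:] if raw.startswith(" ") else raw
    return value if SHA256_RE.fullmatch(value) else ""


def install_lenient(entry, payload):
    """Lenient installer: an empty expected hash means verification is skipped."""
    expected = expected_hash_lenient(entry)
    if not expected:
        return "installed (unverified)"   # the dangerous path
    actual = hashlib.sha256(payload).hexdigest()
    return "installed" if actual == expected else "rejected"


def expected_hash_strict(entry):
    """Fail closed: tolerate surrounding whitespace and case, but raise if the
    field is absent or is not exactly 64 hex characters."""
    raw = entry.get("SHA256sum")
    if raw is None:
        raise ValueError("index entry has no SHA256sum field")
    value = raw.strip().lower()
    if not SHA256_RE.fullmatch(value):
        raise ValueError(f"malformed SHA256sum value {raw!r}")
    return value


def install_strict(entry, payload):
    """Strict installer: no expected hash, no install; mismatch, no install."""
    try:
        expected = expected_hash_strict(entry)
    except ValueError:
        return "rejected: malformed index entry"
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "rejected: hash mismatch"
    return "installed"


if __name__ == "__main__":
    for entry in parse_index(PACKAGE_INDEX):
        name = entry["Package"].strip()
        print(name, "| lenient:", install_lenient(entry, b"tampered contents"),
              "| strict:", install_strict(entry, b"tampered contents"))
```

Run stand-alone, the script feeds tampered contents to every entry: the lenient installer accepts the two entries whose hash field it could not parse, while the strict one rejects all three. The design point is that “could not read the expected hash” must be an error, never a reason to skip the comparison.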

OpenWrt doesn’t do any automatic installs or automatic updates, so this vulnerability will likely not be widely abused, but it could be used for a targeted attack. An attacker would need to be in a position to MitM the router’s internet connection while software was being installed. Regardless, make sure you’re running the latest OpenWrt release to mitigate this issue. Via Ars Technica.

Wireguard V1.0

With Linux kernel version 5.6 finally released, Wireguard has been christened as a stable release. An interesting aside: Google has enabled Wireguard in their Generic Kernel Image (GKI), which may signal more official support for Wireguard VPNs in Android. I’ve also heard reports that one of the larger Android ROM development communities is looking into better system-level Wireguard support as well.

Javascript in Disguise

Javascript makes the web work — and has been a constant thorn in the side of good security. For just one example, remember Samy, the worm that took over Myspace in ’05. That cross-site scripting (XSS) attack used a series of techniques to embed Javascript code in a user’s profile. Whenever that profile page was viewed, the embedded JS code would run, and then replicate itself on the page of whoever had the misfortune of falling into the trap.

Today we have much better protections against XSS attacks, and something like that could never happen again, right? Here’s the thing, for every mitigation like Content-Security-Policy, there is a guy like [theMiddle] who’s coming up with new ways to break it. In this case, he realized that a less-than-perfect CSP could be defeated by encoding Javascript inside a .png, and decoding it to deliver the payload.

Systemd

Ah, systemd. Nothing seems to bring passionate opinions out of the woodwork like a story about it. In this case, it’s a vulnerability found by [Tavis Ormandy] from Google Project Zero. The bug is a race condition, where a cached data structure can be used after it’s already been freed. It’s interesting because this vulnerability is accessible using DBus, and could potentially be used to get root level access. It was fixed with systemd v220.

Mac Firmware

For those of you running MacOS on Apple hardware, you might want to check your firmware version. Not because there’s a particularly nasty vulnerability in there, but because firmware updates fail silently during OS updates. What’s worse, Apple isn’t publishing release notes, or even acknowledging the most recent firmware version. A crowd-sourced list of the latest firmware versions is available, and you can try to convince your machine to try again, and hope the firmware update works this time.

Anti-Rubber-Ducky

Google recently announced a new security tool, USB Keystroke Injection Protection. I assume the nickname, UKIP, isn’t an intentional reference to British politics. Regardless, this project is intended to help protect against the infamous USB Rubber Ducky attack, by trying to differentiate a real user’s typing cadence, as opposed to a malicious device that types implausibly quickly.
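The cadence heuristic described above, as an added Python example (not UKIP’s code; the 30 ms gap threshold and the eight-keystroke burst length are assumptions chosen for illustration, not the tool’s parameters): keystroke timestamps are reduced to inter-key gaps, and a run of consecutive gaps below the threshold is flagged as a suspected injection. The constructed sample streams include a paced device that stays above the threshold, which shows the limit the article mentions: a cadence check only catches typing that is implausibly fast.

```python
# Constructed keystroke timestamps in milliseconds. None of this is captured
# from a real device; the streams are built to illustrate the heuristic.

def timestamps_from_gaps(gaps_ms, start_ms=0):
    """Turn a list of inter-key gaps into absolute timestamps."""
    stamps = [start_ms]
    for gap in gaps_ms:
        stamps.append(stamps[-1] + gap)
    return stamps


# A human typing a short command: irregular gaps in the 90..260 ms range.
HUMAN_TS = timestamps_from_gaps(
    [180, 120, 95, 240, 160, 110, 205, 130, 260, 90, 175, 145, 210, 115, 190])

# A keystroke-injection device replaying 40 keys at a fixed 5 ms gap.
FAST_DEVICE_TS = timestamps_from_gaps([5] * 40)

# A human burst: a few quick keys (fast rollover) inside normal typing.
HUMAN_BURST_TS = timestamps_from_gaps(
    [150, 20, 25, 18, 140, 200, 22, 19, 160, 130])

# A device deliberately slowed to a 60 ms gap (the evasion the article notes).
PACED_DEVICE_TS = timestamps_from_gaps([60] * 40)


def inter_key_gaps(timestamps_ms):
    """Differences between consecutive keystroke timestamps."""
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def classify_cadence(timestamps_ms, max_gap_ms=30, burst_keys=8):
    """Return 'suspected-injection' if at least `burst_keys` consecutive keystrokes
    all arrive with gaps below `max_gap_ms`, otherwise 'human'. Requiring a run,
    rather than a single fast gap, keeps ordinary key rollover from triggering."""
    run = 1  # number of keystrokes in the current fast run
    for gap in inter_key_gaps(timestamps_ms):
        if gap < max_gap_ms:
            run += 1
            if run >= burst_keys:
                return "suspected-injection"
        else:
            run = 1
    return "human"


def longest_fast_run(timestamps_ms, max_gap_ms=30):
    """Length in keystrokes of the longest run of sub-threshold gaps; useful as
    the number a monitoring rule would log alongside the verdict."""
    best = run = 1
    for gap in inter_key_gaps(timestamps_ms):
        run = run + 1 if gap < max_gap_ms else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    for label, stream in [("human", HUMAN_TS), ("fast device", FAST_DEVICE_TS),
                          ("human burst", HUMAN_BURST_TS), ("paced device", PACED_DEVICE_TS)]:
        print(f"{label:12s} longest fast run={longest_fast_run(stream):2d} -> {classify_cadence(stream)}")
```

The paced-device stream classifies as human, which is exactly the weakness the next paragraph describes: a threshold on typing speed has no answer to an injector that simply waits between keys, so this kind of check is a mitigation against the naive attack rather than a complete defense.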

While the project is interesting, there are already examples of how to defeat it that amount to simply running the scripts with slight pauses between keystrokes. Time will tell if UKIP turns into a useful mitigation tool. (Get it?)

SMBGhost

Remember SMBGhost, the new wormable SMB flaw? Well, there is already a detailed explanation and PoC. This particular PoC is a local-only privilege escalation, but a remote code execution attack is likely inevitable, so go make sure you’re patched!

What Does GitHub’s Npm Acquisition Mean For Developers?

Microsoft’s open-source shopping spree has claimed another victim: npm. [Nat Friedman], CEO of GitHub (owned by Microsoft), announced the move recently on the GitHub blog.

So what motivated the acquisition, and what changes are we likely to see as a result of it? There are some obvious upsides and integrations, but these will be accompanied by the usual dose of skepticism from the open-source community. The company history and working culture of npm has also had its moments in the news, which may well have contributed to the current situation. This post aims to explore some of the rationale behind the acquisition, and what it’s likely to mean for developers in the future.


RasterCarve Converts Images To CNC

CNC machines are an essential part of the hacker’s toolset. These computer-controlled cutters of wood, metal and other materials can translate a design into a prototype in short order, making the process of iterating a project much easier. However, the software to create these designs can be expensive, so [Franklin Wei] decided to write his own. In particular, he decided to write his own program to engrave images, converting a photo into a toolpath that can be cut. The result is RasterCarve, a web app that converts an image into G-code that can be fed into a CNC machine.


New Part Day: Arduino Goes Pro With The Portenta H7

The Consumer Electronics Show in Las Vegas is traditionally where the big names in tech show off their upcoming products, and the 2020 show was no different. There were new smartphones, TVs, and home automation devices from all the usual suspects. Even a few electric vehicles snuck in there. But mixed in among flashy presentations from the electronics giants was a considerably more restrained announcement from a company near and dear to the readers of Hackaday: Arduino is going pro.

While Arduino has been focused on the DIY and educational market since their inception, the newly unveiled Portenta H7 is designed for professional users who want to rapidly develop robust hardware suitable for industrial applications. With built-in wireless hardware and the ability to run Python and JavaScript out of the box, the powerful dual-core board comes with a similarly professional price tag; currently for preorder at $99 USD a pop, the Portenta is priced well outside of the company’s traditional DIY and educational markets. With increased competition from other low-cost microcontrollers, it seems that Arduino is looking to expand out of its comfort zone and find new revenue streams.
