Let’s Talk Intel, Meltdown, and Spectre

This week we’ve seen a tsunami of news stories about a vulnerability in Intel processors. We’re certain that by now you’ve heard of (and are maybe tired of hearing about) Meltdown and Spectre. However, as a Hackaday reader, you are likely the person who others turn to when they need to get the gist of news like this. Since this has bubbled up in watered-down versions to the highest levels of mass media, let’s take a look at what Meltdown and Spectre are, and also see what’s happening in the other two rings of this three-ring circus.

Meltdown and Spectre in a Nutshell

These two attacks are similar. Meltdown is specific to Intel processors, and the kernel fixes (basically workarounds implemented by operating systems) will result in a 5%-30% speed penalty depending on how the CPU is being used. Spectre is not limited to Intel; it also affects AMD and ARM processors, and its kernel fixes are not expected to come with a speed penalty.

Friend of Hackaday and security researcher extraordinaire Joe Fitz has written a superb layman’s explanation of these types of attacks. His use of the term “layman” may be a little more high level than normal — this is something you need to read.

The attack exploits something called branch prediction. To boost speed, these processors keep a cache of past branch behavior in memory and use that to predict future branching operations. Branch predictors load data into memory before checking to see if you have permissions to access that data. Obviously you don’t, so that memory will not be made available for you to read. The exploit uses a clever guessing game to look at other files also returned by the predictor to which you do have access. If you’re clever enough, you can reconstruct the restricted data by iterating on this trick many many times.

For the most comprehensive info, you can read the PDF whitepapers on Meltdown and Spectre.

Update: Check Alan Hightower’s explanation of the Meltdown exploit left as a comment below. Quite good for helping deliver better understanding of how this works.

Frustration from Kernel Developers

These vulnerabilities are in silicon — they can’t be easily fixed with a microcode update, which is how CPU manufacturers usually work around silicon errata (although this appears to be an architectural flaw and not errata per se). An Intel “fix” would amount to a product recall. They’ve already said they won’t be doing a recall, but how would that work anyway? What’s the lead time on spinning up the fabs to replace all the Intel chips in use — yikes!

So the fixes fall on the operating systems at the kernel level. Intel should be (and probably is behind the scenes) bowing down to the kernel developers who are saving their bacon. It is understandably frustrating to have to spend time and resources patching these vulnerabilities, which displaces planned feature updates and improvements. Linus Torvalds has been throwing shade at Intel — anecdotal evidence of this frustration:

“I think somebody inside of Intel needs to really take a long hard look at their CPU’s, and actually admit that they have issues instead of writing PR blurbs that say that everything works as designed.”

That’s the tamest part of his message posted on the Linux Kernel Mailing List.
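Whether a running Linux kernel has these workarounds applied can be read from sysfs. The script below is an added example, not part of the original article; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the status files built by `make_sample_dir` are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the article): summarise kernel mitigation status
# for Meltdown and Spectre from Linux sysfs.
# Assumption: the kernel exposes /sys/devices/system/cpu/vulnerabilities.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map the first line of a status file to a coarse class.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # empty or unrecognised text
    esac
}

# Print "name<TAB>class<TAB>raw text" for the meltdown and spectre_* entries.
# Returns 0 if every entry is mitigated or not affected, 1 if any entry is
# vulnerable or unknown, 2 if the directory or its entries are missing
# (for example a kernel too old to report mitigation status).
audit_dir() {
    local dir="${1:-$VULN_DIR_DEFAULT}" rc=0 seen=0 f name raw class
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for f in "$dir"/meltdown "$dir"/spectre_*; do
        [ -r "$f" ] || continue          # also skips an unmatched glob
        seen=$((seen + 1))
        name=${f##*/}
        IFS= read -r raw < "$f" || true  # tolerate a missing final newline
        class=$(classify_status "$raw")
        printf '%s\t%s\t%s\n' "$name" "$class" "$raw"
        case "$class" in vulnerable|unknown) rc=1 ;; esac
    done
    [ "$seen" -gt 0 ] || { echo "no status entries in $dir" >&2; return 2; }
    return "$rc"
}

# Build a constructed sample directory so the script can be tried offline.
make_sample_dir() {
    local d
    d=$(mktemp -d) || return 1
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo on the constructed sample; one entry is reported as vulnerable.
sample=$(make_sample_dir) && { audit_dir "$sample" || true; rm -rf "$sample"; }
```

On a live host, call `audit_dir` with no argument to read the real sysfs directory and use its exit status in a fleet check.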

Stock Sales Kerfuffle is Just a Distraction

The first thing I did on hearing about these vulnerabilities on Tuesday was to check Intel’s stock price and I was surprised it hadn’t fallen much. In fact, peak to peak it’s only seen about an 8% drop this week and has recovered some from that low.

Of course, it came out that back in November Intel’s CEO Brian Krzanich sold off his Intel stock to the tune of $24 Million, bringing him down to his contractual minimum of shares. He likely knew about Meltdown when arranging that sale. Resist the urge to flame on this decision. Whether it’s legal or not, hating on this guy is just a distraction.

What’s more interesting to me is this: Intel is too big to fail. What are we all going to do, stop using Intel and start using something else? You can’t just pull the chip and put a new one in, in the case of desktop computers you need a new motherboard plus all the supporting stuff like memory. For servers, laptops, and mobile devices you need to replace the entire piece of equipment. Intel has a huge market share, and silicon has a long production cycle. Branch prediction has been commonplace in consumer CPUs going back to 1995 when the Pentium Pro brought it to the x86 architecture. This is a piece of the foundation that will be yanked out and replaced with new designs that provide the same speed benefits without the same risks — but that will take time to make it into the real world.

CPUs are infrastructure and this is the loudest bell to date tolling to signal how important their design is to society. It’s time to take a hard look at what open silicon design would bring to the table. You can’t say this would have been prevented with Open design. You can say that the path to new processors without these issues would be a shorter one if there were more than two companies producing all of the world’s processors — both of which have been affected by these vulnerabilities.

Friday Hack Chat: Contributing To Open Source Development

Open Source is how the world runs. Somewhere, deep inside the box of thinking sand you’re sitting at right now, there’s code you can look at, modify, compile, and run for yourself. At every point along the path between your router and the horrific WordPress server that’s sending you this webpage, there are open source bits transmitting bytes. The world as we know it wouldn’t exist without Open Source software.

That said, how does someone contribute to Open Source? Maintainers do like to build their own little kingdoms, so how does anyone break into developing Open Source hardware and software?

Our guest for this Hack Chat will be Robert Wolff, technical writer, and Open Source evangelist who has a history of working in and around STE*M-based educational programs. Right now, Robert is the community manager for 96Boards at Linaro. 96Boards is a hardware specification to make the latest ARM-based processors available at a reasonable cost. This open specification defines a standard board layout for SoC-agnostic platforms that can be used by any application, device, and kernel by system software developers.

The questions we’ll be looking at during this Hack Chat are how to contribute to Open Source projects, how to do that using 96Boards, the technical challenges involved in documenting an Open system, the difficulty in designing a processor-agnostic system, and general questions about the 96Boards community, ecosystem, and resources.

As always, we’re going to be taking questions from the hackaday.io community, so if you have a question, drop it on the Hack Chat event page.

Our Hack Chats are live community events on the Hackaday.io Hack Chat group messaging. These Hack Chats usually happen at Noon, Pacific time, on Friday. This week, everything is going down on Noon, PST, Friday, December 8th. Don’t have any idea what time that is on your meridian? Here’s a handy countdown timer!

Click that speech bubble to the left, and you’ll be taken directly to the Hack Chat group on Hackaday.io.

You don’t have to wait until Friday; join whenever you want and you can see what the community is talking about.

Mathieu Stephan : The Making of a Secure Open Source Hardware Password Keeper

Mathieu Stephan is an open source hardware developer, a Tindie seller who always has inventory, a former Hackaday writer, and an awesome all-around guy. One of his biggest projects for the last few years has been the Mooltipass, an offline password keeper built around smart cards and a USB interface. It’s the solution to Post-It notes stuck to your monitor and using the same password for all your accounts around the Internet.

The Mooltipass is an extremely successful product, and last year Mathieu launched the Mooltipass Mini. No, it doesn’t have the sweet illuminated touch-sensitive buttons, but it is a bit cheaper than its big brother and a bit more resistant to physical attacks — something you want in a device that keeps all your passwords secure.

Mathieu didn’t build the Mooltipass alone, though. This is an Open Source project that has developers and testers from around the globe. It may have started off as a Hackaday Post, but now the Mooltipass has grown into a worldwide development team with contributors across the globe. How did Mathieu manage to pull this off? You can check out his talk at the 2017 Hackaday Superconference below.

Open Source Underwater Glider Wins 2017 Hackaday Prize

The Open Source Underwater Glider has just been named the Grand Prize winner of the 2017 Hackaday Prize. As the top winner of the Hackaday Prize, the Open Source Underwater Glider will receive $50,000 USD. This completes the awarding of more than $250,000 in cash prizes during the last eight months of the Hackaday Prize.

More than one thousand entries answered the call to Build Something That Matters during the 2017 Hackaday Prize. Hardware creators around the globe competed in five challenges during the entry rounds: Build Your Concept, Internet of Useful Things, Wings-Wheels-and-Walkers, Assistive Technologies, and Anything Goes. Below you will find the top five finishers, and the winner of the Best Product award of $30,000.

Open Source Underwater Glider

Grand Prize Winner ($50,000 USD): The Open Source Underwater Glider is an AUV (Autonomous Underwater Vehicle) capable of long-term underwater exploration of submarine environments. Where most AUVs are limited in both power and range, the Open Source Underwater Glider does not use active propulsion such as thrusters or propellers. This submersible glides, extending the range and capabilities of whatever task it is performing.

The Open Source Underwater Glider is built from off-the-shelf hardware, allowing anyone to build their own copy of this very capable underwater drone. Extended missions of up to a week are possible, after which the Glider would return home autonomously.

Connected Health: Open source IoT patient monitor

Second Place ($20,000): The Connected Health project aims to bring vital sign monitoring to the masses with a simple, inexpensive unit built around commodity hardware. This monitoring system is connected to the Internet, which enables remote patient monitoring.

Assistance System for Vein Detection

Third Place ($15,000): This Assistance System for Vein Detection uses off-the-shelf components and near-IR imaging to detect veins under the skin. This system uses a Raspberry Pi and camera module or a modified webcam and yet is just as reliable as professional solutions that cost dozens of times more than this team’s prototype.

Adaptive Guitar

Fourth Place ($10,000): The Adaptive Guitar is an electromechanical system designed to allow disabled musicians to play the guitar with one hand (and a foot). This system strums the strings of a guitar while the musician frets each string.

Tipo : Braille Smartphone Keypad

Fifth Place ($5,000): Tipo is effectively a Braille USB keyboard designed for smartphones. The advent of touchscreen-only phones has unfortunately left the visually impaired without a modern phone. Tipo allows for physical interaction with modern smartphones.

Best Product Winner: Tipo : Braille Smartphone Keypad

The winner of the Best Product is Tipo : Braille Smartphone Keypad. Tipo is the solution to the problem of the increasingly buttonless nature of modern smartphones. A phone that is only a touchscreen cannot be used by the visually impaired, and Tipo adds a Braille keypad to the back of any phone. It is effectively a USB keypad, designed for Braille input, that attaches to the back of any phone.

The Best Product competition ran concurrently with the five challenge rounds and asked entrants to go beyond prototype to envision the user’s needs, manufacturing, and all that goes into getting to market. By winning the Best Product competition, the creators of Tipo will refine their design, improve their mechanical build, start looking at injection molding, and turn their 3D printed prototype into a real product that has the ability to change lives.

Congratulations to all who entered the Hackaday Prize. Taking time to apply your skill and experience to making the world better is a noble pursuit. It doesn’t end with the awarding of a prize. We have the ability to change lives by supporting one another, improving on great ideas, and sharing the calling to Build Something that Matters.

DIY Laptop Aims for Complete Hardware Freedom

Open source software has unquestionably gone from fringe idealism to mainstream, even if the average person doesn’t really know it. From their web browser to their smartphone operating system, more people are running open source software today than at any other time in the history of computing, and the numbers are only getting bigger. While we can debate how well some companies are handling their responsibilities to the open source community, overall this is probably a lot closer to an open source utopia than many of us ever believed we’d get.

For argument’s sake, let’s say the software is settled. What’s next? Well, if we’ve got all the open source software we could ever ask for, naturally we now need to run it on open source hardware. Just like our software, we want to see how it works, we want to modify it, and to fix it ourselves if we want. These goals are precisely what [Lukas Hartmann] had in mind when he started work on Reform, the latest entry in the world of fully open source laptops.

Like the Novena that came before it, the Reform leverages the four-core ARM Cortex-A9 NXP i.MX6 SoC to deliver tablet-level performance, though [Lukas] mentions the design may be migrated to the upgraded six-core version of the chip in the future, which should give it a little more punch. The SoC is paired with the Vivante GC2000 GPU which can be used under Linux without any binary blobs. Most hardware is connected to the system via the USB 2.0 bus, though networking is provided by a ThinkPenguin mini PCI-e wireless adapter, and on-board SATA handles the 128 GB SSD.

While the internals are relatively run-of-the-mill these days, the work that [Lukas] has done on the case and input devices is definitely very impressive. He partnered with industrial designer [Ana Dantas] to get the look and feel of the system down, and built almost everything out of 3D printed parts. Even the keyboard caps and the trackball were manufactured in house on a Formlabs Form 2. Rather than using an off-the-shelf USB HID solution, [Lukas] is using Teensy LC boards to interface the custom input hardware with the OS.

[Lukas] is still working on how and when the Reform will be made available to the public. After some refinements, the team hopes to make both kits and individual parts available, and of course put all the files up so you can build your own if you’ve got the equipment. A mockup Amazon listing for the Reform has been posted to get the public’s feedback on the look and features of the machine, and [Lukas] asks that anyone with comments and suggestions send him an email.

Between the Reform, Novena, and the Olimex, competition in the realm of DIY laptops is frankly staggering. Now we just need more people working on open hardware smartphones.

Thanks to [Adrian] for the tip.

MakerBot Really Wants You To Like Them Again

For the last couple years, a MakerBot press release has generally signaled that more pink slips were going to be heading out to the already shell-shocked employees at their NYC factory. But just last week something that could almost pass as good news came out of the once mighty 3D printer manufacturer, the unveiling of “MakerBot Labs”. A number of mainstream tech sites heralded this as MakerBot’s first steps back into the open source community that launched it nearly a decade ago; signs of a newer and more thoughtful MakerBot.

Reading the announcement for “MakerBot Labs”, you can almost believe it. All the buzz words are there, at least. In fact, if this announcement came from anyone else, in any other field, I’d probably be on board. Sharing knowledge and listening to the community is essential if you want to connect with hackers and makers. But this is MakerBot, and they’ve dug themselves into a very deep hole over the years.

The spectacular fall from grace that MakerBot has experienced, from industry leader to afterthought, makes this hat-in-hand peace offering hard to take seriously. It reads like a company making a last ditch effort to win back the users they were so sure they didn’t need just a few years ago. There is now a whole new generation of 3D printer owners who likely have never even seen a MakerBot printer, and it’s hard to imagine there’s still enough innovation and life in the company to turn that around before they completely fade into obscurity.

Best Product Entry: A HSDK for Ultrasound Imaging

As an entry into this year’s Best Product portion of the Hackaday Prize, [kelu124] is developing a hardware and software development kit for ultrasound imaging.

Ultrasound is one of the primary tools used in modern diagnostic medicine. Head to the doctor with abdominal pain, and you can bet you’ll be seeing the business end of an ultrasound system. While ultrasound systems have gotten cheaper, they aren’t something everyone has in the home yet. [kelu124] is working to change that by building a hardware and software development kit which can be used to explore ultrasound systems. This isn’t [kelu124’s] first rodeo. HSDK builds upon and simplifies Murgen, his first open source ultrasound, and an entry in the 2016 Hackaday Prize. [kelu124’s] goal is to “simplify everything, making it more robust and more user-friendly”.

The system is driven by a Raspberry Pi Zero W. A custom carrier board connects the Pi to the pulser block, which sends out the ultrasonic pings, and the analog front end, which receives the reflected signals. The receiver is called Goblin, and is a custom PCB [kelu124] designed himself. It uses a variable gain amplifier to bring reflected ultrasound signals up out of the noise.

A system like this would be a boon both to hackers and medical professionals working in the field. Ultrasonics can do more than just imaging. You can decrease healing time with ultrasonics, or even levitate things!