Dot-Matrix Printer Brings Old School Feel To Today’s Headlines

If you remember a time when TV news sets universally incorporated a room full of clattering wire service teleprinters to emphasize the seriousness of the news business, congratulations — you’re old. Now, most of us get our news piped directly into our phones, selected by algorithms perfectly tuned to rile us up on whatever the hot-button issue du jour happens to be. Welcome to the future.

If like us you long for a simpler way to get your news, [Andrew Schmelyun] has a partial solution with this dot-matrix news feeder. It’s part of his effort to detox a bit from the whole algorithm thing and make the news a little more concrete. He managed to chase down a very old Star Micronics printer with a serial interface, which he got on the cheap thanks to the previous owner not being sure if it worked. It did, at least after some cleaning, and thanks to a USB-to-serial and the efforts of Linux kernel hackers through the ages, was able to echo output to the printer from a Raspberry Pi Zero W.

From there, getting a daily news feed was as simple as writing some PHP code to mine the APIs of a few selected services. We’re perplexed and alarmed to report that Hackaday is not among the selected sources, but we’re sure this was just a small oversight that will be corrected in version 2. The program runs as a cron job so that a dead-tree version of the day’s top stories is ready for [Andrew]’s morning coffee.

We’ve seen similar news printers before; we particularly like this roll-feed paper version. But for a seriously retro feel, we’d love to see this done on a real teletype.

This Week In Security: Chat Control, Vulnerability Extortion, And Emoji Malware

Way back in 2020, I actually read the proposed US legislation known as EARN IT, and with some controversy, concluded that much of the criticism of that bill was inaccurate. Well what’s old is new again, except this time it’s the European Union that’s wrestling with how to police online Child Sexual Abuse Material (CSAM). And from what I can tell of reading the actual legislation (pdf), this time it really is that bad.

The legislation lays out two primary goals, both of them problematic. The first is detection, or what some are calling “upload moderation”. The technical details are completely omitted here, simply stating that services “… take reasonable measures to mitigate the risk of their services being misused for such abuse …” The implication here is that providers would do some sort of automated scanning to detect illicit text or visuals, but exactly what constitutes “reasonable measures” is left unspecified.

The second goal is the detection order. It’s worth pointing out that interpersonal communication services are explicitly mentioned as required to implement these goals. From the bill:

Providers of hosting services and providers of interpersonal communications services that have received a detection order shall execute it by installing and operating technologies approved by the Commission to detect the dissemination of known or new child sexual abuse material or the solicitation of children…

This bill is careful not to prohibit end-to-end encryption, nor require that such encryption be backdoored. Instead, it requires that the apps themselves be backdoored, to spy on users before encryption happens. No wonder Meredith Whittaker has promised to pull the Signal app out of the EU if it becomes law. As this scanning is done prior to encryption, it’s technically not breaking end-to-end encryption.

You may wonder why that’s such a big deal. Why is it a non-negotiable for the Signal app to not look for CSAM in messages prior to encryption? For starters, it’s a violation of user trust and an intentional weakening of the security of the Signal system. But maybe most importantly, it puts a mechanism in place that will undoubtedly prove too tempting for future governments. If Signal can be forced into looking for CSAM in the EU, why not anti-government speech in China?



Hackaday Links: March 3, 2024

Who’d have thought that $30 doorbell cameras would end up being security liabilities? That’s the somewhat obvious conclusion reached by Consumer Reports after looking at some entry-level doorbell cameras available through the usual outfits and finding glaring security gaps which are totally not intentional in any way.

All these cameras appear to be the same basic hardware inside different enclosures, most supporting the same mobile app. Our favorite “exploit” for these cameras is the ability to put them into a pairing mode with the app, sometimes by pressing a public-facing button. Slightly more technically challenging would be accessing images from the app using the camera’s serial number, or finding file names being passed in plain text while sniffing network traffic. And that’s just the problems CR identified; who knows what else lurks under the covers? Some retailers have stopped offering these things, others have yet to, so buyer beware.

Speaking of our techno-dystopian surveillance state, if you’ve had it with the frustrations and expense of printers, has Hewlett-Packard got a deal for you. They want you to never own a printer again, preferring that you rent it from them instead. Their “All-In Plan” launched this week, which for $6.99 a month will set you up with an HP Envy inkjet printer, ink deliveries, and 24/7 tech support. It doesn’t appear that paper is included in the deal, so you’re on your own for that, but fear not — you won’t go through much since the entry-level plan only allows 20 prints per month. Plans scale up to 700 prints per month from an OfficeJet Pro for the low, low price of $36. The kicker, of course, is that their printer has to be connected to the Internet, and HP can pretty much brick the thing anytime they want to. The terms of service also explicitly state that they’ll be sending your information to advertising partners, so that’ll be fun. This scheme hearkens back to the old pre-breakup days of AT&T, where you rented your phone from the phone company. That model made a lot more sense when the phone (probably) wasn’t listening in on everything you do. This just seems like asking for trouble.

“Enhance, enhance…” Credit: NASA/JPL-Caltech/LANL/CNES/IRAP/Simeon Schmauß

It’s been a while since Ingenuity’s final rough landing on Mars permanently grounded the overachieving helicopter, long enough that it’s time for the post-mortem analyses to begin. The first photographic evidence we had was a shadowgram from one of the helicopter’s navigational cameras, showing damage to at least one of the rotor tips, presumably from contact with the ground. Then we were treated to a long-distance shot from Ingenuity’s rover buddy Perseverance, which trained its MASTCAM instruments on the crash zone and gave us a wide view of its lonely resting place.

Now, geovisual design student [Simeon Schmauß] has taken long shots made with the rover’s SuperCam instrument and processed them into amazingly detailed closeups, which show just how extensive the damage really is. One rotor blade sheared clean off on contact, flying 15 meters before gouging a hole in the regolith. Another blade looks to be about half gone, while the remaining two blades show the damaged tips we’ve already seen. That the helicopter is still on its feet given the obvious violence of the crash is amazing, as well as an incredible piece of luck, since it means the craft’s solar panel is pointing in roughly the right direction to keep it powered up.


The Orb Web Desktop

[Hugo Leisink] is a programmer who contributes to Open Source projects. In their spare time, they have been developing a web-browser-based operating system called Orb. It is available for the princely sum of zero cheeseburgers and doesn’t need a high-spec machine to run smoothly. The project is built using PHP and Javascript, which allows it to run efficiently on most desktop devices. There are a number of apps included, which are again written in a combination of PHP and js, together with a few written using webasm.

A few notable examples include a C64 emulator, minesweeper, and even a js port of Wolfenstein 3D so this isn’t just a toy, but actually useful. Ok, for real use cases, there are also the usual file browsers, and document readers as well as a writing application based on CKeditor. There is a kind of Windows 3.1 look and feel simplicity to the experience which is refreshing in the modern era of complex applications with their learning curves. Orb could be very useful in an educational setting, or just for jotting your own notes as you travel. Who knows, because the possibilities are endless if you’re willing to get your hands dirty with a bit of coding.

We’ve seen a few web desktops before, here’s a collection of them we saw last year. If you want to go in the other direction and turn a webpage into a desktop app, then look no further than Gluon.

Creating Your Alarm On The Fly

We suspect that most of us who use an alarm clock have our particular sound memorized. Common choices are annoying beeping, energetic marimbas, or what used to be your favorite song (which you have now come to despise). [Adam Kumpf] wanted a more pleasant alarm clock and came up with WakeSlow, an alarm clock audio stream, which is a spiritual successor to an earlier project he did called Warmly.

Some might say, “an audio stream? You could create an acceptable alarm tone generator with a 555 and a 2N2222”. The idea behind WakeSlow is to use your existing internet-connected alarm clock that can play an audio stream. You generate a URL using WakeSlow, and it plays the alarm. A custom URL is helpful since it incorporates weather data, letting you know if it’s going to rain, blowing wind, or be sunny that day. It mixes CC0 audio to form the stream, and includes a 5-minute fade to wake you up gradually. After five minutes, it’s jazz time, and it plays a sample of some CC0 jazz.

The code is super simple, and he makes it available on his website under a public domain/CC0 license. The simplicity offers something powerful, making it exactly how you like it. You could incorporate holiday information, a text-to-speech news announcer reading the news of what’s on your calendar that day, or anything you can dream of.

Hackers are generally particular about clocks, and alarm clocks fall under the same umbrella. WakeSlow allows you to skip the hardware part of making your customized alarm, but if you prefer to have the whole thing be custom, we have a few suggestions for alarms to look at.

This Week In Security: PHP Attack Defused, Scoreboard Manipulation, And Tillitis

If you use PHP, you likely use the Composer tool for managing dependencies, at least indirectly. And the good folks at SonarSource found a nasty potential supply chain attack in this tool, when used in the Packagist repository. The problem is the support for arbitrary README filenames. When a package update shows up on Packagist, that service uses a Version Control System (VCS) like Git or Mercurial to pull the specified readme location. That pull operation is subject to argument injection. Name your branch --help, and Git will happily run the help argument instead of doing the pull intended. In the case of Git commands, our intrepid researchers were unable to weaponize the issue to achieve code execution.

Composer also supports projects that use Mercurial as their VCS, and Mercurial has a --config option that has… interesting potential. It allows redefining a Mercurial command as a script snippet. So a project just has to contain a malicious payload.sh, and the readme set to --config=alias.cat=!hg cat -r : payload.sh|sh;,txt. For those keeping track at home, the vulnerability is that this cursed string of ugly is accepted by Composer as a valid filename. This uses the --config trick to redefine cat as a bit of script that executes the payload. It ends in .txt because that is a requirement of Composer.

So let’s talk about what this little hack could have been used for, or maybe still used for on an unpatched, private install of Packagist. This is an unattended attack that jumps straight to remote script execution — on an official package repository. If discovered and used for evil, this would have been a massive supply chain attack against PHP deployments. Instead, thanks to SonarSource, it was discovered and disclosed privately back in April. The official Packagist repo at packagist.org was fixed the day after disclosure, and a CVE and updated packages went out six days later. Great work all around.
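The root cause above is a VCS command built from package metadata where a value beginning with a dash is parsed as an option. The following is an added example, not Composer’s or Packagist’s code: a small Python builder that assembles the git/hg argv list (no shell), refuses option-looking refs and paths, qualifies a git branch name as refs/heads/<name>, and terminates hg option parsing with `--`. The function names, the refs/heads qualification and the hg `--` separator are this example’s own choices; the readme string is the one quoted in the post.

```python
"""Added example (not Composer's or Packagist's code): fetching a readme at a
branch from untrusted package metadata without VCS argument injection."""
import subprocess
from typing import List

# Readme value from the post's Mercurial case. It begins with '-', so a
# naively built command hands it to hg as an option, not a filename.
HG_ALIAS_PAYLOAD = "--config=alias.cat=!hg cat -r : payload.sh|sh;,txt"


def build_readme_command_unsafe(vcs: str, branch: str, readme: str) -> str:
    """The shape of the bug: a shell command string pasted together from
    metadata. Anything starting with '-' becomes an option to git or hg.
    Shown only for contrast; it is never executed here."""
    if vcs == "git":
        return f"git show {branch}:{readme}"
    return f"hg cat -r {branch} {readme}"


def is_safe_vcs_argument(value: str) -> bool:
    """A positional argument must not look like an option ('-...') and must
    not carry bytes that could terminate or split the command line."""
    if not value or value.startswith("-"):
        return False
    return not any(c in value for c in "\0\r\n")


def build_readme_command(vcs: str, branch: str, readme: str) -> List[str]:
    """Return an argv list (no shell) for reading <readme> at <branch>.
    For git the branch is qualified as refs/heads/<branch>, so even a
    value that slips past the check can never be parsed as an option;
    for hg, '--' ends option parsing before the file name."""
    if vcs not in ("git", "hg"):
        raise ValueError(f"unsupported VCS: {vcs!r}")
    if not is_safe_vcs_argument(branch):
        raise ValueError(f"branch name looks like an option: {branch!r}")
    if not is_safe_vcs_argument(readme):
        raise ValueError(f"readme path looks like an option: {readme!r}")
    if vcs == "git":
        return ["git", "show", f"refs/heads/{branch}:{readme}"]
    return ["hg", "cat", "-r", branch, "--", readme]


def readme_command_is_accepted(vcs: str, branch: str, readme: str) -> bool:
    """True if the metadata passes validation, False if it would be rejected."""
    try:
        build_readme_command(vcs, branch, readme)
        return True
    except ValueError:
        return False


def fetch_readme(vcs: str, branch: str, readme: str, repo_dir: str) -> str:
    """Run the validated argv with subprocess and no shell, inside the checkout."""
    argv = build_readme_command(vcs, branch, readme)
    result = subprocess.run(argv, cwd=repo_dir, capture_output=True,
                            text=True, check=True)
    return result.stdout
```

Rejecting a leading dash is the generic fix; the refs/heads qualification and the `--` separator are belt-and-braces, since each VCS decides for itself where option parsing ends.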

Get GitHub Tickets IRL With A Raspberry Pi And A Receipt Printer

Thermal receipt printers are finding their way into all sorts of projects that are well beyond the point-of-sale environment that they normally inhabit. And while we applaud all the creative and artistic uses hackers have found for these little gems, this GitHub physical ticket printer has to be the best use for one yet.

According to [Andrew Schmelyun], seeing a fast-food order pop up on a thermal printer was the inspiration for this build. Maintaining over one hundred GitHub repos as he does, it’s easy for the details of any one bug report or feature request to get lost in the swarm of sticky notes that [Andrew] previously used to keep track of his work. To make it happen, he teamed an Epson thermal printer up to a Raspberry Pi Zero W and worked out the details of sending data to the printer using PHP. Luckily, there’s a library for that — the beauty of GitHub.

With the “Hello, World!” bit out of the way, [Andrew] turned his attention to connecting to GitHub. He set up some webhooks on the GitHub side to send a POST request every time an issue is reported on one of his repos. The POSTs are sent via ngrok to a PHP web server running on the Pi, which formats the data and sends the text to the printer. There’s a short video in the tweet below.
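An endpoint exposed through ngrok will receive POSTs from anyone who finds the URL, not just GitHub, so the receiver should check the HMAC signature GitHub puts in the X-Hub-Signature-256 header before anything reaches the printer. The following is an added example and not [Andrew]’s code: it is written in Python rather than the PHP of the original receiver, and the secret, sample payload and ticket layout are constructed for illustration. The header names and payload fields are the ones GitHub documents for issue events.

```python
"""Added example (not the project's code): verifying and formatting a GitHub
"issues" webhook before it is sent to a receipt printer."""
import hashlib
import hmac
import json
from typing import Dict, Optional

# Assumption: the same secret is entered in the webhook's settings on GitHub.
WEBHOOK_SECRET = b"constructed-example-secret"

# Constructed sample of the fields an "issues" event delivers.
SAMPLE_PAYLOAD = {
    "action": "opened",
    "issue": {
        "number": 42,
        "title": "Printer jams on long titles",
        "user": {"login": "octocat"},
    },
    "repository": {"full_name": "example/repo"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD).encode()


def sign_body(secret: bytes, body: bytes) -> str:
    """Value GitHub sends in X-Hub-Signature-256: HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_is_valid(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison against the signature we compute ourselves."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_body(secret, body), header_value)


def format_issue_ticket(payload: Dict) -> str:
    """Plain text for a narrow thermal printer; the title is cut to 32 columns."""
    issue = payload["issue"]
    repo = payload["repository"]["full_name"]
    lines = [
        f"#{issue['number']} {repo}",
        issue["title"][:32],
        f"by {issue['user']['login']}",
    ]
    return "\n".join(lines) + "\n"


def handle_webhook(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Return the ticket text to print, or None if the request is ignored.
    The signature is checked over the raw bytes before the JSON is parsed."""
    if not signature_is_valid(WEBHOOK_SECRET, body, headers.get("X-Hub-Signature-256")):
        return None
    if headers.get("X-GitHub-Event") != "issues":
        return None
    payload = json.loads(body)
    if payload.get("action") != "opened":
        return None
    return format_issue_ticket(payload)
```

The check runs on the raw request body, because re-serialising parsed JSON can change whitespace or key order and the HMAC would then no longer match.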

Between the sound of the printer working and the actual dead-tree ticket, it’ll be hard for [Andrew] to miss issues now. We’ve seen thermal printers stuffed into cameras, used to send pictures to Grannie, and even watched them commit suicide slowly, but we say hats off to [Andrew] for his solid work ethic and a fun new way to put a receipt printer to use.
