Screwless Eyeballs Are A Lesson In Design-For-Assembly

[Will Cogley] makes eyeballs; hey, everyone needs a hobby, and we don’t judge. Like all his animatronics, his eyeballs are wondrous mechanisms, but they do tend toward being a bit complex, especially in terms of the fasteners needed to assemble them.

But not anymore. [Will] redid his eyeball design to be as easy to assemble as possible, and the results are both impressive and instructive. His original design mimics real eyeballs quite well, but takes six servos and a large handful of screws and nuts, which serve both to attach the servos to the frame and act as pivots for the many, many linkages needed. The new design has snap-fit pivots similar to Lego Technic axles printed right into the linkage elements, as well as snap connectors to hold the servos down. This eliminates the need for 45 screws and cuts assembly time from 30 minutes to about six, with no tools required. And although [Will] doesn’t mention it, it must save a bunch of weight, too.

Everything comes at a cost, of course, and such huge gains in assembly ease are no exception. [Will] details this in the video below, including printing the parts in the right orientation to handle the forces exerted both during assembly and in use. And while it’s hard to beat a five-fold reduction in assembly time, he might be able to reduce that even more with a few print-in-place pivots.

Continue reading “Screwless Eyeballs Are A Lesson In Design-For-Assembly”

This Week In Security: Filename Not Sanitized, MonikerLink, And Snap Attack!

Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. It’s a feature, VirusEvent, that can be enabled in the ClamnAV config. And that configuration includes a string formatting function, where the string includes %v and %s, which gets replaced with a detected virus name and the file name from the email. And now you see the problem, I hope: The filename is attacker supplied input.

Where this really gets out of hand is what ClamAV does with this string. execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env). So let’s talk defensive program design for a minute. When it comes to running a secondary command, there are two general options, system() and the exec*() family of system calls. system() is very simple to use. It pauses execution of the main process and asks the operating system to run a string, just as if the user had typed that command into the shell. While this is very convenient to use, there is a security problem if any of that command string is user-supplied. All it takes is a semicolon or ampersand to break assumptions and inject a command.

To the rescue comes exec(). It’s a bit more complicated to use, requiring the programmer to manually call fork() and wait(). But it’s not running the command via the shell. exec() executes a program directly, totally eliminating the potential for command injection! Except… oops.

Yeah, exec() and related calls don’t offer any security protections when you use them to execute /bin/sh. I suspect the code was written this way to allow running a script without specifying /bin/sh in the config. The official fix was to disable the filename format character, and instead supply it as an environment variable. That certainly works, and that fix is available in 1.0.5, 1.2.2, and 1.3.0.

The real danger here is that we have another case where some hardware appliance manufacturer has used ClamAV for email filtering, and uses this configuration by default. That’s how we get orders from CISA to unplug your hardware, because it’s already compromised. Continue reading “This Week In Security: Filename Not Sanitized, MonikerLink, And Snap Attack!”

Dear Ubuntu…

Dear Ubuntu,

I hope this letter finds you well. I want to start by saying that our time together has been one of creativity and entertainment, a time in which you gave me the tools to develop a new career, to run a small electronics business, make fun things, and to write several thousand articles for Hackaday and other publications, but for all that it’s sadly time for our ways to part. The magic that once brought us together has faded, and what remains is in danger of becoming a frustration.

In our early days as an item you gave me for the first time a Linux distro that was complete, fast, and easy to use without spending too much time at the CLI or editing config files to make things happen; you gave me a desktop that was smooth and uncluttered, and you freed me from all those little utilities that were required to make Windows usable. You replaced the other distros I’d been using, you dual-booted with my Windows machines, and pretty soon you supplanted the Microsoft operating system entirely.

Ubuntu and me and a trusty Dell laptop, Oxford Hackspace, 2017.
Me and Ubuntu in 2017, good times.

We’ve been together for close to two decades now, and in that time we’ve looked each other in the eye across a variety of desktop and laptop computers. My trusty Dell Inspiron 640 ran you for over a decade through several RAM, HDD, and SSD upgrades, and provided Hackaday readers with the first few years of my writing. Even the Unity desktop couldn’t break our relationship, those Linux Mint people weren’t going to tear us asunder! You captured my text, edited my videos and images, created my PCBs and CAD projects, and did countless more computing tasks. Together we made a lot of people happy, and for that I will always be grateful. Continue reading “Dear Ubuntu…”

Hackaday Links Column Banner

Hackaday Links: November 21, 2021

As the most spendiest time of the year rapidly approaches, it’s good to know that your hard-earned money doesn’t have to go towards gifts that are probably still sitting in the dank holds of container ships sitting at anchor off the coast of California. At least not if you shop the Tindie Cyber Sale that started yesterday and goes through December 5. There’s a lot of cool stuff on sale, so it shouldn’t be too hard to find something; to sweeten the deal, Jasmine tells us that there will be extra deals going live on Black Friday and Cyber Monday. But wait, there’s more — follow Tindie on Twitter for bonus discount codes.

Blue is the old black, which was the new blue? At least when it comes to “Screens of Death” it is, since Microsoft announced the Windows 11 BSOD will revert back from its recent black makeover to the more familiar blue theme. You’ll have to scroll down a bit, perhaps three-quarters of the way through the list of changes. Again, the change seems completely cosmetic and minor, but we’d still love to know what kind of research went into making a decision like this.

From the “One Man’s Trash” department, we have a request for help from reader Mike Drew who picked up a bunch — like, a thousand — old tablet computers. They originally ran Windows but they can run Linux Mint just fine, and while they lack batteries and the back cover, they’re otherwise complete and in usable condition, at least judging by the pictures he shared. These were destined for the landfill, but Mike is willing to send batches of 10 — no single units, please — to anyone who can cover the cost of packaging and shipping. Mike says he’ll be wiping the tablets and installing Mint, and will throw in a couple of battery cables and a simple instruction sheet to get you started. If you’re interested, Mike can be reached at michael.l.drew@gmail.com. Domestic shipping only, please. Here’s hoping you can help a fellow hacker reclaim a room in his house.

Answering the important questions: it turns out that Thanos couldn’t have snapped half of the universe out of existence after all. That conclusion comes from a scientific paper, appearing in the Journal of the Royal Society. While not setting out to answer if a nigh-invulnerable, giant purple supervillain could snap his fingers, it’s pretty intuitive that wearing any kind of gloves, let alone a jewel-encrusted metal gauntlet, makes it hard to snap one’s fingers. But the mechanics of snapping is actually pretty cool, and has implications beyond biomechanics. According to the paper, snapping is actually an example of latch-mediated spring actuation, with examples throughout the plant and animal kingdoms, including the vicious “one-inch punch” of the tiny mantis shrimp. It turns out that a properly executed human finger snap is pretty darn snappy — it takes about seven milliseconds to complete, compared to 150 milliseconds for an eye blink.

And finally, it seems like someone over at Id Software is a bit confused. The story began when a metal guitarist named Dustin Mitchell stumbled across the term “doomscroll” and decided that it would make a great name for a progressive thrash metal band. After diligently filing a trademark application with the US Patent and Trademark Office, he got an email from an attorney for Id saying they were going to challenge the trademark, apparently because they feel like it will cause confusion with their flagship DOOM franchise. It’s hard to see how anyone who lived through the doomscrolling years of 2020 and 2021 is going to be confused by a thrash metal band and a 30-year-old video game, but we suppose that’s not the point when you’re an attorney. Trademark trolls gonna troll, after all.

Ubuntu Update Hack Chat

Join us on Wednesday, July 22 at noon Pacific for the Ubuntu Update Hack Chat with Rhys Davies and Alan Pope!

Everyone has their favorite brands, covering everything from the clothes they wear to the cars they drive. We see brand loyalty informing all sorts of acquisition decisions, not only in regular consumer life but in technology, too. Brand decisions sort people into broad categories like Mac versus PC, or iPhone versus Android, and can result in spirited discussions of the relative merits of one choice over the others. It’s generally well-intentioned, even if it gets a bit personal sometimes.

Perhaps no choice is more personal in hacker circles than which Linux distribution to use. There are tons to choose from, each with their various features and particular pros and cons. Ubuntu has become a very popular choice for Linux aficionados, attracting more than a third of the market. Canonical is the company behind the Debian-based distro, providing editions that run on the desktop, on servers, and on a variety of IoT devices, as well as support and services for large-scale users.

To fill us in on what’s new in the world of Ubuntu, Canonical product manager Rhys Davies and developer advocate Alan Pope will stop by the Hack Chat this week. They’ll be ready to answer all your questions about the interesting stuff that’s going on with Ubuntu, including the recently announced Ubuntu Appliances, easy to install, low maintenance images for Raspberry Pis and PCs that are built for security and simplicity. We’ll also talk about snaps, desktops, and whatever else crops up.

join-hack-chatOur Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, July 22 at 12:00 PM Pacific time. If time zones have you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about. Continue reading “Ubuntu Update Hack Chat”

What’s The Deal With Snap Packages?

Who would have thought that software packaging software would cause such a hubbub? But such is the case with snap. Developed by Canonical as a faster and easier way to get the latest versions of software installed on Ubuntu systems, the software has ended up starting a fiery debate in the larger Linux community. For the more casual user, snap is just a way to get the software they want as quickly as possible. But for users concerned with the ideology of free and open source software, it’s seen a dangerous step towards the types of proprietary “walled gardens” that may have drove them to Linux in the first place.

Perhaps the most vocal opponent of snap, and certainly the one that’s got the most media attention, is Linux Mint. In a June 1st post on the distribution’s official blog, Mint founder Clement Lefebvre made it very clear that the Ubuntu spin-off does not approve of the new package format and wouldn’t include it on base installs. Further, he announced that Mint 20 would actively block users from installing the snap framework through the package manager. It can still be installed manually, but this move is seen as a way to prevent it from being added to the system without the user’s explicit consent.

The short version of Clement’s complaint is that the snap packager installs from a proprietary Canonical-specific source. If you want to distribute snaps, you have to set up an account with Canonical and host it there. While the underlying software is still open source, the snap packager breaks with long tradition of having the distribution of the software also being open and free. This undoubtedly makes the install simple for naive users, and easier to maintain for Canonical maintainers, but it also takes away freedom of choice and diversity of package sources.

Continue reading “What’s The Deal With Snap Packages?”

Wearable Breadboard

We all know what a short circuit is, but [Clement Zheng] and [Manasvi Lalwani] want to introduce you to the shirt circuit. Their goal is to help children, teachers and parents explore and learn electronics. The vehicle is a shirt with a breadboard-like pattern of conductors attaching snaps. Circuit elements reside in stiff felt boxes with matching snaps. You can see it all in action in the video below.

We imagine you could cut the felt pieces out by hand with the included patterns. However, they used a laser cutter to produce the “breadboard” and the component containers. Conductive thread is a must, of course, as are some other craft supplies like glue and regular thread.

Continue reading “Wearable Breadboard”