Hackaday Links: November 13, 2022

Talk about playing on hard mode! The news this week was rife with stories about Palmer Luckey’s murder-modified VR headset, which ostensibly kills the wearer if their character dies in-game. The headset appears to have three shaped charges in the visor pointing right at the wearer’s frontal lobe, and would certainly do a dandy job of executing someone. In a blog post that we suspect was written with tongue planted firmly in cheek, Luckey, the co-founder of Oculus, explains that the interface from the helmet to the game is via optical sensors that watch the proceedings on the screen, and fire when a certain frequency of flashing red light is detected. He’s also talking about ways to prevent the removal of the headset once donned, in case someone wants to tickle the dragon’s tail and try to quickly rip off the headset as in-game death approaches. We’re pretty sure this isn’t serious, as Luckey himself suggested that it was more of an office art thing, but you never know what extremes a “three commas” net worth can push someone to.

There’s light at the end of the Raspberry Pi supply chain tunnel, as CEO Eben Upton announced that he foresees the Pi problems resolving completely by this time next year. Upton explains his position in the video embedded in the linked article, which is basically that the lingering effects of the pandemic should resolve themselves over the next few months, leading to normalization of inventory across all Pi models. That obviously has to be viewed with some skepticism; after all, nobody saw the supply chain issues coming in the first place, and there certainly could be another black swan event waiting for us that might cause a repeat performance. But it’s good to hear his optimism, as well as his vision for the future now that we’re at the ten-year anniversary of the first Pi’s release.

Hackaday Links: March 20, 2022

Well, that de-escalated quickly! It was less than a week ago that the city of Shenzhen, China was put on lockdown due to a resurgence of COVID-19 in the world’s electronics manufacturing epicenter. This obviously caused no small amount of alarm up and down the electronics supply chain, promising to once again upset manufacturers seeking everything from PCBs to components to complete electronic assemblies. But just a few days later, the Chinese government announced that the Shenzhen lockdown was over. At least partially, that is — factories and public transportation have been reopened in five of the city’s districts, with iPhone maker Foxconn, one of the bigger players in Shenzhen, given the green light to partially reopen. What does this mean for hobbyists’ ability to get cheap PCBs made quickly? That’s hard to say, at least at this point. Please feel free to share your experiences with any supply chain disruptions in the comments below.

Better news from a million miles away, as NASA announced that the James Webb Space Telescope finished the first part of its complex mirror alignment procedure. The process, which uses the actuators built into each of the 18 hexagonal mirror segments, slightly moves each mirror to align them all into one virtual optical surface. The result is not only the stunning “selfie” images we’ve been seeing, but also a beautiful picture of the star Webb has been focusing on as a target. The video below explains the process in some detail, along with sharing that the next step is to move the mirrors in and out, or “piston” them, so that the 18 separate wavefronts all align to send light to the instruments in perfect phase. Talk about precision!

Is a bog-standard Raspberry Pi just not tough enough for your application? Do you need to run DOOM on a platform that can take a few g of vibration and still keep working? Sick of your Pi-based weather station breaking down when it gets a little wet or too hot? Then you’ll want to take a look at the DuraCOR Pi, a ruggedized chassis containing a Pi CM4 that’s built for extreme environments. The machine is in a tiny IP67-rated case and built to MIL-STD specs with regard to vibration, temperature, humidity, and EMI conditions. This doesn’t really seem like something aimed at the hobbyist market — it’s marketed by Curtiss-Wright Defense Solutions, a defense contractor that traces its roots all the way back to a couple of bicycle mechanics from Ohio who learned how to fly. So this Pi is probably more like something you’d spec if you were building a UAV or something like that. Still, it’s cool to know such things are out there.

BrainLubeOnline has a fun collection of X-rays. With the exception of a mouse — the other kind — everything is either electronic or mechanical, which makes for really interesting pictures. Seeing the teeth on a gear or the threads on a screw, and seeing right through the object, shows the mechanical world in a whole new light — literally.

And finally, would you buy a car that prevents you from opening the hood? Most of us probably wouldn’t, but then again, most of us probably wouldn’t buy a Mercedes EQS 580 electric sedan. Sarah from Sarah -n- Tuned on YouTube somehow got hold of one of these babies, which she aptly describes as a “German spaceship,” and took it for a test drive, including a “full beans” acceleration test. Just after that neck-snapping ride, at about the 7:20 mark in the video below, she asks the car’s built-in assistant to open the hood, a request the car refused by saying, “The hood may only be opened by a specialist workshop.” Sarah managed to get it open anyway, and it’s not a frunk — it’s home to one of the two motors that power the car, along with all kinds of other goodies.

Hackers Beware: Shenzhen Is Closing

If you’re among those of us with immediate plans for a PCB or parts order from China, watch out – Shenzhen just recently got put on a week-long lockdown. Factories, non-essential stores and public places are closed, and people are required to spend time at home – for a city where hardware thrives, this sounds like a harsh restriction. Work moves to remote where possible, but some PCB fabs and component warehouses might not be at our service for at least a week.

It might be puzzling to hear that the number of cases resulting in closures is as low as 121, for a city of 12.6 million people. The zero-tolerance policy towards COVID has been highly effective for the city, with regular testing, adhered-to masking requirements and vaccinations – which is how we’ve been free to order any kinds of boards and components we needed throughout the past two years. In fact, 121 cases in one day is an unprecedented number for Shenzhen, and given their track record and swift reaction, it is reasonable to expect the case count dropping back to the regular (under 10 cases per day) levels soon.

Not all manufacturing facilities are located in Shenzhen, either. Despite what certain headlines might have you believe, supply chain shortages aren’t a certainty from here. A lot of the usual suspects like PCBWay and JLCPCB are merely reporting increased lead times as they reallocate resources, and while some projects are delayed for now, a lot of fabs you’d use continue operating with minor delays at most. SeeedStudio has its operations impacted more severely, and your Aliexpress orders might get shipped a bit later than usual – but don’t go around calling this a Chinese New Year v2 just yet. For those who want to keep a closer eye on the situation and numbers, the [Shenzhen Pages] Twitter account provides from-the-ground updates on the situation.

Wondering how your supply chain might be affected? We talked about this way back in February 2020, addressing then-warranted worries that Chinese New Year would grow into a longer disruption than planned due to COVID becoming a factor to manage. If you have yet to discover the significance of Shenzhen, books have been written on this marvellous city, where you can build a successful hardware company in a week’s time. We’ve even had a meetup there once!

Header image: Charlie fong, CC BY-SA 4.0.

Hackaday Links: October 31, 2021

Global supply chain issues are beginning to hit closer to home for the hacker community, as Raspberry Pi has announced their first-ever price increase on their flagship Pi 4. The move essentially undoes the price drop on the 2GB version of the Pi 4 that was announced in February, and sets the price back up from $35 to $45. Also rolled back is the discontinuation of the 1GB version, which will now be available at the $35 price point. The announcements come from Eben Upton himself, who insists the price increase is only temporary. We applaud his optimism, but take it with a grain of salt since he also said that 2021 production across the board will stay at the seven million-unit level, which is what they produced in 2020. That seems to speak to deeper issues within the supply chain, but more immediately, it’s likely that the supply of Pi products will be pinched enough that you’ll end up paying above sticker price just to get the boards you need. Hope everyone is stocked up.

On the topic of supply chain issues and their threat to Christmas gift-giving, here’s one product we hope is stranded in a container off Long Beach or better still, bobbing along in the Strait of Juan De Fuca: a toddler’s toy telephone that actually makes and receives calls. Anyone born in the last 60 years probably had a Fisher-Price Chatter Telephone, a toy that in its original form looked like a desk telephone on wheels that was dragged behind the child, popping along and providing endless hours of clicky amusement as kids twisted the dial and lifted the receiver. Come to think of it, the Chatter Telephone may be as close to a dial phone as anyone born since 1990 has come. Anyway, some genius stuck a Bluetooth module into the classic phone to let it hook up to an app on an actual phone, allowing kids (or more likely their nostalgia-soaked parents) to make and receive calls. It’s actually priced at a reasonable $60, so there might be some hacking potential here.

Also tangential to supply chains, we stumbled across a video guide to buying steel that might interest readers. Anyone who has seen the displays of steel and other metals at the usual big-box retailers might wonder what the fuss is, but buying steel that way or ordering online is a great way to bust a project’s budget. Fabricator and artist Doug Boyd insists that finding a local steel supplier is the best bang for your buck, and has a bunch of helpful tips for not sounding like a casual when you’re ordering. It’s all good advice, and would have saved us from looking foolish a time or two at the metal yard; just knowing that pipe is measured by inside diameter while tubing is measured by outside dimensions is worth the price of admission alone.

With all the money you save on steel and by not buying Raspberry Pis, perhaps you’ll have a couple of hundred thousand Euros lying around to bid on this authentic 1957 Sputnik I satellite. The full-scale model of Earth’s first artificial satellite — manhole covers excluded — was a non-flown test article, but externally faithful to the flown hardware that kicked off the first Space Race. The prospectus says that it has a transmitter and a “modern power supply”; it’s not clear if the transmitter was originally part of the test article or added later. The opening bid is €85,000 and is expected to climb considerably.

And finally, there’s something fascinating about “spy radios,” especially those from the Cold War era and before, when being caught with one in your possession was probably going to turn out to be a very bad day. One such radio is the Radio Orange “Acorn” receiver, which is in the collection of the Crypto Museum. The radio was used by the Dutch government to transmit news and information into the occupied Netherlands from their exile in London. Built to pass for a jewelry box, the case for the radio was made from an old cigar box and is a marvel of 1940s miniaturization. The radio used three acorn-style vacuum tubes and was powered by mains current; another version of the Radio Orange receiver was powered by a bike dynamo or even a water-powered turbine, which could be run from a tap or garden hose. The video below shows the water-powered version in action, but the racket it made must have been problematic for its users, especially given the stakes.

ua-parser-js compromised

Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), which organizes a collection of contributed libraries written in JavaScript. One need only use npm to include a library in their code, and all of the functions of that code are available to the developer. One such example is ua-parser-js, which is a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22, 2021, the developer of ua-parser-js found that attackers had uploaded versions of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js sits deep in the software supply chain: it is pulled in as a transitive dependency by a huge number of projects, and has been adopted even by Facebook for use in some of its customer facing software. The developer of ua-parser-js has already secured his npm account and uploaded new versions of the package that are clean. If you have any software that uses this library, directly or via another dependency, make sure you’ve got a clean version, and treat any machine that installed one of the malicious versions as compromised: rotate the secrets and keys that were stored on it.

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

Hackaday Links: August 15, 2021

Unless you’re in the market for a new car, household appliance, or game console, or if you’re involved in the manufacture of these things, chances are pretty good that the global semiconductor shortage hasn’t directly impacted you yet. But we hobbyists might be due for a comeuppance as the chip shortage starts to impact our corner of the market. We suppose it’s natural that supplies of the chips needed to build Arduinos and Raspberry Pis would start to dry up, as semiconductor manufacturers realign their resources to service their most lucrative markets. Still, it was all sort of abstract until now, but seeing dire quotes from the likes of Adafruit, Pololu, and Sparkfun about the long lead times they’re being quoted — some chips won’t be seen until 2023! — is disheartening. As are the reports of price gouging and even hoarding; when a $10 part can suddenly command $350, you know something has gone seriously wrong.

But have no fear — we’re certain the global chip shortage will have no impact on the planned 2027 opening of the world’s first space hotel. Voyager Station — once dubbed Von Braun Station but renamed for some reason — looks for all the world like Space Station V in “2001: A Space Odyssey”, or at least half of it. The thing is enormous — witness the Starship docked in the center hub, as well as the several dozen shuttle-like craft — escape pods, perhaps? — attached to the outer rim. The renders are imaginative, to say the least — the station looks very sleek, completely unfettered by such banalities as, say, solar panels. We get that a private outfit needs to attract deep-pocketed investors, and that one doesn’t do that by focusing on the technical details when they can sell a “premium experience”. But really, if you’re going to space, do you want basically the same look and feel as a premium hotel on Earth, just with a better view? Or would you rather feel like you’ve actually traveled to space?

Speaking of space, did you ever wonder what the first programmable calculator in space was? Neither did we, but that doesn’t mean we didn’t find this detailed story about the HP-65 that was sent up on the Apollo-Soyuz Test Project in 1975 pretty fascinating. The ASTP was the last hurrah of Apollo, and an often underappreciated engineering challenge. Linking up the two spacecraft safely was not trivial, and a fair number of burn calculations had to be made in orbit to achieve rendezvous and docking, as well as to maintain orbit. The HP-65, a programmable calculator that went for about $750 at the time (for the non-space-rated version, of course) had several programs loaded onto its removable magnetic cards, and the Apollo crew used it to verify the results calculated by the Apollo Guidance Computer (AGC).

Facebook, a company that exists by providing people with a product they don’t need but now somehow can’t live without, is now dipping a toe into weird, weird waters: reverse-passthrough virtual reality. The idea, we take it, is that as users more widely adopt VR and integrate it into their daily lives, the VR headsets everyone will be wearing will make face-to-face contact more difficult. So what better way to solve that problem than by projecting a live image of the VR user’s eyes onto a screen outside the VR rig, for any and all to see? Pure genius, and not the least bit creepy. They’ve perhaps got a bit of work to go before achieving their goal of “seamless social connection between real and virtual worlds”.

And speaking of eyes, it’s good to know that developers are still hard at work keeping the most vital applications running at peak efficiency on today’s hardware. Yes, the venerable XEyes, a program for the X Window System on Unix-like operating systems that draws a pair of googly eyes on the screen to follow your mouse movements, has finally moved to version 1.2.0. It’s been 11 years since the 1.1.0 upgrade, so it was a long time coming. If you haven’t had the chance to play with XEyes, fear not — just about any Linux machine should be able to show you what you’ve been missing. Or, you know, you could even run it on a camera as the video below the break shows.

This Week In Security: Fail2RCE, TPM Sniffing, Fishy Leaks, And Decompiling

Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker to take over a machine by getting themselves blocked by Fail2ban. The problem is in the mail-whois action, where an email is sent to the administrator containing the whois information for the banned address. Whois information is potentially attacker-controlled data, and Fail2ban doesn’t sanitize it before piping it into the mail binary. Mailutils has a feature that treats a tilde at the start of a line as an escape sequence, allowing commands to be run while composing a message. Fail2ban doesn’t neutralize those tilde commands, so malicious whois data can trivially run commands on the system. Whois is one of the old-school Unix protocols that runs in the clear, so a MITM attack makes this particularly easy, with no need to control the whois server itself. If you use Fail2ban, make sure to update to 0.10.7 or 0.11.3, or purge any use of mail-whois from your active configs.
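To make the injection concrete, here is an added example in POSIX shell; it is not Fail2ban’s own mail-whois action (which is built from Fail2ban’s action templating), but a small model of the same data flow. A constructed whois reply containing a `~!` line stands in for what a hostile or MITM’d whois server would return; `compose_ban_mail` shows the vulnerable shape, where that text lands in the message body verbatim, and `safe_compose_ban_mail` doubles any leading tilde, which mailx-style clients such as mailutils read as a literal `~`. All function names, the sample record, and the message wording are ours.

```sh
#!/bin/sh
# Added example, not Fail2ban code. Models the mail-whois data flow:
# whois output (attacker-controlled, or rewritten by a MITM on the
# cleartext whois connection) is pasted into a message body that is
# then piped to the mailutils "mail" binary, where a line beginning
# with "~" is an escape ("~!cmd" runs cmd in a shell).

# Constructed whois reply for a banned address. The third line is a
# tilde escape that mailutils would execute instead of mailing.
sample_whois() {
    printf 'inetnum:   192.0.2.0 - 192.0.2.255\n'
    printf 'netname:   EXAMPLE-NET\n'
    printf '~! touch /tmp/owned\n'
    printf 'descr:     constructed record, for illustration only\n'
}

# Count body lines that mailutils would treat as escapes: a lone "~",
# or "~" followed by anything other than a second "~" ("~~" is a
# literal tilde and is therefore safe).
count_tilde_escapes() {
    grep -cE '^~([^~]|$)' || true
}

# Vulnerable shape: the whois text goes into the body verbatim.
compose_ban_mail() {
    printf 'Hi,\nThe IP %s has just been banned by Fail2Ban.\n\nWhois:\n' "$1"
    sample_whois
}

# Hardened shape: double any leading tilde so the client sees a literal "~".
neutralize_tilde() {
    sed 's/^~/~~/'
}

safe_compose_ban_mail() {
    compose_ban_mail "$1" | neutralize_tilde
}

# Stand-alone demo: print the escape count before and after neutralising.
if [ "${1-}" = "demo" ]; then
    printf 'escapes in raw body:       '
    compose_ban_mail 192.0.2.10 | count_tilde_escapes
    printf 'escapes in hardened body:  '
    safe_compose_ban_mail 192.0.2.10 | count_tilde_escapes
fi
```

Run it with `sh ban-mail.sh demo` to see the count go from 1 to 0. Escaping the body is a belt-and-braces measure, not a substitute for the upgrade the text recommends: the robust fix is to stop the mail client from interpreting escapes on piped input at all, and the fixed Fail2ban releases handle that for you.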