Hackaday Links: October 31, 2021

Global supply chain issues are beginning to hit closer to home for the hacker community, as Raspberry Pi has announced their first-ever price increase on their flagship Pi 4. The move essentially undoes the price drop on the 2GB version of the Pi 4 that was announced in February, and sets the price back up from $35 to $45. Also rolled back is the discontinuation of the 1GB version, which will now be available at the $35 price point. The announcements come from Eben Upton himself, who insists the price increase is only temporary. We applaud his optimism, but take it with a grain of salt since he also said that 2021 production across the board will stay at the seven million-unit level, which is what they produced in 2020. That seems to speak to deeper issues within the supply chain, but more immediately, it’s likely that the supply of Pi products will be pinched enough that you’ll end up paying above sticker price just to get the boards you need. Hope everyone is stocked up.

On the topic of supply chain issues and their threat to Christmas gift-giving, here’s one product we hope is stranded in a container off Long Beach or, better still, bobbing along in the Strait of Juan de Fuca: a toddler’s toy telephone that actually makes and receives calls. Anyone born in the last 60 years probably had one of the Fisher-Price Chatter telephones, a toy that in its original form looked like a desk telephone on wheels that was dragged behind the child, popping along and providing endless hours of clicky amusement as kids twisted the dial and lifted the receiver. Come to think of it, the Chatter telephone may be as close to a dial phone as anyone born since 1990 has come. Anyway, some genius stuck a Bluetooth module into the classic phone to let it hook up to an app on an actual phone, allowing kids (or more likely their nostalgia-soaked parents) to make and receive calls. It’s actually priced at a reasonable $60, so there might be some hacking potential here.

Also tangential to supply chains, we stumbled across a video guide to buying steel that might interest readers. Anyone who has seen the displays of steel and other metals at the usual big-box retailers might wonder what the fuss is, but buying steel that way or ordering online is a great way to bust a project’s budget. Fabricator and artist Doug Boyd insists that finding a local steel supplier is the best bang for your buck, and has a bunch of helpful tips for not sounding like a casual when you’re ordering. It’s all good advice, and would have kept us from looking foolish a time or two at the metal yard; just knowing that pipe is measured by inside diameter while tubing is measured by outside dimensions is worth the price of admission alone.

With all the money you save on steel and by not buying Raspberry Pis, perhaps you’ll have a couple of hundred thousand Euros lying around to bid on this authentic 1957 Sputnik I satellite. The full-scale model of Earth’s first artificial satellite — manhole covers excluded — was a non-flown test article, but externally faithful to the flown hardware that kicked off the first Space Race. The prospectus says that it has a transmitter and a “modern power supply”; it’s not clear if the transmitter was originally part of the test article or added later. The opening bid is €85,000 and is expected to climb considerably.

And finally, there’s something fascinating about “spy radios,” especially those from the Cold War era and before, when being caught with one in your possession was probably going to turn out to be a very bad day. One such radio is the Radio Orange “Acorn” receiver, which is in the collection of the Crypto Museum. The radio was used by the Dutch government to transmit news and information into the occupied Netherlands from their exile in London. Built to pass for a jewelry box, the case for the radio was made from an old cigar box and is a marvel of 1940s miniaturization. The radio used three acorn-style vacuum tubes and was powered by mains current; another version of the Radio Orange receiver was powered by a bike dynamo or even a water-powered turbine, which could be run from a tap or garden hose. The video below shows the water-powered version in action, but the racket it made must have been problematic for its users, especially given the stakes.

Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available for even the smallest of functions so that a developer doesn’t have to write them from scratch. One such registry is npm (Node Package Manager), which organizes a collection of contributed libraries written in JavaScript. One need only use npm to include a library in a project, and all of the functions of that library are available to the developer. One such example is ua-parser-js, a User Agent parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22, 2021, the developer of ua-parser-js found that attackers had uploaded versions of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or to run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer-facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new, clean versions of the package. If you have any software that uses this library, make sure you’ve got the latest version!
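Checking whether ua-parser-js is present in a project, and at which versions, means reading the npm lockfile rather than just package.json, since the parser is usually pulled in transitively. The script below is an added example (not code from the Hackaday post or the ua-parser-js project): it walks both the v1 nested `dependencies` tree and the v2/v3 flat `packages` map of a package-lock.json and reports every copy of a named package. The lockfiles and the `AFFECTED_PLACEHOLDER` version set are constructed; the real affected versions come from the GitHub advisory.

```python
from __future__ import annotations
import json

# Constructed placeholder: replace with the exact versions named in the
# GitHub advisory for ua-parser-js before running this against a real tree.
AFFECTED_PLACEHOLDER = {"0.7.0"}

# Constructed sample lockfiles (not real project files). Lockfile v1 nests
# dependencies; v2/v3 keys every installed copy by its node_modules path.
SAMPLE_LOCK_V1 = """{
  "lockfileVersion": 1,
  "dependencies": {
    "ua-parser-js": {"version": "0.7.0"},
    "some-lib": {
      "version": "2.0.0",
      "dependencies": {"ua-parser-js": {"version": "0.7.1"}}
    }
  }
}"""
SAMPLE_LOCK_V2 = """{
  "lockfileVersion": 2,
  "packages": {
    "": {"name": "app"},
    "node_modules/ua-parser-js": {"version": "0.7.1"},
    "node_modules/some-lib": {"version": "2.0.0"},
    "node_modules/some-lib/node_modules/ua-parser-js": {"version": "0.7.0"}
  }
}"""


def find_package_versions(lock: dict, name: str) -> list[tuple[str, str]]:
    """Return (install path, version) for every copy of `name` in the lockfile."""
    hits: list[tuple[str, str]] = []
    # v2/v3: keys look like "node_modules/a/node_modules/b"; the package name
    # is whatever follows the last "node_modules/" (scoped names keep their "/").
    for path, meta in lock.get("packages", {}).items():
        if path.rstrip("/").split("node_modules/")[-1] == name:
            hits.append((path, meta.get("version", "?")))
    if hits:
        return hits

    # v1: recurse through nested "dependencies" objects, building the path.
    def walk(deps: dict, prefix: str) -> None:
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name:
                hits.append((path, meta.get("version", "?")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


def audit(lock_text: str, name: str, affected: set[str]) -> dict:
    """Parse a lockfile and flag copies of `name` whose version is in `affected`."""
    found = find_package_versions(json.loads(lock_text), name)
    flagged = [(path, ver) for path, ver in found if ver in affected]
    return {"found": found, "flagged": flagged}


if __name__ == "__main__":
    for label, text in (("v1", SAMPLE_LOCK_V1), ("v2", SAMPLE_LOCK_V2)):
        print(label, audit(text, "ua-parser-js", AFFECTED_PLACEHOLDER))
```

Nested copies matter: a top-level `npm update` can leave an older copy pinned under another dependency, which is exactly what the path column exposes.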

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

Hackaday Links: August 15, 2021

Unless you’re in the market for a new car, household appliance, or game console, or if you’re involved in the manufacture of these things, chances are pretty good that the global semiconductor shortage hasn’t directly impacted you yet. But we hobbyists might be due for a comeuppance as the chip shortage starts to impact our corner of the market. We suppose it’s natural that supplies of the chips needed to build Arduinos and Raspberry Pis would start to dry up, as semiconductor manufacturers realign their resources to service their most lucrative markets. Still, it was all sort of abstract until now, but seeing dire quotes from the likes of Adafruit, Pololu, and Sparkfun about the long lead times they’re being quoted — some chips won’t be seen until 2023! — is disheartening. As are the reports of price gouging and even hoarding; when a $10 part can suddenly command $350, you know something has gone seriously wrong.

But have no fear — we’re certain the global chip shortage will have no impact on the planned 2027 opening of the world’s first space hotel. Voyager Station — once dubbed Von Braun Station but renamed for some reason — looks for all the world like Space Station V in “2001: A Space Odyssey”, or at least half of it. The thing is enormous — witness the Starship docked in the center hub, as well as the several dozen shuttle-like craft — escape pods, perhaps? — attached to the outer rim. The renders are imaginative, to say the least — the station looks very sleek, completely unfettered by such banalities as, say, solar panels. We get that a private outfit needs to attract deep-pocketed investors, and that one doesn’t do that by focusing on the technical details when they can sell a “premium experience”. But really, if you’re going to space, do you want basically the same look and feel as a premium hotel on Earth, just with a better view? Or would you rather feel like you’ve actually traveled to space?

Speaking of space, did you ever wonder what the first programmable calculator in space was? Neither did we, but that doesn’t mean we didn’t find this detailed story about the HP-65 that was sent up on the Apollo-Soyuz Test Project in 1975 pretty fascinating. The ASTP was the last hurrah of Apollo, and an often underappreciated engineering challenge. Linking up the two spacecraft safely was not trivial, and a fair number of burn calculations had to be made in orbit to achieve rendezvous and docking, as well as to maintain orbit. The HP-65, a programmable calculator that went for about $750 at the time (for the non-space-rated version, of course) had several programs loaded onto its removable magnetic cards, and the Apollo crew used it to verify the results calculated by the Apollo Guidance Computer (AGC).

Facebook, a company that exists by providing people with a product they don’t need but now somehow can’t live without, is now dipping a toe into weird, weird waters: reverse-passthrough virtual reality. The idea, we take it, is that as users more widely adopt VR and integrate it into their daily lives, the VR headsets everyone will be wearing will make face-to-face contact more difficult. So what better way to solve that problem than by projecting a live image of the VR user’s eyes onto a screen outside the VR rig, for any and all to see? Pure genius, and not the least bit creepy. They’ve perhaps got a bit of work to go before achieving their goal of “seamless social connection between real and virtual worlds”.

And speaking of eyes, it’s good to know that developers are still hard at work keeping the most vital applications running at peak efficiency on today’s hardware. Yes, the venerable XEyes, a program for the X Window System on Unix-like operating systems that draws a pair of googly eyes on the screen to follow your mouse movements, has finally moved to version 1.2.0. It’s been 11 years since the 1.1.0 upgrade, so it was a long time coming. If you haven’t had the chance to play with XEyes, fear not — just about any Linux machine should be able to show you what you’ve been missing. Or, you know, you could even run it on a camera as the video below the break shows.

This Week In Security: Fail2RCE, TPM Sniffing, Fishy Leaks, And Decompiling

Fail2ban is a great tool for dynamically blocking IP addresses that show bad behavior, like making repeated login attempts. It was just announced that a vulnerability could allow an attacker to take over a machine simply by getting blocked by Fail2ban. The problem is in the mail-whois action, where an email containing the whois information for the blocked address is sent to the administrator. Whois information is potentially attacker-controlled data, and Fail2ban doesn’t properly sanitize the input before piping it into the mail binary. Mailutils has a feature that treats a tilde at the start of a line as an escape sequence, allowing commands to be run while composing a message. Fail2ban doesn’t strip those tilde commands, so malicious whois data can trivially run commands on the system. Whois is one of the old-school Unix protocols that runs in the clear, so a MITM attack makes this particularly easy. If you use Fail2ban, make sure to update to 0.10.7 or 0.11.3, or purge any use of mail-whois from your active configs.
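The two remediations named above (update past the fixed release, or stop using mail-whois) can be checked on a host without reading each jail by hand. The script below is an added example, not part of the Hackaday column or of Fail2ban itself: `has_fix` compares a version string against the 0.10.7 / 0.11.3 fixed releases (assuming anything newer than 0.11.3 also carries the fix), and `jails_using_mail_whois` reads a jail.local-style file and lists enabled jails whose effective action names mail-whois, either literally or through the `action_mw`/`action_mwl` shorthands when `mta = mail` (those shorthands expand to `%(mta)s-whois` in jail.conf). The sample config is constructed.

```python
import configparser
import re

# Fixed releases per the post: 0.10.7 on the 0.10 branch, 0.11.3 on the 0.11 branch.
FIXED = {(0, 10): (0, 10, 7), (0, 11): (0, 11, 3)}

# Constructed jail.local (not from any real host).
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
mta = mail
action = %(action_)s

[sshd]
enabled = true
action = %(action_mw)s

[nginx-http-auth]
enabled = true
action = mail-whois[name=nginx, dest=root@localhost]

[postfix]
enabled = true

[apache-auth]
enabled = false
action = %(action_mwl)s
"""


def parse_version(text: str) -> tuple:
    """Turn 'fail2ban-client -V' style output such as '0.11.2' into a tuple."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def has_fix(version: str) -> bool:
    """True if the running Fail2ban carries the mail-whois fix."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in FIXED:
        return ver >= FIXED[branch]
    # Assumption: any release newer than 0.11.3 includes the fix; older branches don't.
    return ver > (0, 11, 3)


def jails_using_mail_whois(config_text: str) -> list:
    """Names of enabled jails whose effective action sends whois mail."""
    # interpolation=None keeps Fail2ban's %(name)s references as literal text.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(config_text)
    mta = cfg.defaults().get("mta", "sendmail")  # Fail2ban's default mta
    flagged = []
    for jail in cfg.sections():
        if cfg.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue
        action = cfg.get(jail, "action", fallback="")  # falls back to [DEFAULT]
        literal = "mail-whois" in action
        shorthand = mta == "mail" and any(
            tag in action for tag in ("%(action_mw)s", "%(action_mwl)s"))
        if literal or shorthand:
            flagged.append(jail)
    return flagged


if __name__ == "__main__":
    print("fixed:", has_fix("0.11.2"), has_fix("0.11.3"))
    print("jails to review:", jails_using_mail_whois(SAMPLE_JAIL_LOCAL))
```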

JIT Vs. AM: Is Additive Manufacturing The Cure To Fragile Supply Chains?

As fascinating and frustrating as it was to watch the recent Suez canal debacle, we did so knowing that the fallout from it and the analysis of its impact would be far more interesting. Which is why this piece on the potential of additive manufacturing to mitigate supply chain risks caught our eye.

We have to admit that a first glance at the article, by [Davide Sher], tripped our nonsense detector pretty hard. After all, the piece appeared in 3D Printing Media Network, a trade publication that has a vested interest in boosting the additive manufacturing (AM) industry. We were also pretty convinced going in that, while 3D-printing is innovative and powerful, even using industrial printers it wouldn’t be able to scale up enough to print parts in the volumes needed for modern consumer products. How long would it take for even a factory full of 3D-printers to fill a container with parts that can be injection molded in their millions in China?

But as we read on, a lot of what [Davide] says makes sense. A container full of parts that doesn’t arrive exactly when they’re needed may as well never have been made, while parts that are either made on the factory floor using AM methods, or produced locally using a contract AM provider, could be worth their weight in gold. And he aptly points out the differences between this vision of on-demand manufacturing and today’s default of just-in-time manufacturing, which is extremely dependent on supply lines that we now know can be extremely fragile.

So, color us convinced, or at least persuaded. It will certainly be a while before all the economic fallout of the Suez blockage settles, and it’ll probably be longer before we actually see changes meant to address the problems it revealed. But we would be surprised if this isn’t seen as an opportunity to retool some processes that have become so optimized that a gust of wind could take them down.

Hackaday Links: March 28, 2021

If you thought the global shortage of computer chips couldn’t get any worse, apparently you weren’t counting on 2021 looking back at 2020 and saying, “Hold my beer.” As if an impacted world waterway and fab fires weren’t enough to squeeze supply chains, now we learn that water restrictions could potentially impact chip production in Taiwan. The subtropical island usually counts on three or four typhoons a year to replenish its reservoirs, but 2020 saw no major typhoons in the region. This has plunged Taiwan into its worst drought since the mid-1960s, with water-use restrictions being enacted. These include a 15% reduction of supply to industrial users as well as shutting off the water entirely to non-industrial users for up to two days a week. So far, the restrictions haven’t directly impacted chip and display manufacturers, mostly because their fabs are located outside the drought zone. But for an industry where a single fab can use millions of gallons of water a day, it’s clearly time to start considering what happens if the drought worsens.

Speaking of the confluence of climate and technology, everyone probably remembers the disastrous Texas cold snap from last month, especially those who had to endure the wrath of the unusually brutal conditions in person. One such victim of the storm is Grady, everyone’s favorite YouTube civil engineer, who recently released a very good post-mortem on the engineering causes of the massive blackouts experienced after the cold snap. In the immediate aftermath of the event, we found it difficult to get anything approaching in-depth coverage of its engineering aspects — our coverage excepted, naturally — as so much of what we found was laden with political baggage. Grady does a commendable job of sticking to the facts as he goes over the engineering roots of the disaster and unpacks all the complexity of the infrastructure failures we witnessed. We really enjoyed his insights, and we wish him and all our friends in Texas the best of luck as they recover.

If you’re into the demoscene, chances are pretty good that you already know about the upcoming Revision 2021, the year’s big demoscene party. Like last year’s Revision, this will be a virtual gathering, but it seems like we’re all getting pretty used to that by now. The event is next weekend, so if you’ve got a cool demo, head over and register. Virtual or not, the bar was set pretty high last year, so there should be some interesting demos that come out of this year’s party.

Many of us suffer from the “good enough, move on” mode of project management, leaving our benches littered with breadboarded circuits that got far enough along to bore the hell out of us or to make a minimally useful contribution to the overall build. That’s why we love it when we get the chance to follow up on a build that has broken from that mode and progressed past the point where it originally caught our attention. A great example is Frank Olsen’s all-wood ribbon microphone. Of course, with magnets and an aluminum foil ribbon element needed, it wasn’t 100% wood, but it still was an interesting build when we first spied it, if a bit incomplete looking. Frank has fixed that in grand style by continuing the wood-construction theme to complete this all-wood replica of the iconic RCA Model 44 microphone. It looks fabulous and sounds fantastic; we can’t help but wonder how many times Frank glued his fingers together with all that CA adhesive, though.

Hackaday Links: February 21, 2021

Well, that was quite a show! The Perseverance rover arrived on Mars Thursday. Don’t tell the boss, but we spent the afternoon watching the coverage in the house on the big TV rather than slaving away in the office. It was worth it; for someone who grew up watching Jules Bergman and Frank Reynolds cover the Apollo program and the sometimes cheesy animations provided by NASA, the current coverage is pretty intense. A replay of the coverage is available – skip to about the 1:15:00 mark to avoid all the filler and fluff preceding the “Seven Minutes of Terror” main event. And not only did they safely deliver the package, but they absolutely nailed the landing. Perseverance is only about 2 km away from the ancient river delta it was sent to explore for signs of life. Nice shooting!

We’re also being treated to early images from Jezero crater. The first lowish-rez shots, from the fore and aft hazard cameras, popped up just a few seconds after landing — the dust hadn’t even settled yet! Some wags complained about the image quality, apparently without thinking that the really good camera gear was stowed away and a couple of quick check images with engineering cameras would be a good idea while the rover still had contact with the Mars Reconnaissance Orbiter. Speaking of which, the HiRISE camera on the MRO managed to catch a stunning view of Perseverance’s descent under its parachute; the taking of that photo is an engineering feat all by itself. But all of this pales in comparison to a shot from one of the down-looking cameras in the descent stage, showing Perseverance dangling from the skycrane just before touchdown. It was a really good day for engineering.

Would that our Earthly supply chains were as well-engineered as our Martian delivery systems. We’ve been hearing of issues all along the electronics supply chain, impacting a wide range of industries. Some of the problems are related to COVID-19, which has sickened workers staffing production and shipping lines. Some, though, like a fire at the AKM semiconductor plant in Japan, have introduced another pinch point in an already strained system. The fire was in October, but the impact on manufacturers depending on the plant’s large-scale integration (LSI) and temperature-compensated crystal oscillator (TCXO) products is only just now being felt in the amateur radio market. The impact is likely not limited to that market, though — TCXOs pop up in lots of gear, and the AKM plant made LSI chips for all kinds of applications.

What do you get when you combine a 3D-printer, a laser cutter, a CNC router, and a pick-and-place robot? Drones that fly right off the build plate, apparently. Aptly enough, it’s called LaserFactory, and it comes from MIT’s Computer Science and Artificial Intelligence Lab. By making different “bolt-on” tools for a laser cutter, the CSAIL team has combined multiple next-generation manufacturing methods in one platform. The video below shows a drone frame being laser-cut from acrylic, to which conductive silver paste is added by an extruder. A pick-and-place head puts components on the silver goo, solders everything together with a laser, and away it goes. They also show off ways of building up 3D structures, both by stacking up flat pieces of acrylic and by cutting and bending acrylic in situ. It’s obviously still just a proof of concept, but we really like the ideas presented here.

And finally, as proof that astronomers can both admit when they’re wrong and have fun while doing so, the most remote object in the Solar System has finally received a name. The object, a 400-km diameter object in a highly elliptical orbit that takes it from inside the orbit of Neptune to as far as 175 astronomical units (AU) from the Sun, is officially known as 2018 AG37. Having whimsically dubbed the previous furthest-known object “Farout,” astronomers kept with the theme and named its wayward sister “Farfarout.” Given the rapid gains in technology, chances are good that Farfarout won’t stay the Sun’s remotest outpost for long, and we fear the (Far)nout trend will eventually collapse under its own weight. We therefore modestly propose a more sensible naming scheme, perhaps something along the lines of “Farthest McFaraway.” It may not scale well, but at least it’s stupid.