What Does A Dependable Open Source Ventilator Look Like?

Ventilators are key in treating the most dire cases of coronavirus. The exponential growth of infections, and the number of patients in respiratory distress, has outpaced the number of available ventilators. In times of crisis, everyone looks for ways they can help, and one of the ways the hardware community has responded is in work toward a ventilator design that can be rapidly manufactured to meet the need.

The difficult truth is that the complexity of ventilator features needed to treat the sickest patients makes a bootstrapped design incredibly difficult, and I believe impossible to achieve in quantity on this timeline. Still, a well-engineered and clinically approved open source ventilator might deliver many benefits beyond the current crisis. Let’s take a look at some of the efforts we’ve been seeing recently and what it would take to pull together a complete design.


This Week In Security: 0-Days, Pwn2Own, IOS And Tesla

LILIN DVRs and cameras are being actively exploited by a surprisingly sophisticated botnet campaign. There are three separate 0-day vulnerabilities being exploited in an ongoing campaign. If you have a device built by LILIN, go check for firmware updates, and if your device is exposed to the internet, entertain the possibility that it was compromised.

The vulnerabilities include a hardcoded username/password, command injection in the FTP and NTP server fields, and an arbitrary file read vulnerability. Just the first vulnerability is enough to convince me to avoid black-box DVRs, and keep my IP cameras segregated from the wider internet.
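As an added example (not LILIN's firmware code and not from the article), here is how a configuration field such as the NTP server name should be handled before a firmware hands it to a system utility: an allow-list validator for the hostname, followed by an argv-style invocation so the value never passes through a shell. The field name, the length limits and the `ntpdate` call are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added illustration for a device configuration field (such as an NTP server
 * name) that a firmware later hands to a system utility. It is not LILIN's
 * code; the field name, limits and the ntpdate invocation are assumptions. */
#define HOST_MAX  253
#define LABEL_MAX 63

/* Allow-list validation of a hostname or IPv4 literal: only letters, digits,
 * '-' and '.', labels of 1..63 characters, no label starting or ending with
 * '-', no empty labels. Every shell metacharacter (';', '|', '`', '$', quotes,
 * spaces, newlines) fails the allow-list, and a leading '-' is refused so the
 * value can never be parsed as a command-line option either. */
int valid_hostname(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > HOST_MAX)
        return 0;
    size_t label = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-')
                return 0;                /* empty label or label ending in '-' */
            label = 0;
            continue;
        }
        if (!isalnum(c) && c != '-')
            return 0;                    /* outside the allow-list */
        if (label == 0 && c == '-')
            return 0;                    /* label (or whole value) starts with '-' */
        if (++label > LABEL_MAX)
            return 0;
    }
    return label > 0;                    /* reject a trailing '.' */
}

/* Anti-pattern: snprintf(cmd, sizeof cmd, "ntpdate %s", host); system(cmd);
 * Even a validated value should not be spliced into a shell string.
 *
 * Instead build an argv for execvp()/posix_spawn(): the host is a single
 * argument that no shell ever interprets. Returns the argument count, or 0
 * when the value was rejected and nothing must be executed. */
int build_ntp_argv(const char *host, const char *argv[], size_t argv_len)
{
    if (argv_len < 3 || !valid_hostname(host))
        return 0;
    argv[0] = "ntpdate";   /* assumed utility; the point is the argv form */
    argv[1] = host;
    argv[2] = NULL;
    return 2;
}
```

The validator is deliberately strict rather than a deny-list of known-bad characters; a deny-list is what usually breaks when a new metacharacter or encoding turns up. Rejecting values that begin with `-` matters even with the argv form, because most utilities would otherwise read the value as an option.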


Fun-Size Tesla Might Be The World’s Smallest

We get all kinds of tips about “the world’s something-est” widget, which normally end up attracting the debunkers in droves. So normally, we shy away from making superlative claims about a project, no matter how they bill themselves. But we’re comfortable that this is the world’s smallest Tesla, at least if we have to stretch the definition of Tesla a bit.

This clown-car version of the Tesla Model S that [Austin] built is based around a Radio Flyer replica of the electric sedan. The $600 battery-powered original doesn’t deliver exactly the same neck-snapping acceleration of its full-size cousin, so he stripped off the nicely detailed plastic body and put that onto a heavily modified go-cart chassis. The tiny wheelbase left little in the way of legroom, but with the seat mounted far enough back into the wheelie-inducing zone, it was possible for [Austin] to squeeze in. He chose to pay homage to Tesla’s battery pack design and built 16 modules with fourteen 18650 cells in each, a still-substantial battery for such a small vehicle. Hydraulic brakes were also added, a wise decision since the 4800 Watt BLDC is a little snappier than the stock motor, to say the least. The video below shows the build, as well as a dangerous test ride where the speed read 72 at one point; we’re not sure if that’s MPH or km/h, but either way, it’s terrifying. The drifts were pretty sick too.

It seems [Austin] has the need for speed, and for drifting. We’ve seen his water-cooled electric drift trike before, as well as his ridiculously overpowered crazy cart.



Hackaday Links: February 9, 2020

In case you thought that we learned everything we need to know to land on the Moon fifty years ago, think again. NASA still has a lot of questions, and has scheduled the first of many commercial missions designed to fill in the blanks. As part of the Artemis program, which aims to land the first woman and the next man on the Moon by 2024, NASA’s Commercial Lunar Payload Service (CLPS) will send 16 science payloads to the Moon via two separate commercial flights. The two companies, Astrobotic and Intuitive Machines, will send landers to the Moon in 2021 using a ULA Vulcan Centaur and a SpaceX Falcon 9, respectively. Fourteen companies were selected for CLPS, and with much to learn (or relearn) about landing and working on the Moon, watch for many more flights in the years to come. We’re all for the commercialization of space, but we have to admit that things were easier to keep track of when space exploration was a little more monolithic.

It looks like millions of BlackBerry phone users will have to find something else to do with their thumbs now that TCL is getting out of the BlackBerry business. The Chinese company announced this week that they would no longer have the rights to manufacture BlackBerry-branded phones like the Key2 as of August 31, 2020. Crackberry addicts were understandably upset, but all may not be lost for those who can’t stand the virtual keyboards on most other smartphones, as there’s still a chance another manufacturer will step in to fill the void.

Hypothetical situation: You’re in need of a car, so you go to a used car dealer. You see a nice car, take it for a test drive, and decide to buy it. Money is exchanged, paperwork done, and the salesman hands you the keys. You go out to the lot to drive your new ride home only to find out that the mechanic has removed the tires. When you ask what the deal is, the salesman says, “Sorry, you didn’t buy a license for the tires.” Hypothetical perhaps, but not far off from what happened to one Tesla Model S buyer when an over-the-air update disabled the Enhanced Autopilot and Full Self-Driving features he paid for. Tesla didn’t see it that way, though, claiming that he’d need to pony up to use the new features, which originally sold for $8,000. It raises interesting questions about how the secondary automotive market will respond to the increasingly complicated relationship between hardware and software, and what you’re actually paying for when you buy a car.

Back in the early days of Bitcoin, skeptics used to dismiss the cryptocurrency by saying, “When you can pay your taxes with it, then it’s real money.” Well, that day is apparently here for the municipality of Zermatt in Switzerland, where it was announced that Bitcoin will be accepted as payment for local taxes and other official fees. The Zermatt city hall has installed a Bitcoin point-of-sale terminal, or payments can be made directly from a Bitcoin wallet after filling out the proper paperwork. Bitcoin as legal tender for public debts is not exactly new; Ohio was doing it back as far as 2018. But we find the economic implications of this interesting — as our resident econometrician [Elliot Williams] pointed out, paying taxes in anything but the national currency was considered preposterous not that long ago.

This Week In Security: Camera Feeds, Python 2, FPGAs

Networked cameras keep making the news, and not in the best of ways. First it was compromised Ring accounts used for creepy pranks, and now it’s Xiaomi’s stale cache sending camera images to strangers! It’s not hard to imagine how such a flaw could happen: Xiaomi does some video feed transcoding in order to integrate with Google’s Hub service. When a transcoding slot is re-purposed from one camera to another, the old data stays in the buffer until it is replaced by the new camera’s feed. The root cause is probably the same as the random images shown when starting some 3D games.
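The stale-buffer failure mode described above is easy to reproduce in a small model. The following is an added example, not Xiaomi's or Google's code: a pool slot that keeps the last transcoded frame, a leaky re-purposing routine that only changes the owner, and a hardened one that wipes the buffer and marks it invalid until the new owner has actually produced a frame. The slot structure, the frame size and the camera ids are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a transcoder slot pool; this is an added illustration,
 * not Xiaomi's or Google's code. Each slot holds the last transcoded frame
 * for whichever camera currently owns it. */
#define FRAME_BYTES 16

struct slot {
    int camera_id;               /* owner camera, -1 when idle */
    int frame_valid;             /* 1 once the current owner has produced a frame */
    uint8_t frame[FRAME_BYTES];  /* last transcoded frame */
};

/* Flawed re-purposing: the owner changes but the old frame stays valid, so a
 * request from the new owner served before its first frame arrives returns
 * the previous camera's image. */
void reassign_leaky(struct slot *s, int camera_id)
{
    s->camera_id = camera_id;
}

/* Hardened re-purposing: wipe the buffer and mark it invalid until the new
 * owner actually writes a frame. */
void reassign_safe(struct slot *s, int camera_id)
{
    memset(s->frame, 0, sizeof s->frame);
    s->frame_valid = 0;
    s->camera_id = camera_id;
}

/* A new frame from the slot's owner replaces whatever was there. */
void push_frame(struct slot *s, const uint8_t *data, size_t len)
{
    if (len > sizeof s->frame)
        len = sizeof s->frame;
    memset(s->frame, 0, sizeof s->frame);
    memcpy(s->frame, data, len);
    s->frame_valid = 1;
}

/* Serve the current frame to the requesting camera's viewer. Returns the number
 * of bytes written to out, or 0 when no valid frame exists for this owner. */
size_t get_frame(const struct slot *s, int camera_id, uint8_t *out, size_t out_len)
{
    if (s->camera_id != camera_id || !s->frame_valid || out_len < sizeof s->frame)
        return 0;
    memcpy(out, s->frame, sizeof s->frame);
    return sizeof s->frame;
}

/* Scenario: camera 1 streams through the slot, the slot is then handed to
 * camera 2, and camera 2's viewer asks for a frame before camera 2 has sent
 * anything. Returns how many bytes of camera 1's frame camera 2 can see. */
int leaked_bytes(int use_safe_reassign)
{
    static const uint8_t cam1_frame[FRAME_BYTES] = {   /* constructed sample */
        0xCA, 0xFE, 0xCA, 0xFE, 0xCA, 0xFE, 0xCA, 0xFE,
        0xCA, 0xFE, 0xCA, 0xFE, 0xCA, 0xFE, 0xCA, 0xFE };
    struct slot s = { .camera_id = -1, .frame_valid = 0 };
    uint8_t seen[FRAME_BYTES] = {0};

    reassign_safe(&s, 1);
    push_frame(&s, cam1_frame, sizeof cam1_frame);

    if (use_safe_reassign)
        reassign_safe(&s, 2);
    else
        reassign_leaky(&s, 2);

    size_t n = get_frame(&s, 2, seen, sizeof seen);
    int leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (seen[i] == cam1_frame[i])
            leaked++;
    return leaked;
}
```

The point of `frame_valid` is that clearing the bytes alone is not enough: a consumer that cannot tell "no frame yet" from "a frame of zeros" will still show something that is not the new camera's image, so ownership changes should invalidate, not just overwrite.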

Python is Dead, Long Live Python

Python 2 has finally reached End of Life. While there are many repercussions to this change, the security considerations are important too. The Python 2 environment will no longer receive updates, even if a severe security vulnerability is found. How often is a security vulnerability found in a language? Perhaps not very often, but the impact can be far-reaching. Let’s take, for instance, this 2016 bug in zipimport. It failed to sanitize the header of a ZIP file being processed, causing all the problems one would expect.

It is quite possible that because of the continued popularity and usage of Python 2, a third party will step in and take over maintenance of the language, essentially forking Python. Unless such an event happens, it’s definitely time to migrate away from Python 2.

Building A Mechanical Oscillator, Tesla Style

Before Tesla devised beautifully simple rotary machinery, he explored other methods of generating alternating current. One of those was the mechanical oscillator, and [Integza] had a go at replicating the device himself. (Video, embedded below the break.)

Initial attempts to reproduce the technology using 3D-printed parts were a failure. The round cylinder had issues sealing, and using O-ring seals introduced too much friction to allow the device to oscillate properly. A redesign that used external valving and a square cylinder proved more successful.

Once the oscillator was complete, the output shaft was fitted with magnets and a coil to generate electricity. After generating a disappointing 0.14 volts, [Integza] went back and had a look at the Maxwell-Faraday equations. Using this to guide the design, a new coil was produced with more turns, and the magnetic flux was maximised. With this done, the setup could generate seven volts, enough to light several LEDs.

While it’s not a particularly efficient generator, it’s a great proof-of-concept. Yes, Tesla’s invention worked, but it’s easy to see why he moved on to rotary designs when it came to real-world applications. We’ve seen [Integza] take on other builds too, like the ever-popular Tesla turbine.


This Week In Security: Malicious Previews, VNC Vulnerabilities, Powerwall, And The 5th Amendment

Malware embedded in office documents has been a popular attack for years. Many of those attacks have been fixed, and essentially all the current attacks are unworkable when a document is opened in protected view. There are ways around this, like putting a notice at the top of a document, requesting that the user turn off protected view. [Curtis Brazzell] has been researching phishing, and how attacks can work around mitigations like protected view. He noticed that one of his booby-trapped documents phoned home before it was opened. How exactly? The preview pane.

The Windows Explorer interface has a built-in preview pane, and it helpfully supports Microsoft Office formats. The problem is that the preview isn’t generated using protected view, at least when previewing Word documents. Generating the preview is enough to trigger loading of remote content, and could feasibly be used to trigger other vulnerabilities. [Curtis] notified Microsoft about the issue, and the response was slightly disappointing. His discovery is officially considered a bug, but not a vulnerability.

VNC Vulnerabilities

Researchers at Kaspersky took a hard look at several VNC implementations, and uncovered a total of 37 CVEs so far. It seems that several VNC projects share a rather old code-base, and it contains a plethora of potential bugs. VNC should be treated similarly to RDP — don’t expose it to the internet, and don’t connect to unknown servers. The protocol wasn’t written with security in mind, and none of the implementations have been sufficiently security hardened.

Examples of flaws include checking that a message doesn’t overflow the buffer only after it has already been copied into that buffer. Another code snippet reads a variable-length message into a fixed-length buffer without any length checks. That particular function was originally written at AT&T labs back in the late 90s, and has been copied into multiple projects since then.
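Both flaws described above come down to the order of check and copy. The following added example, which is not code from any VNC project or from Kaspersky's report, shows the check-after-copy shape beside a reader that validates every length before touching a buffer. The wire format (one length byte followed by the payload) and the `MSG_MAX` buffer size are assumptions made for the illustration, not the RFB protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy wire format for illustration (an assumption, not the RFB
 * protocol): one length byte followed by that many payload bytes. MSG_MAX is
 * the fixed-size receive buffer. */
#define MSG_MAX 64

/* Pattern 1 (the flaw described above): copy first, check afterwards. The check
 * runs only after any overflow has already happened, so it protects nothing.
 * Kept here only to show the shape of the bug; never feed it untrusted input. */
int read_message_check_after(const uint8_t *wire, size_t wire_len,
                             uint8_t *out, size_t out_len)
{
    uint8_t msg[MSG_MAX];
    if (wire_len < 1)
        return -1;
    size_t len = wire[0];
    memcpy(msg, wire + 1, len);          /* overflows msg when len > MSG_MAX */
    if (len > MSG_MAX || len > out_len)  /* too late to matter */
        return -1;
    memcpy(out, msg, len);
    return (int)len;
}

/* Pattern 2 (hardened): validate the length against every buffer before a
 * single byte is copied, and reject messages that are truncated on the wire. */
int read_message_checked(const uint8_t *wire, size_t wire_len,
                         uint8_t *out, size_t out_len)
{
    uint8_t msg[MSG_MAX];
    if (wire_len < 1)
        return -1;
    size_t len = wire[0];
    if (len > sizeof msg || len > out_len)
        return -1;                       /* oversized: reject, don't truncate silently */
    if (wire_len < 1 + len)
        return -1;                       /* claims more payload than was received */
    memcpy(msg, wire + 1, len);
    memcpy(out, msg, len);
    return (int)len;
}

/* Constructed inputs exercising the hardened reader. */
int demo_valid(void)
{
    const uint8_t wire[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[MSG_MAX];
    return read_message_checked(wire, sizeof wire, out, sizeof out);   /* 5 */
}

int demo_oversized(void)
{
    uint8_t wire[1 + 200];
    memset(wire, 'A', sizeof wire);
    wire[0] = 200;                       /* length field larger than MSG_MAX */
    uint8_t out[MSG_MAX];
    return read_message_checked(wire, sizeof wire, out, sizeof out);   /* -1 */
}

int demo_truncated(void)
{
    const uint8_t wire[] = { 9, 'a', 'b' };   /* says 9 bytes, carries 2 */
    uint8_t out[MSG_MAX];
    return read_message_checked(wire, sizeof wire, out, sizeof out);   /* -1 */
}
```

Two details in the hardened reader are worth copying into real parsers: the length is compared against the destination as well as the intermediate buffer, and a message that announces more payload than was actually received is rejected rather than read past the end of the input.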

There is a potential downside to open source that is highlighted here: open source allows poorly written code to spread. This isn’t a knock against open source, but rather a warning to the reader. Just because code or a project uses an OSS license doesn’t mean it’s secure or high-quality code. There are more vulnerabilities still in the process of being fixed, so watch out for the rest of this story.