This Week In Security: The Apache Fix Miss, Github (Malicious) Actions, And Shooting The Messenger

Apache 2.4.50 included a fix for CVE-2021-41773. It has since been discovered that this fix was incomplete, and this version is vulnerable to a permutation of the same vulnerability. 2.4.51 is now available, and should properly fix the vulnerability.

The original exploit used .%2e/ as the magic payload, using URL encoding to sneak the extra dot through as part of the path. The new variant uses .%%32%65/. This looks a bit weird, but makes sense when you decode it: %32 decodes to 2 and %65 to e, so the first decoding pass yields .%2e/. Familiar? Yep, it’s just the original vulnerability wrapped in a second layer of URL encoding. This has the same requirements as the first iteration: cgi-bin has to be enabled for code execution, and the default Require all denied has to be disabled in the configuration files.
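To see why a fix that decodes only once misses the second payload, here is an added example (not from the Hackaday write-up or the Apache project) that decodes a request path repeatedly until it stops changing and flags any pass that produces a bare .. segment; the log paths are constructed for illustration.

```python
"""Detect percent-encoded path traversal, including the double-encoded
variant (.%%32%65/) that slipped past the Apache 2.4.50 fix.

Added example, not code from Hackaday or the Apache project.
The request paths below are constructed, not real traffic.
"""
from urllib.parse import unquote

MAX_ROUNDS = 4  # stop runaway decoding of pathological inputs


def decode_rounds(raw: str, max_rounds: int = MAX_ROUNDS) -> list[str]:
    """Return the path after each URL-decoding pass, starting with the
    raw value and stopping once a pass changes nothing."""
    rounds = [raw]
    for _ in range(max_rounds):
        nxt = unquote(rounds[-1])
        if nxt == rounds[-1]:
            break
        rounds.append(nxt)
    return rounds


def has_traversal(raw: str, single_pass_only: bool = False) -> bool:
    """True if any decoding pass yields a '..' path segment.

    single_pass_only mimics a filter that decodes exactly once, which is
    the blind spot the 2.4.51 update closed."""
    rounds = decode_rounds(raw)
    candidates = rounds[:2] if single_pass_only else rounds
    return any(".." in c.split("/") for c in candidates)


# Constructed access-log request paths (placeholders, not real targets).
SAMPLE_PATHS = [
    "/cgi-bin/.%2e/.%2e/outside/webroot",          # first-round payload
    "/cgi-bin/.%%32%65/.%%32%65/outside/webroot",  # double-encoded variant
    "/docs/release%20notes/index.html",            # benign encoding
]


def scan(paths=SAMPLE_PATHS, single_pass_only: bool = False) -> dict:
    """Map each path to whether it is flagged as traversal."""
    return {p: has_traversal(p, single_pass_only) for p in paths}


if __name__ == "__main__":
    for path, flagged in scan().items():
        print(f"{'TRAVERSAL' if flagged else 'ok       '} {path}")
```

Running scan(single_pass_only=True) flags only the first payload, reproducing the gap in 2.4.50; the default full decoding flags both.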

Dedicated box to play new videos from a handful of content creators.

Dedicated Box Makes YouTube More TV-Like

[Exposed Wire] is a huge fan of YouTube and consumes a lot of content. If that sounds familiar, maybe you should build a dedicated YouTube box, too. You get to push buttons, there’s LEDs, and you can take a break from other screens to look at this one for a while. [Exposed Wire] wanted to make it easier to watch the latest videos from their favorite creators, but we would argue that this is more fun, too.

The Raspberry Pi 4 inside checks every five minutes for new videos by keeping track of each creator’s total number of videos in a text file and doing a comparison. If one of the channels has a new video, then the corresponding LED lights up and the new video’s URL is linked to the button. Press the button and the Raspi opens the browser, goes to the URL, maximizes the video, turns off the LED, and updates the video count in the text file.

We like the construction job here. The 1/4″ MDF walls are connected by 3D-printed L-brackets in PETG. At first, [Exposed Wire] mounted the LEDs and buttons to a PCB, but that was really fiddly so they printed panels instead. Combined with the bracket around the screen, the finished build looks good. Check out the build montage after the break.

Regular old YouTube videos not doing it for you anymore? Try watching them at low resolution on an LED matrix.


Engineering The Less Boring Way

We have to admire a YouTube channel with the name [Less Boring Lectures]. After all, he isn’t promising they won’t be boring, just less boring. Actually though, we found quite a few of the videos pretty interesting and not boring at all. The channel features videos about mechanical engineering and related subjects like statics and math. While your typical electronics project doesn’t always need that kind of knowledge, some of them do and the mental exercise is good for you regardless. A case in point: spend seven minutes and learn about 2D and 3D vectors in two short videos (see below). Or spend 11 minutes and do the whole vector video in one gulp.

These reminded us of Khan Academy videos, although the topics are pretty hardcore. For example, if you want to know about axial loading, shear strain, or free body diagrams, this is a good place to look.


Playing Youtube Videos At Incredibly Low Resolution On LEDs

Since the high-definition era, screens with many millions of pixels have become commonplace. Resolutions have soared into the stratosphere, and media has never looked clearer or crisper. However, [gatoninja236] decided to go the other way with this build – an LED matrix capable of playing Youtube videos.

The execution is simple. A Raspberry Pi 3, with the help of a Python script, downloads a Youtube video. It then runs this through OpenCV, which parses the video frames, downconverting them to suit a 64×64 pixel display. Then, it’s a simple matter of clocking out the data to the 64×64 RGB LED matrix attached to the Raspberry Pi’s IO pins, where the video is displayed in all its low-resolution glory.

Is it a particularly useful project? No. That doesn’t mean it’s without value, however; it teaches useful skills in both working with LED displays and video data scraped from the Internet. If you simply must have more pixels, though, this ping pong video wall might be more to your liking. Video after the break.


Community Rallies Behind Youtube-dl After DMCA Takedown

At this point, you’ve likely heard that the GitHub repository for youtube-dl was recently removed in response to a DMCA takedown notice filed by the Recording Industry Association of America (RIAA). As the name implies, this popular Python program allowed users to produce local copies of audio and video that had been uploaded to YouTube and other content hosting sites. It’s a critical tool for digital archivists, people with slow or unreliable Internet connections, and more than a few Hackaday writers.

It will probably come as no surprise to hear that the DMCA takedown and subsequent removal of the youtube-dl repository has utterly failed to contain the spread of the program. In fact, you could easily argue that it’s done the opposite. The developers could never have afforded the amount of publicity the project is currently enjoying, and as the code is licensed as public domain, users are free to share it however they see fit. This is one genie that absolutely won’t be going back into its bottle.

In true hacker spirit, we’ve started to see some rather inventive ways of spreading the outlawed tool. A Twitter user by the name of [GalacticFurball] came up with a way to convert the program into a pair of densely packed rainbow images that can be shared online. After downloading the PNG files, a command-line ImageMagick incantation turns the images into a compressed tarball of the source code. A similar trick was one of the ways used to distribute the DeCSS DVD decryption code back in 2000; though unfortunately, we doubt anyone is going to get the ~14,000 lines of Python code that makes up youtube-dl printed up on any t-shirts.

Screenshot of the Tweet sharing YouTube-dl repository as two images

It’s worth noting that GitHub has officially distanced themselves from the RIAA’s position. The company was forced to remove the repo when they received the DMCA takedown notice, but CEO Nat Friedman dropped into the project’s IRC channel with a promise that efforts were being made to rectify the situation as quickly as possible. In a recent interview with TorrentFreak, Friedman said the removal of youtube-dl from GitHub was at odds with the company’s own internal archival efforts and financial support for the Internet Archive.

But as it turns out, some changes will be necessary before the repository can be brought back online. While there’s certainly some debate to be had about the overall validity of the RIAA’s claim, it isn’t completely without merit. As pointed out in the DMCA notice, the project made use of several automated tests that ran the code against copyrighted works from artists such as Taylor Swift and Justin Timberlake. While these were admittedly very poor choices to use as official test cases, the RIAA’s assertion that the entire project exists solely to download copyrighted music has no basis in reality.

[Ed Note: This is only about GitHub. You can still get the code directly from the source.]

Keep Your YouTube Habits To Yourself With FreeTube

If your usual YouTube viewing selection covers a wild and random variety of music, tech subjects, cooking, history, and anything in-between, you will sooner or later be baffled by some of the “Recommended for you” videos showing up. When it features a ten-hour mix of Soviet propaganda choir music, you might start wondering what a world taken over by an artificial intelligence might actually look like, and realize that your browser’s incognito / private mode really isn’t just for shopping birthday presents in secret. Things get a bit tricky if you actually enjoy or even rely on the whole subscribing-to-channels concept though, which is naturally difficult to bring in line with privacy in today’s world of user-data-driven business models.

Entering the conversation: the FreeTube project, a cross-platform application whose mission is to regain privacy and put the control of one’s data back into the user’s hands. Bypassing YouTube and its player, the watch history and subscriptions — which are still possible — are kept only locally on your own computer, and you can import either of them from YouTube and export them to use within FreeTube on another device (or back to YouTube). Even better, it won’t load a video’s comments without explicitly telling it to, and of course it keeps out the ads as well.

Originally, the Invidious API was used to get the content, and it is still supported as a fallback option, but FreeTube comes with its own extractor API nowadays. All source code is available from the project’s GitHub repository, along with pre-built packages for Linux (including ARM), Windows, and Mac. The application itself is built with Electron, which might raise a few eyebrows as it packs an entire browser rendering engine and essentially just disguises a website as a standalone application. But as the FAQ addresses, this allows easy cross-platform support and helps the project, which would otherwise have been Linux-only, to reach as many people as possible. That’s a valid point in our book.

Keep in mind though, FreeTube is only a player, and more of a wrapper around YouTube itself, so YouTube will still see your IP and interaction with the service. If you want to be fully anonymous, this isn’t a silver bullet and will require additional steps like using a VPN. Unlike other services that you could replace with a local alternative to avoid tracking and profiling, content services are just a bit trickier if you want to actually have a useful selection. So this is a great compromise that also just works out of the box for everyone regardless of their technical background. Let’s just hope it won’t break too much next time some API changes.


Hackaday Links: November 24, 2019

It barely seems like it, but it’s been a week since the 2019 Hackaday Superconference wrapped up in sunny Pasadena. It was an amazing weekend, filled with fun, food, camaraderie, and hacks galore. For all who were there, it’ll likely take quite some time before spinning down to Earth again from the post-con high. For those who couldn’t make it, or for those who did but couldn’t squeeze in time for all those talks with everything else going on, luckily we’ve got a ton of content for you to review. Start on the Hackaday YouTube channel, where we’ve got videos already posted from most of the main stage talks. Can’t-miss talks include Chris Gammell’s RF deep-dive, Kelly Heaton’s natural electronic art, and Mohit Bhoite’s circuit sculpture overview. You’ll also want to watch The State of the Hackaday address by Editor-in-Chief Mike Szczys. More talks will be added as they’re edited, so watch that space for developments.

One of the talks we missed – and video of which appears not to be posted yet – was Adam Zeloof’s talk on thermodynamic design for your circuits. While we wait for that, here’s an interesting part that might prove useful for your next high-power design. It’s a Thermal Jumper Chip, which is essentially a ceramic SMD component that can conduct heat but not electricity. It’s intended to be used where a TO-220 case needs to be electrically isolated but thermally connected to a heatsink. Manufacturer TT Electronics has a whole line of the chips in various sizes and specs, plus a lot of other cool components like percussive igniters.

We got an interesting tip this week about a new development in the world of 3D-printing. A group from Harvard demonstrated a multinozzle extruder that can print multimaterial objects in a single pass. The work is written up in a Nature article entitled “Voxelated soft matter via multimaterial multinozzle 3D printing”, which is unfortunately paywalled, but the abstract and supplementary videos are really interesting. This appears not to be a standard hot plastic extrusion process; rather, the extruder uses elastomeric inks that cure after they’re extruded. They manage some clever tricks, including a millipede-like, vacuum-powered soft robot extruded in one pass from both soft and rigid silicone elastomers. It’s genuinely interesting stuff, and watching the multimaterial extruder head switch materials at up to 50 times per second is mesmerizing.

People really seemed to get worked up over the transit of Mercury across the face of the Sun last week, and for good reason – astronomical alignments such as these which can be seen from Earth are rare indeed, and worth taking time to see. Not everyone was in the right place at the right time with the right gear to view the transit directly, though, which is why we were glad that Justin over at The Thought Emporium did a video on leveraging online assets for space-based observations. We’ve featured a ton of hacks using SDRs and the like to intercept data from weather satellites, and while those hacks are fun and you should totally try them, Justin points out that most of these streams are readily available for free over the Internet. Clouds, lightning, forest fires and Earth changes, and yes, even the state of the Sun can all be monitored from the web.

Speaking of changes, do you know what has changed in Unix over the last 50 years? For that matter, did you know that Unix turned 50 recently? Sean Haas did after reading this article in Advent of Computing, which he shared on the tipline. The article compares a modern Debian distro to documentation from 1971 that pre-dates Unix version 1; we assume the “Dennis_v1” folder in the doc’s URL refers to none other than Dennis Ritchie himself. It turns out that Unix is remarkably well-conserved over 50 years, at least in the userspace. File system navigation and shell commands are much the same, while programming was much different. C didn’t yet exist – Dennis was busy – but there were assemblers and linkers, plus a FORTRAN compiler and an interpreter for BASIC. It’s comforting to know that if you drop into a wormhole and end up sitting in front of a PDP-11 with Three Dog Night singing “Joy to the World” on the radio in the background, you’ll at least be able to look like you belong there.

And finally, it’s nearly Sparklecon time again. Sparklecon VII will be held on January 25 and 26, 2020, at the 23b Shop hackspace in Fullerton, California. We’ve covered previous Sparklecons and we’ve even sponsored the meetup in the past, and it looks like a blast. The organizers have put out a Call for Proposals for talks and workshops, so if you’re in the mood for some mischief, get your application going. And be quick about it – the CFP closes on December 8.