Issac Asimov wrote Caves of Steel in 1953. In it, he mentions something called trimensional personification. In an age before WebEx and Zoom, imagining that people would have remote meetings replete with 3D holograms was pretty far-sighted. We don’t know if any Google engineers read the book, but they are trying to create a very similar experience with project Starline.
The system is one of those that seems simple on the face of it, but we are sure the implementation isn’t easy. You sit facing something that looks like a window. The other person shows up in 3D as though they were on the other side of the window. Think prison visitation without the phone handset. The camera is mounted such that you look naturally at the other person through your virtual window.
Continue reading “Project Starline Realizes Asimov’s 3D Vision”
Our first story this week comes courtesy of the Pwn2own contest. For anyone not familiar with it, this event is held twice a year, and features live demonstrations of exploits against up-to-date software. The one exception to this is when a researcher does a coordinated release with the vendor, and the update containing the fix drops just before the event. This time, the event was held virtually, and the attempts are all available on Youtube. There were 23 attacks attempted, and only two were outright failures. There were 5 partial successes and 16 full successes.
One of the interesting demonstrations was a zero-click RCE against Zoom. This was a trio of vulnerabilities chained into a single attack. The only caveat is that the attack must come from an accepted contact. Pwn2Own gives each exploit attempt twenty minutes total, and up to three attempts, each of which can last up to five minutes. Most complex exploits have an element of randomness, and exploits known to work sometimes don’t work every time. The Zoom demonstration didn’t work the first time, and the demonstration team took enough time to reset, they only had enough time for one more try.
We first covered BleedingTooth almost exactly six months ago. The details were sparse then, but enough time has gone by to get the full report. BleedingTooth is actually a trio of vulnerabilities, discovered by [Andy Nguyen]. The first is BadVibes, CVE-2020-24490. It’s a lack of a length check in the handling of incoming Bluetooth advertisement packets. This leads to a buffer overflow. The catch here is that the vulnerability is only possible over Bluetooth 5. Continue reading “This Week In Security: Pwn2own, Zoom Zero Day, Clubhouse Data, And An FBI Hacking Spree”
Considering the state of well, everything, we can’t tell you how glad we are to be out of school. That goes double for not being a teacher these days. [Elena] had some awesome light-up tactile buttons set aside for a killer Kerbal Space Program controller, but it’s funny how a pandemic will change your priorities. Instead, those buttons found a good home in this colorful and enticing Zoom control panel.
[Elena]’s ready pile of Arduinos yielded no Leonardos or Pro Micros, but that’s okay because there’s a handy bootloader out there that allows you to reprogram the USB interface chip of an Uno or a Mega and use it as a keyboard. After setting that up, it was mostly a matter of wiring all those latching and momentary buttons and LEDs to the Mega and making them look fantastic with a set of icons. (We all know the big red mushroom button is for aborting the call; so does it really need an icon?)
[Elena] was inspired by the Zoom call-terminating pull chain we saw a month or so ago as well as the pink control box that launched a thousand or so macro keyboards. Have you made your own sanity-saving solution for our times? Let us know!
[memestra] is a teacher whose life has become a series of videoconferences over the last year or so. With all the classes and meetings, they spend the whole day switching between either Zoom, Teams, or Meet. If anyone needs a single piece of hardware to control them all, it’s [memestra]. Well, and every other teacher out there.
The hardware — an Arduino Pro Micro and some buttons — should come as no surprise, except for maybe [memstra]’s use of a resistor network for the LEDs. Still, there’s a lot to like about this little box, starting with the enclosure. That’s not milled or laser-cut metal — each side is a PCB, and they’re all soldered together into a box.
We especially like the top panel, which fits down over the PCB that all the components are soldered to. Each of the non-volume buttons has multiple functions that are accessed by pressing, long pressing, or double pressing. But even the volume buttons do double duty: press them together to mute and un-mute. If [memestra] ever forgets which button does what and how, there’s a handy reference table silkscreened on the bottom panel.
In true teacher fashion, [memestra] has written comprehensive instructions for anyone looking to build a similar device. The heavily-commented code should make it a cinch to drop in keyboard shortcuts for Discord or anything else you might be using, though it’s worth noting that this box is optimized for the desktop apps and not the browser-based versions.
Just looking for a fun way to end video calls? Pull chains are pretty fun.
OpenWRT is one of my absolute favorite projects, but it’s had a rough week. First off, the official OpenWRT forums is carrying a notice that one of the administrator accounts was accessed, and the userlist was downloaded by an unknown malicious actor. That list is known to include email addresses and usernames. It does not appear that password hashes were exposed, but just to be sure, a password expiration has been triggered for all users.
The second OpenWRT problem is a set of recently discovered vulnerabilities in Dnsmasq, a package installed by default in OpenWRT images. Of those vulnerabilities, four are buffer overflows, and three are weaknesses in how DNS responses are checked — potentially allowing cache poisoning. These seven vulnerabilities are collectively known as DNSpooq (Whitepaper PDF). Continue reading “This Week In Security: OpenWRT, Favicons, And Steganographia”
Yay! Another videoconference call is in the books, so that must mean that it’s time to fumble around awkwardly for the hang-up button with a fading smile. [lanewinfield] knew there had to be a better way, and looked to the pull chain switch for salvation. Sure, this could just as easily be a button, but what’s the fun in that? Besides, few buttons would be as satisfying as pulling a chain to a Zoom call.
The pull chain switch is connected to an Adafruit Feather nRF52840 Express that’s emulating a Bluetooth keyboard. Firmware-wise it sends command + F6, which triggers an AppleScript that manually exits and and all Zoom calls and kills Chrome tabs pointed to meet.google.com. He’s using Apple’s hotkey wizard Alfred, but this could be handled just as easily with something like AutoHotKey.
Pull chain switches are neat little mechanisms. The chain is connected to a cam that engages a wheel with copper contacts on half the outside. When you pull the chain, the wheel moves 90° and the wheel contacts connect up with the fixed contacts inside the housing to make a connection. Pulling the chain again moves the wheel which slides to the half without the contacts. Check it out in the video below.
Continue reading “A Pull Chain To End Your Zoom Pain”
This year has been the year of home video conferencing. If you are really on the ball, you’ve managed to put some kind of green screen up so you can hide your mess and look as though you are in your posh upper east side office space. However, most of the consumer video conferencing now has some way to try to guess what your background is and replace it even without a green screen. The results, though, often leave something to be desired. A recent University of Washington paper outlines a new background matting procedure using machine learning and, as you can see in the video below, the results are quite good. There’s code on GitHub and even a Linux-based WebCam filter.
The algorithm does require a shot of the background without you in it, which we imagine needs to be relatively static. From watching the video, it appears the acid test for this kind of software is spiky hair. There are several comparisons of definitely not bald people flipping their hair around using this method and other background replacers such as the one in Zoom.
Continue reading “The World Is Your Green Screen”