Saturday, February 29

After first coronavirus death in the US, first possible outbreak reported

a close up of Trump's face, with his mouth twisted.

Enlarge / WASHINGTON, DC - FEBRUARY 29: U.S. President Donald Trump pauses during a news conference at the James Brady Press Briefing Room at the White House February 29, 2020 in Washington, DC. Department of Health in Washington State has reported the first death in the U.S. related to the coronavirus. (credit: Getty | Alex Wong)

Health officials in Washington state reported three grim new features of the coronavirus situation in the US Saturday. They reported the country’s first death, the first case in a healthcare worker, and the first possible outbreak.

In a press briefing held by the Centers for Disease Control and Prevention, Dr. Jeffrey Duchin, health officer at Public Health of Seattle and King County, announced that there are three new presumptive cases of COVID-19 in the county, including the person who died. All of the cases appear to be from undetected spread of the new coronavirus in the community. The cases were identified because the state just recently gained the ability to do its own testing.

Two of the cases are linked to a long-term care facility called Life Care in Kirkland, Washington, east of Seattle. One of the cases is in a healthcare worker at the facility, a woman in her 40s who is said to be in “satisfactory” condition. She has no known travel outside of the US. The other is a resident of the facility, a woman in her 70s. She is in serious condition.

Read 8 remaining paragraphs | Comments

Media Streamer With E-Ink Display Keeps it Classy

The Logitech SqueezeBox was a device you hooked up to your stereo so you could stream music from a Network Attached Storage (NAS) box or your desktop computer over the network. That might not sound very exciting now, but when [Aaron Ciuffo] bought it back in 2006, it was a pretty big deal. The little gadget has been chugging all these years, but the cracks are starting to form. Before it finally heads to that great electronics recycling center in the sky, he’s decided to start work on its replacement.

Thanks to the Raspberry Pi, building a little device to stream digital audio from a NAS is easy these days. But a Pi hooked up to a USB speaker isn’t necessarily a great fit for the living room. [Aaron] didn’t necessarily want his replacement player to actually look like the SqueezeBox, but he wanted it to be presentable. While most of us probably would have tried to make something that looked like a traditional piece of audio gear, he took his design is a somewhat more homey direction.

An OpenSCAD render of the enclosure.

The Raspberry Pi 4 and HiFiBerry DAC+ Pro live inside of a wooden laser cut case that [Aaron] designed with OpenSCAD. We generally associate this tool with 3D printing, but here he’s exporting each individual panel as an SVG file so they can be cut out. We especially like that he took the time to add all of the internal components to the render so he could be sure everything fit before bringing the design into the corporeal world.

While the case was definitely a step in the right direction, [Aaron] wasn’t done yet. He added a WaveShare e-Paper 5.83″ display and mounted it in a picture frame. Software he’s written for the Raspberry Pi shows the album information and cover art on the display while the music is playing, and the current time and weather forecast when it’s idle. He’s written the software to plug into Logitech’s media player back-end to retain compatibility with the not-quite-dead-yet SqueezeBox, but we imagine the code could be adapted to whatever digital media scheme you’re using.

Over the years, we’ve seen a number of SqueezeBox replacements. Many of which have been powered by the Raspberry Pi, but even the ESP8266 and ESP32 have gotten in on the action recently.

Desktop PCB Mill Review

[Carl] wanted to prototype his circuits quickly using printed circuit boards. He picked up a Bantam Tools Desktop PCB Mill and made a video about the results. His first attempt wasn’t perfect, as you could notice under the microscope. A few adjustments, though, and the result was pretty good.

Be warned, this mill is pretty expensive — anywhere from $2,500 to $3,000. The company claims it is a better choice than a conventional cheap mill because it uses a 26,000 RPM spindle and has high-resolution steppers. Because of its low backlash and high accuracy and repeatability, the company claims it can easily mill boards with 6 mil traces.

Of course, the mill can do things other than PCBs. [Carl] was impressed with the speed of the system, too. The boards he tries in the video are pretty small, but they took a few minutes each.

Of course, like most homemade PCBs, there are no plated-through holes or solder mask or plating. Of course, you could add all of those things using additional steps. We’ve seen people use wires for vias or even rivets. However, that sort of takes away from the main idea of push a button and PCB pops out.

We’ve looked at using a cheap mill to do the same thing, and Hackaday’s own [Adil] found that 0.3 mm traces (not quite 12 mils) were easily doable. If that’s sufficient for your needs, you might save quite a bit of money over the mill presented here. We’ve seen others do 10 mil traces, so that’s probably doable, too.

WHO data shows coronavirus is containable—US fails to contain

A pedestrian wearing a protective mask stands on Mission Street in San Francisco, California, on Thursday, Feb. 27, 2020. California is monitoring 8,400 people for signs of the virus after they traveled to Asia.

Enlarge / A pedestrian wearing a protective mask stands on Mission Street in San Francisco, California, on Thursday, Feb. 27, 2020. California is monitoring 8,400 people for signs of the virus after they traveled to Asia. (credit: Getty | Bloomberg)

With the dizzying international spread of the novel coronavirus, the World Health Organization Friday announced that the global threat of COVID-19 has increased. The risk of spread and risk of impact has now risen from “high” to “very high” on a global scale, according to the organization’s latest assessments.

Between Thursday and Friday, five additional countries identified their first cases—Belarus, Lithuania, Netherlands, New Zealand, and Nigeria—and large outbreaks in Italy (888 cases) and Iran (388 cases) continue to export cases. So far, at least 24 cases in 14 countries link back to Italy and at least 97 cases in 11 countries link back to Iran, WHO reported Friday.

Worldwide, there are more than 85,400 cases and 2,924 deaths, with 53 countries reporting cases in addition to China, as of Saturday morning. While China still has over 90 percent of those cases, the daily case counts outside of China are now exceeding those within.

Read 32 remaining paragraphs | Comments

The IoT Trap

I’m sure that you’ve heard about the Sonos speaker debacle. (If not, read about it on Hackaday.) Basically, a company that sells a premium Internet-connected speaker wanted to retire an older product line, and offered a 30% discount to people who would “trade in” their old speakers for new ones. The catch: they weren’t really trading them in, but instead flashing a “self-destruct” firmware and then taking it to the recycling.

Naturally, Sonos’ most loyal customers weren’t happy about intentionally bricking their faithful devices, a hubbub ensued, and eventually the CEO ended up reversing course and eating crow. Hackaday’s own Gerrit Coetzee wrote up our coverage and mentioned that maybe Sonos just couldn’t afford to support the service for the old products any more, and didn’t want them to remain in the wild. So much so, that it’s worth 30% of the cost of their current product to get out from under the implicit contract.

By buying one of these IoT devices, you’re paying more money up front for the promise that the company will keep supporting the service that it relies on into the future. But providing this service costs money, and as more and more “products” are actually services in disguise, we’ve seen case after case of working machines shut down because the company doesn’t want to keep paying for the service. It doesn’t seem to matter if the company is small, like Sonos, or an immensely wealthy monopoly player like Google. Somehow, the people planning these products have a much shorter lifetime in mind than their customers do, and fail to make the up-front price cover costs.

This puts these companies in a tough spot. The more a customer loves the device, the longer they’ll want to keep it running, and the worse the blowback will be when the firm eventually has to try to weasel its way out of a “lifetime” contract. And they are alienating exactly their most loyal customers — those who want to keep their widget running longer than might even be reasonable. Given that this whole business model is new, it’s not surprising that some firms will get it wrong. What’s surprising to me is how many fall into the IoT trap.

So take this as a cautionary tale as a consumer. And if you’re in a company offering a product that depends on a service to continue to function, ask yourself if you’re really going to be able to support it for the customer’s idea of the lifetime of the product. What looks like a great deal at a five-year horizon might bankrupt your company at ten. Will you, or your customers, be willing to throw their devices away? Should they be?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 210 weeks or so. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter.

Want this type of article to hit your inbox every Friday morning? You should sign up!

Watch Linux Boot On Your Hackaday Superconference Badge

Last year’s Hackaday Superconference badge was an electronic tour de force, packing an ECP5 FPGA shoehorned into a Game Boy-like form factor and shipping with a RISC-V core installed that together gave an almost infinite badge hacking potential. It did not however run Linux, and that’s something [Greg Davill] has addressed, as he’s not only running Linux on his badge, but also a framebuffer that allows him to use the badge screen as the Linux terminal screen. Finally you can watch Linux boot on your Superconference badge itself, rather than over its serial port.

He’s achieved this by changing essentially everything: from the new VexRiscv CPU core, to new video drivers and a VGA terminal courtesy of Frank Buss, now part of the LiteVideo project. It’s not quite a fully fledged Linux powerhouse yet, but you can find it in a GitHub repository should you have a mind to try it yourself. Paging back through his Twitter feed reveals the effort he’s put into this work over the last few months, and shows that it’s been no easy task.

For those keeping score at home, this is an open hardware design, running an open CPU core, with community-designed open-source peripherals, compiled by an open-source toolchain, running an open-source operating system. And it’s simply a fantastic demo for the badge, showing off how flexible the entire system is. One of the best parts of writing for Hackaday is that our community is capable of a huge breadth of amazing pieces of work, and this is an exemplar of that energy. We can’t wait to see what Greg and any other readers tempted to try it will come up with.

If you’d like to refresh your memory over the 2019 Supercon badge, here’s our write-up at the time.

Dances, diaries, detentions, and demons in Netflix’s I Am Not Okay With This

Netflix's trailer for I Am Not Okay With This

Whether from the trailer or the very first scene, Netflix's new series I Am Not Okay With This doesn't try to hide what it is. “Dear diary," says our high school "hero," Sydney, as she narrates from her diary while walking down an empty street covered in a blood-stained prom dress. "Go fuck yourself... I’m a boring 17-year-old white girl. What I mean is, I’m not special.”

Naturally, that's not quite true, as this seven-episode first season gradually makes clear. Not quite as dark as Carrie (blood aside), not quite as light-hearted as Stranger Things (a comparison that makes sense quickly), I Am Not Okay With This sits squarely somewhere in the middle of the teen-ekenisis spectrum. And whether or not this particular incarnation works for you may largely depend on your appetite for these types of stories in general.

In West Philadelphia Pennsylvania...

Sydney (Sophia Lillis) and her family are relatively new to this suburban Pennsylvania town, but adjusting to a new school and community barely registers on her list of problems to work through. First, there's the usual (albeit hard) teen stuff—she's still figuring out her sexual identity, still figuring out how she fits in within the strict social constructs of a stereotypical high school, still figuring out how to communicate honestly with her closest friends (Dina, another new-to-town girl who's attracted the attention of the quarterback, and Stan, her neighbor who drives an old landshark vehicle and listens to vinyl). But Syd's entire family also struggles as they cope with the suicide of Syd's father. Mom has to work overtime at the local diner and doesn't bring in a ton, leaving Syd and younger brother Liam to navigate aspects of poverty and overall family responsibility. That pales in comparison to the emotional fallout, of course, and the family members haven't really processed their grief, either.

Read 9 remaining paragraphs | Comments

New FAA drone rule is a giant middle finger to aviation hobbyists

New FAA drone rule is a giant middle finger to aviation hobbyists

Enlarge (credit: Stuart O'Sullivan)

More than 31,000 people have deluged the Federal Aviation Administration with comments over a proposed regulation that would require almost every drone in the sky to broadcast its location over the Internet at all times. The comments are overwhelmingly negative, with thousands of hobbyists warning that the rules would impose huge new costs on those who simply wanted to continue flying model airplanes, home-built drones, or other personally owned devices.

"These regulations could kill a hobby I love," wrote Virginian Irby Allen Jr. in a comment last week. "RC aviation has brought my family together and if these regulations are enacted we will no longer be able to fly nor be able to afford the hobby."

The new regulations probably wouldn't kill the hobby of flying radio-controlled airplanes outright, but it could do a lot of damage. Owners of existing drones and model airplanes would face new restrictions on when and where they could be used. The regulations could effectively destroy the market for kit aircraft and custom-designed drones by shifting large financial and paperwork burdens on the shoulders of consumers.

Read 19 remaining paragraphs | Comments

A 3D-Printed Bass Guitar

A visit to the hardware hacking area of the recent Hacker Hotel hacker camp in the Netherlands would bring plenty of interesting pieces of hardware to delight the eye. Among them though was one to delight the ear, and on hearing it we asked whether its creator could put it online so we could share it with you. [XDr4g0nX]’s bass guitar is 3D printed, and while it still contains some non-3D-printed parts it’s still a very effective musical instrument.

This is not the first model he’s produced, he told us, an earlier guitar was entirely 3D-printed but proved not to be rigid enough. Tuning such an instrument merely resulted in its bowing out of shape and becoming unplayable as well as out of tune. This one has hefty steel bars for rigidity, though it uses a Yamaha neck rather than 3D-printing the whole instrument.  The main body of the instrument has to be printed in multiple parts and epoxied together, which he’s done without some of the ugly seams that sometimes disfigure prints of this nature.

Having heard it, we’d be hard pressed to tell it wasn’t a more traditional guitar, but then again since people have made guitars from all kinds of scrap it’s not the first home build we’ve encountered.

How a hacker’s mom broke into prison—and the warden’s computer

How a hacker’s mom broke into prison—and the warden’s computer

Enlarge (credit: Getty Images)

John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom.

In fairness, it was Rita Strand's idea. Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. She was confident, given that professional experience, that she could pose as a state health inspector to gain access to the prison. All it would take was a fake badge and the right patter.

"She approached me one day, and said 'You know, I want to break in somewhere," says Strand, who is sharing the experience this week at the RSA cybersecurity conference in San Francisco. "And it's my mom, so what am I supposed to say?"

Read 18 remaining paragraphs | Comments

A Mini USB Keyboard That Isn’t A Keyboard

A useful add-on for any computer is a plug-in macro keyboard, a little peripheral that adds those extra useful buttons to automate tasks. [Sayantan Pal] has made one, a handy board with nine programmable keys and a USB connector, but the surprise is that at its heart lies only the ubiquitous ATmega328 that you might find in an Arduino Uno. This isn’t a USB HID keyboard, instead it uses a USB-to-serial chip and appears to the host computer as a serial device. The keys themselves are simple momentary action switches, perhaps a deluxe version could use key switches from the likes of Cherry or similar.

The clever part of this build comes on the host computer, which runs some Python code using the PyAutoGui library. This allows control of the keyboard and mouse, and provides an “in” for the script to link serial and input devices. Full configurability is assured through the Python code, and while that might preclude a non-technical user from gaining its full benefit it’s fair to say that this is not intended to compete with mass-market peripherals. It’s a neat technique for getting the effect of an HID peripheral though, and one to remember for future use even if you might not need it immediately.

More conventional USB keyboards have appeared here in the past, typically using a processor with built-in USB HID support such as the ATmega32u4.

Casual Tetris Comes In At $9

[Michael Pick] calls himself the casual engineer, though we don’t know whether he is referring to his work clothes or his laid back attitude. However, he does like to show quick and easy projects. His latest? A little portable Tetris game for $9 worth of parts. There is an Arduino Pro Mini and a tiny display along with a few switches and things on a prototyping PC board. [Michael] claims it is a one day build, and we imagine it wouldn’t even be that much.

Our only complaint is that there isn’t a clear bill of material or the code. However, we think you could figure out the parts pretty easy and there are bound to be plenty of games including Tetris that you could adapt to the hardware.

The display looks suspiciously like an SSD1306 display which is commonly cloned. so that answers one question. These are just less than an inch of screen, but if you buy them from China that eats up almost half of the $9 budget. The Arduino is probably another $3. The other parts are cheap, but it is easy to imagine you might exceed $9 by a bit if you try to duplicate this.

Just from looking at the video, the code looks a lot like Tiny Tetris by [AJRussel], though there are a few others out there if you look. The rest should be pretty easy to puzzle out. Maybe [Michael] will add a link to the code, a bill of materials, and some specific wiring instructions.

Of course, if you just want Tetris, grab your transistor tester. We’ve even seen smaller versions of Tetris given away as business cards.

OpenSource GUI Tool For OpenCV And DeepLearning

AI and Deep Learning for computer vision projects has come to the masses. This can be attributed partly to the  community projects that help ease the pain for newbies. [Abhishek] contributes one such project called Monk AI which comes with a GUI for transfer learning.

Monk AI is essentially a wrapper for Computer Vision and deep learning experiments. It facilitates users to finetune deep neural networks using transfer learning and is written in Python. Out of the box, it supports Keras and Pytorch and it comes with a few lines of code; you can get started with your very first AI experiment.

[Abhishek] also has an Object Detection wrapper(GitHub) that has some useful examples as well as a Monk GUI(GitHub) tool that looks similar to the tools available in commercial packages for running, training and inference experiments.

The documentation is a work in progress though it seems like an excellent concept to build on. We need more tools like these to help more people getting started with Deep Learning. Hardware such as the Nvidia Jetson Nano and Google Coral are affordable and facilitate the learning and experimentation.

Using IR LEDs To Hide In Plain Sight

Getting by without falling under the gaze of surveillance cameras doesn’t seem possible nowadays – from malls to street corners, it’s getting more common for organizations to use surveillance cameras to keep patrons in check. While the freedom of assembly is considered a basic human right in documents such as the US Condition and the Universal Declaration of Human Rights, it is not a right that is respected everywhere in the world. Often times, governments enforcing order will identify individuals using image recognition programs, preventing them from assembling or demonstrating against their government.

Freedom Shield built by engineer [Nick Bild] is an attempt at breaking away from the status quo and giving people a choice on whether they want to be seen or not. The spectrum of radiation visible to humans maxes out around 740nm, allowing the IR waves to remain undetected by normal observers.

The project uses 940nm infrared (IR) LEDs embedded in clothes to overwhelm photo diodes in IR-sensitive cameras used for surveillance. Since the wavelength of the lights are not visible to humans, they don’t obstruct normal behavior, making it an ideal way to hide in plain sight. Of course, using SMD LEDs rather than the larger sizes would also help with making the lights even less visible to the naked eye.

The result doesn’t perfectly obscure your face from cameras, but for a proof-of-concept it’s certainly a example of how to avoid being tracked.

Friday, February 28

Boeing acknowledges “gaps” in its Starliner software testing

Starliner touches down in December.

Enlarge / Starliner touches down in December. (credit: NASA/Aubrey Gemignani)

On Friday during a detailed, 75-minute briefing with reporters, a key Boeing spaceflight official sought to be as clear as possible about the company's troubles with its Starliner spacecraft.

After an uncrewed test flight in December of the spacecraft, Boeing "learned some hard lessons," said John Mulholland, a vice president who manages the company's commercial crew program. The December mission landed safely but suffered two serious software problems. Now, Mulholland said, Boeing will work hard to rebuild trust between itself and the vehicle's customer, NASA. During the last decade, NASA has paid Boeing a total of $4.8 billion to develop a safe capsule to fly US astronauts to and from the International Space Station.

At the outset of the briefing, Mulholland sought to provide information about the vehicle's performance, including its life support systems, heat shield, guidance, and navigation. He noted that there were relatively few issues discovered. However, when he invited questions from reporters, the focus quickly turned to software. In particular, Mulholland was asked several times how the company made decisions on procedures for testing flight software before the mission—which led to the two two mistakes.

Read 8 remaining paragraphs | Comments

Building Cameras For The Immersive Future

Thus far, the vast majority of human photographic output has been two-dimensional. 3D displays have come and gone in various forms over the years, but as technology progresses, we’re beginning to see more and more immersive display technologies. Of course, to use these displays requires content, and capturing that content in three dimensions requires special tools and techniques. Kim Pimmel came down to Hackaday Superconference to give us a talk on the current state of the art in advanced AR and VR camera technologies.

[Kim]’s interest in light painting techniques explored volumetric as well as 2D concepts.
Kim has plenty of experience with advanced displays, with an impressive resume in the field. Having worked on Microsoft’s Holo Lens, he now leads Adobe’s Aero project, an AR app aimed at creatives. Kim’s journey began at a young age, first experimenting with his family’s Yashica 35mm camera, where he discovered a love for capturing images. Over the years, he experimented with a wide variety of gear, receiving a Canon DSLR from his wife as a gift, and later tinkering with the Stereorealist 35mm 3D camera. The latter led to Kim’s growing obsession with three-dimensional capture techniques.

Through his work in the field of AR and VR displays, Kim became familiar with the combination of the Ricoh Theta S 360 degree camera and the Oculus Rift headset. This allowed users to essentially sit inside a photo sphere, and see the image around them in three dimensions. While this was compelling, [Kim] noted that a lot of 360 degree content has issues with framing. There’s no way to guide the observer towards the part of the image you want them to see.

Moving the Camera to Match What Happens in the Virtual Environment

It was this idea that guided Kim towards his own build. Inspired by the bullet-time effects achieved in The Matrix (1999) by John Gaeta and his team, he wished to create a moving-camera rig that would produce three-dimensional imagery. Setting out to Home Depot, he sourced some curved shower rails which would serve as his motion platform. Kim faced a series of mechanical challenges along the way, from learning how to securely mount the curved components, to reducing shake in the motion platform. He also took unconventional steps, like designing 3D printed components in Cinema4D. Through hard work and perseverance, the rig came together, using a GoPro Hero 4 triggered by an Arduino for image capture. The build was successful, but still had a few issues, with the camera tending to dip during motion.

The rig packs a twin-lens camera and is portable for shooting in the field.

The promising results only whet Kim’s appetite for further experimentation. He started again with a clean sheet build, this time selecting a Fujifilm camera capable of taking native 3D photos. This time, a stepper motor was used instead of a simple brushed motor, improving the smoothness of the motion. Usability tweaks also involved a lock on the carriage for when it’s not in use, and a simple UI implemented on an LCD screen. All packaged up in a wooden frame, this let Kim shoot stereoscopic video on the move, with a rig that could be conveniently mounted on a tripod. The results are impressive, with the captured video looking great when viewed in AR.

Smarter Motion

With smooth camera motion sorted, Kim is now experimenting with his Creative CNC build, designed to move a camera in two dimensions to capture more three-dimensional data. This leads into a discussion of commercial options on the market for immersive image capture. Adobe, Samsung, Facebook, and RED all have various products available, with most of the devices existing as geometric blobs studded with innumerable lenses. There’s also discussion of light field cameras, including the work of defunct company Lytro, as well as other problems in immersive experiences like locomotion and haptic feedback. If you want to geek out more on the topic of light field cameras, check out Alex Hornstein’s talk from the previous Supercon.

While fully immersive AR and VR experiences are a ways away, Kim does a great job of explaining the development in progress that will make such things a reality. It’s an exciting time, and it’s clear there’s plenty of awesome tech coming down the pipeline. We can’t wait to see what’s next!

Freeman Dyson, physicist with a sci-fi bent, has died at 96

Dyson's ideas even made it to where no man has gone before.

Freeman Dyson, a physicist whose interests often took him to the edge of science fiction, has died at the age of 96. Dyson is probably best known for his idea of eponymous spheres that would allow civilizations to capture all the energy radiating off a star. But his contributions ranged from fundamental physics to the practicalities of using nuclear weapons for war and peace. And he remained intellectually active into his 90s, although he wandered into the wrong side of science when it came to climate change.

Degrees? Who needs 'em?

It's difficult to find anything that summarizes a career so broad, but a sense of his intellectual energy comes from his educational history. Dyson was a graduate student in physics when he managed to unify two competing ideas about quantum electrodynamics, placing an entire field on a solid theoretical foundation. Rather than writing that up as his thesis, he simply moved on to other interests. He didn't get a doctorate until the honorary ones started arriving later in his career. His contributions were considered so important that he kept getting faculty jobs regardless.

That came after a fairly conventional start to his education: an undergraduate degree from the University of Cambridge. Like many other scientists at the time, his career was interrupted by World War II, with Dyson working at the Royal Air Force's Bomber Command, evaluating data from completed missions and finding ways of getting more out of the nation's aircraft. After the war, he returned to Cambridge to finish his degree, then started in a PhD program at Cornell University in the US.

Read 7 remaining paragraphs | Comments

Last Call for Hackaday Belgrade Proposals Grants You a Four-Day Reprieve

We want you to present a talk at Hackaday Belgrade and this is the last call to send us your proposal.

Europe’s biennial conference on hardware creation returns to Serbia on May 9th for an all-day-and-into-the-night extravaganza. Core to this conference is people from the Hackaday community sharing their stories of pushing the boundaries of what’s possible on their electronics workbenches, firmware repos, and manufacturing projects.

Here at Hackaday we live a life of never ending deadlines, but we also understand that this isn’t true for everyone. In that spirit, we’re extending the deadline so that those who count procrastination as a core skill don’t miss their chance to secure a speaking slot at the last minute. You now have until 18:00 GMT (19:00 in Belgrade) next Friday to file your talk proposal.

The conference badge is being built by Voja Antonic, the inventor of Yugoslavia’s first widely-adopted personal computer. We know he has prototype PCBs on hand and plan to share more information on what he has in store for you very soon.

Review: The Invisible Man is a horror film that works on multiple levels

Elisabeth Moss gets the gaslighting treatment in Universal's reinvention of The Invisible Man.

A traumatized woman escapes her abusive relationship, only to find she is being stalked by an unseen entity in The Invisible Man, (very) loosely based on the H.G. Wells science fiction novel. It's less a direct adaption than a reinvention, written and directed by Leigh Whannell, best known for the Saw and Insidious horror franchises. The Invisible Man is horror in the best sense of the word, working on multiple levels and firmly anchored by star Elisabeth Moss's intensely emotional, yet nuanced performance.

(Some spoilers below.)

First serialized and then published as a book in 1897, the novel tells the story of a scientist named Griffin, whose research into optics leads him to invent a means of turning himself invisible with a serum that chemically alters his body's refractive index to match that of air. Wells cited Plato's Republic as one of his influences, notably a legend involving a magic ring that renders a man invisible, which Plato used to explore whether a person would behave morally if there were no repercussions for bad behavior.

Read 11 remaining paragraphs | Comments

More than 2,200 agencies and companies have tried Clearview, report finds

More than 2,200 agencies and companies have tried Clearview, report finds

Enlarge (credit: Spencer Whalen | EyeEm | Getty Images)

Secretive startup Clearview AI distributes an apparently very powerful facial recognition tool that matches anyone against an enormous database of photos—it claims more than 3 billion—scraped from basically every major US platform on the Internet. A leaked list now reveals that more than 2,200 government agencies and private businesses have tried the service.

Clearview, which first came to light courtesy of a New York Times report from January, claims to have about 600 customers, all in law enforcement. The company has repeatedly refused to make a client list public, however, and previous reports find that at least some of its marketing claims are significantly exaggerated.

Earlier this week, Clearview disclosed that its client list and some information about searches those customers have run was lost in a data breach. Reporters at BuzzFeed ended up with access to a copy and found far more in it than Clearview has ever admitted.

Read 6 remaining paragraphs | Comments

This Week in Security: Chrome Bugs and Non-bugs, Kr00k, and Letsencrypt

Google Chrome minted a new release to fix a trio of bugs on Monday, with exploit code already in the wild for one of them. The first two bugs don’t have much information published yet. They are an integer-overflow problem in Unicode internationalization, and a memory access issue in streams. The third issue, type confusion in V8, was also fixed quietly, but a team at Exodus Intel took the time to look at the patches and figure out what the problem was.

The actual vulnerability dives into some exotic Javascript techniques, but to put it simply, it’s possible to change a data-type without V8 noticing. This allows malicious code to write into the header area of the attacked variable. The stack, now corrupted, can be manipulated to the point of arbitrary code execution. The researchers make the point that even with Google’s fast-paced release schedule, a determined attacker could have several days of virtual zero-day exploitation of a bug mined from code changes. Story via The Register.

The Chrome Problem that Wasn’t

A second Chrome story came across my desk this week: Chrome 80 introduces a new feature, ScrollToTextFragment. This useful new feature allows you to embed a string of text in a URL, and when loading that address, Chrome will scroll the page to make that text visible. For certain use cases, this is an invaluable feature. Need to highlight a specific bit of text in a big document online?

The following bookmarklet code by [Paul Kinlan] is the easy way to start using this feature. Paste this code into the URL of a bookmark, put it on the bookmark bar, highlight some text in a webpage, and then run the bookmarklet. It should open a new tab with the new URL, ready to use or send to someone.

javascript:(function()%7Bconst%20selectedText%20%3D%20getSelection().toString()%3Bconst%20newUrl%20%3D%20new%20URL(location)%3BnewUrl.hash%20%3D%20%60%3A~%3Atext%3D%24%7BencodeURIComponent(selectedText)%7D%60%3Bwindow.open(newUrl)%7D)()

Since we’re talking about it in the security column, there must be more to the story. A privacy guru at Brave, [Peter Snyder], raised concerns about privacy implications of the feature. His argument has been repeated and misrepresented in a few places. What argument was he making? Simply put, that it’s not normal user behavior to immediately scroll to an exact position on the page. Because modern web pages and browsers do things like deferred loading of images, it could be possible to infer where in the page the link was pointing. He gives the example of a corporate network where DNS is monitored. This isn’t suggesting that the entire URL is leaked over DNS, but rather that DNS can indicate when individual components of a page are loaded, particularly when they are embedded images from other sites.

While this concern isn’t nonsensical, it seems to me to be a very weak argument that is being over-hyped in the press.

Whatsapp Groups Searchable on Google

It’s not new for search engines to index things that weren’t intended to be public. There is a bit of mystery surrounding how Google finds URLs to index, and StackExchange is full of plenty of examples of webadmins scratching their heads at their non-public folders showing up in a Google search.

That said, a story made the rounds in the last few days, that WhatsApp and Telegram group invites are being indexed by Google. So far, the official word is that all the indexed links must have been shared publicly, and Google simply picked them up from where they were publicly posted.

It appears that WhatsApp has begun marking chat invitation links as “noindex”, which is a polite way to ask search engines to ignore the link.

If it’s shown that links are getting indexed without being posted publicly online, then we have a much bigger story. Otherwise, everything is working as expected.

Letsencrypt Makes Attacks Harder

Letsencrypt has rolled out an invisible change to their validation process that makes a traffic redirection attack much harder. The new feature, Multi-Perspective Validation, means that when you verify your domain ownership, Letsencrypt will test that verification from multiple geographic regions. It might be possible to spoof ownership of a domain through a BGP attack, but that attack would be much harder to pull off against traffic originating from another country, or multiple countries simultaneously. Letsencrypt is currently using different regions of a single cloud, but plans to further diversify and use multiple cloud providers for even stronger validation.

Kr00k

Brought to us by the researchers at Eset, Krook (PDF) is a simple flaw in certain wireless chips. So far, the flaw seems to be limited to WPA2 traffic sent by Broadcom and Cypress chips. They discovered Kr00k while doing some followup research on KRACK.

Let’s talk about WPA2 for a moment. WPA2 has a 4-way handshake process that securely confirms that both parties have the shared key, and then establishes a shared Temporal Key, also known as a session key. This key is private between the two devices that performed the handshake, meaning that other devices on the same wireless network can’t sniff traffic sent by other devices.

When a device disconnects, or disassociates, that session key is reset to all 0s, and no packets should be sent until another handshake is performed. Here’s the bug: The packets already in the output buffer are still sent, but are encrypted with the zeroed key, making them trivially decrypted. As it’s simple to trigger deauthentication events, an attacker can get a sampling of in-the-clear packets. The ubiquity of TLS is a saving grace here, but any unencrypted traffic is vulnerable. Eset informed vendors about the flaw in 2019, and at least some devices have been patched.

Exchange

Microsoft Exchange got a security patch this past Tuesday that addressed a pair of bugs that together resulted in a remote code execution vulnerability. The first bug was an encryption key that is generated on Exchange server installation. That generation seemed to lack a good source of entropy, as apparently every Exchange install uses the the exact same key.

The second half of this bug is a de-serialization problem, where an encrypted payload can contain a command to run. Because the encryption key is known, any user can access the vulnerable endpoint. The process of exploitation is so trivial, be sure to patch your server right away.

TODO: Remove Vulnerabilities

This one is just humorous. An Intel virtualization feature appears to have been pushed into the Linux kernel before it was finished. Know what unfinished code tends to contain? Bugs and vulnerabilities. CVE-2020-2732, in this case. It’s unclear how exactly an exploit would work, but the essence is that a virtual guest is allowed to manipulate system state in unintended ways.