The truck is based on a 1/14th scale Tamiya chassis, and had been fitted out by a prior group with an inductive charging system. On top of this platform, [Jon] added a Jetson TX2 to act as the brains of the system, hooking it up with a Slamtec RPLIDAR scanner to map its surrounding environment. There’s also a Teensy microcontroller onboard which handles synthesizing PWM signals for the radio control hardware that drives the truck, and a Logitech webcam up front for machine vision. The truck is capable of operating in a variety of modes, from full manual operation, to driving based on LIDAR mapping or with an AI controlling the truck based on camera data. The truck is programmed to drive a route including an inductive charging pad so it can keep its power levels up without human intervention.
We didn’t realize that dog training research techniques were so high-tech. Operant conditioning, as opposed to Pavlovian, gives a positive reward, in this case dog treats, to reinforce a desired behavior. Traditionally operant conditioning involved dispensing the treat manually and some devices do exist using wireless remote controls, but they are still manually operated and can give inconsistent results (too many or too few treats). There weren’t any existing methods available to automate this process, so this team decided to rectify the situation.
They took a commercial treat dispenser and retro-fitted it with an interface board that taps into the dispenser’s IR sensors to detect that the hopper is moving and treats were actually dispensed. The interface board connects to a Raspberry Pi which serves as a full-featured platform to run the tests. In this demonstration it connects to an HDMI monitor, detecting touches from the dog’s nose to correlate with events onscreen. Future researchers won’t have to reinvent the wheel, just redesign the test itself, because [Walter] and [Jeffrey] have released all the firmware and hardware as open-source on the lab’s GitHub repository.
In the short video clip below, watch the dog as he gets a treat when he taps the white dot with his snout. If you look closely, at one point the dog briefly moves the mouse pointer as well. We predict by next year the C-CHIL researchers will have this fellow drawing pictures and playing checkers.
The price of one bitcoin rose above $14,000 on Saturday morning. It was the first time the virtual currency reached that level since January 2018. As I write this, the currency is trading for around $13,800.
Bitcoin, a currency whose name has become synonymous with price volatility, has seen three major bull runs in the past. Bitcoin's price peaked around $30 in June 2011, around $1,100 in January 2014, and just below $20,000 in December 2017. Each peak was followed by a wrenching crash where the currency lost more than 80 percent of its value.
After the last bubble peaked in December 2017, the price steadily deflated until it reached a low around $3,200 in late 2018. It reached a peak around $13,800 in mid-2019, fell to $4,000 in early 2020, and has now soared back to $14,000. Bitcoin fans are hoping for another boom that pushes the currency past the highs of 2017, but that's far from a sure thing.
Many plastics are, in theory at least, highly recyclable. Unfortunately, in reality, most plastic ends up as waste instead, harming the environment and providing no ongoing value to society. Wanting to investigate possible ways to repurpose this material, [Rehaan33] built a rig to create bricks out of waste plastic for a school project.
The aim of the project is to take waste plastic, in this case high-impact polystyrene, and reform it into a brick that could be used as a low-cost building material. The material is shredded, before being packed into a steel mould and heated to 270 degrees in an oven. As polystyrene is a thermoplastic, it can readily be heated in this way for reforming without harming the material’s properties. Once heated, the mould is placed into the press rig, which uses parts of an old drill press to force down a steel plate, helping shape the final form of the brick.
While you’re unlikely to see old soda bottles used to build a skyscraper in New York any time soon, such techniques could be a good way to help eliminate plastic waste in impoverished areas and stem the flow of plastic into the world’s oceans. The project served as a useful learning experience, allowing [Rehaan33] to pick up skills in metalworking, machine design, and working with thermoplastics. Recycling plastics is a key area of interest for many, particularly in the 3D printing space, with many exploring ways to reuse thermoplastics in more efficient ways. If you’ve got your own project turning waste plastics into useful material, be sure to let us know!
Earlier this year, the federal government made a major change to how data on the pandemic is reported, taking the aggregation of hospital data away from the Centers for Disease Control and Prevention and shifting it into the CDC's parent organization, the Department of Health and Human Services (HHS).
At the time, there were worries that this represented an attempt to limit the public's ability to see how bad the pandemic was—worries that were reinforced when the data was no longer made public as it came in. But some recent reporting indicated that the change was primarily the work of White House Coronavirus Task Force Coordinator Deborah Birx, who wanted greater control over the data gathering and processing. Still, regardless of the motivation, the data flowing in to HHS only made its way out to the public via weekly summaries.
Until now. Someone has leaked the daily reports to NPR, which found that the reports weren't all that they could be, but they could still be useful for public health experts.
I did something silly. I bought a lot of ten “broken” cheesy indoor quadcopters on eBay — to hopefully cobble one working one together and to amuse my son. At this point, I’ve got eight working. The bad news is that they all come with dirt-cheap transmitters that aren’t really conducive to flying at all. They’d be a lot more fun if they could be controlled with a real remote. Enter the hackers.
Most all of the cheap quads are based on one of a handful of radio chipsets, although they use different protocols. An enterprising hacker could conceivably just bundle together this handful of radio modules, and the rest would be a simple matter of software. That’s exactly what Pascal Langer’s DIY Multiprotocol TX and supporting firmware does. This hobby project was so successful that compatible hardware is manufactured by more than a few Chinese companies, and non-geeks have them installed in their radios. The module lets you control virtually anything that uses 2.4 GHz. Of course, I’ve got one of them.
I opened up the cheesy drone’s transmitter, found that it used a popular chipset, and worked through all the different supported protocols that used it. No dice. But the radio module did have nicely labeled SPI lines, so I reached out to Pascal. A couple of Sigrok sessions later, he’d figured out that it was trying to bind on a different channel, I’d recompiled the firmware, and was playing with the drone’s other functions.
I just love a good SPI-sniffing session. sigrok-cli -d fx2lafw -c samplerate=4000000 -P spi:clk=D0:mosi=D1:cs=D2 -A spi="mosi transfer" --continuous | grep A0 | uniq reads the SPI lines, decodes the packets, filters out the commands, and removes duplicates, in real-time. All that’s left to do is wiggle the sticks, mash buttons, and take good notes.
None of this was hard, and certainly none of it was expensive. I got my drones under the control of my fancy-schmancy remote, and have a good foothold into controlling them algorithmically later on thanks to everyone’s previous work on reverse engineering these protocols. Support for DF Drone’s SkyTumbler will be included in the next DIY Multiprotocol TX release, and I spent about four or five pleasant hours on this project. Maybe only a handful of people will stumble on this particular protocol — or maybe it will just be me. I did it mostly just to scratch my own particular itch.
But that’s one way open source works, thrives, and grows. Here’s to you all out there, from the Deviation team, who did a lot of the early drone protocol reverse engineering, to Pascal for the DIY Module, to the Sigrok folks who made the tools accessible for me to piggyback on everyone’s previous work. Keep on hacking!
This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!
Enlarge/ human brain, motherboards, chip and artificial intelligence concept and neural tech and brain computer interfaces.
The hard part of connecting a gooey, thinking brain to a cold, one-ing and zero-ing computer is getting information through your thick skull—or mine, or anyone’s. The whole point of a skull, after all, is keeping a brain safely separate from [waves hands at everything].
So if that brain isn’t yours, the only way to tell what’s going on inside it is inference. People make very educated guesses based on what that brain tells a body to do—like, if the body makes some noises that you can understand (that’s speech) or moves around in a recognizable way. That’s a problem for people trying to understand how the brain works, and an even bigger problem for people who because of injury or illness can’t move or speak. Sophisticated imaging technologies like functional magnetic resonance can give you some clues. But it’d be great to have something more direct. For decades, technologists have been trying to get brains to interface with computer keyboards or robot arms, to get meat to commune with silicon.
Traditional light guns rely on quirks of CRT technology, and thus don’t play well with modern LCD televisions and monitors. However, die hard retro gamers aren’t known for moving on from the classics, and have persevered to build new hardware to suit the games of old. In just this vein, [BrittLiv] grabbed some Nerf blasters, and built a pair of light guns that work with today’s hardware.
The build relies on Ultramarc’s light gun kits, which work in a similar way to the original Wiimote. A camera inside the blaster is used to triangulate an LED bar placed on top of the screen for clean and accurate tracking. [BrittLiv] combined the Ultramarc kit with some clever hacks to a Nerf DoubleStrike blaster, stealthily hiding the buttons inside to interface with the original trigger and cocking mechanism, as well as the locking tab in the rail.
There’s both a wired and wireless version, and the setup looks to be a great way to enjoy classics like Duck Hunt and Point Blank. The blasters work great with common platforms like MAME and RetroPi as the Ultramarc hardware emulates a standard USB mouse.
After years of building political pressure for antitrust scrutiny of major tech companies, this month Congress and the US government delivered. The House Antitrust Subcommittee released a report accusing Apple, Amazon, Google, and Facebook of monopolistic behavior. The Department of Justice filed a complaint against Google alleging the company prevents consumers from sampling other search engines.
The new fervor for tech antitrust has so far overlooked an equally obvious target: US broadband providers. “If you want to talk about a history of using gatekeeper power to harm competitors, there are few better examples,” says Gigi Sohn, a fellow at the Georgetown Law Institute for Technology Law & Policy.
The Raspberry Pi has been with us for over eight years now, and during that time it has seen a myriad operating system ports. It seems that almost anything can be run on the little computer, but generally the offerings have seen minority uptake in the face of the officially supported Raspbian, or as it’s now called, Raspberry Pi OS.
Maybe that could change, with the arrival of an Ubuntu release for the platform. For those of you pointing out that this is nothing new, what makes the new version 20.10 release special is that it’s the first official full Ubuntu release, rather than an unofficial port.
So Raspberry Pi 4 owners can now install the same full-fat Ubuntu they have on their PCs, and with the same official Ubuntu support. What does this really do for them that Raspberry Pi OS doesn’t? Underneath they share Debian underpinnings, and they both benefit from a huge quantity of online resources should the user find themselves in trouble. Their repositories both contain almost every reasonable piece of software that could be imagined, so the average Pi user might be forgiven for a little confusion.
We don’t expect this news to take the Pi desktop world by storm then. Ubuntu is a powerful distribution, but it’s fair to say that it is not the least bloated among distributions, and that some of its quirks such as Snap applications leave many users underwhelmed. By contrast Raspberry Pi OS is relatively lightweight, and crucially it’s optimised for the Pi. Its entire support base online is specific to the Pi hardware, so the seeker of solutions need not worry about encountering some quirk in an explanation that pertains only to PC platforms.
It’s fair to say though, that this release is almost certainly not targeted at the casual desktop user. We’d expect that instead it will be in the Ubuntu portfolio for commercial and enterprise users, and in particular for the new Raspberry Pi 4 Compute Module in which it will no doubt form the underpinnings of many products without their owners ever realising it.
If you aren’t old enough to remember when computers had front panels, as [Patrick Jackson] found out after he built a replica Altair 8800, their operation can be a bit inscrutable. After figuring it out he made a pair of videos showing the basics, and then progressing to a program to add two numbers.
Even when the Altair was new, the days of front panels were numbered. Cheap terminals were on their way and MITS soon released a “turnkey” system that didn’t have a front panel. But anyone who had used a minicomputer from the late 1960s or early 1970s really thought you needed a front panel.
You may never program an Altair by the front panel, but it is still an interesting glimpse into what computing looked like only a few decades ago. While you might think that the front panel was a mere curiosity, it was not unusual to have to key in a bootloader program manually so you could then load other software — often a better bootloader — from paper or magnetic tape. Some computers even had the early bootloader code printed on the front panel for reference.
A front panel can also help you debug programs and hardware problems since you are probably looking right at the bus in a real computer. Of course, with an emulator, the emulator is just driving the front panel for make-believe, but it still works the same way.
We did our own front panel tutorial for the PDP/8. The operation is similar, but not exactly the same. The front panel for the BLUE computer was especially fun because it used the limited lights and switches available to the FPGA board it lived on. You can see it in a video in this post about the real-world implementation of a fake educational computer.
Back in 2018, we covered [Igor’s] Easy-SDR project that aimed to provide open hardware extensions for the chap RTL-SDR receivers. If you haven’t been there for a while, it’s worth a look as there have been many recent updates. According to the author’s Reddit post:
Most of the devices are now prepared for installation in a metal case measuring 80 x 50 x 20 millimeters.
There’s a completely redesigned LNA design. Now, Bias Tee powered amplifiers are housed in a 50 x 25 x 25mm metal case and have N-type connectors.
There’s an added amplifier based on the PGA-103 microcircuit.
Added is the ability to install filters in final amplifiers (a separate printed circuit board, depending on the filter used).
A new device – SPDT antenna switch for receiving antennas.
The upconverter has been redesigned. Added intermediate buffer stage between the crystal generator and mixer.
RF lines in all devices were recalculated to correspond to the characteristic wave impedance of 50 Ohm.
Reduced size of PI attenuator PCB.
There is an emphasis on ease of assembly, so the projects generally have a gerber file and can use through hole or surface mount parts. They are also available live on EasyEDA if you want to make changes. Some of the designs, like the new upconverter, are SMD only, but for some devices these days that’s your only choice.
We were impressed with the instructions included with some of the projects. It should be very possible to duplicate these projects with just a little effort. If you missed our first pass at [Igor’s] great repo, you can still catch up. Since he uses EasyEDA, you might want to read our experience with that, too.
The build consists of 3D printed pumpkins, lit from behind with a low-cost projector. Driven by a Raspberry Pi, the projector plays video files that project animated faces onto the pumpkins. The effect is great, giving the illusion of a real anthropomorphic Jack O’ Lantern sitting on your very porch. To control the system, a series of arcade buttons are hooked up to the Raspberry Pi allowing visitors to activate a song, a scare, or a story.
It’s a fun build that is a great way to add some interactivity to your Hallowe’en decorations. If you want to take your work up a notch, consider projecting on to your whole house. Video after the break.
It’s no secret that Halloween is a day that makers love. And, its great to see that childhood passion for trick-or-treating transform into a love of cosplay and costume creation and prop building. So this week and last we reached out to some of our favorite Maker Camp hosts to […]
The new Moto Razr. It's got updated specs and a slightly different design. [credit: Motorola ]
If you buy a new Moto Razr 5G, it might not seem all that "new" when you get it. A very interesting note (first spotted by The Verge) is at the bottom of the Amazon product description, which says that your Moto Razr will be opened before it gets to you, it's going to be folded, and, oh, we're sorry if there are some fingerprints:
NOTE: originally, RAZR was meant to be shipped in the unfolded position. However, to better protect the display, we have folded your RAZR – it’s safer but may not look as elegant as we hoped. We apologize if you see fingerprints on your device. We assure you your RAZR is brand new.
Motorola's foldable reboot of the Moto Razr has had a tough time surviving in the real world. While the modern take on a classic smartphone looks beautiful, it has also proven extremely fragile, with the trick hinge system and soft, plastic flexible display being prone to damage. (Ours died after one day!) The original released in February 2020, but a sequel with better specs, the Moto Razr "5G," already came out at the beginning of October. Already, it has been decided that the box isn't good enough.
The Razr 5G box looks just like the original Razr reboot box, and it doesn't follow your typical smartphone box design. The bottom half of the box is designed to double as a functional phone stand, and it actually amplifies the sound coming out of the speaker. The phone sits in the bottom of the box vertically, opened up, and tilted back slightly. The top "half" of the box lowers down over top of the phone stand assembly, and a very large foam block presses against the phone display, keeping the phone in place.
This year, a new season of The Mandalorian no longer has the benefit of being a behind-the-Rise surprise, nor part of a massive Disney entertainment barrage. It arrives with expectations, interest, and—in a pandemic-stricken world—little else in the way of competition.
But you wouldn't know that watching Mando and "The Child" return to TV screens early this morning. Series creator Jon Favreau once again writes and directs the new season's first episode, and in doing so, he places a firm first step into a comfortable foothold. In Mandalorian terms, that means viewers will find another entertaining interpretation of the "space cowboy" motif that last year's season delivered so well.
It wouldn’t be October without Halloween, and it wouldn’t be Halloween without some spooky music. There’s no instrument spookier than a Theremin, which also happens to be one of the world’s first electronic instruments.
Leon Theremin plays his namesake instrument. Image via Linda Hall Library
You’ve no doubt heard the eerie, otherworldly tones of the Theremin in various 1950s sci-fi films, or heard the instrument’s one-of-a-kind cousin, the Electro-Theremin in “Good Vibrations” by the Beach Boys. The Theremin turns 100 years old this month, so we thought we’d take a look at this strange instrument.
One hundred years ago, a young Russian physicist named Lev Sergeyevich Termen, better known as Leon Theremin, was trying to invent a device to measure the density of various gases. In addition to the standard analog needle readout, he wanted another way to indicate the density, so he devised an oscillator whistle that would change pitch based on the density.
He discovered by accident that having his hand in the field of the antenna changed the pitch of the whistle, too. Then he did what any of us would do — played around until he made a melody, then called everyone else in the lab over to check it out.
Theremin soon showed his device to Lenin, who loved it so much that he sent Lev on a world tour to show it off. While in New York, he played it for Rachmaninoff and Toscanini. In fact you can see a video recording of Leon playing the instrument, a performance that’s more hauntingly beautiful than spooky. In 1928, he patented the Theremin in the United States and worked with RCA to produce them.
Sales never really took off, partially because of the Great Depression, but largely because it’s so hard to get a nice sound from it. The instrument was touted as being easy to play, because you really do just wave your hands in the air to play it. But the truth is that your hands must be placed precisely to avoid terrible squawking sounds. The Theremin is quite difficult to master, and few have done it.
Inside the Theremin are a pair of circuits — one to control pitch, and the other to control volume. The pitch circuit uses two tuned oscillators to produce sound. One is fixed, and the other is variable and connected to a vertical antenna. Sound is produced when the player’s hand enters the electromagnetic field around the antenna. The frequency produced by the players hand is subtracted from the reference frequency of the fixed oscillator in a process called heterodyning. The difference between the two frequencies is then amplified and sent through a speaker. The volume circuit is a single oscillator connected to a horizontal loop antenna. As the player’s hand gets closer to the antenna, the volume goes down, which makes it easy to chop the sound into individual notes.
Theremins are still being made today by Moog, and many of them have more bells and whistles that make them sound more complex compared to the first Theremin, which had a sine wave sound to it. One of the best and most expressive Theremin players was Clara Rockmore, and Moog is honoring her by releasing a limited edition Theremin this month. That’s Clara in the header image.
Things didn’t work out so well for Leon Theremin. In 1938, he was kidnapped and taken back to Russia by the KGB. He spent time in a prison camp and was later forced by the government to create a bug to spy on the United States. Theremin returned to the US in 1991 at the age of 95 and gave several concerts. He died in Moscow two years later.
Leon Theremin would likely be pleased to see how many spinoffs his invention has spurred. Here’s to 100 more years of spooky, ethereal music. Take a deep dive into how the instrument works and where the art is today with this interview with Carolin Eyck.
It’s no secret that Halloween is a day that makers love. And, its great to see that childhood passion for trick-or-treating transform into a love of cosplay and costume creation and prop building. So this week and last we reached out to some of our favorite Maker Camp hosts to […]
Enlarge/ The close-ups highlight the bright ice exposed in the boulders when Philae struck them during its second touchdown (green box above). (credit: O'Rourke et al./Nature)
The Rosetta mission’s attempt to drop the Philae lander on a comet in 2014 didn’t go according to plan. The harpoon mechanism meant to stick Philae to terra-not-quite-firma didn’t work, and poor Philae ended up bouncing around and landing under a dark cliff overhang, unable to deploy its solar panels and complete its tasks. But let it not be said that Philae failed to leave its mark. Because it did. Quite literally.
To extract value from Philae’s accidental adventure, researchers have worked hard to identify the spots where the craft impacted the surface of the comet. This required painstaking analysis of Philae’s motion sensors to reconstruct its trajectory, along with a terrifically complex game of “one of these things is not like the others” played with before-and-after images of the comet’s jumbled surface.
The site of the initial bounce was easy enough to find, but the path from there to its resting place was another story. A new study led by the European Space Agency’s Laurence O’Rourke reveals another spot where Philae dented comet 67P. And the size of that dent actually tells us something remarkable about what comets are like.
Enlarge/ Jack Black, "classic Hollywood liberal," on January 22, 2017 in Park City, Utah. (credit: Getty | John Parra)
Democratic House lawmakers have had no luck getting the Department of Health and Human Services to hand over information on its $250 million advertising campaign to “defeat despair and inspire hope” amid the devastating coronavirus pandemic.
In a scathing letter to HHS Secretary Alex Azar, the lawmakers revealed some of those details, which show blatant political partisanship. For instance, A-list celebrities considered for pandemic-related public service announcements were individually rated based on their loyalty to Trump and other political leanings. Of the 274 celebrities reviewed, only 10 made the cut. The rest were rejected, including Jack Black, who was dubbed a “classic Hollywood liberal” and Judd Apatow, who, the documents say, “believes Trump does not have the intellectual capacity to run as President.”
Hackaday editors Mike Szczys and Elliot Williams dig through the greatest hacks that ought not be missed this week. There’s a wild one that flexes engineering skills instead of muscles to beat the homerun distance record with an explosively charged bat. A more elegant use of those engineering chops is shown in a CNC software tool that produces intricate wood joinery without needing an overly fancy machine to fabricate it. If your flesh and blood pets aren’t keeping up with your interests, there’s a new robot dog on the scene that far outperforms its constituent parts which are 3D-printed and of the Pi and Arduino varieties. And just when you thought you’d seen all the craziest retrocomputers, here’s an electromechanical relay based machine that took six years to build (although there’s so much going on here that it should have taken sixteen).
Take a look at the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
While the cost of a hobby-grade remote control transmitter has dropped significantly over the last decade or so, even the basic models are still relatively expensive. It’s not such a big deal if you only need to get one for personal use, but for a school to outfit a classroom’s worth of students their own radios, they’d need to have a serious STEM budget.
Which is why [Miharix], himself an educator with a decade of experience, developed a project that leverages the ESP8266 to create affordable RC vehicles that can be controlled with a smartphone’s web browser. There’s a bit of irony at play since the smartphones are more expensive than the RC transmitters would have been; but with more and more school-age kids having their own mobile devices, it takes the cost burden off of the educators. Depending on the age of the students, the teacher would only need to keep a couple of burner phones on hand for student that doesn’t have a device of their own.
A custom PCB makes connections easier for students.
In its fully realized form, the project uses an open hardware board that allows standard RC hobby servos to be connected to the GPIO pins of a ESP-12E module. But if you don’t want to go through the trouble of building the custom hardware, you could put something similar together with an ESP development board. From there it’s just a matter of installing the firmware, which starts up a server providing a touch-based controller interface that’s perfect for a smartphone’s screen.
Since the ESP8266 pops up as an Access Point that client devices can connect to, you don’t even need to have an existing network in place. Or Internet access, for that matter. [Miharix] says that in tests, the range between a common smartphone and the ESP8266 is approximately 85 meters (260 feet), which should be more than enough to get the job done.
[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.
The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but that has to be manually enabled.
And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What does this setting allow an attacker to do? Because the front-end and back-end JavaScript runs in the same context, it’s possible for an XSS attack to override JS functions. If those functions are then called by the back-end, they have full access to Node.js functions, including exec(), at which point the escape is complete.
Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.
This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability. A specially crafted sketchfab file can run some JS whenever a user interacts with the embedded player, which can be shoehorned into discord. We’re almost there, but there is still a problem remaining. This code is running in the context of an iframe, not the primary thread, so we still can’t override functions for a full escape. To actually get a full RCE, we need to trigger a navigation to a malicious URL in the primary pageview, and not just the iframe. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?
Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In this case, JavaScript running in an iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.
It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.
The problem is in the FreeType library, regarding how fonts are handled when they contain embedded PNGs. To put it simply, the PNG width and height are stored in the font as 32-bit values, but those values are truncated to 16-bit before the buffer is allocated. After this, the PNG is copied to the buffer, but using the non-truncated values. A check is then performed to make sure the copy didn’t overflow, but unhelpfully, this was checked *after* the copy had taken place. The bug includes a test case, so feel free to go check your devices using that code. It’s not clear how long this bug has existed, but it’s possible it also affects Android’s System WebView, which is much slower to update.
Step-by-step of Chrome Exploit
[Man Yue Mo] recently published a detailed report on a Use-After-Free Chrome bug he discovered back in March, tracked as CVE-2020-6449. What makes this one worth looking at is the detailed account he gives us of the process of developing a working exploit from the bug. The whole account is a masterclass in abusing JavaScript to manipulate the state of the underlying engine. As a bonus, he gives us a link to the PoC exploit code to look at, too.
FBI Warning
The FBI, along with CISA and HHS, has issued a warning (PDF) about an ongoing redoubling of ransomware attacks against US hospitals and other healthcare providers. This attack is using the Trickbot malware and the Ryuk ransomware. They also note the use of DNS tunneling for data exfiltration, and specifically mention Point of Sale systems as a target.
The mitigation steps are particularly interesting in trying to read between the lines here. Before we look too deeply, I have to call out an outdated piece of advice: “Regularly change passwords”. This has been the bane of many users and administrators, and leads to weaker security, not stronger. With that out of the way, let’s look at the other recommendations.
A few recommendations are boiler-plate, like two-factor authentication, install security updates, have backups, etc. I was surprised to see the recommendation to allow local administration, in order to get things working again. What might be the most interesting is the recommendation to take a hard look at any RDP services that are running. Does this mean that some healthcare PoS system is running an out-of-date Windows, with a vulnerable RDP service open to the network by default, and it’s suddenly being targeted? Maybe. I’ve learned not to put too much stock in these advisories, unless actual details are given, and this particular example is quite light on details.
Loginizer’s SQL Injection
The popular Loginizer WordPress plugin is intended to protect your site’s login page from attack. It can add two-factor authentication, CAPTCHAs for repeated login attempts, and even detect brute-force attempts and blacklist the offending IP. That last one is where the problem lies. Incoming login attempts are logged to a SQL database, and that logging wasn’t properly sanitized, nor were prepared statements used. Because of this, the login page was subject to a very simple SQL injection attack. The Lesson? Sanitize your inputs, and use prepared statements! The latest update fixes this, as well as a separate but similar security issue.
What makes this bug novel is that WordPress found it a big enough problem to break the glass and push the big red button labeled “Force Update”. I didn’t know the folks at WordPress had a button that did that, but for particularly bad bugs like this one, it’s a useful capability. A few users complained that this update was installed even though they had auto-updates disabled. It’s a fine line to walk here, but it seems like WordPress should make it clear in the settings that this feature exists, and include a way to opt-out of forced updates like this one.
Episode 3: Joshua Pearce on Open Source In the third episode of Make:Cast, I talk with Joshua Pearce about his new book, “Create, Share and Save Money Using Open Source Projects.” Joshua is a professor of materials science and electrical engineering at Michigan Tech University where he directs the Michigan […]
Enlarge/ Interior of Tesla's Model 3. (credit: Tesla)
Tesla is wasting no time cashing in on excitement over the company's forthcoming "full self-driving" software release, which was released in beta form to a small number of customers last week. Tesla has now raised the price of the FSD upgrade from $8,000 to $10,000.
Tesla has tinkered with pricing for the full self-driving package repeatedly over the last two years. In 2018, the package cost $3,000 at vehicle purchase time or $4,000 when purchased later. In 2019, Tesla briefly cut the price to $2,000, angering customers who had paid higher prices. Then Tesla revamped its price structure, making basic Autopilot features standard and raising the FSD package price to $5,000. Tesla subsequently raised the price to $6,000, $7,000, and then $8,000.
Musk has long warned customers to expect the price of the full self-driving technology to continue rising. "If you buy a Tesla today, I believe you are buying an appreciating asset—not a depreciating asset," Musk said in a 2019 podcast episode.
[Masato Kinugawa] found a series of bugs that, when strung together, allowed remote code execution in the Discord desktop app. Discord’s desktop application is an Electron powered app, meaning it’s a web page rendered on a bundled light-weight browser. Building your desktop apps on JavaScript certainly makes life easier for developers, but it also means that you inherit all the problems from running a browser and JS. There’s a joke in there about finally achieving full-stack JavaScript.
The big security problem with Electron is that a simple Cross Site Scripting (XSS) bug is suddenly running in the context of the desktop, instead of the browser. Yes, there is a sandboxing option, but that has to be manually enabled.
And that brings us to the first bug. Neither the sandbox nor the contextIsolation options were set, and so both defaulted to false. What does this setting allow an attacker to do? Because the front-end and back-end JavaScript runs in the same context, it’s possible for an XSS attack to override JS functions. If those functions are then called by the back-end, they have full access to Node.js functions, including exec(), at which point the escape is complete.
Now that we know how to escape Electron’s web browser, what can we use for an XSS attack? The answer is automatic iframe embeds. For an example, just take a look at the exploit demo below. On the back-end, all I have to do is paste in the YouTube link, and the WordPress editor does its magic, automatically embedding the video in an iframe. Discord does the same thing for a handful of different services, one being Sketchfab.
This brings us to vulnerability #2. Sketchfab embeds have an XSS vulnerability. A specially crafted sketchfab file can run some JS whenever a user interacts with the embedded player, which can be shoehorned into discord. We’re almost there, but there is still a problem remaining. This code is running in the context of an iframe, not the primary thread, so we still can’t override functions for a full escape. To actually get a full RCE, we need to trigger a navigation to a malicious URL in the primary pageview, and not just the iframe. There’s already code to prevent an iframe from redirecting the top page, so this RCE is a bust, right?
Enter bug #3. If the top page and the iframe are on different domains, the code preventing navigation never fires. In this case, JavaScript running in an iframe can redirect the top page to a malicious site, which can then override core JS functions, leading to a full escape to RCE.
It’s a very clever chaining of vulnerabilities, from the Discord app, to an XSS in Sketchfab, to a bug within Electron itself. While this particular example required interacting with the embedded iframe, it’s quite possible that another vulnerable service has an XSS bug that doesn’t require interaction. In any case, if you use Discord on the desktop, make sure the app is up to date. And then, enjoy the demo of the attack, embedded below.
The problem is in the FreeType library, regarding how fonts are handled when they contain embedded PNGs. To put it simply, the PNG width and height are stored in the font as 32-bit values, but those values are truncated to 16-bit before the buffer is allocated. After this, the PNG is copied to the buffer, but using the non-truncated values. A check is then performed to make sure the copy didn’t overflow, but unhelpfully, this was checked *after* the copy had taken place. The bug includes a test case, so feel free to go check your devices using that code. It’s not clear how long this bug has existed, but it’s possible it also affects Android’s System WebView, which is much slower to update.
Step-by-step of Chrome Exploit
[Man Yue Mo] recently published a detailed report on a Use-After-Free Chrome bug he discovered back in March, tracked as CVE-2020-6449. What makes this one worth looking at is the detailed account he gives us of the process of developing a working exploit from the bug. The whole account is a masterclass in abusing JavaScript to manipulate the state of the underlying engine. As a bonus, he gives us a link to the PoC exploit code to look at, too.
FBI Warning
The FBI, along with CISA and HHS, has issued a warning (PDF) about an ongoing redoubling of ransomware attacks against US hospitals and other healthcare providers. This attack is using the Trickbot malware and the Ryuk ransomware. They also note the use of DNS tunneling for data exfiltration, and specifically mention Point of Sale systems as a target.
The mitigation steps are particularly interesting in trying to read between the lines here. Before we look too deeply, I have to call out an outdated piece of advice: “Regularly change passwords”. This has been the bane of many users and administrators, and leads to weaker security, not stronger. With that out of the way, let’s look at the other recommendations.
A few recommendations are boiler-plate, like two-factor authentication, install security updates, have backups, etc. I was surprised to see the recommendation to allow local administration, in order to get things working again. What might be the most interesting is the recommendation to take a hard look at any RDP services that are running. Does this mean that some healthcare PoS system is running an out-of-date Windows, with a vulnerable RDP service open to the network by default, and it’s suddenly being targeted? Maybe. I’ve learned not to put too much stock in these advisories, unless actual details are given, and this particular example is quite light on details.
Loginizer’s SQL Injection
The popular Loginizer WordPress plugin is intended to protect your site’s login page from attack. It can add two-factor authentication, CAPTCHAs for repeated login attempts, and even detect brute-force attempts and blacklist the offending IP. That last one is where the problem lies. Incoming login attempts are logged to a SQL database, and that logging wasn’t properly sanitized, nor were prepared statements used. Because of this, the login page was subject to a very simple SQL injection attack. The Lesson? Sanitize your inputs, and use prepared statements! The latest update fixes this, as well as a separate but similar security issue.
What makes this bug novel is that WordPress found it a big enough problem to break the glass and push the big red button labeled “Force Update”. I didn’t know the folks at WordPress had a button that did that, but for particularly bad bugs like this one, it’s a useful capability. A few users complained that this update was installed even though they had auto-updates disabled. It’s a fine line to walk here, but it seems like WordPress should make it clear in the settings that this feature exists, and include a way to opt-out of forced updates like this one.
Enlarge/ Some 250 Covid-19 isolation bays stand at the ready at the Austin Convention Center on August 07, 2020 in Austin, Texas. The cavernous facility was prepared for use as a field hospital for Covid-19 patients. (credit: Getty | John Moore)
The United States recorded nearly 90,000 new coronavirus cases Thursday, the largest single-day total yet in the pandemic.
The record-breaking day comes amid a steady and sharp climb in US cases. The country is experiencing the third and highest peak in cases, and it’s unclear how high the numbers will go. Today may well be another record-breaking day. The country’s seven-day rolling average of daily new cases is now over 76,000, another record in the pandemic.
With more than 88,400 cases Thursday, the US is expected to easily surpass 9 million cases total Friday. Deaths are likely to near 30,000.
Enlarge/ Shozoku and ninjato are encouraged, but not strictly required, in order to compete. (credit: RunCode)
Annual programming competition Runcode.ninja is back again in its fourth year, beginning Friday, November 6. RunCode is a nonprofit organization staffed by volunteers working in their spare time and focused on providing educational opportunities for coders and infosec folks. The online event allows programmers of all experience levels to tackle a wide array of challenges, using any of 14 supported programming languages.
This year, the competition theme is "all things web"—which means that most challenges will have something to do with websites; although the "something" can vary pretty drastically, from user interaction to server log analysis. The event will have more than 30 available challenges, grouped into easy, intermediate, and hard, for competitors to find and upload solutions for.
For each challenge, competitors will be given a problem description, a sample data set, and an expected output to make the desired order and formatting clear. Competitors are expected to generate more test data of their own and thoroughly verify the correctness of their code against all the corner cases they can think of; solutions tested against only the sample data provided will likely fail the challenge. Uploaded code is run in a sandboxed Docker container and its output tested for correctness.
