Hackaday, 4 July 2024

A Second OctoPrint Plugin Has been Falsifying Stats

By: Tom Nardi
4 July 2024 at 11:00

The ongoing story of bogus analytical data being submitted to the public OctoPrint usage statistics has taken a surprising turn with the news that a second plugin was being artificially pushed up the charts. At least this time, the developer of the plugin has admitted to doing the deed personally.

Just to recap, last week OctoPrint creator [Gina Häußge] found that somebody had been generating fictitious OctoPrint usage stats since 2022 in an effort to make the OctoEverywhere plugin appear more popular than it actually was. It was a clever attempt, and had the fake data not reported itself as coming from a significantly out-of-date build of OctoPrint, there’s no telling how long it would have continued. When the developers of the plugin were confronted, they claimed it was an overzealous user operating on their own initiative, and denied any knowledge that the stats were being manipulated in their favor.

Presumably it was around this time that Obico creator [Kenneth Jiang] started sweating bullets. It turns out he’d been doing the same thing, for just about as long. When [Gina] contacted him about the suspicious data she was seeing regarding his plugin, he owned up to falsifying the data and published what strikes us as a fairly contrite apology on the Obico blog. While this doesn’t absolve him of making a very poor decision, we respect that he didn’t try to shift the blame elsewhere.

That said, there’s at least one part of his version of events that doesn’t quite pass the sniff test for us. According to [Kenneth], he first wrote the script that generated the fake data back in 2022 because he suspected (correctly, it turns out) that the developers of OctoEverywhere were doing something similar. But after that, he says he didn’t realize the script was still running until [Gina] confronted him about it.

Now admittedly, we’re not professional programmers here at Hackaday. But we’ve written enough code to be suspicious when somebody claims a script they whipped up on a lark was able to run unattended for two years and never once crashed or otherwise bailed out. We won’t even begin to speculate where said script could have been running since 2022 without anyone noticing…

But we won’t dwell on the minutiae here. [Gina] has once again purged the garbage data from the OctoPrint stats, and hopefully things are finally starting to reflect reality. We know she was already angry about the earlier attempts to manipulate the stats, so she’s got to be seething right about now. But as we said before, these unfortunate incidents are ultimately just bumps in the road. We don’t need any stat tracker to know that the community as a whole greatly appreciates the incredible work she’s put into OctoPrint.


Swapping Vinyl for Cardboard with this ESP32 Turntable

30 June 2024 at 08:00

Cardboard is a surprisingly durable material, especially in its corrugated form. It’s extremely lightweight for its strength, is easy to work, can be folded and formed into almost any shape, is incredibly inexpensive, and when it has done its duty it can be recycled back into more paper. For these reasons, it’s often used in packaging material but it can be used to build all kinds of things outside of ensuring that products arrive at their locations safely. This working cardboard record player is one example.

While the turntable doesn’t have working records in the sense that the music is etched into them like vinyl, each has its own RFID chip embedded that allows the ESP32 in the turntable’s body to identify it. Each record’s tag corresponds to a song stored on an SD card, and the ESP32 plays the matching track. It also takes care of spinning the record itself with a small stepper motor. There are a few other details on this build that tie it together too, including a movable needle arm held on with a magnet and a volume slider.

As far as a building material goes, cardboard is fairly underrated in our opinion. Besides small projects like this turntable, we’ve also seen it work as the foundation for a computer, and it even has the strength and durability to be built into a wall or even used as shelving material. And, of course, it’s a great material to use when prototyping new designs.

Apple May Use Electrical Debonding For Battery Replacement

By: Maya Posch
30 June 2024 at 02:00

As a result of the European Union’s push for greater repairability of consumer devices like smartphones, Apple sees itself forced to make the batteries in the iPhone user-replaceable by 2027. Reportedly, this has led Apple to look at using electroadhesion rather than conventional adhesives which require either heat, isopropyl alcohol, violence, or all of the above to release. Although details are scarce, it seems that the general idea would be that the battery is wrapped in metal, which, together with the inside of the metal case, would allow for the creation of a cationic/anionic pair capable of permanent adhesion with the application of a low-voltage DC current.

This is not an entirely wild idea. Tesa has already commercialized it in the electrical debonding form of its Debonding on Demand product. This uses a tape that’s applied to one side of the (metal) surfaces, with a 5 bar pressure being applied for 5 seconds. Afterwards, the two parts can be released again without residue as shown in the above image. This involves applying a 12V DC voltage for 60 seconds, with the two parts afterward removable without force.

Tesa markets this right alongside the pull tab adhesive strips which are currently all the rage in smartphones, with the opinions on pull strips during battery replacement strongly divided. A bottle of IPA is always good to have nearby when a pull tab inevitably snaps off and you have to pry the battery loose. In that regard electroadhesion for debonding would make life significantly easier since the times when batteries were not a structural part of smartphones are unlikely to return no matter how much we might miss them.

We covered electroadhesion previously, as you can make just about anything stick to anything, including biological tissues to graphite and metal, with potentially interesting applications in robotics and medicine.

Long-Term OctoPrint Stat Manipulation Uncovered

By: Tom Nardi
29 June 2024 at 11:00

Developing free and open source software can be a thankless experience. Most folks do it because it’s something they’re passionate about, with the only personal benefit being the knowledge that there are individuals out there who found your work useful enough to download and install. So imagine how you’d feel if it turns out somebody was playing around with the figures, and the steady growth in the number of installs you thought your software had turned out to be fake.

That’s what happened just a few days ago to OctoPrint developer [Gina Häußge]. Although there’s no question that her software for remotely controlling and monitoring 3D printers is immensely popular within the community, the fact remains that the numbers she’s been using to help quantify that popularity have been tampered with by an outside party. She’s pissed, and has every right to be.

[Gina] discovered this manipulation on June 26th after taking a look at the publicly available usage stats on data.octoprint.org. She noticed that an unusually high number of instances appeared to be running an old OctoPrint release, and upon closer inspection, realized what she was actually seeing was a stream of bogus data that was designed to trick the stat counter. Rolling back the data, she was able to find out this spam campaign has been going on since late 2022. Tens of thousands of the users she thought she’d gained over the last two years were in fact nothing more than garbage spit out by some bot. But why?

Here’s where it gets interesting. Looking at the data being reported by these fake OctoPrint instances, [Gina] could tell the vast majority of them claimed to be running a specific plugin: OctoEverywhere. The perpetrators were clever enough to sprinkle in a random collection of other popular plugins along with it, but this specific plugin was the one most of them had in common. Sure enough this pushed OctoEverywhere to the top of the charts, making it seem like it was the most popular plugin in the community repository.
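The two tells described in this article and the follow-up above (a large cohort stuck on one old release, and nearly every instance in that cohort reporting the same plugin) can be checked mechanically. The following is an added example, not OctoPrint's own stats code or anything from data.octoprint.org; the report records, version strings and plugin names are constructed placeholders, and the thresholds are assumptions. It ranks plugins the way a popularity chart would, flags (version, plugin) pairs whose concentration is implausible for a real user population, and re-draws the chart without the flagged cohort.

```python
from collections import Counter, defaultdict

# Constructed sample of anonymous usage reports: (reported OctoPrint version, plugins listed).
# Not real data.octoprint.org data; version strings and plugin names are placeholders.
def _cohort(version, count, plugins):
    return [(version, list(plugins)) for _ in range(count)]

REPORTS = (
    _cohort("1.10.0", 5, ["plugin-a", "plugin-b"])
    + _cohort("1.10.0", 3, ["plugin-b", "plugin-c"])
    + _cohort("1.9.3", 2, ["plugin-a"])
    + _cohort("1.9.3", 2, ["plugin-a", "plugin-d"])
    # A large cohort on one old release, every instance "running" the same plugin,
    # with a few genuinely popular plugins sprinkled in: the shape the article describes.
    + _cohort("1.7.2", 20, ["suspect-plugin", "plugin-a"])
    + _cohort("1.7.2", 10, ["suspect-plugin", "plugin-d"])
)


def plugin_ranking(reports, exclude_versions=frozenset()):
    """Popularity chart: plugins ordered by the number of instances reporting them.

    exclude_versions re-runs the chart without a cohort you have decided is bogus.
    """
    counts = Counter()
    for version, plugins in reports:
        if version not in exclude_versions:
            counts.update(set(plugins))
    return [name for name, _ in counts.most_common()]


def version_shares(reports):
    """Fraction of all reports claiming each version; an old release with a big share is the first tell."""
    counts = Counter(version for version, _ in reports)
    total = sum(counts.values())
    return {version: n / total for version, n in counts.items()}


def concentrated_plugins(reports, min_cohort=10, inside_min=0.8, outside_max=0.3):
    """Flag (version, plugin) pairs where nearly every instance on one version reports a plugin
    that is rare on every other version. Real user populations are not that uniform.
    Thresholds are assumed values, not anything OctoPrint uses."""
    by_version = defaultdict(list)
    for version, plugins in reports:
        by_version[version].append(set(plugins))
    flags = []
    for version, cohort in by_version.items():
        if len(cohort) < min_cohort:
            continue
        others = [s for v, group in by_version.items() if v != version for s in group]
        for plugin in sorted({p for s in cohort for p in s}):
            inside = sum(plugin in s for s in cohort) / len(cohort)
            outside = sum(plugin in s for s in others) / len(others) if others else 0.0
            if inside >= inside_min and outside <= outside_max:
                flags.append((version, plugin))
    return flags


if __name__ == "__main__":
    print("chart as reported:", plugin_ranking(REPORTS))
    print("version shares:", version_shares(REPORTS))
    flagged = concentrated_plugins(REPORTS)
    print("flagged (version, plugin):", flagged)
    print("chart without flagged cohorts:", plugin_ranking(REPORTS, {v for v, _ in flagged}))
```

On the constructed data the bogus plugin tops the chart as reported, the old release accounts for more than two thirds of all reports, and once the flagged cohort is excluded the chart reverts to the order the genuine reports support. A sprinkling of real plugins in the fake reports does not defeat the check, because those plugins are common outside the cohort too and so never pass the `outside_max` test.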

So what do the developers of OctoEverywhere have to say for themselves? In a statement that [Gina] posted on the OctoPrint blog, they claim they were able to determine a member of the community had performed the stat manipulation of their own accord, but as of this writing are unwilling to release this individual’s identity. A similar statement now appears on the OctoEverywhere website.

On June 27th, Gina Häußge, the developer behind OctoPrint, informed us of an incident involving the OctoPrint usage stats. Gina had observed that the stats were being manipulated to boost OctoEverywhere’s rankings.

We took the report very seriously and quickly started an investigation. Using private community channels, we determined a community member was responsible for manipulating the OctoPrint stats. We had a private conversation with the individual, who didn’t realize the impact they were having but apologized and promised never to do it again.

From a journalistic perspective, it would be inappropriate for us to leap to any conclusions based on the currently available information. But we will say this…we’ve heard more convincing stories on a kindergarten playground. Even if we take the statement at face value, the fact that they were able to figure out who was doing this within 48 hours of being notified would seem to indicate this person wasn’t exactly a stranger to the team.

In any event, the bogus data has now been purged from the system, and the plugin popularity charts are once again showing accurate numbers. [Gina] also says some safeguards have been put into place to help prevent this sort of tampering from happening again. As for OctoEverywhere, it slid back to its rightful place as the 6th most popular plugin, a fact that frankly makes the whole thing even more infuriating — you’d think legitimately being in the top 10 would have been enough.

On Mastodon, [Gina] expressed her disappointment in being fooled into thinking OctoPrint was growing faster than it really was, which we certainly get. But even so, OctoPrint is a wildly popular piece of software that has become the cornerstone of a vibrant community. There’s no question that her work has had an incredible impact on the world of desktop 3D printing, and while this turn of events is frustrating, it will ultimately be little more than a footnote in what is sure to be a lasting legacy.

This Week in Security: Kaspersky Ban, Project Naptime, and More

28 June 2024 at 14:00

The hot news this week is that Kaspersky is banned in the USA. More specifically, Kaspersky products will be banned from sale in the US starting on September 29. This ban will extend to blocking software updates, though it’s unclear how that will actually be accomplished. It’s reasonable to assume that payment processors will block payments to Kaspersky, but will ISPs be required to block traffic that could contain antivirus updates?

WordPress Plugin Backdoor

A quartet of WordPress plugins have been found to have recently included backdoor code. It’s a collection of five Open Source plugins, seemingly developed by unrelated people. Malicious updates first showed up on June 21st, and it appears that all five plugins are shipping the same malicious code.

Rabbit AI API

The Rabbit R1 was released to less than thunderous applause. The idea is a personal AI device, but the execution has been disappointing, to the point of reviewers suggesting some of the earlier claims were fabricated. Now it seems there’s a serious security issue, in the form of exposed API keys that have *way* too many privileges.

The research seems to have been done by the rabbitude group, who found the keys back in May. Of the things allowed by access to the API keys, the most worrying for user privacy was access to every text-to-speech call. Rabbitude states in their June 25 post that “rabbit inc has known that we have had their elevenlabs (tts) api key for a month, but they have taken no action to rotate the api keys.” On the other hand, rabbit pushed a statement on the 26th, claiming they were only then made aware of the issue, and made the needed key rotations right away.

MOVEit is Back

Last year’s severe vulnerability in the MOVEit file transfer server led to some big-deal compromises in 2023 and 2024. MOVEit is back, this time disclosing an authentication bypass. The journey to finding this vulnerability starts with an exception, thrown whenever an SSH connection is attempted with a public key.

…the server is attempting to open the binary data representing our auth material, as a file path, on the server.

Uh-oh. There’s no way that’s good. What’s worse, that path can be an external SMB path. That’s even worse. This behavior does depend on the incoming connection referencing a valid username, but this has the potential to enable password stealing, pass-the-hash attacks, and username mapping. So what’s actually going on here? The SSH server used here is IPWorks SSH, which has some useful additions to SSH. One of these additions seems to be an odd delegated authentication scheme that goes very wrong in this case.

The attack flow goes like this: Upload a public SSH key to any location on the MOVEit server, log in with any valid username, signing the connection with the uploaded key, and send the file location of the uploaded key instead of an actual key. The server pulls the key, makes sure it matches, and lets you in. The only pesky bit is how to upload a key without an account. It turns out that the server supports PPK keys, and those survive getting written to and read from the system logs. Ouch.

The flaws got fixed months ago, and a serious effort has been carried out to warn MOVEit customers and get them patched. On the other hand, a full Proof of Concept (PoC) is now available, and Internet monitoring groups are starting to see the attack being attempted in the wild.

Cat File: Pop Calc

We all know not to trust files from the Internet. Don’t execute the script, don’t load the spreadsheet, and definitely don’t install the package. But what about running cat or strings on an untrusted file? Apparently the magic of escape sequences makes those dangerous too. The iTerm2 terminal was accidentally set to allow “window title reporting”, or copying the window title to the command line. Another escape code can set that value, making for an easy way to put an arbitrary command on the command line. One more quirk in the form of tmux integration allowed the injection of a newline, running the arbitrary command. Whoops. Versions 3.5.0 and 3.5.1 are the only iTerm2 versions that are vulnerable, with version 3.5.2 containing the fix.
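The defensive habit this story argues for is to never let raw bytes from an untrusted file reach the terminal, and to check a file for escape sequences before looking at it at all. The following is an added example, not code from iTerm2 or from the advisory: a detector for ESC and C1 controls in a byte string, and a `cat -v` style renderer that turns every control byte into visible caret or hex notation so that OSC, CSI and similar sequences are displayed as text rather than interpreted. The sample file content is constructed.

```python
import re

# ESC (0x1B) starts every 7-bit escape sequence; the C1 controls (U+0080..U+009F, which include
# CSI and OSC) reach a UTF-8 terminal as C2 80..C2 9F. Raw 0x80..0x9F bytes are deliberately not
# matched: in UTF-8 text they are ordinary continuation bytes and would only cause false positives.
_CONTROL_RE = re.compile(rb"\x1b|\xc2[\x80-\x9f]")


def has_control_sequences(data: bytes) -> bool:
    """True if the bytes contain ESC or a UTF-8 C1 control: anything a terminal might act on."""
    return _CONTROL_RE.search(data) is not None


def sanitize_for_terminal(data: bytes, keep_tabs: bool = True) -> str:
    """Render untrusted bytes so that nothing a terminal could interpret survives.

    Printable ASCII and newlines pass through; other control bytes become caret notation
    (ESC -> ^[, BEL -> ^G, DEL -> ^?, like cat -v) and every non-ASCII byte becomes \\xNN,
    so an OSC or CSI sequence is shown as text instead of being executed.
    """
    out = []
    for b in data:
        if b == 0x0A or (keep_tabs and b == 0x09):
            out.append(chr(b))
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


# Constructed sample: a "text" file carrying an OSC title-set sequence and a CSI colour sequence.
SAMPLE = b"README\n\x1b]0;title\x07normal text \x1b[31mred\x1b[0m\n"

if __name__ == "__main__":
    print("control sequences present:", has_control_sequences(SAMPLE))
    print(sanitize_for_terminal(SAMPLE), end="")
```

The renderer is a triage tool, not a pretty-printer: it also hex-escapes legitimate UTF-8 text, which is the right trade-off when you do not yet know what a file is. Use the detector first; if it fires on something that claims to be plain text, that alone is worth noting.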

Putting LLM to Work During Naptime

There’s been a scourge of fake vulnerability reports, where someone has asked ChatGPT to find a vulnerability in a project with a bug bounty. First off, don’t do this. But second, it would be genuinely useful if an LLM could actually find vulnerabilities. This idea intrigued researchers at Google’s Project Zero, so they did some research, calling it “Project Naptime”, in a playful reference to napping while the LLM works.

The secret sauce seems to be in extending an LLM to look at real code, to run Python scripts in a sandbox, and to have access to a debugger. The results were actually encouraging: an LLM could eventually be a useful tool. It’s not gonna replace the researcher, but it won’t surprise me to cover vulnerabilities found by an LLM instead of a fuzzing tool. Or maybe that’s an LLM-guided fuzzer?

Github Dishes on Chrome RCE

GitHub’s [Man Yue Mo] discovered and reported CVE-2024-3833 in Chrome back in March, a fix was released in April, and it’s now time to get the details. This one is all about how object cloning and code caching interact. Cloning an object in a particular circumstance ends up with an object that exists in a superposition between having unused property fields and yet a full property array. Or put simply, the internal object state incorrectly indicates there is unused allocated memory. Try to write a new property, and it’s an out-of-bounds write.

The full exploit is involved, but the whole thing includes a sandbox escape as well, using overwritten WebAssembly functions. Impressive stuff.

Bits and Bytes

[Works By Design] is taking a second crack at building an unpickable lock. This one has some interesting features, like a ball-bearing spring system that should mean that levering one pin into place encourages the rest to drop out of position. A local locksmith wasn’t able to pick it, given just over half-an-hour. The real test will be what happens when [LockPickingLawyer] gets his hands on it, which is still to come.

GitLab just fixed a critical issue that threatened to let attackers run CI pipelines as arbitrary users. The full details aren’t out yet, but CVE-2024-5655 weighs in at a CVSS 9.6, and GitLab is “strongly recommending” immediate updates.

FLOSS Weekly Episode 789: You Can’t Eat the Boards

26 June 2024 at 23:00

This week Jonathan Bennett and Doc Searls chat with Igor Pecovnik and Ricardo Pardini about Armbian, the Debian-based distro tailor made for single-board computers. There’s more than just Raspberry Pi to talk about, with the crew griping about ancient vendor kernels, the less-than-easy ARM boot process, and more!

https://www.armbian.com/
https://github.com/armbian

Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.


Paul Allen’s Living Computers Museum and Labs to be Auctioned

By: Maya Posch
26 June 2024 at 02:00

After the Living Computers museum in Seattle closed in 2020 with the pandemic, like so many museums and businesses, there were many who feared that it might not open again. Four years later this fear has become reality, as the entire inventory of Living Computers: Museum + Labs (LCM+L for short) is being auctioned off. This occurs only 12 years after the museum and associated educational facilities were opened to the public. Along with Allen’s collection at the LCM+L, other items that he had been collecting until his death in 2018 will also be auctioned at Christie’s, for a grand total of 150 items in the Gen One: Innovations from the Paul G. Allen Collection.

In 2022 Allen’s art collection had seen the auction block, but this time it would seem that the hammer has come for this museum. Unique about LCM+L was that it featured vintage computing systems that visitors could interact with and use much like they would have been used back in the day, rather than being merely static display pieces, hence the ‘living computers’ part. Although other vintage computing museums in the US and elsewhere now also allow for such interactive displays, it’s sad to see the only major vintage computing museum in Washington State vanish.

Hopefully the items being auctioned will find loving homes, ideally at other museums and with collectors who aren’t afraid to keep the educational spirit of LCM+L alive.

Thanks to [adistuder] for the tip.

Top image: A roughly 180° panorama of the “conditioned” room of the Living Computer Museum, Seattle, Washington, USA. Taken in 2014. (Credit: Joe Mabel)

TSMC’s Long Path From Round to Square Silicon Wafers

By: Maya Posch
23 June 2024 at 14:00
Crystal of Czochralski-grown silicon.

Most of us will probably have seen semiconductor wafers as they trundle their way through a chip factory, and some of us may have wondered why they are round. This roundness is an obvious problem when one considers that the chip dies themselves are rectangular, meaning that a significant number of the dies etched into the wafers end up being incomplete and thus wasted, especially with (expensive) large dies. This is not a notion which has escaped the attention of chip manufacturers like TSMC, which is reportedly studying a way to make square substrates a reality.

According to the information provided to Nikkei Asia by people with direct knowledge, 510 mm x 515 mm substrates are currently being trialed which would replace the current standard 12″ (300 mm) round wafers. For massive dies such as NVIDIA’s H200 (814 mm²), this means that approximately three times as many would fit per wafer. When this technology will go into production is unknown, but there exists significant incentive in the current market to make it work.

As for why wafers are round, this is because of how these silicon wafers are produced, using the Czochralski method, named after Polish scientist [Jan Czochralski] who invented the method in 1915. This method results in rod-shaped crystals which are then sliced up into the round wafers we all know and love. Going square is thus not inherently impossible, but it will require updating every step of the process and the manufacturing line to work with this different shape.

Nearly 30 Years of FreeDOS and Looking Ahead to the Future

By: Maya Posch
23 June 2024 at 08:00
Blinky, the friendly FreeDOS mascot.

The first version of FreeDOS was released on September 16, 1994, following Microsoft’s decision to cease development on MS-DOS in favor of Windows. This version 0.01 was still an Alpha release, with 0.1 from 1998 the first Beta and the first stable release (1.0, released on September 3, 2006) still a while off. Even so, its main developer [Jim Hall] and the like-minded developers on the FreeDOS team managed to put together a very functional DOS using a shell, kernel and other elements which already partially existed before the FreeDOS (initially PD-DOS, for Public Domain DOS) idea was pitched by [Jim].

Nearly thirty years later, [Jim] reflects on these decades, and the strong uptake of what to many today would seem to be just a version of an antiquated OS. When it comes to embedded and industrial applications, of course, a simple DOS is all you want and need, not to mention for a utility you boot from a USB stick. Within the retro computing community FreeDOS has proven to be a boon as well, allowing for old PCs to use a modern DOS rather than being stuck on a version of MS-DOS from the early 90s.

For FreeDOS’ future, [Jim] is excited to see what other applications people may find for this OS, including as a teaching tool on account of how uncomplicated FreeDOS is. In a world of complicated OSes that no single mortal can comprehend any more, FreeDOS is really quite a breath of fresh air.

This Week in Security: Chat Control, Vulnerability Extortion, and Emoji Malware

21 June 2024 at 14:00

Way back in 2020, I actually read the proposed US legislation known as EARN IT, and with some controversy, concluded that much of the criticism of that bill was inaccurate. Well what’s old is new again, except this time it’s the European Union that’s wrestling with how to police online Child Sexual Abuse Material (CSAM). And from what I can tell of reading the actual legislation (pdf), this time it really is that bad.

The legislation lays out two primary goals, both of them problematic. The first is detection, or what some are calling “upload moderation”. The technical details are completely omitted here, simply stating that services “… take reasonable measures to mitigate the risk of their services being misused for such abuse …” The implication here is that providers would do some sort of automated scanning to detect illicit text or visuals, but exactly what constitutes “reasonable measures” is left unspecified.

The second goal is the detection order. It’s worth pointing out that interpersonal communication services are explicitly mentioned as required to implement these goals. From the bill:

Providers of hosting services and providers of interpersonal communications services that have received a detection order shall execute it by installing and operating technologies approved by the Commission to detect the dissemination of known or new child sexual abuse material or the solicitation of children…

This bill is careful not to prohibit end-to-end encryption, nor require that such encryption be backdoored. Instead, it requires that the apps themselves be backdoored, to spy on users before encryption happens. No wonder Meredith Whittaker has promised to pull the Signal app out of the EU if it becomes law. As this scanning is done prior to encryption, it’s technically not breaking end-to-end encryption.

You may wonder why that’s such a big deal. Why is it a non-negotiable for the Signal app to not look for CSAM in messages prior to encryption? For starters, it’s a violation of user trust and an intentional weakening of the security of the Signal system. But maybe most importantly, it puts a mechanism in place that will undoubtedly prove too tempting for future governments. If Signal can be forced into looking for CSAM in the EU, why not anti-government speech in China?

This story is ongoing, with the latest news that the EU has delayed the next step in attempting to ratify the proposal. It’s great news, but the future is still uncertain. For more background and analysis, see our conversation with the minds behind Matrix, on this very topic:

Bounty or Extortion?

A bit of drama played out over Twitter this week. The Kraken cryptocurrency exchange had a problem where a deposit could be interrupted, and funds added to the Kraken account without actually transferring funds to back the deposit. A security research group, which turned out to be the CertiK company, discovered and disclosed the flaw via email.

Kraken Security Update:

On June 9 2024, we received a Bug Bounty program alert from a security researcher. No specifics were initially disclosed, but their email claimed to find an “extremely critical” bug that allowed them to artificially inflate their balance on our platform.

— Nick Percoco (@c7five) June 19, 2024

All seemed well, and the Kraken team managed to roll a hotfix out in an impressive 47 minutes. But things got weird when they cross referenced the flaw to see if anyone had exploited it. Three accounts had used it to duplicate money. The first use was for all of four dollars, which is consistent with doing legitimate research. But additionally, there were more instances from two other users, totaling close to $3 million in faked transfers — not to mention transfers of *real* money back out of those accounts. Kraken asked for the details and the money back.

According to the Kraken account, the researchers refused, and instead wanted to arrange a call with their “business development team”. The implication is that the transferred money was serving as a bargaining chip to request a higher bug bounty payout. According to Kraken, that’s extortion.

There is a second side to this story, of course. CertiK has a response on their x.com account where they claim to have wanted to return the transferred money, but they were just testing Kraken’s risk control system. There are things about this story that seem odd. At the very least, it’s unwise to transfer stolen currency in this way. At worst, this was an attempt at real theft that was thwarted. The end result is that the return of the funds was eventually completed.

There are two fundamental problems with vuln disclosure/bounty:
#1 companies think security researchers are trying to extort them when they are not
#2 security researchers trying to extort companies https://t.co/I7vnk3oXi5

— Robert Graham 𝕏 (@ErrataRob) June 20, 2024

Report Bug, Get Nastygram

For the other side of the coin, [Lemon] found a trivial flaw in a traffic controller system. After turning it in, he was rewarded with an odd letter that was a combination of “thank you” and your work “may have constituted a violation of the Computer Fraud and Abuse Act”. This is not how you respond to responsible disclosure.

I received my first cease and desist for responsibly disclosing a critical vulnerability that gives a remote unauthenticated attacker full access to modify a traffic controller and change stoplights. Does this make me a Security Researcher now? pic.twitter.com/ftW35DxqeF

— Lemon (@Lemonitup) June 18, 2024

Emoji Malware

We don’t talk much about malware in South Asia, but this is an interesting one. DISGOMOJI is a malware attributed to a Pakistani group, mainly targeting government Linux machines in India. What really makes it notable is that the command and control system uses emoji in Discord channels. The camera emoji instructs the malware to take a screenshot. A fox triggers a hoovering of the Firefox profiles, and so on. Cute!

Using Roundcube to break PHP

This is a slow-moving vulnerability, given that the core is a 24-year-old buffer overflow in iconv() in glibc. [Charles Fol] found this issue, which can pop up when using iconv() to convert to the ISO-2022-CN-EXT character set, and has been working on how to actually trigger the bug in a useful way. Enter PHP. OK, that’s not entirely accurate, since the crash was originally found in PHP. It’s more like we’re giving up on finding something else, and going back to PHP.

The core vulnerability can only overwrite one, two, or three bytes past the end of a buffer. To make use of that, the PHP bucket structure can be used. This is a growable doubly-linked list that is used for data handling. Chunked HTTP messages can be used to build a multi-bucket structure, and triggering the iconv() flaw overwrites one of the pointers in that structure. Bumping that pointer by a few bytes lands in attacker controlled data, which can land in a fake data structure, and continuing the dechunking procedure gives us an arbitrary memory write. At that point, a function pointer just has to be pointed at system() for code execution.

That’s a great theoretical attack chain, but actually getting there in the wild is less straightforward. There has been a notable web application identified that is vulnerable: Roundcube. Upon sending an email, the user can specify the addresses, as well as the character set parameter. Roundcube makes an iconv() call, triggering the core vulnerability. And thus an authenticated user has a path to remote code execution.

Bits and Bytes

Speaking of email, do you know the characters that are allowed in an email address? Did you know that the local user part of an email address can be a quoted string, with many special characters allowed? I wonder if every mail server and email security device realizes that quirk? Apparently not, at least in the case of MailCleaner, which had a set of flaws allowing such an email to lead to full appliance takeover. Keep an eye out for other devices and applications to fall to this same quirk.
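The quirk is easier to respect once you have parsed the grammar yourself. The following is an added example, not MailCleaner code or anything from the advisory: a parser for the RFC 5321 addr-spec that accepts both the dot-string and the quoted-string form of the local part, a naive pattern of the kind many products use for comparison, and a helper that hands a validated address to an external tool as a single argv element rather than splicing it into a shell command line. The tool path is a placeholder and the addresses are constructed.

```python
import re

# atext per RFC 5322/5321: the characters allowed in an unquoted local-part atom.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# The kind of check many front ends use; it does not know quoted local parts exist.
NAIVE_RE = re.compile(r"^[\w.+-]+@[\w.-]+$")


class AddressError(ValueError):
    pass


def parse_addr_spec(addr: str):
    """Parse an RFC 5321 addr-spec into (local_part, domain, was_quoted).

    The local part is either a dot-string of atoms or a quoted-string; inside the quotes
    almost any printable character (space, ; | & $ ` and even an escaped quote) is legal.
    """
    if not addr or len(addr) > 254:
        raise AddressError("empty or overlong address")
    if addr.startswith('"'):
        chars, i = [], 1
        while True:
            if i >= len(addr):
                raise AddressError("unterminated quoted local part")
            c = addr[i]
            if c == '"':
                i += 1
                break
            if c == "\\":                       # quoted-pair: backslash + any printable
                i += 1
                if i >= len(addr) or not 32 <= ord(addr[i]) <= 126:
                    raise AddressError("bad quoted-pair")
                chars.append(addr[i])
            elif 32 <= ord(c) <= 126:           # qtextSMTP: printable except '"' and '\'
                chars.append(c)
            else:
                raise AddressError("control or non-ASCII character in quoted local part")
            i += 1
        local, quoted, rest = "".join(chars), True, addr[i:]
    else:
        at = addr.find("@")                     # '@' is not atext, so the first one ends the local part
        if at < 0:
            raise AddressError("missing @")
        local, quoted, rest = addr[:at], False, addr[at:]
        for atom in local.split("."):
            if not atom or any(ch not in ATEXT for ch in atom):
                raise AddressError("invalid dot-string local part")
    if not rest.startswith("@"):
        raise AddressError("expected @ after local part")
    domain = rest[1:]
    if not all(LABEL_RE.match(label) for label in domain.split(".")):
        raise AddressError("invalid domain")
    if len(local) > 64:
        raise AddressError("local part too long")
    return local, domain, quoted


def naive_accepts(addr: str) -> bool:
    """What a regex-only validator would say about the same address."""
    return NAIVE_RE.match(addr) is not None


def recipient_argv(addr: str, tool: str = "/opt/example/deliver"):
    """Hand a validated address to an external tool as one argv element.

    The decoded local part keeps every special character the sender put there. Building
    a shell string (f"{tool} {addr}" with shell=True) is precisely how this grammar quirk
    becomes command injection; an argv list never goes through a shell at all.
    The tool path is a hypothetical placeholder.
    """
    parse_addr_spec(addr)                       # reject anything that is not a valid addr-spec
    return [tool, "--to", addr]
```

The interesting cases are the ones where `parse_addr_spec` and `naive_accepts` disagree: an address the front-end filter rejects but a downstream RFC-compliant component happily decodes (or the reverse) is exactly where an appliance ends up processing input its authors never imagined.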

Nextcloud has a pair of vulnerabilities to pay attention to, with the first being an issue where a user with read and share permissions to an object could reshare it with additional permissions. The second is more troubling, giving an attacker a potential method to bypass a two-factor authentication requirement. Fixes are available.

Pointed out by [Herr Brain] on Hackaday’s Discord, we have a bit of bad news about the Arm Memory Tagging Extension (MTE) security feature. Namely, speculative execution can reveal the needed MTE tags about 95% of the time. While this is significant, there is a bit of a chicken-and-egg problem for attackers, as MTE is primarily useful to prevent running arbitrary code at all, which is the most straightforward way to achieve a speculative attack to start with.

And finally, over at Google Project Zero, [Seth Jenkins] has a report on finding vulnerabilities in the kernel drivers of a trio of Android devices. In each case, the vulnerable drivers can be accessed from unprivileged applications. [Seth]’s opinion is that as the Android core code gets tighter and more secure, these third-party drivers of potentially questionable code quality will quickly become the target of choice for attack.

FLOSS Weekly Episode 788: Matrix, It’s Git, for Communications

19 June 2024 at 23:00

This week Jonathan Bennett and Simon Phipps chat with Matthew Hodgson and Josh Simmons about Matrix, the open source decentralized communications platform. How is Matrix a Git for Communications? Are the new EU and UK laws going to be a problem? And how is the Matrix project connected with the Element company?

https://matrix.org/blog
https://element.io/

Did you know you can watch the live recording of the show right in the Hackaday Discord? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Bent Shaft Isn’t a Bad Thing for This Pericyclic Gearbox

19 June 2024 at 08:00

With few exceptions, power transmission is a field where wobbling is a bad thing. We generally want everything running straight and true, with gears and wheels perfectly perpendicular to their shafts, with everything moving smoothly and evenly. That’s not always the case, though, as this pericyclic gearbox demonstrates.

Although most of the components in [Retsetman]’s model gearbox seem familiar enough — it’s mostly just a collection of bevel gears, like you’d see inside a differential — it’s their arrangement that makes everything work. More specifically, it’s the shaft upon which the bevel gears ride, which has a section that is tilted relative to the axis of the shaft. It’s just a couple of degrees, but that small bit of inclination, called nutation, makes the ring gear riding on it wobble as the shaft rotates, allowing it to mesh with one or more ring gears that are perpendicular to the shaft. This engages a few teeth at a time, transferring torque from one gear to another. It’s easier to visualize than it is to explain, so check out the video below.

Gearboxes like these have a lot of interesting properties, with the main one being gear ratio. [Retsetman] achieved a 400:1 ratio with just 3D printed parts, which of course impose their own limitations. But he was still able to apply some pretty serious torque. The arrangement is not without its drawbacks, of course, with the wobbling bits naturally causing unwelcome vibrations. That can be mitigated to some degree using multiple rotating elements that offset each other, but that only seems to reduce vibration, not eliminate it.

[Retsetman] is no stranger to interesting gearboxes, of course, with his toothless magnetic gearboxes coming to mind. And this isn’t the only time we’ve seen gearboxes go all wobbly, either.

Thanks to [Keith Olson] for the tip.

Design Review: Switching Regulator Edition

18 June 2024 at 14:00

This article was prompted by a friend of mine asking for help on a board with an ESP32 heart. The board outputs 2.1 V instead of 3.3 V, and it doesn’t seem like incorrectly calculated feedback resistors are to blame – let’s take a look at the layout. Then, let’s also take a look at a recently sent-in design review entry, based on an IC that looks perfect for all your portable Raspberry Pi needs!

What Could Have Gone Wrong?

Here’s the board in all its two-layer glory. This is the kind of board you can use to drive 5 V or 12 V Neopixel strips with a firmware like WLED – exactly the kind of gadget you’ll want to use for LED strip experiments! 3.3 V power is provided by a Texas Instruments TPS54308 IC, and it’s the one misfiring, so let’s take a look.

The design has an ESP32 on the opposite side of the switching regulator. For review purposes, let’s pull the regulator circuit out – disable all front layers (copper, silk, mask, courtyard and paste), hide vias, then box select the regulator circuit and move it out. I’ve also added net labels to the circuit – here’s a screenshot.

There are things done right here, for sure, and a few things that could be the culprit in improper regulation. If you want hints, see the TPS54308 datasheet, page 22, for layout recommendations. Both SW and FB nodes are pretty long, and the FB trace runs right next to VOUT – before regulation.

Furthermore, from the pinout and also the layout recommendations, it appears this regulator is designed so that all switching circuitry can be kept on one side of the chip. Yet this design has the inductor go all the way over to the supposedly sensitive side. Thankfully, this is easy to fix.

Refresher – FB and SW traces have to be as short as possible, the inductor as close to SW as possible, and the VOUT to FB connection can be a separate track on the other layer. With that in mind, let’s move the inductor to the other side of the regulator, move the FB resistors to the FB pin, and see how far we get.

My Take Versus TI’s Recommendation

This is my take. FB resistors moved to one side, switching components to the other, VOUT track on another layer. Add capacitors and vias as necessary, and pull tracks under components to get extra ground connections if needed. Of course, ideally, SW would be a copper polygon, and so would be VOUT. I’m also showing how EN could be pulled out, in case you needed that – in this particular schematic, EN can be safely left floating, but most regulators will want you to pull it either to VIN or to GND.

Since this is a TI chip, it also has a diagram for the layout recommendation! Let’s take a look at how far off the mark we are, and it appears we aren’t that far. Curiously, it wants us to put SW onto another layer. Having switching current pass through extra inductance doesn’t sit right with me, personally, but my guess is that they want to minimize switching current flowing under the regulator, as the recommendation suggests.

Another part that’s curious to me is a suggestion for a Kelvin connection for the FB net’s GND pin. TI also publishes data for evaluation boards, and the TPS54308 has such a board indeed. Looking at page 13 of the evaluation board datasheet, I’m not quite seeing a Kelvin connection, unless Kelvin is the name of the engineer involved in designing the board. I do see that GND is tapped with a via far away from the area where switching happens, so it might just be that.

At this point, I’m curious whether my take is a dealbreaker, but since TI’s recommendations are available, I might just end up implementing exactly that and sending the files back. So, we take this circuit, implant it back into the board, order a new revision, and keep our fingers crossed.

A Pi-suited UPS, On A Stamp

A week ago, [Lukilukeskywalker] shared a board with us, asking for a design review. The board is a stamp that houses an LTC4040 chip, and the chip itself is a treat. It takes 5 V in, outputs 5 V, and when a battery is connected, it generates 5 V from that battery. It supports regular LiIon cells, can do up to 2.5 A, and appears to be a perfect option if you want to power a Raspberry Pi or any other 5 V-powered SBC on the go.

There are a few small nits to pick on this board. For instance, the connector for the battery is JST-SH, 3-pin, with one pin for BATT+. 2.5 A at 5 V means 12.5 W, which means up to 4 A at a 3.5 V battery voltage, and that might just melt a JST-SH connector or the gauge of wire you can attach to a JST-SH-sized metal contact. However, it’s switching regulator time, so let’s take a look at that specifically.

Here’s another thing you might notice immediately – a lack of ground path from the IC’s ground connections all the way under the switching path. In particular, the switching path is broken by a few traces, and it doesn’t appear that these traces must be there! Page 22 in the LTC4040 datasheet, which lists the layout recommendations, also stresses this, elaborating that “High frequency currents in the hot loop tend to flow along a mirror path on the ground plane which is directly beneath the incident path on the top plane of the board”.

Well, there are only two tracks that really interrupt the switching path above them, and both could be moved to the left. One of them is for a resistor that sets the charging current limit, and another goes to a castellated pad. Moving the latter is going to break the symmetry, but remember – it’s okay for a stamp to be asymmetric, that helps you ensure it’s mounted on your board correctly!

Sadly, while Linear Tech makes fancy tech, their evaluation board data isn’t as available as TI’s – there’s a PDF with schematics, but no layout data I could find. However, comparing to the pictures, you can see that the general layout of the switching area is correct, our hacker correctly uses polygons, the feedback circuit is pretty nice – it’s just these two tracks that are a bit uncouth when it comes to the switching regulator part of it. As for reviewing the rest of the board, you can read this article!

Towards A Powerful Future

Got switching regulator designs that didn’t quite work right when you put them to test, or that you’re yet to order and feel cautious about? Show them to us down below in the comments, and let’s take a look; your circuits deserve to operate at their best capacity possible.

And, as usual, if you would like a design review for your board, submit a tip to us with [design review] in the title, linking to your board files. KiCad design files strongly preferred, both repository-stored files (GitHub/GitLab/etc) and shady Google Drive/Dropbox/etc .zip links are accepted.

TDK Claims Solid State Battery with 100X Energy Density

18 June 2024 at 11:00

Regulations surrounding disposable batteries have accelerated a quiet race to replace coin cells, which on the whole are not readily rechargeable. TDK produces solid-state batteries and has announced a new material that claims an energy density of about 100 times that of their conventional batteries.

Energy density measures how much energy a system contains relative to its volume. The new battery has 1000 Wh/L. For comparison, old nickel-cadmium cells had about 150 Wh/L. A typical lithium-ion battery usually turns in about 200 – 250 Wh/L.

There aren’t many technical details, but a few things caught our interest. For one, it uses an oxide-based solid electrolyte and lithium alloy anodes. However, what really caught our eye was that it is “intended for use in wearables… that come in direct contact with the human body.” We don’t know if that means the material is safe for your skin or if it depends on being next to your body to operate.

While the energy density is high, keep in mind that batteries of this type are usually tiny, so the total energy actually available is probably not very high. Tiny batteries are definitely a thing. We are always hearing about breakthroughs, but we always wonder if and when we’ll see actual products.

McDonald’s Terminates Its Drive-Through Ordering AI Assistant

By: Maya Posch
18 June 2024 at 08:00

McDonald’s recently announced that it will be scrapping the voice-assistant which it has installed at over 100 of its drive-throughs after a two-year trial run. In the email that was sent to franchises, McDonald’s did say that they are still looking at voice ordering solutions for automated order taking (AOT), but it appears that for now the test was a disappointment. Judging by the many viral videos of customers struggling to place an order through the AOT system, it’s not hard to see why.

This AOT attempt began when in 2019 McDonald’s acquired AI company Apprente to create its McD Tech Labs, only to sell it again to IBM who then got contracted to create the technology for McDonald’s fast-food joints. When launched in 2021, it was expected that McDonald’s drive-through ordering lanes would eventually all be serviced by AOT, with an experience akin to the Alexa and Siri voice assistants that everyone knows and loves (to yell at).

With the demise of this test at McDonald’s, it would seem that the biggest change is likely to be in the wider automation of preparing fast-food instead, with robots doing the burger flipping and freedom frying rather than a human. That said, would you prefer the McD voice assistant when going through a Drive-Thru® over a human voice?

The US Surgeon General’s Case for a Warning Label on Social Media

By: Maya Posch
18 June 2024 at 02:00
Credit: Xinmei Liu

The term ‘Social Media’ may give off a benign vibe, suggesting that it’s a friendly place where everyone is welcome to be themselves, yet reality has borne out that it is anything but. This is the reason why the US Surgeon General [Dr. Vivek H. Murthy] is pleading for a health warning label on social media platforms. Much like with warnings on tobacco products, it’s not expected that such a measure would make social media safe for children and adolescents, but would remind them and their parents about the risks of these platforms.

While this may sound dire for what is at its core about social interactions, there is a growing body of evidence to support the notion that social media can negatively impact mental health. A 2020 systematic review article in Cureus by [Fazida Karim] and colleagues found anxiety and depression to be the most notable negative psychological health outcomes. A 2023 editorial in BMC Psychology by [Ágnes Zsila] and [Marc Eric S. Reyes] concurs with this notion, while contrasting these cons of social media with the pros, such as giving individuals an online community where they feel that they belong.

Ultimately, it’s important to realize that social media isn’t the end-all, be-all of online social interactions. There are still many dedicated forums, IRC channels and newsgroups far away from the prying eyes and social pressure of social media to act out a personality. Having more awareness of how social interactions affect oneself and/or one’s children is definitely essential, even if we’re unlikely to return to the ‘never give out your real name’ days of the pre-2000s Internet.

Voyager 1 Once Again Returning Science Data From All Four Instruments

By: Maya Posch
15 June 2024 at 11:00

As humanity’s furthest reach into the Universe so far, the two Voyager spacecraft’s well-being is of utmost importance to many. Although we know that there will be an end to any science mission, the recent near-death experience by Voyager 1 was a shocking event for many. Now it seems that things may have more or less returned to normal, with all four remaining scientific instruments now back online and returning information.

Since the completion of Voyager 1’s primary mission over 43 years ago, five of its instruments (including the cameras) were disabled to cope with its diminishing power reserves, with two more instruments failing. This left the current magnetometer (MAG), charged particle (LECP) and cosmic ray (CRS) instruments, as well as the plasma wave subsystem (PWS). These are now all back in operation based on the returned science data after the Voyager team confirmed previously that they were receiving engineering data again.

With Voyager 1 now mostly back to normal, some housekeeping is necessary: resynchronizing the onboard time, as well as maintenance on the digital tape recorder. This will ensure that this venerable spacecraft will be all ready for its 47th anniversary this fall.

Thanks to [Mark Stevens] for the tip.

This Week in Security: Unicode Strikes Again, Trust No One (Redditor), and More

14 June 2024 at 14:00

There’s a popular sysadmin meme that system problems are “always DNS”. In the realm of security, it seems like “it’s always Unicode”. And it’s not hard to see why. Unicode is the attempt to represent all of Earth’s languages with a single character set, and that means there’s a lot of very similar characters. The two broad issues are that human users can’t always see the difference between similar characters, and that libraries and applications sometimes automatically convert exotic Unicode characters into more traditional text.

This week we see the resurrection of an ancient vulnerability in PHP-CGI, which allows injecting command line switches when a web server launches an instance of PHP-CGI. The original fix was to block some characters in specific places in query strings, like a query string starting with a dash.

The bypass is due to a Windows feature, “Best-Fit”, an automatic down-convert from certain Unicode characters. This feature works on a per-locale basis, which means that not every system language behaves the same. The exact bypass that has been found is the conversion of a soft hyphen, which doesn’t get blocked by PHP, into a regular hyphen, which can trigger the command injection. This quirk only happens when the Windows locale is set to Chinese or Japanese. Combined with the relative rarity of running PHP-CGI, and PHP on Windows, this is a pretty narrow problem. The XAMPP install does use this arrangement, so those installs are vulnerable, again if the locale is set to one of these specific languages. The other thing to keep in mind is that the Unicode character set is huge, and it’s very likely that there are other special characters in other locales that behave similarly.
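An added example, not from the article, PHP or Windows, of why checking the string before a lossy conversion is the wrong order. `BEST_FIT` is a constructed stand-in for the per-locale Windows table the article describes and carries only the soft-hyphen case mentioned there; the filter modelled is the “no leading dash” rule.

```python
"""Best-Fit down-conversion defeating a character filter."""

SOFT_HYPHEN = "\u00ad"
BEST_FIT = {SOFT_HYPHEN: "-"}          # constructed stand-in, one entry only


def best_fit_convert(text: str) -> str:
    """Mimic a lossy charset conversion: characters with a 'best fit' are
    replaced, everything else passes through unchanged."""
    return "".join(BEST_FIT.get(c, c) for c in text)


def starts_with_dash(text: str) -> bool:
    return text.startswith("-")


def vulnerable_pipeline(query: str):
    """Filter first, convert second.  Returns the value the next stage
    receives, or None if the filter blocked the request.  A soft hyphen
    passes the filter and only becomes '-' afterwards."""
    if starts_with_dash(query):
        return None
    return best_fit_convert(query)


def hardened_pipeline(query: str):
    """Two independent fixes: refuse anything outside ASCII (Best-Fit can
    only change non-ASCII input), and re-run the filter on the converted
    value, i.e. on what the consumer actually sees."""
    if not query.isascii():
        return None
    converted = best_fit_convert(query)
    if starts_with_dash(converted):
        return None
    return converted


def suspicious_query(query: str) -> bool:
    """Detection helper for web logs: flag a query string that contains any
    code point the conversion table would turn into a filtered character."""
    return any(c != "-" and BEST_FIT.get(c, c) == "-" for c in query)


if __name__ == "__main__":
    # Constructed inputs: a blocked dash, the soft-hyphen bypass, and a benign string.
    for q in ["-option", SOFT_HYPHEN + "option", "plain"]:
        print(repr(q), vulnerable_pipeline(q), hardened_pipeline(q), suspicious_query(q))
```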

Downloader Beware

The ComfyUI project is a flowchart interface for doing AI image generation workflows. It’s an easy way to build complicated generation pipelines, and the community has stepped up to build custom plugins and nodes for generation. The thing is, it’s not always the best idea to download and run code from strangers on the Internet, as a group of ComfyUI users found out the hard way this week. The ComfyUI_LLMVISION node from u/AppleBotzz was malicious.

The node references a malicious Python package that grabs browser data and sends it all to a Discord or Pastebin. It appears that some additional malware gets installed, for continuing access to infected systems. It’s a rough way to learn.

PyTorch Scores a Dubious 10.0

CVE-2024-5480 is a PyTorch flaw that allows PyTorch worker nodes to trigger arbitrary eval() calls on the master node. No authentication is required to add a PyTorch worker, so this is technically an unauthenticated RCE, earning the CVSS of 10.0. Practically speaking it’s not that dire of a problem, as your PyTorch cluster shouldn’t be on the Internet to start with, and there’s no authentication as a design choice. It’s not clear that the PyTorch developers consider this a legitimate security vulnerability at all. It may or may not be fixed with version 2.3.

Next Level Smishing

My least favorite term in infosec has to be “smishing”, a frankenword for SMS phishing. Cell phone carriers around the world are working hard to block spam messages, making smishing an impossible task. And that’s why it’s particularly interesting to hear about a bypass that a pair of criminals were using in London. The technical details are light, but the police reported a “homemade mobile antenna”, “illegitimate telephone mast”, and “text message blaster” as part of the seized kit. The initial report sounds like it may be a sort of reverse stingray, where messages skip the regular cellular infrastructure and are sent directly to nearby cell phones. Hopefully more information will be forthcoming soon.

Zyxel’s NsaRescueAngel

The programmers at Zyxel apparently have a sense of humor, given the naming used for this mis-feature. Zyxel NAS units have a bit of magic code that writes a password for the new user, NsaRescueAngel, to the shadow password file. The SSH daemon is restarted, and upnp is fired off to request port forwarding from the outside world. One of the script names, possibly from a previous iteration, was open_back_door.sh, which seems to be sort of lampshading the whole thing.

It’s presumably intended to be a great troubleshooting tool, when a customer is stuck and needs help, to be able to visit a web URL to enable remote access for a Zyxel tech. The problem is that the Zyxel NAS already has an authentication bypass flaw, and while it’s been patched, it wasn’t patched very well, making this whole scheme accessible without authentication, just by slapping /favicon.ico onto the URL. The additional problems have been fixed in a more recent update.

Russian Secure Phablet?

A Twitter thread tells the story of a Russian secure device, left behind on the back of a bus in England. That’s an interesting premise. But the thread continues, that ‘conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about “trusted” devices too!’ OK, now this has to either be a fanfic, or a fell-off-the-back-of-a-truck story. There’s some convincing looking screenshots, and even rom dumps. What’s going on here?

Nobody knew how the devices worked, conveniently the owner also left a briefcase with design notes, architecture, documentation, implementation, marketing material and internal Zoom demos about "trusted" devices too! We'd all have been lost without those. https://t.co/LN7cTybxOV pic.twitter.com/j5OCHprSie

— hackerfantastic.x (@hackerfantastic) June 11, 2024

The most likely explanation is that somebody got their hands on a trove of data on these devices, and wanted to dump it online with a silly story. But fair warning, don’t trust any of the shared files. Who knows what’s actually in there. Taking a look at something untrusted like this is an art in itself, best done with isolated VMs and burner machines, maybe a Linux install you don’t mind wiping?

Bits and Bytes

Buskill just published their 8th warrant canary, a cryptographically signed statement attesting that they have not been served any secret warrants or national security letters that would undermine the trustworthiness of the Buskill project or code. In addition to a good cryptographic signature, this canary includes a handful of recent news headlines in the signed material, proving it is actually a recently generated document.

[Aethlios] has published Reset Tolkien, an open source tool for finding and attacking a very specific sort of weakness in time-based tokens. The targeted flaw is a token generated from an improper randomness source, like the current time. If the pattern can be found, a “sandwich attack” can narrow down the possible reset codes by requesting a reset code for a controlled account, requesting one for the target account, and then once again for the controlled account. The target code must come between the two known codes.
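An added example, not from the article or from Reset Tolkien, of the root cause the tool looks for and of a self-audit a developer can run on their own generator. `weak_reset_code` is a constructed stand-in for a token that is a pure function of the clock; `is_clock_derived` is the hypothetical audit routine.

```python
"""Time-derived reset codes vs. codes drawn from a CSPRNG."""
import hashlib
import secrets
import time


def weak_reset_code(issued_at_ms: int) -> str:
    """Constructed weak generator: the only input is the issue time, so two
    requests in the same millisecond get the same code and any code can be
    recomputed from a timestamp guess.  This is the property that lets a
    sandwich attack bound a target's code between two codes an attacker
    requested for an account they control."""
    return hashlib.sha256(str(issued_at_ms).encode()).hexdigest()[:12]


def strong_reset_code(issued_at_ms: int) -> str:
    """Same signature for comparison, but the timestamp is ignored: the code
    comes entirely from the OS CSPRNG, so knowing when it was issued tells
    an attacker nothing about its value."""
    return secrets.token_urlsafe(24)


def is_clock_derived(generator, trials: int = 3) -> bool:
    """Self-audit: ask the generator for a code twice with the same issue
    timestamp.  A generator that is a function of the clock repeats itself;
    one backed by a CSPRNG does not.  True means the generator is unsafe."""
    now_ms = int(time.time() * 1000)
    for k in range(trials):
        t = now_ms + k
        if generator(t) == generator(t):
            return True
    return False


if __name__ == "__main__":
    for gen in (weak_reset_code, strong_reset_code):
        print(f"{gen.__name__}: clock-derived = {is_clock_derived(gen)}")
```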

And finally, TPM security is hard. This time, the Trusted Platform Module can be reset by reclaiming the GPIO pins connected to it, and simulating a reboot by pulling the reset pin. This results in the TPM possibly talking to an application when it thinks it is talking to the CPU doing boot decryption. In short, it can result in compromised keys. Thanks to [char] from Discord for sending this one in!

Scrapping the Local Loop, by the Numbers

11 June 2024 at 14:00

A few years back I wrote an “Ask Hackaday” article inviting speculation on the future of the physical plant of landline telephone companies. It started innocently enough; an open telco cabinet spotted during my morning walk gave me a glimpse into the complexity of the network buried beneath my feet and strung along poles around town. That in turn begged the question of what to do with all that wire, now that wireless communications have made landline phones so déclassé.

At the time, I had a sneaking suspicion that I knew what the answer would be, but I spent a good bit of virtual ink trying to convince myself that there was still some constructive purpose for the network. After all, hundreds of thousands of technicians and engineers spent lifetimes building, maintaining, and improving these networks; surely there must be a way to repurpose all that infrastructure in a way that pays at least a bit of homage to them. The idea of just ripping out all that wire and scrapping it seemed unpalatable.

With the decreasing need for copper voice and data networks and the increasing demand for infrastructure to power everything from AI data centers to decarbonized transportation, the economic forces arrayed against these carefully constructed networks seem irresistible. But what do the numbers actually look like? Are these artificial copper mines as rich as they appear? Or is the idea of pulling all that copper out of the ground and off the poles and retasking it just a pipe dream?

Phones To Cars

There are a lot of contenders for the title of “Largest Machine Ever Built,” but it’s a pretty safe bet that the public switched telephone network (PSTN) is in the top five. From its earliest days, the PSTN was centered around copper, with each and every subscriber getting at least one pair of copper wires connected from their home or business. These pairs, referred to collectively and somewhat loosely as the “local loop,” were gathered together into increasingly larger bundles on their way to a central office (CO) housing the switchgear needed to connect one copper pair to another. For local calls, it could all be done within the CO or by connecting to a nearby CO over copper lines dedicated to the task; long-distance calls were accomplished by multiplexing calls together, sometimes over microwave links but often over thick coaxial cables.

Fiber optic cables and wireless technologies have played a large part in making all the copper in the local loops and beyond redundant, but the fact remains that something like 800,000 metric tons of copper is currently locked up in the PSTN. And judging by the anti-theft efforts that Home Depot and other retailers are making, not to mention the increase in copper thefts from construction sites and other soft targets, that material is incredibly valuable. Current estimates are that PSTNs are sitting on something like $7 billion worth of copper.

That sure sounds like a lot, but what does it really mean? Assuming that the goal of harvesting all that largely redundant PSTN copper is to support decarbonization, $7 billion worth of copper isn’t really that much. Take EVs for example. The typical EV on the road today has about 132 pounds (60 kg) of copper, or about 2.5 times the amount in the typical ICE vehicle. Most of that copper is locked up in motor windings, but there’s a lot in the bus bars and wires needed to connect the batteries to the motors, plus all the wires needed to connect all the data systems, sensors, and accessories. If you pulled all the copper out of the PSTN and used it to do nothing but build new EVs, you’d be able to build about 13.3 million cars. That’s a lot, but considering that 80 million cars were put on the road globally in 2021, it wouldn’t have that much of an impact.

Farming the Wind

What about on the generation side? Thirteen million new EVs are going to need a lot of extra generation and transmission capacity, and with the goal of decarbonization, that probably means a lot of wind power. Wind turbines take a lot of copper; currently, bringing a megawatt of on-shore wind capacity online takes about 3 metric tons of copper. A lot of that goes into the windings in the generator, but that also takes into account the wire needed to get the power from the nacelle down to the ground, plus the wires needed to connect the turbines together and the transformers and switchgear needed to boost the voltage for transmission. So, if all of the 800,000 metric tons of copper currently locked up in the PSTN were recycled into wind turbines, they’d bring a total of 267,000 megawatts of capacity online.

To put that into perspective, the total power capacity in the United States is about 1.6 million megawatts, so converting the PSTN to wind turbines would increase US grid capacity by about 16% — assuming no losses, of course. Not too shabby; that’s over ten times the capacity of the world’s largest wind farm, the Gansu Wind Farm in the Gobi Desert in China.

There’s one more way to look at the problem, one that I think puts a fine point on things. It’s estimated that to reach global decarbonization goals, in the next 25 years we’ll need to mine at least twice the amount of copper that has ever been mined in human history. That’s quite a lot; we’ve taken 700 million metric tons of copper in the last 11,000 years. Doubling that means we’ve got to come up with 1.4 billion metric tons in the next quarter century. The 800,000 metric tons of obsolete PSTN copper is therefore only about 0.05% of what’s needed — not even a drop in the bucket.

Accepting the Inevitable

These are just a few examples of what could be done with the “Buried Fortune” of PSTN copper, as Bloomberg somewhat breathlessly refers to it in the article linked above. It goes without saying that this is just back-of-the-envelope math, and that a real analysis of what it would take to recycle the old PSTN copper and what the results would be would require a lot more engineering and financial chops than I have. Even if it is just a drop in the bucket, I think we’ll probably end up doing it, if for no other reason than it takes something like two decades to bring a new copper mine into production. Until those mines come online and drive the price of copper down, all that refined and (relatively) easily recycled copper just sitting there is a tempting target for investors. So it’ll probably happen, which is sad in a way, but maybe it’s a more fitting end to the PSTN than just letting it sit there and corrode.
