This week, Jonathan Bennett, Randal Schwartz, and Aaron Newcomb chat about Linux, the challenges with using system modules like the Raspberry Pi, challenges with funding development, and more!

Did you know you can watch the live recording of the show Right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Last week I completed the SAO flower badge redrawing task, making a complete KiCad project. Most of the SAO petals are already released as KiCad projects, except for the Petal Matrix. The design features 56 LEDs arranged in eight spiral arms radiating from the center. What it does not feature are straight lines, right angles, nor parts placed on a regular grid.

Importing into KiCad

I followed the same procedures as the main flower badge with no major hiccups. This design didn’t have any released schematics, but backing out the circuits was straightforward. It also helped that user [sphereinabox] over on the Hackaday Discord server had rung out the LED matrix connections and gave me his notes.

Grep Those Positons

I first wanted to only read the data from the LEDs for analysis, and I didn’t need the full Kicad + Python scripting for that. Using grep on the PCB file, you get a text file that can be easily parsed to get the numbers. I confirmed that the LED placements were truly as irregular as they looked.

My biggest worry was how obtain and re-apply the positions and angles of the LEDs, given the irregular layout of the spiral arms. Just like the random angles of six SAO connector on the badge board, [Voja] doesn’t disappoint on this board, either. I fired up Python and used Matplotlib to get a visual perspective of the randomness of the placements, as one does. Due to the overall shape of the arms, there is a general trend to the numbers. But no obvious equation is discernable.

It was obvious that I needed a script of some sort to locate 56 new KiCad LED footprints onto the board. (Spoiler: I was wrong.) Theoretically I could have processed the PCB text file with bash or Python, creating a modified file. Since I only needed to change a few numbers, this wasn’t completely out of the question. But that is inelegant. It was time to get familiar with the KiCad + Python scripting capabilities. I dug in with gusto, but came away baffled.

KiCad’s Python Console to the Rescue — NOT

This being a one-time task for one specific PCB, writing a KiCad plugin didn’t seem appropriate. Instead, hacking around in the KiCad Python console looked like the way to go. But I didn’t work well for quick experimenting. You open the KiCad PCB console within the PCB editor. But when the console boots up, it doesn’t know anything about the currently loaded PCB. You need to import the Kicad Python interface library, and then open the PCB file. Also, the current state of the Python REPL and the command history are not maintained between restarts of KiCad. I don’t see any advantages of using the built-in Python console over just running a script in your usual Python environment.

Clearly there is a use case for this console. By all appearances, a lot of effort has gone into building up this capability. It appears to be full of features that must be valuable to some users and/or developers. Perhaps I should have stuck with it longer and figured it out.

KiCad Python Script Outside KiCad

This seemed like the perfect solution. The buzz in the community is that modern KiCad versions interface very well with Python. I’ve also been impressed with the improved KiCad project documentation on recent years. “This is going to be easy”, I thought.

First thing to note, the KiCad v8 interface library works only with Python 3.9. I run pyenv on my computers and already have 3.9 installed — check. However, you cannot just do a pip install kicad-something-or-other... to get the KiCad python interface library. These libraries come bundled within the KiCad distribution. Furthermore, they only work with a custom built version of Python 3.9 that is also included in the bundle. While I haven’t encountered this situation before, I figured out you can make pyenv point to a Python that has been installed outside of pyenv. But before I got that working, I made another discovery.

The Python API is not “officially” supported. KiCad has announced that the current Simplified Wrapper and Interface Generator-based Python interface bindings are slated to be deprecated. They are to be replaced by Inter-Process Communication-based bindings in Feb 2026. This tidbit of news coincided with learning of a similar 3rd party library.

Introducing KiUtils

Many people were asking questions about including external pip-installed modules from within the KiCad Python console. This confounded my search results, until I hit upon someone using the KiUtils package to solve the same problem I was having. Armed with this tool, I was up and running in no time. To be fair, I susepct KiUtils may also break when KiCad switched from SWIG to IPC interface, but KiUtils was so much easier to get up and running, I stuck with it.

I wrote a Python script to extract all the information I needed for the LEDs. The next step was to apply those values to the 56 new KiCad LED footprints to place each one in the correct position and orientation. As I searched for an example of writing a PCB file from KiUtils, I saw issue #113, “Broken as of KiCAD 8?”, on the KiUtils GitHub repository. Looks like KiUtils is already broken for v8 files. While I was able to read data from my v8 PCB file, it is reported that KiCad v8 cannot read files written by KiUtils.

Scripting Not Needed — DOH

At a dead end, I was about to hand place all the LEDs manually when I realized I could do it from inside KiCad. My excursions into KiCad and Python scripting were all for naught. The LED footprints had been imported from Altium Circuit Maker as one single footprint per LED (as opposed to some parts which convert as one footprint per pad). This single realization made the problem trivial. I just needed to update footprints from the library. While this did require a few attempts to get the cathode and anodes sorted out, it was basically solved with a single mouse click.

Those Freehand Traces

The imported traces on this PCB were harder to cleanup than those on the badge board. There were a lot of disconinuities in track segments. These artifacts would work fine if you made a real PCB, but because some segment endpoints don’t precisely line up, KiCad doesn’t know they belong to the same net. Here is how these were fixed:

• Curved segments endpoints can’t be dragged like a straight line segment can. Solutions:
  • If the next track is a straight line, drag the line to connect to the curved segment.
  • If the next track is also a curve, manually route a very short track between the two endpoints.
• If you route a track broadside into a curved track, it will usually not connect as far as KiCad is concerned. The solution is to break the curved track at the desired intersection, and those endpoints will accept a connection.
• Some end segments were not connected to a pad. These were fixed by either dragging or routing a short trace.

Applying these rules over and over again, I finaly cleared all the discontinuities. Frustratingly, the algorithm to do this task already exists in a KiCad function: Tools -> Cleanup Graphics... -> Fix Discontinuities in Board Outline, and an accompanying tolerance field specified as a length in millimeters. But this operation, as noted in the its name, is restricted to lines on the Edge.Cuts layer.

PCB vs Picture

When I was all done, I noticed a detail in the photo of the Petal Matrix PCB assembly from the Hackaday reveal article. That board (sitting on a rock) has six debugging / expansion test points connected to the six pins of the SAO connector. But in the Altium Circuit Maker PCB design, there are only two pads, A and B. These connect to the two auxiliary input pins of the AS1115 chip. I don’t know which is correct. (Editor’s note: they were just there for debugging.) If you use this project to build one of these boards, edit it according to your needs.

Conclusion

The SAO Petal Matrix redrawn KiCad project can be found over at this GitHub repository. It isn’t easy to work backwards using KiCad from the PCB to the schematic. I certainly wouldn’t want to reverse engineer a 9U VME board this way. But for many smaller projects, it isn’t an unreasonable task, either. You can also use much simpler tools to get the job done. Earlier this year over on Hackaday.io, user [Skyhawkson] did a gread job backing out schematics from an Apollo-era PCB with Microsoft Paint 3D — a tool released in 2017 and just discontinued last week.

A couple of weeks back, we covered an interesting method for prototyping PCBs using a modified CNC mill to 3D print solder onto a blank FR4 substrate. The video showing this process generated a lot of interest and no fewer than 20 tips to the Hackaday tips line, which continued to come in dribs and drabs this week. In a world where low-cost, fast-turn PCB fabs exist, the amount of effort that went into this method makes little sense, and readers certainly made that known in the comments section. Given that the blokes who pulled this off are gearheads with no hobby electronics background, it kind of made their approach a little more understandable, but it still left a ton of practical questions about how they pulled it off. And now a new video from the aptly named Bad Obsession Motorsports attempts to explain what went on behind the scenes.

To be quite honest, although the amount of work they did to make these boards was impressive, especially the part where they got someone to create a custom roll of fluxless tin-silver solder, we have to admit to being a little let down by the explanation. The mechanical bits, where they temporarily modified the CNC mill with what amounts to a 3D printer extruder and hot end to melt and dispense the solder, wasn’t really the question we wanted answered. We were far more interested in the details of getting the solder traces to stick to the board as they were dispensed and how the board acted when components were soldered into the rivets used as vias. Sadly, those details were left unaddressed, so unless they decide to make yet another video, we suppose we’ll just have to learn to live with the mystery.

What do mushrooms have to do with data security? Until this week, we’d have thought the two were completely unrelated, but then we spotted this fantastic article on “Computers Are Bad” that spins the tale of Iron Mountain, which people in the USA might recognize as a large firm that offers all kinds of data security products, from document shredding to secure offsite storage and data backups. We always assumed the “Iron Mountain” thing was simply marketing, but the company did start in an abandoned iron mine in upstate New York, where during the early years of the Cold War, it was called “Iron Mountain Atomic Storage” and marketed document security to companies looking for business continuity in the face of atomic annihilation. As Cold War fears ebbed, the company gradually rebranded itself into the information management entity we know today. But what about the mushrooms? We won’t ruin the surprise, but suffice it to say that IT people aren’t the only ones that are fed shit and kept in the dark.

Do you like thick traces? We sure do, at least when it comes to high-current PCBs. We’ve seen a few boards with really impressive traces and even had a Hack Chat about the topic, so it was nice to see Mark Hughes’ article on design considerations for heavy copper boards. The conventional wisdom with high-current applications seems to be “the more copper, the better,” but Mark explains why that’s not always the case and how trace thickness and trace spacing both need to be considered for high-current applications. It’s pretty cool stuff that we hobbyists don’t usually have to deal with, but it’s good to see how it’s done.

We imagine that there aren’t too many people out there with fond memories of Visual Basic, but back when it first came out in the early 1990s, the idea that you could actually make a Windows PC do Windows things without having to learn anything more than what you already knew from high school computer class was pretty revolutionary. By all lights, it was an awful language, but it was enabling for many of us, so much so that some of us leveraged it into successful careers. Visual Basic 6 was pretty much the end of the line for the classic version of the language, before it got absorbed into the whole .NET thing. If you miss that 2008 feel, here’s a VB6 virtual machine to help you recapture the glory days.

And finally, in this week’s “Factory Tour” segment we have a look inside a Japanese aluminum factory. The video mostly features extrusion, a process we’ve written about before, as well as casting. All of it is fascinating stuff, but what really got us was the glow of the molten aluminum, which we’d never really seen before. We’re used to the incandescent glow of molten iron or even brass and copper, but molten aluminum has always just looked like — well, liquid metal. We assumed that was thanks to its relatively low melting point, but apparently, you really need to get aluminum ripping hot for casting processes. Enjoy.

This week, Jonathan Bennett and David Ruggles chat with Frank Delporte about Pi4J, the friendly Java libraries for the Raspberry Pi, that expose GPIO, SPI, I2C and other IO interfaces. Why would anyone want to use Java for the Pi? And what’s changed since the project started? Listen to find out!

• https://www.pi4j.com/
• https://webtechie.be/

Did you know you can watch the live recording of the show Right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Fair warning, while the first item this week has no obvious connection to hacking, when 43 Rhesus monkeys escape from a lab, it’s just something that needs to be discussed. The tiny primates broke free from Alpha Genesis, a primate research facility in South Carolina. The monkey jailbreak seems to have occurred sometime on Wednesday, shortly after which the sheriff of Beaufort County was notified to be on the lookout for the tribe. Luckily, none of the animals has been used in any kind of infectious disease research, so this likely won’t be the origin story for anything apocalyptic. At least some of the animals were quickly located, doing their monkey thing in the woods and getting to swing from real trees for probably the first time in their lives. Alpha Genesis employees are trying to lure the monkeys back to captivity with food, but we suspect they’re too smart for that. They’ll probably come back on their own recognizance or when they get bored and realize that the real world isn’t all they thought it would be. When it’s all done we’d love to hear details about the breakout; was it something the monkeys got together and planned, or did one of the humans mess up?

With apologies in advance for the pun, there’s been a lot of buzz lately about tech billionaires falling over themselves to be the first to add “nuclear power mogul” to their CVs with reactor-powered AI data centers. In the early lead was Meta’s Mark Zuckerberg, but it looks like he might have reached an unexpected hurdle in the form of a rare species of bee in residence near the site where he was planning to build the data center. The original article is aggressively paywalled and we haven’t been able to find out exactly what species of bee bested Zuck or what the specific concerns are, although we suspect that it’s disruption of habitat due to construction activities for the data center itself rather than anything related to the nuclear power aspect, since the deal was with an operator of an existing power plant. But fear not — Microsoft, Google, and Amazon are all waiting in the wings with their own nuclear ambitions, so carbon-free AI searches thanks to controlled nuclear fusion will surely soon be a thing.

Although the bees may have thwarted Zuck, not so the Seven Seas, as news leaks indicate that Meta is in the process of building a globe-spanning underseas fiber optic cable. The cable is said to go from coast to coast in the USA the long way, starting in South Carolina across the Atlantic to a landing in Portugal, down the coast of Africa and around the Cape, up to India before heading through to Australia and back across the Pacific to California. The cable is said to carry 16 pairs of fibers and could provide Meta with 320 Tbps of data capacity. That’s a lot of memes.

While you’ve probably never heard of Elwood Edwards, who passed away this week at the age of 74, you’ve certainly heard his voice. Mr. Edwards was the announcer who recorded the famous “You’ve got mail!” email alert for AOL, along with other audio blurbs for the once-ubiquitous ISP. He worked in broadcasting, both AM radio and television, and voiced commercials and announcements before being recommended for the email gig by his wife, who worked at the company that would eventually become AOL, Quantum Computer Services. He got $200 for the session, which he recorded on a cassette tape in his living room, and which would be heard 35 million times a day at AOL’s peak. Not too shabby.

And finally, as proof that we’re living in the weirdest possible timeline comes the story of The Baguette Bandits. It seems that a hacker group — the other kind — broke into French company Schneider Electric and stole 40 GB of data, issuing a $125,000 ransom demand payable in baguettes. The hackers apparently penetrated Schneider via the company’s Jira system and claimed to have specific data on internal projects and issues along with 400,000 lines of user data, which they threatened to release unless they got the baked goods. They did stipulate that they’d halve the ransom amount if Schneider would publically acknowledge the breach. We’re not sure if they want half the number of baguettes or if they want the same number of loaves all cut in half, but either way, it’s a lot of bread. More puns are possible, but we think we’ll leave them all on the table. Seems the yeast we can do.

Do you remember the fourth-place winner in the 2022 Hackaday Prize? If it’s slipped your mind, that’s okay—it was Boondock Echo. It was a radio project that aimed to make it easy to record and playback conversations from two-way radio communications. The project was entered via Hackaday.io, the judges dug it, and it was one of the top projects of that year’s competition.

The project was the brainchild of Mark Hughes and Kaushlesh Chandel. At the 2023 Hackaday Supercon, Mark and Kaushlesh (KC) came back to tell us all about the project, and how far it had come one year after its success in the 2022 Hackaday Prize.

Breaker, Breaker

The talk begins with a simple video explainer of the Boondock Echo project. Basically, it points out the simple problem with two-way radio communications. If you’re not sitting in front of the receiver at the right time, you’re going to miss the message someone’s trying to send you. Unlike cellular communications, Skype calls, or email, there’s no log of missed calls or messages waiting for you. If you weren’t listening, you’re out of luck.

Mark was inspired to create a device to solve these problems by his father’s experience as an emergency responder with FEMA. Often, his father would tell stories about problems with radios and missed transmissions, and Mark had always wondered if something could be done.

Boondock Echo is the device that hopes to change all that. It’s a device designed for recording and playback of two-way radio communications. The hardware is based around the ESP32, which is able to capture analog audio from a radio, digitize it, and submit it to the Boondock Echo online service. This also enables more advanced features—the system can transcribe audio to text, and even do keyword monitoring on the results and email you any important relevant messages.

Rather amazingly, Hackaday actually helped spawn this project. Mark had an idea of what Boondock Echo should do, but he didn’t feel like he had the full set of technical skills to implement it. Then, Mark met KC via a Hackaday Hackchat, and the two started a partnership to develop the project further. Eventually, they won fourth place in the 2022 Hackaday Prize, which netted them a tasty $10,000 which they could use to develop the project further. They then brought in Mark’s friend Jesse on the hardware side, and things really got rolling.

The hope was to start producing and delivering Boondock Echo devices. Of course, nobody is immune to production hell, and it was no different for this team. KC dives into the story of how the device relied on the ESP32-A1S module. When they went to make more, this turned out to be problematic. They found some of the purchased modules worked and some didn’t. Stripping the RF shields off the pre-baked modules, they found that while they all included audio codec chips marked “8388,” some modules had a different layout and functioned differently. And these were parts with FCC IDs, identical part numbers, and everything! This turned into a huge mess that derailed the project for some time. The project had to be retooled to work with the ESP32-based AI Thinker Audio Kit, to which they added a custom “sidekick” board to handle interfacing with the desired radio hardware.

Mark notes that there were some organizational lessons learned through this difficult journey. He talks about the value of planning and budgets when it comes to any attempt to escape the “Valley of Death” as a nascent startup. Mark also explains how Boondock Echo came to seek investors to grow further when he realized they didn’t have the resources to make it on their own.

“You don’t go out asking for $10,000 from family and friends, you go out and you ask for a heck of a lot more than that from professional investors,” explains Mark. “It’s a lot easier to come up with $100,000 than $10,000, because the venture capitalists don’t play in the $10,000 price range.” Of course, he notes that this comes with a tradeoff—investors want a stake in the company in exchange for cold, hard cash. Moving to this mode of operation involved creating a company and then dividing up shares for all the relevant stakeholders—a unique challenge of its own. Mark and KC explain how they handled the growing pains and grew their team from there.

The rest of the talk covers the product itself, and we get a demo of what it can do. KC and Mark show us how the Boondock Echo units capture audio, record it, and submit it to the cloud. From there, we get to see how things like AI transcription, keyword triggers, and notifications work, and there’s even a fun live demo. Beyond that, Mark explains how you can order the hardware via CrowdSupply, and sign up with the Boondock Echo cloud service.

It’s not just neat to see a cool project, it’s neat to see something like this grow from an idea into a fully-fledged business. Even better, it grew out of the Hackaday community itself, and has flourished from there. It’s a wonderful testament to what hackers can achieve with a good idea and the will to pursue it.

 

 

 

 

 

 

 

 

 

This week, Jonathan Bennett and Randal Schwartz chat with Daniel Stenberg about curl! How many curl installs are there?! What’s the deal with CVEs? How has curl managed to not break its ABI for 18 years straight? And how did Daniel turn all this into a career instead of just a hobby? Watch to find out!

• https://daniel.haxx.se/
• https://curl.se/

Did you know you can watch the live recording of the show Right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

“It was the best of times, it was the blurst of times?” Perhaps not anymore, if this Ig Nobel-worthy analysis of the infinite monkey theorem is to be believed. For the uninitiated, the idea is that if you had an infinite number of monkeys randomly typing on an infinite number of keyboards, eventually the complete works of Shakespeare or some other famous writer would appear. It’s always been meant to be taken figuratively as a demonstration of the power of time and randomness, but some people just can’t leave well enough alone. The research, which we hope was undertaken with tongue firmly planted in cheek, reveals that it would take longer than the amount of time left before the heat death of the universe for either a single monkey or even all 200,000 chimpanzees in the world today to type the 884,647 words of Shakespeare’s complete works in the proper order.

We feel like they missed the point completely, since this is supposed to be about an infinite number of monkeys. But if they insist on sticking with real-world force monkey labor, what would really be interesting is an economic analysis of project. How much space would 200,000 chimps need? What would the energy requirements be in terms of food in and waste out? What about electricity so the monkeys can see what they’re doing? If we’re using typewriters, how much paper do we need, and how much land will be deforested for it? Seems like you’ll need replacement chimps as they age out, so how do you make sure the chimps “mix and mingle,” so to speak? And how do you account for maternity and presumably paternity leave? Also, who’s checking the output? Seems like we’d have to employ humans to do this, so what are the economic factors associated with that? Inquiring minds want to know.

Speaking of ridiculous calculations, when your company racks up a fine that only makes sense in exponential notation, you know we’ve reached new levels of stupidity. But here we are, as a Russian court has imposed a two-undecillion rouble fine on Google for blocking access to Russian state media channels. That’s 2×10³⁶ roubles, or about 2×10³³ US dollars at current exchange rates. If you’re British and think a billion is a million million, then undecillion means something different entirely, but we don’t have the energy to work that out right now. Regardless, it’s a lot, and given that the total GPD of the entire planet was estimated to be about 100×10¹² dollars in 2022, Google better get busy raising the money. We’d prefer they don’t do it the totally-not-evil way they usually do, so it might be best to seek alternate methods. Maybe a bake sale?

A couple of weeks back we sang the praises of SpaceX after they managed to absolutely nail the landing of the Starship Heavy booster after its fifth test flight by managing to pluck it from the air while it floated back to the launch pad. But the amazing engineering success was very close to disaster according to Elon Musk himself, who discussed the details online. Apparently SpaceX engineers shared with him that they were scared about the “spin gas abort” configuration on Heavy prior to launch, and that they were one second away from aborting the “chopsticks” landing in favor of crashing the booster into the ground in front of the launch pad. They also expressed fears about spot welds on a chine on the booster, which actually did rip off during descent and could have fouled on the tower during the catch. But success is a hell of a deodorant, as they say, and it’s hard to argue with how good the landing looked despite the risks.

We saw a couple of interesting stories on humanoid robots this week, including one about a robot with a “human-like gait.” The bot is from China’s EnginAI Robotics and while its gait looks pretty good, there’s still a significant uncanny valley thing going on there, at least for us. And really, what’s the point? Especially when you look at something like this new Atlas demo, which really leans into its inhuman gait to get work done efficiently. You be the judge.

And finally, we’ve always been amazed by Liberty ships, the class of rapidly produced cargo ships produced by the United States to support the British war effort during WWII. Simple in design though they were, the fact that US shipbuilders were able to ramp up production of these vessels to the point where they were building a ship every eight hours has always been fascinating to us. But it’s often true that speed kills, and this video shows the fatal flaw in Liberty ship design that led to the loss of some of the early ships in the class. The short video details the all-welded construction of the ships, a significant advancement at the time but which wasn’t the cause of the hull cracks that led to the loss of some ships. We won’t spoil the story, though. Enjoy.

This week, Jonathan Bennett and Dan Lynch chat with Josh Bressers, VP of Security at Anchore, and host of the Open Source Security and Hacker History podcasts. We talk security, SBOMs, and how Josh almost became a Sun fan instead of a Linux geek.

– https://opensourcesecurity.io
– https://hackerhistory.com
– https://infosec.exchange/@joshbressers
– https://anchore.com

Did you know you can watch the live recording of the show Right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Even in the advanced world of 2024, robots are still better in science fiction than in reality. Star Trek gave us the erudite and refined Data, Rogue One gave us the fierce yet funny K-2SO, and Big Hero 6 gave us the caring charmer named Baymax. All these robots had smarts, capability, and agency. More than that, though—they were faithful(ish) companions to humans, fulfilling what that role entails.

The thing is, we’re not gonna get robots like that unless somebody builds them. [Angela Sheehan] is a artist and an educator, and a maker—and she’s trying to create exactly that. She came down to the 2023 Hackaday Supercon to tell us all about her efforts to create cuddly companion bots for real.

Beep Boop

You might remember Angela from her 2019 Supercon costume—she showed up dressed as a color-changing fairy. In fact, she has dabbled in all kinds of fields, which has given her a broad skillset applicable to creating companion bots. She’s done lots of costuming and cosplay over the years, she’s worked in product design, and she brands herself a bit of a fashion hacker. These skills might not be particularly relevant to building a high-speed industrial robot arm to perform 2000 welds an hour. However, they come in absolute clutch when you’re trying to build a robot that acts as a soft, cuddly companion. She notes that she was inspired to create her own companion bots by the work of others formerly showcased by Hackaday—you might remember work in this field from Alex Glow and Jorvon Moss.

Angela’s talk soon tackles the elephant in the room—from the drop, you’ve probably been wondering about the cute critter perched on her shoulder. The long-tailed creature is named Nova, and she’s remarkably friendly and soothing once you get to know her.

Development took some time, with Angela doing lots of research and development to create the Nova we see today. “I actually did a lot of the prototyping and field testing for this bot in the library makerspace that I work at,” she explains. “It was great to see people who don’t know the inside and out of technology interact with [Nova] and I could pinpoint the moment that she became alive to people.” The bot got quite a response, transcending the level of basic machine to something a little more. “People wanted to come in and visit her and pet her,” says Angela. “That was such a powerful moment… that happened as soon as I started putting a face on her.” Angela doesn’t just tell the tale—during the talk, she passes Nova to the audience so they can interact with her up close. She explains that this is something that she does regularly—and we get to see photos of the lovely interactions Nova has had with dozens of smiling, happy people.

Nova leverages Angela’s skills in sewing, 3D modelling, and 3D printing. She explains how components like Nova’s wings were first drafted in Adobe Illustrator. From there, the structure was refined into actual models in Fusion 360, while a PCB was developed in Eagle for the lighting electronics.

The face, though, was perhaps most crucial—as is the case for any anthropomorphic character. She took inspiration from Toothless from How To Train Your Dragon, using a stuffed toy as reference. Initial attempts weren’t particularly satisfying though, so she learned 3D sculpting for a further attempt in clay. Feedback from Twitter helped her develop the face further into the Nova we see today. The eyes were sourced from an Etsy supplier specializing in doll eyes. Angela notes there’s some magic there—when backlit with LEDs, switching them on and off can create a really believable blink pattern that feels super realistic. “What are those elements that make it feel alive?” Angela muses. “There are just little pieces of the psychology of it that you can dial into and you can make something that feels very alive.”

The talk then covers the rest of the design that helps create the “illusion of life.” Angela explains using servos and a robot gripper mechanism to flap the wings, and dialing in the motion so it felt as authentic as possible. She also covers robustness, designing “cuddle-worthy” bodies, and the value of designing for modularity. There’s also a useful discussion about how to make these builds more accessible, including useful starting points like which microcontroller and code platforms are good to use.

Even better, we get a look into the companion bot community, and we learn about the emotional impact these robots can have. Sometimes that’s intentional, other times, it’s down to a happy accident. “There is an unintended effect with [Nova’s] servos, that it feels like a purr,” says Angela. “It’s very comforting right on your shoulder, and I was thinking maybe I should try and insulate it a little bit, but actually people love it.”

Fundamentally, companion bots are a bit like virtual reality. We’ve seen a ton of products make big promises over the years, but we’ve never seen a killer app. However, as [Angela] demonstrates, it’s very possible to create something very real and very lovable if you pay attention to the right things. Perhaps it’s the personal touch that makes DIY companion bots so seemingly lifelike in a way that Furby never was.

In any case, if you’ve ever wanted a robot companion of your very own, there’s no reason you can’t start building your own. With maker skills, enthusiasm, and the will to succeed, you can create a fun and cuddly robot critter that has that magical spark of life.

 

Problem solved? If the problem is supplying enough lithium to build batteries for all the electric vehicles that will be needed by 2030, then a new lithium deposit in Arkansas might be a resounding “Yes!” The discovery involves the Smackover Formation — and we’ll be honest here that half the reason we chose to feature this story was to be able to write “Smackover Formation” — which is a limestone aquifer covering a vast arc from the Rio Grande River in Texas through to the western tip of the Florida panhandle. Parts of the aquifer, including the bit that bulges up into southern Arkansas, bear a brine rich in lithium salts, far more so than any of the brines currently commercially exploited for lithium metal production elsewhere in the world. Given the measured concentration and estimated volume of brine in the formation, there could be between 5 million and 19 million tons of lithium in the formation; even at the lower end of the range, that’s enough to build nine times the number of EV batteries needed.

There are still a lot of unknowns, not least of which is whether any of the lithium in the brine is recoverable, and there are surely technical and regulatory hurdles aplenty. But the mere existence of a brine deposit that rich in lithium that covers such a vast area is encouraging; surely there’s somewhere within the formation where it’ll be possible to extract and concentrate the brine in an environmentally sensitive manner. And, once again just for fun, Smackover Formation.

While not ones to cheer for interstellar catastrophes, we can’t say that we haven’t been rooting for Betelgeuse to go supernova these last few years. Ever since the red supergiant star that sits on Orion’s shoulder started its peculiar dimming a while back, talk among astronomy buffs was that the activity presaged an imminent explosion of the star, one that could make Betelgeuse the brightest object in the night sky for a few months, and possibly make it visible in the daytime as well. As thrilling — and foreboding, at least by ancient astronomy standards — as that sounds, it seems as if the unusual dimming recently observed has a more prosaic explanation: a “Betelbuddy” star. According to astronomers who pored over observations, after ruling out all the other possibilities to explain the dimming, it seems like there must be a smaller star orbiting Betelgeuse that’s periodically plowing a clear spot through the cloud of dust surrounding the dying star. That would explain the periodic dimming and brightening, but why have we not seen this Betelbuddy before? It could be that the smaller star is lost in the giant’s glare, hiding in its halo of incandescent gas. So, don’t hold your breath on seeing a supernova anytime soon.

Do you find password rules annoying? We sure do, and even using a password manager with a generator that can handle all sorts of restrictions like password length and special characters, being told how to generate a password seems silly, especially since the information on what characters a valid password would have seems like valuable clues to potential crackers. But if for some reason you haven’t had enough password pestering, try out the password game. You start by entering a password — we, of course, started with correct horse battery staple — and then deal with the consequences of your obviously poor choices. You’ll be asked to do all the silly stuff that only decreases the entropy of your password, which only makes it harder to remember and easier to guess. We haven’t played it through — it’s way too annoying — but we assume that if you ever actually manage to compose a suitable password, you’ll be asked to change it every 90 days.

And finally, we’ve managed to live long enough now to have cycled completely through all the major music recording modalities except wax cylinders. Having heard them all, we’ve got to agree with the hipsters: vinyl is the best. That’s especially true after watching this fascinating look at the LP record production process, which covers everything from mastering to packaging. The painstaking steps at the beginning are perhaps the most interesting, but anyone who doesn’t appreciate the hot vinyl squeezing out from the press is a cold, heartless monster. The video is only 15 minutes long and mercifully free of narration, so enjoy.

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers, that this was due to US sanctions against certain Russian businesses, and that the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

I can only conclude from this that the US Treasury has in fact made this threat, that code would need to be removed. Now this is genuinely surprising, given the legal precedent that code is 1st Amendment protected speech. That precedent was established when dealing with encryption code that was being export restricted in the 90s. It seems particularly problematic that the US government believes it can specify what code does and does not belong in the Linux kernel.

SELinux

Since we’re in Kernel land, let’s talk SELinux. Many modern Linux systems, and Android in particular, use SELinux to provide an extra security layer. It’s not an uncommon troubleshooting step, to turn off SELinux to see if that helps with mysterious issues. What we have here in the klecko Blog is an intro to bypassing SELinux. The setup is that an exploit has achieved root, but is in a unprivileged context. What options does an attacker have to try to bypass SELinux?

The first, most obvious solution is to just disable SELinux altogether. If you can write to memory, the SELinux enabled bit can just be set to false. But that might not work, if you can’t write to memory, or have a hypervisor to wrestle with, like some Android systems. Another option is the set of permissive flags that can be overwritten, or the AVC cache that can be poisoned, both approaches resulting in every SELinux request being approved. It’s an interesting overview.

Printer Root

Xerox printers with the “Network Troubleshooting” feature have some unintended hidden functionality. The troubleshooting is done by calling tcpdump as root, and the configuration allows setting the IP address to use for the troubleshooting process. And as you might expect, that IP address was used to create a command line string, and it isn’t properly escaped. You can sneak a $(bash ...) in as part of the address, allowing code execution. The good news is that access to this troubleshooting function is locked behind the web admin account. Xerox has made fixed firmware available for this issue.

Fix Your Roundcube

The Roundcube email web client has a Cross-Site Scripting (XSS) vulnerability that is actively being exploited. The flaw is the processing of SVGs, and the addition of an extra space in an href tag, that the browser ignores. Sneaking this inside an SVG allows for arbitrary Javascript to run when opening this malicious email.

Roundcube has released 1.5.7 and 1.6.7 that address the issue. This is under active exploitation, currently being used against the Russian aligned CIS countries. It’s a simple exploit, so expect to see it more widely used soon.

The Archive

The Internet Archive continues to be under siege. The Distributed Denial of Service (DDoS) attacks were apparently done by SN-Blackmeta. But the hacker behind the data breach is still a mystery. But the news this week is that there is still someone with access to Internet Archive API keys. Specifically Zendesk, illustrated by the fact that when Mashable reached out via email, the hacker answered, “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.”

It’s obviously been a terrible, horrible, no good, and very bad month for the Internet Archive. As it’s such an important resource, we’re hoping for some additional support, and getting the service back to 100%.

Quantum Errata

You may remember last week, that we talked about a Quantum Annealing machine making progress on solving RSA cryptography. In the comments, it was pointed out that some coverage on this talks about RSA, and some talks about AES, a cryptography thought to be quantum-resistant. At least one source is claiming that this confusion is because there were actually two papers from the same team, one discussing RSA, and the other techniques that could be used against AES. This isn’t confirmed yet, and there are outstanding questions about both papers.

Bits and Bytes

SQL injection attacks are old hat by this point. [NastyStereo] has an interesting idea: Polyglot SQL injection attacks. The idea is simple. A SQL query might be escapable with a single quote or a double quote. To test it, just include both: OR 1#"OR"'OR''='"="'OR''='. There are more examples and some analysis at the link.

Kaspersky researchers found a Chrome exploit, that was being delivered in the form of an online tank battle game. In reality, the game was stolen from its original developers, and the web site was a crypto stealing scam, making use of the browser 0-day. This campaign has been pinned on Lazarus, the APT from North Korea.

And yet another example of fake software, researchers at kandji discovered a fake Cloudflare Authenticator campaign. This one is a MacOS malware dropper that does a reasonably good job of looking like it’s an official Cloudflare app. It’s malware, and places itself in the system crontab, to get launched on every boot. Follow the link for Indicators of Compromise if you need them.

When all else fails, there’s radio. Hurricane Helene’s path of destruction through Appalachia stripped away every shred of modern infrastructure in some areas, leaving millions of residents with no ability to reach out to family members or call for assistance, and depriving them of any news from the outside world. But radio seems to be carrying the day, with amateur radio operators and commercial broadcasters alike stepping up to the challenge.

On the amateur side, there are stories of operators fixing their downed antennas and breaking out their field day gear to get on the air and start pitching in, with both formal and ad hoc networks passing messages in and out of the affected areas. Critical requests for aid and medication were fielded along with “I’m alright, don’t worry” messages, with reports from the ARRL indicating that Winlink emails sent over the HF bands were a big part of that. Unfortunately, there was controversy too, with reports of local hams being unhappy with unlicensed users clogging up the bands with Baofengs and other cheap radios. Our friend Josh (KI6NAZ) took a good look at the ins and outs of emergency use of the amateur bands, which of course by federal law is completely legal under the conditions. Some people, huh?

Also scoring a win were the commercial broadcasters, especially the local AM stations that managed to stay on the air. WWNC, an AM station out of Nashville, is singled out in this report for the good work they did connecting people through the emergency. As antiquated as it may seem and as irrelevant to most people’s daily lives as it has become, AM radio really proves its mettle when the chips are down. We’ve long been cheerleaders for AM in emergencies, and this has only served to make us more likely to call for the protection of this vital piece of infrastructure.

Windows 10 users, mark your calendars — Microsoft has announced that you’ve got one year to migrate to a more profitable modern operating system. After that, no patches for you! If Microsoft holds true to form, the scope of this “End of Life” will change as the dreaded day draws nearer, especially considering that Windows 10 still holds almost 63% of the Windows desktop market. Will the EOL announcement inspire all those people to migrate? Given a non-trivial fraction of users are still sticking it out with Windows 7, we wouldn’t hold our breath.

Speaking of Microsoft, for as much as they’re the company you love to hate, you’ve got to hand it to them for one product: Microsoft Flight Simulator. It seems like Flight Simulator has been around almost since the Wright Brothers’ day, going through endless updates to keep up with the state of the art and becoming better and better as the years go by. Streaming all that ultra-detailed terrain information comes at a price, though, to the tune of 81 gigabytes per hour for the upcoming Flight Simulator 2024. Your bandwidth may vary, of course, based on how you set up the game and where you’re virtually flying. But still, that number got us thinking: Would it be cheaper to fly a real plane? A lot of us don’t have explicit data caps on our Internet service, but the ISP still will either throttle your bandwidth or start charging per megabyte after a certain amount. Xfinity, for example, charges $10 for each 50GB block you use after reaching 1.2 TB of data in a month, at least for repeat offenders. So, if you were to settle in for a marathon flight, you’d get to fly for free for about 15 hours, after which each hour would rack up about $20 in extra charges. A single-engine aircraft costs anywhere between $120 and $200 to rent, plus the cost of fuel, so it’s still a better deal to fly Simulator, but not by much.

And finally, we were all witness to a remarkable feat of engineering prowess this week with the successful test flight of a SpaceX Starship followed by catching the returning Super Heavy booster. When we first heard about “Mechazilla” and the idea of catching a booster, we dismissed it as another bit of Elon’s hype, like “full self-driving” or “hyperloops.” But damn if we weren’t wrong! The whole thing was absolutely mesmerizing, and the idea that SpaceX pulled off what’s essentially snagging a 20-story building out of the air on mechanical arms was breathtaking. While the close-up videos of the catch are amazing, they don’t reveal a lot about the engineering behind it. Luckily, we’ve got this video by Ryan Hansen Space of the technology behind the catch, lovingly created in Blender. The work seems to have been done before the test flight and was made with a lot of educated guesses, but given how well the renders match up with the real video of the catch, we’d say Ryan nailed it.