ua-parser-js compromised

Supply Chain Attack: NPM Library Used By Facebook And Others Was Compromised

Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the NPM package ua-parser-js was compromised, and any software using it as a library may have become victim of a supply chain attack. What is ua-parser-js and why does any of this matter?

In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.

For better or worse, repositories of code are now available to do even the smallest of functions so that a developer doesn’t have to write the function from scratch. One such registry is npm (Node Package Manager), which organizes a collection of contributed libraries written in JavaScript. A developer need only use npm to include a library in their code, and all of the functions of that code become available to them. One such example is ua-parser-js, a User Agent Parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.

On October 22 2021, the developer of ua-parser-js found that attackers had uploaded a version of his software that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from computers or run a crypto-currency miner. This prompted GitHub to issue a Critical Severity Security Advisory.

What makes this compromise so dangerous is that ua-parser-js is considered to be part of a supply chain, and has been adopted even by Facebook for use in some of its customer-facing software. The developer of ua-parser-js has already secured his GitHub account and uploaded new versions of the package that are clean. If you have any software that uses this library, make sure you’ve got the latest version!

Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.

Hackers And China

The open source world and Chinese manufacturing have a long relationship. Some fifteen years ago, the big topic was how companies could open-source their hardware designs and not get driven bankrupt by competition from overseas. Companies like Sparkfun, Adafruit, Arduino, Maple Labs, Pololu, and many more demonstrated that this wasn’t impossible after all.

Maybe ten years ago, Chinese firms started picking up interesting hacker projects and producing them. This gave us hits like the AVR transistor tester and the NanoVNA. In the last few years, we’ve seen open-source hardware and software projects that have deliberately targeted Chinese manufacturers, and won. We do the design and coding, they do the manufacturing, sales, and distribution.

But this is something else: the Bangle.js watch takes an essentially mediocre Chinese smartwatch, reflashes the firmware, and sells it as an open-source smartwatch to the general public. These pre-hacked watches are being sold on Kickstarter, and although the work stands on the shoulders of previous hackers’ reverse-engineering work on the non-open watch hardware, it’s being sold by the prime mover behind the Espruino JavaScript-on-embedded language, which it runs on.

We have a cheap commodity smartwatch, being sold with frankly mediocre firmware, taken over by hackers, re-flashed, re-branded, and sold by the hackers on Kickstarter. As a result of it being (forcibly) opened, there’s a decently sized app store of contributed open-source applications that’ll run on the platform, making it significantly more useful and hacker friendly than it was before.

Will this boost sales? Will China notice the hackers’ work? Will this, and similar projects, end up in yet another new hacker/China relationship? We’re watching.

flow IO module options

Get Your Flex On With The FlowIO Platform

Hackaday Prize 2021 entry FlowIO Platform promises to be to pneumatics what Arduino is to electronics. The modular platform comprises a common controller/valve block, a selection of differently sized pumps, and a few optional connectivity and sensing blocks. With Arduino software support as well as JavaScript and a web GUI, there’s a way to program this no matter what level of experience the user has.

flowIO exploded view
flowIO exploded view from http://www.softrobotics.io/flowio

This last point is a critical one for the mission [Ali Shtarbanov] from the MIT Media Lab is setting out for this project. He reminds us that in decades gone by, there was a significant barrier to entry for anyone building electronics prototypes. Information about how to get started was also much harder to come by before the internet really got into gear.

It’s a similar story for software, with tools like Scratch and Python lowering the barrier to entry and allowing more people to get their toes wet and build some confidence.

But despite earlier work by projects like the Soft Robotics Toolkit and Programmable-Air to lower the bar for pneumatics in soft robotics and related applications, the project author still finds room for further improvement. FlowIO was designed from the ground up to be wearable. It appears to be much smaller and more portable, and supports more air ports and a greater array of sensing and connectivity, than previous open-source work to date.

Creative Commons Hardware

Whilst you can take all the plans (free account signup required) and build yourself a FlowIO rig of your very own, the project author offers another solution. Following on from the Wikipedia model of free sharing and distribution of information, FlowIO offers its hardware for free, for the common good. Supported by donations to the project, more hardware is produced and distributed to those who need it. The only ask is that redundant kits are passed on or returned to base for upgrade, rather than landfill.


Hiding Links In Plain Sight With Bookmark Knocking

Have you ever been looking for a screwdriver, USB stick, or your keys, only to find them right where you left them in plain sight? We have. As many prolific geocachers know, hiding things out in the open is a great way to make sure that people overlook them. 

[Jacob Strieb] has been researching various ways to password protect and hide browser bookmarks in plain sight. He calls his latest technique “Bookmark Knocking” and he’s made a demonstration available on his GitHub account.

Why hide bookmarks to begin with? A browser’s bookmark collection can give away the habits, interests, and needs of the person who put them there. Bookmarks to gifts, domestic abuse support websites, and other private destinations might be best kept away from prying eyes.

Inspired by port knocking — opening connections to specific network ports in sequence to gain access through a firewall — bookmark knocking requires clicking bookmarks in a specific order to open a link. When the bookmarks are accessed in the proper order, the third bookmark reveals a hidden site. It’s not only a novel approach to hiding things in plain sight, it’s very cool to use! 

We especially appreciate [Jacob]’s motivation: Helping those who are vulnerable to protect themselves in any way possible. It’s a solid reminder that technology can be elevated to a higher stature when put to a noble use. Be sure to check out the demonstration so you can try it for yourself!

If camouflaging data flips your bits, you may want to look at a neat way to embed data right into bash scripts, or conceal a WiFi enabled microcontroller in a USB cable. Do you have your own favorite “hidden in plain sight” hack? Be sure to let us know through the Tip Line.

Tool Generates Interactive PCB Diagrams From KiCAD

Nearly everyone likes nice pinout diagrams, but the more pins and functions are involved, the more cluttered and less useful the diagram becomes. To address this, [Jan Mrázek] created Pinion, a tool to help generate interactive diagrams from KiCad design files.

The result is an interactive diagram that can be viewed in any web browser. Hovering over a pin or pad highlights those signals with a callout for the name, and clicking makes it stay highlighted for easier reference. Further information can be as detailed or as brief as needed.

Interestingly, Pinion isn’t a web service that relies on any kind of backend. The diagrams are static HTML and JavaScript only, easily included in web pages or embedded in GitHub documentation.

If you think Pinion looks a bit familiar, you’re probably remembering that we covered [Jan]’s much earlier PcbDraw tool, which turned KiCad board files into SVG renderings but had no ability to add labels or interactivity. Pinion is an evolution of that earlier idea, and its diagrams are able to act as both documentation and interactive reference, with no reliance on any kind of external service.

Interested? Pinion has a full tutorial and demo and a growing library of parts, so check it out.

JavaScript App Uses Advanced Math To Make PCBs Easier To Etch

We all remember the litany from various math classes we’ve taken, where frustration at a failure to understand a difficult concept bubbles over into the classic, “When am I ever going to need to know this in real life?” But as we all know, even the most esoteric mathematical concepts have applications in the real world, and failure to master them can come back to haunt you.

Take Voronoi diagrams, for example. While we don’t recall being exposed to these in any math class, it turns out that they can be quite useful in a seemingly unrelated area: converting PCB designs into easy-to-etch tessellated patterns. Voronoi diagrams are in effect a plane divided into different regions, or “cells”, each centered on a “seed” object. Each cell is the set of points that are closer to a particular seed than they are to any other seed. For PCBs the seeds can be represented by the traces; dividing the plane up into cells around those traces results in a tessellated pattern that’s easily etched.

To make this useful to PCB creators, [Craig Iannello] came up with a JavaScript application that takes an image of a PCB, tessellates the traces, and spits out G-code suitable for a laser engraver. A blank PCB is covered with a layer of spray paint, the tessellated pattern is engraved into the paint, and the board is etched and drilled in the usual fashion. [Craig]’s program makes allowances for adding specific features to the board, like odd-shaped pads or traces that need specific routing.

This isn’t the first time we’ve seen Voronoi diagrams employed for PCB design, but the method looks so easy that we’d love to give it a try. It even looks as though it might work for CNC milling of boards too.

aemkei's xor patterns

Alien Art Drawn With Surprisingly Simple Math

Programmer [aemkei] Tweeted the formula (x ^ y) % 9 alongside code for more “alien art”. But how can a formula as simple as (x ^ y) % 9 result in a complex design? The combination of Bitwise XOR (^) and Modulo (%) generate a repeating pattern that’s still complex enough to satisfy the eye, and it’s ok if that doesn’t sound like an explanation. Bitwise operations are useful when working with memory and shift registers, but also worth learning if you want to drive lines or matrices of LEDs or interpret combinations of multiple switches, or in this case a great way to throw an interesting test pattern up on a new flip-dot display or low-res LED matrix. Are you into it? We are, so let’s jump in.

XOR Truth Table (row ^ column)

  ^   | 0b00  0b01  0b10  0b11
------+------------------------
 0b00 | 0b00  0b01  0b10  0b11
 0b01 | 0b01  0b00  0b11  0b10
 0b10 | 0b10  0b11  0b00  0b01
 0b11 | 0b11  0b10  0b01  0b00

Bitwise XOR compares each binary digit of the two inputs. The XOR returns a 1 when only one of the two digits is a 1, otherwise, it returns a zero for that position. Let’s say the coordinates were 3, 2. Converted to binary we have 0b11 and 0b10. From this truth table, we can see the most-significant digits are both 1, returning a 0, while only one of the least-significant digits is a 1, so the comparison returns a 1.

Moving on to %, the modulo operator, which has nothing to do with percentages: it divides one number by another and returns the remainder, if any. Take 9 % 5: 5 goes into 9 once with a remainder of 4, so 9 % 5 = 4. Now our original formula from the top would draw a black box for every ninth number, except that the bitwise XOR throws a wrench into that count, varying how often a number divisible by 9 appears and supplying the complexity necessary for these awesome patterns.

detail of aemkei's xor patterns

What are the most interesting designs you can create with a simple formula?