News – Hackaday (https://hackaday.com), Fresh hacks every day, Tue, 29 Oct 2024 13:18:59 +0000

2024 Supercon: Last Minute Announcements
https://hackaday.com/2024/10/29/2024-supercon-last-minute-announcements/
Tue, 29 Oct 2024 14:00:53 +0000

If you hear a rushing noise, don’t be alarmed — that’s just the rapidly approaching 2024 Hackaday Supercon. As hard as it is to believe, a whole year has gone by, and we’re now just a few days away from kicking off our annual hardware hacking extravaganza in Pasadena. Tickets just sold out over the weekend — thank you procrastinators!

For those of you who have tickets to join us this weekend, we’ve got a few last minute announcements and bits of information we wanted to get out to you. As a reminder, you can find the full schedule for all three days on the official Supercon site.

New Events Added!

For those who’ve attended a Supercon before, you know we like to cram as much content as we can into the weekend. But there’s always room for more, and this year we’ve managed to squeeze in a couple extra activities that we’re very excited about.

Halloween Hacker Happy Hour

It just so happens that Halloween is the night before Supercon officially kicks off, and that seemed like too good of an opportunity to pass up. So we’ll be throwing a pre-event party at the nearby KingsRow Gastropub where costumes and all manner of blinking LEDs are very much encouraged. Officially we’ll be hanging out from 7:00 to 10:00 PM, but don’t be surprised if you find yourself still talking to Hackaday folks at last call.

You don’t need tickets for this event, but we’d like to have a rough head count, so if you could RSVP through Eventbrite we’d appreciate it.

Tina’s Junk Challenge

Tina’s been piling up her treasures for weeks

We’ve always wanted to introduce some kind of swap meet aspect to Supercon, but the logistics have always been a challenge. This year though, we’re finally going to get the chance to test out the idea. Former DesignLab Resident Tina Belmont is in the process of moving out of the country and needs to find a new home for her electronic bric-a-brac.

Everything is free, so attendees are encouraged to take anything they think they can make use of. Naturally, an influx of interesting hardware could provide for some very unique badge hacking possibilities. If we can get enough people to graft these second-hand components onto their badges, we just might be able to turn it into a proper category come Sunday night.

A table where folks can offload their electronic bits and bobs has worked well at other hacker cons, so we’re eager to see how it goes at Supercon. If this is something you’d like to see more of, or would potentially like to participate in next year, let us know.

Krux’s Side Quests

Let’s be honest, most of us are already taking our marching orders from the computer in one way or another. So why not turn it into a fun interactive game?

The idea is simple: use the mysterious retrocomputer oracle, and it gives you a quest. Maybe you’ll have to find a hidden item, or solve a riddle. Krux has run a variation of this game at Toor Con in the past, but the challenges spit out by the computer this time will be tailored to Supercon.

Windows Through Wires Exhibition

You may recall that we asked the Hackaday community if they had any unusual display technology they’d like to show off during Supercon as part of an exhibit.

Well, as you might have imagined, the response was incredible. From gorgeous vintage pieces to completely custom hardware, there’s going to be a wide array of fascinating hardware for attendees to study up-close.

While getting a chance to see various display technologies throughout the years would have our attention as it is, what’s really exciting is that many of the custom-built devices in the exhibit are either projects hosted on Hackaday.io or ones that we’ve covered at some point on the front page.

Considering how gorgeous some of them have looked in photographs, we’re eager to drool over them in the real world — and we bet you are too.

Workshop Technical Difficulties

Hopefully we’ve provided enough good news that we can slip in a bit of the bad. Unfortunately, we’ve had to cancel the “Hands on with an Electron Microscope” workshop that was to be hosted by Adam McCombs and Isabel Burgos. Everyone with tickets will of course be getting a refund, and you should be receiving an email to that effect shortly if you haven’t already.

While we’re just as disappointed by this news as you are, it’s one of those situations where there simply weren’t any good solutions. Long story short, the scanning electron microscope that was small enough to bring to Supercon is down, and there’s just not enough time to get it up and running at this point. An attempt was made to find another small-ish electron microscope on short notice but…well, that’s just as tricky to pull off as it sounds.

Send Us Your Lightning Talks!

To end this update on a high note, we want to remind everyone that this year we’ll once again be doing Lightning Talks on Sunday morning. If you’ve never given a talk before, the shorter seven minute format is perfect for getting your feet wet. Or maybe you’ve got something you want to talk about that doesn’t take a whole hour to explain. Either way, the Lightning Talks are a great way to share what you’re passionate about with the Supercon audience.

If you’d like to give a Lightning Talk, simply fill out this form. You can upload slides if you’ve got them, but they aren’t strictly necessary.

Raspberry Pi OS’s Wayland Transition Completed With Switch to Labwc
https://hackaday.com/2024/10/28/raspberry-pi-oss-wayland-transition-completed-with-switch-to-labwc/
Tue, 29 Oct 2024 02:00:17 +0000

With the latest release of Raspberry Pi OS (formerly Raspbian) the end of the X Window System has become reality, completing a years-long transition period. Although this change between display servers is not something which should be readily apparent to the casual user, the change from the client-server-based X11 protocol to the monolithic Wayland protocol has a number of implications. A major change is that with the display server and window manager no longer being separate units, features such as network transparency (e.g. remote X-sessions) are no longer a native feature, but have to be implemented separately by e.g. the Wayland compositor.

For Raspberry Pi the transition to Wayland was based on the perceived efficiency and security benefits of the monolithic architecture, with the 2021 release of Raspbian (based on Debian Bullseye) testing the waters using the hybrid X11 window manager/Wayland compositor Mutter. This allowed for switching between X11 and Wayland without committing. In 2023 Mutter was replaced with the Wayfire compositor with Wayland becoming the default on Raspberry Pi 4 and 5 platforms. Along the way it was found that the Wayfire project wasn’t developing in a way that would benefit Raspberry Pi OS, which led to what should now be the final Wayland compositor in the form of Labwc.

One advantage of Labwc is that it is more lightweight than Wayfire, and Raspberry Pi has judged that this means it should be the default across all Raspberry Pi systems. Compatibility with X11-based software is maintained with the XWayland library, so that users should ideally not notice any difference after switching to Labwc even on lower-end boards. Unless you’re one of those people who use features such as (remote) X-sessions, nothing should feel markedly different.

In addition to this big change, the new Raspberry Pi OS release also improves touch screen support with the integrated Squeekboard virtual keyboard popping up when a touch screen is detected. Finally, the remote access Raspberry Pi Connect feature sees a few tweaks, which is the feature that effectively replaces remote X-sessions. Considering how glacially slow X desktop sessions can be, this is something which can be considered an improvement, but it would be nice if there was an alternative that didn’t rely on Raspberry Pi-provided services to work.

The Pound (or Euro, Or Dollar) Can Still Be In Your Pocket
https://hackaday.com/2024/10/27/the-pound-or-euro-or-dollar-can-still-be-in-your-pocket/
Mon, 28 Oct 2024 02:00:00 +0000

A British journalistic trope involves the phrase “The pound in your pocket”, a derisory reference to the 1960s Prime Minister Harold Wilson’s use of it to try to persuade the public that a proposed currency devaluation wouldn’t affect them. Nearly six decades later not so many Brits carry physical pounds in their pockets as electronic transfers have become more prevalent, but the currency remains. So much so that the governor of the Bank of England has had to reassure the world that the pound won’t be replaced by a proposed “Britcoin” cryptocurrency should that be introduced.

Normally matters of monetary policy aren’t within Hackaday’s remit, but since the UK is not the only country to mull over the idea of a tightly regulated cryptocurrency tied to their existing one, there’s a privacy angle to be considered while still steering clear of the fog of cryptocurrency enthusiasts. The problem is that reading the justification for the new digital pound from the Bank of England, it’s very difficult to see much it offers which isn’t already offered by existing cashless payment systems. Meanwhile it offers to them a blank regulatory sheet upon which they can write any new rules they want, and since that inevitably means some of those rules will affect digital privacy in a negative manner, it should be a worry to anyone whose government has considered the idea. Being at pains to tell us that we’ll still be able to see a picture of the King (or a dead President, or a set of bridges) on a bit of paper thus feels like an irrelevance as increasingly few of us handle banknotes much anyway these days. Perhaps that act in itself will now become more of an act of protest. And just when we’d persuaded our hackerspaces to go cashless, too.

Header: Wikitropia, CC BY-SA 3.0.

McDonalds Ice Cream Machines Gain A DMCA Exemption
https://hackaday.com/2024/10/26/mcdonalds-ice-cream-machines-gain-a-dmca-exemption/
Sat, 26 Oct 2024 20:00:00 +0000

An unlikely theatre for an act in the right-to-repair saga came last year in the form of McDonalds restaurants, whose McFlurry ice cream machines are prone to breakdown. The manufacturer had locked them down, and a franchisee with a broken machine had no option but to call them for an expensive repair job. iFixit and Public Knowledge challenged this with a request for a DMCA exemption from the Copyright Office, and now news emerges that this has been granted.

The exemption in question isn’t specific to McDonalds, instead it applies to retail food preparation equipment in general, which includes ice-cream machines. We’re guessing that franchisees won’t be breaking out the screwdrivers either, instead it’s likely to lower significantly the cost of a service contract for them and any other food industry operators hit with the same problem. Meanwhile any hackers who’ve picked up an old machine can now fix it themselves without breaking the law, and maybe the chances of your local Mickey D’s having no McFlurries have gone down.

This story has featured more than once on these pages, so catch up here, and here.

DIY 3D Hand Controller using a Webcam and Scripting
https://hackaday.com/2024/10/25/diy-3d-hand-controller-using-a-webcam-and-scripting/
Fri, 25 Oct 2024 23:00:02 +0000

Are you ready to elevate your interactive possibilities without breaking the bank? If so, explore [Caio Bassetti]’s tutorial on creating a full 3D hand controller using only a webcam, MediaPipe Hands, and Three.js. This hack lets you transform a 2D screen into a fully interactive 3D scene—all with your hand movements. If you’re passionate about low-cost, accessible tech, try this yourself – not much else is needed but a webcam and a browser!

The magic of the project lies in using MediaPipe Hands to track key points on your hand, such as the middle finger and wrist, to calculate depth and positioning. Using clever Three.js tricks, the elements can be controlled on a 3D axis. This setup creates a responsive virtual controller, interpreting hand gestures for intuitive movement in the 3D space. The hack also implements a closed-fist gesture to grab and drag objects and detects collisions to add interactivity. It’s a simple, practical build and it performs reliably in most browsers.

For more on this innovation or other exciting DIY hand-tracking projects, browse our archive on gesture control projects, or check out the full article on Codrops. With tools such as MediaPipe and Three.js, turning ideas into reality gets more accessible than ever.

This Week in Security: The Geopolitical Kernel, Roundcube, and The Archive
https://hackaday.com/2024/10/25/this-week-in-security-the-geopolitical-kernel-roundcube-and-the-archive/
Fri, 25 Oct 2024 14:00:00 +0000

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers, that this was due to US sanctions against certain Russian businesses, and that the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

I can only conclude from this that the US Treasury has in fact made this threat, that code would need to be removed. Now this is genuinely surprising, given the legal precedent that code is 1st Amendment protected speech. That precedent was established when dealing with encryption code that was being export restricted in the 90s. It seems particularly problematic that the US government believes it can specify what code does and does not belong in the Linux kernel.

SELinux

Since we’re in Kernel land, let’s talk SELinux. Many modern Linux systems, and Android in particular, use SELinux to provide an extra security layer. It’s not an uncommon troubleshooting step to turn off SELinux to see if that helps with mysterious issues. What we have here in the klecko Blog is an intro to bypassing SELinux. The setup is that an exploit has achieved root, but is in an unprivileged context. What options does an attacker have to try to bypass SELinux?

The first, most obvious solution is to just disable SELinux altogether. If you can write to memory, the SELinux enabled bit can just be set to false. But that might not work, if you can’t write to memory, or have a hypervisor to wrestle with, like some Android systems. Another option is the set of permissive flags that can be overwritten, or the AVC cache that can be poisoned, both approaches resulting in every SELinux request being approved. It’s an interesting overview.

Printer Root

Xerox printers with the “Network Troubleshooting” feature have some unintended hidden functionality. The troubleshooting is done by calling tcpdump as root, and the configuration allows setting the IP address to use for the troubleshooting process. And as you might expect, that IP address was used to create a command line string, and it isn’t properly escaped. You can sneak a $(bash ...) in as part of the address, allowing code execution. The good news is that access to this troubleshooting function is locked behind the web admin account. Xerox has made fixed firmware available for this issue.

Fix Your Roundcube

The Roundcube email web client has a Cross-Site Scripting (XSS) vulnerability that is actively being exploited. The flaw is in the processing of SVGs, and involves the addition of an extra space in an href attribute, which the browser ignores. Sneaking this inside an SVG allows arbitrary JavaScript to run when the malicious email is opened.

Roundcube has released 1.5.7 and 1.6.7 that address the issue. This is under active exploitation, currently being used against the Russian-aligned CIS countries. It’s a simple exploit, so expect to see it more widely used soon.

The Archive

The Internet Archive continues to be under siege. The Distributed Denial of Service (DDoS) attacks were apparently done by SN-Blackmeta, but the hacker behind the data breach is still a mystery. The news this week is that there is still someone with access to Internet Archive API keys, specifically for Zendesk. This was illustrated when Mashable reached out via email and the hacker answered, “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.”

It’s obviously been a terrible, horrible, no good, and very bad month for the Internet Archive. As it’s such an important resource, we’re hoping for some additional support, and getting the service back to 100%.

Quantum Errata

You may remember that last week we talked about a Quantum Annealing machine making progress on solving RSA cryptography. In the comments, it was pointed out that some coverage of this talks about RSA, and some talks about AES, a cipher thought to be quantum-resistant. At least one source is claiming that this confusion is because there were actually two papers from the same team, one discussing RSA, and the other discussing techniques that could be used against AES. This isn’t confirmed yet, and there are outstanding questions about both papers.

Bits and Bytes

SQL injection attacks are old hat by this point. [NastyStereo] has an interesting idea: Polyglot SQL injection attacks. The idea is simple. A SQL query might be escapable with a single quote or a double quote. To test it, just include both: OR 1#"OR"'OR''='"="'OR''='. There are more examples and some analysis at the link.

Kaspersky researchers found a Chrome exploit that was being delivered in the form of an online tank battle game. In reality, the game was stolen from its original developers, and the web site was a crypto stealing scam, making use of the browser 0-day. This campaign has been pinned on Lazarus, the APT from North Korea.

In yet another example of fake software, researchers at Kandji discovered a fake Cloudflare Authenticator campaign. This one is a macOS malware dropper that does a reasonably good job of looking like it’s an official Cloudflare app. It’s malware, and places itself in the system crontab to get launched on every boot. Follow the link for Indicators of Compromise if you need them.

Singapore’s 4300 km Undersea Transmission Line With Australia Clears Regulatory Hurdle
https://hackaday.com/2024/10/23/singapores-4300-km-undersea-transmission-line-with-australia-clears-regulatory-hurdle/
Thu, 24 Oct 2024 02:00:21 +0000
The proposed AAPowerLink transmission line between Darwin (Australia) and Singapore. (Credit: Sun Cable)

Recently Singapore’s Energy Market Authority (EMA) granted Sun Cable conditional approval for its transmission line with Australia. Singapore has been faced for years now with the dilemma that its population’s energy needs keep increasing year-over-year, while it has very little space to build out its energy-producing infrastructure, least of all renewables with their massive footprints. This has left Singapore virtually completely dependent on natural gas-burning thermal plants.

With no nearby countries to obtain excess power from as is common in e.g. the EU’s integrated energy market, an idea was floated in 2020 by Australian company Sun Cable for the project, called the Australia-Asia Power Link (AAPL). This would entail two transmission lines:

  • the 800 km long DarwinLink to a yet-to-be-built multi-GW, 12,400 hectares solar farm in the Barkly Region of the Northern Territory. This link would be rated for 4 GW of transmission capacity.
  • the 4300 km long SingaporeLink HVDC line from Darwin to Singapore, rated for 2 GW (1.75 GW after losses).

Back in 2023 Sun Cable went into voluntary administration after the two billionaires providing venture capital for Sun Cable had disagreements about the company’s ‘funding and direction’. It’s unknown to what extent these issues are resolved, even as Singapore’s EMA seems to have given conditional approval to the SingaporeLink transmission line. This comes against the background of Singapore having signed a 30-year nuclear power deal with the US and exploring the eventual deployment of nuclear power as well as the importing of large quantities of ammonia and (green) hydrogen.

The current planning for the whole Sun Cable project is set for completion by 2035, with construction yet to begin on all three components. There are still many uncertainties to be resolved, as the 1.75 GW that would be provided 24/7 to Singapore would have to be backed up by significant grid-level storage on both sides, which is not an easy problem to solve.

If completed, it would be the world’s longest electricity transmission line, providing enough power for ~9% of Singapore’s 2024 energy needs, and likely far below that by 2035. Naturally, all of these projections are eerily reminiscent of the EU’s continuously revived plans to import solar power and hydrogen from Africa.

Featured image: Senoko natural gas and oil-fired power station, Singapore in 2007. (Credit: Terence Ong)
