
Hackaday Podcast Episode 348: 50 Grams of PLA Hold a Ton, Phreaknic Badge is Off The Shelf, and Hackers Need Repair Manuals

By: Tom Nardi
5 December 2025 at 12:00

Join Hackaday Editors Elliot Williams and Tom Nardi as they go over their picks for the best stories and hacks from the previous week. Things start off with a warning about the long-term viability of SSD backups, after which the discussion moves onto the limits of 3D printed PLA, the return of the Pebble smart watch, some unconventional aircraft, and an online KiCad schematic repository that has plenty of potential. You’ll also hear about a remarkable conference badge made from e-waste electronic shelf labels, filling 3D prints with foam, and a tiny TV powered by the ESP32. The episode wraps up with our wish for hacker-friendly repair manuals, and an interesting tale of underwater engineering from D-Day.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

As always, this episode is available in DRM-free MP3.


Episode 348 Show Notes:


What’s that Sound?

  • Congratulations to [for_want_of_a_better_handle] for guessing the data center ambiance!


This Week in Security: React, JSON Formatting, and the Return of Shai Hulud

5 December 2025 at 10:00

After a week away recovering from too much turkey and sweet potato casserole, we’re back for more security news! And if you need something to shake you out of that turkey-induced coma, React Server has a single-request Remote Code Execution flaw in versions 19.0.1, 19.1.2, and 19.2.1.

The issue is insecure deserialization in the Flight protocol, as implemented right in React Server, and notably also used in Next.js. Those two organizations have both issued Security Advisories for CVSS 10.0 CVEs.

There are reports of a public Proof of Concept (PoC), but the repository that has been linked explicitly calls out that it is not a true PoC, but merely research into how the vulnerability might work. As far as I can tell, there is not yet a public PoC, but reputable researchers have been able to reverse engineer the problem. This implies that mass exploitation attempts are not far off, if they haven’t already started.

Legal AI Breaks Attorney-Client Privilege

We often cover security flaws that are discovered by merely poking around the source of a web interface. [Alex Schapiro] went above and beyond the call of duty, manually looking through minified JS, to discover a major data leak in the Filevine legal AI. And the best part, the problem isn’t even in the AI agent this time.

The story starts with subdomain enumeration — the process of searching DNS records, Google results, and other sources for valid subdomains. That resulted in a valid subdomain and a not-quite-valid web endpoint. This is where [Alex] started digging through JavaScript, and found an Amazon AWS endpoint, and a reference to BOX_SERVICE. Making requests against the listed endpoint resulted in both boxFolders and a boxToken in the response. What are those, and what is Box?

Box is a file sharing system, similar to a Google Drive or even Microsoft Sharepoint. And that boxToken was a valid admin-level token for a real law firm, containing plenty of confidential records. It was at this point that [Alex] stopped interacting with the Filevine endpoints, and contacted their security team. There was a reasonably quick turnaround, and when [Alex] re-tested the flaw a month later, it had been fixed.

JSON Formatting As A Service

The web is full of useful tools, and I’m sure we all use them from time to time. Or maybe I’m the only lazy one that types a math problem into Google instead of opening a dedicated calculator program. I’m also guilty of pasting base64 data into a conversion web site instead of just piping it through base64 and xxd in the terminal. Watchtowr researchers are apparently familiar with such laziness, or rather efficiency, in the form of JSONformatter and CodeBeautify. Those two tools have an interesting feature: an online save function.

You may see where this is going. Many of us use GitHub Gists, which support secret gists protected by long, random URLs. JSONformatter and CodeBeautify don’t. Those URLs are short enough to enumerate — not to mention there is a Recent Links page on both sites. Between the two sites, there are over 80,000 saved JSON snippets. What could possibly go wrong? Not all of that JSON was intended to be public. It’s not hard to predict that JSON containing secrets was leaked through these sites.

And then on to the big question: Is anybody watching? Watchtowr researchers beautified a JSON containing a Canarytoken in the form of AWS credentials. The JSON was saved with the 24 hour timeout, and 48 hours later, the Canarytoken was triggered. That means that someone is watching and collecting those JSON snippets, and looking for secrets. The moral? Don’t upload your passwords to public sites.
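A local pre-paste check for the lesson above, as an added example that is not from the article or from Watchtowr: it walks a JSON document and redacts likely credentials before the text goes anywhere near an online formatter. The key-name list, the entropy threshold and the sample document are assumptions constructed for this illustration.

```python
import json
import math
import re
from collections import Counter

# Key names that usually hold credentials (assumed list; extend for your environment).
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|access[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)

# Value patterns for well-known credential formats.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}"),
}
REDACTED = "[REDACTED]"
ENTROPY_THRESHOLD = 4.5  # bits per character; heuristic, assumed for this example


def shannon_entropy(text):
    """Bits of entropy per character of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def classify(key, value):
    """Return a reason string if value looks like a secret, else None."""
    if not isinstance(value, str) or not value:
        return None
    for name, pattern in VALUE_PATTERNS.items():
        if pattern.search(value):
            return name
    if key is not None and SENSITIVE_KEY.search(key):
        return "sensitive_key_name"
    # Long, space-free, random-looking string under an innocuous key name.
    if len(value) >= 32 and " " not in value and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "high_entropy_string"
    return None


def redact(node, path="$", key=None, findings=None):
    """Return (redacted_copy, findings) for a parsed JSON value."""
    if findings is None:
        findings = []
    if isinstance(node, dict):
        out = {k: redact(v, f"{path}.{k}", k, findings)[0] for k, v in node.items()}
        return out, findings
    if isinstance(node, list):
        # List items inherit the parent key, so "passwords": ["a", "b"] is caught.
        out = [redact(v, f"{path}[{i}]", key, findings)[0] for i, v in enumerate(node)]
        return out, findings
    reason = classify(key, node)
    if reason:
        findings.append((path, reason))
        return REDACTED, findings
    return node, findings


def prepare_for_paste(raw_json):
    """Parse, redact and pretty-print; returns (pretty_json, findings)."""
    cleaned, findings = redact(json.loads(raw_json))
    return json.dumps(cleaned, indent=2), findings


# Constructed sample: none of these values are real credentials.
SAMPLE = json.dumps({
    "service": "billing-export",
    "region": "eu-west-1",
    "aws": {
        "aws_access_key_id": "AKIAEXAMPLEEXAMPLE00",
        "aws_secret_access_key": "constructed-not-a-real-secret",
    },
    "notes": "rotate key AKIAEXAMPLEEXAMPLE00 next sprint",
    "session_blob": "Zx9Qm2Lk7Vt4Rb8Nc1Hd6Jf3Gs5Pw0Ya",
    "retries": 3,
})

if __name__ == "__main__":
    pretty, found = prepare_for_paste(SAMPLE)
    for where, why in found:
        print(f"redacted {where}: {why}")
    print(pretty)
```

The pretty-printed output is also the formatted JSON you wanted in the first place, so the paste to a third-party site becomes unnecessary; anything the findings list reports as already shared elsewhere should be rotated.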

Shai Hulud Rises Again

NPM continues to be a bit of a security train wreck, with the Shai Hulud worm making another appearance, with some upgraded smarts. This time around, the automated worm managed to infect 754 packages. It comes with a new trick: pushing the pilfered secrets directly to GitHub repositories, to overcome the rate limiting that affected this worm the first time around. There were over 33,000 unique credentials captured in this wave. When researchers at GitGuardian tested that list a couple days later, about 10% were still valid.

This wave was launched by a PostHog credential that allowed a malicious update to the PostHog NPM package. The nature of Node.js means that this worm was able to very quickly spread through packages where maintainers were using that package. Version 2.0 of Shai Hulud also includes another nasty surprise, in the form of a remote control mechanism stealthily installed on compromised machines. It implies that this is not the last time we’ll see Shai Hulud causing problems.

Bits and Bytes

[Vortex] at ByteRay took a look at an industrial cellular router, and found a couple major issues. This ALLNET router has an RCE, due to CGI handling of unauthenticated HTTP requests. It’s literally just /cgi-bin/popen.cgi?command=whoami to run code as root. That’s not the only issue here, as there’s also a hardcoded username and password. [Vortex] was able to derive that backdoor account information and use hashcat to crack the password. I was unable to confirm whether patched firmware is available.

Google is tired of their users getting scammed by spam phone calls and texts. Their latest salvo in trying to defeat such scams is in-call scam protection. This essentially detects a banking app that is opened as a result of a phone call. When this scenario is detected, a warning dialogue is presented, that suggests the user hangs up the call, and forces a 30 second waiting period. While this may sound terrible for sophisticated users, it is likely to help prevent fraud against our collective parents and grandparents.

What seemed to be just an illegal gambling ring of web sites, now seems to be the front for an Advanced Persistent Threat (APT). That term, btw, usually refers to a government-sponsored hacking effort. In this case, instead of a gambling fraud targeting Indonesians, it appears to be targeting Western infrastructure. One of the strongest arguments for this claim is the fact that this network has been operating for over 14 years, and includes a mind-boggling 328,000 domains. Quite the odd one.


Keebin’ with Kristina: the One with the Pretty Prototypes

4 December 2025 at 13:00

Some like it flat, and there’s nothing wrong with that. What you are looking at is the first prototype of Atlas by [AsicResistor], which is still a work in progress. [AsicResistor] found the Totem to be a bit cramped, so naturally, it was time to design a keyboard from the ground up.

Image by [AsicResistor] via reddit
The case is wood, if that’s not immediately obvious. This fact is easily detectable in the lovely render, but I didn’t want to show you that here.

This travel-friendly keyboard has 34 keys and dual trackpoints, one on each half. If the nubbin isn’t your thing, there’s an optional, oversized trackball, which I would totally opt for. But I would need an 8-ball instead, simply because that’s my number.

A build video is coming at some point, so watch the GitHub, I suppose, or haunt r/ergomechkeyboards.

Flat as it may be, I would totally at least give this keyboard a fair chance. There’s just something about those keycaps, for starters. (Isn’t it always the keycaps with me?) For another, I dig the pinky stagger. I’m not sure that two on each side is nearly enough thumb keys for me, however.

The Foot Roller Scroller Is Not a Crock

Sitting at a keyboard all day isn’t great for anyone, but adding in some leg and/or foot movement throughout the day is a good step in the right direction. Don’t want to just ride a bike all day under your desk? Add something useful like foot pedals.

Image by [a__b] via reddit
The Kinesis Savant pedals are a set of three foot switches that are great for macros, or just pressing Shift all the time. Trust me. But [a__b] wasn’t satisfied with mere clicking, and converted their old pedals into a Bluetooth 5.0 keyboard with a big, fat scroll wheel.

Brain-wise, it has a wireless macro keyboard and an encoder from Ali, but [a__b] plans to upgrade it to a nice!nano in order to integrate it with a Glove80.

Although shown with a NautiCroc, [a__b] says the wheel works well with socks on, or bare feet. (Take it from me, the footfeel of pedals is much more accurate with no shoes on.) Interestingly, much of the inspiration was taken from sewing machines.

As of this writing, [a__b] has mapped all keys using BetterTouchTool for app-specific action, and is out there happily scrolling through pages, controlling the volume, and navigating YouTube videos. Links to CAD and STLs are coming soon.

The Centerfold: LEGO My Ergo

Image by [Flat-Razzmatazz-672] via reddit
This here is a Silakka 54 split keyboard with a custom LEGO case available on Thingiverse. [Flat-Razzmatazz-672] says that it isn’t perfect (could have fooled me!), but it did take a hell of a lot of work to get everything to fit right.

As you might imagine and [Flat-Razzmatazz-672] can attest, 3D printing LEGO is weird. These studs are evidently >= 5% bigger than standard studs, because if you print it as is, the LEGO won’t fit right.

Via reddit

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the North’s was a Striking Down-striker

Although lovely to gaze upon, the North’s typewriter was a doomed attempt at creating a visible typewriter. That is, one where a person could actually see what they were typing as they typed it.

Image via The Antikey Chop

North’s achieved this feat through the use of vertical typebars arranged in a semi-circle that would strike down onto the platen from behind, making it a rear down-striker.

In order for this arrangement to work, the paper had to be loaded, coiled into one basket, and it was fed into another, hidden basket while typing. This actually allowed the typist to view two lines at a time, although the unfortunate ribbon placement obstructed the immediate character.

The story of North’s typewriter is a fairly interesting one. For starters, it was named after Colonel John Thomas North, who wasn’t really a colonel at all. In fact, North had very little to do with the typewriter beyond bankrolling it and providing a name.

North started the company by purchasing the failed English Typewriter Company, which brought along with it a couple of inventors, who would bring the North’s to fruition. The machine was made from 1892 to 1905. In 1896, North died suddenly while eating raw oysters, though the cause of death was likely heart failure. As he was a wealthy, unpopular capitalist, conspiracy theories abounded surrounding his departure.

Finally, MoErgo Released a New Travel Keyboard, the Go60

It’s true, the MoErgo Glove80 is great for travel. And admittedly, it’s kind of big, both in and out of its (very nice) custom zipper case. But you asked, and MoErgo listened. And soon enough, there will be a new option for even sleeker travel, the Go60. Check out the full spec sheet.

Image by MoErgo via reddit

You may have noticed that it’s much flatter than the Glove80, which mimics the key wells of a Kinesis Advantage quite nicely.

Don’t worry, there are removable palm rests that are a lot like the Glove80 rests. And it doesn’t have to be flat: there is 6-step magnetic tenting (6.2° – 17°), which snaps on or off in seconds. The palm rests have 7-step tenting (6° – 21.5°), and they come right off, too.

Let’s talk about those trackpads. They are Cirque 40 mm Glidepoints. They aren’t multi-touch, but they are fully integrated into ZMK and thus are fully programmable, so do what you will.

Are you as concerned about battery life as I am? It’s okay — the Go60 goes fully wired with a TRRS cable between the halves, and a USB connection from the left half to the host. Although ZMK did not support this feature, MoErgo sponsored the founder, [Pete], to develop it, and now it’s just a feature of ZMK. You’re welcome.

Interested? The Go60 will be on Kickstarter first, and then it’ll be available on the MoErgo site. Pricing hasn’t quite been worked out yet, so stay tuned on that front.

Via reddit


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

FLOSS Weekly Episode 857: SOCification

3 December 2025 at 14:30

This week Jonathan chats with Konstantinos Margaritis about SIMD programming. Why do these wide data instructions matter? What’s the state of Hyperscan, the project from Intel to power regex with SIMD? And what is Konstantinos’ connection to ARM’s SIMD approach? Watch to find out!

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.



Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

3D Printering: That New Color Printer

3 December 2025 at 13:00

Color 3D printing has gone mainstream, and we expect more than one hacker will be unpacking one over the holidays. If you have, say, a color inkjet printer, the process is simple: print. Sure, maybe make sure you tick the “color” box, but that’s about it. However, 3D printers are a bit more complicated.

There are two basic phases to printing color 3D prints. First, you have to find or make a model that has different colors. Even if you don’t make your own models (although you should), you can still color prints in your slicer.

The second task is to set the printer up to deal with those multiple colors. There are several different ways to do this, and each one has its pros and cons. Of course, some of this depends on your slicer, and some depends on your printer. For the purposes of this post, I’ll assume you are using a Slic3r fork like Prusa or OrcaSlicer. Most of the lower-priced printers these days work in roughly the same way.

Current State of Color

In theory, there are plenty of ways to 3D print in color. You can mix hot plastic in the nozzle or use multiple nozzles, each loaded with a different color. But most entry-level color printers use a variation of the same technique. Essentially, they are just like single-nozzle FDM printers, but they have three extra pieces. First, there is a sensor that can tell if filament is in the hot end or not. There’s also a blade above the hot end but below the extruder that can cut the filament off cleanly on command. This usually involves having the hot end ram some actuator that pushes the spring-loaded knife through the filament.

The third piece is some unit to manage moving a bunch of filaments in and out of the hot end. Everyone calls this something else. Bambu calls it an AMS while Flashforge calls it an IFS. Prusa has an MMU. Whatever you call it, it just moves cold filament around: either pushing it into the extruder or pulling it out.

Every filament change starts with cutting the filament below the extruder. That leaves the stringy melted part down in the nozzle. Then the extruder can pull the rest up until the management unit can take over and pull it totally out of the hot end/extruder assembly. That’s why there’s a sensor. It pulls until it sees that the extruder is empty or it times out and throws an error.

Then it is simple enough to move another filament back into the extruder. Of course, the first thing it has to do is push the leftover filament out of the nozzle. Most printers move to a bin and extrude until they are sure the color has changed. However, there are other options.

Even if you push out all the old filament, you may want to print a little waste piece of the new filament before you start printing, and this is called a purge block. Slicers can also push purge material into places like your infill, for example. Some can even print objects with the purge, presumably an object that doesn’t have to look very nice. Depending on your slicer, printer, and workflow, you can opt to print without a purge block, which can work well when you have a part where each layer is a solid color. Some printers will let you skip the discharge step, too, which is often called “poop.”

One caveat, of course, is that all this switching logic takes time and generates waste. A good rule of thumb is to try to print many objects at one time if you are going to switch filament, because the changes are what take time and generate waste. Printing dozens of objects will generate essentially the same amount of waste as printing one. Of course, printing a dozen objects will take longer than a single one, but the biggest part of the time is filament changes, which doesn’t change no matter how many or few you print.

Get Ready to Print

Painting in Orca Slicer

We’ve talked before about creating your own color objects. We’ve even seen how to do it in TinkerCad. Of course, you can also load designs that already have color in them. However, there are several different ways to put color into an otherwise monochrome print.

First, you can take a regular print and use your slicer’s paint function to paint areas with different colors. That works, but it is often tedious, and for complex shapes, it is error-prone. Another downside is that you can’t really control the depth easily, so you get strange filament shifts inside the object if you do it that way.

In Orca, you can select an object in the Prepare screen and then use N, or the toolbar, to bring up the paint color dialog. From there, you can pick a brush shape, pen size, and color. Then it is easy to just paint where you like by left-dragging. You can remove paint by pressing Shift while clicking or dragging. Press the little question mark at the bottom left to see other options.

Once you make a color print, the slicer will automatically place a purge block for you unless you turn it off. Assuming you use it, it is a good idea to drag it on the build plate to be closer to the print, which can shave a few minutes of travel time.

From Many, One

Possibly the easiest way, other than not printing in color, of course, is to have each part of the model that needs to be one color as a separate STL file, as we talked about in the previous post. You tell the slicer which part goes with which filament, and you are done.

In Orca, the best way to do this is to import several STL models at one time. The software will ask you: “Load these files as a single object with multiple parts?” If you agree, you get one object made of individual pieces.

The resulting object won’t look much different until you go to “Process”, on the left-hand side of the screen, and switch from the default Global to Objects. From there, you’ll see the objects and their components. At first, each one will be set to the same color, but by clicking on the color box, you can assign different colors. In the screenshot, you’ll see two identical objects, each with two parts. Each part has a different color. The number is the extruder that holds that color.

Two filament changes are all it takes to make this nice-looking ornament

There is another way, though. You can avoid almost all of the waste generation and extra time if your model is designed so that each layer is a single color. People have done this for years, where you put a pause in your G-code and then switch filament manually. The idea is the same but the printer can switch for you. For example, the Christmas Tree ornament uses two filament changes to print white, then green, then white again. This works great for lettering and logos and other simple setups where you simply need some contrast.

In Orca, you’ll want to slice your model once and switch to the preview tab. Using the vertical slider on the right-hand side, adjust the view until it shows you where you want the filament change. Then right-click and select “Change Filament.” This is the same way you add a pause if you want to change filament manually, for example.

If you use this method, remember to turn off the purge block. You don’t really need it.

Summary

So now, when you unwrap that shiny new multimaterial printer, you have a plan. Get a color model or color one yourself. Then you can decide if you need color changes or full-blown, and waste-prone, color printing. Either way, have fun!

How Cross-Channel Plumbing Fuelled The Allied March On Berlin

By: Lewin Day
2 December 2025 at 13:00

During World War II, as the Allies planned the invasion of Normandy, there was one major hurdle to overcome—logistics. In particular, planners needed to guarantee a solid supply of fuel to keep the mechanized army functional. Tanks, trucks, jeeps, and aircraft all drink petroleum at a prodigious rate. The challenge, then, was to figure out how to get fuel over to France in as great a quantity as possible.

War planners took a diverse approach. A bulk supply of fuel in jerry cans was produced to supply the initial invasion effort, while plans were made to capture port facilities that could handle deliveries from ocean-going tankers. Both had their limitations, so a third method was sought to back them up. Thus was born Operation Pluto—an innovative plan to simply lay fuel pipelines right across the English channel.

Precious Juice

War is thirsty work, and for the soldiers too. Crown copyright, Imperial War Museums

Back in the 1940s, undersea pipelines were rather underexplored technology. However, they promised certain benefits over other methods of shipping fuel to the continent. They would be far more difficult to destroy by aerial attack compared to surface ships or floating pipelines. An undersea pipeline would also be less likely to be damaged by rough sea conditions that were typical in the English Channel.

The idea was granted the codename PLUTO—for Pipe-Line Under The Ocean. Development began as soon as 1942, and the engineering challenges ahead were formidable. The Channel stood a good twenty miles wide at its narrowest point, with strong currents, variable depths, and the ever-present threat of German interference. Any pipeline would need to withstand high pressure from the fuel flowing inside, resist corrosion in seawater, and be flexible enough to handle the uneven seabed. It also needed to be laid quickly and surreptitiously, to ensure that German forces weren’t able to identify and strike the pipelines supplying Allied forces.

A sectioned piece of HAIS pipeline. Note the similarities to then-contemporary undersea cable construction. Credit: Geni, CC BY-SA 3.0

The first pipe developed as part of the scheme was HAIS. It was developed by Siemens Brothers and was in part the brainchild of Clifford Hartley, then Chief Engineer of Anglo-Iranian Oil and an experienced hand at delivering fuel pipelines in tough conditions. Thus the name—which stood for Hartley-Anglo-Iranian-Siemens. It used a 2-inch diameter pipe of extruded lead to carry the fuel, surrounded by asphalt and paper doused in a vinyl-based resin. It was then wound with a layer of steel tape for strength, and then further layered with jute fiber and more asphalt and paper. The final layers were an armored sheath of galvanized steel wires and a canvas outer cover. The techniques used were inspired by those that had proved successful in the construction of undersea telegraph cables. As designed, the two-inch diameter pipe was intended to flow up to 3,500 imperial gallons of fuel a day when running at 500 psi.

HAIS pipe was produced across several firms in the UK and the US. Initial testing took place with pipe laid across the River Medway. Early efforts proved unsuccessful, with leaks caused by lead from the central core pushing out through the steel tape layer. The steel tape wraps were increased, however, and subsequent testing over the Firth of Clyde was more successful. Trials pushed the pipe up to 1,500 psi, showing that up to 250,000 liters of fuel could be delivered per day. The pipeline also proved robust, surviving a chance attack by a German bomb landing nearby. The positive results from testing led to the development of a larger 3-inch version of the HAIS pipe to support even greater flow.

HAMEL pipe in long lengths prior to loading on a Conundrum. Crown copyright, Imperial War Museums

By this point in the war, however, supplies were becoming constrained on all sides. In particular, lead was becoming scarce, which spurred a desire for a cheaper pipe design to support Operation PLUTO. Thus was born HAMEL, named after engineers Bernard J. Ellis and H.A. Hammick, who worked on the project.

HAMEL pipe loaded on a Conundrum, ready to be laid on the seafloor. Crown copyright, Imperial War Museums

The HAMEL design concerned a flexible pipe constructed out of mild steel, at 3-½ inches in diameter. Lengths of the pipe were produced in 40-foot segments which would then be resistance welded together to create a longer flexible pipeline that could be laid on the seafloor. The steel-based pipe was stiffer than the cable-like HAIS, which caused an issue—it couldn’t readily be coiled up in a ship’s hold. Instead, giant floating drums were constructed at some 40 feet in diameter, nicknamed “Conundrums.” These were to be towed by tugs or hauled by barges to lay the pipeline across the Channel. Testing took place by laying pipelines to the Isle of Wight, which proved the concept was viable for deployment.

Beyond the two types of pipeline, a great deal of work went into the supporting infrastructure for the project. War planners had to build pumping stations to feed the pipelines, as well as ensure that they could in turn be fed fresh fuel from the UK’s network of fuel storage facilities and refineries. All this had to be done with a certain level of camouflage, lest German aircraft destroy the coastal pumping stations prior to the British invasion of the continent. Two main stations at Sandown and Dungeness were selected, and were intended to be connected via undersea pipe to the French ports of Cherbourg and Ambleteuse, respectively. The Sandown-Cherbourg link was to be named Bambi, while the Dungeness-Ambleteuse link would be named Dumbo, referencing further Disney properties since the overall project was called Pluto.

The Big Dance

On D-Day, the initial landings and immediate securing of the beachhead would run on pre-packaged fuel supplies in jerry cans and drums. The pipelines were intended to come later, ensuring that the Allied forces had the fuel supplies to push deep into Europe as they forced back the German lines. It would take some time to lay the pipelines, and the work could only realistically begin once the initial ports were secure.

A map indicating the Bambi and Dumbo pipelines between England and France. Notably, the Dumbo pipelines were run to Boulogne instead of the original plan of Ambleteuse. Credit: public domain

Bambi was intended to go into operation just 75 days after D-Day, assuming that Allied forces had managed to capture the port of Cherbourg within eight days of the landings. This process instead took 21 days due to the vagaries of war. Efforts to lay a HAIS pipeline began as soon as 12 August 1944, just 67 days after D-Day, only to fail due to an anchor strike by an escort destroyer. The second effort days later was scuppered when the piping was wound up in the propeller of a supporting craft. A HAMEL pipelaying effort on 27 August would also fail thanks to barnacles jamming the massive Conundrum from rotating, and while cleaning efforts freed it up, the pipeline eventually broke after just 29 nautical miles of the 65 nautical mile journey.

It wasn’t until 22 September that a HAIS cable was successfully installed across the Channel, and began delivering 56,000 imperial gallons a day. A HAMEL pipe was then completed on 29 September. However, both pipes would fail just days later on October 3 as pressure was increased to up the rate of fuel delivery, and the Bambi effort was cancelled. Despite the great efforts of all involved, the pipelines had delivered just 935,000 imperial gallons, or 3,300 long tons of fuel—a drop in the ocean relative to what the war effort required.

A Conundrum pictured as it was towed to Cherbourg to lay a HAMEL pipeline as part of Operation Bambi. Credit: public domain

Dumbo would prove more successful, perhaps with little surprise that the distances involved were shorter. The first HAIS pipeline was completed and operational by 26 October. The pipeline was redirected from Dungeness to Boulogne instead of the original plan to go to Ambleteuse thanks to heavy mining by the Germans, and covered a distance of 23 nautical miles. More HAIS and HAMEL pipelines followed, and the pipeline would later be extended to Calais to use its rail links for delivery further inland.

A total of 17 pipelines were eventually laid between the two coasts by the end of 1944. They could deliver up to 1,300 long tons of fuel per day—soon eclipsing the Bambi efforts many times over. The HAMEL pipelines proved somewhat unreliable, but the HAIS cable-like pipes held up well and none broke during their use until the end of the war in Europe. The pipelines stuck to supplying petrol, while initial plans to deliver other fuels such as high-octane aviation spirit were discarded.

Once a key piece of war infrastructure, now a small part of a thrilling minigolf course. Credit: Paul Coueslant, CC BY-SA 2.0

Overall, Operation Pluto would deliver 370,000 long tons of fuel to support Allied forces, or about 8 percent of the total. The rest was largely delivered by oceangoing tankers, with some additional highly-expensive aerial delivery operations used when logistical lines were stretched to their very limits. Bulk fuel delivery by undersea pipeline had been proven possible, but perhaps not decisively important when it came to wartime logistics.

A small section of pipeline left over from Operation Pluto at Shanklin Chine on the Isle of Wight. Credit: Crookesmoor, CC BY-SA 3.0

Arguments as to the value of the project abound in war history circles. On the one hand, Operation Pluto was yet another impressive engineering feat achieved in the effort to bring the war to an end. On the other hand, it was a great deal of fuss and ultimately only delivered a moderate portion of the fuel needed to support forces in theatre. In any case, there are still lingering reminders of Operation Pluto today—like a former pumping station that has been converted into a minigolf course, or remnants of the pipelines on the Isle of Wight.

Since World War II, we’ve seen precious few conflicts where infrastructure plays such a grand role in the results of combat. Nevertheless, the old saying always rings true—when it comes to war, amateurs discuss tactics, while professionals study logistics.

Australia’s New Asbestos Scare In Schools

By: Lewin Day
1 December 2025 at 13:00

Asbestos is a nasty old mineral. It’s known for releasing fine, microscopic fibers that can lodge in the body’s tissues and cause deadly disease over a period of decades. Originally prized for its fire resistance and insulating properties, it was widely used in all sorts of building materials. Years after the dangers became clear, many countries eventually banned its use, with strict rules around disposal to protect the public from the risk it poses to health.

Australia is one of the stricter countries when it comes to asbestos, taking great pains to limit its use and its entry into the country. This made it all the more surprising when it became apparent that schools across the nation had been contaminated with loose asbestos material. The culprit was something altogether unexpected, too—in the form of tiny little tubes of colored sand. Authorities have rushed to shut down schools as the media asked the obvious question—how could this be allowed to happen?

Hiding In Plain Sight

Australia takes asbestos very seriously. Typically, asbestos disposal is supposed to occur according to very specific rules. Most state laws generally require that the material must be collected by qualified individuals except in minor cases, and that it must be bagged in multiple layers of plastic prior to disposal to avoid release of dangerous fibers into the environment. The use, sale, and import of asbestos has been outright banned since 2003, and border officials enforce strict checks on any imports deemed a high risk to potentially contain the material.

Colored sand is a popular artistic medium, used regularly by children in schools and households across Australia. Via: ProductSafety.gov.au

Thus, by and large, you would expect that any item you bought in an Australian retailer would be free of asbestos. That seemed to be true, until a recent chance discovery. A laboratory running tests on some new equipment happened to accidentally find asbestos contamination in a sample of colored sand—a product typically marketed for artistic use by children. The manager of the lab happened to mention the finding in a podcast, with the matter eventually reaching New Zealand authorities who then raised the alarm with their Australian counterparts. This led to an investigation by the Australian Competition and Consumer Commission (ACCC), which instituted a national safety recall in short order.

The response from there was swift. At least 450 schools instituted temporary shutdowns due to the presence or suspected presence of the offending material. Some began cleanup efforts in earnest, hiring professional asbestos removalists to deal with the colored sand. In many cases, the sand wasn’t just in sealed packaging—it had been used in countless student artworks or spilled in carpeted classrooms. Meanwhile, parents feared the worst after finding the offending products in their own homes. Cleanup efforts in many schools are ongoing, due in part to the massive spike in demand for the limited asbestos removal services available across the country. Authorities in various states have issued guidelines on how to handle cleanup and proper disposal of any such material found in the workplace.

Over 87 retailers have been involved in a voluntary recall that has seen a wide range of colored sand products pulled from shelves.

At this stage, it’s unclear how asbestos came to contaminate colored sand products sold across the country, though links have been found to a quarry in China. It’s believed that the products in question have been imported into Australia since 2020, but have never faced any testing regarding asbestos content. Different batches have tested positive for both tremolite and chrysotile asbestos, both of which present health risks to the public. However, authorities have thus far stated the health risks of the colored sand are low. “The danger from asbestos comes when there are very, very fine fibres that are released and inhaled by humans,” stated ACCC deputy chair, Catriona Lowe. “We understand from expert advice that the risk of that in relation to these products is low because the asbestos is in effect naturally occurring and hasn’t been ground down as such to release those fibres.”

Investigations are ongoing as to how asbestos-containing material was distributed across the country for years, and often used by children who might inhale or ingest the material during use. The health concerns are obvious, even if the stated risks are low. The obvious reaction is to state that the material should have been tested when first imported, but such a policy would have a lot of caveats. It’s simply not possible to test every item that enters the country for every possible contaminant. At the same time, one could argue that a mined sand product is more likely to contain asbestos than a box of Hot Wheels cars or a crate of Belgian chocolates. A measured guess would say this event will be ruled out as a freak occurrence, with authorities perhaps stepping up random spot checks on these products to try and limit the damage if similar contamination occurs again in future.

Featured image and other sand product images from the Australian government’s recall page.

Retrotechtacular: The $550K Video Conferencing System Used to Make Bee Movie

30 November 2025 at 19:00

The modern office environment has shifted in recent years. Employees are routinely asked to collaborate with co-workers halfway around the globe and be camera ready, or whatever passes for webcam ready, in order to telecommute when they are out of office. Every office laptop, tablet, or cell phone these days comes equipped with some sort of camera sensor capable of recording at HD resolution. Twenty years ago, that was not the case, though tech conglomerates like HP had a different idea of teleconferencing to sell back in 2005, dubbed the Halo Collaboration Studio.

The Halo Studio was a collaboration between HP and Dreamworks that was used during the production of Bee Movie. Studio heads at Dreamworks thought it necessary to install the HP teleconferencing solution inside the New York office of Jerry Seinfeld, the writer of the film, so as to allow him to avoid long trips to Dreamworks production offices in Los Angeles. According to the HP Halo Collaboration Studio brochure, “Halo actually pays for itself, not only by reducing travel costs, but also by encouraging higher productivity and stronger employee loyalty.” Certainly Dreamworks believed in that sales pitch for Bee Movie, because the upfront asking price left a bit of a sting.

Less of a singular machine, more of an entire dedicated room, the Halo Studio had a $550,000 asking price. It utilized three 1280×960 resolution plasma screens each fitted with a 720p broadcast camera and even included an “executive” table for six. The room lighting solution was also part of the package as the intent was to have all participants appear true to life size on the monitors. The system ran on a dedicated T3 fiber optic connection rated at 45 Mbps that connected to the proprietary Halo Video Exchange Network that gave customers access to 24×7 tech support for the small sum of $30,000 a month.

For more Retrotechtacular stories, check out Dan’s post on the Surveyor 1 documentary. It’s out of this world.

Hacky Thanksgiving

29 November 2025 at 10:00

It’s that time of year when we eat perhaps a little too much food, and have maybe just a few too many sips of red wine. But it’s also when we think about what we’ve been grateful for over the past year. And here at Hackaday, that’s you all: the people out there making the crazy projects that we get the pleasure of writing about, and those of you just reading along. After all, we’re just the hackers in the middle. You are all Hackaday.

And it’s also the time of year, at least in this hemisphere, when the days get far too short for their own good and the weather gets frankly less than pleasant. That means more time indoors, and if we play our cards right, more time in the lab. Supercon is over and Hackaday Europe is still far enough in the future. Time for a good project along with all of the festive duties.

So here we sit, while the weather outside is frightful, wishing you all a pleasant start to the holiday season. May your parts bin overflow and your projects-to-do-list never empty!

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Hackaday Podcast Episode 347: Breaking Kindles, Baby’s First Synth, and Barcodes!

28 November 2025 at 12:00

This week, Hackaday’s Elliot Williams and Kristina Panos met up over coffee to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous seven days or so.

On What’s That Sound, Kristina got sort of close, but of course failed spectacularly. Will you fare better and perhaps win a Hackaday Podcast t-shirt? Mayhap you will.

After that, it’s on to the hacks and such, beginning with an interesting tack to take with a flat-Earther that involves two gyroscopes. And we take a look at the design requirements when it comes to building synths for three-year-olds.

Then we discuss several awesome hacks such as a vehicle retrofit to add physical heated seat controls, an assistive radio that speaks the frequencies, and an acoustic radiometer build. Finally, we look at the joys of hacking an old Kindle, and get a handle on disappearing door handles.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download in DRM-free MP3 and savor at your leisure.

Episode 347 Show Notes:

News:

  • No news is good news! So we talk about Thanksgiving and what we’ve learned recently.

FLOSS Weekly Episode 856: QT: Fix It Please, My Mom is Calling

26 November 2025 at 14:30

This week Jonathan chats with Maurice Kalinowski about QT! That’s the framework that runs just about anywhere, making it easy to write cross-platform applications. What’s the connection with KDE? And how has this turned into a successful company? Watch to find out!

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

Elli Furedy Brings Cyberpunk Games to Life

26 November 2025 at 13:30

When you’re designing a bounty hunter game for a five-day cyberpunk live-action-role-play out in the middle of the Mojave desert, you’ve got to bring something extra cool. But [Elli]’s Hackaday Supercon talk isn’t just about the hardware; it’s as much about the design philosophy behind the game – how you bring something immersive and exciting to hundreds of players.

Sandbox Systems

The game itself is fairly simple: bounty hunters try to find the bounty, and when they do, they have a quick-draw to see who wins. Everyone is issued a color-coded Portable Data Node device, and when a hunter jacks into a bounty’s Node, a countdown begins, and the first to press the button after the display says “Go” wins.

But the simplicity of the game is by design, and [Elli] talks about the philosophy that she and her team followed to make it a success. If you’re designing a conference badge or an immersive game for a large group of people, take note.

The first principle is to focus on the people first before the tech. Here, that essentially means making the experience as simple as possible in order to leave room for the players to put their own spin on it – it’s a role-play event after all.

Next is providing opportunities over demands. In this game, for instance, if you’re playing the bounty hunter role, you have to deliver a “Declaration of Intent to Seize” when you encounter a bounty player, but deciding on your personal catchphrase for this is left up to you.

Embedding the rules of the game in the hardware is perhaps the most involved of the principles. The Data Nodes decide the winner and the loser, report it automatically over WiFi to a central scoreboard, and have anti-button-mashing provisions. These and many more examples of embedding the rules help make the game both fair and simple – nobody has to break the flow to look things up in a rule book or remember who gives what token to whom.

Selling the story of the game with the tech is also important. For instance, there is a part of the Node that [Elli] calls “the doodad” which is just pure LED and greebles. It doesn’t do anything, but it looks cool.

Finally, [Elli] mentions that her team puts an effort into making the game as accessible for everyone as possible. The onboarding video has cyberpunk-styled closed captioning, for instance. While originally designed for folks who don’t hear well, it ended up providing an aesthetic that everyone can enjoy – an example of the curb-cut effect at work.

The end result? 374 players played 3,838 matches over five days, but that’s just the stats. As [Elli] points out, the real point of the game is as an ice-breaker, to allow people room to explore whatever character they’re playing, and to connect people in real-space. It sounds like it was a complete success on all fronts.

The Sandbox

This is a talk on design principles, but it’s also a talk at Supercon, and [Elli] gets pulled into the hardware side of things many times throughout the talk. The Nodes have OLEDs and haptic motors for feedback, they use an ESP32 with WiFi for the score reporting, and there’s even discussion of the serial protocol that they speak to each other when they get connected up via an audio jack.

[Elli] gets some great questions about ways to expand the game, and you’re just going to have to watch the video to appreciate them all. Or join in: after all, it’s an open-source project and it’s intended to be a sandbox!

There seems to be a lot of room to play along, and [Elli]’s talk is definitely food for thought if you’re designing hardware with the end goal of creating and encouraging human interaction through building up an engaging story.

Citizen Science by the Skin of Your Teeth

25 November 2025 at 13:00

If you are a schoolkid of the right age, you can’t wait to lose a baby tooth. In many cultures, there is a ritual surrounding it, like the tooth fairy, a mouse who trades your tooth for a gift, or burying the tooth somewhere significant. But in 1958, a husband and wife team of physicians wanted children’s teeth for a far different purpose: quantifying the effects of nuclear weapons testing on the human body.

A young citizen scientist (State Historical Society of Missouri)

Louise and Eric Reiss, along with some other scientists, worked with Saint Louis University and the Washington School of Dental Medicine to collect and study children’s discarded teeth. They were looking for strontium-90, a nasty byproduct of above-ground nuclear testing. Strontium is similar enough to calcium that consuming it in water and dairy products will leave the material in your bones, including your teeth.

The study took place in the St. Louis area, and the results helped convince John F. Kennedy to sign the Partial Nuclear Test Ban Treaty.

They hoped to gather 50,000 teeth in a year. By 1970, 12 years later, they had picked up over 320,000 donated teeth. While a few kids might have been driven by scientific altruism, it didn’t hurt that the program used colorful posters and promised each child a button to mark their participation.

Children’s teeth were particularly advantageous to use because they are growing and are known to readily absorb radioactive material, which can cause bone tumors.

Scale

A fair trade for an old tooth? (National Museum of American History)

You might wonder just how much nuclear material is floating around due to bombs. Obviously, there were two bombs set off during the war, as well as the test bombs required to get to that point. Between 1945 and 1980, there were five countries conducting atmospheric tests at thirteen sites. The US, accounting for about 65% of the tests, the USSR, the UK, France, and China detonated 504 nuclear devices equivalent to about 440 megatons of TNT.

Well over 500 bombs with incredible force have put a lot of radioactive material into the atmosphere. That doesn’t even count the underground tests that were not always completely contained. For example, there were two detonations in Mississippi where the radiation was contained until they drilled holes for instruments, leaving contaminated soil on the surface. Today, sites like this have “monuments” explaining that you shouldn’t dig in the area.

Of course, above-ground tests are worse, with fallout affecting “downwinders” or people who live downwind of the test site. There has been more than one case of people, unaware of the test, thinking the fallout particles were “hot snow” and playing in it. Test explosions have sent radioactive material into the stratosphere. This isn’t just a problem for people living near the test sites.

Results

By 1961, the team published results showing that strontium-90 levels in the teeth increased depending on when the child was born. Children born in 1963 had levels of strontium-90 fifty times higher than those born in 1950, when there was very little nuclear testing.

The results were part of the reason that President Kennedy agreed to an international partial test ban, as you can see in the Lincoln Presidential Foundation video below. You may find it amazing that people would plan trips to watch tests, and they were even televised.

In 2001, Washington University found 85,000 of the teeth stored away. This allowed the Radiation and Public Health Project to track 3,000 children who were, by now, adults, of course.

Sadly, 12 children who had died from cancer before age 50 had baby teeth with twice the levels of the teeth of people who were still alive at age 50. To be fair, the Nuclear Regulatory Commission has questioned these findings, saying the study is flawed and fails to account for other risk factors.

And teeth don’t just store strontium. In the 1970s, other researchers used baby teeth to track lead ingestion levels. Baby teeth have also played a role in the Flint Water scandal. In South Africa, the Tooth Fairy Project monitored heavy metal pollution in children’s teeth, too.

Teeth aren’t the only indicator of nuclear contamination. Steel is also at risk.

Featured image: “Castle Bravo Blast” by United States Department of Energy.

Keebin’ with Kristina: the One with the Elegant Macro Pad

24 November 2025 at 13:00

Some people are not merely satisfied with functionality, or even just good looks. These persnickety snoots (I am one of them) seek something elegant, a true marriage of form and function.

Image by [YANG SHU] via Hackaday.IO
Should such a person be in the market for a macro pad (or ‘macropad’ if you prefer), that snoot should look no further than [YANG SHU]’s 8-key programmable stream deck-like device.

The main goal here was the perfect fusion of display and feel. I’m not sure that an FDM-printed, DIY macro pad can look any better than this one does. But looks are only half the story, of course. There’s also feel, and of course, functionality.

Yes those are (hot-swappable) mechanical key switches, and they are powered by an ESP32-S2. Drawn on the 3.5″ LCD are icons and text for each switch, which of course can be easily changed in the config app.

There’s a three-direction tact switch that’s used to switch between layout profiles, and I’m sure that even this is satisfying on the feel front. Does it get better than this? Besides maybe printing it in black. I ask Hackaday.

KeebDeck Keyboard Gets Two Thumbs Up

Did you make it to Supercon this year? If so, you hold a badge with a special keyboard — a custom job by Hackaday superfriend [Arturo182], aka Solder Party. Were you wondering about its backstory?

Image by [Arturo182] via Solder Party
Unsatisfied with having to rely on a dwindling stock of BBQ20 keyboards, [Arturo182] created a fantastic replacement called the KeebDeck Keyboard.

This 69-key alphanumeric silicone number has all the keys a hacker needs, plus a rainbow of extras that can be used for macros. According to [Arturo182], the keyboard has a tactile feel thanks to a snap dome sheet underneath the keys, and this makes it more comfortable for long thumb-typing sessions.

Be sure to check out the teasers at the bottom of the KeebDeck page, because there is some really exciting stuff. If you want to build one, GitHub is your friend, pal.

Thanks for the tip, [Wim Van Gool]!

The Centerfold: Controlled Chaos

Image by [Tardigradium] via reddit
Don’t you just love the repeated primary colors throughout this centerfold? I do, and I think this whole arrangement shows amazing restraint. Controlled chaos, if you will. That’s what [Tardigradium]’s wife calls it, anyway.

Here’s what I know: That’s a Nulea m512 mouse, the keyboard is a KBD Craft Sachiel LEGO number, and that there is a Cidoo macro pad. Best of all, [Tardigradium] hand-painted the speakers. Neat-o!

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Gerda Typewriter Was One of Accessibility

Some of us (okay, I) would have thought that most accessibility inventions are fairly recent, say, from the 1960s onward. But consider the Gerda typewriter, which was created in 1919 to enable blind and one-armed victims of WWI to become employable typists.

Image via The Antikey Chop

According to the Antikey Chop, it’s quite possible that the German government helped grease the wheels of this project so that these soldiers would have a usable typewriter with which to get on with life.

Three versions of this index typewriter were produced: a two-handed Gerda, one with a Braille index, and one with an English index. All entered the market the same year, and were produced for a total of three years.

The Gerda’s typewheel was quite like Blickensderfer, and some even had the DHIATENSOR layout. More expensive than last week’s Clacker (75 Marks), the Gerdas for blind and sighted people with two hands cost 195 Marks, and the one-handed edition was 205 Marks. Some of the two-handed models had rectangular, wooden key-tops, and others had round, glass-topped keys.

Finally, Module-Based Keyboard Is a Sensory Nightmare

Image by Future via Games Radar

I’ve been an early adopter of keyboards in the past. This is usually to bring them to your attention, either before they’re released, or just as they’ve come out. And never have I ever had this poor of an experience.

Games Radar recently reviewed a surprisingly not-failed Kickstarter keyboard that actually shipped, the Naya Create. It may not look like it, but the Create is supposed to be a gaming keyboard. What it does look like is mouse-focused, or at least mouse-forward. And that’s the point of it. Evidently.

Those big modules are interchangeable, and there are four of them so far: the Touch (a trackpad), Track (a trackball that falls out reliably), the Tune (a dial), and the Float, which is designed for space mousing around. They sound cool enough, and might actually be the best part of this whole setup.

To fully illustrate my poit I hvemt’t corrected any of the typos experieved typim this semtemve with the Naya Create while tryig to maintain my usual speed.

But according to Games Radar, the Naya Create is so not worth the $850 (!) asking price. It has ‘mushy, low-profile switches’ and clammy caps, and although the reviewer complains about the non-staggered keys, y’all know that those are my preference at this point.

And apparently, by default, Backspace is mapped to the left side. What? Of course, you can remap any key, whenever the software decides to work. Whenever the reviewer tried to save changes, the software would say that the keyboard is disconnected. Wonderful.

Despite these shortcomings, Games Radar says the keyboard is rock-solid aluminium with good hinges. So there’s that. Just, you know, swap out the switches and keycaps, and wait for software updates, I guess.


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

Hackaday Links: November 23, 2025

23 November 2025 at 19:00

Remember the Key Bridge collapse? With as eventful a year as 2025 has been, we wouldn’t blame anyone for forgetting that in March of 2024, container ship MV Dali plowed into the bridge across Baltimore Harbor, turning it into 18,000 tons of scrap metal in about four seconds, while taking the lives of six very unlucky Maryland transportation workers in the process. Now, more than a year and a half after the disaster, we finally have an idea of what caused the accident. According to the National Transportation Safety Board’s report, a loss of electrical power at just the wrong moment resulted in a cascade of failures, leaving the huge vessel without steerage. However, it was the root cause of the power outage that really got us: a wire with an incorrectly applied label.

Sal Mercogliano, our go-to guy for anything to do with shipping, has a great rundown of the entire cascade of failures, with the electrically interesting part starting around the 8:30 mark. The NTSB apparently examined a control cabinet on the Dali and found one wire with a heat-shrink label overlapping the plastic body of its terminating ferrule. This prevented the wire from being properly inserted into a terminal block, leading to poor electrical contact. Over time, the connection got worse, eventually leading to an undervoltage condition that tripped a circuit breaker and kicked off everything else that led to the collision. It’s a sobering thought that something so mundane and easily overlooked could result in such a tragedy, but there it is.

We’ve been harping a bit on the Flock situation in this space over the last month or so, but for good reason, or at least it seems to us. Flock’s 80,000-strong network of automated license plate readers (ALPRs), while understandably attractive from a law-and-order perspective, is a little hard to swallow for anyone interested in privacy and against pervasive surveillance. And maybe all of that wouldn’t be so bad if we had an inkling that the security start-up had at least paid passing attention to cybersecurity basics.

But alas, Benn Jordan and a few of his cybersecurity pals have taken a look inside a Flock camera, and the news isn’t good. Granted, this appears to be a first-pass effort, but the “hack” is as simple as pressing the button on the back of the camera a few times. Doing so creates a WiFi hotspot on the camera, and from there it’s off to the races. There are plenty of other disturbing findings in the video, so check it out.

Sufficiently annuated readers will no doubt recall classic toys of the ’60s and ’70s, such as Lite-Brite and Rock ‘Em Sock ‘Em Robots, and games like Mouse Trap and Toss Across. We recall owning all of those at one time or another, and surprisingly, they all sprang from the inventive mind of the same man: Burt Meyer, who died on October 30 at the age of 99. We have many fond memories of his inventions, but truth be told, we never much cared for Mouse Trap as a game; we just set up the Rube Goldberg-esque trap and played with that. The rest, though? Quality fun. RIP, Burt.

Last week, we featured the unfortunate story about a Russian humanoid robot that drunk-walked its way into “demo hell” history. And while it’s perhaps a bit too easy to poke fun at something like this, it’s a simple fact of life that the upright human form is inherently unstable, and that any mechanism designed to mimic that form is bound to fall once in a while. With that in mind, Disney Research engineers are teaching their humanoid bots to fall with style. The idea is for the robots to protect their vital parts in the event of a fall, which is something humans (usually) do instinctively. They first did hundreds of falls with virtual robots, rewarding them for correctly ending up in the target pose, and eventually worked the algorithms into real, albeit diminutive, robots. The video in the article shows them all sticking the landing, and even if some of the end poses don’t seem entirely practical, it’s pretty cool tech.

And finally, this week the Hackaday Podcast discussed the infuriating story of an EV-enthusiast who had trouble servicing the brakes on his Hyundai Ioniq. Check out the podcast if you want the full rant and the color commentary, but the TL;DL version is that Hyundai has the functions needed to unlock the parking brakes stuck behind a very expensive paywall. Luckily for our hacker hero, a $399 Harbor Freight bidirectional scan tool was up to the task, and the job was completed for far less than what the officially sanctioned tools would have cost. But it turns out there may have been a cheaper and more delightfully hackish way to do the job, with nothing but a 12-volt battery pack and a couple of jumper wires. Lots of vehicles with electric parking brakes use two-wire systems, so it’s a good tip for the shade tree mechanic to keep in mind.

Why Do We Love Weird Old Tech?

22 November 2025 at 10:00

One of our newer writers, [Tyler August], recently wrote a love letter to plasma TV technology. Sitting between the ubiquitous LCD and the vanishing CRT, the plasma TV had its moment in the sun, but never became quite as popular as either of the other display techs, for all sorts of reasons. By all means, go read his article if you’re interested in the details. I’ll freely admit that it had me thinking that I needed a plasma TV.

I don’t, of course. But why do I, and probably a bunch of you out there, like old and/or odd tech? Take [Tyler]’s plasma fetish, for instance, or many people’s love for VFD or nixie tube displays. At Supercon, a number of people had hit up Apex Electronics, a local surplus store, and came away with some sweet old LED character displays. And I’ll admit to having two handfuls of these displays in my to-hack-on drawer that I bought surplus a decade ago because they’re so cute.

It’s not nostalgia. [Tyler] never had a plasma growing up, and those LED displays were already obsolete before the gang of folks who had bought them were even born. And it’s not simply that it’s old junk – the objects of our desire were mostly all reasonably fancy tech back in their day. And I think that’s part of the key.

My theory is that, as time and tech progress, we see these truly amazing new developments become commonplace, and get forgotten by virtue of their ever-presence. For a while, having a glowing character display in your car stereo would have been truly futuristic, and then when the VFD went mainstream, it kind of faded into our ambient technological background noise. But now that we all have high-res entertainment consoles in our cars, which are frankly basically just a cheap tablet computer (see what I did there?), the VFD becomes an object of wonder again because it’s rare.

Which is not to say that LCD displays are anything short of amazing. Count up the rows and columns of pixels, and multiply by three for RGB, and that’s how many nanoscale ITO traces there are on the screen of even the cheapest display these days. But we take it for granted because we are surrounded by cheap screens.

I think we like older, odder tech because we see it more easily for the wonder that it is because it’s no longer commonplace. But that doesn’t mean that our current “boring” tech is any less impressive. Maybe the moral of the story is to try to approach and appreciate what we’ve got now with new eyes. Pretend you’re coming in from the future and finding this “old” gear. Maybe try to figure out how it must have worked.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Hackaday Podcast Episode 346: Melting Metal in the Microwave, Unlocking Car Brakes and Washing Machines, and a Series of Tubes

21 November 2025 at 12:00

Wait, what? Is it time for the podcast again? Seems like only yesterday that Dan joined Elliot for the weekly rundown of the choicest hacks for the last 1/52 of a year, but here we are. We had quite a bit of news to talk about, including the winners of the Component Abuse Challenge — warning, some components were actually abused for this challenge. They’re also a trillion pages deep over at the Internet Archive, a milestone that seems worth celebrating.

As for projects, both of us kicked things off with “Right to repair”-adjacent topics, first with a washing machine that gave up its secrets with IR and then with a car that refused to let its owner fix the brakes. We heated things up with a microwave foundry capable of melting cast iron — watch your toes! — and looked at a tiny ESP32 dev board with ludicrously small components. We saw surveyors go to war, watched a Lego sorting machine go through its paces, and learned about radar by spinning up a sonar set from first principles.

Finally, we wrapped things up with another Al Williams signature “Can’t Miss Articles” section, with his deep dive into the fun hackers can have with the now-deprecated US penny, and his nostalgic look at pneumatic tube systems.

Download this 100% GMO-free MP3.

Episode 346 Show Notes:

What’s that Sound?

  • [Andy Geppert] knew that was the annoying sound of the elevator at the Courtyard by Marriott hotel in Pasadena.

This Week in Security: Cloudflare Wasn’t DNS, BADAUDIO, and Not a Vuln

21 November 2025 at 10:00

You may have noticed that large pieces of the Internet were down on Tuesday. It was a problem at Cloudflare, and for once, it wasn’t DNS. This time it was database management, combined with a safety limit that failed unsafe when exceeded.

Cloudflare’s blog post on the matter has the gritty details. It started with an update to how Cloudflare’s ClickHouse distributed database was responding to queries. A query of system columns was previously only returning data from the default database. As a part of related work, that system was changed so that this query now returned all the databases the given user had access to. In retrospect it seems obvious that this could cause problems, but that wasn’t predicted at the time. The result was that a database query to look up bot-management features returned the same features multiple times.

That feature list is used to feed the Cloudflare bot classification system. That system uses some AI smarts, and runs in the core proxy system. There are actually two versions of the core proxy, and they behaved a bit differently when the feature list exceeded the 200-item limit. When the older version failed, it classified all traffic as a bot. The real trouble was the newer Rust code. That version of the core proxy threw an error in response, leading to 5XX HTTP errors, and the Internet-wide fallout.
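The failure mode above can be reduced to a few lines. This is an added Python illustration, not Cloudflare's code: the function names, the row format and the fall-back-to-last-known-good policy are assumptions. It feeds the same duplicated query result to a loader that errors out past the limit and to one that de-duplicates and keeps serving the previous list.

```python
"""Fail-unsafe vs. fail-safe handling of an oversized feature list (illustrative)."""

FEATURE_LIMIT = 200  # the limit named in the article


class FeatureLimitExceeded(Exception):
    pass


def load_strict(rows):
    """Fail-unsafe: an oversized input becomes a hard error for every request."""
    if len(rows) > FEATURE_LIMIT:
        raise FeatureLimitExceeded(f"{len(rows)} features > {FEATURE_LIMIT}")
    return list(rows)


def load_resilient(rows, last_good):
    """Fail-safe: de-duplicate, validate, and keep the previous list on failure.

    Returns (features, accepted) so the caller can alert on a rejected update.
    """
    unique = list(dict.fromkeys(rows))  # drops repeats, keeps first-seen order
    if not unique or len(unique) > FEATURE_LIMIT:
        return list(last_good), False
    return unique, True


# Constructed sample data: 120 feature names, then the same names returned twice,
# standing in for the duplicated query result.
BASE = [f"feature_{i:03d}" for i in range(120)]
DUPLICATED = BASE + BASE                      # 240 rows, 120 distinct
RUNAWAY = [f"junk_{i}" for i in range(500)]   # genuinely too many distinct names


def demo():
    results = {}
    try:
        load_strict(DUPLICATED)
        results["strict"] = "ok"
    except FeatureLimitExceeded:
        results["strict"] = "error"           # every request would now fail
    results["dedup"] = load_resilient(DUPLICATED, last_good=BASE)
    results["runaway"] = load_resilient(RUNAWAY, last_good=BASE)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        shown = value if isinstance(value, str) else (len(value[0]), value[1])
        print(name, shown)
```

The `accepted` flag matters as much as the fallback: a rejected update should page someone rather than pass silently.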

Dangling Azure

There’s a weird pitfall with cloud storage when a storage name is used and then abandoned. It’s very much like what happens when a domain name is used and then allowed to expire: Someone else can come along and register it. Microsoft Azure has its own variation on this, in the form of Azure blob storage. And the folks at Eye Security’s research team found one of these floating blobs in an unexpected place: In Microsoft’s own Update Health Service.

The 1.0 version of this tool was indeed exploitable. A simple payload hosted on one of these claimed blob endpoints could trigger an explorer.exe execution with an arbitrary parameter, meaning trivial code execution. The 1.1 version of the Update Health Service isn’t vulnerable by default, requiring a registry change before reaching out to the vulnerable blob locations. That said, there are thousands of machines looking to these endpoints that would be vulnerable to takeover. After the problem was reported, Microsoft took over the blob names to prevent any future misuse.

BADAUDIO

There’s a new malware strain from APT24, going by the name BADAUDIO. Though “new” is a bit of a misnomer here, as the first signs of this particular malware were seen back in 2022. What is new is that Google Threat Intelligence is reporting on it. The campaign uses multiple techniques, from compromising existing websites to serve the malware in “watering hole” attacks, to spam and spearphishing.

Notable here is how obfuscated the BADAUDIO malware loader is, using control flow flattening to resist analysis. First consider how good code uses functions to group code into logical blocks. This technique does the opposite, putting code into blocks randomly. The primary mechanism for execution is DLL sideloading, where a legitimate application is run with a malicious DLL in its search path, again primarily to avoid detection. It’s an extraordinarily sneaky bit of malware.

Don’t Leave The Defaults

There’s an RCE (Remote Code Execution) in the W3 Total Cache WordPress plugin. The vulnerability is an eval() that can be reached by putting code in a page to be cached. So if a WordPress site allows untrusted comments, and has caching enabled, there’s just one more hurdle to clear. And that is the W3TC_DYNAMIC_SECURITY value, which seems to be intended to stave off exactly this sort of weakness. So here’s the lesson: don’t leave this sort of security feature at its default.

Not a Vulnerability

We have a trio of stories that aren’t technically vulnerabilities. The first two are in the mPDF library, which takes HTML code and generates PDFs — great for packaging documentation. The first item of interest in mPDF is the handling of @import CSS rules. Interestingly, these statements seem to be evaluated even outside of valid CSS, and are handled by passing the URL off to curl to actually fetch the remote content. Those URLs must end in .css, but there’s no checking whether that is in a parameter or not. So evil.org/?.css is totally valid. The use of curl is interesting for another reason: the Gopher protocol allows for essentially unrestricted TCP connections.

The next quirk in mPDF is in how .svg files are handled. Specifically, how an image xlink inside an SVG behaves when it uses the phar:// or php:// prefixes. These are PHP Archive links, or a raw PHP link, and the mPDF codebase already guards against such shenanigans, matching links starting with either prefix. The problem here is that there’s path mangling that happens after that guard code. To skip straight to the punchline, :/phar:// and :/php:// will bypass that filter, and potentially run code or leak information.

Now the big question: Why is neither of those a vulnerability? Even when one is a bypass for a CVE fix from 2019? Because mPDF is only to be used with sanitized input, and does not do that sanitization as part of its processing. And that does check out. It’s probably the majority of tools and libraries that will do something malicious if fed malicious input.
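Both mPDF quirks come down to where a check is applied, which is also what a caller sanitizing input has to get right. The following is an added Python illustration, not mPDF's PHP code: `normalise()` is a hypothetical stand-in for the path mangling the write-up mentions but does not detail, and the sample inputs are constructed.

```python
"""Two input checks from the mPDF discussion: naive form beside a stricter one."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}        # excludes gopher, file, phar, php
BLOCKED_PREFIXES = ("phar://", "php://")


def css_url_naive(url):
    """Accepts any string ending in .css, even when that is the query string."""
    return url.lower().endswith(".css")


def css_url_strict(url):
    """Requires an allowed scheme, a host, and a path that ends in .css."""
    parts = urlsplit(url)
    return (parts.scheme.lower() in ALLOWED_SCHEMES
            and bool(parts.netloc)
            and parts.path.lower().endswith(".css"))


def normalise(link):
    """Hypothetical stand-in for later path mangling: drops one leading ':/'."""
    return link[2:] if link.startswith(":/") else link


def guard_then_normalise(link):
    """Guard sees the raw link; the rewritten link is what gets opened."""
    if link.lower().startswith(BLOCKED_PREFIXES):
        return None
    return normalise(link)


def normalise_then_guard(link):
    """Guard sees the final string, so rewriting cannot reintroduce a prefix."""
    final = normalise(link)
    if final.lower().startswith(BLOCKED_PREFIXES):
        return None
    return final


# Constructed sample inputs.
CSS_URLS = ["https://example.org/site.css", "https://evil.org/?.css",
            "gopher://example.org/x.css"]
LINKS = ["images/logo.png", "phar://archive.phar/x", ":/phar://archive.phar/x"]

if __name__ == "__main__":
    for url in CSS_URLS:
        print(f"{url:32} naive={css_url_naive(url)} strict={css_url_strict(url)}")
    for link in LINKS:
        print(f"{link:26} guard-first={guard_then_normalise(link)} "
              f"guard-last={normalise_then_guard(link)}")
```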

There’s one more “vulnerable” library, esbuild, that has an XSS (Cross Site Scripting) potential. It comes down to the use of escapeForHTML(), and the fact that the function doesn’t sanitize quotation marks. Feed it malicious text, and the unescaped quotation mark allows for plenty of havoc. So why isn’t this one a vulnerability? Because the text strings getting parsed are folder names. And if you can upload an arbitrary folder to the server where esbuild runs, you already have plenty of other ways to run code.
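To see why the missing quotation-mark handling matters, here is an added Python illustration (not esbuild's code; the link template and the folder name are constructed assumptions). It renders a directory-listing link with and without quote escaping, then parses the result to count the attributes that actually land on the tag.

```python
"""HTML escaping without quote handling, checked by parsing the rendered link."""
import html
from html.parser import HTMLParser


def escape_without_quotes(text):
    """Escapes &, < and > only, which is the gap described above."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def escape_with_quotes(text):
    """html.escape(quote=True) also escapes double and single quotes."""
    return html.escape(text, quote=True)


def render_entry(folder, escape):
    """Renders one listing link; this template is an assumption for the demo."""
    return f'<a href="{escape(folder)}">{escape(folder)}</a>'


class AnchorAttrs(HTMLParser):
    """Collects the attribute names the parser sees on <a> tags."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.names.extend(name for name, _ in attrs)


def anchor_attributes(markup):
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names


# Constructed folder name containing a double quote and a harmless marker attribute.
FOLDER = 'docs" data-injected="1'

if __name__ == "__main__":
    for escape in (escape_without_quotes, escape_with_quotes):
        markup = render_entry(FOLDER, escape)
        print(escape.__name__, anchor_attributes(markup), markup)
```

Escaping only the angle brackets is enough for text nodes, but any value placed inside a quoted attribute needs the quote characters escaped as well.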

Bits and Bytes

There’s another Fortinet bug being exploited in the wild, though this one was patched with FortiWeb 8.0.2. This one gets the WatchTowr treatment. It’s a path traversal that bypasses any real authentication. There are a couple of validation checks that are straightforward to meet, and then the cgi_process() API can be manipulated as any user without authentication. Ouch.

The Lite XL text editor seems pretty nifty, running on Windows, Linux, and macOS, and supporting Lua plugins for extensibility. That Lua code support was quite a problem, as opening a project would automatically run the .lua configuration files, allowing direct use of os.execute(). Open a malicious project, run malicious code.

And finally, sometimes it’s the easy approach that works the best. [Eaton] discovered a Cracker Barrel administrative panel built in React JS, and all it took to bypass authentication was to set isAuthenticated = true in the local browser. [Eaton] started a disclosure process, and noticed the bug had already been fixed, apparently discovered independently.

Dogfooding is usually a good thing: That’s when a company uses their own code internally. It’s not so great when it’s a cloud company, and that code has problems. Oracle had this exact problem, running the Oracle Identity Governance Suite. It had a few authentication bypasses, like the presence of ?WSDL or ;.wadl at the end of a URL. Ah, Java is magical.

So Long, Firefox, Part One

20 November 2025 at 13:00

It’s likely that Hackaday readers have among them a greater than average number of people who can name one special thing they did on September 23rd, 2002. On that day a new web browser was released, Phoenix version 0.1, and it was a lightweight browser-only derivative of the hugely bloated Mozilla suite. Renamed a few times to become Firefox, it rose to challenge the once-mighty Microsoft Internet Explorer, only to in turn be overtaken by Google’s Chrome.

Now in 2025 it’s a minority browser with an estimated market share just over 2%, and it’s safe to say that Mozilla’s take on AI and the use of advertising data has put them at odds with many of us who’ve kept the faith since that September day 23 years ago. Over the last few months I’ve been actively chasing alternatives, and it’s with sadness that in November 2025, I can finally say I’m Firefox-free.

Just What Went Wrong?

A graph of market share. On the left in 2009 MSIE has over 50% and Firefox around 30%, while today on the right, Chrome has nearly 70% with everything else in the weeds.
Browser market share, 2009 to 2025. Statcounter, CC BY-SA 3.0.

It was perhaps inevitable that Firefox would lose market share when faced with a challenger from a player with the economic muscle of Google. Chrome is everywhere, it’s the default browser in Android and ChromeOS, and when stacked up against the Internet Explorer of fifteen years or so ago it’s not difficult to see why it made for an easy switch. Chrome is good, it’s fast and responsive, it’s friendly, and the majority of end users either don’t care or don’t know enough to care that it’s Google’s way in to your data. When it first appeared, they still had the “Don’t be evil” aura to them, even if perhaps behind the warm and fuzzy feeling it had already worn away in the company itself.

If Firefox were destined to become a minority player then it could still be a successful one; after all, 2% of the global browser market still represents a huge number of users whose referrals to search engines return a decent income. But the key to being a success in any business is to know your customers, and sitting in front of this particular screen it’s difficult to escape the conclusion that Mozilla have lost touch with theirs. To understand this it’s necessary for all of us to look in the mirror and think for a moment about who uses Firefox.

Somewhere, A Group Of Users Are Being Ignored

A screenshot of the first Phoenix browser in Windows XP.
Blink, and its name will change: Phoenix version 0.1. Mozilla Foundation; Microsoft, Inc., CC BY-SA 4.0.

A quick straw poll in my hackerspace revealed a majority of Firefox users, while the same straw poll among another group of my non-hackerspace friends revealed none. The former used Firefox because of open-source vibes, while the latter used Edge or Safari because it came with their computer, or Chrome on their phone and on their desktop because of Google services. Hackaday is not a global polling organisation, but we think it’s likely that the same trend would reveal itself more widely. If you’re in the technology space you might use Firefox, but if you aren’t you may not even have heard of it in 2025. It’s difficult to see that changing any time soon, to imagine some killer feature that would make those Chrome, Safari, and Edge users care enough to switch to Firefox.

To service and retain this loyal userbase then, you might imagine that Mozilla would address their needs and concerns with what made Phoenix a great first version back in 2002. A lightweight and versatile standards-compliant and open-source web browser with acceptable privacy standards, and without any other non-browser features attached to it. Just a browser, only a browser, and above all, a fast browser.

Instead, Mozilla appear to be following a course calculated to alarm rather than retain these users. Making themselves an AI-focused organisation, neglecting their once-unbeatable developer network, and trying to sneak data gathering into their products. They appear now to think of themselves as a fad-driven Valley startup rather than the custodians of a valuable open-source package, and unsurprisingly this is concerning to those of us who know something about what a browser does behind the scenes.

Why Is This Important?

A nasty piece of code to open different incompatible AJAX requests in different 2000s-era browsers.
If you have ever had to write code like this, you will know. Bret Taylor, CC-BY 2.5.

It is likely that I am preaching to the choir here, but it’s important that there be a plurality of browsers in the world. And by that I mean not just a plurality of front-ends, but a plurality of browser engines. One of the reasons Phoenix appeared all those years ago was to challenge the dominance of Microsoft Internet Explorer, the tool by which the Redmond software company were trying to shape the online world to their tune. If you remember the browser wars of that era, you’ll have tales of incompatibilities seemingly baked in on purpose to break the chances of an open Web, and we were all poorer for it. Writing JavaScript with a range of sections to deal with the quirks of different browser families is now largely a thing of the past, and for that you have the people who stuck with Firefox in the 2000s to thank.

The fear is that here in 2025 we are in an analogous situation to the early 2000s, with Google replacing Microsoft. Such is the dominance of Google Chrome and the WebKit-derived Blink engine which powers it, that in effect, Google have immense power to shape the Web just as Microsoft did back in the day. Do you trust them to live up to their now-retired mission statement and not be evil? We can’t say we do. Thus Firefox’s Gecko browser engine is of crucial importance, representing as it does the only any-way serious challenger to Blink and WebKit’s near-monopoly. That it is now tied to a Mozilla leadership treating it in so cavalier a manner does not bode well for the future of the Web.

So I’ve set out my stand here, that after twenty-three years, I’m ready to abandon Firefox. It’s not a decision that has been easy, because it’s important for all of us that there be a plurality of browsers, but such is the direction being taken by Mozilla that I am not anxious to sit idly by and constantly keep an eye out for new hidden privacy and AI features to turn off with obscure checkboxes. In the following piece I’ll take a look at my hunt for alternatives, and you may be surprised by the one I eventually picked.

FLOSS Weekly Episode 855: Get in the Minecart, Loser!

19 November 2025 at 14:30

This week Jonathan chats with Kevin, Colin, and Curtis about Cataclysm: Dark Days Ahead! It’s a rogue-like post-apocalyptic survival game that you can play in the terminal, over SSH if you really want to! Part of the story is a Kickstarter that resulted in a graphics tile-set. And then there’s the mods!

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or have the guest contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License
