Usually when we talk about retrocomputing, we want to look at — and in — some old hardware. But [Z→Z] has a different approach: dissecting MacPaint, the Apple drawing program from the 1980s.

While the program looks antiquated by today’s standards, it was pretty hot stuff back in the day. Things we take for granted today were big deals at the time. For example, being able to erase a part of something you drew prompted applause at an early public demo.

We enjoyed the way the program was tested, too. A software “monkey” was made to type keys, move things, and click menus randomly. The teardown continues with a look inside the Pascal and assembly code with interesting algorithms like how the code would fill an area with color.

The program has been called “beautifully organized,” and [Z→Z] examines that assertion. Maybe the brilliance of it has been overstated, but it did work and it did influence many computer graphics programs over the years.

We love digging through old source code. Even old games. If you do your own teardowns, be sure to send us a tip.

[Antoine Pirrone] and [Grégoire Passault] are making a DIY miniature re-imagining of Disney’s BDX droid design, and while it’s still early, there is definitely a lot of progress to see. Known as the Open Duck Mini v2 and coming in at a little over 40 cm tall, the project is expected to have a total cost of around 400 USD.

Bipedal robots are uncommon, and back in the day they were downright rare. One reason is that the state of controlled falling that makes up a walking gait isn’t exactly a plug-and-play feature.

Walking robots are much more common now, but gait control for legged robots is still a big design hurdle. This goes double for bipeds. That brings us to one of the interesting things about the Open Duck Mini v2: computer simulation of the design is playing a big role in bringing the project into reality.

It’s a work in progress but the repository collects all the design details and resources you could want, including CAD files, code, current bill of materials, and links to a Discord community. Hardware-wise, the main work is being done with very accessible parts: Raspberry Pi Zero 2W, fairly ordinary hobby servos, and an BNO055-based absolute orientation IMU.

So, how far along is the project? Open Duck Mini v2 is already waddling nicely and can remain impressively stable when shoved! (A “testing purposes” shove, anyway. Not a “kid being kinda mean to your robot” shove.)

Check out the videos to see it in action, and if you end up making your own, we want to hear about it, so remember to send us a tip!

We’ve seen a Linux-based operating system made to run on some widely varying pieces of hardware over the years, but [Dimity Grinberg]’s latest project may be one of the most unusual. It’s a PCB with 3 integrated circuits on it which doesn’t seem too interesting at first, but what makes it special is that all three of those chips are in 8-pin SOIC packages. How on earth can Linux run on 8-pin devices? The answer lies as you might expect, in emulation.

Two of the chips are easy to spot, a USB-to-serial chip and an SPI RAM chip. The processor is an STM32G0 series device, which packs a pretty fast ARM Cortex M0+ core. This runs a MIPS emulator that we’ve seen on a previous project, which is ripe for overclocking. At a 148 MHz clock it’s equivalent to a MIPS running at about 1.4 MHz, which is just about usable. Given that the OS in question is a full-featured Debian, it’s not running some special take on Linux for speed, either.

We like some of the hardware hacks needed to get serial, memory, and SD card, onto so few pins. The SD and serial share the same pins, with a filter in place to remove the high-frequency SPI traffic from the low-frequency serial traffic. We’re not entirely sure what use this machine could be put to, but it remains an impressive piece of work.

If you flew or drove anything remote controlled until the last few years, chances are very good that you’d be using some faceless corporation’s equipment and radio protocols. But recently, open-source options have taken over the market, at least among the enthusiast core who are into squeezing every last bit of performance out of their gear. So why not take it one step further and roll your own complete system?

Apparently, that’s what [Malcolm Messiter] was thinking when, during the COVID lockdowns, he started his own RC project that he’s calling LockDownRadioControl. The result covers the entire stack, from the protocol to the transmitter and receiver hardware, even to the software that runs it all. The 3D-printed remote sports a Teensy 4.1 and off-the-shelf radio modules on the inside, and premium FrSky hardware on the outside. He’s even got an extensive folder of sound effects that the controller can play to alert you. It’s very complete. Heck, the transmitter even has a game of Pong implemented so that you can keep yourself amused when it’s too rainy to go flying.

Of course, as we alluded to in the beginning, there is a healthy commercial infrastructure and community around other open-source RC projects, namely ExpressLRS and OpenTX, and you can buy gear that runs those software straight out of the box, but it never hurts to have alternatives. And nothing is easier to customize and start hacking on than something you built yourself, so maybe [Malcolm]’s full-stack RC solution is right for you? Either way, it’s certainly impressive for a lockdown project, and evidence of time well spent.

Thanks [Malcolm] for sending that one in!

We remember when the transputer first appeared. Everyone “knew” that it was going to take over everything. Of course, it didn’t. But [Oscar Toledo G.] gives us a taste of what life could have been like with a JavaScript emulator for the transputer, you can try in your browser.

If you don’t recall, the transputer was a groundbreaking CPU architecture made for parallel processing. Instead of giant, powerful CPUs, the transputer had many simple CPUs and a way to chain them all together. Sounds great, but didn’t quite make it. However, you can see the transputer’s influence on CPUs even today.

Made to work with occam, the transputer was built from the ground up for concurrent programming. Context switching was cheap, along with simple message passing and hardware scheduling.

The ersatz computer has a lot of messages in Spanish, but you can probably muddle through if you don’t hablar español. We did get the ray tracing example to work, but it was fairly slow.

Want to know more about the CPU? We got you. Of course, these days, you can emulate a transputer with nearly anything and probably outperform the original. What we really want to see is a GPU emulation.

[Morten] works very fast. He has already designed, fabbed, populated, and tested a breakout board for the new tiniest microcontroller on the market, and he’s even made a video about it, embedded below.

You might have heard about this new TI ARM Cortex MO micro on these very pages, where we asked you what you’d do with this grain-of-rice-sized chunk of thinking sand. (The number one answer was “sneeze and lose it in the carpet”.)

From the video, it looks like [Morten] would design a breakout board using Kicad 8, populate it, get it blinking, and then use its I2C lines to make a simple digital thermometer demo. In the video, he shows how he worked with the part, from making a custom footprint to spending quite a while nudging it into place before soldering it carefully down.

But he nailed it on the first try, and honestly it doesn’t look nearly as intimidating as we’d feared, mostly because of the two-row layout of the balls. It actually looks easy enough to fan out. Because you can’t inspect the soldering work underneath the chip, he broke out all of the lines to a header to make it quick to check for shorts between those tiny little balls. Smart.

We love to see people trying out the newest hotness. Let us know down in the comments what new parts you’re trying out.

Thanks [Clint] for the tip!

If you’re on the US East Coast, you should head on over to Wall, NJ and check out the Vintage Computer Festival East. After all, [Brian Kernighan] is going to be there. Yes, that [Brian Kernighan].

Events are actually well underway, and you’ve already missed the first few TRS-80 Color Computer programming workshops, but rest assured that they’re going on all weekend. If you’re from the other side of the retrocomputing fence, namely the C64 side, you’ve also got a lot to look forward to, because the theme this year is “The Sounds of Retro” which means that your favorite chiptune chips will be getting a workout.

[Tom Nardi] went to VCF East last year, so if you’re on the fence, just have a look at his writeup and you’ll probably hop in your car, or like us, wish you could. If when you do end up going, let us know how it was in the comments!

We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.

The pull_request_target hook is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and Github thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses actions as they are defined in the repository itself, ignoring any incoming changes in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.

The simplest security problem is that many projects have build scripts in the repository, and those are not considered part of GitHub Actions by GitHub. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.

So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary Github Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer that worked on both the spotbugs and reviewdog projects.

That token had access to create and edit tags in reviewdog/action-setup, a GitHub Action that runs as a dependency for multiple other actions. The attacker created a fork of this repository, added malicious code, and then overwrote the v1 git tag to point to this malicious code. The tj-actions/changed-files ran a CI flow that made use of the malicious reviewdog/action-setup fork, leaking a GitHub token with write permission to tj-actions/changed-files.

The tag override trick does a lot of heavy lifting in this story, and that’s what was used on tj-actions/changed-files too. Another malicious fork, and a specific tag was overridden to point there. The tag chosen was one used in a Coinbase repository. Specifically coinbase/agentkit used the newly malicious tag in one of its workflows. A Coinbase maintainer discovered this, and deleted the targeted workflow, putting an end to the Coinbase-specific attack. At this point, the attacker opted to burn the pilfered access, and pushed malicious code to every tj-actions/changed-files tag. The idea apparently being that there would likely be some interesting secrets that were leaked. It’s also possible this was intended to hide Coinbase as the primary target. Regardless, that’s the widespread attack we’ve already covered, and now you know the rest of the story.

ZendTo: No CVE, No Problem?

ZendTo is a nifty Open Source, web-based file sharing platform. It’s been around for a while, and the release notes from a 2021 release makes reference to a “security fix” with no additional details given. That caught the attention of [Jay] from Project Black. It sounds like a potential vulnerability, but it seems like no CVE was ever assigned, and no further details were given.

Here’s the issue: ZendTo has an anonymous file upload feature on by default. This has a security feature built in, in the form of scanning the uploaded file with ClamAV in a temporary location, before moving the file to its long term storage directory. Part of this process includes the ever lovely exec("/bin/chmod go+r " . $ccfilelist); line. PHP has some footguns to be aware of, and calling exec() with any user-provider input is one of them. And of course, the user-provided tmp_name value is used to construct the $ccfilelist string. Set tmp_name to 1;command, and you’ve got code execution.

There is another outstanding issue, where legacy md5 passwords that happen to begin with 0e will be interpreted as a number in scientific notation. PHP handles some type comparisons a bit weirdly. These scientific notation values all evaluate as 0. Using any password that also evaluates to one of these special “scientific” md5 hashes, and the comparison collapses to 0 == 0. So one out of every 256 users have a trivially bypassed password — if their account was still using a md5 password hash.

So here we have a pair of serious vulnerabilities, though one has limited exposure, with neither being fully disclosed nor given CVEs. What’s the result of this lack of transparency? Old, vulnerable installs of ZendTo are still on the Internet. Without a CVE, there’s much less pressure to update. No CVE doesn’t necessarily mean no vulnerabilities.

Leaking Call Records

Researcher [Evan Connelly] was looking into the Verizon Call Filter iOS app, and found it to be using an interesting web service. The callLogRetrieval endpoint allows a user to look up call logs for their own Verizon number. Authorization is done using JSON Web Tokens (JWT), which included a “sub” field, indicating the phone number the token was authorized to fetch. The request itself also has a field to indicate the number being queried. This particular endpoint uses a JWT for authorization, but returns the information requested in the query field — without comparing the two values. Yes, any customer that could obtain a valid JWT could query the call records of virtually any other Verizon number. While this is particularly bad, Verizon acknowledged it quickly, and rolled a fix out in less than a month.

When Parameterized Queries Aren’t

What’s the single most powerful tool to prevent SQL injection attacks? Easy: Parameterized queries. Write the SQL query ahead of time, the library converts it into native database code, and only then are the user-generated values plugged in. In theory that means those values can never be understood as part of the SQL logic. While there are ways this can still go wrong, the basic approach is sound. But what if a language, like Nim, had a parameterization option that didn’t actually do parameterized queries?

Yes, Nim’s db_postgres module provides the facility to run code like getRow(sql"SELECT username FROM users WHERE username=?;", "user"), which is intended to protect against SQL injection. But, under the hood, it really is just doing string replacement with character escaping, like replacing null characters with \\0. Now consider PostreSQL’s standard_conforming_strings setting, which among other things, removes the backslash as a special character. But if that setting is disabled, the backslash can be used to escape quotes. Nim doesn’t know anything about that behavior. This combination of not-actually-parameterized parameterization, and lack of awareness of the standard_conforming_strings behavior, means that ./poc '\' ' OR user_id=1; --' is once again a potential SQL injection. Whoops.

Oracle: Oh, That Oracle Cloud!

We finally have a bit more insight into what’s going on at Oracle. You probably remember that the company has continually denied a breach into Oracle Cloud. It seems this is a bit of verbal sleight-of-hand, as Oracle has renamed part of their cloud offering to Oracle Cloud Classic. The remaining, current generation service is the Oracle Cloud. Oracle Cloud Classic has suffered the breach, not technically Oracle Cloud.

It’s not clear that this is really all there is to the story, though, as more data is getting released by the attacker, including video of a web meeting from 2019. Oracle has started reaching out to customers and confirmed the breach, though apparently strictly avoiding putting anything in writing.

Microsoft Joins the Hotpatch Game

Enterprise Linux distros have long had support for various forms of live-patching. We even interviewed TuxCare about this feature for FLOSS Weekly a few weeks ago. It seems that Microsoft finally wants in on the fun. Windows 11 Enterprise has in-memory security patching starting with the 24H2 update. This support is strictly for machines with an Enterprise or certain Education Microsoft subscriptions. The Hotpatches will be available for 8 of the 12 monthly security patches, with an enforced quarterly update via traditional updates and a reboot.

Bits and Bytes

Researchers at GreyNoise have noted an uptick in IPs scanning for Palo Alto device login pages for several days in March. The scanning had as many as 20,000 unique IPs hunting for these login interfaces, which suggests a botnet has been tasked with finding these devices. It’s very possible that a threat actor has found a new vulnerability in Palo Alto devices, and is preparing to launch an attack.

And finally, a pair of posts from ZDI caught our attention this week. The first is a dive into how Binary Ninja’s static code analysis can find potential use-after-free vulnerabilities. The second is all about building an electric car simulator, that can actually plug into real electric vehicle charging stations, and actually fool the charger into believing a car is attached. How is this problem approached safely, given the high voltages and amperages involved? Very carefully.

Bears! Are they scared of massive arcs that rip through the air, making a lot of noise in the process? [Jay] from the Plasma Channel sure hopes so, because that’s how his bear deterrent works!

[Jay] calls it the Bear Blaster 5000. Right from the drop, this thing looks like some crazy weapon out of Halo. That’s because it throws huge arcs at 280,000 volts. The basic concept behind it is simple enough—a battery drives a circuit which generates (kinda) low voltage AC. This is fed to the two voltage multipliers which are set up with opposite polarity to create the greatest possible potential difference between the two electrodes they feed. The meaty combination is able to arc across electrodes spaced over four inches apart. It’s all wrapped up in a super-cool 3D printed housing that really shows off the voltage multiplier banks.

Given its resemblance to a stun gun, you might think the idea is to jab an attacking bear with it. But the reality is, if the bear is close enough that you could press this device against it, you’re already lunch. [Jay] explains that it’s more about scaring the animal off with the noise and light it produces. We’d certainly take a few steps back if we heard this thing fire off in the woods.

[Jay] does a great job of explaining how the whole setup works, as well as showing off its raw ability to spark. We’ve seen some great builds from [Jay] before, too, like this beefy custom flyback transformer.

You don’t see them as often as you used to, but it used to be common to see “electronics trainers” which were usually a collection of components and simple equipment combined with a breadboard, often in a little suitcase. We think [Pro Maker_101’s] portable electronics workstation is in the same kind of spirit, and it looks pretty nice.

The device uses a 3D printed case and a custom PC board. There are a number of components, although no breadboard. There is a breakout board for Raspberry Pi GPIO, though. So you could use the screw terminals to connect to an external breadboard. We were thinking you could almost mount one as a sort of lid so it would open up like a book with the breadboard on one side and the electronics on the other. Maybe version two?

One thing we never saw on the old units? An HDMI flat-screen display! We doubt you’d make one exactly like this, of course, but that’s part of the charm. You can mix and match exactly what you want and make the prototyping station of your dreams. Throw in a small portable soldering iron, a handheld scopemeter, and you can hack anywhere.

We’d love to see something like this that was modular. Beats what you could build in 1974.

Odd hardware designs crop up in art and renders far more frequently than in the flesh, but console modder [GingerOfOz] felt the need to bring [Anh Dang]’s image of the inevitable carcinization of our gaming consoles to life.

Starting with the image as inspiration, [GingerOfOz] got to work in CAD, creating an entirely new shell for the battered PSOne he adopted for the project. The final product is slightly less curvy than the picture, but some artistic license was necessary to go from the page to the real world.

The enclosure itself looks straightforward, if a bit tedious, but the articulating crab controller is a work of art itself. He could’ve made the arms static or non-functional, but they’re a fully-functional PlayStation controller that can move around just like on your favorite crustacean at the beach, minus the pinching. We love this whimsical take on the console mod which is a breath of salty air to the continuous race to get increasingly complex consoles into handheld form, although there’s certainly nothing wrong with that!

If you’re looking for some other console mods, how about this Apple M1 inside a Wii or getting your old Ouya up-and-running again?

The console wars of the early 1990s had several players, but the battle that mattered was between Nintendo’s SNES and Sega’s Genesis, or Megadrive if you are European. They are both famous for their games, but in terms of software they can only run what’s on a cartridge. The Genesis has a Motorola 68000 on board though, which is capable of far more than just Sonic the Hedgehog. [EythorE] evidently thinks so, because here’s a port of Fusix, a UNIX-like OS, for the Sega platform.

As it stands, the OS is running on the BlastEm emulator, but given a Sega Saturn keyboard or a modified PC keyboard for the Sega, it could be run on real hardware. What you get is a basic UNIX-like OS with a working shell and the usual UNIX utilities. With 64k of memory to play with this will never be a powerhouse, but on the other hand we’d be curious to see it in a working cartridge.

Meanwhile, if the console interests you further, someone has been into its workings in great detail.

Header: Evan-Amos, CC BY-SA 3.0.

We’re used to there being an array of high-end microprocessor architectures, and it’s likely that many of us will have sat in front of machines running x86, ARM, or even PowerPC processors. There are other players past and present you may be familiar with, for example SPARC, RISC-V, or MIPS. Back in the 1990s there was another, now long gone but at the time the most powerful of them all, of course we’re speaking of DEC’s Alpha architecture. [JP] has a mid-90s AlphaStation that doesn’t work, and as part of debugging it we’re treated to a description of its unusual boot procedure.

Conventionally, an x86 PC has a ROM at a particular place in its address range, and when it starts, it executes from the start of that range. The Alpha is a little different, on start-up it needs some code from a ROM which configures it and sets up its address space. This is applied as a 1-bit serial stream, and like many things DEC, it’s a little unusual. This code lives in a conventional ROM chip with 8 data lines, and each of those lines contains a separate program selectable by a jumper. It’s a handy way of providing a set of diagnostics at the lowest level, but even with that discovery the weirdness isn’t quite over. We’re treated to a run-down of DEC Alpha code encoding, and should you have one of these machines, there’s all the code you need.

The Alpha was so special in the 1990s because with 64-bit and retargetable microcode in its architecture it was significantly faster than its competitors. From memory it could be had with DEC Tru64 UNIX, Microsoft Windows NT, or VMS, and with the last of which it was the upgrade path for VAX minicomputers. It faded away in the takeover by Compaq and subsequently HP, and we are probably the poorer for it. We look forward to seeing more about this particular workstation, should it come back to life.

Everyone knows that ultrasonic cleaners are great, but not every device that’s marketed as an ultrasonic cleaner is necessarily such a device. In a recent video on the Cheap & Cheerful YouTube channel the difference is explored, starting with a teardown of a fake one. The first hint comes with the use of the description ‘Multifunction cleaner’ on the packaging, and the second in the form of it being powered by two AAA batteries.

Unsurprisingly, inside you find not the ultrasonic transducer that you’d expect to find in an actual ultrasonic cleaner, but rather a vibration motor. In the demonstration prior to the teardown you can see that although the device makes a similar annoying buzzing noise, it’s very different. Subsequently the video looks at a small ultrasonic cleaner and compares the two.

Among the obvious differences are that the ultrasonic cleaner is made out of metal and AC-powered, and does a much better job at cleaning things like rusty parts. The annoying thing is that although the cleaners with a vibration motor will also clean things, they rely on agitating the water in a far less aggressive way than the ultrasonic cleaner, so marketing them as something which they’re not is very unpleasant.

In the video the argument is also made that you do not want to clean PCBs with an ultrasonic cleaner, but we think that people here may have different views on that aspect.

On 31 March of this year we had to bid farewell to Charlotte Elizabeth “Betty” Webb (née Vine-Stevens) at the age of 101. She was one of the cryptanalysts who worked at Bletchley Park during World War 2, as well as being one of the few women who worked at Bletchley Park in this role. At the time existing societal biases held that women were not interested in ‘intellectual work’, but as manpower was short due to wartime mobilization, more and more women found themselves working at places like Bletchley Park in a wide variety of roles, shattering these preconceived notions.

Betty Webb had originally signed up with the Auxiliary Territorial Service (ATS), with her reasoning per a 2012 interview being that she and a couple of like-minded students felt that they ought to be serving their country, ‘rather than just making sausage rolls’. After volunteering for the ATS, she found herself being interviewed at Bletchley Park in 1941. This interview resulted in a years-long career that saw her working on German and Japanese encrypted communications, all of which had to be kept secret from then 18-year old Betty’s parents.

Until secrecy was lifted, all her environment knew was that she was a ‘secretary’ at Bletchley Park. Instead, she was fighting on the frontlines of cryptanalysis, an act which got acknowledged by both the UK and French governments years later.

Writing The Rulebook

Although encrypted communications had been a part of warfare for centuries, the level and scale was vastly different during World War 2, which spurred the development of mechanical and electronic computer systems. At Bletchley Park these were the Bombe and Colossus computers, with the former being an electro-mechanical system. Both were used for deciphering German Enigma machine encrypted messages, with the tube-based Colossus taking over starting in 1943.

After enemy messages were intercepted, it was the task of these systems and the cryptanalysis experts to decipher them as quickly as possible. With the introduction of the Enigma machine by the Axis, this had become a major challenge. Since each message was likely to relate to a current event and thus time-sensitive, any delay in decrypting it would render the resulting decrypted message less useful. Along with the hands-on decrypting work, there were many related tasks to make this process work as smoothly and securely as possible.

Betty’s first task at Bletchley was to do the registering of incoming messages, which she began with as soon as she had been subjected to the contents of the Official Secrets Act. This forbade her from disclosing even the slightest detail of what she did or had seen at Bletchley, at the risk of severe punishment.

As was typical at Bletchley Park, each member of the staff there was kept as much in the dark of the whole as possible for operational security reasons. This meant that of the thousands of incoming messages per day, each had to be carefully kept in order and marked with a date and obfuscated location. She did see a Colossus computer once when it was moved into one of the buildings, but this was not one of her tasks, and snooping around Bletchley was discouraged for obvious reasons.

Paraphrasing

Although Betty’s German language skills were pretty good thanks to her mother’s insistence that she’d be able to take care of herself whilst travelling on the continent, the requirements for the translators at Bletchley were much more strict, and thus eventually she ended up working in the Japanese section located in Block F. After decrypting and translating the enemy messages, the texts were not simply sent to military headquarters or similar, but had to be paraphrased first.

The paraphrasing task entails pretty much what it says: taking the original translated message and paraphrasing it so that the meaning is retained, but any clues about what the original message was from which it was paraphrased is erased. In the case that such a message then falls into enemy hands, via a spy at HQ, it is made much harder to determine where this particular information was intercepted.

Betty was deemed to be very good at this task, which she attributed to her mother, who encouraged her to relate stories in her own words. As she did this paraphrasing work, the looming threat of the Official Secrets Act encouraged those involved with the work to not dwell on or remember much of the texts they read.

In May of 1945 with the war in Europe winding down, Betty was transferred to the Pentagon in the USA to continue her paraphrasing work on translated Japanese messages. Here she was the sole ATS girl, but met up with a girl from Hull with whom she had to share a room, and bed, in the rundown Cairo hotel.

With the surrender of Japan the war officially came to an end, and Betty made her way back to the UK.

Secrecy’s Long Shadow

When the work at Bletchley Park was finally made public in 1975, Betty’s parents had sadly already passed away, so she was never able to tell them the truth of what she had been doing during the war. Her father had known that she was keeping a secret, but because of his own experiences during World War 1, he had shown great understanding and appreciation of his daughter’s work.

After keeping her secrets along with everyone else at Bletchley, the Pentagon and elsewhere, Betty wasn’t about to change anything about this. Her husband had never indicated any interest in talking about it either. In her eyes she had just done her duty and that was good enough, but when she got asked to talk about her experiences in 1990, this began a period in which she would not only give talks, but also write about her experiences. In 2015 Betty was appointed a Member of the Order of the British Empire (MBE) and in 2021 as a Chevalier de la Légion d’Honneur (Knight of the Legion of Honour) in France.

Today, as more and more voices from of those who experienced World War 2 and who were involved the heroic efforts to stop the Axis forces fall silent, it is more important than ever to recognize their sacrifices and ingenuity. Even if Betty Webb didn’t save the UK by her lonesome, it was the combined effort from thousands of individuals like her that cracked the Enigma encryption and provided a constant flow of intel to military command, saving countless lives in the process and enabling operations that may have significantly shortened the war.

Top image: A Colossus Mark 2 computer being operated by Dorothy Du Boisson (left) and Elsie Booker (right), 1943 (Credit: The National Archives, UK)

It’s not often you’ll see us singing the praises of Microsoft on these pages, but credit where credit is due, this first-person account of how the software giant got its foot in the proverbial door by Bill Gates himself is pretty slick.

Now it’s not the story that has us excited, mind you. It’s the website itself. As you scroll down the page, the text and images morph around in a very pleasing and retro-inspired way. Running your cursor over the text makes it flip through random ASCII characters, reminding us a bit of the “decryption” effect from Sneakers. Even the static images have dithering applied to them as if they’re being rendered on some ancient piece of hardware. We don’t know who’s doing Billy’s web design, but we’d love to have them come refresh our Retro Edition.

Presentation aside, for those who don’t know the story: back in 1975, Gates and Paul Allen told the manufacturer of the Altair 8800 that they had a version of BASIC that would run on the computer and make it easier for people to use. Seeing the potential for increased sales, the company was very interested, and asked them to come give a demonstration of the software in a few weeks.

There was just one problem — Bill and Paul lied. They had never even seen an Altair in person, let alone wrote any code for one. So they set off on a mad dash to complete the project in time, with Allen famously still working on the code on the plane as they flew to the meeting. As you’ve probably guessed, they ended up pulling it off, and the rest is history.

At the very end of the page, you can download the actual source code for Altair BASIC that Gates and Allen co-delivered, presented as scans of the original printout. A little light reading as you wait to find out if that latest Windows update that’s installing is going to tell you that your machine is too old to use anymore.

You can salvage lithium 18650 cells from all sorts of modern gadgets, from disposable vapes to cordless power tools. The tricky part, other than physically liberating them from whatever they are installed in, is figuring out if they’re worth keeping or not. Just because an 18650 cell takes a charge doesn’t necessarily mean it’s any good — it could have vastly reduced capacity, or fail under heavy load.

If you’re going to take salvaging these cells seriously, you should really invest in a charger that is capable of running some capacity tests against the cell. Or if you’re a bit more adventurous, you can build this “Battery Health Monitor” designed by [DIY GUY Chris]. Although the fact that it can only accept a single cell at a time is certainly a limitation if you’ve got a lot of batteries to go though, the fact that it’s portable and only needs a USB-C connection for power means you can take it with you on your salvaging adventures.

The key to this project is a pair of chips from Texas Instruments. The BQ27441 is a “Fuel Gauge” IC, and is able to determine an 18650’s current capacity, which can be compared to the cell’s original design capacity to come up with an estimate of its overall health. The other chip, the BQ24075, keeps an eye on all the charging parameters to make sure the cell is being topped up safely and efficiently.

With these two purpose-built chips doing a lot of the heavy lifting, it only takes a relatively simple microcontroller to tie them together and provide user feedback. In this case [DIY GUY Chris] has gone with the ATmega328P, with a pair of addressable WS2812B LED bars to show the battery’s health and charge levels. As an added bonus, if you plug the device into your computer, it will output charging statistics over the serial port.

The whole project is released under the MIT license, and everything from the STL files for the 3D printed enclosure to the MCU’s Arduino-flavored firmware is provided. If you’re looking to build one yourself, you can either follow along with the step-by-step assembly instructions, or watch the build video below. Or really treat yourself and do both — you deserve it.

If your battery salvaging operation is too large for a single-cell tester, perhaps it’s time to upgrade to this 40-slot wall mounted unit.

There seems to be nothing a 555 can’t do. We’ve seen it before, but [electronzapdotcom] reminds us you can use a 555 and a few parts to make a reasonable touch switch in this video, embedded below.

The circuit uses some very large resistors so that noise from your body can overcome the logic level on the trigger and threshold inputs. You can easily adapt this idea if you need a simple touch switch. Though we imagine this circuit wouldn’t work well if you were in a quiet environment. We suspect 50 or 60 Hz hum is coupling through your finger and triggering the pins, but it could be a different effect.

How reliable is it? Beats us. The circuit is a bistable, so essentially your finger pumps a signal into a flip-flop. This is old trick, but could be useful. Of course, if you really need a touch switch, you have plenty of options. You can get little modules. Or, directly measure skin resistance.

The plethora of smart home devices available today deliver all manner of opportunities, but it’s fair to say that interfacing with them is more often done in the browser or an app than in the terminal. WattWise from [Naveen Kulandaivelu] is a tool which changes all that, it’s a command-line interface (CLI) for power monitoring smart plugs.

Written in Python, the tool can talk either directly to TP-Link branded smart plugs, or via Home Assistant. It tracks the power consumption with a simple graph, but the exciting part lies in how it can be used to throttle the CPU of a computer in order to use power at the points in the day when it is cheapest. You can find the code in a GitHub repository.

We like the idea of using smart plugs as instruments, even if they may not be the most accurate of measurement tools. It takes them even further beyond the simple functionality and walled-garden interfaces provided by their manufacturers, which in our view can only be a good thing.

Meanwhile, for further reading we’ve looked at smart plugs in detail in the past.