
Keebin’ with Kristina: the One with the Leather Keyboard

31 March 2025 at 14:00
Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Are you eager to get your feet wet in the keyboard surf, but not quite ready to stand up and ride the waves of designing a full-size board? You should paddle out with a macro pad instead, and take on the foam face-first and lying down.

A beautiful purple galaxy-themed macro pad with nine switches and three knobs.
Image by [Robert Feranec] via Hackaday.IO
Luckily, you have a great instructor in [Robert Feranec]. In a series of hour-long videos, [Robert] guides you step by step through each part of the process, from drawing the schematic, to designing a PCB and enclosure, to actually putting the thing together and entering a new world of macros and knobs and enhanced productivity.

Naturally, the fewer keys and things you want, the easier it will be to build. But [Robert] is using the versatile Raspberry Pi 2040, which has plenty of I/O pins if you want to expand on his basic plan. Not ready to watch the videos? You can see the schematic and the 3D files on GitHub.

As [Robert] says, this is a great opportunity to learn many skills at once, while ending up with something terrifically useful that could potentially live on your desk from then on. And who knows where that could lead?

Holy Leather Work, Batman!

[Notxtwhiledrive] had long wanted to design a keyboard from scratch, but could never think of a compelling concept from which to get going. Then one day while doing some leather work, it dawned on him to design a portable keyboard much the same way as he would a wallet.

Wallet42, which combines a love of keyboards and leather crafting.
Image by [Notxtwhiledrive] via reddit
The result? A stunning keyboard wallet that can go anywhere and may outlast most of us. The Wallet42 is based on the FFKB layout by Fingerpunch. This hand-wired unibody split uses the Supermini nRF52840 microcontroller with ZMK firmware and rests inside 2 mm-thick chrome-tanned leather in chocolate and grey.

Switch-wise, it has Otemu low-profile reds wearing TPU keycaps. [Notxtwhiledrive] is thinking about making a hot swap version before open-sourcing everything and/or taking commissions. Even better, he apparently recorded video throughout the process and is planning to upload a video about designing and building this beautiful board.

The Centerfold: Levels, the Prototype

Levels, a split keyboard prototype with dual trackballs and 80s styling.
Image by [timbetimbe] via reddit
At the risk of dating myself, this ’80s kid definitely appreciates the aesthetic of Levels, a new prototype by redditor [timbetimebe]. This is a centerfold because look at it, but also because there is like basically no detail at this time. But watch this space.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Secor

When we last left Historical Clackers, we examined the Williams machine with its curious grasshopper-like type bars. If you’ll recall, the Williams Typewriter Company was acquired by Jerome Burgess Secor, a former superintendent of the Williams Typewriter Company.

The Secor typewriter, an upstrike number with four rows of input.
Image via The Antikey Chop

Secor, an inventor in his own right, began working at Williams in 1899. By 1902, he was filing typewriter patents for frontstrike machines that looked nothing like the Williams grasshopper number. By the summer of 1910, Secor took over the failed company.

Though radically different, the Secor typewriters were not radically better than the Williams grasshopper. And though the typist could see more with the Secor, the only real hype surrounded the removable, interchangeable escapement.

The Secor Company produced about 7,000 machines between three models, one with a wide carriage. Between the impending war, competition, and alleged labor issues, the writing was on the wall for the Secor Company, and it folded in 1916.

But you shouldn’t feel sorry for Mr. Secor. His main wheelhouse was mechanical toy and sewing machine manufacture. He did well for himself in these realms, and those items are far more sought after by collectors than his typewriters, interestingly enough.

Finally, a Quick Guide to Cleaning That Awful Keyboard Of Yours

Oh, I’m pointing one finger back at myself, trust me. You should see this thing. I really should go at it with the compressor sometime soon. And I might even take all the steps outlined in this keyboard deep-cleaning guide by [Ben Smith].

[Ben] estimates that this exercise will take 30 minutes to an hour, but also talks about soaking the keycaps, so (in my experience) you can add several hours of drying time to that ballpark. Plan for that and have another keyboard to use.

Apparently he has two cats that sit directly on the keyboard at every opportunity. I’m not so lucky, so although there is definitely cat hair involved, it doesn’t blanket the switch plate or anything. But you should see [Ben]’s keyboard.

A keyboard, stripped of its keycaps to reveal a set of cat hair-covered browns. There may also be a few Doritos crumbs.
Click to judge [Ben] for his dirty keyboard. Then go de-cap yours, ya filthy animal. Image by [Ben Smith] via Pocket-lint
So basically, start by taking a picture of it so you can reassemble the keycaps later. He recommends looking up the key map online; I say just take a picture. You’re welcome. Then you should unplug the thing or power it down. Next up is removing the keycaps. This is where I would take it out to the garage and use the ol’ pancake compressor, or maybe just use the vacuum cleaner turned down low with the brushy attachment. But [Ben] uses canned air. Whatever you’ve got.

A white enamel colander full of greyscale keycaps enjoying a shower.
Everyone enjoys a nice shower now and then. Image by [Ben Smith] via Pocket-lint
For any hangers-on, bust out an old toothbrush and go to town on those browns. This is as good a time as any to put your keycaps in a bowl with some warm water and a bit of dish soap.

My suggestion — if they’re super gross, put them in something with a lid so you can shake the whole concoction around and knock the dirt off with force.

After about half an hour, use a colander to strain and drain them while rinsing them off. Then let them get good and dry, and put your board back together.

Enjoy the feeling of non-oily keycaps and the sound of full thock now that the blanket of cat hair has been lifted. Rejoice!


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

Hackaday Links: March 30, 2025

30 March 2025 at 23:00
Hackaday Links Column Banner

The hits just keep coming for the International Space Station (ISS), literally in the case of a resupply mission scheduled for June that is now scrubbed thanks to a heavy equipment incident that damaged the cargo spacecraft. The shipping container for the Cygnus automated cargo ship NG-22 apparently picked up some damage in transit from Northrop Grumman’s Redondo Beach plant in Los Angeles to Florida. Engineers inspected the Cygnus and found that whatever had damaged the container had also damaged the spacecraft, leading to the June mission’s scrub.

Mission controllers are hopeful that NG-22 can be patched up enough for a future resupply mission, but that doesn’t help the ISS right now, which is said to be running low on consumables. To fix that, the next scheduled resupply mission, a SpaceX Cargo Dragon slated for an April launch, will be modified to include more food and consumables for the ISS crew. That’s great, but it might raise another problem: garbage. Unlike the reusable Cargo Dragons, the Cygnus cargo modules are expendable, which makes them a great way to dispose of the trash produced by the ISS crew since everything just burns up on reentry. The earliest a Cygnus is scheduled to dock at the ISS again is sometime in this autumn, meaning it might be a long, stinky summer for the crew.

By now you’ve probably heard the news that genetic testing company 23andMe has filed for bankruptcy. The company spent years hawking their spit-in-a-tube testing kits, which after DNA sequence analysis returned a report revealing all your genetic secrets. This led to a lot of DNA surprises, like finding a whole mess of half-siblings, learning that your kid isn’t really related to you, and even catching an alleged murderer. But now that a bankruptcy judge has given permission for the company to sell that treasure trove of genetic data to the highest bidder, there’s a mad rush of 23andMe customers to delete their data. It’s supposed to be as easy as signing into your account and clicking a few buttons to delete your data permanently, with the option to have any preserved samples destroyed as well. Color us skeptical, though, that the company would willingly allow its single most valuable asset to be drained. Indeed, there were reports of the 23andMe website crashing on Monday, probably simply because of the rush of deletion requests, but then again, maybe not.

It may not have been 121 gigawatts-worth, but the tiny sample of plutonium that a hapless Sydney “science nerd” procured may be enough to earn him some jail time. Emmanuel Lidden, 24, pleaded guilty to violations of Australia’s nuclear proliferation laws after ordering a small sample of the metal from a US supplier, as part of his laudable bid to collect a sample of every element in the periodic table. Shipping plutonium to Australia is apparently a big no-no, but not so much that the border force officials who initially seized the shipment didn’t return some of the material to Lidden. Someone must have realized they made a mistake, judging by the outsized response to re-seize the material, which included shutting down the street where his parents live and a lot of people milling about in hazmat suits. We Googled around very briefly for plutonium samples for sale, which is just another in a long list of searches since joining Hackaday that no doubt lands us on a list, and found this small chunk of trinitite encased in an acrylic cube for $100. We really hope this isn’t what the Australian authorities got so exercised about that Lidden now faces ten years in prison. That would be really embarrassing.

And finally, we couldn’t begin to tote up the many happy hours of our youth spent building plastic models. New model day was always the best day, and although it’s been a while since we’ve indulged, we’d really get a kick out of building models of some of the cars we had an emotional connection to, like the 1972 Volkswagen Beetle that took us on many high school adventures, or our beloved 1986 Toyota 4×4 pickup with the amazing 22R engine. Sadly, those always seemed to be vehicles that wouldn’t appeal to a broad enough market to make it worth a model company’s while to mass-produce. But if you’re lucky, the car of your dreams might just be available as a download thanks to the work of Andrey Bezrodny, who has created quite a collection of 3D models of off-beat and quirky vehicles. Most of the files are pretty reasonably priced considering the work that obviously went into them, and all you have to do is download the files and print them up. It’s not quite the same experience as taking the shrink-wrap off a Revell or Monogram box and freeing the plastic parts from their trees to glue them together, but it still looks like a lot of fun.

Contagious Ideas

29 March 2025 at 14:00

We ran a story about a wall-mounted plotter bot this week, Mural. It’s a simple, but very well implemented, take on a theme that we’ve seen over and over again in various forms. Two lines, or in this case timing belts, hang the bot on a wall, and two motors drive it around. Maybe a servo pulls the pen in and out, but that’s about it. The rest is motor driving and code.

We were thinking about the first such bot we’ve ever seen, and couldn’t come up with anything earlier than Hektor, a spray-painting version of this idea by [Juerg Lehni]. And since then, it’s reappeared in numerous variations.

Some implementations mount the motors on the wall, some on the bot. There are various geometries and refinements to try to make the system behave more like a simple Cartesian one, but in the end, you always have to deal with a little bit of geometry, or just relish the not-quite-straight lines. (We have yet to see an implementation that maps out the nonlinearities using a webcam, for instance, but that would be cool.) If you’re feeling particularly reductionist, you can even do away with the pen-lifter entirely and simply draw everything as a connected line, Etch-a-Sketch style. Maslow CNC swaps out the pen for a router, and cuts wood.

What I love about this family of wall-plotter bots is that none of them are identical, but they all clearly share the same fundamental idea. You certainly wouldn’t call any one of them a “copy” of another, but they’re all related, like riffing off of the same piece of music, or painting the same haystack in different lighting conditions: robot jazz, or a study in various mechanical implementations of the same core concept. The collection of all wall bots is more than the sum of its parts, and you can learn something from each one. Have you made yours yet?

(Fantastic plotter-bot art by [Sarah Petkus] from her write-up ten years ago!)

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

This Week in Security: IngressNightmare, NextJS, and Leaking DNA

28 March 2025 at 14:00

This week, researchers from Wiz Research disclosed a series of vulnerabilities in the Kubernetes Ingress NGINX Controller that, when chained together, allow an unauthorized attacker to completely take over the cluster. This attack chain is known as IngressNightmare, and it affected more than 6,500 Kubernetes installs on the public Internet.

The background here is that web applications running on Kubernetes need some way for outside traffic to actually get routed into the cluster. One of the popular solutions for this is the Ingress NGINX Controller. When running properly, it takes incoming web requests and routes them to the correct place in the Kubernetes pod.

When a new configuration is requested by the Kubernetes API server, the Ingress Controller takes the Kubernetes Ingress objects, which are the standard way to define Kubernetes endpoints, and converts them to an NGINX config. Part of this process is the admission controller, which runs nginx -t on that NGINX config to test it before actually deploying.

As you might have gathered, there are problems. The first is that the admission controller is just a web endpoint without authentication. It’s usually available from anywhere inside the Kubernetes cluster, and in the worst case scenario, is accessible directly from the open Internet. That’s already not great, but the Ingress Controller also had multiple vulnerabilities allowing raw NGINX config statements to be passed through into the config to be tested.

And then there’s nginx -t itself. The man page states, “Nginx checks the configuration for correct syntax, and then tries to open files referred in the configuration.” It’s the opening of files that gets us, as those files can include shared libraries. The ssl_engine fits the bill, as this config line can specify the library to use.

That’s not terribly useful in itself. However, NGINX saves memory by buffering large requests into temporary files. Through some trickery, including using the /proc/ ProcFS pseudo file system to actually access that temporary file, arbitrary files can be smuggled into the system using HTTP requests, and then loaded as shared libraries. Put malicious code in the _init() function, and it gets executed at library load time: easy remote code execution.

This issue was privately disclosed to Kubernetes, and fixed in Ingress NGINX Controller version 1.12.1 and 1.11.5, released in February. It’s not good in any Kubernetes install that uses the Ingress NGINX Controller, and disastrously bad if the admission controller is exposed to the public Internet.
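As an added example (not code from the ingress-nginx project or the Wiz write-up), the Node.js script below audits saved kubectl JSON output for the two conditions this section names: a controller older than the fixed 1.11.5 / 1.12.1 releases, and an admission webhook Service published as NodePort or LoadBalancer. The controller image path and the "-admission" Service suffix are assumed to follow the upstream manifests, and the sample objects are constructed.

```javascript
// Added example (not ingress-nginx project code): audits the item list that
// `kubectl get deployments,services -A -o json` returns and reports two
// findings from the write-up: controllers below the fixed releases
// (1.11.5 / 1.12.1) and an admission webhook Service exposed beyond ClusterIP.
const FIXED_PATCH_BY_MINOR = { 11: 5, 12: 1 }; // 1.11.5 and 1.12.1

// Assumption: the controller image follows the upstream manifests, e.g.
// "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:..." -> [1, 11, 3]
function parseControllerVersion(image) {
  const m = /ingress-nginx\/controller:v?(\d+)\.(\d+)\.(\d+)/.exec(image);
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version is at or above the fixed release of its minor line.
function isPatched([major, minor, patch]) {
  if (major !== 1) return major > 1;
  if (minor > 12) return true; // later minor lines post-date the fix
  const fixed = FIXED_PATCH_BY_MINOR[minor];
  // 1.10 and older have no fixed release named on the page: treat as unpatched.
  return fixed !== undefined && patch >= fixed;
}

// Walks the kubectl item list and returns one finding per problem found.
function auditIngressNginx(items) {
  const findings = [];
  for (const obj of items) {
    const object = `${obj.kind} ${obj.metadata.namespace}/${obj.metadata.name}`;
    if (obj.kind === "Deployment") {
      for (const c of obj.spec.template.spec.containers) {
        const version = parseControllerVersion(c.image);
        if (version && !isPatched(version)) {
          findings.push({ object, issue: "unpatched-controller", detail: c.image });
        }
      }
    } else if (obj.kind === "Service" && obj.metadata.name.endsWith("-admission")) {
      // Assumption: the webhook Service keeps the upstream "-admission" suffix.
      // ClusterIP is still reachable from anywhere inside the cluster (the
      // write-up's "not great" case); NodePort/LoadBalancer is the disastrous one.
      const type = obj.spec.type || "ClusterIP";
      if (type === "NodePort" || type === "LoadBalancer") {
        findings.push({ object, issue: "admission-webhook-exposed", detail: type });
      }
    }
  }
  return findings;
}

// Minimal builders for constructed kubectl-style objects.
function deployment(namespace, name, image) {
  return {
    kind: "Deployment",
    metadata: { namespace, name },
    spec: { template: { spec: { containers: [{ name: "controller", image }] } } },
  };
}
function service(namespace, name, type) {
  return { kind: "Service", metadata: { namespace, name }, spec: { type } };
}

// Constructed sample: one stale controller, one patched controller, one
// admission webhook exposed via LoadBalancer, one kept at ClusterIP.
const SAMPLE_ITEMS = [
  deployment("ingress-nginx", "ingress-nginx-controller",
    "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:PLACEHOLDER"),
  deployment("edge", "ingress-nginx-controller",
    "registry.k8s.io/ingress-nginx/controller:v1.12.1"),
  service("ingress-nginx", "ingress-nginx-controller-admission", "LoadBalancer"),
  service("edge", "ingress-nginx-controller-admission", "ClusterIP"),
];

for (const f of auditIngressNginx(SAMPLE_ITEMS)) {
  console.log(`${f.issue}: ${f.object} (${f.detail})`);
}
```

To run it against a live cluster, replace SAMPLE_ITEMS with the `items` array of the saved kubectl JSON.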

Next.js

Another project, Next.js, has a middleware component that serves a similar function as an ingress controller. The Next.js middleware can do path rewriting, redirects, and authentication. It has an interesting behavior, in that it adds the x-middleware-subrequest HTTP header to recursive requests, to track when it’s talking to itself. And the thing about those headers is that they’re just some extra text in the request. And that’s the vulnerability: spoof a valid x-middleware-subrequest and the Next.js middleware layer just passes the request without any processing.

The only hard part is to figure out what a valid header is. And that’s changed throughout the last few versions of Next.js. The latest iteration of this technique is to use x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware or a minor variant, to trigger the middleware’s infinite recursion detection, and pass right through. In some use cases that’s no problem, but if the middleware is also doing user authentication, that’s a big problem. The issue can be mitigated by blocking x-middleware-subrequest requests from outside sources, and the 14.x and 15.x releases have been updated with fixes.
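The mitigation in the last sentence, as an added example that is not Next.js code: a small Node.js filter for a reverse proxy or edge layer that strips x-middleware-subrequest from any request not arriving over loopback, plus a classifier that records the depth of a forged chain for logging. The trusted-source list, the function names and the sample requests are assumptions.

```javascript
// Added example (not Next.js project code): an edge-side filter that drops the
// x-middleware-subrequest header from external requests before they reach
// Next.js, and a classifier that flags spoofing attempts for the SOC log.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Assumption: Next.js only talks to itself over loopback, so only loopback
// peers may legitimately carry the internal header.
const TRUSTED_SOURCES = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Clients may send header names in any case; fold them to lowercase once so a
// mixed-case "X-Middleware-Subrequest" cannot slip past a case-sensitive check.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Returns the header set that is safe to forward to Next.js. The internal
// header is removed unless the peer address is in TRUSTED_SOURCES.
function sanitizeInbound(headers, remoteAddress) {
  const clean = normalizeHeaders(headers);
  const present = Object.prototype.hasOwnProperty.call(clean, INTERNAL_HEADER);
  const stripped = present && !TRUSTED_SOURCES.has(remoteAddress);
  if (stripped) delete clean[INTERNAL_HEADER];
  return { headers: clean, stripped };
}

// The bypass described in the write-up repeats "middleware" to trip the
// recursion limit. Count the segments so a log entry shows how deep the
// forged chain was; any externally supplied header is treated as spoofed.
function classifySubrequestHeader(value, fromExternal) {
  if (value === undefined) return { depth: 0, verdict: "absent" };
  const depth = String(value).split(":").filter((s) => s === "middleware").length;
  if (!fromExternal) return { depth, verdict: "internal" };
  return { depth, verdict: "spoofed" };
}

// Constructed sample traffic: one forged chain from the Internet, one
// legitimate loopback subrequest, one ordinary request without the header.
const SAMPLE_REQUESTS = [
  {
    remote: "203.0.113.7",
    headers: {
      host: "app.example",
      "X-Middleware-Subrequest":
        "middleware:middleware:middleware:middleware:middleware",
    },
  },
  {
    remote: "127.0.0.1",
    headers: { host: "app.example", "x-middleware-subrequest": "middleware" },
  },
  {
    remote: "198.51.100.9",
    headers: { host: "app.example", "user-agent": "curl/8.0" },
  },
];

// Runs the filter over a batch of requests and returns one record per
// request: what was forwarded, whether the header was stripped, and the
// classification for logging.
function auditRequests(requests) {
  return requests.map((req) => {
    const { headers, stripped } = sanitizeInbound(req.headers, req.remote);
    const raw = normalizeHeaders(req.headers)[INTERNAL_HEADER];
    const fromExternal = !TRUSTED_SOURCES.has(req.remote);
    const { depth, verdict } = classifySubrequestHeader(raw, fromExternal);
    return { remote: req.remote, stripped, depth, verdict, forwarded: headers };
  });
}

for (const r of auditRequests(SAMPLE_REQUESTS)) {
  console.log(`${r.remote} verdict=${r.verdict} depth=${r.depth} stripped=${r.stripped}`);
}
```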

Linux’ No-op Security Function

The Linux kernel uses various hardening techniques to make exploitation of bugs difficult. One technique is CONFIG_RANDOM_KMALLOC_CACHES, which makes multiple copies of memory allocation caches, and then randomizes which copy is actually used, to make memory corruption exploitation harder. Google researchers found a flaw in nftables, and wrote up the exploit, which includes the observation that this mitigation is completely non-functional when used from kvmalloc_node.

This happens as a result of how that randomization is done. The function that calculates which of the copies to use takes its own return address as the seed for the random value. That makes sense in some cases, but the calling function is an “exported symbol”, which among other things means the return address is always the same, rendering the hardening attempt completely ineffective. Whoops. This was fixed in the Linux 6.15 merge window, and will be backported to the stable kernel series.

Your DNA In Bankruptcy

I’ve always had conflicting feelings about the 23andMe service. On one hand, there is some appeal to those of us that may not have much insight to our own genetic heritage, to finally get some insight into that aspect of our own history. On the other hand, that means willingly giving DNA to a for-profit company, and just trusting them to act responsibly with it. That concern has been brought into sharp focus this week, as 23andMe has filed for Chapter 11 bankruptcy. This raises a thorny question, of what happens to that DNA data as the company is sold?

The answer seems to be that the data will be sold as well, leading to calls for 23andMe customers to log in and request their data be deleted. Chapter 11 bankruptcy does not prevent them from engaging in business activities, and laws like the GDPR continue to apply, so those requests should be honored. Regardless, it’s a stark reminder to be careful what data you’re willing to entrust to what business, especially something as personal as DNA. It’s unclear what the final fallout is going to be from the company going bankrupt, but it’s sure to be interesting.

Appsmith and a Series of Footguns

Rhino Security did a review of the Appsmith platform, and found a series of CVEs. On the less severe side, that includes an error-handling problem that allows an unauthorized user to restart the system, and an easily brute-forced unique ID that allows read-only users to send arbitrary SQL queries to databases in their workspace. The more serious problem is a pseudo-unauthenticated RCE that is in some ways more of a default-enabled footgun than a vulnerability.

On a default Appsmith install, the default postgres database allows local connections to any user, on any database. Appsmith applications use that local socket connection. Also in the default configuration, Appsmith will allow new users to sign up and create new applications without needing permission. And because that new user created their own application on the server, the user has permissions to set up database access. And from there postgres will happily let the user run a FROM PROGRAM query that runs arbitrary bash code.

Bits and Bytes

There’s been a rumor for about a week that Oracle Cloud suffered a data breach, that Oracle has so far denied. It’s beginning to look like the breach is a real one, with Bleeping Computer confirming that the data samples are legitimate.

Google’s Project Zero has a blast from the past, with a full analysis of the BLASTPASS exploit. This was a 2003 NSO Group exploit used against iMessage on iOS devices, and allowed for zero-click exploitation. It’s a Huffman tree decompression vulnerability, where attempting to decompress the tree overwrites memory and triggers code execution. Complicated, but impressive work.

Resecurity researchers cracked the infrastructure of the BlackLock ransomware group via a vulnerability in the group’s Data Leak Site. Among the treasures from this action, we have the server’s history logs, email addresses, some passwords, and IP address records. While no arrests have been reported in connection with this action, it’s an impressive hack. Here’s hoping it leads to some justice for ransomware crooks.

And finally, Troy Hunt, master of pwned passwords, has finally been stung by a phishing attack. And had a bit of a meta-moment when receiving an automated notice from his own haveibeenpwned.com service. All that was lost was the contents of Troy’s Mailchimp mailing list, so if your email address was on that list, it’s available in one more breach on the Internet. It could have been worse, but it’s a reminder that it can happen to even the best of us. Be kind.

This is too many levels of meta for my head to grasp 🤯 pic.twitter.com/Pr0iFQGNlh

— Troy Hunt (@troyhunt) March 25, 2025

Keebin’ with Kristina: the One with the Grasshopper Typewriter

24 March 2025 at 14:00
Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Do you consider your keyboard to be a fragile thing? Meet the glass keyboard by [BranchNo9329], which even has a glass PCB. At least, I think the whole thing is glass.

The back side of an all-glass keyboard. Yeah.
Image via [BranchNo9329] via reddit
There are so frustratingly few details that this might as well have been a centerfold, but I thought you all should see it just the same. What we do have are several pictures and a couple of really short videos, so dive in.

I can tell you that [BranchNo2939] chose a glass substrate mainly due to curiosity about its durability compared with FR4. And that the copper circuitry was applied with physical vapor deposition (PVD) technology.

Apparently one of [BranchNo2939]’s friends is researching the bonding of copper on to glass panels, so they thought they’d give a keyboard a go. Right now the thing is incomplete — apparently there’s going to be RGB. Because of course there’s going to be RGB.

erkbd Can Be yrkbd, Too

Erik + Keyboard = erkbd, and [EarflapsOpen]’s wide split is now open-source and has a fully documented build guide on GitHub by special request.

The left half of erkbd, a freshly-documented split keyboard.
Image by [EarflapsOpen] via reddit
Inspired mostly by the Corne and the Void Ergo S layout, this is a 44-key, hand-wired number that runs on a pair of Waveshare RP2040 Zeros programmed with QMK.

I really like the inclusion of OLEDs and rotary encoders, although I feel I would inadvertently turn them by accident. Maybe not. At the very least, they appear to be taller than the keys and might get in the way.

[EarflapsOpen] addresses this a bit at the bottom of the reddit thread, stating that they are not in the way when typing. But since they are kind of far from the home row, you have to move your entire hand to use them. Currently, [EarflapsOpen] uses them for scrolling, adjusting volume, video scrubbing, and so on.

The Centerfold: Battle Axes

A cozy corner with guitars on the wall, more guitars in a rack, and, oh yeah -- a desk with a keyboard and stuff. But yeah, it's mostly guitars.
Image by [delusionalreddit] via reddit
So perhaps [delusionalreddit]’s setup is a bit of a departure from the regular centerfold material, but that’s okay. Just look at all those guitars! Yours truly is down to just six or so, and really ought to have them situated similarly around the laboratory. Maybe someday.

So there isn’t much detail here, especially about the peripherals, and I apologize for that. Please see the next paragraph. Almost no one sends me centerfolds! You know your keeb is sexy; now get it out there.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Williams

When the people demand some new advancement in technology, the early response by manufacturers can sometimes be less than appealing, visually speaking.

The Williams typewriter, "a stunning piece of industrial art that salutes the design mantra of form following function".
A Williams No. 1 model. Image by The Antikey Chop

This is not the case with the stunning Williams line of typewriters, which were developed in response to heavy demand for visible typewriters — machines that let the typist see what was being typed without having to stop and do something first. Of course, you could only see a few lines at a time, and just by peering over the tippy-top of the machine, but this was revolutionary.

Form follows function in these lovely machines, which don’t seem to waste an inch of space on frivolity. To create visibility, the Williams typewriters had the platen situated in the center, between two sets of type bars that struck from the front and rear, kicking like grasshopper legs. The paper is first secured along the top and curled downward into the basket.

Don’t quite understand? Don’t blame you. Check out this short video, which demonstrates how to insert paper and type on a Williams Academy model.

Isn’t that cool? The earliest Williams models like the No. 1 pictured above became available in 1891. The keyboard was curved slightly, and the body featured Victorian-inspired filigree. Beginning in 1895, the No. 1 was manufactured with a straight keyboard. The No. 2 came out in 1897 and was nearly identical to the straight-keyboarded No. 1s, but it got an upgrade in the form of typebar alignment. No. 2s were also called Academy like the one in the video, or Englewood.

Inventor John Williams was quite the character and inventor, and was known to rub elbows with Alexander Graham Bell and Emile Berliner. He patented all kinds of things, from cigar cutters to one of the first helicopters in 1912. Unfortunately, the Williams Typewriter Company was fairly short-lived, as they were in litigation for patent infringement pretty much the whole time, until 1909. They were acquired by Jerome Burgess Secor, who would go on to produce a completely different typewriter. Stay tuned!

Finally, Another Use for All Those Melty Beads

So [humanplayer2] was having some fun last Saturday while his daughter played with those melty beads. After some trial and error, it seems we have a new viable switch plate material!

Some of those melty beads fused into a small keyboard switch plate.
Image by [humanplayer2] via reddit
The trial and error was, of course, about finding out what inner bead configuration would result in the snuggest fit. As it turns out, a plain old open square holds them the best, followed by hand-cut-away corners, then full interiors.

For what it’s worth, [humanplayer2] was using Hama beads specifically, which is why the holes are almost all completely melted shut.

Keep in mind that not all melty beads are created equally, so your mileage may vary depending on what you’ve got. But it probably shouldn’t matter too-too much in this case, unless you use the ones that are supposed to be really terrible.

Be sure to check out the custom Hama bead game pad he made for her so she can play Paw Patrol in style.


Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

Hackaday Links: March 23, 2025

23 March 2025 at 23:00
Hackaday Links Column Banner

What a long, strange trip it’s been for NASA astronauts Suni Williams and Bruce Wilmore, who finally completed their eight-day jaunt to space after 289 days. The duo returned to Earth from the ISS on Tuesday along with two other returning astronauts in a picture-perfect splashdown, complete with a dolphin-welcoming committee. For the benefit of those living under rocks these past nine months, Williams and Wilmore slipped the surly bonds way back in June on the first crewed test flight of the Boeing Starliner, bound for a short stay on the ISS before a planned return in the same spacecraft. Alas, all did not go to plan as their ride developed some mechanical difficulties on the way upstairs, and so rather than risk their lives on a return in a questionable capsule, NASA had them cool their heels for a couple of months while Starliner headed home without them.

There’s been a lot of talk about how Butch and Suni were “stranded,” but that doesn’t seem fair to us. Sure, their stay on the ISS was unplanned, or at least it wasn’t Plan A; we’re sure this is always a contingency NASA allows for when planning missions. Also unfortunate is the fact that they didn’t get paid overtime for the stay, not that you’d expect they would. But on the other hand, if you’re going to get stuck on a work trip, it might as well be at the world’s most exclusive and expensive resort.

Speaking of space, while it’s statistically unlikely that anyone reading this will ever get there, you can still get a little taste of what space travel is like if you’re willing to give up ten days of your life to lie in a waterbed. What’s more, the European Space Agency will pay you 5,000 euros to do it. The experiment is part of the ESA’s Vivaldi III campaign, an exploration of the effects of extended spaceflight on the human body. The “waterbed” thing is a little misleading, though; since the setup is designed to simulate the posture the body takes in microgravity, they use a tank of water (heated, we hope) with a waterproof cover to submerge volunteers up to their torso. This neutral body posture looks pretty comfortable if you’re sleeping in space, but we tend to think it’d get annoying pretty quickly down here. Especially for potty breaks, which aren’t done astronaut-style but rather by being transferred to a trolley which lets you do your business without breaking from the neutral posture. Still, 5,000 euros is 5,000 euros.

Bad news for the meme-making community, as it appears AI might be coming for you, too. A recent study found that LLMs like ChatGPT can meme better than humans, at least under certain conditions. To come to that conclusion, researchers used some pretty dank meme templates and pitted humans against ChatGPT-4o to come up with meme-worthy captions. They also had a different group of humans collaborate with the LLM to come up with meme captions, which for practical purposes probably means the humans let the chatbot do the heavy lifting and just filtered out the real stinkers. When they showed the memes to crowdsourced participants to rate them on humor, creativity, and shareability, they found that the LLM consistently produced memes that scored higher across all three categories. This makes sense when you think about it; the whole job of an LLM is to look at a bunch of words and come up with a consensus on what the next word should be. Happily, the funniest memes were written by humans, and the human-LLM collaborations were judged more creative and shareable. So we’ve got that going for us, which is good.

We have noted the passing of quite a few surplus electronics shops in this space before, and the closing of each of them, understandable as it may be, marks the end of an era. But we recently learned about one surplus outfit that’s still going strong. Best Electronics, which specializes in Atari retrocomputing, has been at it for over 40 years, a neat trick when Atari itself went bankrupt over 30 years ago. While they appear to have a lot of new old stock bits and bobs — they’re said to have acquired “thousands and thousands” of pallets of Atari goods from the Sunnyvale warehouse when the company folded — they also claim to spend a lot of money on engineering development. Their online presence is delightfully Web 1.0, making it pretty hard to sort through, but we think that development is mainly upgraded PCBs for things like joysticks and keyboards. Whatever they’re doing, they should just keep on doing it.

And finally, have you ever seen a knitted breadboard? Now you have, and while it’s of no practical value, we still love it. Alanna Okun made it for the ITP Stupid Hackathon at NYU back in February. There aren’t any instructions or build docs, so it’s not clear how it works, but from the photos we’d guess there’s either conductive yarn or solid copper wire knitted into the pattern to serve as bus bars.

Thanks for Hackaday Europe!

22 March 2025 at 14:00

We just got back from Hackaday Europe last weekend, and we’re still coming down off the high. It was great to be surrounded by so many crazy, bright, and crazy-bright folks all sharing what they are pouring their creative energy into. The talks were great, and the discussions and impromptu collaborations have added dramatically to our stack of to-do projects. (Thanks?) Badges were hacked, stories were shared, and a good time was had by all.

At the event, we were approached by someone who wanted to know if we could replicate something like Hackaday Europe in a different location, one where there just isn’t as vibrant a hacking scene. And the answer, of course, was maybe, but probably not.

It’s not that we don’t try to put on a good show, bring along fun schwag, and schedule up a nice location. But it’s the crowd of people who attend who make a Hackaday event a Hackaday event. Without you all, it just wouldn’t work.

So in that spirit, thanks to everyone who attended, and who brought along their passions and projects! It was great to see you all, and we’ll do it again soon.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

This Week in Security: The Github Supply Chain Attack, Ransomware Decryption, and Paragon

21 March 2025 at 14:00

Last Friday Github saw a supply chain attack hidden in a popular Github Action. To understand this, we have to quickly cover Continuous Integration (CI) and Github Actions. CI essentially means automatic builds of a project. Time to make a release? CI run. A commit was pushed? CI run. For some projects, even pull requests trigger a CI run. It’s particularly handy when the project has a test suite that can be run inside the CI process.

Doing automated builds may sound straightforward, but the process includes checking out code, installing build dependencies, doing a build, determining if the build succeeded, and then uploading the results somewhere useful. Sometimes this even includes making commits to the repo itself, to increment a version number for instance. For each step there are different approaches and interesting quirks for every project. Github handles this by maintaining a marketplace of “actions”, many of which are community maintained. Those are reusable code snippets that handle many CI processes with just a few options.

One other element to understand is “secrets”. If a project release process ends with uploading to an AWS store, the process needs an access key. Github stores those secrets securely, and makes them available in Github Actions. Between the ability to make changes to the project itself, and the potential for leaking secrets, it suddenly becomes clear why it’s very important not to let untrusted code run inside the context of a Github Action.

And this brings us to what happened last Friday. One of those community maintained actions, tj-actions/changed-files, was modified to pull an obfuscated Python script and run it. That code dumps the memory of the Github runner process, looks for anything there tagged with isSecret, and writes those values out to the log. The log, that coincidentally, is world readable for public repositories, so printing secrets to the log exposes them for anyone that knows where to look.

Researchers at StepSecurity have been covering this, and have a simple search string to use: org:changeme tj-actions/changed-files Action. That just looks for any mention of the compromised action in your organization’s workflows. It’s unclear whether the compromised action was embedded in any other popular actions. The recommendation is to search recent Github Action logs for any mention of changed-files, and start rotating secrets if present. The durable fix is to pin third-party actions to a full commit SHA rather than a mutable tag, since the attacker retroactively pointed the existing version tags at the malicious commit, so a workflow that referenced a seemingly old release still pulled the backdoored code.
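A minimal version of the check a practitioner would run over their own workflow files, as an added example that is not StepSecurity’s tooling nor anything from the tj-actions project: it parses `uses:` lines, flags any reference to the compromised action, and separately flags every third-party action that is pinned to a tag or branch instead of a 40-character commit SHA. The workflow text and the SHA in it are constructed for this example.

```python
"""Scan GitHub Actions workflow text for (a) references to the compromised
tj-actions/changed-files action and (b) third-party actions not pinned to a
full commit SHA. Added example; the sample workflow below is constructed."""
import re

# Actions known to have been backdoored; extend from your own advisories.
COMPROMISED = {"tj-actions/changed-files"}

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// uses are ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([\w.\-/]+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: one mutable tag, one compromised action, one SHA pin.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: pip install -r requirements.txt
"""


def is_sha_pinned(ref):
    """True only for a full 40-hex commit SHA; tags and branches can be moved."""
    return bool(SHA_RE.match(ref))


def scan_workflow(text):
    """Return a list of (action, ref, finding) tuples, in file order.

    A compromised action is reported regardless of how it is pinned, because
    secrets may already have been exfiltrated by earlier runs; any other
    action is reported only if its ref is mutable."""
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        owner_repo = "/".join(action.split("/")[:2])
        if owner_repo in COMPROMISED:
            findings.append((action, ref, "compromised action: remove it and rotate every secret this workflow could see"))
        elif not is_sha_pinned(ref):
            findings.append((action, ref, "mutable ref: pin to a full commit SHA"))
    return findings


if __name__ == "__main__":
    for action, ref, finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {finding}")
```

Run it with `find .github/workflows -name '*.yml' -exec python3 scan.py {} +` after swapping the sample for a file read; the point of reporting the compromised action even when SHA-pinned is that a log from an earlier, unpinned run may already contain the dumped secrets.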

Linux Supply Chain Research

The folks at Fenrisk were also thinking about supply chain attacks recently, but specifically in how Linux distributions are packaged. They did find a quartet of issues in Fedora’s Pagure web application, which is used for source code management for Fedora packages. The most severe of them is an argument injection in the logging function, allowing for arbitrary file write.

The identifier option is intended to set the branch name for a request, but it can be hijacked in a request to inject the output flag: http://pagure.local/test/history/README.md?identifier=--output=/tmp/foo.bar. That bit of redirection writes the Git history to the file specified. Git history consists of a commit hash and then the short commit message. That commit message gets very little in the way of character scrubbing, so shell operators like || can be used to smuggle a command in. Add the cooked commit to your local branch of something, query the URL to write the file history into your .bashrc file, and then attempt to SSH in to the Pagure service. The server does the right thing with the SSH connection, refusing to give the user a shell, but not before executing the code dropped into the .bashrc file. This one was disclosed in April 2024, and was fixed within hours of disclosure by Red Hat.

Pagure was not the only target, and Fenrisk researchers also discovered a critical vulnerability in openSUSE’s Open Build Service. It’s actually similar to the Fedora Pagure issue. Command options can be injected into the wget command used to download the package source file. The --output-document argument can be used to write arbitrary data to a file in the user’s home directory, but there isn’t an obvious path to executing that file. There are likely several ways this could be accomplished, but the one chosen for this Proof of Concept (PoC) was writing a .proverc file in the home directory. Then a second wget argument is injected, using --use-askpass to trigger the prove binary. It loads from the local rc file, and we have arbitrary shell code execution. The openSUSE team had fixes available and rolled out within a few days of the private disclosure back in June of 2024. Both bugs share one root cause: a request-controlled string is placed into the argv of a tool that will happily interpret it as an option, so the fix on the application side is to refuse option-shaped values and terminate the option list before the untrusted argument.
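The argv-construction mistake common to the Pagure and Open Build Service findings, and its correction, as an added example in Python (Pagure’s own language; this is not Pagure or OBS code, and the function names, repository path and URLs are this example’s own). The naive builder passes the request value straight through, so a value like `--output=/tmp/foo.bar` becomes an option; the hardened builder rejects option-shaped input and also terminates the option list with `--end-of-options` (git 2.24+) and `--`, so a value that slips past validation is still treated as a revision, path or URL rather than a flag.

```python
"""Argument injection in subprocess argv: vulnerable vs. hardened builders.
Added example modelled on the Pagure `identifier` and OBS wget findings."""
import re


class ArgumentInjection(ValueError):
    """Raised when a request-controlled value looks like a CLI option."""


def is_option_shaped(value):
    """Anything starting with '-' (so '-o', '--output=...', even '-') is an option to getopt-style tools."""
    return value.startswith("-")


def unsafe_git_log_argv(repo_path, identifier, filename):
    """The vulnerable shape: identifier comes from the request and is interpolated as-is."""
    return ["git", "-C", repo_path, "log", "--oneline", identifier, "--", filename]


def safe_git_log_argv(repo_path, identifier, filename):
    """Hardened: validate the revision name, then fence it off from option parsing."""
    if not identifier or is_option_shaped(identifier) or not re.fullmatch(r"[\w./-]+", identifier):
        raise ArgumentInjection(f"bad revision: {identifier!r}")
    if not filename or is_option_shaped(filename) or ".." in filename.split("/"):
        raise ArgumentInjection(f"bad path: {filename!r}")
    # --end-of-options: git stops option parsing; everything after is a revision.
    # --: separates revisions from pathspecs, so a path starting with '-' is still safe.
    return ["git", "-C", repo_path, "log", "--oneline", "--end-of-options", identifier, "--", filename]


def safe_wget_argv(url, dest_name):
    """Same idea for the OBS-style download: only absolute http(s) URLs, a bare
    filename for the destination, and '--' so the URL can never be read as an option."""
    if not url.startswith(("http://", "https://")):
        raise ArgumentInjection(f"bad url: {url!r}")
    if is_option_shaped(dest_name) or "/" in dest_name or dest_name in ("", ".", ".."):
        raise ArgumentInjection(f"bad destination: {dest_name!r}")
    return ["wget", "--output-document", dest_name, "--", url]


if __name__ == "__main__":
    print(unsafe_git_log_argv("/srv/repo", "--output=/tmp/foo.bar", "README.md"))
    try:
        safe_git_log_argv("/srv/repo", "--output=/tmp/foo.bar", "README.md")
    except ArgumentInjection as exc:
        print("rejected:", exc)
```

Note that the second defence matters on its own: validation lists are easy to get subtly wrong, while `--end-of-options` and `--` change how the tool parses the remainder regardless of what the value contains.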

Breaking Ransomware Encryption

What do you do when company data is hit with Akira ransomware, and the backups were found wanting? If you’re [Yohanes Nugroho], apparently you roll up your sleeves and get to work. This particular strain of Akira has a weakness that made decryption and recovery seemingly easy. The encryption key was seeded by the current system time, and [Yohanes] had both system logs and file modification timestamps to work with. That’s the danger of using timestamps for random seeds. If you know the timestamp, the pseudorandom sequence can be derived.

It turns out, it wasn’t quite that easy. This strain of Akira actually used four separate nanosecond scale time values in determining the per-file encryption key. Values we’ll call t3 and t4 are used to seed the encryption used for the first eight bytes of each file. If there’s any hope of decrypting these files, those two values will have to be found first. Through decompiling the malware binaries, [Yohanes] knew that the malware process would start execution, then run a fixed amount of code to generate the t3 key, and a fixed amount of code before generating the t4 key. In an ideal world, that fixed code would take a fixed amount of time to run, but multi-core machines, running multi-threaded operations on real hardware will introduce variations in that timing.

The real-world result is a range of possible time offsets for both those values. Each timestamp from the log results in about 4.5 quadrillion candidate timestamp pairs. Because the timing is better constrained, once t3 and t4 are discovered, finding t1 and t2 is much quicker. There are some fun optimizations that can be done, like generating a timestamp-to-pseudorandom-value lookup table. It works well ported to CUDA, running on an RTX 4090. In the end, brute-forcing a 10 second slice of timestamps cost about $1,300 when renting GPUs through a service like vast.ai. The source code that made this possible isn’t pretty, but [Yohanes] has made it all available if you want to attempt the same trick.
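The core weakness, a clock-seeded generator standing in for a key, reduced to a toy a practitioner can run, as an added example that is not Akira’s algorithm nor [Yohanes]’s code: the keystream comes from a PRNG seeded with a single nanosecond timestamp, and recovery enumerates the timestamp window using a few known plaintext bytes (a file magic, which is the same idea as matching the first eight bytes of each file). The seed value and header are constructed. Real ransomware uses more time values and a faster generator, which changes the cost, not the principle.

```python
"""Why a clock-seeded PRNG is not a key: toy model of timestamp-seed recovery.
Added example; deliberately NOT Akira's construction (four nanosecond values,
different generator). Python's random is a Mersenne Twister, not a CSPRNG."""
import random


def keystream(seed_ns, length):
    """Deterministic keystream: anyone who knows seed_ns can regenerate it."""
    rng = random.Random(seed_ns)
    return bytes(rng.getrandbits(8) for _ in range(length))


def encrypt(plaintext, seed_ns):
    """XOR stream cipher keyed by the (recoverable) timestamp."""
    return bytes(a ^ b for a, b in zip(plaintext, keystream(seed_ns, len(plaintext))))


def recover_seed(ciphertext, known_prefix, t_lo_ns, t_hi_ns, step_ns=1):
    """Brute-force the timestamp window [t_lo_ns, t_hi_ns].

    A candidate is accepted when its keystream turns the first bytes of the
    ciphertext back into the known header. With 8 known bytes a false match
    per candidate is ~2^-64, so the first hit is the seed. step_ns > 1 models
    the coarser grids used to cut the search before a finer pass."""
    target = ciphertext[:len(known_prefix)]
    for candidate in range(t_lo_ns, t_hi_ns + 1, step_ns):
        if encrypt(known_prefix, candidate) == target:
            return candidate
    return None


# Constructed values: a "system time" seed and a PDF-like file header.
SEED_NS = 1_700_000_000_123_456_789
HEADER = b"%PDF-1.7"


def demo():
    """Encrypt a document with the clock seed, then recover the seed from the
    ciphertext and a guess at when the file was written (+/- 20 microseconds)."""
    plaintext = HEADER + b"\n% rest of the constructed document"
    ciphertext = encrypt(plaintext, SEED_NS)
    found = recover_seed(ciphertext, HEADER, SEED_NS - 20_000, SEED_NS + 20_000)
    recovered = encrypt(ciphertext, found) if found is not None else None
    return found, recovered


if __name__ == "__main__":
    found, recovered = demo()
    print("recovered seed:", found)
    print("plaintext:", recovered)
```

The defensible alternative is a key from the operating system’s CSPRNG (`os.urandom(32)`), which has no window to search; narrowing the window is exactly what log timestamps and file modification times gave [Yohanes].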

Github and Ruby-SAML — The Rest of the Story

Last week we briefly talked about Github’s discovery of the multiple parser problem in Ruby-SAML, leading to authentication bypass. Researchers at Portswigger were also working on this vulnerability, and have their report out with more details. One of those details is that while Github had already moved away from using this library, Gitlab Enterprise had not. This was a real vulnerability on Gitlab installs, and if your install is old enough, maybe it still is.

The key here is that a CDATA section wrapped in an XML comment is seen by only one of the two parsers. Include two separate assertion blocks, one for the signature check and one for the identity lookup, and you get to drive right through the difference between the parsers.

Paragon

There’s a new player in the realm of legal malware. Paragon has reportedly targeted about 90 WhatsApp users with a zero-click exploit, using a malicious PDF attachment to compromise Android devices. WhatsApp has mitigated this particular vulnerability on the server side.

It’s interesting that apparently there’s something about the process of adding the target user to the WhatsApp group that was important to making the attack work. Paragon shares some similarities with NSO Group, but maintains that it’s being more careful about who those services are being offered to.

Bits and Bytes

We have a pair of local privilege escalation attacks. These are useful when an attacker has unprivileged access to a machine, but can use already installed software to get further access. The first is Google’s Web Designer, which starts a debug port and exposes an account token and file read/write to the local system. The other is missing quotation marks in the Plantronics Hub service path, which leads to Windows attempting to execute C:\Program.exe before it descends into Program Files to look for the proper location.

This is your reminder, from Domain Guard, to clean up your DNS records. I’ve now gone through multiple IP address changes of my “static” IP addresses. At the current rate of IPv4 exhaustion, those IPs are essentially guaranteed to be given out to somebody else. Is it a problem to have dangling DNS records? It’s definitely not a good situation, because whoever ends up with the address can serve whatever they like under your subdomain, which enables hacks from cross-site scripting, to cookie stealing, to potentially defeating domain verification schemes with the errant subdomain.
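A first-pass audit of that risk that runs offline against a zone export and an inventory of addresses you still control, as an added example (not Domain Guard’s tooling). A and AAAA records pointing outside the inventory are reported as dangling; CNAMEs to hosts outside the zone are listed for manual review, since whether the target still belongs to you cannot be decided from the zone alone. The zone records and addresses are constructed (RFC 5737 documentation ranges).

```python
"""Find A/AAAA records that no longer point at addresses you own, plus
out-of-zone CNAMEs to review. Added example; the zone below is constructed."""
import ipaddress

# Constructed zone export: (name, type, value).
ZONE = [
    ("www.example.com", "A", "203.0.113.10"),
    ("api.example.com", "AAAA", "2001:db8::10"),
    ("old-demo.example.com", "A", "198.51.100.7"),     # address was returned to the provider
    ("blog.example.com", "CNAME", "example-blog.hosted.test."),
    ("mail.example.com", "CNAME", "www.example.com."),
    ("example.com", "MX", "10 mail.example.com."),
]

# Addresses still assigned to you, as the provider console reports them.
OWNED = {"203.0.113.10", "2001:db8::10"}


def normalize(addr):
    """Canonical form so '2001:DB8:0::10' and '2001:db8::10' compare equal; None if not an IP."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def audit_zone(zone, owned_ips, apex):
    """Return {'dangling': [(name, value)], 'review_cnames': [(name, target)]}."""
    owned = {normalize(ip) for ip in owned_ips} - {None}
    dangling, review = [], []
    for name, rtype, value in zone:
        if rtype in ("A", "AAAA"):
            if normalize(value) not in owned:
                dangling.append((name, value))
        elif rtype == "CNAME":
            target = value.rstrip(".")
            if not (target == apex or target.endswith("." + apex)):
                review.append((name, target))
    return {"dangling": dangling, "review_cnames": review}


if __name__ == "__main__":
    report = audit_zone(ZONE, OWNED, "example.com")
    for name, value in report["dangling"]:
        print(f"DANGLING {name} -> {value}: delete or repoint")
    for name, target in report["review_cnames"]:
        print(f"REVIEW   {name} -> {target}: confirm the target is still yours")
```

Feed it the output of your provider’s zone export and the address list from the same console; records for decommissioned demo hosts are the usual finding.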

macOS has quite a fine history of null-pointer dereference vulnerabilities. That’s when a pointer is still set to NULL, or 0, and the program errantly tries to access that memory location. It used to be that a clever attacker could actually map memory at address 0 and take advantage of the bogus dereference. But macOS put an end to that technique in a couple of different ways, the most effective being disallowing 32-bit processes altogether in recent releases. It seems that arbitrary code execution on macOS as the result of a NULL pointer dereference is a thing of the past. And yes, we’re quite aware that this statement means that somehow, someone will figure out a way to make it happen.

And finally, watchTowr is back with their delightful blend of humor and security research. This time it’s a chain of vulnerabilities leading to an RCE in Kentico, a proprietary web Content Management System. This vulnerability involves one of my least favorite data formats, SOAP XML. It turns out Kentico’s user authentication returns an empty string instead of a password hash when dealing with an invalid username. And that means you can craft a SOAP authentication token with nothing more than a valid nonce and timestamp, because the digest you have to match is computed over an empty secret. Whoops. The issue was fixed in a mere six days, so good on Kentico for that.
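The shape of that bug and its fix, as an added example that is not Kentico’s code: the lookup returns an empty string for an unknown user, the digest check then runs with an empty secret, and an attacker who knows the digest construction can produce a valid token from a fresh nonce and timestamp alone. The digest construction assumed here is the WS-Security UsernameToken style, Base64(SHA1(nonce + created + secret)); the user table, names and the replay cache are this example’s own.

```python
"""Empty-secret digest bypass: unknown user -> "" -> attacker-computable digest.
Added example with a WS-Security UsernameToken-style PasswordDigest; this is
not Kentico's implementation."""
import base64
import hashlib
import hmac
import secrets

# Constructed user store: username -> stored secret used in the digest.
USERS = {"alice": "constructed-stored-hash-for-alice"}


def lookup_secret_vulnerable(username):
    """The bug: an invalid username yields "" rather than 'no such user'."""
    return USERS.get(username, "")


def lookup_secret_fixed(username):
    """Unknown users return None, which the checker treats as a hard failure."""
    return USERS.get(username)


def password_digest(nonce, created, secret):
    """PasswordDigest = Base64(SHA1(nonce + created + secret))."""
    raw = nonce + created.encode() + secret.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def check_token(username, nonce, created, digest, lookup, seen_nonces):
    """Verify a UsernameToken. Returns True only for a fresh nonce and a
    matching digest over a real stored secret. Timestamp freshness is
    omitted here; a real service must also reject stale `created` values."""
    if nonce in seen_nonces:          # replay of a previously accepted token
        return False
    stored = lookup(username)
    if stored is None:                # fixed lookup: unknown user cannot match anything
        return False
    expected = password_digest(nonce, created, stored)
    if not hmac.compare_digest(expected, digest):
        return False
    seen_nonces.add(nonce)
    return True


def forge_token(username, created):
    """What the attacker sends: a random nonce and a digest over an EMPTY secret.
    No password, hash or leak required; only the digest construction."""
    nonce = secrets.token_bytes(16)
    return nonce, password_digest(nonce, created, "")


def demo():
    """Forge for a nonexistent user against both lookups."""
    created = "2025-03-21T14:00:00Z"
    nonce, digest = forge_token("mallory", created)
    accepted_vuln = check_token("mallory", nonce, created, digest, lookup_secret_vulnerable, set())
    accepted_fixed = check_token("mallory", nonce, created, digest, lookup_secret_fixed, set())
    return accepted_vuln, accepted_fixed


if __name__ == "__main__":
    print("vulnerable accepts forged token:", demo()[0])
    print("fixed accepts forged token:", demo()[1])
```

The general rule: a lookup failure must be a distinct, non-comparable outcome (None, an exception, an early return), never a value that is valid input to the next cryptographic step.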

Linux Fu: A Warp Speed Prompt

20 March 2025 at 14:00

If you spend a lot of time at the command line, you probably have either a very basic prompt or a complex, information-dense prompt. If you are in the former camp, or you just want to improve your shell prompt, have a look at Starship. It works on the most common shells on most operating systems, so you can use it everywhere you go, within reason. It has the advantage of being fast and you can also customize it all that you want.

What Does It Look Like?

It is hard to explain exactly what the Starship prompt looks like. First, you can customize it almost infinitely, so there’s that. Second, it adapts depending on where you are. So, for example, in a git-controlled directory, you get info about the git status unless you’ve turned that off. If you are in an ssh session, you’ll see different info than if you are logged in locally.

However, here’s a little animation from their site that will give you an idea of what you might expect:

Installation

The web site says you need a Nerd Font in your terminal. I didn’t remember doing that on purpose, but apparently I had one already.

Next, you just have to install using one of the methods they provide, which depends on your operating system. For Linux, you can run the installer:


curl -sS https://starship.rs/install.sh | sh

Sure, you should download it first and look to make sure it won’t reformat your hard drive or something, but it was fine when we did it.

Finally, you have to run an init command. How you do that depends on your shell and they have plenty of examples. There’s even a way to use it with cmd.exe on Windows!

Customization

The default isn’t bad but, of course, you are going to want to change things. Oddly, the system doesn’t create a default configuration file. It just behaves a certain way if it doesn’t find one. You must make your own ~/.config/starship.toml file. You can change where the file lives using an environment variable, if you prefer, but you still have to create it.

The TOML file format has sections like an INI file. Just be aware that any global options have to come before any section (that is, there’s no [global] tag). If you put things towards the bottom of the file, they won’t seem to work and it is because they have become part of the last tag.

There are a number of modules and each module reads data from a different section. For example, on my desktop I have no need for battery status so:

[battery]
disabled = true

Strings

In the TOML file you can use single or double quotes. You can also triple a quote to make a string break lines (but the line breaks are not part of the string). The single quotes are treated as a literal, while double quotes require escape characters for special things.

You can use variables in strings like $version or $git_branch. You can also place part of a string in brackets and then put formatting for that part in parentheses immediately following. For example:

'[off](fg:red bold)'

Finally, you can have a variable print only if it exists:

'(#$id)'

If $id is empty, this does nothing. Otherwise, it will print the # and the value.

Globals and Modules

You can find all the configuration options — and there are many — in the Starship documentation. Of primary interest is the global format variable. This sets each module that is available. However, you can also use $all to get all the otherwise unspecified modules. By default, the format variable starts with $username $hostname. Suppose you wanted it to be different. You could write:

format='$hostname ! $username $all'

You’ll find many modules that show the programming language used for this directory, version numbers, and cloud information. You can shut things off, change formatting, or rearrange. Some user-submitted customizations are available, too. Can’t find a module to do what you want? No problem.

Super Custom

I wanted to show the status of my watercooler, so I created a custom section in the TOML file:


[custom.temp]
command = 'temp-status|grep temp|cut -d " " -f 7'  # temp-status is a local tool; the pipeline runs in the shell on every prompt
when = true
format='$output°'

The command output winds up in, obviously, $output. In this case, I always want the module to output, and the format entry prints the output with a degree symbol after it. Easy! Keep in mind that a custom command runs through the shell every time the prompt is drawn, so keep it fast and keep it free of anything that reads untrusted input from the current directory.

Of Course, There are Always Others

There are other prompt helpers out there, especially if you use zsh (e.g., Oh My Zsh). However, if you aren’t on zsh, your options are more limited. Oh My Posh is another cross-shell entry into the field. Of course, you don’t absolutely need any of these. They work because shells give you variables like PS1 and PROMPT_COMMAND, so you can always roll your own to be as simple or complex as you like. People have been doing their own for a very long time.

If you want to do your own for bash, you can get some help online. Or, you could add help to bash, too.

Hackaday Links: March 16, 2025

16 March 2025 at 23:00

“The brickings will continue until the printer sales improve!” This whole printer-bricking thing seems to be getting out of hand with the news this week that a firmware update caused certain HP printers to go into permanent paper-saver mode. The update was sent to LaserJet MFP M232-M237 models (opens printer menu; checks print queue name; “Phew!”) on March 4, and was listed as covering a few “general improvements and bug fixes,” none of which seem very critical. Still, some users reported not being able to print at all after the update, with an error message suggesting printing was being blocked thanks to non-OEM toner. This sounds somewhat similar to the bricked Brother printers we reported on last week (third paragraph).

The trouble is, some users are reporting the problem even if they had genuine HP toner installed. Disturbingly, HP support seems to be fine with this, saying that older HP toner “may no longer be recognized due to new security measures.” Well, there’s your problem, lady! The fix, of course, is to buy yet more genuine HP toner, even if your current cartridge still has plenty of life left in it. That’s a pretty deplorable attitude on HP’s part, and more than enough reason to disable automatic firmware updates, or better yet, just disconnect your printer from the Internet altogether.

Here’s a pro-tip for all you frustrated coders out there: no matter how hard the job gets, planting a logic bomb in your code is probably not the right way to go. That’s the lesson that one Davis Lu learned after being convicted of “causing intentional damage to protected computers” thanks to malicious code he planted in his employer’s system. Apparently not optimistic about his future prospects with Eaton Corp. back in 2018, Lu started adding code designed to run a series of infinite loops to delete user profiles. He also went for the nuclear option, adding code to shut the whole system down should it fail to find an Active Directory entry for him. That code was apparently triggered on the day he was fired in 2019, causing global problems for his former employer. Look, we’ve all been there; coding is often lonely work, and it’s easy to fantasize about coding up something like this and watching them squirm once they fire you. But if it gets that bad, you should probably put that effort into finding a new gig.

Then again, maybe the reason you’re dissatisfied with your coding job is that you know some smart-ass LLM is out there waiting to tell you that you don’t know how to code. That’s what happened to one newbie Cursor user who tried to get help writing some video game code from the AI code editor. The LLM spat back about 750 lines of code but refused to reveal the rest, and when he asked to explain why, it suggested that he should develop the logic himself so that he’d be able to understand and maintain the code, and that “Generating code for others can lead to dependency and reduced learning opportunities.” True enough, but do we really need our AI tools to cop an attitude?

And finally, if you’re anything like us, you’re really going to love this walking tour of a container ship’s mechanical spaces. The ship isn’t named, but a little sleuthing suggests it’s one of the Gülsün-class ships built for MSC in 2019, possibly the MSC Mina, but that’s just a guess. This 400-meter monster can carry 23,656 twenty-foot equivalent units, and everything about it is big. Mercifully, the tour isn’t narrated, not that it would have been possible, thanks to the screaming equipment in the engine room. There are captions, though, so you’ll at least have some idea of what you’re looking at in the immaculately clean and cavernously huge spaces. Seriously, the main engine room has to have at least a dozen floors; being on the engineering crew must mean getting your steps in every day. The most striking thing about the tour was that not a single other human being was visible during the entire hour. We suppose that’s just a testament to how automated modern vessels have become, but it still had a wonderfully creepy liminal feeling to it. Enjoy!

This Week in Security: The X DDoS, The ESP32 Basementdoor, and the camelCase RCE

14 March 2025 at 14:00

We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP SYN requests with spoofed source IPs, which is why the source address on a flood packet says little about where it came from.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

That ESP32 Backdoor

As Maya says, It Really Wasn’t a backdoor. The Bleeping Computer article and Tarlogic press release have both been updated to reflect the reality that this wasn’t really a backdoor. Given that the original research and presentation were in Spanish, we’re inclined to conclude that the “backdoor” claim was partially a translation issue.

The terminology storm set aside, what researchers found really was quite interesting. The source of information was official ESP32 binaries that implement the Bluetooth HCI, the Host Controller Interface. It’s a structured format for talking to a Bluetooth chip. The official HCI has set aside command space for vendor-specific commands. The “backdoor” that was discovered was this set of undocumented vendor-specific commands.

These commands were exposed over the HCI interface, and included low-level control over the ESP32 device. However, for the vast majority of ESP32 use cases, this interface is only available to code already running on the device, and thus isn’t a security boundary violation. To Espressif’s credit, their technical response does highlight the case of using an ESP32 in a hosted mode, where an external processor is issuing HCI commands over something like a serial link. In that very narrow case, the undocumented HCI commands could be considered a backdoor, though it still requires compromise of the controlling device first.

All told, it’s not particularly dangerous as a backdoor. It’s a set of undocumented instructions that expose low-level functions, but only from inside the house. I propose a new term for this: a Basementdoor.

The Fake Recruitment Scam

The fake recruitment scam isn’t new to this column, but this is the first time we’ve covered a first-hand account of it. This is the story of [Ron Jansen], a freelance developer with impressive credentials. He got a recruiter’s message, looking to interview him for a web3 related position. Interviews often come with programming tasks, so it wasn’t surprising when this one included instructions to install something from Github using npm and do some simple tasks.

But then, the recruiter and CTO both went silent, and [Ron] suddenly had a bad feeling about that npm install command. Looking through the code, it looked boring, except for the dependency NPM package, process-log. With only 100-ish weekly downloads, this was an obvious place to look for something malicious. It didn’t disappoint, as this library pulled an obfuscated code blob and executed it during install. The deobfuscated code establishes a websocket connection, and uploads cookies, keychains, and any other interesting config or database files it can find.

Once [Ron] knew he had been had, he started the infuriating-yet-necessary process of revoking API keys, rotating passwords, auditing everything, and wiping the affected machine’s drive. The rest of the post is his recommendations for how to avoid falling for this scam yourself. The immediate answer is to run untrusted code in a VM or sandbox. There are tools like Deno that can also help, doing sandboxing by default. Inertia is the challenge, with a major change like that. A lower-friction habit is to install with npm install --ignore-scripts when evaluating an unfamiliar repository, since the payload here ran from an install hook before any of the “interview” code was even executed.

Camel CamelCase RCE

Apache Camel is a Java library for doing Enterprise Integration Patterns. AKA, it’s network glue code for a specific use case. It sends data between endpoints, and uses headers to set certain options. One of the important security boundaries there is that internal headers shouldn’t be set by outside sources. To accomplish that, those headers are string compared with Camel and org.apache.camel as the starting characters. The problem is that the string comparison is case-sensitive, while the header names themselves are not. It’s literally a camelCase vulnerability. The result is that all the internal headers are accessible from any client, via this case trickery.

The vulnerability has been fixed in the latest release of Camel. The seriousness of this vulnerability depends on the component being connected to. Akamai researchers provided a sample application where the headers were used to construct a command; access to those internal values makes that case an RCE. This dependence on the downstream component is why the severity of this vulnerability is disputed.
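The mismatch reduced to its essentials, as an added example in Python rather than Camel’s Java (this is not Camel’s code, and the header name used below is this example’s own illustration, not a real Camel header): the filter compares prefixes case-sensitively while the transport delivers header names case-insensitively, so `CAmel...` walks past a `Camel` check and is then honoured by the component that looks headers up case-insensitively.

```python
"""Case-sensitive prefix filter vs. case-insensitive header names.
Added example modelled on the Apache Camel header-filter bug; not Camel code."""

INTERNAL_PREFIXES = ("Camel", "org.apache.camel")


def is_internal_vulnerable(name):
    """Exact-case prefix test: 'CAmelFoo' is not seen as internal."""
    return name.startswith(INTERNAL_PREFIXES)


def is_internal_fixed(name):
    """Compare on the lower-cased name, matching how headers are looked up."""
    lowered = name.lower()
    return any(lowered.startswith(prefix.lower()) for prefix in INTERNAL_PREFIXES)


def filter_client_headers(headers, is_internal):
    """Drop every header the client is not allowed to set before the
    exchange reaches a component. `headers` is name -> value as received."""
    return {name: value for name, value in headers.items() if not is_internal(name)}


def get_header(headers, wanted):
    """Component-side lookup: case-insensitive, like the transport layer."""
    wanted = wanted.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


# Constructed request: one honest header, one internal header smuggled by case.
# "CamelExampleCommand" is a placeholder name for this example, not a real Camel header.
CLIENT_HEADERS = {
    "Content-Type": "text/plain",
    "CAmelExampleCommand": "id",
    "ORG.APACHE.CAMEL.example": "1",
}


def demo():
    """Return what the component would read after each filter."""
    after_vuln = filter_client_headers(CLIENT_HEADERS, is_internal_vulnerable)
    after_fixed = filter_client_headers(CLIENT_HEADERS, is_internal_fixed)
    return get_header(after_vuln, "CamelExampleCommand"), get_header(after_fixed, "CamelExampleCommand")


if __name__ == "__main__":
    print("vulnerable filter lets through:", demo()[0])
    print("fixed filter lets through:", demo()[1])
```

Whenever a deny-list is applied to names that some other layer normalizes, the check has to run on the normalized form; otherwise every normalization rule (case, Unicode folding, trailing dots, duplicate keys) is a bypass waiting to be found.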

Bits and Bytes

Researchers at Facebook have identified a flaw in the FreeType font rendering library. It’s an integer underflow leading to a buffer overflow. An attacker can specify a very large integer value, and the library will add to that variable during processing. This causes the value to wrap around to a very small value, resulting in a buffer much too small to hold the given data. This vulnerability seems to be under active exploitation.

We don’t normally see problems with a log file leading to exploitation, but that seems to be the situation with the Below daemon. The service runs as root, and sets the logfile to be world readable. Make that logfile a symlink to some important file, and when the service starts, it overwrites the target file’s permissions.

Microsoft’s Patch Tuesday includes a whopping six 0-day exploits getting fixed this month. Several of these are filesystem problems, and at least one is an NTFS vulnerability that can be triggered simply by plugging in a USB drive.

The ruby-saml library had a weird quirk: it used two different XML parsers while doing signature validations. That never seems to go well, and this is not any different. It was possible to pack two different signatures into a single XML document, and the two different parsers would each see the file quite differently. The result was that any valid signature could be hijacked to attest as any other user. Not good. An initial fix has already landed, with a future release dropping one of the XML parsers and doing a general security hardening pass.

Hackaday Europe 2025: Speaker Schedule and Official Event Page

By: Tom Nardi
13 March 2025 at 14:00

Hackaday Europe 2025 is just days away, and we’ve got the finalized speaker schedule hot off the digital press. We’re also pleased to announce that the event page is now officially live, where you can find all the vital information about the weekend’s festivities in one place.

Whether you’ll be joining the fun in Berlin, or watching the live stream from home, we’ve got a fantastic lineup of speakers this year who are eager to tell us all about the projects that have been keeping them up at night recently:

Saturday Schedule

9:00 – 10:00: Registration and Breakfast
10:00 – 10:20: Opening Remarks
10:30 – 11:20 (Keynote): What if the Future [of Electronics] was Compostable? by David Cuartielles
11:30 – 11:50: Manufacturing the Hackaday Supercon Badge by Giovanni Salinas
12:00 – 12:20: Seeing Through Silicon with IRIS (InfraRed, in-situ) Imaging by Bunnie Huang
12:30 – 13:30: Lunch
13:30 – 13:50: Developing a NFC Based Decentralized Payment System by Daniel Büchele & Andre Zibell
14:00 – 14:40: Hacking a Pinball Machine by Daniel Dakhno
14:50 – 15:30: Hardware Startup / Product Pitfalls by Sera Evcimen
15:40 – 16:00: Creating Light Sculptures for Fun and…Mostly for Fun by Erik Bosman
16:10 – 16:50: The Core64 – NeonPixels – 65uino Collaboration by Geppert, Freyermuth, & Nielsen
17:00 – 17:20: Make PCBs Bend Over Backwards for You: How to Design Flexible PCBs by Rehana Al-Soltane
17:30 – 18:10: More Than Motors: Decoding the Software Behind Pen Plotters and CNC Devices by Francis Stokes
18:20 – 18:40: Half-size Hacking – 0.05in Matrix Boards Under the Microscope by Alun Morris
18:40 – 20:00: Dinner
20:00 – 20:40: HEU1993 to WHY2025: Dutch Hacker Camps from the Past and the Future by Christel Sanders
20:50 – 21:30: Vectors, Pixels, Plotters and Public Participation by Niklas Roy
21:30 – 22:00: Live Performance by Rich Hogben & Aleksandar Bradic
22:00 – 24:00: Badge Hacking Ceremony

Time Has Run Out!

Tickets sold out a few days ago, so if you’ve got one we’ll see you soon, and if not, we will be streaming all of the Saturday talks live, so hit up Hackaday on the weekend and you can play along, at least virtually. And for back-channel chat, join us on the Hackaday Discord #europe-2025 channel.

FLOSS Weekly Episode 824: Gratuitous Navel Gazing

12 March 2025 at 20:00

This week, Jonathan Bennett chats with Doc Searls about SCaLE and Personal AI! What’s the vision of an AI that consumers run themselves, what form factor might that take, and how do we get there?

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

Hackaday Links: March 9, 2025

9 March 2025 at 23:00

It’s been a busy week in space news, and very little of it was good. We’ll start with the one winner of the week, Firefly’s Blue Ghost Mission 1, which landed successfully on the Moon’s surface on March 2. The lander is part of NASA’s Commercial Lunar Payload Services program and carries ten scientific payloads, including a GPS/GNSS receiver that successfully tracked signals from Earth-orbiting satellites. All of the scientific payloads have completed their missions, which is good because the lander isn’t designed to withstand the long, cold lunar night only a few days away. The landing makes Firefly the first commercial outfit to successfully soft-land something on the Moon, and being the first at anything is always a big deal.

Slightly less impressive was Intuitive Machines’ attempt at a landing a day later. Their NOVA-C robotic lander Athena managed a somewhat controlled landing, but the spacecraft is lying on its side rather than upright, a surprisingly common failure mode for recent lunar landings. Also in the failure category is the loss of the world’s first private asteroid mining mission, as well as SpaceX Starship test flight 8, which ended in spectacular fashion this week as Starship exploded soon after booster separation. As usual, Scott Manley has the best analysis of the incident, which seemed to involve a fire in the engine bay that led to a rapid loss of thrust from four of its six engines, and sent the spacecraft tumbling before tearing itself apart. The only good news from the flight was the third successful catch of the returning booster by the chopsticks, which just never gets old.

What does get old is stories about printer manufacturers and their anti-consumer hijinks, especially when it involves one of the only manufacturers who wasn’t playing the “buy our consumables or we brick it” game. In addition to just about every other printer maker, Brother now stands accused of sending firmware up to printers that turns off functionality if non-OEM cartridges are used. The accusations come from Louis Rossmann, well-known for his right-to-repair advocacy and, ironically, long-time proponent of Brother printers as least likely to be bricked. His accusation that “Brother is now among the rest of them” is based on a pretty small sample of affected users, and a self-selected one at that, so take that with the requisite amount of salt. For their part, Brother denies the claim, stating simply that “Brother firmware updates do not block the use of third-party ink in our machines.” They don’t go much beyond that by way of an explanation of what’s happening to the users reporting problems, other than to say that the users may be confused by the fact that “we like to troubleshoot with Brother Genuine supplies.” What the real story is, is anyone’s guess at this point, and the best advice we can offer is either to avoid printers altogether, or just buy the cheapest one you can get and harvest it for parts once the starter cartridges are empty.

If like us you’ve accumulated a large collection of physical media films and TV shows to while away the long dark days of a post-apocalyptic nightmare where Netflix and Hulu are but a distant memory, you might want to rethink your strategy. Some DVD aficionados have found a troubling trend with “DVD rot,” especially with discs manufactured by Warner Brothers Discovery between 2006 and 2008. It’s not clear what’s going on, but it looks like the polycarbonate cover is delaminating from the inner Mylar layer, resulting in cloudy areas that obscure the data. Warner is aware of the problem and will replace defective discs with the same title if possible, or exchange it for a title of like value if the original is no longer available. We’re dismayed that this defect probably includes our beloved Looney Tunes collection, but on the upside, now we have an excuse to sit through forty straight hours of cartoons.

And finally, if you were a NASA rocket engineer in the 1960s, skipping leg day wasn’t an option. That’s because the Saturn V full-stack shake test on the Apollo program was a very hands-on, feet-on process. The shake test was performed to make sure nothing was loose on the stack, and that it would be able to withstand not only the shaking induced by those five massive F-1 engines, but also the occasional hurricane that Florida is famous for. To get the rocket shaking, engineers sat on the deck of the gantry with their legs bridging the gap and their feet up against the side of the service module and gave it all they had. Other engineers literally backed them up, to provide something to push against, while another team on the uppermost platform used a rope to play tug-of-war with the command module. They were able to get the stack moving pretty well, with a meter or so of deflection at the escape tower. It does raise the question, though: what would they have done if the test failed?

FLOSS Weekly Episode 823: TuxCare, 10 Years Without Rebooting!

5 March 2025 at 19:30

This week, Jonathan Bennett and Aaron Newcomb talk with Joao Correia about TuxCare! What’s live patching, and why is it so hard? And how is this related to .NET 6? Watch to find out!

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

Hackaday Links: March 2, 2025

3 March 2025 at 00:00

It’s been quite a week for asteroid 2024 YR4, which looked like it was going to live up to its “city killer” moniker only to be demoted to a fraction of a percent risk of hitting us when it swings by our neighborhood in 2032. After being discovered at the end of 2024, the 55-meter space rock first popped up on the (figurative) radar a few weeks back as a potential risk to our home planet, with estimates of a direct strike steadily increasing as more data was gathered by professional and amateur astronomers alike. The James Webb Space Telescope even got in on the action, with four precious hours of “director’s discretionary” observation time dedicated to characterizing the size and shape of the asteroid before it gets too far from Earth. The result of all this stargazing is that 2024 YR4 is now at a Level 1 on the Torino Scale of NEO collision risk, with a likely downgrade to 0 by the time the asteroid next swings through again in 2028. So, if like us you were into the whole “Fiery Space Rock 2032” thing, you’ll just have to find something else to look forward to.

On the other hand, if you’re going to go out in a fiery cataclysm, going out as a trillionaire wouldn’t be a bad way to go. One lucky Citibank customer could have done that if only an asteroid had hit during the several hours it took to correct an $81 trillion credit to their account back in April, a mistake that only seems to be coming to light now. You’d think a mistake 80% the size of the global economy would have caused an overflow error somewhere along the way, or that somebody would see all those digits and think something was hinky, but apparently not since it was only the third person assigned to review the transaction that caught it. The transaction, which falls into the “near-miss” category, was reversed before any countries were purchased or fleets of space yachts were commissioned, which seems a pity but also points out the alarming fact that this happens often enough that banks have a “near-miss” category — kind of like a Broken Arrow.

We all know that near-Earth space is getting crowded, with everyone and his brother launching satellite megaconstellations to monetize our collective dopamine addiction. But it looks like things are even starting to get crowded around the Moon, at least judging by this lunar photobomb. The images were captured by the Lunar Reconnaissance Orbiter, which has been orbiting the Moon and studying the landscape for the last 16 years but stretched its capabilities a bit to capture images of the South Korean Danuri. The two probes were in parallel orbits but opposite directions and about 8 kilometers apart at the time, meaning the relative velocity between the two was an unreasonably fast 11,500 km/h. The result is a blurred streak against the lunar surface, which isn’t all that much to look at but is still quite an accomplishment. It’s not the first time these two probes have played peek-a-boo with each other; back in 2023, Danuri took a similar picture when LRO was 18 kilometers below it.

We don’t do much air travel, but here’s a tip: if you want to endear yourself to fellow travelers, it might be best to avoid setting up a phone hotspot named “I Have a Bomb.” That happened last week on American Airlines flight 2863 from Austin, Texas to Charlotte, North Carolina, with predictable results. The prank was noticed while the flight was boarding, causing law enforcement officers to board the plane and ask the prankster to own up to it. Nobody volunteered, so everyone had to deplane and go back through screening, resulting in a four-hour delay and everyone missing their connections. We’re all for fun SSIDs, mind you, but there’s a time and a place for everything.

And finally, we wanted to share this fantastic piece from Brian Potter over at Construction Physics on “Why it’s so hard to build a jet engine.” The answer might seem obvious — because it’s a jet engine, duh — but the article is a fascinating look at the entire history of jet propulsion, from their near-simultaneous invention by the principal belligerents at the end of World War II right through to their modern incarnations. The article is an exploration into the engineering of complex systems, and shows how non-obvious the problems were that needed to be solved to make jet engines practical. It’s also a lesson in the difficulties of turning a military solution into a practical commercial product. Enjoy!

FLOSS Weekly Episode 822: Nand2Tetris

26 February 2025 at 19:30

This week, Jonathan Bennett and Rob Campbell talk with Shimon Schocken about Nand2Tetris, the free course about building a computer from first principles. What was the inspiration for the course? Is there a sequel or prequel in the works? Watch to find out!

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

Hackaday Links: February 23, 2025

24 February 2025 at 00:00

Ho-hum — another week, another high-profile bricking. In a move anyone could see coming, Humane has announced that their pricey AI Pin widgets will cease to work in any meaningful way as of noon on February 28. The company made a splash when it launched its wearable assistant in April of 2024, and from an engineering point of view, it was pretty cool. Meant to be worn on one’s shirt, it had a little bit of a Star Trek: The Next Generation comm badge vibe as the primary UI was accessed through tapping the front of the thing. It also had a display that projected information onto your hand, plus the usual array of sensors and cameras which no doubt provided a rich stream of user data. Somehow, though, Humane wasn’t able to make the numbers work out, and as a result they’ll be shutting down their servers at the end of the month, with refunds offered only to users who bought their AI Pins in the last 90 days.

How exactly Humane thought that offering what amounts to a civilian badge cam was going to be a viable business model is a bit of a mystery. Were people really going to be OK walking into a meeting where Pin-wearing coworkers could be recording everything they say? Wouldn’t wearing a device like that in a gym locker room cause a stir? Sure, the AI Pin was a little less obtrusive than something like the Google Glass — not to mention a lot less goofy — but all wearables seem to suffer the same basic problem: they’re too obvious. About the only one that comes close to passing that hurdle is the Meta Ray-Ban smart glasses, and those still have the problem of obvious cameras built into their chunky frames. Plus, who can wear Ray-Bans all the time without looking like a tool?

Good news for everyone worried about a world being run by LLMs and chatbots. It looks like all we’re going to have to do is wait them out, if a study finding that older LLMs are already showing signs of cognitive decline pans out. To come to that conclusion, researchers gave the Montreal Cognitive Assessment test to a bunch of different chatbots. The test uses simple questions to screen for early signs of impairment; some of the questions seem like something from a field sobriety test, and for good reason. Alas for the tested chatbots, the general trend was that the older the model, the poorer they did on the test. The obvious objection here is that the researchers aren’t comparing each model’s current score with results from when the model was “younger,” but that’s pretty much what happens when the test is used for humans.

You’ve got to feel sorry for astronomers. Between light pollution cluttering up the sky and an explosion in radio frequency interference, astronomers face observational challenges across the spectrum. These challenges are why astronomers prize areas like dark sky reserves, where light pollution is kept to a minimum, and radio quiet zones, which do the same for the RF part of the spectrum. Still, it’s a busy world, and noise always seems to find a way to leak into these zones. A case in point is the recent discovery that TV signals that had been plaguing the Murchison Widefield Array in Western Australia for five years were actually bouncing off airplanes. The MWA is in a designated radio quiet zone, so astronomers were perplexed until someone had the bright idea to use the array’s beam-forming capabilities to trace the signal back to its source. The astronomers plan to use the method to identify and exclude other RFI getting into their quiet zone, both from terrestrial sources and from the many satellites whizzing overhead.

And finally, most of us are more comfortable posting our successes online than our failures, and for obvious reasons. Everyone loves a winner, after all, and admitting our failures publicly can be difficult. But Daniel Dakhno finds value in his failures, to the point where he’s devoted a special section of his project portfolio to them. They’re right there at the bottom of the page for anyone to see, meticulously organized by project type and failure mode. Each failure assessment includes an estimate of the time it took; importantly, Daniel characterizes this as “time invested” rather than “time wasted.” When you fall down, you should pick something up, right?

FLOSS Weekly Episode 821: Rocky Linux

19 February 2025 at 19:30

This week, Jonathan Bennett talks Rocky Linux with Gregory Kurtzer and Krista Burdine! Where did the project come from, and what’s the connection with CIQ and RESF? Listen to find out!

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License
