The nights are drawing in for Europeans, and Elliot Williams is joined this week by Jenny List for an evening podcast looking at the past week in all things Hackaday. After reminding listeners of the upcoming Hackaday Supercon and Jawncon events, we take a moment to mark the sad passing of the prolific YouTuber, Robert Murray-Smith.

Before diving into the real hacks, there are a couple of more general news stories with an effect on our community. First, the takeover of Arduino by Qualcomm, and what its effect is likely to be. We try to speculate as to where the Arduino platform might go from here, and even whether it remains the player it once was, in 2025. Then there’s the decision by Google to restrict Android sideloading to only approved-developer APKs unless over ADB. It’s an assault on a user’s rights over their own hardware, as well as something of a blow to the open-source Android ecosystem. What will be our community’s response?

On more familiar territory we have custom LCDs, algorithmic art, and a discussion of non-stepper motors in 3D printing. Even the MakerBot Cupcake makes an appearance. Then there’s a tiny RV, new creative use of an ESP32 peripheral, and the DVD logo screensaver, in hardware. We end the show with a look at why logic circuits use the voltages they do. It’s a smorgasbord of hacks for your listening enjoyment.

html5-player.libsyn.com/embed/…

Download yourself an MP3 even without a Hackaday Listeners’ License.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 341 Show Notes:

News:

• 2025 Hackaday Supercon: More Wonderful Speakers
• JawnCon Returns This Weekend
• Honoring The Legacy Of Robert Murray-Smith

What’s that Sound?

• Fill in the form with your best guess to be entered to win next week.

Interesting Hacks of the Week:

• Qualcomm Introduces The Arduino Uno Q Linux-Capable SBC
• Google Confirms Non-ADB APK Installs Will Require Developer Registration
• Mesmerizing Patterns From Simple Rules
• How To Design Custom LCDs For Your Own Projects
  
  • [Joey Castillo] on everything about LCDs

  
  

• Why Stepper Motors Still Dominate 3D Printing
• How Your SID May Not Be As Tuneful As You’d Like

Quick Hacks:

• Elliot’s Picks:
  
  • A Childhood Dream, Created And Open Sourced
  • Tips For C Programming From Nic Barker
  • Finding Simpler Schlieren Imaging Systems

  
  

• Jenny’s Picks:
  
  • Building The DVD Logo Screensaver With LEGO
  • ESP32 Decodes S/PDIF Like A Boss (Or Any Regular Piece Of Hi-Fi Equipment)
  • Kei Truck Becomes Tiny RV

  
  

Can’t-Miss Articles:

• Ask Hackaday: Why Is TTL 5 Volts?
  
  • The 7400 Quad 2-Input NAND Gate, A Neglected Survivor From A Pre-Microprocessor World

  
  

• Know Audio: Distortion Part Two

hackaday.com/2025/10/10/hackad…

Everyone knows that Weird Al lampooned computers in a famous parody song (It’s All About the Pentiums). But if you want more hardcore (including more hardcore language, so if you are offended by rap music-style explicit lyrics, maybe don’t look this up), you probably want “Kill Dash 9” by Monzy. There’s a line in that song about “You thought the seven-layer model referred to a burrito.” In fact, it refers to how networking applications operate, and it is so ingrained that you don’t even hear about it much these days. But as [Codemia] points out, QUIC aims to disrupt the model, and for good reason.

Historically, your application (at layer 7) interacts with the network through other layers like the presentation layer and session layer. At layer 4, though, there is the transport layer where two names come into play: TCP and UDP. Generally, UDP is useful where you want to send data and you don’t expect the system to do much. Data might show up at its destination. Or not. Or it might show up multiple times. It might show up in the wrong order. TCP solves all that, but you have little control over how it does that.

When things are congested, there are different strategies TCP can use, but changing them can be difficult. That’s where QUIC comes in. It is like a user-space TCP layer built over a UDP transport. There are a lot of advantages to that, and if you want to know more, or even just want a good overview of network congestion control mitigations, check the post out.

If you want to know more about congestion control, catch a wave.

hackaday.com/2025/10/10/quic-j…

Discord had a data breach back on September 20th, via an outsourced support contractor. It seems it was a Zendesk instance that was accessed for 58 hours through a compromised contractor user account. There have been numbers thrown around from groups claiming to be behind the breach, like 1.6 Terabytes of data downloaded, 5.5 million user affected, and 2.1 million photos of IDs.

Discord has pushed back on those numbers, stating that it’s about 70,000 IDs that were leaked, with no comments on the other claims. To their credit, Discord has steadfastly refused to pay any ransom. There’s an interesting question here: why were Discord users’ government issued IDs on record with their accounts?

The answer is fairly simple: legal compliance. Governments around the world are beginning to require age verification from users. This often takes the form of a scan of valid ID, or even taking a picture of the user while holding the ID. There are many arguments about whether this is a good or bad development for the web, but it looks like ID age verification is going to be around for a while, and it’ll make data breaches more serious.

In similar news, Salesforce has announced that they won’t be paying any ransoms to the group behind the compromise of 39 different Salesforce customers. This campaign was performed by calling companies that use the Salesforce platform, and convincing the target to install a malicious app inside their Saleforce instance.

Unity

[RyotaK] from Flatt Security found an issue in the Unity game engine, where an intent could influence the command line arguments used to launch the Unity runtime. So what’s an intent?

On Android, an Intent is an object sent between applications indicating an intention. It’s an intra-process messaging scheme. So the problem here is that when sending an intent to a Unity application on Android, a command line option can be included as an extra option. One of those command line options allows loading a local library by name. Since a malicious library load results in arbitrary code execution, this seems like a pretty big problem.

At first it seems that this doesn’t gain an attacker much. Doesn’t a malicious app already need to be running on the device to send a malicious intent? The reality is that it’s often possible to manipulate an innocent app into sending intents, and the browser is no exception. The bigger problem is that a malicious library must first be loaded into a location from which the Unity app can execute. It’s a reasonably narrow window for practical exploitation, but was still scores an 8.4 severity. Unity has released fixes for versions all the way back to 2019.1.

Code Smell: Perl?

We have two stories from WatchTwr, packed full of the sardonic wit we have to expect from these write-ups. The first is about Dell’s UnityVSA, a Virtual Storage Appliance that recently received a whole slew of security fixes for CVEs. So WatchTowr researchers took a look at the patch set from those fixes, looking for code smell, and found… Perl?

Turns out it wasn’t the presence of Perl that was considered bad code smell, though I’m sure some would argue that point. It was the $exec_cmd variable that wasn’t escaped, and Perl backticks were used to execute that string on the system. Was there a way to inject arbitrary bash commands into that string? Naturally, there is. And it’s a reasonably simple HTTP query to run a command. A security advisory and updated release was published by Dell at the end of July, fixing this issue.

Poetic Flow of Vulnerabilities

There’s an active exploitation campaign being waged against Oracle E-Business Suite instances, using a zero-day vulnerability. This exploit works over the network, without authentication, and allows Remote Code Execution (RCE). It appears that a threat group known as Graceful Spider, another great name, is behind the exploitation.

The folks at WatchTowr got their hands on a Proof of Concept, and have reverse engineered it for our edification. It turns out it’s a chain of little weaknesses that add up to something significant.

It starts with a Server-Side Request Forgery (SSRF), a weakness where a remote service can be manipulated into sending an additional HTTP request on to another URL. This is made more significant by the injection of a Carriage Return/Line Feed (CRLF) attack, that allows injecting additional HTTP headers.

Another quirk of the PoC is that it uses HTTP keep-alive to send all of the malicious traffic down a single HTTP session. And the actual authentication bypass is painfully classic. A /help path doesn’t require authentication, and there is no path traversal protection. So the SSRF connection is launched using this /help/../ pattern, bypassing authentication and landing at a vulnerable .jsp endpoint.

That endpoint assembles a URL using the Host: header from the incoming connection, and fetches and parses it as an eXtensible Stylesheet Language (XSL) document. And XSL documents are unsafe to load from untrusted sources, because they can lead directly to code execution. It’s a wild ride, and a great example of how multiple small issues can stack up to be quite significant when put together.

Bits and Bytes

Caesar Creek Software did an audit on a personal medical device and found issues, but because fixes are still being reviewed by the FDA, we don’t get many details on what exactly this is. Reading between the lines, it sounds like a wearable glucose monitor. It’s based on the nRF52 platform, and the best bit of this research may be using power line fault injection to get Single Wire Debug access to the MCU. They also found what appears to be a remote leak of uninitialized memory, and a Bluetooth Low Energy Man in the Middle attack. Interesting stuff.

And finally, [LaurieWired] has a great intro to the problem of trusting trust with a bit of bonus material on how to build and obfuscate quines while at it. How do you know your compiler binary doesn’t have malware in it? And how do you establish trust again? Enjoy!

youtube.com/embed/Fu3laL5VYdM?…

hackaday.com/2025/10/10/this-w…

Il 10 ottobre, sono uscite nuove rivelazioni riguardo una delle chiavi di licenza più note della storia informatica: FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8, legata a Windows XP. Per anni, questa sequenza di caratteri è stata sinonimo di software pirata, ma oggi emerge una verità diversa.

Dave W. Plummer, storico ingegnere Microsoft e creatore del sistema di attivazione Windows Product Activation (WPA), ha confermato che quella chiave non fu generata da un crack, bensì frutto di una grave fuga di dati interna.

Secondo Plummer, la chiave era stata concepita come Volume License Key (VLK) destinata esclusivamente alle aziende, per consentire installazioni multiple e automatizzate di Windows XP. Tuttavia, a causa di un errore di gestione e di scarsa vigilanza, il codice trapelò all’esterno, diffondendosi rapidamente tra hacker e comunità di pirateria. Da quel momento, fu condiviso ovunque in rete, permettendo a chiunque di installare copie non autorizzate del sistema operativo.

Come funzionava il sistema di attivazione

Nelle prime versioni di WPA, il processo di convalida di Windows XP prevedeva la generazione di un ID hardware basato su CPU, RAM e altri componenti del computer. Tale ID, insieme alla chiave del prodotto, veniva inviato ai server Microsoft per la verifica dell’autenticità.
Se la chiave risultava sospetta o non corrispondeva a un profilo valido, il sistema segnalava l’installazione come non genuina.

Tuttavia, essendo la chiave FCKGW un codice aziendale ufficiale, essa figurava nella whitelist del sistema di attivazione. Ciò significava che, durante l’installazione, bastava selezionare “Sì, possiedo un codice Product Key” e inserirla per bypassare completamente la verifica, senza necessità di attivazione o limiti di tempo.

L’impatto della diffusione

L’assenza di controlli effettivi rese la chiave estremamente appetibile. In breve tempo, CD e immagini ISO di Windows XP “pre-attivati” iniziarono a circolare in rete, rendendo la pirateria di XP un fenomeno di massa.

Persino i primi aggiornamenti di sicurezza non erano in grado di individuare le copie illegittime, poiché il sistema non associava alcun ID hardware al codice di licenza.

Con il tempo, Microsoft inserì FCKGW nella propria blacklist, impedendone l’uso nelle versioni successive. A partire dal Service Pack 2 (SP2), la chiave e il meccanismo VLK originario furono completamente rimossi, segnando la fine di una delle più celebri fughe di dati nella storia del software.

L'articolo La verità sulla chiave di licenza di Windows XP: FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8 proviene da il blog della sicurezza informatica.

The European Pirate Party is proud to officially endorse the European Citizens’ Initiative for Psychedelic Assisted Therapy, a campaign calling on the European Commission to support research, access, and responsible regulation of psychedelic-assisted therapy.

Mental health remains one of the most pressing public health challenges of our time. Across Europe, millions of people are struggling with depression, PTSD, anxiety disorders and other mental health conditions. Traditional treatment options do not work for everyone — which is why new, evidence-based approaches are urgently needed.

Psychedelic-assisted therapy has shown strong clinical potential in recent research, but legal barriers, outdated stigma, and lack of harmonized EU policies continue to block progress. This ECI aims to change that by calling for a European strategy to support scientific research, training, and safe access to these therapies under medical supervision.

“This is an important opportunity for the EU to take mental health seriously and to base its decisions on science rather than outdated fear. Psychedelic-assisted therapy offers real hope to many people for whom existing treatments are not enough. Supporting research and responsible regulation is not just sensible policy — it’s a matter of human dignity.”
— Florian Roussel, Chair of the European Pirate Party

The European Pirates stand firmly for evidence-based policy, personal autonomy, and human rights. We believe mental health policy should be guided by scientific evidence and respect for individual choice, not by stigma or fear.

This European Citizens’ Initiative is a unique democratic tool that allows citizens to place issues directly on the EU agenda — but it needs one million signatures to succeed.

Sign the initiative today and help us push the EU toward a modern, rational, and compassionate approach to mental health care. Every signature counts.

european-pirateparty.eu/why-yo…

Dopo un delitto efferato internet viene regolarmente sommersa di proponimenti forcaioli.
Una persona seria invece cerca sempre di mantenersi costruttiva. Al di là del biasimo è normale che essa assuma lo stesso atteggiamento anche nei casi più abietti.
Pare proprio che Emanuele Ragnedda di Arzachena, un ricco ben nutrito già criticabile perché ricco e perché ben nutrito, abbia molto maldestramente ucciso una certa Cinzia Pinna.
I dettagli sono sulle gazzette. Qui non ci interessano molto.
Ci interessa invece il fatto che per molti anni Emanuele -ancorché ricco e ben nutrito- dovrà affrontare una quotidianità che si annuncia molto triste, soprattutto perché dovrà adottare comportamenti poco conformi alle abitudini di un ricco e soprattutto a quelle di un ben nutrito, dal momento che il regime alimentare carcerario non è davvero dei più allettanti.
Come sappiamo Emanuele faceva raccogliere uva, ne faceva fermentare il succo e poi cercava di venderlo a caro prezzo, il più delle volte riuscendoci anche. A meno che qualcuno non si sbrighi a far sparire tutto quanto -fra gentiluomini in casi come questo è prassi far finta di non essersi mai conosciuti- sul web si trova molta e fastidiosa pubblicità al suo succo fermentato. Comunque, nulla vieta di sperare che Emanuele non possa cercare di assecondare la sua grande passione anche nelle condizioni in cui si trova adesso.

Prendete dieci arance sbucciate e una scatola di frutta sciroppata mista da duecentoquaranta grammi. Strizzate la frutta in un sacchettino di plastica e mescolate il succo alla poltiglia, aggiungete mezzo litro d'acqua e chiudete bene il sacchetto.
Mettete il sacchetto nel lavandino e riscaldatelo facendo scorrere per quindici minuti l'acqua calda.
Avvolgete dei tovaglioli attorno al sacchetto per tenerlo tiepido affinché fermenti.
Lasciate il sacchetto in cella senza toccarlo per quarantotto ore.
Passato questo tempo, aggiungete da quaranta a sessanta zollette di zucchero e sei cucchiaini di ketchup, poi riscaldate di nuovo per trenta minuti e infine richiudete il sacchetto.
Lasciate di nuovo il sacchetto senza toccarlo, stavolta per settantadue ore. Riscaldate ogni giorno per quindici minuti.
Trascorse le settantadue ore, con un cucchiaio scremate via la poltiglia e mettete quello che rimane in due tazze da mezzo litro.

Il detenuto statunitense Jarvis Jay Masters ha incluso questa ricetta per il pruno -uno spaventoso beverone fermentato facendola in barba agli agenti di custodia- in una poesia sulla sua condizione di condannato a morte. Si sono adattate le dosi al sistema metrico decimale senza troppo curarsi della precisione; ricette del genere lasciano per forza di cose moltissimo spazio all'inventiva ed è sicuro che al signorino Ragnedda non mancherà certo il tempo per perfezionare il risultato.

Capisco benissimo la gioia dei palestinesi per il piano di "pace": finalmente possono tornare a casa, finalmente smetteranno di essere uccisi come mosche, finalmente smetterà quella pioggia di bombe durata due anni.

Ma noi che possiamo permettercelo, perché a casa ci siamo già, perché non siamo stati uccisi come mosche, perché non siamo da due anni sotto una pioggia di bombe, noi dovremmo dire quello che è: hanno fatto un deserto e l'hanno chiamato pace.

#Gaza
#Pace
#PalestinaLibera