This week’s Hackaday Podcast sees Elliot Williams joined by Jenny List for an all-European take on the week, and have we got some hacks for you!

In the news this week is NASA’s Maven Mars Orbiter, which may sadly have been lost. A sad day for study of the red planet, but at the same time a chance to look back at what has been a long and successful mission.

In the hacks of the week, we have a lo-fi camera, a very refined Commodore 64 laptop, and a MIDI slapophone to entertain you, as well as taking a detailed look at neutrino detectors. Then CYMK printing with laser cut stencils draws our attention, as well as the arrival of stable GPIB support for Linux. Finally both staffers let loose; Elliot with an epic rant about spreadsheets, and Jenny enthusiastically describing the Haiku operating system.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

It’s dangerous to go alone. Here, take this MP3.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 349 Show Notes:

News:

• NASA May Have Lost The MAVEN Mars Orbiter

What’s that Sound?

• Congratulations to [kenbob] for guessing the spinning down washing machine. Everyone else tune in next year for your shot at the first sound of 2026.

Interesting Hacks of the Week:

• Liberating AirPods With Bluetooth Spoofing
  
  • GitHub – tyalie/AAP-Protocol-Defintion: Decoding the Apple Accessory Protocol
  • Bypassing Airpods Hearing Aid Georestriction With A Faraday Cage

  
  

• Nostalgic Camera Is A Mashup Of Analog Video Gear
  
  • Hidden Camera Build Proves You Can’t Trust Walnuts

  
  

• Neutrino Transmutation Observed For The First Time
  
  • Detecting Anti-Neutrinos From Distant Fission Reactors Using Pure Water At SNO+
  • Engineering Lessons From The Super-Kamiokande Neutrino Observatory Failure
  • Detecting Neutrinos, The Slippery Ghost Particles That Don’t Want To Interact

  
  

• Building A Commodore 64 Laptop
  
  • 3D Printed Pi Laptop Honors The Iconic GRiD Compass

  
  

• Taking Electronics To A Different Level
  
  • Taking It To Another Level: Making 3.3V Speak With 5V
  • Philips application note 97055, Bi-directional level shifter for I²C-bus and other systems.

  
  

• Finally, A Pipe Slapophone With MIDI

Quick Hacks:

• Elliot’s Picks:
  
  • WiFi Menorah For Eight Nights Of Bandwidth
  • Laser Cutter Plus CYMK Spraypaint Equals Full-Color Prints
  • Why Push A Button When A Machine Can Do It For You

  
  

• Jenny’s Picks:
  
  • After Decades, Linux Finally Gains Stable GPIB Support
  • 3D Printing And Metal Casting Are A Great Match
  • The Lethal Danger Of Combining Welding And Brake Cleaner

  
  

Can’t Miss Articles:

• A Brief History Of The Spreadsheet
• Jenny’s Daily Drivers: Haiku R1/beta5

hackaday.com/2025/12/19/hackad…

The Kodak Charmera is a tiny keychain camera produced by licencing out the name of the famous film manufacturer, and it’s the current must-have cool trinket among photo nerds. Inside is a tiny sensor and a fixed-focus M7 lens, and unlike many toy cameras it has better quality than its tiny package might lead you to expect. There will always be those who wish to push the envelope though, and [微攝 Macrodeon] is here to fit a lens mount for full-size lenses (Chinese language, subtitle translation available).

The hack involves cracking the camera open and separating the lens mount from the sensor. This is something we’re familiar with from other cameras, and it’s a fiddly process which requires a lot of care. A C-mount is then glued to the front, from which all manner of other lenses can be attached using a range of adapters. The focus requires a bit of effort to set up and we’re guessing that every lens becomes extreme telephoto due to the tiny sensor, but we’re sure hours of fun could be had.

The Charmera is almost constantly sold out, but you should be able to place a preorder for about $30 USD if you want one. If waiting months for delivery isn’t your bag, there are other cameras you can upgrade to C-mount.

youtube.com/embed/FMZ74QCaLdw?…

hackaday.com/2025/12/19/attach…

As the saying goes — when life gives you lemons, you make lemonade. When life gives you a two-ton surplus industrial robot arm, if you’re [Brian Brocken], you apparently make a massive 3D printer.

The arm in question is an ABB IRB6400, a serious machine that can sling 100 to 200 kilograms depending on configuration. Compared to that, the beefiest 3D printhead is effectively weightless, and the Creality Sprite unit he’s using isn’t all that beefy. Getting the new hardware attached uses (ironically) a 3D printed mount, which is an easy enough hack. The hard work, as you might imagine, is in software.

As it turns out, there’s no profile in Klipper for this bad boy. It’s 26-year-old controller doesn’t even speak G-code, requiring [Brian] to feed the arm controller the “ABB RAPID” dialect it expects line-by-line, while simultaneously feeding G-code to the RAMPS board controlling the extruder. If you happen to have the same arm, he’s selling the software that does this. Getting that synchronized reliably was the biggest challenge [Brian] faced. Unfortunately that means things are slowed down compared to what the arm would otherwise be able to do, with a lot of stop-and-start on complex models, which compromises print quality. Check the build page above for more pictures, or the video embedded below.

[Brian] hopes to fix that by making better use of the ABB arm’s controller, since it does have enough memory for a small buffer, if not a full print. Still, even if it’s rough right now, it does print, which is not something the engineers at ABB probably ever planned for back before Y2K. [Brian]’s last use of the arm, carving a DeLorean out of styrofoam, might be closer to the original design brief.

Usually we see people using 3D printers to build robot arms, so this is a nice inversion, though not the first.

youtube.com/embed/peY_KK_nGc8?…

hackaday.com/2025/12/19/surplu…

There’s something immensely satisfying about taking a series of low impact CVEs, and stringing them together into a full exploit. That’s the story we have from [Mehmet Ince] of Prodraft, who found a handful of issues in the default PostHog install instructions, and managed to turn it into a full RCE, though only accessible as a user with some configuration permissions.

As one might expect, it all starts with a Server Side Request Forgery (SSRF). That’s a flaw where sending traffic to a server can manipulate something on the server side to send a request somewhere else. The trick here is that a webhook worker can be primed to point at localhost by sending a request directly to a system API.

One of the systems that powers a PostHog install is the Clickhouse database server. This project had a problem in how it sanitized SQL requests, namely attempting to escape a single quote via a backslash symbol. In many SQL servers, a backslash would properly escape a single quote, but Clickhouse and other Postgresql servers don’t support that, and treat a backslash as a regular character. And with this, a read-only SQL API is vulnerable to SQL injection.

These vulnerabilities together just allow for injecting an SQL string to create and run a shell command from within the database, giving an RCE and remote shell. The vulnerabilities were reported through ZDI, and things were fixed earlier this year.

FreePBX

Speaking of SQL injections, FreePBX recently fixed a handful of SQL injections and an authentication bypass, and researchers at horizon3.ai have the scoop. None of these particular issues are vulnerable without either questionable configuration changes, or access to a valid PHP session ID token. The weakness here seems to be a very similar single quote injection.

Another fun SQL injection in FreePBX requires the authorization type swapped to webserver. But with that setting in place, an injected authentication header with only a valid user name is enough to pull off an SQL injection. The attack chosen for demonstration was to add a new user to the users table. This same authentication header spoof can be used to upload arbitrary files to the system, leading to an easy webshell.

Google Project Zero’s Refresh

We’ve often covered Google’s Project Zero on this column, as their work is usually quite impressive. As their blog now points out, the homepage design left something to be desired. That’s changed now, with a sleek and modern new look! And no, that’s not actually newsworthy here; stop typing those angry comments. The real news is the trio of new posts that came with the refresh.

The most recent is coverage of a VirtualBox VM excape via the NAT network driver. It’s covering a 2017 vulnerability, so not precisely still relevant, but still worth a look. The key here is a bit of code that changes the length of the data structure based on the length of the IP header. Memory manipulation from an untrusted value. The key to exploitation is to manipulate memory to control some of the memory where packets are stored. Then use IP fragmentation packets to interleave that malicious data together and trigger the memory management flaw.

The second post is on Windows exploitation through race conditions and path lookups. This one isn’t an exploit, but an examination of techniques that you could use to slow the Windows kernel down, when doing a path lookup, to exploit a race condition. The winner seems to be a combination of nested directories, with shadow directories and symbolic links. This combination can cost the kernel a whopping three minutes just to parse a path. Probably enough time.

The third entry is on an image-based malware campaign against Samsung Android phones. Malicious DNG files get processed by the Quram image processing library on Samsung devices. DNG images are a non-proprietary replacement for .raw image files, and the DNG format even includes features like embedding lens correction code right in the file format. This correction code is in the form of opcodes, that are handled very much like a script or small program on the host device. The Quram library didn’t handle those programs safely, allowing them to write outside of the allocated memory for the image.

Bits and Bytes

The E-note domain and servers have been seized by law enforcement. It’s believed that $70 million worth of ransomware and cryptocurrency theft has passed through this exchange service, as part of a money laundering operation. A Russian national has been named as the man behind the service, and an indictment has been made, but it seems that no actual arrests have been made.

Dropbear 2025.89 has been released, fixing a vulnerability where a user with SSH access could connect to any unix socket as root. This mishandling of socket permissions can lead to escalation of privilege in a multitude of ways.

React2shell was exploited in the wild almost as soon as it was announced. We covered the vulnerability as it was happening a couple weeks ago, and now it’s clear that ransomware campaigns were launched right away to take advantage of the exploit. It’s also reported that it was used in Advanced Persistent Threat (APT) campaigns right away as well. Real Proof of Concept code is also now available.

Thanks for All the Fish!

And lastly, on a personal note: Thank you to all the readers of this column over the last six years, and to the Hackaday editors for making it happen. I’ve found myself in the position of having four active careers at once, and with the birth of my son in November, I have four children as well. Something has to give, and it’s not going to be any of the kids, so it’s time for me to move on from a couple of those careers. This Week in Security has been a blast, ever since the first installment back in May of 2019. With any luck, another writer will pick up the mantle early next year. (Editor’s note: We’re working on it, but we’ll miss you!)

And if you’re a fan of FLOSS Weekly, the other thing I do around here, don’t worry, as it’s not going anywhere. Hope to see you all there!

hackaday.com/2025/12/19/this-w…

Una nuova vulnerabilità nei componenti FreeBSD responsabili della configurazione IPv6 consente l’esecuzione remota di codice arbitrario su un dispositivo situato sulla stessa rete locale dell’aggressore. Il problema riguarda tutte le versioni supportate del sistema operativo e richiede un’azione immediata per proteggere i dispositivi.

È stata scoperta una vulnerabilità nelle utility “rtsold” e “rtsol“, utilizzate per elaborare i messaggi pubblicitari del router come parte del meccanismo di configurazione automatica degli indirizzi IPv6. È stato scoperto che questi programmi non convalidano il parametro del suffisso di dominio passato in tali messaggi, inviandolo direttamente all’utility “resolvconf“, responsabile dell’aggiornamento della configurazione DNS.

Tuttavia, “resolvconf” è scritto come uno script shell e non filtra i dati in arrivo. L’assenza di escape implica che qualsiasi codice dannoso passato tramite il parametro domain list può essere eseguito sul sistema. Pertanto, un aggressore sulla stessa subnet può eseguire comandi sul dispositivo di destinazione senza richiedere privilegi di amministratore o interazioni precedenti.

Secondo gli sviluppatori di FreeBSD , il problema è limitato alle reti locali, poiché gli annunci del router non vengono instradati e non possono attraversare i confini dei segmenti di rete. Tuttavia, riguarda tutti i sistemi che utilizzano l’autoconfigurazione IPv6, in particolare le interfacce con il flag “ACCEPT_RTADV” abilitato, verificabile tramite “ifconfig“.

Per gli utenti che non utilizzano IPv6, non vi è alcun rischio. In caso contrario, si consiglia di aggiornare urgentemente il sistema all’ultima versione.

Gli aggiornamenti sono ora disponibili per tutte le branch di FreeBSD supportate, incluse le versioni 15.0, 14.3 e 13.5. L’aggiornamento è possibile sia tramite il meccanismo di patching binario integrato sia applicando modifiche al codice sorgente.

L’identificatore della vulnerabilità registrata è CVE-2025-14558. Le correzioni sono state pubblicate il 16 dicembre 2025 e sono incluse nei rami stabile e di rilascio di FreeBSD.

L'articolo Vulnerabilità critica in FreeBSD: eseguibile codice arbitrario via IPv6 proviene da Red Hot Cyber.

Contro la falsa informazione pro-inceneritore.

Nell’articolo dell’edizione romana di ieri a firma di Salvatore Giuffrida leggiamo “Il cantiere a Santa Palomba partirà entro il primo trimestre del 2026 e durerà 32 mesi, fino a oltre la metà del 2028”. Il sottotitolo contiene la prima menzogna o bufala, come preferite. Le attività di costruzione dureranno 39 mesi e non 32 come scrive il giornalista e il cantiere terminerà nel maggio 2029. Attenzione, non siamo noi a dichiaralo ma è scritto nero su bianco sul più recente cronoprogramma del proponente.

“Il 2026 sarà l’anno del termovalorizzatore di Roma”. Nell’attacco del pezzo si condensa tutto lo strumentario della retorica tipica dei fan dell’incenerimento che si guarda bene dal ricordare, neppure incidentalmente che i poteri straordinari sono stati attributi per impiantistica destinata a far fronte all’afflusso straordinario dei pellegrini del Giubileo 2025. Un impianto che a Giubileo terminato non è ancora autorizzato e il cui iter è potuto andar avanti esclusivamente a forza di ordinanze, con la Procura di Roma che sta indagando al riguardo. Profili questi, guarda caso, del tutto omessi.

“Bisogna ancora aspettare due anni per inaugurare l’impianto, ma il percorso è già avviato: di fatto è ormai concluso il procedimento autorizzatorio unico regionale, Paur, che riunisce in un unico atto tutte le valutazioni, i pareri e le autorizzazioni di competenza regionale necessarie a realizzare il progetto e avviare il cantiere.”

Il procedimento non è affatto concluso. Ci sono i pareri contrari dei comuni di Albano, Ardea e Pomezia. C’è soprattutto la Soprintendenza Speciale di Roma ha tutta la competenza e decisive motivazioni per bocciare gli elaborati progettuali nella conferenza di servizi in corso e per contestare la procedura avviata in virtù delle proprie prerogative istituzionali discendenti dall’articolo 9 della Costituzione, attuato dal codice dei beni culturali.

Seguono poi i consueti ritornelli della propaganda inceneritorista: “Saranno inoltre realizzati quattro impianti ausiliari per recuperare le ceneri pesanti, un impianto fotovoltaico, una rete di teleriscaldamento e un sistema sperimentale per catturare l’anidride carbonica. Il termovalorizzatore sarà capace di bruciare 600mila tonnellate l’anno di rifiuti e di produrre energia elettrica per circa 200mila abitazioni”.

Al riguardo solo due repliche lampo a proposito di teleriscaldamento e sistema sperimentale cattura CO2. Il teleriscaldamento, conti alla mano, riguarderà un centinaio di famiglie. Dovranno provare di avere il contratto di fornitura indispensabile per la verifica del coefficiente R1 indice di efficienza energetica per ricondurre l’impianto tra quelli di recupero energetico.

Sull’impianto di cattura della CO2, oltre a non essere sperimentale come evidenziato dallo stesso proponente basti ricordare che la massima cattura equivale ad appena l’1per mille della Co 2 emessa. Su questo ci sono ben due esposti alla Corte dei conti ma anche su questo silenzio tombale.
Le 200 mila abitazioni che vorranno l’energia elettrica prodotta, non l’avranno certo a gratis ma dovranno pagarla a prezzi di mercato.

“Infine, a ottobre il Comune ha ratificato un protocollo d’intesa con Ferrovie dello Stato per gestire la logistica ambientale in merito al trasporto dei rifiuti senza costi aggiuntivi per le parti.” Un protocollo d’intesa privo di qualsivoglia autentica portata, chissà perché riportarlo?
Davanti a tanta spudorata propaganda rispondiamo con il nostro prossimo appuntamento: la mattina di lunedì 29 dicembre sit-in presso la Soprintendenza speciale di Roma per smuoverla a tutelare i beni archeologici presenti nell’area del progetto e che verrebbero irrimediabilmente distrutti.

Concludiamo il nostro comunicato richiamando il recentissimo parere contrario della Regione Lazio nella conferenza di servizi sulla discarica di Tor Tignosa che lascia l’inceneritore privo della sua discarica di servizio.
Non serve il giornalismo di inchiesta, sarebbe sufficiente il semplice giornalismo.
Buona serata!

19 dicembre 2025