A common ratchet from your garage may work wonders for tightening hard to reach bolts on whatever everyday projects around the house. However, those over at [Chronova Engineering] had a particularly unusual project where a special ratchet mechanism needed to be developed. And developed it was, an absolutely beautiful machining job is done to create a ratcheting actuator for tendon pulling. Yes, this mechanical steampunk-esk ratchet is meant for yanking on the fleshy strings found in all of us.

The unique mechanism is necessary because of the requirement for bidirectional actuation for bio-mechanics research. Tendons are meant to be pulled and released to measure the movement of the fingers or toes. This is then compared with the distance pulled from the actuator. Hopefully, this method of actuation measurement may help doctors and surgeons treat people with impairments, though in this particular case the “patient” is a chicken’s foot.

Blurred for viewing ease
Manufacturing the mechanism itself consisted of a multitude of watch lathe operations and pantographed patterns. A mixture of custom and commercial screws are used in combination with a peg gear, cams, and a high performance servo to complete the complex ratchet. With simple control from an Arduino, the system completes its use case very effectively.

In all the actuator is an incredible piece of machining ability with one of the least expected use cases. The original public listed video chose to not show the chicken foot itself due to fear of the YouTube overlords.

If you wish to see the actuator in proper action check out the uncensored and unlisted video here.

youtube.com/embed/u22Oe7FugCw?…

Thanks to [DjBiohazard] on our Discord server tips-line!

hackaday.com/2025/05/03/ratche…

L’app cinese per video brevi TikTok dovrà pagare 530 milioni di euro all’autorità irlandese per la protezione dei dati personali per mancato rispetto della normativa europea sulla privacy. La multa di quasi 600 milioni di dollari deriva dall’archiviazione da parte di TikTok dei dati degli utenti europei su server in Cina e dalla mancata comunicazione dei trasferimenti di dati verso la Cina da luglio 2020 a novembre 2022.

Queste mancanze hanno determinato violazioni del Regolamento generale sulla protezione dei dati (GDPR). Il regolamento impone alle aziende di informare adeguatamente i propri utenti in merito al trasferimento di dati verso una nazione terza, nonché di garantire adeguate garanzie di privacy prima del trasferimento dei dati.

Anche la Commissione irlandese per la protezione dei dati ha affermato che TikTok ha fornito informazioni inesatte durante la sua indagine sull’azienda. Nonostante le affermazioni secondo cui TikTok avrebbe interrotto i trasferimenti di dati verso la Cina, TikTok ha informato la commissione ad aprile che “limitati” dati degli utenti europei “erano stati in realtà archiviati su server in Cina”. L’ordinanza concede a TikTok sei mesi di tempo per adeguare le sue pratiche di trattamento dei dati alla normativa europea.

“I trasferimenti di dati personali di TikTok verso la Cina hanno violato il GDPR perché TikTok non è riuscita a verificare, garantire e dimostrare che i dati personali degli utenti SEE, a cui il personale in Cina accedeva da remoto, ricevessero un livello di protezione sostanzialmente equivalente a quello garantito all’interno dell’UE”, ha affermato il vice commissario del DPC Graham Doyle.

Doyle ha aggiunto che il DPC sta valutando ulteriori azioni regolatorie contro l’azienda. TikTok ha dichiarato alle autorità di regolamentazione di aver cancellato i dati scoperti sui server cinesi.

Dopo aver inizialmente trasferito i dati in centri situati a Singapore e negli Stati Uniti, dal 2023 TikTok ha affermato che i dati degli utenti europei sono archiviati in un’enclave ospitata in data center situati in Norvegia, Irlanda e Stati Uniti. Si è impegnata a spendere 12 miliardi di euro in un decennio per migliorare la sicurezza dei dati degli utenti europei, in un’iniziativa denominata “Project Clover“. Reuters ha riferito mercoledì che TikTok prevede di investire 1 miliardo di euro per costruire un data center in Finlandia.

TikTok non ha risposto immediatamente alla richiesta di commento.

Nel 2023, le autorità di regolamentazione irlandesi avevano già multato TikTok per 345 milioni di euro per aver consentito ai giovani utenti di creare account visibili di default al pubblico e per aver consentito che gli account degli utenti bambini fossero associati a utenti non bambini non verificati. L’agenzia di regolamentazione dei dati del Regno Unito ha inoltre multato l’azienda di 12,7 milioni di sterline per non aver protetto la privacy dei bambini.

L'articolo TikTok multata per 530 milioni: dati europei archiviati in Cina senza autorizzazione proviene da il blog della sicurezza informatica.

La Cina ha lanciato ufficialmente un nuovo regime per i minori sull’uso di Internet mobile, in un contesto di crescente preoccupazione per l’impatto dei contenuti online su bambini e adolescenti. Il nuovo regime è il risultato di un lavoro sistematico avviato dalla Cyberspace Administration of China (CAC) e ora riguarda sia i dispositivi sia le applicazioni.

La versione aggiornata della modalità per i minorenni ha superato una serie di barriere tecniche ed è stata completamente riprogettata. Il sistema ora riunisce produttori di dispositivi mobili, sviluppatori di software e piattaforme di distribuzione di applicazioni per fornire una sincronizzazione “a tre vie”. I genitori devono solo cliccare su un’icona speciale e tutti i programmi installati passeranno automaticamente a un formato sicuro, creando un ambiente digitale chiuso per il bambino.

Anche l’elenco dei contenuti accettabili è stato notevolmente ampliato. Le principali piattaforme si affidano alla collaborazione con i creatori di contenuti per bambini, i titolari dei diritti d’autore e gli enti ufficiali per selezionare i materiali. Viene utilizzato un sistema di filtraggio multilivello: i contenuti vengono suddivisi in base ad età, argomento e focus, e gli algoritmi di raccomandazione vengono adattati al profilo di ogni bambino specifico.

Anche la funzionalità della modalità è stata notevolmente aggiornata. Ora consente di limitare il tempo totale trascorso su Internet, impostare un programma di utilizzo, ricevere promemoria per le pause, gestire l’accesso alle applicazioni e raccogliere statistiche sulle attività. Tutti questi parametri possono essere adattati in modo flessibile alla routine quotidiana e alle esigenze del bambino.

Per quanto riguarda la disponibilità, la modalità è già integrata nei nuovi modelli di smartphone Xiaomi, Honor e vivo, ed è arrivata anche sui dispositivi Huawei, OPPO e ZTE con gli aggiornamenti di sistema. Inoltre, negli app store sono apparse sezioni speciali per i minorenni e i servizi più popolari nei settori video, social network, commercio online e istruzione sono già stati adattati al nuovo formato. In futuro si progetta di ampliare la copertura e di introdurre la modalità su ancora più piattaforme digitali.

Il rappresentante del CAC ha sottolineato che il regime non può operare efficacemente senza unire le forze. Da un lato, le autorità continueranno a stimolare lo sviluppo tecnico e il miglioramento della funzionalità. D’altro canto, contano sulla partecipazione attiva dei genitori e dei bambini stessi: il loro feedback e le loro idee contribuiranno a rendere l’ambiente digitale non solo sicuro, ma anche davvero confortevole.

L'articolo Cina, rivoluzione digitale per i minori: ecco il nuovo “internet sicuro” obbligatorio proviene da il blog della sicurezza informatica.

L’autorità europea per la protezione dei dati noyb ha presentato un reclamo contro Ubisoft in Austria. Il motivo non è un bug o un acquisto in-game, bensì la necessità di una connessione Internet costante per giocare ai titoli per giocatore singolo. Il motivo era un’indagine su Far Cry Primal, che non ha funzionalità online ma richiede comunque una connessione a internet.

Il reclamo viene presentato ai sensi dell’articolo 6(1) del GDPR, che obbliga le aziende a raccogliere solo i dati necessari e solo con il consenso dell’utente. Secondo gli avvocati di noyb, Ubisoft viola il principio costringendo i giocatori a connettersi a Internet anche quando avviano giochi completamente offline.

Uno degli utenti citati nel reclamo ha scoperto che Far Cry Primal ha inviato 150 richieste DNS uniche in soli 10 minuti dall’avvio. L’analisi del traffico di rete ha mostrato che i dati non venivano inviati solo ai server di Ubisoft, ma anche ad Amazon, Google e alla società di analisi statunitense Datadog. Non era possibile decifrare il contenuto delle informazioni trasmesse: tutto era criptato. Tuttavia, il giocatore non ha mai dato il consenso a tale monitoraggio, il che rende la raccolta dei dati legalmente discutibile. A quanto pare, questa è una pratica comune per i progetti single-player di Ubisoft, tra cui serie come Assassin’s Creed e Prince of Persia.

Ubisoft ha affermato che il gioco avrebbe dovuto avere una modalità offline, ma le istruzioni fornite al giocatore si sono rivelate praticamente inutili. Secondo i rappresentanti di noyb, neanche un esperto di sicurezza informatica è riuscito a lanciare il gioco senza una connessione Internet. Ciò, secondo gli attivisti per i diritti umani, indica che tale modalità non funziona o che è troppo difficile da attivare.

Ubisoft sostiene che la connessione sia necessaria solo per verificare la proprietà del gioco. Ma l’azienda conferma anche nel suo contratto con l’utente e nell’informativa sulla privacy si spiega che l’azienda usa servizi di analisi di terze parti per monitorare il comportamento dei giocatori, raccogliere dati di gioco e di rete e inviarli ai suoi server.

Secondo gli avvocati di noyb, tale trattamento dei dati personali non può essere considerato necessario e pertanto viola l’articolo 6(1) del GDPR. Acquistando il gioco tramite Steam la proprietà viene già verificata e la presenza di una modalità offline nascosta indica che la connessione a Internet non è un requisito tecnico obbligatorio. Se un’azienda è realmente interessata a migliorare la qualità dei giochi, può chiedere direttamente ai giocatori il permesso di raccogliere informazioni o accettare segnalazioni volontarie di bug.

In caso di violazioni, l’azienda rischia una multa fino a 92 milioni di euro, pari al 4% del suo fatturato annuo (oltre 2 miliardi di euro). Noyb fa anche notare che questo probabilmente non sarà l’ultimo reclamo contro i produttori di giochi: è solo che, secondo il GDPR, ogni caso viene presentato per conto di uno specifico utente i cui diritti sono stati violati. Quindi dobbiamo agire a turno.

L'articolo Ubisoft nei guai: rischia 92 milioni di euro per violazione GDPR proviene da il blog della sicurezza informatica.

Le organizzazioni governative della russia e della mongolia sono diventate bersaglio di una nuova ondata di attacchi informatici che utilizzano una versione aggiornata deltrojan di accesso remoto MysterySnail.

Secondo i ricercatori, il malware MysterySnail è già stato utilizzato nel 2021 in attacchi legati al gruppo informatico IronHusky. Nella campagna attuale, gli aggressori utilizzano l’ultima versione di un Trojan modulare adattato a nuovi obiettivi e metodi di distribuzione.

L’infezione inizia con il lancio di uno script dannoso camuffato da documento di un’agenzia ufficiale mongola, l’Agenzia nazionale per la gestione del territorio (ALAMGAC). Lo script è progettato per essere eseguito tramite Microsoft Management Console, un componente standard di Windows utilizzato dagli amministratori per configurare e monitorare i sistemi. Quando il file viene aperto, vengono caricati altri componenti dannosi, tra cui la libreria CiscoSparkLauncher.dll.

È questa libreria che agisce da backdoor, scaricando e attivando il trojan principale MysterySnail. Una volta installato, il malware si connette ai server di comando e controllo creati dagli aggressori utilizzando il protocollo HTTP.

L’analisi ha dimostrato che questa versione di MysterySnail è in grado di eseguire circa 40 comandi diversi. Tra queste rientrano la gestione dei file (creazione, lettura, eliminazione), la gestione dei processi, l’ottenimento di un elenco di directory e unità e l’apertura di un canale proxy per il trasferimento dei dati. Il malware può anche monitorare silenziosamente in background le connessioni di archiviazione esterne.

In seguito, gli aggressori hanno utilizzato un’altra modifica del malware: una versione alleggerita chiamata MysteryMonoSnail. Questa variante è costituita da un singolo componente e utilizza il protocollo WebSocket per comunicare con il server di comando e controllo, anziché HTTP come nella versione principale. Nonostante le sue funzionalità ridotte (solo 13 comandi di base), gli esperti non ritengono che la minaccia rappresentata da MysteryMonoSnail sia trascurabile.

L’azienda ricorda che il gruppo informatico IronHusky è attivo almeno dal 2012 e ha ripetutamente utilizzato MysterySnail in attacchi di cyberspionaggio contro aziende IT e organizzazioni diplomatiche.

L'articolo Operazione MysterySnail: nuova ondata di cyber attacchi contro enti governativi proviene da il blog della sicurezza informatica.

[sprite_tm] had a problem. He needed a clock for the living room, but didn’t want to just buy something off the shelf. In his own words, “It’s an opportunity for a cool project that I’d rather not let go to waste.” Thus started a project to build a fun e-paper digit clock!

There were several goals for the build from the outset. It had to be battery driven, large enough to be easily readable, and readily visible both during the day and in low-light conditions. It also needed to be low maintenance, and “interesting,” as [sprite_tm] put it. This drove the design towards an e-paper solution. However, large e-paper displays can be a bit pricy. That spawned a creative idea—why not grab four smaller displays and make a clock with separate individual digits instead?

The build description covers the full design, from the ESP32 at the heart of things to odd brownout issues and the old-school Nokia batteries providing the juice. Indeed, [sprite_tm] even went the creative route, making each individual digit of the clock operate largely independently. Each has its own battery, microcontroller, and display. To save battery life, only the hours digit has to spend energy syncing with an NTP time server, and it uses the short-range ESPNow protocol to send time updates to the other digits.

It’s an unconventional clock, to be sure; you could even consider it four clocks in one. Ultimately, though, that’s what we like in a timepiece here at Hackaday. Meanwhile, if you’ve come up with a fun and innovative way to tell time, be sure to let us know on the tipsline!

[Thanks to Maarten Tromp for the tip!]

hackaday.com/2025/05/02/a-neat…

Impedance matching is one of the perpetual confusions for new electronics students, and for good reason: the idea that increasing the impedance of a circuit can lead to more power transmission is frighteningly unintuitive at first glance. Even once you understand this, designing a circuit with impedance matching is a tricky task, and it’s here that [Ralph Gable]’s introduction to impedance matching is helpful.

The goal of impedance matching is to maximize the amount of power transmitted from a source to a load. In some simple situations, resistance is the only significant component in impedance, and it’s possible to match impedance just by matching resistance. In most situations, though, capacitance and inductance will add a reactive component to the impedance, in which case it becomes necessary to use the complex conjugate for impedance matching.

The video goes over this theory briefly, but it’s real focus is on explaining how to read a Smith chart, an intimidating-looking tool which can be used to calculate impedances. The video covers the basic impedance-only Smith chart, as well as a full-color Smith chart which indicates both impedance and admittance.

This video is the introduction to a planned series on impedance matching, and beyond reading Smith charts, it doesn’t really get into many specifics. However, based on the clear explanations so far, it could be worth waiting for the rest of the series.

If you’re interested in more practical details, we’ve also covered another example before.

youtube.com/embed/J_kujlActGo?…

hackaday.com/2025/05/02/a-gent…

Let me throw in a curveball—watching your 3D print fail in real-time is so much more satisfying when you have a crisp, up-close view of the nozzle drama. That’s exactly what [Mellow Labs] delivers in his latest DIY video: transforming a generic HD endoscope camera into a purpose-built nozzle cam for the Prusa Mini. The hack blends absurd simplicity with delightful nerdy precision, and comes with a full walkthrough, a printable mount, and just enough bad advice to make it interesting. It’s a must-see for any maker who enjoys solder fumes with their spaghetti monsters.

What makes this build uniquely brilliant is the repurposing of a common USB endoscope camera—a tool normally reserved for inspecting pipes or internal combustion engines. Instead, it’s now spying on molten plastic. The camera gets ripped from its aluminium tomb, upgraded with custom-salvaged LEDs (harvested straight from a dismembered bulb), then wrapped in makeshift heat-shrink and mounted on a custom PETG bracket. [Mellow Labs] even micro-solders in a custom connector just so the camera can be detached post-print. The mount is parametric, thanks to a community contribution.

This is exactly the sort of hacking to love—clever, scrappy, informative, and full of personality. For the tinkerers among us who like their camera mounts hot and their resistor math hotter, this build is a weekend well spent.

youtube.com/embed/VBmO2SMDnJU?…

hackaday.com/2025/05/02/prusa-…

Sometimes you find a commercial product that is almost, but not exactly perfect for your needs. Your choices become: hack together a DIY replacement, or hack the commercial product to do what you need. [Daniel Epperson] chose door number two when he realized his Yamaha MusicCast smart speaker was perfect for his particular use case, except for its tragic lack of line out. A little surgery and a Digital-to-Analog Converter (DAC) breakout board solved that problem.
You can’t hear it in this image, but the headphones work.
[Daniel] first went diving into the datasheet of the Yamaha amplifier chip inside of the speaker, before realizing it did too much DSP for his taste. He did learn that the chip was getting i2s signals from the speaker’s wifi module. That’s a lucky break, since i2s is an open, well-known protocol. [Daniel] had an adafruit DAC; he only needed to get the i2s signals from the smart speaker’s board to his breakout. That proved to be an adventure, but we’ll let [Daniel] tell the tale on his blog.

After a quick bit of OpenSCAD and 3D printing, the DAC was firmly mounted in its new home. Now [Daniel] has the exact audio-streaming-solution he wanted: Yamaha’s MusicCast, with line out to his own hi-fi.

[Daniel] and hackaday go way back: we featured his robot lawnmower in 2013. It’s great to see he’s still hacking. If you’d rather see what’s behind door number one, this roll-your-own smart speaker may whet your appetite.

hackaday.com/2025/05/02/smart-…

La polizia del Cheshire ha utilizzato la tecnologia dell’intelligenza artificiale per trovare il pericoloso criminale Richard Burrows, dopo 28 anni di ricerche senza successo. Il tribunale lo ha condannato a 46 anni di carcere per 97 capi d’accusa di abusi sessuali su minori.

Per diversi decenni, dalla fine degli anni ’60 fino agli anni ’90, Burrows commise reati mentre lavorava come direttore di un collegio nel Cheshire e come capo scout nelle West Midlands. Nel 1997 fuggì dal Regno Unito e molte vittime non credevano più che lo avrebbero mai ritrovato.

La storia della fuga ebbe inizio quando Burroughs non si presentò al tribunale di Chester dove avrebbe dovuto testimoniare sulle accuse. Le sue vittime si prepararono a testimoniare rivivendo l’esperienza traumatica. Secondo l’ispettrice investigativa Eleanor Atkinson, che ha condotto le indagini nel 2024, all’epoca il sospettato era addirittura pronto a essere rilasciato su cauzione. Quando la polizia è arrivata a casa sua a Birmingham, ha scoperto che l’uomo aveva venduto la sua auto poco prima della scomparsa, il che indica una fuga pianificata.

Nel corso degli anni la polizia locale ha provato diversi metodi di ricerca, finché nel 2024 non si è rivolta al servizio PimEyes. Il sistema ha trovato online le foto dell’uomo in pochi secondi, indicando la sua posizione in Thailandia. Il dettaglio decisivo era il segno distintivo sul collo di Burroughs, immortalato nelle fotografie della sua festa d’addio nel 2019. Le immagini furono pubblicate su un quotidiano di Phuket, dove si nascondeva sotto il nome di Peter Smith.

Durante le indagini è emerso che il criminale aveva utilizzato un metodo di travestimento semplice ma efficace. Negli anni Novanta ottenne un vero passaporto utilizzando non solo la sua foto, ma anche i dati del suo amico malato terminale Peter Leslie Smith. Il pedofilo viaggiava con questo documento e lo rinnovava più volte senza destare sospetti.

Il giornalista thailandese Tim Newton, che incontrava regolarmente Burrows in occasione di eventi aziendali per espatriati a Phuket, ha affermato che nessuno sospettava del suo passato: “Per noi era solo il caro vecchio Peter Smith. Nessuno conosceva nemmeno il suo vero nome. Mantenne questo segreto per tutti i 27 anni che trascorse sull’isola.”

Dopo aver iniziato la sua carriera come insegnante d’inglese, il fuggitivo si è poi dedicato al mondo dei media, lavorando nel reparto pubblicità di un’azienda proprietaria di giornali e siti web locali. I suoi superiori sostengono inoltre di non essere a conoscenza di alcun precedente penale del dipendente. Durante i suoi ultimi anni in Thailandia, Burroughs visse in un container riconvertito. Circolavano addirittura voci secondo cui fosse stato vittima di estorsori. Nei suoi appunti definì questo periodo “paradiso”, ma nel marzo 2024 tornò lui stesso nel Regno Unito, giustificando la sua decisione con il fatto che aveva “finito i soldi”. Fu lì che venne arrestato, proprio mentre stava scendendo dall’aereo.

PimEyes è una piattaforma open source per la ricerca di immagini creata otto anni fa in Polonia. Gli utenti possono scaricare una foto e vedere dove è stata pubblicata online.

Tuttavia, l’uso di tali servizi è attualmente controverso. La polizia di Londra ha già bloccato l’accesso a PimEyes sui dispositivi ufficiali, pur mantenendo attivi altri sistemi di riconoscimento facciale.

L'articolo Preso e condannato a 46 anni il pedofilo latitante di 81 anni. Grazie all’intelligenza artificiale proviene da il blog della sicurezza informatica.

Who else remembers Spirograph? When making elaborate spiral doodles, did you ever wish for a much, much bigger version? [Fortress Fine Woodworks] had that thought, and “slapped a router onto it” to create a gorgeous walnut table.
This printed sanding block was a nice touch.
The video covers not only 3D printing the giant Spirograph, which is the part most of us can easily relate to, but all the woodworking magic that goes into creating a large hardwood table. Assembling the table out of choice lumber from the “rustic” pile is an obvious money-saving move, but there were a lot of other trips and tricks in this video that we were happy to learn from a pro. The 3D printed sanding block he designed was a particularly nice detail; it’s hard to imagine getting all those grooves smoothed out without it.

Certainly this pattern could have been carved with a CNC machine, but there is a certain old school charm in seeing it done (more or less) by hand with the Spirograph jig. [Fortress Fine Woodworks] would have missed out on quite the workout if he’d been using a CNC machine, too, which may or may not be a plus to this method depending on your perspective. Regardless, the finished product is a work of art and worth checking out in the video below.

Oddly enough, this isn’t the first time we’ve seen someone use a Spirograph to mill things. It’s not the first giant-scale Spirograph we’ve highlighted, either. To our knowledge, it’s the first time someone has combined them with an artful walnut table.

youtube.com/embed/zW5nZ0Hp95k?…

hackaday.com/2025/05/02/3d-pri…

Most of us have some dream project or three that we’d love to make a reality. We bring it up all the time with friends, muse on it at work, and research it during our downtime. But that’s just talk—and it doesn’t actually get the project done!

At the 2024 Hackaday Supercon, Sarah Vollmer made it clear—her presentation is about turning talk into action. It’s about how to overcome all the hurdles that get in the way of achieving your grand project, so you can actually make it a reality. It might sound like a self-help book—and it kind of is—but it’s rooted in the experience of a bonafide maker who’s been there and done that a few times over.

youtube.com/embed/lOWqkVV9P1M?…

At the outset, Sarah advises us on the value of friends when you’re pursuing a project. At once, they might be your greatest cheerleaders, or full of good ideas. In her case, she also cites several of her contacts in the broader community that have helped her along the way—with a particular shoutout to Randy Glenn, who also gave us a great Supercon talk last year on the value of the CAN bus. At the same time, your friends might—with good intentions—lead you in the wrong direction, with help or suggestions that could derail your project. Her advice is to take what’s useful, and politely sidestep or decline what won’t help your project.

Next, Sarah highlights the importance of watching out for foes. “Every dream has your dream crushers,” says Sarah. “It could be you, it could be the things that are being told to you.” Excessive criticism can be crushing, sapping you of the momentum you need to get started. She also relates it to her own experience, where her project faced a major hurdle—the tedious procurement process of a larger organization, and the skepticism around whether she could overcome it. Whatever threatens the progress of your project could be seen as a foe—but the key is knowing what is threatening your project.
Sarah’s talk is rooted in her personal experiences across her haptics work and other projects.
The third step Sarah recommends? Finding a way to set goals amidst the chaos. Your initial goals might be messy or vague, but often the end gets clearer as you start moving. “Be clear about what you’re doing so you can keep your eye on the prize,” says Sarah. “No matter what gets in your way, as long as you’re clear about what you’re doing, you can get there.” She talks about how she started with a simple haptics project some years ago. Over the years, she kept iterating and building on what she was trying to do with it, with a clear goal, and made great progress in turn.

Once you’re project is in motion, too, it’s important not to let it get killed by criticism. Cries of “Impossible!” might be hard to ignore, but often, Sarah notes, these brick walls are really problems you create actions items to solve. She also notes the value of using whatever you can to progress towards your goals. She talks about how she was able to parlay a Hackaday article on her work (and her previous 2019 Supercon talk) to help her gain access to an accelerator program to help her start her nascent lab supply business.

youtube.com/embed/aRkfiQZNx3I?…

Sarah’s previous Hackaday Supercon appearance helped open doors for her work in haptics.

Anyone who has ever worked in a corporate environment will also appreciate Sarah’s advice to avoid the lure of endless planning, which can derail even the best planned project. “Once upon a time I went to meetings, those meetings became meetings about meetings,” she says. “Those meetings about meetings became about planning, they went on for four hours on a Friday, [and] I just stopped going,” Her ultimate dot point? “We don’t talk, talk is cheap, but too much talk is bankrupting.”

“When all else fails, laugh and keep going,” Sarah advises. She provides an example of a 24/7 art installation she worked on that was running across multiple physical spaces spread across the globe. “During the exhibit, China got in a fight with Google,” she says. This derailed plans to use certain cloud buckets to run things, but with good humor and the right attitude, the team were able to persevere and work around what could have been a disaster.

Overall, this talk is a rapid fire crash course in how she pushed her projects on through challenges and hurdles and came out on top. Just beware—if you’re offended by the use of AI art, this one might not be for you. Sarah talks fast and covers a lot of ground in her talk, but if you can keep up and follow along there’s a few kernels of wisdom in there that you might like to take forward.

hackaday.com/2025/05/02/superc…

It’s the podcast so nice we recorded it twice! Despite some technical difficulties (note to self: press the record button significantly before recording the outro), Elliot and Dan were able to soldier through our rundown of the week’s top hacks. We kicked things off with a roundup of virtual keyboards for the alternate reality crowd, which begged the question of why you’d even need such a thing. We also looked at a couple of cool demoscene-adjacent projects, such as the ultimate in oscilloscope music and a hybrid knob/jack for eurorack synth modules. We also dialed the Wayback Machine into antiquity to take a look at Clickspring’s take on the origins of precision machining; spoiler alert — you can make gas-tight concentric brass tubing using a bow-driven lathe. There’s a squishy pneumatic robot gripper, an MQTT-enabled random number generator, a feline-friendly digital stethoscope, and a typewriter that’ll make you Dymo label maker jealous. We’ll also mourn the demise of electronics magazines and ponder how your favorite website fills that gap, and learn why it’s really hard to keep open-source software lean and clean. Short answer: because it’s made by people.

html5-player.libsyn.com/embed/…
Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Download the zero-calorie MP3.

Episode 319 Show Notes:

News:

• There’s A Venusian Spacecraft Coming Our Way
• You Wouldn’t Steal A Font…
• Sigrok Website Down After Hosting Data Loss

What’s that Sound?

• Fill out this form for your chance to win!

Interesting Hacks of the Week:

• Weird And Wonderful VR/MR Text Entry Methods, All In One Place
  
  • Just a moment…

  
  

• Clickspring’s Experimental Archaeology: Concentric Thin-Walled Tubing
• Amazing Oscilloscope Demo Scores The Win At Revision 2025
  
  • osci-render
  • Tripping On Oscilloshrooms With An Analog Scope
  • Crossing Commodore Signal Cables On Purpose

  
  

• Look! It’s A Knob! It’s A Jack! It’s Euroknob!
• Robot Gets A DIY Pneumatic Gripper Upgrade
  
  • Vastly Improved Servo Control, Now Without Motor Surgery

  
  

• Remembering Heathkit

Quick Hacks:

• Elliot’s Picks
  
  • A New And Weird Kind Of Typewriter
  • Terminal DAW Does It In Style
  • Comparing ‘AI’ For Basic Plant Care With Human Brown Thumbs

  
  

• Dan’s Picks:
  
  • Quantum Random Number Generator Squirts Out Numbers Via MQTT
  • Onkyo Receiver Saved With An ESP32
  • Quick And Easy Digital Stethoscope Keeps Tabs On Cat

  
  

Can’t-Miss Articles:

• Libogc Allegations Rock Wii Homebrew Community
• The DIY 1982 Picture Phone

hackaday.com/2025/05/02/hackad…

While the COVID-19 pandemic wasn’t an experience anyone wants to repeat, infections disease experts like [Dr. Pardis Sabeti] are looking at what we can do to prepare for the next one.

While the next pandemic could potentially be anything, there are a few high profile candidates, and bird flu (H5N1) is at the top of the list. With birds all over the world carrying the infection and the prevalence in poultry and now dairy agriculture operations, the possibility for cross-species infection is higher than for most other diseases out there, particularly anything with an up to 60% fatality rate. Only one of the 70 people in the US who have contracted H5N1 recently have died, and exposures have been mostly in dairy and poultry workers. Scientists have yet to determine why cases in the US have been less severe.

To prevent an H5N1 pandemic before it reaches the level of COVID and ensure its reach is limited like earlier bird and swine flu variants, contact tracing of humans and cattle as well as offering existing H5N1 vaccines to vulnerable populations like those poultry and dairy workers would be a good first line of defense. So far, it doesn’t seem transmissible human-to-human, but more and more cases increase the likelihood it could gain this mutation. Keeping current cases from increasing, improving our science outreach, and continuing to fund scientists working on this disease are our best bets to keep it from taking off like a meme stock.

Whatever the next pandemic turns out to be, smartwatches could help flatten the curve and surely hackers will rise to the occasion to fill in the gaps where traditional infrastructure fails again.

youtube.com/embed/5CyVi4UzKxE?…

hackaday.com/2025/05/02/prepar…

Renata Morresi:
Dunque, con calma, vagliando ogni sintagma: ieri notte, in acque internazionali, dei #droni da guerra, forse mandati dal governo di #israele , hanno attaccato una nave con #aiutiumanitari diretta verso un luogo dove non c'è più cibo, acqua, elettricità, medicine, ecc., #Gaza . Ripeto: AIUTI UMANITARI - PER GAZA - BOMBARDATI - DA DRONI - IN ACQUE INTERNAZIONALI. Quando apriremo gli occhi su quello che stanno facendo il criminale #Netanyahu & i suoi complici? Per quanto tempo ancora potremo assecondare questo scempio? Potremo dire che non sapevamo? Che non arrivavano immagini o notizie? Che non conoscevamo i #genocidi ? Né i #criminidiguerra ? Come faremo a parlare di umanesimo? Di studiare la storia per non ripeterla? Come faremo a credere ai 'valori cristiani' o 'occidentali'? All'uguaglianza e all'equità? Al progresso e alla civiltà europea? Come faremo a guardarci allo specchio?

#genocidio

This week, Oligo has announced the AirBorne series of vulnerabilities in the Apple Airdrop protocol and SDK. This is a particularly serious set of issues, and notably affects MacOS desktops and laptops, the iOS and iPadOS mobile devices, and many IoT devices that use the Apple SDK to provide AirPlay support. It’s a group of 16 CVEs based on 23 total reported issues, with the ramifications ranging from an authentication bypass, to local file reads, all the way to Remote Code Execution (RCE).

AirPlay is a WiFi based peer-to-peer protocol, used to share or stream media between devices. It uses port 7000, and a custom protocol that has elements of both HTTP and RTSP. This scheme makes heavy use of property lists (“plists”) for transferring serialized information. And as we well know, serialization and data parsing interfaces are great places to look for vulnerabilities. Oligo provides an example, where a plist is expected to contain a dictionary object, but was actually constructed with a simple string. De-serializing that plist results in a malformed dictionary, and attempting to access it will crash the process.

Another demo is using AirPlay to achieve an arbitrary memory write against a MacOS device. Because it’s such a powerful primative, this can be used for zero-click exploitation, though the actual demo uses the music app, and launches with a user click. Prior to the patch, this affected any MacOS device with AirPlay enabled, and set to either “Anyone on the same network” or “Everyone”. Because of the zero-click nature, this could be made into a wormable exploit.

youtube.com/embed/ZmOvRLBL3Ys?…

Apple has released updates for their products for all of the CVEs, but what’s going to really take a long time to clean up is the IoT devices that were build with the vulnerable SDK. It’s likely that many of those devices will never receive updates.

EvilNotify

It’s apparently the week for Apple exploits, because here’s another one, this time from [Guilherme Rambo]. Apple has built multiple systems for doing Inter Process Communications (IPC), but the simplest is the Darwin Notification API. It’s part of the shared code that runs on all of Apple’s OSs, and this IPC has some quirks. Namely, there’s no verification system, and no restrictions on which processes can send or receive messages.

That led our researcher to ask what you may be asking: does this lack of authentication allow for any security violations? Among many novel notifications this technique can spoof, there’s one that’s particularly problematic: The device “restore in progress”. This locks the device, leaving only a reboot option. Annoying, but not a permanent problem.

The really nasty version of this trick is to put the code triggering a “restore in progress” message inside an app’s widget extension. iOS loads those automatically at boot, making for an infuriating bootloop. [Guilherme] reported the problem to Apple, made a very nice $17,500 in the progress. The fix from Apple is a welcome surprise, in that they added an authorization mechanism for sensitive notification endpoints. It’s very likely that there are other ways that this technique could have been abused, so the more comprehensive fix was the way to go.

Jenkins

Continuous Integration is one of the most powerful tools a software project can use to stay on top of code quality. Unfortunately as those CI toolchains get more complicated, they are more likely to be vulnerable, as [John Stawinski] from Praetorian has discovered. This attack chain would target the Node.js repository at Github via an outside pull request, and ends with code execution on the Jenkins host machines.

The trick to pulling this off is to spoof the timestamp on a Pull Request. The Node.js CI uses PR labels to control what CI will do with the incoming request. Tooling automatically adds the “needs-ci” label depending on what files are modified. A maintainer reviews the PR, and approves the CI run. A Jenkins runner will pick up the job, compare that the Git timestamp predated the maintainer’s approval, and then runs the CI job. Git timestamps are trivial to spoof, so it’s possible to load an additional commit to the target PR with a commit timestamp in the past. The runner doesn’t catch the deception, and runs the now-malicious code.

[John] reported the findings, and Node.js maintainers jumped into action right away. The primary fix was to do SHA sum comparisons to validate Jenkins runs, rather than just relying on timestamp. Out of an abundance of caution, the Jenkins runners were re-imaged, and then [John] was invited to try to recreate the exploit. The Node.js blog post has some additional thoughts on this exploit, like pointing out that it’s a Time-of-Check-Time-of-Use (TOCTOU) exploit. We don’t normally think of TOCTOU bugs where a human is the “check” part of the equation.

2024 in 0-days

Google has published an overview of the 75 zero-day vulnerabilities that were exploited in 2024. That’s down from the 98 vulnerabilities exploited in 2023, but the Threat Intelligence Group behind this report are of the opinion that we’re still on an upward trend for zero-day exploitation. Some platforms like mobile and web browsers have seen drastic improvements in zero-day prevention, while enterprise targets are on the rise. The real stand-out is the targeting of security appliances and other network devices, at more than 60% of the vulnerabilities tracked.

When it comes to the attackers behind exploitation, it’s a mix between state-sponsored attacks, legal commercial surveillance, and financially motivated attacks. It will be interesting to see how 2025 stacks up in comparison. But one thing is for certain: Zero-days aren’t going away any time soon.

Perplexing Passwords for RDP

The world of computer security just got an interesting surprise, as Microsoft declared it not-a-bug that Windows machines will continue to accept revoked credentials for Remote Desktop Protocol (RDP) logins. [Daniel Wade] discovered the issue and reported it to Microsoft, and then after being told it wasn’t a security vulnerability, shared his report with Ars Technica.

So what exactly is happening here? It’s the case of a Windows machine login via Azure or a Microsoft account. That account is used to enable RDP, and the machine caches the username and password so logins work even when the computer is “offline”. The problem really comes in how those cached passwords get evicted from the cache. When it comes to RDP logins, it seems they are simply never removed.

There is a stark disconnect between what [Wade] has observed, and what Microsoft has to say about it. It’s long been known that Windows machines will cache passwords, but that cache will get updated the next time the machine logs in to the domain controller. This is what Microsoft’s responses seem to be referencing. The actual report is that in the case of RDP, the cached passwords will never expire, regardless of changing that password in the cloud and logging on to the machine repeatedly.

Bits and Bytes

Samsung makes a digital signage line, powered by the MagicINFO server application. That server has an unauthenticated endpoint, accepting file uploads with insufficient filename sanitization. That combination leads to arbitrary pre-auth code execution. While that’s not great, what makes this a real problem is that the report was first sent to Samsung in January, no response was ever received, and it seems that no fixes have officially been published.

A series of Viasat modems have a buffer overflow in their SNORE web interface. This leads to unauthenticated, arbitrary code execution on the system, from either the LAN or OTA interface, but thankfully not from the public Internet itself. This one is interesting in that it was found via static code analysis.

IPv6 is the answer to all of our IPv4 induced woes, right? It has Stateless Address Autoconfiguration (SLAAC) to handle IP addressing without DHCP, and Router Advertisement (RA) to discover how to route packets. And now, taking advantage of that great functionality is Spellbinder, a malicious tool to pull off SLACC attacks and do DNS poisoning. It’s not entirely new, as we’ve seen Man in the Middle attacks on IPv4 networks for years. IPv6 just makes it so much easier.

hackaday.com/2025/05/02/this-w…