17 Year Old Hellboy II Prop Still Amazes
The AI effects we know these days were once preceded by CGI, and those were once preceded by true hand-built physical props. If that makes you think of Muppets, this video will change your mind. In a behind-the-scenes look with [Adam Savage], effects designer [Mark Setrakian] reveals the full animatronic glory of Mr. Wink’s mechanical fist from Hellboy II: The Golden Army (2008) – and this beast still flexes.
Most of this arm was actually made in 2003, when 3D printing was very different than what we think of today. Printed on a Stratasys Titan – think: large refrigerator-sized machine, expensive as sin – the parts were then hand-textured with a Dremel for that war-scarred, brutalist feel. This wasn’t just basic animatronics for set dressing. This was a fully actuated prop with servo-driven finger joints, a retractable chain weapon, and bevel-geared mechanisms that scream mechanical craftsmanship.
Each finger is individually designed. The chain reel: powered by a DeWalt drill motor and custom bevel gear assembly. Every department: sculptors, CAD modelers, machinists, contributed to this hybrid of analog and digital magic. Props like this are becoming unicorns.
Le città di pianura
Le città di pianura, by director Francesco Sossai, tells the story of Carlobianchi and Doriano, two penniless fifty-year-olds who share one obsession: going for one last drink. (www.altrenotizie.org)
White LED Turning Purple: Analyzing a Phosphor Failure
White LED bulbs are commonplace in households by now, mostly due to their low power usage and high reliability. Crank up the light output enough and you do however get high temperatures and corresponding interesting failure modes. An example is the one demonstrated by the [electronupdate] channel on YouTube with a Philips MR16 LED spot that had developed a distinct purple light output.
The crumbling phosphor coating on top of the now exposed UV LEDs. (Credit: electronupdate, YouTube)
After popping off the front to expose the PCB with the LED packages, the fault seemed to be due to the phosphor on one of the four LEDs flaking off, exposing the individual UV LEDs underneath. Generally, white LEDs are just UV LEDs that have a phosphor coating on top that converts this UV into broad band visible (white) or a specific wavelength, so this failure mode makes perfect sense.
Putting the PCB under a microscope and comparing the failed LED package with the others made it obvious that the phosphor had crumbled on more than just the one package: the remaining three showed clear cracks in the phosphor coating. Whether due to the heat in these high-intensity spot lamps or just age, clearly over time these white LED packages become just UV LEDs. Ideally you could dab on some fresh phosphor, but likely the fix is to replace these LED packages every few years until the power supply in the bulb gives up the ghost.
Thanks to [ludek111] for the tip.
You Wouldn’t Download A Skateboard?
At the end of the day, a skateboard boils down to a plank of wood with some wheels. They are wonderfully simple and fun and cheap modes of transportation. But this is Hackaday, so we are not here to talk about any normal skateboard, but one you can download and print. [megalog_’s] Skateboard MK2 is made almost entirely of 3D printed plastic, save some nuts and bolts.
The board’s four piece deck comes in at a modest 55cm length and features a rather stylish hexagonal pattern for grip. While you could presumably bring your own trucks, 3D printable ones are provided as well. The pieces bolt together to create a fairly strong deck with the option to make a rather stylish two tone print if you have the printer for it. Where the pieces meet is also the location of the truck mounting, further increasing the board’s strength. The weakest point is where the tail meets the main deck: if the tail is pressed down to wheelie or ollie, the print breaks apart at the layer lines.
While you might be able to bring your own trucks, albeit with some modification to the deck, [megalog] also provided models for those as well. Not only were the bushings made of flexible TPE filament, but the outer wheel tire is too. It’s a little strange to see a wheel tire combo on a skateboard, when they are traditionally over moulded plastic with enough tire that you would be forgiven for thinking there is no wheel. While some reported using the more traditional threaded rod, the trucks used a metal rod with shaft collars to attach the wheels.
This is a neatly executed skateboard build with a well thought out design. Let us know in the comments if you will (or have) made one yourself! While you’re at it, maybe cast your own resin wheels for it!
Italy leads the world in precarious work; five Yes votes at the referendums to erase years of lies, says Emiliano Brancaccio
Interview by Umberto De Giovannangeli - "Our country has cut protections more than any other. ‘We must create more jobs’ was the mantra of the neoliber… (Rifondazione Comunista)
Deleting yourself from Facebook
On February 9 I deleted my Facebook account; the system told me that for 30 days it would only be deactivated and that the actual deletion would take place only 30 days later.
It is now May 30 and my account is still there.
Tonight I logged in again and repeated the procedure, at the end of which the system once again confirmed that my deletion request had been received and that the account had been scheduled for deletion, but that for 30 days it would only be deactivated, in case I changed my mind.
Has any of you actually managed to delete your account?
In the meantime I have written to the Garante per la Privacy reporting the problem and asking what I need to do to have my right to be removed from that social network respected.
Tidy LED Matrix Displays GIFs On Demand
When it comes to LED matrixes, building one is just the first step. Then you have to decide what to display on it. [panjanek] came up with a relatively flexible answer to this question, building an RGB LED matrix that can display the GIFs of your choice.
The web interface accepts GIFs for display.
[panjanek] grabbed WS2812B addressable LEDs for this project, assembling them into a 32 x 32 matrix that fits perfectly inside an off-the-shelf Ikea picture frame. The matrix is hooked up to an ESP8266 microcontroller, which acts as the brains of the operation. The WiFi-enabled microcontroller hosts its own web interface, with which the project can be controlled. Upon opening the page, it’s possible to upload a GIF file that will be displayed as an animation on the matrix itself. It’s also possible to stream UDP packets of bitmap data to the device to send real-time animations over a network.
It’s a neat build, and one that answers any questions of what you might display on your LED matrix when you’re finished assembling it. Code is on Github if you fancy implementing the GIF features in your own work. We’ve featured some unexpected LED matrix builds of late, like this innovative device for the M.2 slot. Meanwhile, if you’re cooking up your own creative LED builds, don’t hesitate to let us know on the tipsline!
Risking free speech won’t protect kids
Dear Friend of Press Freedom,
It’s now the 66th day that Rümeysa Öztürk is facing deportation by the United States government for writing an op-ed it didn’t like. More press freedom news below.
Risking free speech won’t protect kids
Federal agencies are transforming into the speech police under President Donald Trump. So why are some Democrats supporting the Kids Online Safety Act, a recently reintroduced bill that would authorize the MAGA-controlled Federal Trade Commission to enforce censorship?
As Freedom of the Press Foundation (FPF) senior advocacy adviser Caitlin Vogus wrote for The Boston Globe, there’s never an excuse for supporting censorship bills, but especially when the political loyalists at the FTC are sure to abuse any power they’re given to stifle news on disfavored topics. Read the op-ed here.
We’re ready to sue if Paramount executives sell out the press
We’ve written previously about how Trump’s frivolous complaint against Paramount Global over CBS News’ editing of an interview with Kamala Harris threatens the freedoms of other news outlets. Yesterday, Trump proved it by claiming his $20 billion damages demand is based on “mental anguish” due to the answer – which doesn’t even mention him. How’s that for a “snowflake”?
As we informed Paramount Global executives last week, we plan to file a shareholder derivative lawsuit if Paramount settles. We believe any settlement – let alone the eight figure range being discussed – would be an effort to launder bribe money through the courts and would damage Paramount irreparably.
Reports this week in the Los Angeles Times, The Wall Street Journal, and elsewhere have noted that executives fear derivative liability if they settle. They should. Read more here.
Phone companies keep journalist surveillance secret
A letter by Sen. Ron Wyden about surveillance of senators’ phone lines has an important lesson for journalists, too: Be careful in selecting your phone carrier.
Wyden wrote his Senate colleagues revealing which wireless carriers inform customers about government surveillance requests (Cape, Google Fi, and US Mobile), and which don’t (AT&T, Boost Mobile, Charter/Spectrum, Comcast/Xfinity Mobile, T-Mobile, and Verizon). Read more here.
Fallout from silencing Voice of America
As a reporter on the press freedom beat, Liam Scott chronicled abuses against journalists for Voice of America. But now, Scott himself is part of the story.
In March, Trump signed an executive order gutting the United States Agency for Global Media, which oversees VOA. Scott and his colleagues have been or are set to be terminated imminently, and the website hasn’t published a new story in months.
We spoke to Scott about his unique perspective on current threats to press freedom, as both a victim and a journalist covering them. We were joined by Jason Scott of Archive Team, who is working to preserve VOA’s content should it be taken offline. Read more and watch the webinar here.
Administration abuses secrecy rules
Lauren Harper, FPF’s Daniel Ellsberg chair on government secrecy, joined MeidasTouch Network’s Legal AF podcast, “Court of History,” to explain how the Trump administration is abusing secrecy to control the news narrative — and how an FPF Freedom of Information Act win revealed the truth.
Harper was joined by University of Maryland professor Jason Baron in a wide-ranging discussion with co-hosts Sidney Blumenthal and Sean Wilentz. Watch the video podcast here.
Federal police reforms repealed
The same week the Justice Department announced it was dropping federal oversight programs and investigations into more than two dozen police departments, including in Minneapolis, the city held a remembrance marking five years since the murder of George Floyd by a local police officer.
Police abuses of protestors and journalists during the demonstrations that followed Floyd’s murder led to the now-abandoned reforms, including consent decrees in Minneapolis and Louisville dealing with how police should interact with journalists covering protests and their aftermaths. The U.S. Press Freedom Tracker, a project of FPF, has more. Read the Tracker’s coverage here.
What we’re reading
Greene County policy barring staff from speaking to press ‘unconstitutional,’ experts say (The Daily Progress). Local government employees should be able to talk to the press. But in Greene County, Virginia, they can’t. We told The Daily Progress that the county policy is unconstitutional.
Journalist sues LA county, ex-LA county sheriff for criminally investigating her (The Dissenter). It’s good to see journalist Maya Lau stand up for journalists’ right to not be investigated and harassed for doing their jobs.
How to stand your ground, in three (not so easy) steps (American Crisis). Institutions shouldn’t cave to Trump’s threats. Thanks to Margaret Sullivan for citing our plans to sue if Paramount settles with Trump as an example on how to stand your ground.
FBI visits me over manifesto (Ken Klippenstein). Journalists’ sources and newsgathering are none of the FBI’s business. They don’t seriously think Klippenstein was some kind of conspirator — they just want to intimidate him and other journalists.
Silencing Voice of America has global consequences
As a reporter on the press freedom beat, Liam Scott chronicled abuses against journalists at home and abroad for Voice of America. But he was shocked when the experiences of those on the other side of the page became his own.
In March, President Donald Trump signed an executive order suddenly gutting the United States Agency for Global Media, which oversees VOA. Scott and hundreds of colleagues have been or are set to be terminated imminently, and the international news service’s website hasn’t published a new story in months.
To understand more about how Trump’s anti-press tactics threaten the independence of public-interest journalism and what comes next for press freedom in the U.S. and around the world, Freedom of the Press Foundation (FPF) hosted an online webinar May 23 with Scott and Archive Team Co-founder Jason Scott, who is working to preserve VOA’s content should it be taken offline.
“After several years of covering press freedom issues, it still feels weird to be in the midst of a press freedom issue that is affecting me and my colleagues,” Liam Scott said. “There is actually a lot that is happening here that reminds me of what I’ve reported on in other countries.”
He also expressed significant concern for colleagues who are in the U.S. on visas. Without authorization to continue working here, they will be forced to return home to countries where austere rules about free speech can lead to jail time or worse, he cautioned.
“VOA has journalists now imprisoned in Myanmar, Vietnam, and Azerbaijan, and there are other journalists from Radio Free Europe and Radio Free Asia who are imprisoned in other countries around the world as well, just for doing their jobs,” Liam Scott said, referring to two other international news services long supported by the U.S. government. “So my immediate concern was if VOA and its sister outlets shut down, who is going to advocate for these reporters?”
Preserving VOA’s online content
While the fate of VOA’s employees hangs in the balance, so too does its website, a resource for readers who live in regions of censorship and can’t access this information anywhere else. Amid fears that the site and the reporting it hosts will vanish from the internet and leave behind thousands of stories, efforts are underway to preserve its contents.
Archive Team members, including Jason Scott, have created an “online footprint” of VOA’s website that contains over 400 gigabytes worth of stories. It’s paramount to ensure a replica of the site exists before its potential takedown, he said, because the work cannot be done retroactively.
“The conversation about whether or not to save something usually stops once it’s gone,” he added.
As a general rule of thumb, Jason Scott recommended that journalists keep multiple copies of their work in different locations, in the event they lose access to where their work is published.
Doing so is especially important in the current digital climate under the Trump administration, which has scrubbed countless federal webpages.
In that sense, said Jason Scott, it bears resemblance to a startup company.
“You move fast, you break things, you work it out later. If something can’t be explained to you in two seconds, get rid of it,” he added. This slash-and-burn approach, a Trump administration hallmark, can wreak havoc for preservation efforts because it evokes a digital “entropy” that can change data access on a dime, said Jason Scott.
While trawling internet data can be exhausting, so can reporting through censorship. Liam Scott, who has continued his work on the press freedom beat at outlets elsewhere, said it’s important “to not get fatigued” and to remember that threats and retaliation are often reactions to strong journalism, which underscores the need to protect the rights of those doing the work.
“Attacks on journalists are also attacks on the public,” he said. “Because when you’re attacking a journalist, you’re attacking the information that they’re trying to share with their audience — information that is so important for how we live our lives.”
Just as accountability is met with reprisal, archiving data is met with unpredictability. As the Archive Team compiles the work of countless VOA journalists who risked their lives to report the truth, Jason Scott said to remember that data preservation is an uphill battle. The power to decide what stays online often belongs to those with the most effective keys to the internet: powerful institutions like the government.
“Data is an incredible devil’s bargain,” he said. “Entropy is the house, and the house always wins.”
Behind the Blog: Lighting Money on Fire and the Meaning of Vetting
This week, we discuss an exciting revamp of The Abstract, tech betrayals, and the "it's for cops" defense. Joseph Cox (404 Media)
2025 Pet Hacks Contest: Keep The Prey At Bay With The Cat Valve
Some cats are what you might call indoor cats, happy to stretch out in the lap of indoor luxury and never bother themselves with the inclement outdoors again. Others however are fully in touch with their Inner Cat, and venture forth frequently in search of whatever prey they can find.
[Rkramer] has a cat of this nature, sadly one with a propensity for returning with live prey. To avoid this problem a solution is called for, and it comes in the shape of the Cat Valve, an automated cat door which enforces a buffer zone in their cellar to prevent unwanted gifts.
It’s a simple enough idea: when an IR sensor connected to a Raspberry Pi 4 detects the cat heading out into the world through the exterior cat flap, the computer fires up a motor connected to a lead screw which closes the flap between buffer zone and house. The cat then has the safety of the buffer zone, but can’t bring the prey fully inside.
If you’re a cat lover you’ll forgive them anything, but we have to admit to being on [Rkramer]’s side with this one. A useful way to keep the prey at bay is something we could have used a few times in the past, too. This project is part of the 2025 Pet Hacks contest. Done something similar for your cat? Why not make it an entry!
The contested Arctic. Global competition and Italy's role
@Notizie dall'Italia e dal mondo
A crossroads of global and regional geopolitical interests, the Arctic and its dynamics affect international economic, political and strategic developments. The Arctic contest today sees the emergence and strengthening of old and new players, competing for primacy over the far North. If
Aggressive telemarketing, the real estate agency cannot keep files on its clients: the fine
@Informatica (Italy e non Italy 😁)
The phenomenon of aggressive telemarketing in real estate brokerage has come under the scrutiny of the Garante per la protezione dei dati personali, which is stepping in with heavy fines. The violations found concern numerous
Hackaday Podcast Episode 323: Impossible CRT Surgery, Fuel Cells, Stream Gages, and a Love Letter to Microcontrollers
Elliot and Dan teamed up this week for the podcast, and after double-checking, nay, triple-checking that we were recording, got to the business of reviewing the week’s hacks. We kicked things off with a look at the news, including a potentially exciting Right to Repair law in Washington state and the sad demise of NASA’s ISS sighting website.
Our choice of hacks included a fond look at embedded systems and the classic fashion sense of Cornell’s Bruce Land, risky open CRT surgery, a very strange but very cool way to make music, and the ultimate backyard astronomer’s observatory. We talked about Stamp collecting for SMD prototyping, crushing aluminum with a boatload of current, a PC that heats your seat, and bringing HDMI to the Commodore 64.
We also took a look at flight tracking IRL, a Flipper-based POV, the ultimate internet toaster, and printing SVGs for fun and profit. Finally, we wrapped things up with a look at the tech behind real-time river flow tracking and a peek inside the surprisingly energetic world of fuel cells.
Download this entirely innocent-looking MP3.
Episode 323 Show Notes:
News:
- Washington Consumers Gain Right To Repair For Cellphones And More
- NASA Is Shutting Down The International Space Station Sighting Website
- 2025 Pet Hacks Contest
What’s that Sound?
Interesting Hacks of the Week:
- A Love Letter To Embedded Systems By V. Hunter Adams
- ECE 4760 repo
- Designing with Microcontrollers – Old projects from Bruce Land’s days at the helm of ECE 4760
- A RISC-V Operating System Instruction Manual
- Reconditioning A Vintage CRT Tube
- A 100-Year-Old Electronic Musical Instrument Brought Back To Life
- Making A Backyard Observatory Complete With Retractable Roof
- Stamp: Modular Breakout Boards For SMD Prototyping
- EMF Forming Was A Neat Aerospace Breakthrough
Quick Hacks:
- Elliot’s Picks:
  - Invisible PC Doubles As Heated Seat
  - Tool Turns SVGs Into Multicolor 3D Prints
  - From Burnt To Brilliant: A Toaster’s Makeover
- Dan’s Picks:
  - POV On The Flipper Zero
  - The Commodore 64 Gets An HDMI Upgrade
  - Look To The Sky With This Simple Plane Tracker
Can’t-Miss Articles:
Terrarium accessories - This is an automatic post from FediMercatino.it
Price: 35 €
Reptile lamp kit consisting of:
2 lamp holders designed for terrariums
1 ceramic heat lamp
1 UV neon lamp
2 heat lamps (one of which is still new in its box).
Everything works; selling because unused.
Price: 35 € :: This is an item available on FediMercatino.it
Please reply with a direct/private message to the person who posted the listing.
For information about Fedimercatino: About us
Fender GE-412 4x12 cabinets - This is an automatic post from FediMercatino.it
Price: 320 €
Selling, because unused, a pair of Fender cabinets as per the title. The cabinets work but show signs of wear, as in the photos. I have no way of testing them; hand delivery.
170 € each, 320 € if bought as a pair.
Price: 320 € :: This is an item available on FediMercatino.it
NATO rewrites the concept of security and widens the spending umbrella to cyber
@Notizie dall'Italia e dal mondo
In the end, a compromise appears to have been found a month before the NATO summit in The Hague, in the Netherlands. It satisfies the United States, which with Donald Trump's return to the White House is asking the 31 allies to spend more on defense, up to 5%. It satisfies the countries of Central and Eastern Europe, which were aiming […]
The Jobs Act referendum is a crossroads for the PD
@Politica interna, europea e internazionale
In their cynicism, Meloni's supporters are at least partly right: the referendums of next June 8 and 9 are, in part, the tail end of the PD congress and, should they go badly, its overturning. If the quorum is reached, in fact, Elly Schlein, commendably lined up in favor of the 5 Yes votes to restore dignity to
VenomRAT alert: the fake Bitdefender antivirus that steals credentials and cryptocurrency
@Informatica (Italy e non Italy 😁)
A new criminal campaign of the VenomRAT malware has been identified which, posing as a fake Bitdefender antivirus, aims to steal credentials, sensitive data and cryptocurrency from the victims of this sophisticated typosquatting attack and
OPINION. Europe will never reach an agreement on Israel, but it can help Gaza
@Notizie dall'Italia e dal mondo
The EU is Israel's main trading partner, and this gives it the ability to change the course of the offensive in Gaza
DIY Solar Generator Inspired By James Webb Telescope
If you look at this solar generator from [Concept Crafted Creations], you might think it’s somehow familiar. That’s because the design was visually inspired by the James Webb Space Telescope, or JWST. Ultimately, though, its purpose is quite different: it’s designed to use mirrors to collect and harness solar energy. It’s not quite there yet, but it’s an interesting exploration of an eye-catching solar thermal generator.
To get that JWST look, the build has 18 mirrors assembled on a 3D printed frame to approximate the shape of a larger parabolic reflector. The mirrors focus all the sunlight such that it winds up heating water passing through an aluminum plate. Each mirror was custom made using laser cut acrylic and mirror film. Each mirror’s position and angle can be adjusted delicately with screws and a nifty sprung setup, which is a whole lot simpler than the mechanism used on the real thing. The whole assembly is on a mount that allows it to track the movement of the sun to gain the most sunlight possible. There’s a giant laser-cut wooden gear on the bottom that allows rotation on a big Lazy Susan bearing, as well as a servo-driven tilting mechanism, with an Arduino using light dependent resistors to optimally aim the device.
It’s a cool-looking setup, but how does it compare with photovoltaics? Not so well. The mirror array was able to deliver around 1 kilowatt of heat into the water passing through the system, heating it to a temperature of approximately 44 C after half an hour. The water was warmed, but not to the point of boiling, and there are no turbines or anything else hooked up to actually take that heat and turn it into electricity yet. Even if there were, it’s unlikely the system would reach the efficiency of a similarly-sized solar panel array. In any case, so far, the job is half done. As explained in the build video, it could benefit from some better mirrors and some structural improvements to help it survive the elements before it’s ready to make any real juice.
Ultimately, if you need solar power fast, your best bet is to buy a photovoltaic array. Still, solar thermal is a concept that has never quite died out.
Landini to TPI: “With the referendums citizens become protagonists again; there are wrong laws to repeal”
@Politica interna, europea e internazionale
Landini, on June 8 and 9 there is a vote on five referendums. But do Italians know? «From what we have been able to observe in the places where we ran the referendum campaign, a substantial share of Italians, before our
Varcare le frontiere by Sabino Cassese
@Politica interna, europea e internazionale
«Interrogating memory is a difficult exercise», a challenge, at times a gamble. It is certainly an opportunity to draw valuable lessons, as shown by these pages in which Sabino Cassese, one of Italy's best-known jurists, retraces his long career as a scholar, or rather as a savant. Not a «search for time
Scenarios for a new jurisdiction
@Politica interna, europea e internazionale
May 30 and 31, 2025 at Villa Piccolo, Capo d’Orlando. Friday, May 30, 2025, 2:30 pm. Introduction by Avv. Domenico Magistro, President of the Camera Penale di Patti. Institutional greetings: Avv. Lara Trifilò, President of the Ordine Avvocati di Patti; Avv. Andrea Pruiti Ciarello, President of the Fondazione Piccolo di Calanovella; Dr. Mario Samperi,
Perché l’Ucraina combatte by Michele Chiaruzzi and Sofia Ventura
@Politica interna, europea e internazionale
With the annexation of Crimea and the occupation of Donbas (in 2014) and then with the all-out war launched against Ukraine (in 2022), Russia showed its will to power, without reckoning, however, that the latter could shatter against a symmetrical will
Libsophia #16 – Justice with Ermanno Ferretti
@Politica interna, europea e internazionale
The article Libsophia #16 – Giustizia con Ermanno Ferretti comes from Fondazione Luigi Einaudi.
This Week in Security: CIA Star Wars, Git* Prompt Injection and More
The CIA ran a series of web sites in the 2000s. Most of them were about news, finance, and other relatively boring topics, and they spanned 29 languages. And they all had a bit of a hidden feature: Those normal-looking websites had a secret login and hosted CIA cover communications with assets in foreign countries. A password typed in to a search field on each site would trigger a Java Applet or Flash application, allowing the spy to report back. This isn’t exactly breaking news, but what’s captured the Internet’s imagination this week is the report by [Ciro Santilli] about how to find those sites, and the fact that a Star Wars fansite was part of the network.
This particular CIA tool was intended for short-term use, and was apparently so effective, it was dragged way beyond its intended lifespan, right up to the point it was discovered and started getting people killed. And in retrospect, the tradecraft is abysmal. The sites were hosted on a small handful of IP blocks, with the individual domains hosted on sequential IP addresses. Once one foreign intelligence agency discovered one of these sites, the rest were fairly easily identified.
This report is about going back in time using the Wayback Machine and other tools, and determining how many of these covert sites can be discovered today. And then documenting how it was done and what the results were. Surprisingly, some of the best sources for this effort were domain name data sets. Two simple checks to narrow down the possible targets were checking for IPs hosting only one domain, and for the word “news” as part of the domain name. From there, it’s the tedious task of looking at the Wayback Machine’s archives, trying to find concrete hits. Once a site was found on a new IP block, the whole block could be examined using historic DNS data, and hopefully more of the sites discovered.
So far, that list is 472 domains. Citizen Lab ran a report on this covert operation back in 2022, and found 885 domains, but opted not to publish the list or details of how they were found. The effort is still ongoing, and if you have any ideas how to find these sites, there’s a chance to help.
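The hosting pattern described above (IPs that serve a single domain, sitting on sequential addresses) is easy to measure in any set of domain-to-IP records, which is what made it such a weak footprint. The following is an added example, not code from the report: the records are constructed, use documentation address ranges and reserved example names, and the function names and the `min_run` threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (domain, IPv4). Documentation ranges and
# reserved ".example" names only; this is not data from the report.
SAMPLE_RECORDS = [
    ("worldnews-a.example", "192.0.2.10"),
    ("finance-daily.example", "192.0.2.11"),
    ("sportsnews-b.example", "192.0.2.12"),
    ("travel-notes.example", "192.0.2.13"),
    ("shop-one.example", "192.0.2.40"),      # ordinary shared hosting:
    ("shop-two.example", "192.0.2.40"),      # several domains on one IP
    ("shop-three.example", "192.0.2.40"),
    ("lonely-blog.example", "198.51.100.7"),
    ("newsletter.example", "198.51.100.200"),
]


def single_domain_ips(records):
    """Map each IP that hosts exactly one domain to that domain."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ipaddress.IPv4Address(ip)].add(domain.lower())
    return {ip: next(iter(names)) for ip, names in by_ip.items()
            if len(names) == 1}


def sequential_runs(records, min_run=3):
    """Return runs of consecutive addresses that each host one domain.

    A long run is the clustering signal: adjacent addresses, each
    dedicated to a single site, all in the same block.
    """
    singles = single_domain_ips(records)
    runs, current = [], []
    for ip in sorted(singles):
        if current and int(ip) == int(current[-1]) + 1:
            current.append(ip)
            continue
        if len(current) >= min_run:
            runs.append(current)
        current = [ip]
    if len(current) >= min_run:
        runs.append(current)
    return [[(str(ip), singles[ip]) for ip in run] for run in runs]


def keyword_hits(records, keyword="news"):
    """Single-domain hosts whose name contains the keyword (a coarse filter)."""
    return sorted(d for d in single_domain_ips(records).values()
                  if keyword in d)


if __name__ == "__main__":
    for run in sequential_runs(SAMPLE_RECORDS):
        print("sequential single-domain block:", run)
    print("keyword matches:", keyword_hits(SAMPLE_RECORDS))
```

The keyword filter also matches `newsletter.example`, which shows why the article treats both checks as a way to narrow candidates before manual review rather than as proof.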
Profiling Internet Background Radiation
You may have noticed that as soon as you put a host on a new IP address on the Internet, it immediately starts receiving traffic. The creative term that refers to all of this is Internet Background Radiation. It’s composed of TCP probes, reflections from spoofed UDP attacks, and lots of other weird traffic. Researchers at Netscout decided to look at just one element of that radiation, TCP SYN packets. That’s the unsolicited first packet of a TCP handshake. What secrets would this data contain?
The first intriguing statistic is the number of spoofed TCP SYN packets coming from known bogus source IPs: zero. This isn’t actually terribly surprising for a couple reasons. One, packets originating from impossible addresses are rather easy to catch and drop, and many ISPs do this sort of scrubbing at their network borders. But the second reason is that TCP requires a three-way handshake to make a useful connection. And while it’s possible to spoof an IP address on a local network via ARP poisoning, doing so on the open Internet is much more difficult.
Packet TTL is interesting, but the values naturally vary, based on the number of hops between the sender and receiver. A few source IPs were observed to vary in reported TTLs, which could indicate devices behind NAT, or even just the variation between different OS network stacks. But looking for suspicious traffic, two metrics really stand out. The TCP header is a minimum of 20 bytes, and grows with each additional option specified. Very few systems will naturally send TCP SYN packets with a 20-byte header, suggesting that the observed traffic at that length was mostly TCP probes. The other interesting observation is the TCP window size, with 29,200 being a suspicious number that was observed in a significant percentage of packets, without a good legitimate explanation.
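The two header-level heuristics above, as an added example (not Netscout's tooling and not code from the original article): Python that parses raw IPv4 packets, keeps only bare SYNs, and tags those with a 20-byte TCP header or a window of 29,200. The function names, reason labels and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

MIN_TCP_HEADER = 20        # bytes; a header this short carries no TCP options
SUSPICIOUS_WINDOW = 29200  # window size singled out in the text above

def parse_syn(packet: bytes):
    """Return fields of a bare TCP SYN in a raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                      # bad IHL, not TCP, or truncated
    tcp = packet[ihl:]
    _sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    header_len = (off_flags >> 12) * 4   # data offset is counted in 32-bit words
    if (off_flags & 0x12) != 0x02 or header_len < MIN_TCP_HEADER or len(tcp) < header_len:
        return None                      # need SYN set, ACK clear, sane header
    return {"src": ".".join(map(str, packet[12:16])), "ttl": packet[8],
            "dport": dport, "tcp_header_len": header_len, "window": window}

def classify(fields):
    """Apply the two heuristics from the text; returns a list of reasons."""
    checks = (("no-tcp-options", fields["tcp_header_len"] == MIN_TCP_HEADER),
              ("window-29200", fields["window"] == SUSPICIOUS_WINDOW))
    return [name for name, hit in checks if hit]

def profile(packets):
    """Tally heuristic hits over captured packets and list the flagged sources."""
    tally, flagged = Counter(), []
    for fields in filter(None, map(parse_syn, packets)):
        reasons = classify(fields)
        tally.update(reasons or ["unremarkable"])
        flagged += [(fields["src"], fields["dport"], reasons)] if reasons else []
    return tally, flagged

def build_syn(src, ttl, dport, window, options=b"", flags=0x02):
    """Build a constructed sample packet (checksums zero, unused by the parser)."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0,
                      ((20 + len(options)) // 4 << 12) | flags, window, 0, 0) + options
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                       bytes(map(int, src.split("."))), bytes([192, 0, 2, 10])) + tcp

# Constructed option block: MSS, SACK-permitted, timestamps, NOP, window scale (20 bytes)
OPTS = bytes.fromhex("020405b40402080a0000000000000000" "01030307")
SAMPLES = [build_syn(*args) for args in (
    ("198.51.100.7", 52, 443, 64240, OPTS), ("203.0.113.5", 241, 23, 1024),
    ("203.0.113.9", 48, 22, 29200, OPTS), ("203.0.113.77", 50, 80, 29200),
    ("198.51.100.8", 60, 443, 29200, b"", 0x12))]  # last one is a SYN-ACK, ignored
```

Calling `profile(SAMPLES)` returns the per-heuristic tally and the list of flagged sources; on a sensor, the same functions can be fed packets read from a capture file.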
Hacking the MCP
GitHub has developed the GitHub MCP Server, a Model Context Protocol server, designed to allow AI agents to interact with the GitHub API. Invariant Labs has put together an interesting demo of how letting an agentic AI work with arbitrary issues from the public could be a bad idea.
The short explanation is that a GitHub issue can include a prompt injection attack. In the example, it looks rather benign, asking for more information about the project author to be added to the project README. It takes just a few careful details in that issue, like specifying that the author isn’t concerned about privacy, and that the README update should link to all the user’s other repos. If the repo owner lets an agentic AI loose on the repo via MCP, it’s very likely to leak details and private repo information that it really shouldn’t.
Invariant Labs suggests that MCP servers will need granular controls, limiting what an AI agent can access. I suspect we’ll eventually see a system for new issues like GitHub already has for Pull Requests, where a project maintainer has to approve the PR before any of the automated GitHub Actions are performed on it. Once AI is a normal part of dealing with issues, there will need to be tools to keep the AI from interacting with new issues until a maintainer has cleared them.
GitLab Too
GitLab has their own AI integration, GitLab Duo. Like many AI things, it has the potential to be helpful, and the potential to be a problem. Researchers at Legit Security included some nasty tricks in this work, like hiding prompt injection as hex code, and coloring it white to be invisible on the white GitLab background. Prompt injections could then ask the AI to recommend malicious code, include raw HTML in the output, or even leak details from private repos.
GitLab took the report seriously, and has added additional filtering that prevents Duo from injecting raw HTML in its output. The prompt injection has also been addressed, but the details of how are not fully available.
Finally, Actually Hacking the Registry
We’ve been following Google’s Project Zero and [Mateusz Jurczyk] for quite a while, on a deep dive into the Windows Registry. We’re finally at the point where we’re talking about vulnerabilities. The Windows registry is self-healing, which could be an attack surface on its own, but it definitely provides a challenge to anyone looking for vulnerabilities with a fuzzer, as triggering a crash is very difficult.
But as the registry has evolved over time and Windows releases, the original security assumptions may not be valid any longer. For instance, in its original form, the registry was only writable by a system administrator. But on modern Windows machines, application hives allow unprivileged users and processes to load their own registry data into the system registry. Registry virtualization and layered keys further complicate the registry structure and code, and with complexity often come vulnerabilities.
An exploit primitive that turned out to be useful was the out-of-bounds cell index, where one cell can refer to another. This includes a byte offset value, and when the cell being referred to is a “small dir”, this offset can point past the end of the allocated memory.
There were a whopping 17 memory corruption exploits discovered, but to produce a working exploit, the write-up uses CVE-2023-23420, a use-after-free that can be triggered by performing an in-place rename of a key, followed by deleting a subkey. This can result in a live reference to that non-existent subkey, and thus access to freed memory.
In that free memory, a fake key is constructed. As the entire data structure is now under the arbitrary control of the attacker, the memory can point to anywhere in the hive. This can be combined with the out-of-bounds cell index, to manipulate kernel memory. The story turns into a security researcher flex here, as [Mateusz] opted to use a couple registry keys rigged in this way to make a working kernel memory debugger, accessible from regedit. One key sets the memory address to inspect, and the other key contains said memory as a writable key. Becoming SYSTEM at this point is trivial.
Bits and Bytes
[Thomas Stacey] of Assured has done work on HTTP smuggling/tunneling attacks, where multiple HTTP requests exist in a single packet. This style of attack works against web infrastructure that has a front-end proxy and a back-end worker. When the front-end and back-end parse requests differently, very unintended behavior can result.
ONEKEY researchers have discovered a pair of issues in the Evertz core web administration interface that together allow unauthenticated arbitrary command injection. Evertz manufactures very large video handling equipment, used widely in the broadcast industry, which is why it’s so odd that the ONEKEY private disclosure attempts were completely ignored. As the standard 90 day deadline has passed, ONEKEY has released the vulnerability details in full.
On the other hand, Mozilla is setting records of its own, releasing a Firefox update on the same day as exploits were revealed at Pwn2Own 2025. Last year Mozilla received the “Fastest to Patch” award, and may be on track to repeat that honor.
What does video game cheat development have to do with security research? It’s full of reverse engineering, understanding memory structures, hooking functions, and more. It’s all the things malware does to take over a system, and all the things a researcher does to find vulnerabilities and understand what binaries are doing. If you’re interested, there’s a great two-part series on the topic just waiting for you to dive into. Enjoy!
AI and the value of data: toward a vision based on quality, relevance and sustainability
@Informatica (Italy e non Italy 😁)
In an increasingly competitive AI economy, the winners will be the companies able to turn a small amount of well-chosen data into a concrete, measurable advantage: extracting the maximum value from the minimum data necessary. This approach offers a
Podcast. Sudan ever deeper in the abyss. The nightmare of drones
@Notizie dall'Italia e dal mondo
The African country, devastated by two years of civil war, now has to reckon with the ambitions and appetites of the Emirates, which refuse to give up control of its gold reserves.
The article Podcast. Sudan pagineesteri.it/2025/05/30/afr…
Femicide of Martina Carbonaro, De Luca: “She was in a relationship at 12, that is a problem” | VIDEO
@Politica interna, europea e internazionale
Controversy has erupted over the statements of the governor of Campania, Vincenzo De Luca, who, commenting on the femicide of Martina Carbonaro, the 14-year-old killed in Afragola by her ex-boyfriend, 19-year-old Alessio Tucci, stressed the fact that the girl had been in a relationship since
We don't need AI. AI needs us.
Stefano
in reply to Max su Poliverso 🇪🇺🇮🇹 • • •