Inside an Edison Phonograph
If you think of records as platters, you are of a certain age. If you don’t remember records at all, you are even younger. But there was a time when audio records were not flat — they were drums, which was how the original Edison phonograph worked. [Our Own Devices] did a video earlier showing one of these devices, but since it was in a museum, he didn’t get to open it up. Lucky for us, he now has one of his own, and we get to see inside in the video below.
Ironically, Edison was deaf yet still invented the phonograph. While he did create the working phonograph — his self-identified most important invention — the original invention wasn’t commercially viable. You could record and playback audio on tin foil wrapped around a drum. But you couldn’t remove the foil without destroying it.
Edison was busy, but another inventor related to Bell created a similar system that used wax cylinders instead of foil. Edison’s vision for his invention didn’t include popular music, which hurt sales.
If you want to skip the history lesson — although it is well worth watching — you can skip to the 9-minute mark. You can hear the machine play and then see the box come off.
Oddly, people were recording things before they were able to play them back. Keeping a machine like this running can be quite a challenge.
youtube.com/embed/fFjpRdBtoBc?…
How Shrinking Feature Size Made Modern Wireless Work
If you’re living your life right, you probably know what as MOSFET is. But do you know the MESFET? They are like the faster, uninsulated, Schottky version of a MOSFET, and they used to rule the roost in radio-frequency (RF) silicon. But if you’re like us, and you have never heard of a MESFET, then give this phenomenal video by [Asianometry] a watch. In it, among other things, he explains how the shrinking feature size in CMOS made RF chips cheap, which brought you the modern cellphone as we know it.
The basic overview is that in the 1960s, most high-frequency stuff had to be done with discrete parts because the bipolar-junction semiconductors of the time were just too slow. At this time, MOSFETs were just becoming manufacturable, but were even slower still. The MESFET, without its insulating oxide layer between the metal and the silicon, had less capacitance, and switched faster. When silicon feature sizes got small enough that you could do gigahertz work with them, the MESFET was the tech of choice.
As late as the 1980s, you’d find MESFETs in radio devices. At this time, the feature size of the gates and the thickness of the oxide layer in MOSFETs kept them out of the game. But as CPU manufacturers pushed CMOS theses features smaller, not only did we get chips like the 8086 and 80386, two of Intel’s earliest CMOS designs, but the tech started getting fast enough for RF. And the world never looked back.
If you’re interested in the history of the modern monolithic RF ICs, definitely give the 18-minute video a watch. (You can skip the first three or so if you’re already a radio head.) If you just want to build some radio circuits, this fantastic talk from [Michael Ossmann] at the first-ever Supercon will make you an RF design hero. His secrets? Among them, making the most of exactly these modern everything-in-one-chip RF ICs so that you don’t have to think about that side of things too hard.
Thanks [Stephen] for the tip!
How a Tiny Relay Became a USB Swiss Army Knife
Meet the little board that could: [alcor6502]’s tiny USB relay controller, now evolved into a multifunction marvel. Originally built as a simple USB relay to probe the boundaries of JLCPCB’s production chops, it has become a compact utility belt for any hacker’s desk drawer. Not only has [alcor6502] actually built the thing, he even provided intstructions. If you happened to be at Hackaday in Berlin, you now might even own one, as he handed out twenty of them during his visit. If not, read on and build it yourself.
This thing is not just a relay, and that is what makes it special. Depending on a few solder bridges and minimal components, it shape-shifts into six different tools: a fan controller (both 3- and 4-pin!), servo driver, UART interface, and of course, the classic relay. It even swaps out a crystal oscillator for USB self-sync using STM32F042‘s internal RC – no quartz, less cost, same precision. A dual-purpose BOOT0 button lets you flash firmware and toggle outputs, depending on timing. Clever reuse, just like our mothers taught us.
It’s the kind of design that makes you want to tinker again. Fewer parts. More function. And that little smile when it just works. If this kind of clever compactness excites you too, read [alcor6502]’s build log and instructions here.
If You’re 3D Scanning, You’ll Want a Way To Work with Point Clouds
3D scanning is becoming much more accessible, which means it’s more likely that the average hacker will use it to solve problems — possibly odd ones. That being the case, a handy tool to have in one’s repertoire is a way to work with point clouds. We’ll explain why in a moment, but that’s where CloudCompare comes in (GitHub).
CloudCompare is an open source tool with which one can load up and do various operations on point clouds, including generating mesh models from them. Point clouds are what 3D scanners create when an object is scanned, and to become useful, those point clouds are usually post-processed into 3D models (specifically, meshes) like an .obj or .stl file.
We’ve gone into detail in the past about how 3D scanning works, what to expect from it, and taken a hands-on tour of what an all-in-one wireless scanner can do. But what do point clouds have to do with getting the most out of 3D scanning? Well, if one starts to push the boundaries of how and to what purposes 3D scanning can be applied, it sometimes makes more sense to work with point clouds directly instead of the generated meshes, and CloudCompare is an open-source tool for doing exactly that.
For example, one may wish to align and merge two or more different clouds, such as from two different (possibly incomplete) scans. Or, you might want to conduct a deviation analysis of how those different scans have changed. Alternately, if one is into designing wearable items, it can be invaluable to be able to align something to a 3D scan of a body part.
It’s a versatile tool with numerous tutorials, so if you find yourself into 3D scanning but yearning for more flexibility than you can get by working with the mesh models — or want an alternative to modeling-focused software like Blender — maybe it’s time to work with the point clouds directly.
A Look Inside MacPaint
Usually when we talk about retrocomputing, we want to look at — and in — some old hardware. But [Z→Z] has a different approach: dissecting MacPaint, the Apple drawing program from the 1980s.
While the program looks antiquated by today’s standards, it was pretty hot stuff back in the day. Things we take for granted today were big deals at the time. For example, being able to erase a part of something you drew prompted applause at an early public demo.
We enjoyed the way the program was tested, too. A software “monkey” was made to type keys, move things, and click menus randomly. The teardown continues with a look inside the Pascal and assembly code with interesting algorithms like how the code would fill an area with color.
The program has been called “beautifully organized,” and [Z→Z] examines that assertion. Maybe the brilliance of it has been overstated, but it did work and it did influence many computer graphics programs over the years.
We love digging through old source code. Even old games. If you do your own teardowns, be sure to send us a tip.
Disney’s Bipedal, BDX-Series Droid Gets the DIY Treatment
[Antoine Pirrone] and [Grégoire Passault] are making a DIY miniature re-imagining of Disney’s BDX droid design, and while it’s still early, there is definitely a lot of progress to see. Known as the Open Duck Mini v2 and coming in at a little over 40 cm tall, the project is expected to have a total cost of around 400 USD.
Bipedal robots are uncommon, and back in the day they were downright rare. One reason is that the state of controlled falling that makes up a walking gait isn’t exactly a plug-and-play feature.
Walking robots are much more common now, but gait control for legged robots is still a big design hurdle. This goes double for bipeds. That brings us to one of the interesting things about the Open Duck Mini v2: computer simulation of the design is playing a big role in bringing the project into reality.
It’s a work in progress but the repository collects all the design details and resources you could want, including CAD files, code, current bill of materials, and links to a Discord community. Hardware-wise, the main work is being done with very accessible parts: Raspberry Pi Zero 2W, fairly ordinary hobby servos, and an BNO055-based absolute orientation IMU.
So, how far along is the project? Open Duck Mini v2 is already waddling nicely and can remain impressively stable when shoved! (A “testing purposes” shove, anyway. Not a “kid being kinda mean to your robot” shove.)
Check out the videos to see it in action, and if you end up making your own, we want to hear about it, so remember to send us a tip!
8 Pins For Linux
We’ve seen a Linux-based operating system made to run on some widely varying pieces of hardware over the years, but [Dimity Grinberg]’s latest project may be one of the most unusual. It’s a PCB with 3 integrated circuits on it which doesn’t seem too interesting at first, but what makes it special is that all three of those chips are in 8-pin SOIC packages. How on earth can Linux run on 8-pin devices? The answer lies as you might expect, in emulation.
Two of the chips are easy to spot, a USB-to-serial chip and an SPI RAM chip. The processor is an STM32G0 series device, which packs a pretty fast ARM Cortex M0+ core. This runs a MIPS emulator that we’ve seen on a previous project, which is ripe for overclocking. At a 148 MHz clock it’s equivalent to a MIPS running at about 1.4 MHz, which is just about usable. Given that the OS in question is a full-featured Debian, it’s not running some special take on Linux for speed, either.
We like some of the hardware hacks needed to get serial, memory, and SD card, onto so few pins. The SD and serial share the same pins, with a filter in place to remove the high-frequency SPI traffic from the low-frequency serial traffic. We’re not entirely sure what use this machine could be put to, but it remains an impressive piece of work.
Lockdown Remote Control Project is Free and Open
If you flew or drove anything remote controlled until the last few years, chances are very good that you’d be using some faceless corporation’s equipment and radio protocols. But recently, open-source options have taken over the market, at least among the enthusiast core who are into squeezing every last bit of performance out of their gear. So why not take it one step further and roll your own complete system?
Apparently, that’s what [Malcolm Messiter] was thinking when, during the COVID lockdowns, he started his own RC project that he’s calling LockDownRadioControl. The result covers the entire stack, from the protocol to the transmitter and receiver hardware, even to the software that runs it all. The 3D-printed remote sports a Teensy 4.1 and off-the-shelf radio modules on the inside, and premium FrSky hardware on the outside. He’s even got an extensive folder of sound effects that the controller can play to alert you. It’s very complete. Heck, the transmitter even has a game of Pong implemented so that you can keep yourself amused when it’s too rainy to go flying.
Of course, as we alluded to in the beginning, there is a healthy commercial infrastructure and community around other open-source RC projects, namely ExpressLRS and OpenTX, and you can buy gear that runs those software straight out of the box, but it never hurts to have alternatives. And nothing is easier to customize and start hacking on than something you built yourself, so maybe [Malcolm]’s full-stack RC solution is right for you? Either way, it’s certainly impressive for a lockdown project, and evidence of time well spent.
Thanks [Malcolm] for sending that one in!
The Transputer in your Browser
We remember when the transputer first appeared. Everyone “knew” that it was going to take over everything. Of course, it didn’t. But [Oscar Toledo G.] gives us a taste of what life could have been like with a JavaScript emulator for the transputer, you can try in your browser.
If you don’t recall, the transputer was a groundbreaking CPU architecture made for parallel processing. Instead of giant, powerful CPUs, the transputer had many simple CPUs and a way to chain them all together. Sounds great, but didn’t quite make it. However, you can see the transputer’s influence on CPUs even today.
Made to work with occam, the transputer was built from the ground up for concurrent programming. Context switching was cheap, along with simple message passing and hardware scheduling.
The ersatz computer has a lot of messages in Spanish, but you can probably muddle through if you don’t hablar español. We did get the ray tracing example to work, but it was fairly slow.
Want to know more about the CPU? We got you. Of course, these days, you can emulate a transputer with nearly anything and probably outperform the original. What we really want to see is a GPU emulation.
First PCB with the Smallest MCU?
[Morten] works very fast. He has already designed, fabbed, populated, and tested a breakout board for the new tiniest microcontroller on the market, and he’s even made a video about it, embedded below.
You might have heard about this new TI ARM Cortex MO micro on these very pages, where we asked you what you’d do with this grain-of-rice-sized chunk of thinking sand. (The number one answer was “sneeze and lose it in the carpet”.)
From the video, it looks like [Morten] would design a breakout board using Kicad 8, populate it, get it blinking, and then use its I2C lines to make a simple digital thermometer demo. In the video, he shows how he worked with the part, from making a custom footprint to spending quite a while nudging it into place before soldering it carefully down.
But he nailed it on the first try, and honestly it doesn’t look nearly as intimidating as we’d feared, mostly because of the two-row layout of the balls. It actually looks easy enough to fan out. Because you can’t inspect the soldering work underneath the chip, he broke out all of the lines to a header to make it quick to check for shorts between those tiny little balls. Smart.
We love to see people trying out the newest hotness. Let us know down in the comments what new parts you’re trying out.
Thanks [Clint] for the tip!
youtube.com/embed/XSAPGh9um_k?…
Vintage Computer Festival East This Weekend
If you’re on the US East Coast, you should head on over to Wall, NJ and check out the Vintage Computer Festival East. After all, [Brian Kernighan] is going to be there. Yes, that [Brian Kernighan].
Events are actually well underway, and you’ve already missed the first few TRS-80 Color Computer programming workshops, but rest assured that they’re going on all weekend. If you’re from the other side of the retrocomputing fence, namely the C64 side, you’ve also got a lot to look forward to, because the theme this year is “The Sounds of Retro” which means that your favorite chiptune chips will be getting a workout.
[Tom Nardi] went to VCF East last year, so if you’re on the fence, just have a look at his writeup and you’ll probably hop in your car, or like us, wish you could. If when you do end up going, let us know how it was in the comments!
Supercon 2024: Quick High-Feature Boards With The Circuit Graver
These days, if you want to build something with modern chips and components, you probably want a custom PCB. It lets you build a neat and compact project that has a certain level of tidiness and robustness that you can’t get with a breadboard or protoboard. The only problem is that ordering PCBs takes time, and it’s easy to grow tired of shipping delays when you don’t live in the shadow of the Shenzhen board houses.
[Zach Fredin] doesn’t suffer this problem, himself. He’s whipping up high-feature PCBs at home with speed and efficiency that any maker would envy. At the 2024 Hackaday Supercon, he was kind enough to give a talk to explain the great engineering value provided by the Circuit Graver. (He was demoing it in the alley too, but you had to be there.)
youtube.com/embed/aGVqcYA3kkA?…
It’s always been possible to make PCBs at home. Many have experimented with irons and toner and etchant baths to varying levels of success. You can do great things if you invest in tools and upskilling, but fundamentally, it can be difficult to make good PCBs that do what you want. After all, there are a things that you might want out of your custom PCBs—fine traces a being prime among them. These can be challenging to do at home with traditional techniques.
[Zach’s] focus was on finding a way to make these “high feature” boards at home—specifically, referring to boards with an excellent minimum feature size. Right away, his talk shows off an example board, featuring an 0.5 mm-pitch DFN chip, paired with 0804 resistors and 0402 LEDs. [Zach] made this board in his apartment, using a machine of his own creation—the Circuit Graver.
You might be expecting some kind of laser-etching machine or a PCB mill, but the Circuit Graver is a little different. Instead of a high-speed spinning engraving head, it uses a pointy tool to scrape copper-clad boards to create the desired traces. [Zach] was inspired to go with this route due to the limitations he’d found during his experiences with traditional PCB milling machines. He found them be loud, messy, and slow, and limited in their resolution. He’d found it difficult to build designs with anything smaller than DIP or SOIC chips when relying on milled boards.
The Circuit Graver was spawned by a technique [Zach] developed years ago, when he started carving boards using a modified box cutter blade by hand, before realizing the same technique could benefit from the magic of Computer Numerical Control (CNC). Rather than move the tool yourself, why not have the computer do it more accurately?
The machine design itself is conventional, but packed with clever details, and built with eBay parts and 3D-printed components. [Zach] built a Cartesian motion platform to move the tool over a copper clad board, with X and Y axes for positioning and a Z axis to lift the tool when necessary and also control the downward pressure. There’s also a stepper motor for the tool, to keep the cutter lined up with the direction of the trace to be carved.
You could do this with a box-cutter blad, but that is not quite good enough for the resolution that [Zach] was hoping to achieve. To that end, he equipped the Circuit Graver with a carbide insert intended for use as lathe tooling. The tool has a 100 micron tip radius which can create a 0.2 mm trench in copper-clad board, right out of the box. That allows the creation of traces roughly around 8 mil or so. You can even sharpen the tooling and get it down to 0.1 mm or less, which is theoretically good enough for 4 mil spaces. That’s perfect for working with smaller feature size parts.
[Zach]’s talk provides a realistic assessment of the Circuit Graver’s real-world performance. Right now, it’s capable of carving 8/8 (0.2 mm) features on small boards quite well, while 6/6 (0.15 mm) features are “marginal.” The hope is to get down to 4/4 (0.1 mm) level with future upgrades. Speed is excellent, however—the Circuit Graver can carve good traces at 20-50 mm/s. For now, though, manual setup is still required—to ensure correct zeroing and that the tooling pressure is correct, for example.
It’s not something you’d use for production PCBs, per se—a real board house will always win for those sort of applications. However, for producing boards for quick prototyping, even with modern fine-featured components? It’s easy to see the value of the Circuit Graver. Imagine ordering some new parts and whipping up a unique project board just minutes or hours after you finish the design on your PC—it’s almost intoxicating to think about.
We actually featured the Circuit Graver on the blog last year—and there are design files on Hackaday.io for the curious. If you’re eager to start whipping up simple high-feature boards at home, it might be a build worth looking into!
Hackaday Podcast Episode 315: Conductive String Theory, Decloudified Music Players, and Wild Printing Tech
This week, Hackaday’s Elliot Williams and Kristina Panos met up across the (stupid, lousy) time zones to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.
Again, no news is good news. On What’s That Sound, Kristina didn’t get close at all, but at least had a guess this time. If you think you can identify the sound amid all the talking, you could win a Hackaday Podcast t-shirt!
After that, it’s on to the hacks and such, beginning with a Dr. Jekyll and Mr. Hyde situation when it comes to a pair of formerly-cloud music players. We take a look at a crazy keyboard hack, some even crazier conductive string, and a perfectly cromulent list of 70 DIY synths on one wild webpage. Finally, we rethink body art with LEDs, and take a look at a couple of printing techniques that are a hundred years or so apart in their invention.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
html5-player.libsyn.com/embed/…
Download in DRM-free MP3 and savor at your leisure.
Where to Follow Hackaday Podcast
Places to follow Hackaday podcasts:
Episode 315 Show Notes:
News:
- No news is good news!
What’s that Sound?
Interesting Hacks of the Week:
- Open Source Framework Aims To Keep Tidbyt Afloat
- Can Hackers Bring Jooki Back To Life?
- DIY Split Keyboard Made With A Saw
- 70 DIY Synths On One Webpage
- Programmer’s Macro Pad Bangs Out Whole Functions
- Supercon 2024: Rethinking Body Art With LEDs
- Make DIY Conductive, Biodegradable String Right In Your Kitchen
Quick Hacks:
- Elliot’s Picks:
- The Magic Touch: A 555 Touch Switch
- Handheld 18650 Analyzer Scopes Out Salvaged Cells
- The Lowly Wall Wart Laid Bare
- A Forgotten Photographic Process Characterised
- Pictures From A High Altitude Balloon
- Kristina’s Picks:
Can’t-Miss Articles:
hackaday.com/2025/04/04/hackad…
3D Print (and Play!) The Super Mario Tune as a Fidget Toy
[kida] has a highly innovative set of 3D-printable, musical fidget toys that play classic video game tunes. Of course there’s the classic Super Mario ditty, but there’s loads more. How they work is pretty nifty, and makes great use of a 3D printer’s strengths.
To play the device one uses a finger to drag a tab (or striker) across the top, and as it does so it twangs vertical tines one-by-one. Each tine emits a particular note — defined by how tall the thicker part is — and plays a short tune as a result. Each one plays a preprogrammed melody, with the tempo and timing up to the user. Listen to them in action in the videos embedded just under the page break!
Fidget toys are a niche all their own when it comes to 3D printed devices. The fidget knife has a satisfying snap action to it, and this printable linear toggle design is practically a fidget toy all on its own.
youtube.com/embed/BnbsPARrkss?…
youtube.com/embed/InFddXVHsRE?…
This Week in Security: Target Coinbase, Leaking Call Records, and Microsoft Hotpatching
We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.
The pull_request_target hook is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and Github thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses actions as they are defined in the repository itself, ignoring any incoming changes in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.
The simplest security problem is that many projects have build scripts in the repository, and those are not considered part of GitHub Actions by GitHub. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.
So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary Github Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer that worked on both the spotbugs and reviewdog projects.
That token had access to create and edit tags in reviewdog/action-setup, a GitHub Action that runs as a dependency for multiple other actions. The attacker created a fork of this repository, added malicious code, and then overwrote the v1 git tag to point to this malicious code. The tj-actions/changed-files ran a CI flow that made use of the malicious reviewdog/action-setup fork, leaking a GitHub token with write permission to tj-actions/changed-files.
The tag override trick does a lot of heavy lifting in this story, and that’s what was used on tj-actions/changed-files too. Another malicious fork, and a specific tag was overridden to point there. The tag chosen was one used in a Coinbase repository. Specifically coinbase/agentkit used the newly malicious tag in one of its workflows. A Coinbase maintainer discovered this, and deleted the targeted workflow, putting an end to the Coinbase-specific attack. At this point, the attacker opted to burn the pilfered access, and pushed malicious code to every tj-actions/changed-files tag. The idea apparently being that there would likely be some interesting secrets that were leaked. It’s also possible this was intended to hide Coinbase as the primary target. Regardless, that’s the widespread attack we’ve already covered, and now you know the rest of the story.
ZendTo: No CVE, No Problem?
ZendTo is a nifty Open Source, web-based file sharing platform. It’s been around for a while, and the release notes from a 2021 release makes reference to a “security fix” with no additional details given. That caught the attention of [Jay] from Project Black. It sounds like a potential vulnerability, but it seems like no CVE was ever assigned, and no further details were given.
Here’s the issue: ZendTo has an anonymous file upload feature on by default. This has a security feature built in, in the form of scanning the uploaded file with ClamAV in a temporary location, before moving the file to its long term storage directory. Part of this process includes the ever lovely exec("/bin/chmod go+r " . $ccfilelist); line. PHP has some footguns to be aware of, and calling exec() with any user-provider input is one of them. And of course, the user-provided tmp_name value is used to construct the $ccfilelist string. Set tmp_name to 1;command, and you’ve got code execution.
There is another outstanding issue, where legacy md5 passwords that happen to begin with 0e will be interpreted as a number in scientific notation. PHP handles some type comparisons a bit weirdly. These scientific notation values all evaluate as 0. Using any password that also evaluates to one of these special “scientific” md5 hashes, and the comparison collapses to 0 == 0. So one out of every 256 users have a trivially bypassed password — if their account was still using a md5 password hash.
So here we have a pair of serious vulnerabilities, though one has limited exposure, with neither being fully disclosed nor given CVEs. What’s the result of this lack of transparency? Old, vulnerable installs of ZendTo are still on the Internet. Without a CVE, there’s much less pressure to update. No CVE doesn’t necessarily mean no vulnerabilities.
Leaking Call Records
Researcher [Evan Connelly] was looking into the Verizon Call Filter iOS app, and found it to be using an interesting web service. The callLogRetrieval endpoint allows a user to look up call logs for their own Verizon number. Authorization is done using JSON Web Tokens (JWT), which included a “sub” field, indicating the phone number the token was authorized to fetch. The request itself also has a field to indicate the number being queried. This particular endpoint uses a JWT for authorization, but returns the information requested in the query field — without comparing the two values. Yes, any customer that could obtain a valid JWT could query the call records of virtually any other Verizon number. While this is particularly bad, Verizon acknowledged it quickly, and rolled a fix out in less than a month.
When Parameterized Queries Aren’t
What’s the single most powerful tool to prevent SQL injection attacks? Easy: Parameterized queries. Write the SQL query ahead of time, the library converts it into native database code, and only then are the user-generated values plugged in. In theory that means those values can never be understood as part of the SQL logic. While there are ways this can still go wrong, the basic approach is sound. But what if a language, like Nim, had a parameterization option that didn’t actually do parameterized queries?
Yes, Nim’s db_postgres module provides the facility to run code like getRow(sql"SELECT username FROM users WHERE username=?;", "user"), which is intended to protect against SQL injection. But, under the hood, it really is just doing string replacement with character escaping, like replacing null characters with \\0. Now consider PostreSQL’s standard_conforming_strings setting, which among other things, removes the backslash as a special character. But if that setting is disabled, the backslash can be used to escape quotes. Nim doesn’t know anything about that behavior. This combination of not-actually-parameterized parameterization, and lack of awareness of the standard_conforming_strings behavior, means that ./poc '\' ' OR user_id=1; --' is once again a potential SQL injection. Whoops.
Oracle: Oh, That Oracle Cloud!
We finally have a bit more insight into what’s going on at Oracle. You probably remember that the company has continually denied a breach into Oracle Cloud. It seems this is a bit of verbal sleight-of-hand, as Oracle has renamed part of their cloud offering to Oracle Cloud Classic. The remaining, current generation service is the Oracle Cloud. Oracle Cloud Classic has suffered the breach, not technically Oracle Cloud.
It’s not clear that this is really all there is to the story, though, as more data is getting released by the attacker, including video of a web meeting from 2019. Oracle has started reaching out to customers and confirmed the breach, though apparently strictly avoiding putting anything in writing.
Microsoft Joins the Hotpatch Game
Enterprise Linux distros have long had support for various forms of live-patching. We even interviewed TuxCare about this feature for FLOSS Weekly a few weeks ago. It seems that Microsoft finally wants in on the fun. Windows 11 Enterprise has in-memory security patching starting with the 24H2 update. This support is strictly for machines with an Enterprise or certain Education Microsoft subscriptions. The Hotpatches will be available for 8 of the 12 monthly security patches, with an enforced quarterly update via traditional updates and a reboot.
Bits and Bytes
Researchers at GreyNoise have noted an uptick in IPs scanning for Palo Alto device login pages for several days in March. The scanning had as many as 20,000 unique IPs hunting for these login interfaces, which suggests a botnet has been tasked with finding these devices. It’s very possible that a threat actor has found a new vulnerability in Palo Alto devices, and is preparing to launch an attack.
And finally, a pair of posts from ZDI caught our attention this week. The first is a dive into how Binary Ninja’s static code analysis can find potential use-after-free vulnerabilities. The second is all about building an electric car simulator, that can actually plug into real electric vehicle charging stations, and actually fool the charger into believing a car is attached. How is this problem approached safely, given the high voltages and amperages involved? Very carefully.
Keep Bears at Bay with the Crackle of 280,000 Volts
Bears! Are they scared of massive arcs that rip through the air, making a lot of noise in the process? [Jay] from the Plasma Channel sure hopes so, because that’s how his bear deterrent works!
[Jay] calls it the Bear Blaster 5000. Right from the drop, this thing looks like some crazy weapon out of Halo. That’s because it throws huge arcs at 280,000 volts. The basic concept behind it is simple enough—a battery drives a circuit which generates (kinda) low voltage AC. This is fed to the two voltage multipliers which are set up with opposite polarity to create the greatest possible potential difference between the two electrodes they feed. The meaty combination is able to arc across electrodes spaced over four inches apart. It’s all wrapped up in a super-cool 3D printed housing that really shows off the voltage multiplier banks.
Given its resemblance to a stun gun, you might think the idea is to jab an attacking bear with it. But the reality is, if the bear is close enough that you could press this device against it, you’re already lunch. [Jay] explains that it’s more about scaring the animal off with the noise and light it produces. We’d certainly take a few steps back if we heard this thing fire off in the woods.
[Jay] does a great job of explaining how the whole setup works, as well as showing off its raw ability to spark. We’ve seen some great builds from [Jay] before, too, like this beefy custom flyback transformer.
youtube.com/embed/-Ng3fyUHoLA?…
A journey into forgotten Null Session and MS-RPC interfaces, part 2
In the first part of our research, I demonstrated how we revived the concept of no authentication (null session) after many years. This involved enumerating domain information, such as users, without authentication. I walked you through the entire process, starting with the difference between no-auth in the MS-RPC interfaces and the well-known null session, and ending with the methodology used to achieve our goal.
Today, as promised, we’ll dive into part two. Here, we’ll explore why Windows behaves the way it does – allowing domain information to be enumerated without authentication. I’ll also explain why this activity is difficult to prevent and monitor.
First, we’ll examine why this activity is hard to stop by looking at how WMI works. We’ll also discuss the methods available for detecting and addressing this issue.
After that, we’ll cover some basics about MS-RPC security and how to secure your RPC server. Then we’ll analyze the security of the MS-NRPC interface using two approaches: theoretical insight and reverse engineering to gain a deeper understanding.
So, buckle up and let’s continue our journey!
The group policy that punches your domain in the face
When it comes to stopping certain activities in Windows, group policies are often the first line of defense, and our case is no exception. As we discussed in part one, the Restrict Unauthenticated RPC Clients policy can be used to block no-auth activity against interfaces. This policy comes with three settings: “None”, “Authenticated”, and “Authenticated without exceptions”.
While testing, we discovered that even with the policy set to “Authenticated”, it’s still possible to enumerate domain information using MS-NRPC and network interfaces using the
IObjectExporter interface. Naturally, the next logical step would be to use the “Authenticated without exceptions” setting to completely block such activity.
At first, enabling “Authenticated without exceptions” seems to work perfectly – blocking all enumeration activity with no authentication. Over time, however, we would notice significant issues: many of the domain controller’s functions would stop working. This is not surprising, as Microsoft has explicitly warned that using this policy setting can severely disrupt domain controller functionality. In fact, it has been described as “the group policy that punches your domain in the face,” effectively rendering the domain controller inoperable.
To better understand this issue, let’s use WMI as an example and examine why setting this policy to “Authenticated without exceptions” causes domain functionality to fail.
WMI as DCOM object
Windows Management Instrumentation (WMI) is the infrastructure for managing data and operations on Windows-based operating systems. It’s widely used by system administrators for everyday tasks, including remote management of Windows machines.
To test the effect of setting the Restrict Unauthenticated RPC Clients policy to “Authenticated without exceptions”, let’s try to access WMI on a remote machine using the
wmic command to list processes. In this case, we’ll use valid administrator credentials for the remote machine.
Listing remote processes using wmic
As shown in the screenshot above, the attempt to list remote processes fails with an “Access Denied” error, even with valid administrator credentials. But why does this happen?
Remote WMI access relies on the DCOM architecture. To interact with the WMI server, a DCOM object must first be created on the remote machine. As explained in part one, interfaces such as
IObjectExporter (IOXIDResolver) are responsible for locating and connecting to DCOM objects.
In simpler terms native Windows libraries typically use the
IObjectExporter interface by default during the initial steps of creating a DCOM object, although it is technically optional. When binding the interface, the authentication level is set to “no authentication” (level 1). Next, the libraries use the ServerAlive2 function.
When the Restrict Unauthenticated RPC Clients policy is set to “Authenticated without exceptions”, it blocks these no-auth activities. This prevents the creation of DCOM objects, so the WMIC command that creates a DCOM object fails and returns an “Access Denied” error, even if the credentials are valid.
Furthermore, since DCOM object creation is integral to many domain controller functions, blocking these activities can disrupt most operations on the domain controller. In short, setting the policy to “Authenticated without exceptions” not only breaks remote WMI access, it also impacts broader domain functionality.
To better understand this behavior, let’s examine what happens under the hood when we set the Restrict Unauthenticated RPC Clients policy to “Authenticated” or “None”. Using Wireshark, we’ll capture the traffic while running the same PowerShell command as before.
Network traffic for remote WMI
In the captured traffic, we can see that before the DCOM object is created, the
IOXIDResolver interface must be bound, and the ServerAlive2 function is called (packets 21-24).
If we inspect packet 21, which contains the bind request, we see that the native libraries bind the interface without authentication – because the authentication length is zero.
Binding without authentication
Next, let’s inspect the traffic when the Restrict Unauthenticated RPC Clients policy is set to “Authenticated without exceptions”.
Network traffic for WMI
From the captured traffic, we can see several “Access Denied” responses when attempting to call the
ServerAlive2 function with valid credentials. This happens because the policy blocks the no-authentication behavior, effectively stopping the initial binding of the IOXIDResolver interface (which binds without authentication by default). The failure to bind the interface at the beginning of the process is what causes this error, proving that it does not come from WMI itself.
The event that never occurs
As we saw earlier, preventing enumeration of domain information seems impossible, but detecting it might be another story. The first place to look for detection is Windows audit policies. I found the audit policy under event ID 5712, which should generate an event like “Audit RPC Events 5712(S): A Remote Procedure Call (RPC) was attempted.”
However, Microsoft states that this event never occurs, and after enabling this audit policy, I indeed found no related events in the event viewer for any RPC attempts.
The event that never occurs seemed like a dead end for detecting RPC activity. However, after further research, I found two additional ways to detect RPC activity.
The first method is Event Tracing for Windows, which logs RPC-related events. However, it lacks useful details such as the IP address of the RPC client and generates many events, including local RPC activity, making it difficult to parse.
The second method is to use third-party open source software called RPC-Firewall. This tool audits all remote RPC calls, allowing you to track RPC UUIDs and opnums, block specific ones, and filter by source address. It integrates with the event viewer to display logs, as shown in the screenshot below of an RPC event generated by RPC-Firewall.
RPC-Firewall RPC event
Prior to conducting this research, I had found these three ways to detect such activity that I mentioned earlier. However, due to the lack of native detection, the process remains challenging. You can rely on third-party tools or develop your own detection method. But even with these approaches, it’s difficult because you need to identify which machines in your domain are making RPC requests without authentication and track the frequency of this activity.
MS-RPC security
Now let’s explore why Windows behaves this way, why there are issues with policies, and what exceptions really mean. But before diving into all that, we need to discuss MS-RPC security – basically, how to secure your RPC server.
From this point on, I’ll be referring to a new term, the RPC server. The RPC server is where the logic of the interface is defined. A single server can have multiple interfaces.
Securing an RPC server is a complex process because of the variety of access methods, such as named pipes or TCP endpoints. In addition, security measures for RPC servers have evolved over time.
In this research, I will focus on the security methods relevant to our study, but there are several other methods, some of which are described in this post.
Registration flags
When registering an interface for an RPC server, specific flags can be set using the RpcServerRegisterIf2 function. Three flags are of particular relevance:
- RPC_IF_ALLOW_LOCAL_ONLY: Rejects calls from remote clients.
- RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH: Invokes a security callback for authentication checks.
- RPC_IF_ALLOW_SECURE_ONLY: Limits connections to clients with an authentication level higher than RPC_C_AUTHN_LEVEL_NONE.
The RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag registers a security callback (e.g.,
MySecurityCallback), as shown in the examples below, which takes over security checks from the RPC runtime.
RPCServerRegisterIf2 with security callback
If the callback returns
RPC_S_OK (mapped to 0), the client passes; otherwise, the client fails the security check.
The security callback
By default, the RPC runtime (
rpcrt4.dll library) handles client authentication using mechanisms such as NTLM or Kerberos. However, its behavior is influenced by two factors:
- The Restrict Unauthenticated RPC Clients policy:
- If set to “None”, unauthenticated clients are allowed.
- If set to “Authenticated”, only authenticated clients can connect.
This flag overrides the default policy, allowing the security callback to handle authentication even when clients are unauthenticated. The only exception is the “Authenticated without exceptions” policy value, which blocks all unauthenticated clients regardless of this flag.This explains the exceptions we discussed earlier: they occur when interfaces inside RPC servers are registered with this flag, enabling unauthenticated connections even when the policy is set to “Authenticated”. The source and behavior of these exceptions should now be clear.
Securing the endpoint
As mentioned earlier, RPC servers can be accessed through various transport layers. For remote connections, TCP ports and named pipes are commonly used.
When registering an endpoint for an RPC server using the RpcServerUseProtseqEp function, you can include a security descriptor (SD) to control who can connect to the endpoint. It’s important to note that this SD only applies to named pipes, not TCP ports. Additionally, it can also be used for local connections using ALPC ports as endpoints.
Securing the interface
Microsoft has introduced a newer version of the RpcServerRegisterIf2 function, called RpcServerRegisterIf3, which allows you to add an optional SD when registering your interface. This enables you to control who can connect directly to the interface.
This security mechanism raises an important question: if an interface has registered an SD, and a client connects via TCP without authentication (authentication level = 1), how is the security check performed? Specifically, what security token is assigned to the client for the SD check?
To answer this, we need to do some reverse engineering magic against the RPC runtime library (
rpcrt4.dll).
The figure below shows the decompiled view from IDA for the function called when a client connects without authentication. As you can see, it uses the ImpersonateAnonymousToken function, which allows the thread to impersonate the system’s anonymous logon token. In other words, a client connecting via a TCP endpoint without authentication is represented as an anonymous user.
Called function for unauthenticated clients
After that, the access check is performed using the AccessCheck function:
Access check
Binding authentication
The final RPC security issue to discuss is binding authentication. As you recall, the authentication method is specified in the binding packet (the first packet in an RPC connection). But what does that mean?
An RPC server can register its preferred authentication method for clients using the RpcServerRegisterAuthInfo function. For instance, in the following example, NTLM authentication is registered as the chosen method.
After that, the client can connect using RPCBindSetAuthInfoEx and specify the correct authentication service and authentication level.
Now that we’ve covered RPC security, it’s time to answer questions about our interface (MS-NRPC): What security is applied on the server that defines this interface, and why were we able to access it without authentication?
To do this, I used two approaches:
- Surface analysis: I examined the internal security checks of the RPC server using a flowchart from a great RPC toolkit. This chart provides valuable insight for our research, allowing us to analyze the security applied by the RPC server in more detail. I’ll go through it step by step, following the path described in the chart to conduct the investigation.
- In-depth analysis: In this approach, I interacted directly with the RPC server using reverse engineering to gain further insight into the enabled security.
Surface analysis
I will now attempt to determine the security mechanism used by the RPC server that’s related to the MS-NRPC (Netlogon) interface. I will assume that we are the RPC client calling a function from (MS-NRPC) Netlogon to enumerate domain information without using any authentication.
Let’s start with transport protocols, as outlined in the flowchart:
In the chart above, the RPC client has two options for connecting to the RPC server: via TCP or SMB named pipes. In our research, we are using TCP, which is highlighted.
Next, we encounter the Restrict Unauthenticated RPC Client policy, which has two values: “None” or “Authenticated”. If set to “None”, we proceed to the next step. If set to “Authenticated”, a check is performed to see if the client has authenticated. If it has, the flow continues; however, if the client connects without authentication (as in our case), the RPC runtime checks for the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag and either accepts or denies the connection based on its presence.
Since the policy is set to “Authenticated” and our client does not perform authentication, we need the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag to be registered in order to proceed to the next step, thereby making an exception to the policy. The presence of this flag allows us to conclude that a security callback has also been registered.
Our path now looks like this:
Next, there is another check to see if the server has registered an authentication service. If the server hasn’t registered one and the client tries to authenticate, it will be denied with an “authentication service unknown” error. However, if the client doesn’t attempt authentication, the process continues.
If the server has registered an authentication service, the check against the endpoint (the SD registered via RpcServerUseProtseqEp) is performed. If the client passes this, another check is made against the interface SD (registered using RpcServerRegisterIf3). Failure to pass either of these checks will result in access being denied.
In our case, we know the server has already registered an authentication service because it’s a well-known Microsoft protocol. We don’t need to worry about the endpoint check either, as it’s intended for clients connecting via named pipes. As for the interface security descriptor, we either passed this check if the SD doesn’t exist at all, or the SD does exist and it allows anonymous users (representing clients without authentication).
Next, we check two flags: the first, RPC_IF_ALLOW_LOCAL_ONLY, determines if the interface can be accessed remotely, and the second checks for RPC_IF_ALLOW_SECURE_ONLY. If the latter is present, it ensures that we are using an authentication level higher than “None”, denying or allowing access based on the authentication level. Finally, we check for the presence of a security callback. If it doesn’t exist, we can access the server immediately. If it does exist, we must pass the custom checks within the security callback to access the server.
In our case, we know that RPC_IF_ALLOW_LOCAL_ONLY doesn’t exist because we can access the interface remotely. We also know that RPC_IF_ALLOW_SECURE_ONLY isn’t present because we’re using an authentication level of “None”. Finally, we conclude that a security callback is registered based on the previous use of RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, and we successfully pass the security callback check to gain access to the server.
Our final path looks like this:
Surface analysis conclusion
At this stage, we can conclude that the RPC server has the following characteristics:
- Regarding registration flags:
- Has RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH (indicating a security callback).
- Doesn’t have RPC_IF_ALLOW_LOCAL_ONLY.
- Doesn’t have RPC_IF_ALLOW_SECURE_ONLY.
- We’re unsure if it has a security descriptor (SD) or not.
- The RPC server registers authentication.
As shown, the surface analysis couldn’t provide a complete security overview for the Netlogon (MS-NRPC) interface, so I decided to proceed with an in-depth analysis.
In-depth analysis
The goal of our in-depth analysis is to leverage reverse engineering techniques to assess the security of the RPC server under the MS-NRPC interface. As we saw before, the interface is accessible through the LSASS process, specifically via the Netlogon DLL. Here we have two approaches to analysis:
- Use automated tools to examine the security of the interface.
- Go directly to IDA and manually locate the interface and its associated security mechanisms.
Automated tools
Let’s begin with a tool called PE RPC Scraper. If we provide the Netlogon DLL as an argument, this tool reveals information about the RPC server, its interfaces, functions and security details.
PE RPC Scraper output
The output of the tool shows that it successfully identified the Netlogon interface (UUID) and confirmed that it contains 59 functions. It also revealed the presence of a security callback and a set of flags with a value of
0x91. After decoding this value, we can see that the following flags have been registered:
- RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
- RPC_IF_SEC_CACHE_PER_PROC
- RPC_IF_AUTOLISTEN
The output from PE RPC Scraper also indicates that the interface has no security descriptor.
The information obtained from both the surface analysis and the automated tool provides the answer to the security bypass issue and allows me to conclude the investigation at this point. However, I personally don’t trust automated tools, and I have a good reason for that. So, for further confirmation, let’s dive into IDA.
IDA like a superhero
At this point, I’ve loaded
netlogon.dll into IDA and started my investigation.
A. Locate the interface
The first step is to determine where the interface is registered. As shown in the figure below, the UUID registered using RPCServerRegisterIf3 is related to the MS-NRPC interface.
MS-NRPC interface registration
B. Endpoint registration
At this stage, we’ll check the endpoint registration for the server. As you can see in the screenshot below, RpcServerUseProtseqEpW and RpcServerUseProtseqExW have been used to register three endpoints:
- SMB named pipe, lsass
- Local ALPC port, NETLOGON_LRPC
- High dynamic TCP ports
Endpoint registration
C. Interface registration
As I mentioned earlier, RpcServerRegisterIf3 is used to register the interface.
Interface registration
The function used the
0x91 value as a set of flags, which are: RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH | RPC_IF_SEC_CACHE_PER_PROC | RPC_IF_AUTOLISTEN. RpcServerRegisterIf3 also has a security callback (sub_18002EF60), in addition to a security descriptor (hMem). This finding contradicts what was previously confirmed by an automated tool – that’s why I don’t trust them for reverse engineering.
D. Security callback
Now let’s go inside the security callback and see how the security check is performed. From the screenshot below, we can see that RpcServerInqCallAttributesW is called first with the
Flags field inside the RpcCallAttributes struct set to 96. After decoding this value, we can see that this function used two flags – RPC_QUERY_IS_CLIENT_LOCAL | RPC_QUERY_NO_AUTH_REQUIRED – to request the client information.
The security callback has a condition statement.
The security callback conditions
First, the callback verifies that the RpcServerInqCallAttributesW function was called successfully, then it checks if the opnum is less than 59. If both previous conditions are met and the client is local, access to the server is granted. If the client is remote, the callback uses an access array (a matrix) to determine if the opnum is allowed to be called by the remote client.
The access matrix is just hardcoded bytes in memory:
Access matrix
All of the previously mentioned functions in the MS-NRPC interface that can be accessed without authentication (as outlined in the table in the first part) pass the access matrix check.
Now, let’s analyze what happens when the conditions are met or not, using assembly language since the IDA decompiler tab lacks precise interpretations.
The security callback conditions in assembly
- For the security callback, as we mentioned earlier, returning 0 indicates a successful call.
- For the first condition (RpcServerInqCallAttributesW), failure results in an error value.
- For the second condition (operation number compared to 59), failure still returns 0. This only ensures that the matrix index doesn’t exceed its size and doesn’t validate implemented functions that are handled elsewhere.
- For the third condition, if both the access matrix and local client checks fail, the callback returns 5 (access denied). If either of them succeeds, execution continues.
If all of the above checks in the IF statement are passed, the security callback proceeds to check the Windows version with another IF statement that verifies the value of a DWORD in memory.
The second IF statement
This DWORD is initialized using the code shown below. The value is set based on whether or not the machine is a domain controller (DC).
Checking the machine type
- If the machine is a DC, execution continues and returns 0, indicating that the security callback check was successfully passed.
- If it is not a DC, further checks are performed.
This sequence of checks shows that passing the security callback for the remote client on a DC requires only that the access matrix check be successfully passed.
E. Interface security descriptor
As we saw before, the security descriptor is assigned through the RpcServerRegisterIf3 function. It is set up by calling another function that contains many instructions. The security descriptor definition language (SDDL) for the security descriptor is shown below.
SDDL for security descriptor
From the SDDL, we can see that the following groups of users have read access: Anonymous Logon, Everyone, Restricted Code, Built-in Administrators, Application Package, and a specific security identifier (SID).
But I ran into a problem. The function where the security descriptor is set up contained numerous operations, and I wasn’t sure if any changes had been made to the SDDL representation of the security descriptor. That’s why I decided to find an alternative method to verify that the SDDL interpretation remained the same.
To achieve this goal, I considered two approaches:
- Memory search: I considered searching memory at runtime for the known value in the header of the relative security descriptor to intercept and extract the discretionary access control list (DACL) inside LSASS. However, since this involves interacting with the LSASS process, which is risky, I took a different approach.
- ALPC Port Security Descriptor: The ALPC port NETLOGON_LRPC, registered during endpoint setup, shares the same security descriptor as the interface:
Endpoint and interface registration
Using the ALPC port’s name, I used the NtObjectManager PowerShell module (you can use any programming alternative) to extract the security descriptor from the ALPC port.
Extracting the SD from the ALPC port in PowerShell
After that, I obtained the DACL from the security descriptor.
Security descriptor for ALPC port
The screenshot above shows that the DACL obtained from the ALPC port’s security descriptor matches the SDDL representation we obtained earlier. As we can see in the first line of the ACL entries, anonymous login is allowed on the interface, which explains why we can pass the security descriptor access check for the interface (if there is no client token, the Anonymous LOGON token is assigned).
In-depth analysis conclusion
From the in-depth analysis, we now have the whole scenario of the MS-NRPC security mechanism, which allowed us to understand how we could successfully pass the security checks of the MS-NRPC interface and call multiple functions without authentication, even if the RPC policy is set to “Authenticated”.
To summarize, here’s how we were able to bypass the security of MS-NRPC:
- Registration flags:We found that the interface has the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag: for this reason, we were able to get past the RPC policy.
- Security callback:We found that this flag has a security callback, which in our case is used to check if we pass the check against the access array, and all of our functions passed the check.
- Interface security descriptor:
The interface has a security descriptor that permits multiple user groups to connect, including anonymous users. Since we are using no authentication, the access check is performed against the anonymous user, allowing to access the interface’s functions.
Research conclusion
At the end of this part and my research, I hope I was able to provide all the details related to this research and the approaches that I used. I also hope that you are now able to understand why we have this kind of no-authentication enumeration. Furthermore, I hope you are now equipped to develop your own ways to detect this kind of activity.
Thank you for reading, and see you soon with more research projects.
A Portable Electronics Workstation
You don’t see them as often as you used to, but it used to be common to see “electronics trainers” which were usually a collection of components and simple equipment combined with a breadboard, often in a little suitcase. We think [Pro Maker_101’s] portable electronics workstation is in the same kind of spirit, and it looks pretty nice.
The device uses a 3D printed case and a custom PC board. There are a number of components, although no breadboard. There is a breakout board for Raspberry Pi GPIO, though. So you could use the screw terminals to connect to an external breadboard. We were thinking you could almost mount one as a sort of lid so it would open up like a book with the breadboard on one side and the electronics on the other. Maybe version two?
One thing we never saw on the old units? An HDMI flat-screen display! We doubt you’d make one exactly like this, of course, but that’s part of the charm. You can mix and match exactly what you want and make the prototyping station of your dreams. Throw in a small portable soldering iron, a handheld scopemeter, and you can hack anywhere.
We’d love to see something like this that was modular. Beats what you could build in 1974.
youtube.com/embed/81NDDDT1xus?…
Trump silura il capo della NSA! Il Caos Regna sull’intelligence USA dopo gli attacchi di Salt Typhoon
Il direttore della National Security Agency, il generale dell’aeronautica Timothy Haugh, sarebbe stato licenziato giovedì dal suo incarico di capo dell’agenzia. La rimozione di Haugh dal ruolo di direttore della NSA, la principale agenzia nazionale per lo spionaggio informatico e le intercettazioni elettroniche, avviene nello stesso giorno in cui, secondo quanto riferito, almeno tre membri dello staff del Consiglio per la sicurezza nazionale della Casa Bianca sono stati allontanati.
Il capo del Dipartimento per l’efficienza governativa, Elon Musk, è stato ospitato da Haugh presso la sede centrale della NSA il mese scorso. Si è trattato della sua prima visita nota a un’agenzia di intelligence statunitense. Secondo il Washington Post, il tenente generale William J. Hartmann, vice di Haugh al Cyber Command, assumerà la carica di direttore ad interim della NSA.
Stando a quanto riportato dal Washington Post, che cita funzionari statunitensi in carica ed ex dirigenti, anche la vice civile del direttore estromesso della NSA, Wendy Noble, è stata licenziata giovedì. Secondo quanto riportato dal quotidiano, a Noble è stato assegnato un nuovo incarico presso l’ufficio del Sottosegretario alla Difesa per l’intelligence del Pentagono .
Il senatore Mark Warner (D-Va.), membro di spicco della Commissione Intelligence del Senato, ha condannato il licenziamento di Haugh. “Il generale Haugh ha servito il nostro paese in uniforme, con onore e distinzione, per più di 30 anni. In un momento in cui gli Stati Uniti stanno affrontando minacce informatiche senza precedenti, come ha chiaramente evidenziato il cyberattacco Salt Typhoon dalla Cina, in che modo licenziarlo rende gli americani più sicuri?” ha scritto Warner su X.
I funzionari statunitensi hanno dichiarato alla testata giornalistica che il motivo dietro il rimpasto della NSA è sconosciuto. Haugh, che è anche capo del Cyber Command del Pentagono, ha guidato la NSA dal febbraio 2024. Non è chiaro se il generale dell’Aeronautica Militare rimarrà al suo posto di comando informatico dopo la sua rimozione dall’agenzia di spionaggio con sede a Fort Meade, nel Maryland.
Il senatore ha anche attaccato il presidente Trump, facendo riferimento alle segnalazioni secondo cui i licenziamenti di membri dello staff del Consiglio per la sicurezza nazionale sarebbero avvenuti subito dopo un incontro con l’influencer di destra Laura Loomer.”È sorprendente che il presidente Trump abbia licenziato il leader imparziale ed esperto della NSA senza riuscire a ritenere responsabile alcun membro del suo team per la fuga di informazioni riservate su un’app di messaggistica commerciale, anche se apparentemente riceve indicazioni sul personale per la sicurezza nazionale da un teorico della cospirazione screditato nello Studio Ovale”, ha scritto Warner in un post separato.
L'articolo Trump silura il capo della NSA! Il Caos Regna sull’intelligence USA dopo gli attacchi di Salt Typhoon proviene da il blog della sicurezza informatica.
Playstacean Evolves The PSOne Into The Crab It Was Always Meant to Be
Odd hardware designs crop up in art and renders far more frequently than in the flesh, but console modder [GingerOfOz] felt the need to bring [Anh Dang]’s image of the inevitable carcinization of our gaming consoles to life.
Starting with the image as inspiration, [GingerOfOz] got to work in CAD, creating an entirely new shell for the battered PSOne he adopted for the project. The final product is slightly less curvy than the picture, but some artistic license was necessary to go from the page to the real world.
The enclosure itself looks straightforward, if a bit tedious, but the articulating crab controller is a work of art itself. He could’ve made the arms static or non-functional, but they’re a fully-functional PlayStation controller that can move around just like on your favorite crustacean at the beach, minus the pinching. We love this whimsical take on the console mod which is a breath of salty air to the continuous race to get increasingly complex consoles into handheld form, although there’s certainly nothing wrong with that!
If you’re looking for some other console mods, how about this Apple M1 inside a Wii or getting your old Ouya up-and-running again?
youtube.com/embed/dSBNs3TeINc?…
A Proper OS For The Sega Genesis/Megadrive
The console wars of the early 1990s had several players, but the battle that mattered was between Nintendo’s SNES and Sega’s Genesis, or Megadrive if you are European. They are both famous for their games, but in terms of software they can only run what’s on a cartridge. The Genesis has a Motorola 68000 on board though, which is capable of far more than just Sonic the Hedgehog. [EythorE] evidently thinks so, because here’s a port of Fusix, a UNIX-like OS, for the Sega platform.
As it stands, the OS is running on the BlastEm emulator, but given a Sega Saturn keyboard or a modified PC keyboard for the Sega, it could be run on real hardware. What you get is a basic UNIX-like OS with a working shell and the usual UNIX utilities. With 64k of memory to play with this will never be a powerhouse, but on the other hand we’d be curious to see it in a working cartridge.
Meanwhile, if the console interests you further, someone has been into its workings in great detail.
Header: Evan-Amos, CC BY-SA 3.0.
The Weird Way A DEC Alpha Boots
We’re used to there being an array of high-end microprocessor architectures, and it’s likely that many of us will have sat in front of machines running x86, ARM, or even PowerPC processors. There are other players past and present you may be familiar with, for example SPARC, RISC-V, or MIPS. Back in the 1990s there was another, now long gone but at the time the most powerful of them all, of course we’re speaking of DEC’s Alpha architecture. [JP] has a mid-90s AlphaStation that doesn’t work, and as part of debugging it we’re treated to a description of its unusual boot procedure.
Conventionally, an x86 PC has a ROM at a particular place in its address range, and when it starts, it executes from the start of that range. The Alpha is a little different, on start-up it needs some code from a ROM which configures it and sets up its address space. This is applied as a 1-bit serial stream, and like many things DEC, it’s a little unusual. This code lives in a conventional ROM chip with 8 data lines, and each of those lines contains a separate program selectable by a jumper. It’s a handy way of providing a set of diagnostics at the lowest level, but even with that discovery the weirdness isn’t quite over. We’re treated to a run-down of DEC Alpha code encoding, and should you have one of these machines, there’s all the code you need.
The Alpha was so special in the 1990s because with 64-bit and retargetable microcode in its architecture it was significantly faster than its competitors. From memory it could be had with DEC Tru64 UNIX, Microsoft Windows NT, or VMS, and with the last of which it was the upgrade path for VAX minicomputers. It faded away in the takeover by Compaq and subsequently HP, and we are probably the poorer for it. We look forward to seeing more about this particular workstation, should it come back to life.
Teardown of a Scam Ultrasonic Cleaner
Everyone knows that ultrasonic cleaners are great, but not every device that’s marketed as an ultrasonic cleaner is necessarily such a device. In a recent video on the Cheap & Cheerful YouTube channel the difference is explored, starting with a teardown of a fake one. The first hint comes with the use of the description ‘Multifunction cleaner’ on the packaging, and the second in the form of it being powered by two AAA batteries.
Unsurprisingly, inside you find not the ultrasonic transducer that you’d expect to find in an actual ultrasonic cleaner, but rather a vibration motor. In the demonstration prior to the teardown you can see that although the device makes a similar annoying buzzing noise, it’s very different. Subsequently the video looks at a small ultrasonic cleaner and compares the two.
Among the obvious differences are that the ultrasonic cleaner is made out of metal and AC-powered, and does a much better job at cleaning things like rusty parts. The annoying thing is that although the cleaners with a vibration motor will also clean things, they rely on agitating the water in a far less aggressive way than the ultrasonic cleaner, so marketing them as something which they’re not is very unpleasant.
In the video the argument is also made that you do not want to clean PCBs with an ultrasonic cleaner, but we think that people here may have different views on that aspect.
youtube.com/embed/GUmaT2IhUJo?…
Australia’s Silliac Computer
When you think about the dawn of modern computers, you often think about the work done in the UK and the US. But Australia had an early computer scene, too, and [State of Electronics] has done a series of videos about the history of computers down under. The latest episode talks about SILLIAC, a computer similar to ILLIAC built for the University of Sydney in the late 1950s.
This episode joins earlier episodes about CSIRAC, and WREDAC. The series starts with the CSIR Mark I, which was the first computer in the southern hemisphere.
The -AC computers have a long history. While you often hear statements like, “…in the old days, a computer like this would fill a room,” SILLIAC, in fact, filled three rooms. The three meters of cabinets were in one room, the power supply in another. The third room? Air conditioning. A lot of tubes (valves, in Australia at the time) generate a lot of heat.
It is hard to put an exact cost on SILLIAC, but the original estimate was about AU£35,200. That sounds modest, but at the time, you could buy about ten suburban homes near Sydney for that price. Like most projects, the cost rose, and completion depended on a larger donation from a horse race. At the end, the cost was about AU£75,000!
SILLIAC had a reputation of being more reliable than some other computers based on the same design. That was probably because most computers use 6J6 tubes, but SILLIAC used 2C51 devices. Bell Labs created the 2C51 for use in undersea cables. Of course, they were also about six times the cost of a 6J6.
The computer did important work until 1968. It was, sadly, dismantled, but pieces of it are hanging around the Powerhouse Museum and at the University as display items.
This series is a great look at what was happening in the computer world south of the equator during these days. While SILLIAC is fascinating, you might want to start with episode 1. Supercomputers have come a long way.
youtube.com/embed/tJdB3QZpVKA?…
Ditto That
In the 1982 movie Fast Times At Ridgemont High, a classroom of students receives a set of paperwork to pass backward. Nearly every student in the room takes a big whiff of their sheet before setting it down. If you know, you know, I guess, but if you don’t, keep reading.
Those often purple-inked papers were fresh from the ditto machine, or spirit duplicator. Legend has it that not only did they smell good when they were still wet, inhaling the volatile organic compounds within would make the sniffer just a little bit lightheaded. But the spirit duplicator didn’t use ghosts, it used either methanol (wood alcohol), isopropyl, or, if you were loaded, ethyl alcohol.
Invented in 1923 by Wilhelm Ritzerfeld, ditto machines were popular among schools, churches, and clubs for making copies of worksheets, fliers, and so on before the modern copy machine became widespread in the 1980s. Other early duplicating machines include the mimeograph, the hectograph, and the cyclostyle.
Getting A Handle On Duplication
To use the ditto machine, one would first make a master copy using a special sheet of paper with a special type of waxy ink on the back that dissolves in alcohol. These types of sheets are still around today, in a way — if you’ve ever gotten a tattoo, you know that they don’t usually just freehand it; the artist will draw out your design on special paper that they can then use to lay down a temporary tattoo on your freshly-shaved skin before going for it.
But don’t get too excited; tattoo transfer sheets aren’t compatible with ditto machines for a number of reasons. As I mentioned, ditto sheets use alcohol to transfer the ink, and tattoo sheets use heat and pressure. They’re too thin for the mechanics of the ditto machine’s drum, anyway.
So once you’ve typed or drawn up your master sheet, you’d mount it on the drum of the ditto machine. Then, with a big crank handle, you’d roll the drum over sheet after sheet until you had what you needed. The average master could make roughly 50 to 500 copies depending a number of factors.
The rise of higher-quality master sheets is largely responsible for this wide range, but there are other factors at play, like the color that gets used. Purple was made from a dye called aniline purple and lasted longest on paper, although there was also green, red, and black. You see a lot of purple dittos because of its vibrancy and the fact that it was highly soluble in alcohol.
The type of paper entered into the equation as well: absorbent paper like newsprint would make fewer copies than smoother, less porous bond paper. And, as you might imagine, dense text and images used more ink and would wear out the master faster.
youtube.com/embed/ccYLLzpeVnU?…
As with many paper-based things from decades ago, the durability of dittoes is not so great. They will fade gradually when exposed to UV light. Although there is no citation, Wikipedia claims that the average ditto would fade in direct sunlight after about a month. It goes on to assume that most ditto machine users printed onto low-quality paper and will eventually “yellow and degrade due to residual acid in the untreated pulp”.
Not a Mimeograph
It’s worth mentioning that mimeographs are not quite the same thing as ditto machines. For one thing, ditto machines were often hand cranked, and many mimeographs were motorized. Interestingly enough, the mimeograph predates the spirit duplicator, having been patented on August 8, 1876 by Thomas Edison and popularized by the A.B. Dick Company in the 1880s.
Also known as stencil duplicators, mimeographs were a competing technology that used ink and stencils to produce 50 to several thousand copies. A special stencil sheet bearing a wax coating would be typed on a regular typewriter with the ribbon disengaged and the machine set to this mode, and/or written or drawn upon using a special stylus and lettering guides.
The stencil sheet would then be fed into the machine, which had a large drum with an ink pad. The mimeograph would then squish ink through the stencil and onto the paper. You can see all this and more in the video below, which illustrates just how much of an art this whole process was compared to makin’ copies today.
youtube.com/embed/gYjj62eGwc8?…
Mimeographs were largely done in black, but color could be done “easily”, as the video demonstrates. You basically had to hand paint the colors onto your stencil. It doesn’t seem as though changing out the giant ink pad was an option. Unlike dittoes, mimeographs required better paper, so they should last longer in theory.
Before You Run Off
Duplication for the common man is as important as the printing press itself. While today you might just set the printer to provide the number of copies you need, the history of duplication shows that we’ve come a long way in terms of effort on the user’s end. Keep this in mind the next time you want to go Office Space on it.
MIT Wants You to Secure Your Hardware Designs
When you think of attacking or defending computer systems, you probably think of software viruses and the corresponding anti-virus software. But MIT’s 6.5950 class teaches secure hardware design — how to attack and defend CPUs from bad actors. Interested? The course is open source, so you can follow along as long as you don’t mind not getting a grade.
Browsing some of the lecture slides shows that the material isn’t as stuffy as you might imagine. A slide about side channel attacks, for example, features an article called “And Bomb the Anchovies,” which says that Washington DC pizza places know when big news is about to break because pizza delivery to places like the White House or the Pentagon trend upward (something spies call pizza-int, by the way).
Even if you don’t have a burning desire to design more secure hardware, some of the lecture slides make for an interesting flip through on a rainy weekend day. For example, the charts about RowHammer (“RowHammer in One Sentence”) is a great explanation about how software can cause DRAM failures to attack a computer. We only wished they’d identified companies A, B, and C in their study. There are also labs and they politely clarify what setup you need to do each lab (typically, just a Linux server, although some you can do with just a browser).
One of the great things about the Internet is that you can virtually audit classes from anywhere in the world, often for free. MIT is always up to something interesting.
Remembering Betty Webb: Bletchley Park & Pentagon Code Breaker
On 31 March of this year we had to bid farewell to Charlotte Elizabeth “Betty” Webb (née Vine-Stevens) at the age of 101. She was one of the cryptanalysts who worked at Bletchley Park during World War 2, as well as being one of the few women who worked at Bletchley Park in this role. At the time existing societal biases held that women were not interested in ‘intellectual work’, but as manpower was short due to wartime mobilization, more and more women found themselves working at places like Bletchley Park in a wide variety of roles, shattering these preconceived notions.
Betty Webb had originally signed up with the Auxiliary Territorial Service (ATS), with her reasoning per a 2012 interview being that she and a couple of like-minded students felt that they ought to be serving their country, ‘rather than just making sausage rolls’. After volunteering for the ATS, she found herself being interviewed at Bletchley Park in 1941. This interview resulted in a years-long career that saw her working on German and Japanese encrypted communications, all of which had to be kept secret from then 18-year old Betty’s parents.
Until secrecy was lifted, all her environment knew was that she was a ‘secretary’ at Bletchley Park. Instead, she was fighting on the frontlines of cryptanalysis, an act which got acknowledged by both the UK and French governments years later.
Writing The Rulebook
Although encrypted communications had been a part of warfare for centuries, the level and scale was vastly different during World War 2, which spurred the development of mechanical and electronic computer systems. At Bletchley Park these were the Bombe and Colossus computers, with the former being an electro-mechanical system. Both were used for deciphering German Enigma machine encrypted messages, with the tube-based Colossus taking over starting in 1943.
After enemy messages were intercepted, it was the task of these systems and the cryptanalysis experts to decipher them as quickly as possible. With the introduction of the Enigma machine by the Axis, this had become a major challenge. Since each message was likely to relate to a current event and thus time-sensitive, any delay in decrypting it would render the resulting decrypted message less useful. Along with the hands-on decrypting work, there were many related tasks to make this process work as smoothly and securely as possible.
Betty’s first task at Bletchley was to do the registering of incoming messages, which she began with as soon as she had been subjected to the contents of the Official Secrets Act. This forbade her from disclosing even the slightest detail of what she did or had seen at Bletchley, at the risk of severe punishment.
As was typical at Bletchley Park, each member of the staff there was kept as much in the dark of the whole as possible for operational security reasons. This meant that of the thousands of incoming messages per day, each had to be carefully kept in order and marked with a date and obfuscated location. She did see a Colossus computer once when it was moved into one of the buildings, but this was not one of her tasks, and snooping around Bletchley was discouraged for obvious reasons.
Paraphrasing
Although Betty’s German language skills were pretty good thanks to her mother’s insistence that she’d be able to take care of herself whilst travelling on the continent, the requirements for the translators at Bletchley were much more strict, and thus eventually she ended up working in the Japanese section located in Block F. After decrypting and translating the enemy messages, the texts were not simply sent to military headquarters or similar, but had to be paraphrased first.
The paraphrasing task entails pretty much what it says: taking the original translated message and paraphrasing it so that the meaning is retained, but any clues about what the original message was from which it was paraphrased is erased. In the case that such a message then falls into enemy hands, via a spy at HQ, it is made much harder to determine where this particular information was intercepted.
Betty was deemed to be very good at this task, which she attributed to her mother, who encouraged her to relate stories in her own words. As she did this paraphrasing work, the looming threat of the Official Secrets Act encouraged those involved with the work to not dwell on or remember much of the texts they read.
In May of 1945 with the war in Europe winding down, Betty was transferred to the Pentagon in the USA to continue her paraphrasing work on translated Japanese messages. Here she was the sole ATS girl, but met up with a girl from Hull with whom she had to share a room, and bed, in the rundown Cairo hotel.
With the surrender of Japan the war officially came to an end, and Betty made her way back to the UK.
Secrecy’s Long Shadow
When the work at Bletchley Park was finally made public in 1975, Betty’s parents had sadly already passed away, so she was never able to tell them the truth of what she had been doing during the war. Her father had known that she was keeping a secret, but because of his own experiences during World War 1, he had shown great understanding and appreciation of his daughter’s work.
After keeping her secrets along with everyone else at Bletchley, the Pentagon and elsewhere, Betty wasn’t about to change anything about this. Her husband had never indicated any interest in talking about it either. In her eyes she had just done her duty and that was good enough, but when she got asked to talk about her experiences in 1990, this began a period in which she would not only give talks, but also write about her experiences. In 2015 Betty was appointed a Member of the Order of the British Empire (MBE) and in 2021 as a Chevalier de la Légion d’Honneur (Knight of the Legion of Honour) in France.
Today, as more and more voices from of those who experienced World War 2 and who were involved the heroic efforts to stop the Axis forces fall silent, it is more important than ever to recognize their sacrifices and ingenuity. Even if Betty Webb didn’t save the UK by her lonesome, it was the combined effort from thousands of individuals like her that cracked the Enigma encryption and provided a constant flow of intel to military command, saving countless lives in the process and enabling operations that may have significantly shortened the war.
Top image: A Colossus Mark 2 computer being operated by Dorothy Du Boisson (left) and Elsie Booker (right), 1943 (Credit: The National Archives, UK)
Phishing come se non ci fosse un domani! Arriva Lucid PhaaS, la piattaforma cinese per truffe globali
Gli esperti hanno scoperto una piattaforma PhaaS (phishing-as-a-service) chiamata Lucid che ha attaccato 169 organizzazioni in 88 paesi utilizzando messaggi inviati tramite iMessage (iOS) e RCS (Android).
Gli analisti di Prodaft riferiscono che Lucid è nata a metà del 2023 ed è gestita da hacker cinesi del gruppo XinXin (noto anche come Black Technology). Lucid viene venduto ad altri aggressori tramite abbonamento, dando loro accesso a 1.000 domini di phishing, siti di phishing generati automaticamente e strumenti di invio di spam di livello professionale.
Si nota inoltre che in precedenza XinXin utilizzava la piattaforma Darcula per le sue operazioni, il che indica una potenziale connessione tra le due piattaforme PhaaS. Gli abbonamenti Lucid vengono venduti tramite un canale Telegram dedicato (con oltre 2.000 membri) e vengono forniti ai clienti con licenze settimanali. XinXin sostiene di inviare oltre 100.000 messaggi di phishing al giorno a potenziali vittime tramite Rich Communication Services (RCS) e Apple iMessage. Poiché i messaggi sono protetti dalla crittografia end-to-end, è possibile aggirare i filtri antispam.
“La piattaforma utilizza un meccanismo automatizzato per effettuare attacchi, distribuendo siti di phishing personalizzati, i cui link vengono distribuiti principalmente tramite esca SMS”, scrive Prodaft. “Per migliorare l’efficienza, Lucid sfrutta le tecnologie Apple iMessage e Android RCS per aggirare i tradizionali filtri antispam e migliorare significativamente la recapitabilità e l’efficacia.”
Per inviare messaggi, gli operatori Lucid utilizzano grandi quantità di dispositivi iOS e Android. Per lavorare con iMessage vengono utilizzati ID Apple temporanei, mentre per RCS gli aggressori sfruttano errori specifici nella convalida del mittente per determinati operatori.
Le campagne di phishing prendono di mira principalmente i paesi europei, il Regno Unito e gli Stati Uniti. I messaggi di phishing sono solitamente camuffati da notifiche di consegna, avvisi fiscali, notifiche di pagamento del parcheggio.
Ciò comporta l’utilizzo di tutti i loghi e marchi necessari, nonché del linguaggio appropriato, per soddisfare il target demografico e filtrare le vittime in base alla geolocalizzazione.
Quando le vittime cliccano sui link di phishing, vengono reindirizzate a false landing page che si spacciano per siti web governativi o del settore privato, tra cui USPS, DHL, Royal Mail, FedEx, Revolut, Amazon, American Express, HSBC, E-ZPass, SunPass, Transport for London e altri.
Queste pagine di phishing sono progettate per rubare informazioni personali e finanziarie, tra cui nomi completi, indirizzi e-mail, indirizzi fisici e dati delle carte di credito. Lucid offre ai propri clienti un validatore di carte bancarie affinché gli aggressori possano verificare immediatamente i dati rubati.
Le carte funzionanti vengono poi vendute ad altri criminali informatici o utilizzate per scopi fraudolenti.
L'articolo Phishing come se non ci fosse un domani! Arriva Lucid PhaaS, la piattaforma cinese per truffe globali proviene da il blog della sicurezza informatica.
A Very Trippy Look at Microsoft’s Beginnings
It’s not often you’ll see us singing the praises of Microsoft on these pages, but credit where credit is due, this first-person account of how the software giant got its foot in the proverbial door by Bill Gates himself is pretty slick.
Now it’s not the story that has us excited, mind you. It’s the website itself. As you scroll down the page, the text and images morph around in a very pleasing and retro-inspired way. Running your cursor over the text makes it flip through random ASCII characters, reminding us a bit of the “decryption” effect from Sneakers. Even the static images have dithering applied to them as if they’re being rendered on some ancient piece of hardware. We don’t know who’s doing Billy’s web design, but we’d love to have them come refresh our Retro Edition.
There was just one problem — Bill and Paul lied. They had never even seen an Altair in person, let alone wrote any code for one. So they set off on a mad dash to complete the project in time, with Allen famously still working on the code on the plane as they flew to the meeting. As you’ve probably guessed, they ended up pulling it off, and the rest is history.
At the very end of the page, you can download the actual source code for Altair BASIC that Gates and Allen co-delivered, presented as scans of the original printout. A little light reading as you wait to find out if that latest Windows update that’s installing is going to tell you that your machine is too old to use anymore.
Handheld 18650 Analyzer Scopes Out Salvaged Cells
You can salvage lithium 18650 cells from all sorts of modern gadgets, from disposable vapes to cordless power tools. The tricky part, other than physically liberating them from whatever they are installed in, is figuring out if they’re worth keeping or not. Just because an 18650 cell takes a charge doesn’t necessarily mean it’s any good — it could have vastly reduced capacity, or fail under heavy load.
If you’re going to take salvaging these cells seriously, you should really invest in a charger that is capable of running some capacity tests against the cell. Or if you’re a bit more adventurous, you can build this “Battery Health Monitor” designed by [DIY GUY Chris]. Although the fact that it can only accept a single cell at a time is certainly a limitation if you’ve got a lot of batteries to go though, the fact that it’s portable and only needs a USB-C connection for power means you can take it with you on your salvaging adventures.
With these two purpose-built chips doing a lot of the heavy lifting, it only takes a relatively simple microcontroller to tie them together and provide user feedback. In this case [DIY GUY Chris] has gone with the ATmega328P, with a pair of addressable WS2812B LED bars to show the battery’s health and charge levels. As an added bonus, if you plug the device into your computer, it will output charging statistics over the serial port.
The whole project is released under the MIT license, and everything from the STL files for the 3D printed enclosure to the MCU’s Arduino-flavored firmware is provided. If you’re looking to build one yourself, you can either follow along with the step-by-step assembly instructions, or watch the build video below. Or really treat yourself and do both — you deserve it.
If your battery salvaging operation is too large for a single-cell tester, perhaps it’s time to upgrade to this 40-slot wall mounted unit.
youtube.com/embed/RCJagutQ1Ck?…
Kidflix è crollato! La piattaforma dell’orrore è stata smantellata: 79 arresti e 39 bambini salvati
Oggi i bambini sono un po’ più al sicuro grazie ad una operazione di polizia coordinata da Europol che ha portato alla chiusura di Kidflix. Si tratta di una delle più grandi piattaforme online di sfruttamento sessuale minorile. L’operazione ha condotto a 79 arresti e alla protezione di 39 bambini in tutto il mondo.
In un’azione coordinata senza precedenti, le autorità di oltre 35 paesi hanno messo a tacere Kidflix, una delle più grandi piattaforme pedofile al mondo, nell’ambito di un’operazione internazionale contro lo sfruttamento sessuale dei minori.
L’indagine, supportata da Europol e guidata dalla Polizia Criminale Statale della Baviera (Bayerisches Landeskriminalamt) insieme all’Ufficio Centrale Bavarese per la Repressione dei Reati Informatici (ZCB), ha dimostrato ancora una volta come la cooperazione transfrontaliera sia essenziale nella lotta contro il crimine.
Un Successo Operativo su Scala Globale
Tra aprile 2022 e marzo 2025, ben 1,8 milioni di utenti in tutto il mondo si sono collegati alla piattaforma, rendendola un vero e proprio punto di riferimento per il traffico illecito di materiale pedopornografico. L’11 marzo 2025, le autorità tedesche e olandesi hanno sequestrato il server che, all’epoca, ospitava circa 72.000 video, dando il via a una serie di operazioni che hanno portato all’identificazione di quasi 1.400 sospettati.
Fino ad oggi, 79 individui sono stati arrestati per aver condiviso e distribuito CSAM, e alcuni di loro sono stati coinvolti non solo nel caricamento e nella visione dei video, ma anche in veri e propri abusi sui minori. L’indagine, tuttora in corso, continua a far luce su questa rete criminale che sfrutta la tecnologia per alimentare una delle forme più efferate di sfruttamento.
Una Piattaforma dal Doppio Volto
Kidflix, nata nel 2021 dall’iniziativa di un criminale informatico, ha rapidamente guadagnato popolarità tra i pedofili grazie a un modello di business innovativo e spregiudicato. La piattaforma non si limitava a consentire il download di CSAM: offriva anche la possibilità di trasmettere in streaming file video, con sistemi di pagamento basati su criptovalute convertite in token. Gli utenti potevano guadagnare token caricando contenuti, verificando titoli e descrizioni, e assegnando categorie ai video, che venivano poi resi disponibili in versioni di bassa, media e alta qualità.
Secondo le autorità, su Kidflix sono stati caricati e condivisi ben 91.000 video unici, per una durata complessiva di 6.288 ore, con una media di circa 3,5 nuovi video ogni ora. Questi numeri preoccupanti evidenziano quanto la piattaforma abbia facilitato e amplificato il traffico di materiale illecito, spesso precedentemente sconosciuto alle forze dell’ordine.
Il Ruolo Cruciale dell’Europol e una lezione per il futuro
L’operazione, denominata “Stream“, ha segnato un punto di svolta nella lotta contro lo sfruttamento sessuale dei minori online, rappresentando la più grande azione di questo genere mai condotta da Europol.
Gli analisti del Centro Europeo per la Criminalità Informatica (EC3) hanno fornito un supporto operativo fondamentale, analizzando migliaia di video e incrociando dati in tempo reale per facilitare l’indagine.
La lotta contro il crimine informatico richiede unità, determinazione e una vigilanza costante. La vicenda di Kidflix è un monito e un invito a non abbassare mai la guardia: proteggere i bambini è una responsabilità che riguarda ognuno di noi.
L'articolo Kidflix è crollato! La piattaforma dell’orrore è stata smantellata: 79 arresti e 39 bambini salvati proviene da il blog della sicurezza informatica.
Arriva Flipper One! : Kali Linux, FPGA e SDR in un solo dispositivo?
Uno degli autori di Flipper Zero, Pavel Zhovner, ha condiviso i dettagli su come stanno procedendo i lavori su una nuova versione del multi-strumento per hacker: Flipper One. Lo sviluppatore ha pubblicato un video di circa mezz’ora sul suo canale Telegram, in cui parla della creazione di un’interfaccia per il nuovo dispositivo.
Ricordiamo che nel 2020 Flipper Zero è stato annunciato come modello junior nella linea di strumenti di pentesting. All’epoca, Pavel Zhovner dichiarò che Flipper One, era stato progettato come una versione più avanzata per attacchi alle reti cablate e wireless. Si supponeva che l’One avesse tutte le funzionalità dello Zero, più un computer ARM separato con Kali Linux a bordo.
Sebbene da allora non ci fossero praticamente più notizie sullo sviluppo di Flipper One, nel 2023 Pavel Zhovner disse a Dana Shepovalov in un’intervista che erano in corso lavori attivi su Flipper One. “Vogliamo creare una soluzione potente e versatile, combinando FPGA e SDR per consentire la definizione programmabile di qualsiasi protocollo. Tuttavia, resta il dubbio se gli utenti sarebbero disposti ad acquistare un dispositivo dal costo compreso tra 300 e 500 dollari. Per questo motivo, il progetto è ancora in piena fase di ricerca e sviluppo. Ad esempio, la scelta del modulo Wi-Fi non è stata ancora finalizzata, poiché tutti i chip attualmente disponibili e adatti agli attacchi risultano ormai obsoleti”, ha dichiarato Zhovner.
Come si è capito dal nuovo video, la forma del dispositivo è quasi approvata per Flipper One ed è in fase di realizzazione uno schermo personalizzato con una risoluzione di 256×144 pixel. Lo schermo e la risoluzione vengono selezionati in base alla lingua, alle tastiere e alle proporzioni del nuovo prodotto.
Attualmente gli sviluppatori sono impegnati a “inventare un’interfaccia” e a lavorare sull’ergonomia del dispositivo. “Innanzitutto, devi sapere che il dispositivo opera in due modalità. Dispone di un coprocessore, ovvero un microcontrollore sempre attivo, che gestisce alcune funzioni anche quando il sistema principale è spento. In questa modalità, il dispositivo permette di visualizzare il livello di carica e di funzionare come power bank. Quando colleghi un dispositivo a Flipper per la ricarica, il display mostra la potenza erogata e il consumo. Inoltre, può accendere la retroilluminazione dello schermo, attivare i pulsanti e offrire un semplice menu di navigazione. Può persino essere utilizzato come tester USB: basta collegarlo a un alimentatore per verificare l’erogazione di energia. La seconda modalità si attiva quando entra in funzione il processore principale. Il primo passo in questo stato è il caricamento del bootloader, che ti permette di scegliere quale sistema operativo avviare (ad esempio, Android TV, Linux o un’altra variante di Linux). Successivamente, il sistema operativo selezionato si avvia e diventa completamente operativo”, afferma Zhovner nel video.
Attualmente, gli sviluppatori sono giunti alla conclusione che per controllare il dispositivo saranno necessari otto pulsanti: uno stick, un D-pad con un pulsante “OK”, un pulsante Alt+Tab (per passare da un programma all’altro), quattro pulsanti software e un pulsante di accensione.
A giudicare dalla foto pubblicata sul canale Telegram, si suppone che Flipper One avrà questo aspetto.
Lo sviluppatore spiega che, secondo lui, tutti i cyberdeck sono pessimi perché nessuno scrive un’interfaccia grafica specifica per essi e un sistema operativo completo su uno schermo piccolo è semplicemente scomodo da usare. “Nessuno scrive mai una GUI, ma io voglio creare una GUI che implementi le funzionalità di sistema: esegua SystemD, NetworkManager e così via. Più wrapper per il software applicativo. Cioè, una specie di linguaggio nostro, un sottoprocesso Python e un wrapper per i programmi applicativi userspace, e affinché la comunità possa aggiungervi qualcosa. Cioè, oggi hanno creato un wrapper per nmap, domani un wrapper per il programma Traceroute, dopodomani per htop e così via. Mi sembra che sia molto più semplice, quindi mi aspetto che la comunità scriverà molti di questi wrapper per i propri programmi”, afferma Zhovner. Sottolinea che sarebbe fantastico se l’idea di un’interfaccia utente grafica per sistemi embedded potesse evolversi e apportare vantaggi agli sviluppatori terzi.
L'articolo Arriva Flipper One! : Kali Linux, FPGA e SDR in un solo dispositivo? proviene da il blog della sicurezza informatica.
The Magic Touch: A 555 Touch Switch
There seems to be nothing a 555 can’t do. We’ve seen it before, but [electronzapdotcom] reminds us you can use a 555 and a few parts to make a reasonable touch switch. The circuit lives on a breadboard, as shown in the video below.
The circuit uses some very large resistors so that noise from your body can overcome the logic level on the trigger and threshold inputs. You can easily adapt this idea if you need a simple touch switch. Though we imagine this circuit wouldn’t work well if you were in a quiet environment. We suspect 50 or 60 Hz hum is coupling through your finger and triggering the pins, but it could be a different effect.
How reliable is it? Beats us. The circuit is a bistable, so essentially your finger pumps a signal into a flip-flop. This is old trick, but could be useful. Of course, if you really need a touch switch, you have plenty of options. You can get little modules. Or, directly measure skin resistance.
youtube.com/embed/IfS6JmnjBhQ?…
Monitor Your Smart Plugs on the Command Line
The plethora of smart home devices available today deliver all manner of opportunities, but it’s fair to say that interfacing with them is more often done in the browser or an app than in the terminal. WattWise from [Naveen Kulandaivelu] is a tool which changes all that, it’s a command-line interface (CLI) for power monitoring smart plugs.
Written in Python, the tool can talk either directly to TP-Link branded smart plugs, or via Home Assistant. It tracks the power consumption with a simple graph, but the exciting part lies in how it can be used to throttle the CPU of a computer in order to use power at the points in the day when it is cheapest. You can find the code in a GitHub repository.
We like the idea of using smart plugs as instruments, even if they may not be the most accurate of measurement tools. It takes them even further beyond the simple functionality and walled-garden interfaces provided by their manufacturers, which in our view can only be a good thing.
Meanwhile, for further reading we’ve looked at smart plugs in detail in the past.
One Book to Boot Them All
Somewhere in the universe, there’s a place that lists every x86 operating system from scratch. Not just some bootloaders, or just a kernel stub, but documentation to build a fully functional, interrupt-handling, multitasking-capable OS. [Erik Helin and Adam Renberg] did just that by documenting every step in The Little Book About OS Development.
This is not your typical dry academic textbook. It’s a hands-on, step-by-step guide aimed at hackers, tinkerers, and developers who want to demystify kernel programming. The book walks you through setting up your environment, bootstrapping your OS, handling interrupts, implementing virtual memory, and even tackling system calls and multitasking. It provides just enough detail to get you started but leaves room for exploration – because, let’s be honest, half the fun is in figuring things out yourself.
Completeness and structure are two things that make this book stand out. Other OS dev guides may give you snippets and leave you to assemble the puzzle yourself. This book documents the entire process, including common pitfalls. If you’ve ever been lost in the weeds of segmentation, paging, or serial I/O, this is the map you need. You can read it online or fetch it as a single 75-page long PDF.
Mockup photo source: Matthieu Dixte
ShadowPad e SparrowDoor 2.0: la nuova minaccia APT che spia governi e istituzioni
Nel luglio 2024, i ricercatori di ESET hanno rilevato una nuova ondata di attività attribuita al gruppo APT FamousSparrow, noto per aver condotto campagne di cyberespionaggio contro obiettivi governativi e istituzionali di alto profilo. Dopo un apparente periodo di inattività durato dal 2022 al 2024, il gruppo è tornato alla ribalta con nuove varianti del backdoor SparrowDoor, miglioramenti tecnici significativi e un arsenale che ora include anche ShadowPad, impiegato per la prima volta.
Target strategici: USA e Messico nel mirino
L’analisi ESET ha rivelato che FamousSparrow ha compromesso una organizzazione del settore finanziario statunitense e un istituto di ricerca messicano. La scelta dei target non è casuale: entrambi rivestono ruoli strategici, rispettivamente nella geopolitica e nello sviluppo tecnologico della regione. Gli attacchi sono avvenuti tra il 11 e il 25 luglio 2024, sfruttando server vulnerabili e sistemi obsoleti, presumibilmente con versioni di Microsoft Exchange Server e Windows Server non aggiornate.
Evoluzione dello strumento: SparrowDoor 2.0
Due nuove versioni del malware SparrowDoor sono state scoperte durante l’analisi forense. La prima è una versione migliorata del backdoor classico, mentre la seconda è modulare e presenta caratteristiche di parallelizzazione dei comandi, una novità assoluta per il gruppo. Entrambe mostrano un salto di qualità a livello architetturale, riducendo l’uso di codice ridondante e migliorando la capacità di evasione.
Una delle due versioni mostra forti analogie con CrowDoor, un backdoor usato da Earth Estries, altro gruppo APT allineato alla Cina. Questo ha portato i ricercatori a ipotizzare una collaborazione o un framework condiviso all’interno di una più ampia infrastruttura offensiva cinese.
ShadowPad: il malware modulare che si evolve
Per la prima volta nella storia operativa del gruppo, FamousSparrow ha fatto uso di ShadowPad, backdoor modulare inizialmente scoperta nel 2017. ShadowPad è stato già collegato a diversi gruppi sponsorizzati dalla Cina ed è noto per le sue capacità di post-exploitation, grazie a un’architettura plugin-based.
Il suo utilizzo da parte di FamousSparrow rappresenta un cambio di passo e una professionalizzazione degli strumenti adottati, coerente con le recenti tendenze di convergenza tra gruppi APT cinesi.
Persistenza e invisibilità
Uno degli aspetti più interessanti di questa campagna è l’evidenza che FamousSparrow non era inattivo, ma semplicemente sotto il radar. Dal 2022 al 2024, infatti, il gruppo ha continuato a sviluppare e perfezionare i propri tool, segno di una pianificazione strategica a lungo termine e di un’elevata OPSEC (Operational Security). L’attacco mostra inoltre un uso bilanciato di:
- Strumenti custom proprietari (SparrowDoor, HemiGate)
- Malware condivisi (ShadowPad)
- Strumenti open source
- Shell web distribuite su server IIS
Analisi Threat Intelligence
Questi aspetti sono ben rappresentati nella mappa relazionale elaborata dai ricercatori, dove FamousSparrow è posto al centro di un ecosistema che collega paesi colpiti (tra cui Stati Uniti, Messico e Honduras), settori strategici (governo e finanza), e una triade di strumenti offensivi: SparrowDoor, HemiGate e ShadowPad. Quest’ultimo è stato utilizzato dal gruppo per la prima volta, segnando un’evoluzione nella loro dotazione tecnica. ShadowPad, noto per essere un backdoor modulare ad alto potenziale, è già stato impiegato da altri gruppi APT cinesi come APT41, Winnti e Earth Lusca. Il suo impiego da parte di FamousSparrow rafforza l’ipotesi di convergenza tattica e tecnica tra più gruppi APT allineati alla Cina, e viene evidenziato nel grafo attraverso l’interconnessione di numerosi indicatori di compromissione condivisi, IP malevoli e tecniche MITRE ATT&CK.
L’immagine è eloquente anche nel mostrare le evidenze digitali che sostengono l’attribuzione: indirizzi IP, hash di file, e payloads tracciati nella rete. Da notare la presenza di tecniche come T1055 (Injection di codice), T1190 (exploit di servizi esposti), e T1543.003 (persistenza tramite servizi di sistema), tutti usati in combinazione per garantire accesso continuo e capacità di comando e controllo.rna difesa cibernetica.
Conclusioni
La rinnovata attività di FamousSparrow dimostra che i gruppi APT di alto profilo continuano a evolversi, raffinando le proprie tecniche in silenzio e colpendo con precisione chirurgica quando si presentano le condizioni favorevoli. L’integrazione di backdoor avanzati come ShadowPad, lo sviluppo modulare e l’uso di tecniche avanzate come la parallelizzazione dei comandi dimostrano un salto qualitativo nelle capacità offensive.
Per le aziende e le istituzioni, è un chiaro segnale: l’apparente silenzio di un attore APT non va mai scambiato per inattività. La minaccia spesso si cela sotto il livello di rilevamento e agisce con sofisticazione, attendendo il momento giusto per colpire.
L'articolo ShadowPad e SparrowDoor 2.0: la nuova minaccia APT che spia governi e istituzioni proviene da il blog della sicurezza informatica.
Programmer’s Macro Pad Bangs Out Whole Functions
Macro pads are handy for opening up your favorite programs or executing commonly used keyboard shortcuts. But why stop there?
That’s what [Jeroen Brinkman] must have been thinking while creating the Programmer’s Macro Pad. Based on the Arduino Pro Micro, this hand-wired pad is unique in that a single press of any of its 16 keys can virtually “type” out multiple lines of text. In this case, it’s a capability that’s being used to prevent the user from having to manually enter in commonly used functions, declarations, and conditional statements.
For example, in the current firmware, pressing the “func” key will type out a boilerplate C function:
int () { //
;
return 0;
}; // f
It will also enter in the appropriate commands to put the cursor where it needs to be so you can actually enter in the function name. The other keys such as “array” and “if” work the same way, saving the user from having to enter (and potentially, even remember) the correct syntax.
The firmware is kept as simple as possible, meaning that the functionality of each key is currently hardcoded. Some kind of tool that would let you add or change macros without having to manually edit the source code and flash it back to the Arduino would be nice…but hey, it is a Programmers Macro Pad, after all.
Looking to speed up your own day-to-day computer usage? We’ve covered a lot of macro pads over the years, we’re confident at least a few of them should catch your eye.
FLOSS Weekly Episode 827: Yt-dlp, Sometimes You Can’t See the Tail
This week, Jonathan Bennett chats with Bashonly about yt-dlp, the audio/video downloader that carries the torch from youtube-dl! Why is this a hard problem, and what does the future hold for this swiss-army knife of video downloading? Watch to find out!
youtube.com/embed/ed93yLiUqxM?…
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
play.libsyn.com/embed/episode/…
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Places to follow the FLOSS Weekly Podcast:
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
hackaday.com/2025/04/02/floss-…
Supercon 2024: Rethinking Body Art With LEDs
Tattoos. Body paint. Henna. All these are popular kinds of body art with varying histories and cultural connotations, many going back centuries or even longer. They all have something in common, though—they all change how the body reflects light back to the viewer. What if, instead, body art could shine a light of its very own?
This is the precise topic which [Katherine Connell] came to discuss at the 2024 Hackaday Supercon. Her talk concerns rethinking body art with the use of light emitting diodes—and is both thoroughly modern and aesthetically compelling. Beyond that, it’s an engineering development story with liquid metal and cutting-edge batteries that you simply don’t want to miss!
youtube.com/embed/nitjlnkYz0Q?…
The inspiration behind this project was simple. [Katherine] grew up in the 80s, and being exposed to that neon-soaked era gave her a desire to glow-in-the-dark. However, she didn’t want to get into any hardcore body modification—hence, she pursued a non-invasive stick-on solution.
As you might imagine, creating these wasn’t trivial. They need to stick to the skin for long periods of time without causing irritation, while also being lightweight and slim enough to be practical to wear. Indeed, to that end, Sprite Lights are less than 1.5 mm thick—an impressive engineering feat.
Her first attempts involved creating a synthetic skin-like material using latex, with LEDs stuck underneath. However, this wasn’t a particularly desirable solution. Latex allergies are relatively common, and producing the designs took a lot of careful hand-soldering and manual work. It was also difficult to attach the latex to the skin, and to color match it with the wearer to make it look right.
From there, [Katherine] experimented with 3D-printing thin films with transparent PLA, with LEDs underneath. This was a much quicker way to work, but still didn’t attach well to the skin and had some aesthetic flaws. Another 3D-printing attempt saw [Katherine] create molds to produce transparent silicone films with LEDs embedded underneath, but this again proved very labor intensive and it’s difficult to get silicone to stick to anything, including humans. [Katherine] even tried experimenting with Galinstan, a very off-beat metallic alloy, to make circuits inside flexible silicone. She created viable stretchable circuits but they were not very robust, particularly since the Galinstan tends to melt at body temperature.
Having developed decent flexible circuits that could light up, power was next on the agenda. Desiring to create stick-on devices with an ultra-thin form factor, there was no room to include a traditional battery, so [Katherine] had to figure out how to power Sprite Lights effectively. She found flexible batteries from a company called Zinergy that could deliver 3V and 20 mAh. She was able to specify a custom flat round design, with the company able to make them just 0.7mm thick and 55 mm round. They use a compound similar to regular AA batteries, which is screen printed onto one layer of plastic and sealed with another layer on top. The batteries have the benefit of being safe to place on skin, with no risk of explosion or chemical exposure, even if they happen to be punctured or cut while worn. Perhaps the only drawback is that they’re non-rechargeable—they’re safe, but single-use.
Armed with her new batteries, [Katherine] developed her concept further. She stepped up to using commercially-available flex PCBs produced by JLCPCB, in place of her homebrewed concepts used previously. She combined these with the flexible Zinergy batteries underneath, and custom-made die-cut stickers from MakeStickers on top. This gave her an art layer, an LED circuit layer, and a battery layer underneath, with a hypoallergenic medical tape used as the final layer to stick the assembly to the skin. An intermediate fabric tape layer is included to connect the battery’s contacts to the flex PCB, which is populated with LEDs. By leaving a paper layer on the fabric tape between the contacts, this allows the Sprite Light to remain off until it’s ready to be used. The combination comes in under 1.5 mm thick.
ED NOTE: Grabbed some pictures from the SpriteLights website.
Ultimately, Sprite Lights are a super-cool piece of body art. But beyond that, [Katherine] told us the great engineering story behind these astounding self-glowing stickers. As her fine example demonstrates, you can do really cool things if you just keep working at it and teach yourself the right skills along the way!
hackaday.com/2025/04/02/superc…
70 DIY Synths on One Webpage
If you want to dip your toes into the deep, deep water of synth DIY but don’t know where to start, [Atarity] has just the resource for you. He’s compiled a list of 70 wonderful DIY synth and noise-making projects and put them all in one place. And as connoisseurs of the bleepy-bloopy ourselves, we can vouch for his choices here.
The collection runs that gamut from [Ray Wilson]’s “Music From Outer Space” analog oddities, through faithful recreations like Adafruit’s XOXBOX, and on to more modern synths powered by simple microcontrollers or even entire embedded Linux devices. Alongside the links to the original projects, there is also an estimate of the difficulty level, and a handy demo video for every example we tried out.
Our only self-serving complaint is that it’s a little bit light on the Logic Noise / CMOS-abuse side of synth hacking, but there are tons of other non-traditional noisemakers, sound manglers, and a good dose of musically useful devices here. Pick one, and get to work!