This Week In Security: Roundcube, Unified Threat Naming, And AI Chat Logs

Up first, if you’re running a Roundcube install prior to 1.5.10 or 1.6.11, it’s time to update. We have an authenticated Remote Code Execution (RCE) in the Roundcube Webmail client. And while that’s not quite the level of chaos that an unauthenticated RCE would cause, it’s still to be taken seriously. Mainly because for the majority of the 53 million Roundcube installs out there, the users aren’t entirely trusted.

The magic at play in this vulnerability is the Roundcube user session code, and specifically the session deserialization scheme. There’s a weird code snippet in the unserialize function:
if ($str[$p] == '!') {   // a leading '!' is treated as a marker for an entry without a value
    $p++;                // skip the marker character...
    $has_value = false;  // ...and assume nothing follows it, even when something does

The exclamation mark makes the code skip a character and then assume that what comes next has no value. If it does actually have a value, you end up with a slightly corrupted deserialization, and therefore a slightly corrupted session. This really comes into force when combined with the file upload function, because the uploaded filename serves as the payload delivery mechanism: use the errant exclamation mark handling to throw off deserialization, and the filename can then contain arbitrary session key/value pairs. A GPG class from the PEAR library allows running an arbitrary command, and it can be hijacked through that session manipulation.

In Film, What’s Old May Still Be New Again

We recently published an affectionate look at a Polaroid Land camera, whose peel-apart instant film is long out of production except for a very few single-exposure packs from a boutique manufacturer. All that was left was a discussion of modifying it for conventional roll film, or perhaps hacking a modern back-to-front Polaroid sheet into it.

Never say never, though, because along comes the Chinese company Light Lens Lab with a short announcement at the end of a post talking about grain structures and anti-halation layer materials for their black and white film.

Lastly, with our future development plan, we are currently developing and researching instant peel-apart film, with plans on producing and making available black and white peel-apart film by 2025 in various formats. We aim to have an update on our packaging and test shots for the next development/research progress installment. We are also researching, developing and producing colour reversal films that consist of a dye-incorporating development process, commonly known as K-14, for 135 and 120 formats in 2026.

So there you go: no sooner has Hackaday declared a format unavailable than it shows every sign of reappearing. At this point we'd like to take the opportunity to report that McDonald's Szechuan Chicken McNugget sauce will never ever be available again.

Soviet Calculator Teardown Reveals Similarities And Differences

Tearing down hardware from different parts of the world can be revealing, showing unique parts, techniques, and tricks employed by engineers living in a very different world from our own. To that end, [msylvain59] has been kind enough to give us a look inside the Elektronika MK-26—a calculator built in the former Soviet Union.

There's lots of interesting stuff to see from the get-go. The oddball button pad is covered in Cyrillic symbols, quite alien to those of us more accustomed to the Latin character set. It's also constructed somewhat unlike more familiar models from Western-aligned companies like Casio or Commodore. It also rattles when shaken, which doesn't inspire confidence. Inside, it's got old-school brown PCBs without the usual green solder mask, a chunky IC in a weird package, and the display is a power-hungry VFD.

It doesn’t look so totally alien inside; much of the construction is pretty typical of the mid-1970s, wherever you went around the world. The most striking differences are more in the graphics and visual design than anything else.

Ultimately, there are reasons why manufacturers around the world tend to converge on similar techniques. Generally, it's because it's more economical or easier to do things a certain way. And yet we still see regional variances, because conditions, technologies, and parts availability vary around the world. This teardown highlights that quite clearly.

If you’re just getting a taste for Soviet hardware teardowns, you’ll love this video diving inside a real Soyuz clock.


SPACEdeck Is Half Cyberdeck, Half Phone Case, All Style

It’s been at least a few hours since Hackaday last featured a cyberdeck, so to avoid the specter of withdrawal, we present you with [Sp4m]’s SPACEdeck, a stylish phone-based cyberdeck!

The case features a great message in an even better font.

The SPACEdeck takes a Samsung Galaxy S24 and puts it into a handsome clamshell case with a wireless keyboard, turning the phone into a tiny-screened laptop that urges you not to panic. Is The Hitchhiker's Guide to the Galaxy available on the Play Store? Well, the e-book of the novel surely is, and having access to Wikipedia comes close. The design builds off (or out from, as the case may be) a 3D-printed phone case for the S24 by Digital Proto.

Given that the Galaxy S24 has more horsepower than the ancient MacBook we're writing this on, this setup is probably going to be more useful than you might think, especially when paired with Termux to give you the full power of Linux.

Like some modern laptops, the screen can rotate 180 degrees for when the keyboard isn't needed. The case will also allow for Nintendo Switch 2 Joy-Con integration, but that's a work in progress for now. The connection points will also be modular so other accessories can be used. All files will be released once [Sp4m] is happy with how the Joy-Cons are holding on, hopefully with a license that will allow us to remix this for other phones.

Given the supercomputers in our pockets, it's really a wonder we don't see more Android-based cyberdecks, but most seem to stick to SBCs. Lately it seems the slabtop form factor has been equally popular for cyberdecks, but it's hard to beat a clamshell for practicality.

A Flashlight Of Fire And Ice

[Daniel Salião Ferreira] may or may not be a Game of Thrones fan, but he does have a fun demo of the Seebeck effect in the form of a flashlight powered by fire and ice. The basic idea is to use a thermocouple, but — in this case — he uses a Peltier effect cooler.

The Peltier and Seebeck effects are two sides of the same coin: the Peltier effect creates heating and cooling when current flows through a thermoelectric material. In contrast, the Seebeck effect generates a voltage when there is a temperature gradient. While thermocouples do produce voltage this way, they usually have much lower power output and are useless as heat pumps.


Building An Analog Echo Plate

These days, when you think reverb, you probably think about a guitar pedal or a plugin in your audio software. But you can also create reverb with a big metal plate and the right supporting electronics. [Tully] from [The Tul Studio] shows us how.

Basically, if you’ve ever smacked a big sheet of metal and heard the thunderous, rippling sound it makes, you already understand the concept here. To turn it into a studio effect, you use transducers to deliver the sound into the plate of metal, and then microphones to pick it back up again at some other point on the plate. Since the sound takes time to travel through the plate, you get a reverb effect.

[The Tul Studio] used a huge cold-rolled steel plate, one meter wide and two meters tall. The plate itself is hung from picture chain, which is strong enough to carry its weight. Old car tweeters are repurposed to act as pickups, while a larger speaker is used to drive sound into the plate. "The key to making it sound not like a tin can is the actual EQ and the electronics," [Tully] explains, providing resources for this purpose.

We love lots of lovely reverbing things around these parts; oddball delays, too! Video after the break.


The Pluto software-defined radio is placed on a desk, connected by three RF cables to an RF bridge circuit board. The RF bridge has a prominent balun taking up most of its area.

Turning The Pluto SDR Into A Network Analyzer

Usually when we see a project using a software-defined radio (SDR), the SDR's inputs and outputs are connected to antennas, but [FromConceptToCircuit]'s project connected an ADALM-Pluto SDR to an RF bridge and a few passive components to make a surprisingly effective network analyzer (part two of the video).

The network analyzer measures two properties of the circuit to which it is connected: return loss (S11) and insertion gain or loss (S21). To measure S21, the SDR feeds a series of tones to the device under test and reads the device's output on one of the SDR's inputs. By comparing the amplitude of the stimulus with the device's output, a Python program can calculate S21 over the range of tested frequencies. To find S11, [FromConceptToCircuit] put an RF bridge in line with the device being tested and connected the bridge's output to the SDR's second input. This allowed the program to calculate the device's impedance, and from that S11.
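The arithmetic behind those two measurements, as an added example that is not [FromConceptToCircuit]'s program: S21 from the amplitude ratio of stimulus and response per tone, and S11 from the impedance the bridge measurement yields. The 50 ohm reference impedance and the sample sweep values are assumptions constructed for the example.

```python
import math

# Added example, not code from the Hackaday article or the project it
# describes. It shows how per-tone amplitude and impedance readings turn
# into S21 and S11 in dB. All sample values below are constructed.

Z0 = 50.0  # reference impedance of the bridge and SDR ports (assumed)


def s21_db(v_in, v_out):
    """Insertion gain (positive) or loss (negative) in dB from the
    stimulus amplitude fed to the device and the amplitude read back."""
    return 20.0 * math.log10(abs(v_out) / abs(v_in))


def reflection_coefficient(z_load, z0=Z0):
    """Gamma = (ZL - Z0) / (ZL + Z0); z_load may be complex."""
    return (z_load - z0) / (z_load + z0)


def s11_db(z_load, z0=Z0):
    """S11 in dB: 0 dB is total reflection, -inf is a perfect match.
    Return loss as usually quoted is the negative of this value."""
    gamma = abs(reflection_coefficient(z_load, z0))
    if gamma == 0:
        return -math.inf
    return 20.0 * math.log10(gamma)


def sweep(frequencies_hz, stimulus, response, impedances):
    """Combine per-tone readings into (frequency, S21 dB, S11 dB) rows."""
    return [(f, s21_db(vi, vo), s11_db(z))
            for f, vi, vo, z in zip(frequencies_hz, stimulus, response, impedances)]


# Constructed three-tone sweep of a device that rolls off with frequency.
FREQS = [1e6, 10e6, 100e6]
V_IN = [1.0, 1.0, 1.0]
V_OUT = [0.98, 0.5, 0.05]
Z_DUT = [50.0, 40 + 30j, 10 - 100j]

if __name__ == "__main__":
    for f, s21, s11 in sweep(FREQS, V_IN, V_OUT, Z_DUT):
        print(f"{f / 1e6:7.1f} MHz  S21 {s21:7.2f} dB  S11 {s11:7.2f} dB")
```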