This Week In Security: DEF CON Nonsense, Vibepwned, And 0-days

August 29, 2025 by Jonathan Bennett 6 Comments

DEF CON happened just a few weeks ago, and it’s time to cover some of the interesting talks. This year there were two talks in particular that are notable for being controversial. Coincidentally both of these were from Track 3. The first was the Passkeys Pwned, a talk by SquareX about how the passkey process can be hijacked by malware.

[Dan Goodin] lays out both the details on Passkeys, and why the work from SquareX isn’t the major vulnerability that they claim it is. First, what is a Passkey? Technically it’s a public/private keypair that is stored by the user’s browser. A unique keypair is generated for each new website, and the site stores the public key. To authenticate with the Passkey, the site generates a random string, the browser signs it with the private key, and the site checks it against the public key. I stand by my early opinion, that Passkeys are effectively just passwords, but with all the best-practices mandated.

So what is the claim presented at DEF CON? Malicious code running in the context of the browser tab can hijack the passkey process. In the demonstrated attack flow, a browser extension caused the Passkey login to fail, and prompted the user to generate a new Passkey. This is an interesting observation, and a clever attack against Passkeys, but is not a vulnerability in the Passkey spec. Or more accurately, it’s an accepted limitation of Passkeys, that they cannot guarantee security in the presence of a compromised browser. Continue reading “This Week In Security: DEF CON Nonsense, Vibepwned, And 0-days” →

No Die? No Problem: RealDice.org Has You Covered

August 29, 2025 by Tyler August 14 Comments

Have you ever been out and about and needed to make a check against INT, WIS or CON but not had a die handy? Sure, you could use an app on your phone, but who knows what pseudorandom nonsense that’s getting up to. [Lazy Hovercraft] has got the solution with his new site RealDice.org, which, well, rolls real dice.

Well, one die, anyway. The webpage presents a button to roll a single twenty-sided die, or “Dee-Twenty” as the cool kids are calling it these days. The rolling is provided by a unit purchased from Amazon that spins the die inside a plastic bubble, similar to this unit we covered back in 2020. (Alas for fans of the venerable game Trouble, it does not pop.) The die spinner’s button has been replaced by a relay, which is triggered from the server whenever a user hits the “roll” button.

You currently have to look at the camera feed with your own eyes to learn what number was rolled, but [Lazy Hovercraft] assures us that titanic effort will be automated once he trains up the CVE database. To that end you are encouraged to help build the dataset by punching in what number is shown on the die.

This is a fun little hack to get some physical randomness, and would be great for the sort of chatroom tabletop gaming that’s so common these days. It may also become the new way we select the What’s That Sound? winners on the Hackaday Podcast.

Before sitting down for a game session, you might want to make sure you’re all using fair dice. No matter how fair the dice, its hard to beat quantum phenomena for random noise.

CAD, From Scratch: MakerCAD

August 29, 2025 by Jenny List 29 Comments

It’s likely that many of you use some form of CAD package, but how many of you have decided you didn’t like the software on offer? [Marcus Wu] did, and instead of griping, he wrote his own CAD software. It’s called MakerCAD, it’s published under an MIT licence, and you can try it yourself.

It’s written in Go, and it’s superficially similar to OpenSCAD in that the interface is through code. The similarity is skin deep though, as it provides the user with constraint solving as described in the video below the break.

As it stands it’s by no means feature complete, but it is now at a point at which it can be evaluated. Simple models can be created and exported as STEP files, so it can be used as a real-world CAD tool.

Whether it will flourish is down to the path it takes and how its community guides it. But we’re pleased to see any new open source projects in this space, which remains overly dominated by proprietary packages. If you try it, write up your experiences, we’d love to see how this develops.

Continue reading “CAD, From Scratch: MakerCAD” →

Why Super Mario 64 Wastes So Much Memory

August 28, 2025 by Maya Posch 44 Comments

The Nintendo 64 was an amazing video game console, and alongside consoles like the Sony PlayStation, helped herald in the era of 3D games. That said, it was new hardware, with new development tools, and thus creating those early N64 games was a daunting task. In an in-depth review of Super Mario 64’s code, [Kaze Emanuar] goes over the curious and wasteful memory usage, mostly due to unused memory map sections, unoptimized math look-up tables, and greedy asset loading.

The game as delivered in the Japanese and North-American markets also seems to have been a debug build, with unneeded code everywhere. That said, within the context of the three-year development cycle, it’s not bad at all — with twenty months spent by seven programmers on actual development for a system whose hardware and tooling were still being finalized, with few examples available of how to do aspects like level management, a virtual camera, etc. Over the years [Kaze] has probably spent more time combing over SM64‘s code than the original developers, as evidenced by his other videos.

As noted in the video, later N64 games like Legend of Zelda: Ocarina of Time are massively more optimized and streamlined, as lessons were learned and tooling improved. For the SM64 developers, however, they had a gargantuan 4 MB of fast RDRAM to work with, so optimization and memory management likely got kicked down to the bottom on the priority list. Considering the absolute smash hit that SM64 became, it seems that these priorities were indeed correct.

Continue reading “Why Super Mario 64 Wastes So Much Memory” →

Tefifon: Germany’s Tape-Shaped Record Format

August 28, 2025 by Maya Posch 15 Comments

A Tefifon cartridge installed for playback. (Credit: Our Own Devices, YouTube)

Recently the [Our Own Devices] YouTube channel took a gander at the Tefifon audio format. This was an audio format that competed with shellac and vinyl records from the 1930s to the 1960s, when the company behind it went under. Some people may already know Tefifon as [Matt] from Techmoan has covered it multiple times, starting with a similar machine about ten years ago, all the way up to the Stereo Tefifon machine, which was the last gasp for the format.

There’s a lot to be said for the Tefifon concept, as it fixes many of the issues of shellac and vinyl records, including the limited run length and having the fragile grooves exposed to damage and dust. By having the grooves instead on a flexible band that got spooled inside a cartridge, they were protected, with up to four hours of music or eight hours of spoken content, i.e. audio books.

Although the plastic material used for Tefifon bands suffered from many of the same issues as the similar Dictabelt audio recording system, such as relatively rapid wear and degradation (stiffening) of the plastic, it was mostly the lack of interest from the audio labels that killed the format. With the big labels and thus big artists heavily invested in records, the Tefifon never really got any hits and saw little use outside of West Germany throughout the 1950s and 1960s before its last factories were shuttered.

Continue reading “Tefifon: Germany’s Tape-Shaped Record Format” →

A set of three linear actuators set atop a green with yellow grid cutting mat. The electric actuator on the top of the image is silver and has a squarish tube. It is slender compared to the other two. A black, hydraulic actuator sits in the middle and is the largest of the three. A silver pneumatic actuator at the bottom of the image is the middle sized unit.

Linear Actuators 101

August 28, 2025 by Navarre Bartz 16 Comments

Linear actuators are a great help when you’re moving something along a single axis, but with so many options, how do you decide? [Jeremy Fielding] walks us through some of the high level tradeoffs of using one type of actuator over another.

There are three main types of linear actuator available to the maker: hydraulic, pneumatic, and electric. Both the hydraulic and pneumatic types move a cylinder with an attached rod through a tube using pressure applied to either side of the cylinder. [Fielding] explains how the pushing force will be greater than the pulling force on these actuators since the rod reduces the available surface area on the cylinder when pulling the rod back into the actuator.

Electric actuators typically use an electric motor to drive a screw that moves the rod in and out. Unsurprisingly, the electric actuator is quieter and more precise than its fluid-driven counterparts. Pneumatic wins out when you want something fast and without a mess if a leak happens. Hydraulics can be driven to higher pressures and are typically best when power is the primary concern which is why we see them in construction equipment.

You can DIY your own linear actuators, we’ve seen tubular stepper motors, and even a linear actuator inspired by muscles.

Continue reading “Linear Actuators 101” →

Animatronic Eyes Are Watching You

August 28, 2025 by Tyler August 9 Comments

If you haven’t been following [Will Cogley]’s animatronic adventures on YouTube, you’re missing out. He’s got a good thing going, and the latest step is an adorable robot that tracks you with its own eyes.

Yes, the cameras are embedded inside the animatronic eyes.That was a lot easier than expected; rather than the redesign he was afraid of [Will] was able to route the camera cable through his existing animatronic mechanism, and only needed to hollow out the eyeball. The tiny camera’s aperture sits nigh-undetectable within the pupil.

On the software side, face tracking is provided by MediaPipe. It’s currently running on a laptop, but the plan is to embed a Raspberry Pi inside the robot at a later date. MediaPipe tracks any visible face and calculates the X and Y offset to direct the servos. With a dead zone at the center of the image and a little smoothing, the eye motion becomes uncannily natural. [Will] doesn’t say how he’s got it set up to handle more than one face; likely it will just stick with the first object identified.

Eyes aren’t much by themselves, so [Will] goes further by creating a little robot. The adorable head sits on a 3D-printed tapered roller bearing atop a very simple body. Another printed mechanism allows for pivot, and both axes are servo-controlled, bringing the total number of motors up to six. Tracking prefers eye motion, and the head pivots to follow to try and create a naturalistic motion. Judge for yourself how well it works in the video below. (Jump to 7:15 for the finished product.)

We’ve featured [Will]’s animatronic anatomy adventures before– everything from beating hearts, and full-motion bionic hands, to an earlier, camera-less iteration of the eyes in this project.

Don’t forget if you ever find yourself wading into the Uncanny Valley that you can tip us off to make sure everyone can share in the discomfort.

Continue reading “Animatronic Eyes Are Watching You” →