Making YouTube Work In The Netscape 4.5 Browser On Windows 98

October 31, 2025 by 14 Comments

The World Wide Web of the 90s was a magical place, where you couldn’t click two links without getting bombarded with phrases such as the Information Super Highway and Multimedia Experience. Of course, the multimedia experience you got on your Windows 9x PC was mostly limited to low-res, stuttery RealMedia and Windows video format clips, but what if you could experience YouTube back then, on your ‘multimedia-ready’ Celeron PC, running Netscape 4.5?

Cue the [Throaty Mumbo] bloke over on that very same YouTube, and his quest to make this dream come true. Although somewhat ridiculous on the face of it, the biggest problem is actually the era-appropriate hardware, as it was never meant to decode and display full-HD VP9-encoded videos.

Because the HTTPS requirement has meant that no 1990s or early 2000s browser will ever browse the modern WWW, a proxy was going to be needed no matter what. This Python-based proxy then got kitted out with not just the means to render down the convoluted HTML-CSS-JS mess of a YouTube page into something that a civilized browser can display, but also to fetch YouTube videos with yt-dlp and transcode it into MPEG1 in glorious SD quality for streaming to Netscape on the Windows 98 PC.

Because the same civilized browsers also support plugins, such as Netscape’s NPAPI, this meant that decoding and rendering the video was the easy part, as the browser just had to load the plugin and the latter doing all the heavy lifting. Perhaps unsurprisingly, with some tweaks even Netscape 2.0 can be used to browse YouTube and play back videos this way, with fullscreen playback and seeking support.

Although these days only a rare few modern browsers like Pale Moon still support NPAPI, it’s easy to see how the introduction of browser plugins boosted the multimedia future of the WWW that we find ourselves in today.

Continue reading “Making YouTube Work In The Netscape 4.5 Browser On Windows 98”

Building A Clamshell Writer Deck

October 31, 2025 by 10 Comments

Most of us do our writing on computers these days, but the modern computing environment does present a lot of distractions. That’s let to the concept of the writer deck, a simplified device intended more specifically for word processing tasks. [Ashtf] has built a great example of the form with a modified version of the PocketMage device.

The PocketMage is a clamshell PDA device that [Ashtf] has been working on for some time. It’s powered by an ESP32, hooked up to a nice e-ink display. In its basic form, it’s not the ideal device for doing serious writing work, mostly because of its tiny keyboard. However, [Ashtf] has since added external keyboard support, which completely changes the game. With the use of a small USB C to USB A adapter, you can hook up any conventional USB keyboard that you like to best attain your maximum typing speed.

The result is a compact, simple device that lets you type away without distractions. If your latest fanfic isn’t coming along quickly enough because you keep losing focus to social media, perhaps this is a route you might like to go. [Ashtf] also included Markdown support so you can create richer documents on the device while operating in what is still fundamentally a text-only environment.

It’s neat to build custom devices that suit your own personal productivity needs. If you dig the PocketMage, you might like to check out the design files on Github. We’ve featured some other fun writer decks before, too. Video after the break.

Continue reading “Building A Clamshell Writer Deck”

This Week In Security: Vibecoding, Router Banning, And Remote Dynamic Dependencies

October 31, 2025 by 36 Comments

Vibecoding. What could possible go wrong? That’s what [Kevin Joensen] of Baldur wondered, and to find out he asked Anthropic’s Sonnet 4.5 to build a secure login with Two Factor Authentication (2FA). And to the LLM’s credit, it builds the app as requested. [Kevin] took a peek under the hood to see how well the security was handled, and it wasn’t great.

Up first, the Flask app doesn’t have any rate-limiting for guessing that time-based 2FA code. A 6-digit time-based 2FA only works if you can’t try all the possibilities before a given code expires. So what does a vibecoder do, once this has been noticed? Ask the LLM to fix it of course. Here we take a slightly different approach, prompting the AI to double-check its work: “Is there any security features missing in 2fa verify step?” The answer is an impressive:

Great question! Yes, there are several critical security features missing from the 2FA verification step. Let me highlight the most important ones:🚨 Critical Security Issues1. No Rate Limiting (MOST CRITICAL)

But the critical question, can it properly fix its mistake? The AI adds the flask-limiter library and chooses 10 attempts per minute, which is a bit loose, but not unreasonable. There’s still an issue, that those attempts are limited by IP address instead of user login. All it takes to bypass that rate limiting is a pool of IP addresses.

This experiment starts to go off the rails, as [Kevin] continues to prompt the LLM to look for more problems in its code, and it begins to hallucinate vulnerabilities, while not fixing the actual problem. LLMs are not up to writing secure code, even with handholding.

But surely the problem of LLMs making security mistakes isn’t a real-world problem, right? Right? Researchers at Escape did a survey of 5,600 vibecoded web applications, and found 2,000 vulnerabilities. Caveat Vibetor.

“Secure” Enclave

A few weeks ago we talked about Battering RAM and Wiretap — attacks against Trusted Execution Environments (TEEs). These two attacks defeated trusted computing technologies, but were limited to DDR4 memory. Now we’re back with TEE-fail, a similar attack that works against DDR5 systems.

This is your reminder that very few security solutions hold up against a determined attack with physical access. The Intel, AMD, and Nvidia TEE solutions are explicitly ineffective against such physical access. The problem is that no one seemed to be paying attention to that part of the documentation, with companies ranging from Cloudflare to Signal getting this detail wrong in their marketing.

Banning TP-Link

News has broken that the US government is considering banning the sale of new TP-Link network equipment, calling the devices a national security risk.

I have experience with TP-Link hardware: Years ago I installed dozens of TL-WR841 WiFi routers in small businesses as they upgraded from DSL to cable internet. Even then, I didn’t trust the firmware that shipped on these routers, but flashed OpenWRT to each of them before installing. Fun fact, if you go far enough back in time, you can find my emails on the OpenWRT mailing list, testing and even writing OpenWRT support for new TP-Link hardware revisions.

From that experience, I can tell you that TP-Link isn’t special. They have terrible firmware just like every other embedded device manufacturer. For a while, you could run arbitrary code on TP-Link devices by putting it inside backticks when naming the WiFi network. It wasn’t an intentional backdoor, it was just sloppy code. I’m reasonably certain that this observation still holds true. TP-Link isn’t malicious, but their products still have security problems. And at this point they’re the largest vendor of cheap networking gear with a Chinese lineage. Put another way, they’re in the spotlight due to their own success.

There is one other element that’s important to note here. There is still a significant TP-Link engineering force in China, even though TP-Link Systems is a US company. TP-Link may be subject to the reporting requirements of the Network Product Security legislation. Put simply, this law requires that when companies discover vulnerabilities, they must disclose the details to a particular Chinese government agency. It seems likely that this is the primary concern in the minds of US regulators, that threat actors cooperating with the Chinese government are getting advanced notice of these flaws. The proposed ban is still in proposal stage, and no action has been taken on it yet.

Sandbox Escape

In March there was an interesting one-click exploit that was launched via phishing links in emails. Researchers at Kaspersky managed to grab a copy of the malware chain, and discovered the Chrome vulnerability used. And it turns out it involves a rather novel problem. Windows has a pair of APIs to get handles for the current thread and process, and they have a performance hack built-in: Instead of returning a full handle, they can return -1 for the current process and -2 for the current thread.

Now, when sandboxed code tries to use this pseudo handle, Chrome does check for the -1 value, but no other special values, meaning that the “sandboxed” code can make a call to the local thread handle, which does allow for running code gadgets and running code outside the sandbox. Google has issued a patch for this particular problem, and not long after Firefox was patched for the same issue.

NPM and Remote Dynamic Dependencies

It seems like hardly a week goes by that we aren’t talking about another NPM problem. This time it’s a new way to sneak malware onto the repository, in the form of Remote Dynamic Dependencies (RDD). In a way, that term applies to all NPM dependencies, but in this case it refers to dependencies hosted somewhere else on the web. And that’s the hook. NPM can review the package, and it doesn’t do anything malicious. And when real users start downloading it, those remote packages are dynamically swapped out with their malicious versions by server-side logic.

Installing one of these packages ends with a script scooping up all the data it can, and ex-filtrating it to the attacker’s command and control system. While there isn’t an official response from NPM yet, it seems inevitable that NPM packages will be disallowed from using these arbitrary HTTP/HTTPS dependencies. There are some indicators of compromise available from Koi.

Bits and Bytes

Python deserialization with Pickle has always been a bit scary. Several times we’ve covered vulnerabilities that have their root in this particular brand of unsafe deserialization. There’s a new approach that just may achieve safer pickle handling, but it’s a public challenge at this point. It can be thought of as real-time auditing for anything unsafe during deserialization. It’s not ready for prime time, but it’s great to see the out-of-the-box thinking here.

This may be the first time I’ve seen remote exploit via a 404 page. But in this case, the 404 includes the page requested, and the back-end code that injects that string into the 404 page is vulnerable to XML injection. While it doesn’t directly allow for code execution, this approach can result in data leaks and server side request forgeries.

And finally, there was a sketchy leak, that may be information on which mobile devices the Cellebrite toolkit can successfully compromise. The story is that [rogueFed] sneaked into a Teams meeting to listen in and grab screenshots. The real surprise here is that GrapheneOS is more resistant to the Cellebrite toolkit than even the stock firmware on phones like the Pixel 9. This leak should be taken with a sizable grain of salt, but may turn out to be legitimate.

Dark lab setup with scientific looking drink dispenser

Scared For A Drink?

October 31, 2025 by 1 Comment

Halloween is about tricks and treats, but who wouldn’t fancy a bit to drink with that? [John Sutley] decided to complete his Halloween party with a drink dispenser looking as though it was dumped by a backstreet laboratory. It’s not only an impressive looking separating funnel, it even runs on an Arduino. The setup combines lab glassware, servo motors, and an industrial control panel straight from a process plant.

The power management appeared the most challenging part. The three servos drew more current than one Arduino could handle. [John] overcame voltage sag, brownouts, and ghostly resets. A healthy 1000 µF capacitor across the 5-volt rail fixed it. With a bit of PWM control and some C++, [John] managed to finish up his interactive bar system where guests could seal their own doom by pressing simple buttons.

This combines the thrill of Halloween with ‘the ghost in the machine’. Going past the question whether you should ever drink from a test tube – what color would you pick? Lingonberry juice or aqua regia, who could tell? From this video, we wouldn’t trust the bartender on it – but build it yourself and see what it brings you!

Continue reading “Scared For A Drink?”

2025 Component Abuse Challenge: An Input Is Now An Output

October 31, 2025 by 20 Comments

Part of setting up a microcontroller when writing a piece of firmware usually involves configuring its connections to the outside world. You define a mapping of physical pins to intenral peripherals to decide which is an input, output, analogue, or whatever other are available. In some cases though that choice isn’t available, and when you’ve used all the available output pins you’re done. But wait – can you use an input as an output? With [SCART VADER]’s lateral thinking, you can.

The whole thing takes advantage of the internal pull-up resistor that a microcontroller has among its internal kit of parts. Driving a transistor from an output pin usually requires a base resistor, so would it be possible to use the pullup as a base resistor? If the microcontroller can enable or disable the resistor on an input pin then yes it can, a transistor can be turned off and on with nary an output to be seen. In this case the chip is from ATmega parts bin so we’re not sure if the trick is possible on other manufacturers’ devices.

As part of our 2025 Component Abuse Challenge, this one embodies the finest principles of using a part in a way it was never intended to be used, and we love it. You’ve still got a few days to make an entry yourself at the time of writing this, so bring out your own hacks!

2025 Hackaday Component Abuse Challenge

Speech Synthesis On A 10 Cent Microcontroller

October 31, 2025 by 62 Comments

Speech synthesis has been around since roughly the middle of the 20th century. Once upon a time, it took remarkably advanced hardware just to even choke out a few words. But as [atomic14] shows with this project, these days it only takes some open source software and 10-cent microcontroller

The speech synth is implemented on a CH32V003 microcontroller, known for its remarkably low unit cost when ordered in quantity. It’s a speedy little RISC-V chip running at 48 MHz, albeit with the limitation of just 16 KB of Flash and 2 KB of SRAM on board.

The microcontroller is hooked up to a speaker via a simple single-transistor circuit, which allows for audio output. [atomic14] first demonstrates this by having the chip play back six seconds of low quality audio with some nifty space-saving techniques to squeeze it into the limited flash available. Then, [atomic14] shows how he implemented the Talkie library on the chip, which is a softwarehttps://www.youtube.com/watch?v=RZvX95aXSdM implementation of Texas Instruments’ LPC speech synthesis architecture—which you probably know from the famous Speak & Spell toys. It’s got a ton of built in vocabulary out of the box, and you can even encode your own words with some freely available tools.

We’ve seen [atomic14] tinker with these chips before, too.

Continue reading “Speech Synthesis On A 10 Cent Microcontroller”

Learn What A Gaussian Splat Is, Then Make One

October 31, 2025 by 16 Comments

Gaussian Splats is a term you have likely come across, probably in relation to 3D scenery. But what are they, exactly? This blog post explains precisely that in no time at all, complete with great interactive examples and highlights of their strengths and relative weaknesses.

Gaussian splats excel at making colorful, organic subject matter look great.

Gaussian splats are a lot like point clouds, except the points are each differently-shaped “splats” of color, arranged in such a way that the resulting 3D scene looks fantastic — photorealistic, even — from any angle.

All of the real work is in the initial setup of the splats into the scene. Once that work is done, viewing is the easy part. Not only are the resulting file sizes of the scenes small, but rendering is computationally simple.

There are a few pros and cons to gaussian splats compared to 3D meshes, but in general they look stunning for any kind of colorful, organic scene. So how does one go about making or using them?

That’s where the second half of the post comes in handy. It turns out that making your own gaussian splats is simply a matter of combining high-quality photos with the right software. In that sense, it has a lot in common with photogrammetry.

Even early on, gaussian splats were notable for their high realism. And since this space has more than its share of lateral-thinkers, the novel concept of splats being neither pixels nor voxels has led some enterprising folks to try to apply the concept to 3D printing.