This Week In Security: CVSS 0, Chwoot, And Not In The Threat Model

October 3, 2025 by 4 Comments

This week a reader sent me a story about a CVE in Notepad++, and something isn’t quite right. The story is a DLL hijack, a technique where a legitimate program’s Dynamic Link Library (DLL) is replaced with a malicious DLL. This can be used for very stealthy persistence as well as escalation of privilege. This one was assigned CVE-2025-56383, and given a CVSS score of 8.4.

The problem? Notepad++ doesn’t run as a privileged user, and the install defaults to the right permissions for the folder where the “vulnerable” DLL is installed. Or as pointed out in a GitHub issue on the Proof of Concept (PoC) code, why not just hijack the notepad++ executable?

This is key when evaluating a vulnerability write-up. What exactly is the write-up claiming? And what security boundary is actually being broken? The Common Weakness Enumeration (CWE) list can be useful here. This vulnerability is classified as CWE-427, an uncontrolled search path element — which isn’t actually what the vulnerability claims, and that’s another clue that something is amiss here. In reality this “vulnerability” applies to every application that uses a DLL: a CVSS 0.

Continue reading “This Week In Security: CVSS 0, Chwoot, And Not In The Threat Model”

The WindRunner unloading a blade, image Radia.

Giant Airplane Goes Long On Specialization

October 3, 2025 by 63 Comments

While not everyone agrees on the installation of wind turbines in their proverbial back yards, one thing not up for debate is that there is a drive to build them bigger, and bigger. Big turbines means big blades, and big blades need to be transported… somehow. If air freight is going to stay relevant to the industry, we’re gonna need a bigger airplane.

A startup called Radia has a plan for that plane, and it is a doosie. The “WindRunner” would clock in at a massive 108 meters (354 feet) long, but with a wingspan of just 80 m (262 ft). That’s very, very long, but it might not be the largest airplane, depending how you measure it. Comparing to the 88 m wingspan for the late, lamented An-225 Mriya, you can expect a lower payload capacity, but heavy payloads aren’t the point here. Wind turbine blades really aren’t that heavy. They’re big, or they can be — the WindRunner is designed to fit a single 105 m blade within its long fuselage, or a pair of 90 m blades.

Continue reading “Giant Airplane Goes Long On Specialization”

Air Quality Monitor Plays Game Of Life

October 3, 2025 by 8 Comments

The problem with air quality is that you can’t really tell how good or bad it is just by looking…unless it’s really bad, that is. It’s usually more helpful to have some kind of sensor that can tell you what the deal is. To that end, [Arnov Sharma] built a neat air quality monitor with a fun twist.

A Raspberry Pi Pico W acts as the heart of the build, armed with an SGP40 gas sensor. This sensor is intended for monitoring total volatile organic compounds in the air, which can be a useful measure of air quality in at least one dimension. It reports a simple air quality score from 0 to 500, based on a 1-1000 ppm ethanol equivalent reading. Based on the sensor’s output, the Pi Pico drives an LED matrix display — setting it green for good quality air, yellow for moderate, and red for poor air quality (i.e. high VOC content). The fun part is that rather than just show a simple color, the display plays Conway’s Game of Life to create an animated visual. We’d love it even more if poor air quality lead to the premature death of individual cells, making it even more interactive.

We’ve featured other air quality monitors before; often, it’s desirable to monitor CO2 levels to determine whether more ventilation is needed.

Continue reading “Air Quality Monitor Plays Game Of Life

Yes, Gemini, A Wii Server Is Possible

October 2, 2025 by 20 Comments

When [Reit Tech] needed something to do with an old Nintendo Wii, he turned to Google. When the AI overview told him it could not be used as a server, he had his mission: prove that clanker wrong. It already runs Doom, so what else is there to do?

Of course should not that hard: Linux has been available on the Wii for years now. In fact there are several; he settles on “Arch, btw”, after trying Debian, Ubuntu, and even NetBSD. “Of course it runs NetBSD”– but NetBSD didn’t work with his USB network adapter, which is sadly as predictable as the hardware running NetBSD.

OK, it’s not vanilla Arch; it’s the Wii-Linux Continuation Project, based on ArchPOWER fork that compiles Arch for PPC. As the young YouTuber was surprised to discover, despite not being a PC or particularly powerful, the Wii has a PowerPC CPU. (He might be younger than the console, so we’ll give him a pass.) Wii-Linux couldn’t run the USB adapter either (appropriate apologies were offered to NetBSD), but it turns out the internal Ethernet adapter was available all along.

As a file server, python-based Copyparty worked flawlessly, but the rust-based Minecraft server he picked was not particularly usable. A little optimization would fix that, since you can serve Minecraft from an ESP32 and the Wii absolutely has more horsepower than that. Doubtless he could have loaded a web-server, and proved Google’s AI summary wrong, but the iPad-induced ADHD we all suffer from these days kicks in, so he settled for posting a screenshot of someone else’s blog, hosted on a Wii from NetBSD. So the LLM was wrong from the get-go, but the tour of “what home-brew loaded OSes still work in 2025” was certainly educational.

We could hunt that Wii-based blog down for you, but we’d be reluctant to link to it anyway: while the AI summary is wrong, and you can use the Wii as a server, that doesn’t mean it makes a good one. We’d don’t feel the need to inadvertently DDOS some poor unsuspecting shmuck’s Nintendo, so we’ll let you try and find it yourself.

Just be warned that all of this Wii hacking may not rest on the best of foundations. Continue reading “Yes, Gemini, A Wii Server Is Possible”

Implementing A Kalman Filter In PostgreSQL To Smooth GPS Data

October 2, 2025 by 7 Comments

Usually databases are treated primarily as fairly dumb data storage systems, but they can be capable of much more. Case in point the PostgreSQL database and its – Ada-based – PL/pgSQL programming language, which allows you to perform significantly more complex operations than would be realistically possible with raw SQL. Case in point the implementation of a Kalman Filter by the folk over at Traconiq, which thus removes the necessity for an external filtering pipeline.

Using a Kalman Filter is highly desirable when you’re doing something like vehicle tracking using both dead-reckoning and GPS coordinates, as it filters out noise that can be the result of e.g. GPS reception issues. As noted in the article, transferring state from one row to the next requires a bit of lateral thinking, but is doable with some creative SQL usage. As PL/pgSQL is very similar to Oracle’s PL/SQL, this same code should work there too without too much porting required.

The code for the different implementations and associated benchmarks can be found on GitHub, though the benchmark results make it abundantly clear that the most efficient approach is to run an offline aggregate processing routine. This coincides with the other batch processing tasks that are typically performed by a database server to e.g. optimize storage, so this isn’t entirely unsurprising.

A forest green kei truck sits in an actual forest. In its bed is a dark grey box with a small window, wood trim, and a solar panel tilted on its roof. The headlights are on, hinting at the onset of twilight. You have a sudden urge to go glamping now.

Kei Truck Becomes Tiny RV

October 2, 2025 by 16 Comments

Tent camping lets you explore places on foot you could never reach another way, but sometimes you want to camp with a bit more luxury. [Levi Kelly] decided to see how small you could make an RV. [via Autopian]

While we won’t argue one way or another on his claim to world’s smallest, as that likely depends on your definition of an RV, starting with a kei truck certainly puts you in a more compact format than something built on a bus chassis. With four wheel drive and a small footprint, this could be better for overlanding than the Rivian bed camper we featured recently.

The 21 sq. ft. (1.95 m2) camper portion itself is framed in 2 x 2s (38 x 38 mm) to save weight and uses foam board insulation. A working faucet uses a pump to draw drinking water from a 5 gallon (19L) refillable jug and empties into a 7 gallon (26L) grey water tank. A solar panel on the roof charges the battery that drives the pump, ventilation fan, and can also be used to run other devices like a hot plate for cooking.

A teeny tiny wood stove can be used for heat, although [Kelly] is using a different fuel source to reduce unpredictability from a wood fire in such a small space. A faucet-mounted sprayer can be routed to the outside of the camper to create a makeshift shower and is run from the sink water system. There’s even a small cabinet above the foot area of the bed to house a portable toilet and a bubble window to observe your surroundings while you do your business.

We’ve seen some even smaller campers, like this vintage-inspired bike camper, or this more streamlined version. If you want the most efficient RV ever then check out this solar-powered one.

Continue reading “Kei Truck Becomes Tiny RV”

Building A Desk Display For Time And Weather Data

October 2, 2025 by 19 Comments

Just about every laptop, desktop, and smartphone in your life can tell you the date, time, and current weather predictions. However, sometimes it’s nice to have simple data displayed on a bespoke device. That’s what inspired [Mario] to create ESPTimeCast. 

As you might have guessed by the name, the project is designed around the ESP32 and ESP8266 microcontrollers; either one is up to the task of running the show here. Both come with Wi-Fi connectivity out of the box, which makes it easy for them to hook up to the Internet to query NTP servers for the time and weather data from OpenWeatherMap. The data is then displayed on an LED matrix display, made up of four 8×8 LED modules and driven with the aid of the MAX7219 IC. Configuration is handled over a simple web interface hosted on the device itself. All the parts are wrapped up in a 3D-printed housing that would be very fitting in any home that appreciates the magic of late 60s/early 70s decor.

Hackers love building clocks, weather stations, and other useful information displays. We’ve seen a great many examples over the years. If you’re cooking up your own neat project in this area, don’t hesitate to let us know!