Hackaday Podcast Episode 367: Radioactive Weather, Continuous Pickles, And Moon Junk

April 24, 2026 by 3 Comments

When Elliot Williams and Al Williams compare their notes on the week in Hackaday, you know you’ll get at least one or two bad puns. How bad? Tune in and find out.

This week, Tom Nardi visits several in-person events, and Elliot and Al talk about smart buttons, Itanium, ejecting things from a rocket, and the infinite pickle. Will Elliot build the coin flipper? Will Al use plasma at his next cookout? Hard to say.

For the can’t miss articles, this week, Al swept the category with a post on splices and another on what human junk is still sitting on the moon.

What do you think? Leave us a comment or record something and send it to our mailbag.

Download a copy of the podcast with an MP3 from our continuous audio pipeline.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

Continue reading “Hackaday Podcast Episode 367: Radioactive Weather, Continuous Pickles, And Moon Junk”

Spool Roller Gets Touch Screen

April 24, 2026 by 2 Comments

If you have a desktop 3D printer, you probably want something to hang filament spools on. [LVTRC] has a spool roller that fits the bill. It also incorporates a scale and a round touch screen. (Google Translate)

We’ve seen those round screens before, and now we wonder why we didn’t think of this. The GC9A01 display shows a progress ring and lets you save settings or calibrations to EEPROM. An Arduino Nano provides the brain, and the load cell connects to an HX711. The project is made to fit a specific printer, but it should be little trouble to adapt it to a different printer or to mount it in an external mount.

One of the calibration steps, of course, is to program the weight of an empty spool to subtract from the total weight. The device can store up to five specific profiles.

Not the biggest spool holder we’ve seen. We keep thinking that we don’t know why we want a circular screen, and then someone always drops in to show us another thing we didn’t think about.

This Week In Security: Annoyed Researchers, Dangling DNS, And Hacks That Could Have Been Worse

April 24, 2026 by 13 Comments

The author of the BlueHammer exploit, which was released earlier this month and addressed in the last Patch Tuesday, continues to be annoyed with the responses from the Microsoft security research and vulnerability response team, and has released another Windows zero-day attack against Windows Defender.

The RedSun exploit targets a logic and timing error in Windows Defender, convincing it to install the target file in the system, instead of quarantining the file and protecting the system. Not, generally, what you would hope would happen.

Since the RedSun attack requires local access in the first place, it seems unlikely Microsoft will release an out-of-sequence patch for it, however with public code available, we can probably expect to see malware leveraging it to establish higher permissions on an infected system.

Releasing exploits out of spite feels like a return to the late 1990s, and I almost don’t hate it.

University Domains Hijacked

Reported in Bleeping Computer, a group tracked as “Hazy Hawk” has been hijacking unmaintained DNS records of universities and government institutions to serve ad click spam.

The attack seems simple and doesn’t even require compromising the actual institution, using dangling DNS “CNAME” records. A “CNAME” entry in DNS acts essentially as an alias, pointing one domain name at another, which can be used to provide content from an official domain that is hosted on a cloud service where the IP address of the service might change.

A DNS “A” (or “AAAA” if you speak IPv6) record points a hostname – like “foo.example.com” – to an IP address – like “1.1.1.1”. A “CNAME” record points a hostname to another hostname, like “foo.some_cloud_host.com”. Scanning “high value” domains (like Ivy League universities) for “CNAME” records which point to expired domains (or domains on cloud hosted providers which no longer exist) lets anyone able to register that domain (or create an account with the proper naming scheme on the cloud host) to post any content they wish, and still appear to be the original name.

At least 30 educational institutions have been impacted, along with several government agencies including the CDC.

Continue reading “This Week In Security: Annoyed Researchers, Dangling DNS, And Hacks That Could Have Been Worse”

How Anthropic’s Model Context Protocol Allows For Easy Remote Execution

April 24, 2026 by 27 Comments

As part of the effort to push Large Language Model (LLM) ‘AI’ into more and more places, Anthropic’s Model Context Protocol (MCP) has been adopted as the standard to connect LLMs with various external tools and systems in a client-server model. A light oversight with the architecture of this protocol is that remote command execution (RCE) of arbitrary commands is effectively an essential part of its design, as covered in a recent article by [OX Security].

The details of this flaw are found in a detailed breakdown article, which applies to all implementations regardless of the programming language. Essentially the StdioServerParameters that are passed to the remote server to create a new local instance on said server can contain any command and arguments, which are executed in a server-side shell.

Continue reading “How Anthropic’s Model Context Protocol Allows For Easy Remote Execution”

Reviving Nintendo’s Early Arcade Game, Wild Gunman

April 24, 2026 by 13 Comments

There’s retrogaming, and then there’s retro gaming. This next project falls into the second category, as [Callan] of 74XX Arcade Repair digs into the original Wild Gunman, first released by Nintendo way, way back in 1974 — on 16 mm film. Yes, it was a film-based arcade machine, but how else were you going to get realistic graphics just two years after PONG?

The game had two 16 mm projectors, with four different sets of film reels available, each depicting five gunmen. Unfortunately for [Callan], the film is all he has, so he’s not so much repairing as re-creating the historic game. Luckily, he had the manuals, so at least he knew how it was supposed to come together.

One projector did most of the work, showing the gunmen and a hidden timing signal for the game to know when the user could shoot; the other only activated if the user pulled the trigger at the correct time. Interestingly the ‘gun’ has an IR illuminator that bounced infrared light off the screen to a detector in the cabinet — much like later TV remotes. That makes for a rather large circular hitbox around the enemy gunslinger, which is perhaps not a bad thing for a game likely to be found in a bar.

Continue reading “Reviving Nintendo’s Early Arcade Game, Wild Gunman

WSL9x: Add A Linux Subsystem To Your Windows 9x

April 23, 2026 by 18 Comments

Considering that Windows NT has the concept of so-called ‘subsystems’ whereby you can run different systems side-by-side, starting with the POSIX subsystem and later the Windows Subsystem for Linux (WSL), it was probably only a matter of time before someone figured that doing this with Windows 9x was also completely reasonable. Ergo we now got [Hailey Somerville]’s Linux Subsystem for Windows.

To make running Linux inside Windows 9x work, it was necessary to heavily patch a Linux kernel, as normally there are no provisions for such a subsystems in Windows 9x’s kernel unlike the NT kernel. Correspondingly, the Linux kernel is based on user-mode Linux and hacked to call Windows 9x kernel APIs instead of the POSIX ones.

In order to use WSL9x you thus need to build said modified Linux kernel – currently at version 6.19 – along with a disk image containing an installed copy of Windows 9x. From there WSL9x can be loaded with the wsl command and you’re then free to cooperatively run the Win9x and Linux kernel side-by-side. This is reminiscent of Cooperative Linux (coLinux), which did something similar except with Windows NT and Linux kernels running side-by-side, and of course we have WSL2 with Windows 10+.

Thanks to [adistuder] for the tip.

Encrypting Encrypted Traffic To Get Around VPN Bans

April 23, 2026 by 27 Comments

VPNs, Virtual Private Networks, aren’t just a good idea to keep your data secure: for millions of people living under restrictive regimes they’re the only way to ensure full access to the internet. What do you do when your government orders ISPs to ban VPNs, like Russia has done recently?  [LaserHelix] shows us one way you can cope, which is to use a ShadowSocks proxy.

If you’re not deep into network traffic, you might be wondering: how can an ISP block VPN traffic? Isn’t that stuff encrypted? Yes, but while the traffic going over the VPN is encrypted, you still need to connect to your VPN’s servers– and those handshake packets are easy enough to detect. You can do it at home with Wireshark, a tool that shows up fairly often on these pages. Of course if they can ID those packets, they can block them.

So, you just need a way to obfuscate what exactly the encrypted traffic you’re sending is. Luckily that’s a solved problem: Chinese hackers came up with something called Shadowsocks back in 2012 to help get around the Great Firewall, and have been in an arms-race with their authorities ever since.

Shadowsocks is not, in fact, a sibling of Gandalf’s horse as the name might suggest, but a tool to obfuscate the traffic going to your VPN. To invert a meme, you’re telling the authorities: we heard you don’t like encrypted traffic, so we put encryption in your encrypted traffic so you have to decrypt the packets before you recognize the encrypted packets.

What about the VPN? Well, some run their own shadowsocks service, while others will need to be accessed via a shadowsocks bridge: in effect, a proxy that then connects to the VPN for you. That means of course you’re bouncing through two servers you need to trust not to glow in the dark, but if you have to trust someone– otherwise it’s off to a shack in the woods, which never ends well.

Don’t forget that while VPNs can get you around government censorship, they do not provide anonymity on their own. If, like tipster [Keith Olson] –thanks for the tip, [Keith]!– you’re looking side-eyed at your government’s “think of the children!” rhetoric but don’t know where to start, we had a discussion about which VPNs to use last year.