The Deadliest US Nuclear Accident Is Not What You Think

November 5, 2025 by 47 Comments

When you think of a US Nuclear accident, you probably think of Three Mile Island. However, there have been over 50 accidents of varying severity in the US, with few direct casualties. (No one died directly from the Three Mile Island incident, although there are some studies that show increased cancer rates in the area.)

Indeed, where there are fatalities, it hasn’t been really related to the reactor. Take the four people who died at the Surry Nuclear Power Plant accident: they were killed when a steam pipe burst and fatally scalded them. At Arkansas Nuclear One, a 525-ton generator was being moved, the crane failed to hold it, and one person died. That sort of thing could happen in any kind of industrial setting.

But one incident that you have probably never heard of took three lives as a direct result of the reactor. True, it was a misuse of the reactor, and it led to design changes to ensure it can’t happen again. And while the incident was nuclear-related, the radiation didn’t kill them, although it probably would have if they had survived their injuries. Continue reading “The Deadliest US Nuclear Accident Is Not What You Think”

Jenny’s Daily Drivers: ReactOS 0.4.15

November 4, 2025 by 31 Comments

When picking operating systems for a closer look here in the Daily Drivers series, the aim has not been to merely pick the next well-known Linux distro off the pile, but to try out the interesting, esoteric or minority OS. The need remains to use it as a daily driver though, so each one we try has to have at least some chance of being a useful everyday environment in which a Hackaday piece could be written. With some of them such as the then-current BSD or Slackware versions we tried for interest’s sake a while back that’s not a surprising achievement, but for the minority operating systems it’s quite a thing. Today’s choice, ReactOS 0.4.15, is among the closest we’ve come so far to that ideal.

For The N’th Time In The Last 20 Years, I download A ReactOS ISO

A Windows-style ReactOS desktop with a web browser showing Hackaday
It’s fair to say there are still a few quirks, but it works.

ReactOS is an open-source clone of a Windows operating system from the early 2000s, having a lot on common with Windows XP. It started in the late 1990s and has slowly progressed ever since, making periodic releases that, bit-by-bit, have grown into a usable whole. I last looked at it for Hackaday with version 0.4.13 in 2020, so have five years made any difference? Time to download that ISO and give it a go.

Installing ReactOS has that bright blue and yellow screen feeling of a Windows install from around the millennium, but I found it to be surprisingly quick and pain free despite a few messages about unidentified hardware. The display driver it chose was a VESA one but since it supported all my monitor’s resolutions and colour depths that’s not the hardship it might once have been. Continue reading “Jenny’s Daily Drivers: ReactOS 0.4.15”

Pi Zero Powers A Little Indoor Rover

November 2, 2025 by 3 Comments

Not every robot has to be big. Sometimes, you can build something fun that’s better sized for exploring your tabletop rather than the wastelands of Mars. To that end, [philosiraptor] built the diminutive PITANK rover.

As you might guess from the name, the rover is based on the Raspberry Pi Zero 2. It uses the GPIO pins to output PWM signals, commanding a pair of servos that drive the tracks on either side of the ‘bot. The drivetrain and chassis are made from 3D-printed components. Controlling the robot is handled via a web interface, which [philosiraptor] coded in C# to be as responsive as possible. So you can see where you’re driving, the ‘bot is also kitted out with a camera to provide a live video feed.

Given its low ground clearance and diminutive size, you’re not going to go on big outdoor adventures with PITANK. However, if you wish to explore a nice flat indoor environment, its simple tracked drivetrain should do nicely. We’ve featured a great many rovers over the years; if you’ve got a particularly special one, don’t hesitate to notify the tipsline!

Building A PV Solar-Powered Quadcopter

November 1, 2025 by 71 Comments
The solar-powered quadcopter from below. (Credit: Luke Maximo Bell)
The solar-powered quadcopter from below. (Credit: Luke Maximo Bell)

One of the most frustrating parts about flying a quadcopter is having to regularly swap battery packs, as this massively limits what you can do with said quadcopter, never mind its effective range. Obviously, having the sun power said quadcopter during a nice sunny day would be a much better experience, but how workable is this really? While airplanes have used solar power to stay aloft practically indefinitely, a quadcopter needs significantly more power, so is it even possible? Recently, [Luke Maximo Bell] set out to give it a whirl.

His quadcopter build uses a large but very lightweight carbon fiber frame, with large 18″ propellers. This provides the required space and lift for the solar panel array, which uses 27 razor-thin panels in a 9×3 grid configuration supported by a lightweight support frame.

Due to the lightweight construction, the resulting quadcopter actually managed to fly using just the direct power from the panels. It should be noted however that it is an exceedingly fragile design, to the point that [Luke]’s cat broke a panel in the array when walking over it while it was lying upside-down on a table.

After this proof of concept, [Luke] intends to add more panels, as well as a battery to provide some buffer and autonomous flying hardware, with the goal of challenging the world record for the longest flying drone. For the rest of us, this might make for a pretty cool idea for a LoRaWAN mesh node or similar, where altitude and endurance would make for a great combo.

Continue reading “Building A PV Solar-Powered Quadcopter”

DIY Pinball Machine Uses Every Skill

November 1, 2025 by 6 Comments

Pinball machines have something for everyone. They’re engaging, fast-paced games available in a variety of sizes and difficulties, and legend has it that they can be played even while deaf and blind. Wizardry aside, pinball machines have a lot to offer those of us around here as well, as they’re a complex mix of analog and digital components, games, computers, and artistry. [Daniele Tartaglia] is showing off every one of his skills to build a tabletop pinball machine completely from the ground up.

Continue reading “DIY Pinball Machine Uses Every Skill”

This Week In Security: Vibecoding, Router Banning, And Remote Dynamic Dependencies

October 31, 2025 by 37 Comments

Vibecoding. What could possible go wrong? That’s what [Kevin Joensen] of Baldur wondered, and to find out he asked Anthropic’s Sonnet 4.5 to build a secure login with Two Factor Authentication (2FA). And to the LLM’s credit, it builds the app as requested. [Kevin] took a peek under the hood to see how well the security was handled, and it wasn’t great.

Up first, the Flask app doesn’t have any rate-limiting for guessing that time-based 2FA code. A 6-digit time-based 2FA only works if you can’t try all the possibilities before a given code expires. So what does a vibecoder do, once this has been noticed? Ask the LLM to fix it of course. Here we take a slightly different approach, prompting the AI to double-check its work: “Is there any security features missing in 2fa verify step?” The answer is an impressive:

Great question! Yes, there are several critical security features missing from the 2FA verification step. Let me highlight the most important ones:🚨 Critical Security Issues1. No Rate Limiting (MOST CRITICAL)

But the critical question, can it properly fix its mistake? The AI adds the flask-limiter library and chooses 10 attempts per minute, which is a bit loose, but not unreasonable. There’s still an issue, that those attempts are limited by IP address instead of user login. All it takes to bypass that rate limiting is a pool of IP addresses.

This experiment starts to go off the rails, as [Kevin] continues to prompt the LLM to look for more problems in its code, and it begins to hallucinate vulnerabilities, while not fixing the actual problem. LLMs are not up to writing secure code, even with handholding.

But surely the problem of LLMs making security mistakes isn’t a real-world problem, right? Right? Researchers at Escape did a survey of 5,600 vibecoded web applications, and found 2,000 vulnerabilities. Caveat Vibetor.

“Secure” Enclave

A few weeks ago we talked about Battering RAM and Wiretap — attacks against Trusted Execution Environments (TEEs). These two attacks defeated trusted computing technologies, but were limited to DDR4 memory. Now we’re back with TEE-fail, a similar attack that works against DDR5 systems.

This is your reminder that very few security solutions hold up against a determined attack with physical access. The Intel, AMD, and Nvidia TEE solutions are explicitly ineffective against such physical access. The problem is that no one seemed to be paying attention to that part of the documentation, with companies ranging from Cloudflare to Signal getting this detail wrong in their marketing.

Banning TP-Link

News has broken that the US government is considering banning the sale of new TP-Link network equipment, calling the devices a national security risk.

I have experience with TP-Link hardware: Years ago I installed dozens of TL-WR841 WiFi routers in small businesses as they upgraded from DSL to cable internet. Even then, I didn’t trust the firmware that shipped on these routers, but flashed OpenWRT to each of them before installing. Fun fact, if you go far enough back in time, you can find my emails on the OpenWRT mailing list, testing and even writing OpenWRT support for new TP-Link hardware revisions.

From that experience, I can tell you that TP-Link isn’t special. They have terrible firmware just like every other embedded device manufacturer. For a while, you could run arbitrary code on TP-Link devices by putting it inside backticks when naming the WiFi network. It wasn’t an intentional backdoor, it was just sloppy code. I’m reasonably certain that this observation still holds true. TP-Link isn’t malicious, but their products still have security problems. And at this point they’re the largest vendor of cheap networking gear with a Chinese lineage. Put another way, they’re in the spotlight due to their own success.

There is one other element that’s important to note here. There is still a significant TP-Link engineering force in China, even though TP-Link Systems is a US company. TP-Link may be subject to the reporting requirements of the Network Product Security legislation. Put simply, this law requires that when companies discover vulnerabilities, they must disclose the details to a particular Chinese government agency. It seems likely that this is the primary concern in the minds of US regulators, that threat actors cooperating with the Chinese government are getting advanced notice of these flaws. The proposed ban is still in proposal stage, and no action has been taken on it yet.

Sandbox Escape

In March there was an interesting one-click exploit that was launched via phishing links in emails. Researchers at Kaspersky managed to grab a copy of the malware chain, and discovered the Chrome vulnerability used. And it turns out it involves a rather novel problem. Windows has a pair of APIs to get handles for the current thread and process, and they have a performance hack built-in: Instead of returning a full handle, they can return -1 for the current process and -2 for the current thread.

Now, when sandboxed code tries to use this pseudo handle, Chrome does check for the -1 value, but no other special values, meaning that the “sandboxed” code can make a call to the local thread handle, which does allow for running code gadgets and running code outside the sandbox. Google has issued a patch for this particular problem, and not long after Firefox was patched for the same issue.

NPM and Remote Dynamic Dependencies

It seems like hardly a week goes by that we aren’t talking about another NPM problem. This time it’s a new way to sneak malware onto the repository, in the form of Remote Dynamic Dependencies (RDD). In a way, that term applies to all NPM dependencies, but in this case it refers to dependencies hosted somewhere else on the web. And that’s the hook. NPM can review the package, and it doesn’t do anything malicious. And when real users start downloading it, those remote packages are dynamically swapped out with their malicious versions by server-side logic.

Installing one of these packages ends with a script scooping up all the data it can, and ex-filtrating it to the attacker’s command and control system. While there isn’t an official response from NPM yet, it seems inevitable that NPM packages will be disallowed from using these arbitrary HTTP/HTTPS dependencies. There are some indicators of compromise available from Koi.

Bits and Bytes

Python deserialization with Pickle has always been a bit scary. Several times we’ve covered vulnerabilities that have their root in this particular brand of unsafe deserialization. There’s a new approach that just may achieve safer pickle handling, but it’s a public challenge at this point. It can be thought of as real-time auditing for anything unsafe during deserialization. It’s not ready for prime time, but it’s great to see the out-of-the-box thinking here.

This may be the first time I’ve seen remote exploit via a 404 page. But in this case, the 404 includes the page requested, and the back-end code that injects that string into the 404 page is vulnerable to XML injection. While it doesn’t directly allow for code execution, this approach can result in data leaks and server side request forgeries.

And finally, there was a sketchy leak, that may be information on which mobile devices the Cellebrite toolkit can successfully compromise. The story is that [rogueFed] sneaked into a Teams meeting to listen in and grab screenshots. The real surprise here is that GrapheneOS is more resistant to the Cellebrite toolkit than even the stock firmware on phones like the Pixel 9. This leak should be taken with a sizable grain of salt, but may turn out to be legitimate.

How Simple Can A Superhet Be

October 30, 2025 by 20 Comments

If you cultivate an interest in building radios it’s likely that you’ll at some point make a simple receiver. Perhaps a regenerative receiver, or maybe a direct conversion design, it’ll take a couple of transistors or maybe some simple building-block analogue ICs. More complex designs for analogue radios require far more devices; if you’re embarking on a superhetrodyne receiver in which an oscillator and mixer are used to generate an intermediate frequency then you know it’ll be a hefty project. [VK3YE] is here to explode that assumption, with a working AM broadcast band superhet that uses only two transistors.

The circuit diagram of the radio
It doesn’t get much simpler than this.

A modern portable radio will almost certainly use an all-in-one SDR-based chip, but in the golden age of the transistor radio the first stage of the receiver would be a single transistor that was simultaneously RF amplifier, oscillator, and mixer. The circuit in the video below does this , with a ferrite rod, the familiar red-cored oscillator coil, and a yellow-cored IF transformer filtering out the 455 kHz mixer product between oscillator and signal.

There would normally follow at least one more transistor amplifying the 455 kHz signal, but instead the next device is both a detector and an audio amplifier. Back in the day that would have been a germanium point contact diode, but now the transistor has a pair of 1N4148s in its biasing. We’re guessing this applies a DC bias to counteract the relatively high forward voltage of a silicon diode, but we could be wrong.

We like this radio for its unexpected simplicity and clever design, but also because he’s built it spiderweb-style. We never expected to see a superhet this simple, and even if you have no desire to build a radio we hope you’ll appreciate the ingenuity of using simple transistors to the max.

Continue reading “How Simple Can A Superhet Be”