Hackaday Podcast Episode 371: Space Computers, Spy Phones, And So Long CHU

Elliot Williams is out where the deer and the antelope play for the next week, so it’s up to Tom Nardi and Al Williams to wrangle this episode of the Hackaday Podcast. They’ll start off by reading some listener messages before talking about the slow extinction of time broadcasts, Linux on cheap smartphones, microcontroller VPNs, and the computers of Spacelab.

You’ll also hear about using a video game’s “Photo Mode” to capture 3D imagery, strange red lights in deep space, and ASCII fish that you don’t need to feed. The episode wraps up with a discussion of WWII spy tech and the revelation that modern smartphones and powerful magnets don’t always mix.

Check out the links if you want to follow along, and as always, tell us what you think about this episode in the comments!

Direct download in DRM-free MP3.

This Week In Security: Ubiquiti Fixes, And FreeBSD Joins The Club You Don’t Want To Join

Ubiquiti released a new security bulletin detailing fixes for six security issues, including one rated 9.1 (critical) and one scoring a perfect 10.0 on the CVE risk scale.

The vulnerabilities range from path traversal revealing configuration files (escaping from the web server by requesting a path like “../../../../../etc/passwd” for instance), to command injection (running arbitrary shell commands on the system), and actually changing device configurations. Some of the reported vulnerabilities require an account on the management server, but some only require network access.

Fortunately, all of the vulnerabilities require access to the network in the first place to exploit – but this could include access to open guest networks as well as trusted users. If you run Ubiquiti or UniFi equipment, chances are the automatic update function has already integrated the fixes, but make sure to check the advisory to see if you’re impacted and update accordingly!

FreeBSD Root Exploit

FatGid lets FreeBSD join the fun of kernel exploits to gain root.

The FatGid vulnerability doesn’t require any manipulation of disk cache; instead it is a direct kernel stack overflow in a system call. The kernel miscalculates the size of a variable as 8 bytes instead of 4, and when that size is later used in an operation on a user buffer, the stack overflows.

Like the recent spate of Linux local privilege escalation attacks, this requires the attacker to already have an account on the system or the ability to run arbitrary programs, but remember that any bug in network services which allows command execution gets you there, so if you run network exposed FreeBSD, it’s time to update!
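To make the size mix-up concrete, here is a small userland C model, added as an illustration and not taken from the FreeBSD source or the advisory. The array capacity, the stack-array layout, and the names elem_t, handler_model and sample_user are assumptions; it shows that an element-count check still passes while the byte length doubles, and that a byte-length check placed right before the copy stops it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ELEMS 16            /* hypothetical capacity of the stack array */
typedef uint32_t elem_t;        /* the variable that is really 4 bytes wide */
_Static_assert(sizeof(elem_t) == 4, "elem_t must be 4 bytes");

elem_t sample_user[MAX_ELEMS];  /* constructed caller buffer, zero-filled */

/* Byte length as the flawed calculation yields it: 8 bytes per element. */
size_t copy_len_buggy(size_t count) { return count * sizeof(uint64_t); }

/* Byte length taken from the destination's own element type. */
size_t copy_len_fixed(size_t count) { return count * sizeof(elem_t); }

/* Bytes that a copy of len would write past a buffer of dst_size bytes. */
size_t overrun_bytes(size_t dst_size, size_t len)
{
    return len > dst_size ? len - dst_size : 0;
}

/*
 * Model handler: validates the element count, then copies len bytes from
 * the caller's buffer into a fixed stack array. Returns 0 on success,
 * -1 if the count is rejected, -2 if the byte-length check stops the copy.
 */
int handler_model(const void *src, size_t src_size, size_t count, int buggy)
{
    elem_t slots[MAX_ELEMS];
    size_t len;

    if (count > MAX_ELEMS)      /* passes for count <= 16 in both variants */
        return -1;
    len = buggy ? copy_len_buggy(count) : copy_len_fixed(count);

    /* Hardening: check the final byte length against both buffers right
     * before the copy, however len was computed. */
    if (len > sizeof(slots) || len > src_size)
        return -2;
    memcpy(slots, src, len);
    return 0;
}

int main(void)
{
    for (size_t n = 8; n <= MAX_ELEMS; n += 4)
        printf("count=%zu fixed=%zu buggy=%zu overrun=%zu rc=%d\n",
               n, copy_len_fixed(n), copy_len_buggy(n),
               overrun_bytes(sizeof(sample_user), copy_len_buggy(n)),
               handler_model(sample_user, sizeof(sample_user), n, 1));
    return 0;
}
```

In this model a count of 8 still fits inside the array even with the wrong element size, so a bug of this shape only shows itself once the count passes half the capacity.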

Kali365 Phishing-as-a-Service

Phishing-as-a-service platforms have been gaining traction, allowing criminals to automate targeting users with crafted lures. The FBI has issued a warning about the Kali365 service in particular.

Kali365 targets credentials for Microsoft 365 accounts by directing users to the official Microsoft portal for linking additional devices to the account, attaching an attacker device directly to the user identity. Alternatively, the framework steals credentials by directing the user through a hostile service that presents a false login page, which captures browser sessions along with authentication cookies and tokens once the user answers the fake multi-factor login prompts.

Automating the phishing process lowers the bar for the skill level needed to create authentic-looking lures and makes it simpler for criminal groups to attack large numbers of users. Phishing-as-a-service groups operate as companies offering customer support, tracking dashboards, and pre-made phishing templates.

Glassworm Botnet Takedown

CrowdStrike, Google, and the ShadowServer Foundation have carried out a coordinated takedown of the infrastructure used by the Glassworm supply-chain botnet.

Glassworm has been mentioned previously; it is one of several major worms infecting open source package repositories like NPM and PyPI, as well as the Visual Studio extension repository. Once a victim installs a compromised package or extension, the Glassworm trojan steals any saved authentication tokens for package repositories, GitHub accounts, AI services, and any SSH keys found, and begins the stage two infection. Using the stolen credentials, the worm infects any GitHub workflows, packages, and extensions the user has access to, and installs a remote-access trojan which waits for further commands.

Glassworm used a complex control server structure including blockchain memos, BitTorrent files, and public Google Calendar entries, but the coalition of companies was able to interrupt all control channels simultaneously. Hard-coded aspects of the worm will continue to function, but all behavior which requires downloading payloads from the control servers has been disrupted.

This isn’t the first time multiple Internet companies have coordinated to take down malware, but it’s always good to see action against threats which have been decimating the package repository infrastructure lately.

TechCrunch Spyware Avoidance

On the positive side of things, TechCrunch has an article about modern features to protect users against spyware. If this isn’t news to you, there’s still almost certainly someone in your life who will benefit from a user-friendly write up of best practices!

Both major commercial mobile platforms (iOS and Android) offer advanced protection features which are minimally invasive. For users who are likely to be higher targets of spyware like journalists, lawyers, and human rights activists, or simply those who are worried, these features offer real protection.

The features explained in the article include Apple’s Lockdown mode, Android’s Advanced Protection mode, and WhatsApp-specific application settings, all of which work to reduce common attack surfaces for devices. The advanced security modes typically have minor impacts on performance and battery life due to disabling optimization features which introduce additional complexity and attack surfaces (such as just-in-time compilation of JavaScript code into native instructions). When situations call for an abundance of caution, a few percent of battery life daily is a reasonable compromise.

Go check out the full write up!

Microsoft Bans NightmareEclipse

An exploit researcher known only as “NightmareEclipse” has been featured here several times in the past months already. Showing intense frustration with their experience with the administrators of the Microsoft security bug bounty program, they have taken to releasing zero-day exploits against Windows, often coinciding with Patch Tuesday (clearly no accident; by releasing a new exploit on the same day as the Microsoft patch set, it’s unlikely to be fixed before the next month’s Patch Tuesday at the earliest). Previous exploits released by NightmareEclipse include BlueSun and RedHammer (local user to Windows SYSTEM privilege escalation), UnDefend to disable Windows Defender, and YellowKey which unlocks BitLocker drives using a collection of nothing more than magically named files.

Tom’s Hardware reports that Microsoft has disabled the researcher’s GitHub accounts (GitHub being owned by Microsoft has long been a point of concern for security researchers who find vulnerabilities in Microsoft products), as well as the actual Microsoft account used by the researcher.

While it’s certainly within the terms of service of Microsoft and GitHub that accounts may be terminated, the optics are particularly poor in this case, given the confusion around the initial interactions which led to the researcher’s original anger. NightmareEclipse has moved their example code repositories to GitLab in the meantime, and promises Microsoft that “I will make sure your bones are shattered on July 14”, implying there will be additional releases (on, you guessed it, what looks like another Patch Tuesday).

Further clouding the issue, an official Microsoft statement indicates they are attempting to bring criminal (not just civil) charges against researchers who do not cooperate with the Microsoft disclosure policies, a stance which will certainly in no way exacerbate the situation.

Fingerprinting Devices by SSD

Dan Goodin at Ars Technica highlights a new paper on fingerprinting users via SSD disk performance, using just standard JavaScript.

The modern web is a hellscape of user tracking, and this attack, dubbed FROST, highlights another technique for identifying unique devices and user patterns based entirely on hardware behavior. By generating a large file using local browser storage via OPFS (origin private file system, an API for JavaScript to create raw files inside the browser storage area) and continually reading and writing data while monitoring the performance, a web page is able to monitor the disk access performance of the device.

Using a neural network trained on timing data, researchers say they are able to determine what apps may be running on the computer alongside the browser – and sometimes even what other websites are being viewed, based solely on the delays in disk IO caused by other applications and websites accessing the SSD. The paper will be presented in July, with researchers saying that the neural network can be trained to recognize “any system which reliably generates SSD accesses”.

Likely, browser developers can mitigate FROST by decreasing the performance of file operations in the OPFS API so that the performance data lacks the fidelity needed to derive user behavior.

FROST is a “side channel attack”; by monitoring one set of characteristics, side channel attacks are able to infer other system behaviors. Side channel attacks can be incredibly subtle and difficult to predict: another side channel attack method has been to use extremely fine-grained monitoring of the power consumption of a device to derive encryption keys, predicting the CPU instructions and values based on the amount of power used to set the internal registers.

Improving Memory Safety in C#

Programming languages have been moving towards stronger default memory models, making programs more secure by default by eliminating behaviors which are commonly exploitable. Using a memory-safe language does not prevent logic errors or other security issues, but can still help by eliminating common mistakes.

Microsoft has posted an extensive article about new enhancements for C# in .NET 11. Borrowing in many ways (that’s a programming joke) from the Rust memory model, C# 16 will add additional enforcement of memory safety and object lifetimes, detecting when memory is no longer available and preventing invalid memory accesses on expired objects, with the goal of eliminating use-after-free memory corruption and attacks.

C# 16 will also expand the meaning of the “unsafe” keyword, a mechanism introduced in C# 1.0 and since heavily adopted by newer languages such as Rust and Swift. Code marked as unsafe in C# 16 is able to bypass the stricter memory model, but all code referencing it must also be marked as unsafe. Making unsafe code more difficult to use increases the overall friction of doing things the dangerous way, while clearly marking code which is higher risk.

There are few magic bullets for secure programming, but reducing the ways a programmer can make simple mistakes can be a big win.

The Frikkin Lasers Contest Starts Now

We don’t need to tell you: lasers are awesome. Those tiny red beams aren’t just for frustrating cats, but can do real work, be a source of infinite beauty, or constitute a science project in its own right — and you can win a $150 DigiKey gift certificate simply by writing your project up on Hackaday.io. The contest runs until July 23rd.

Of course, red lasers are only the beginning. If you have enough energy to move electrons into higher orbitals, you can make nearly anything lase. RGB setups can be breathtaking. Powerful IR and UV lasers are real tools. And the DIY side of lasering combines physics and electronics, with a spicy side of danger that needs to be contained.

We love laser builds of all sorts, and we’d like to see yours! Create a new Hackaday.io project that features what you’re working on, and we’ll pick our three favorites for a $150 gift certificate courtesy of this contest’s sponsor, DigiKey.

AMOC And The Planet-Wide Impact Of Ocean Currents

Although it can be hard to tell from looking at the often placid waters of the Earth’s oceans, their currents carry immense amounts of water around the globe on a daily basis, underlying a dynamic system that – much like the Earth’s atmosphere – plays a major role in everything from weather systems to local climates and ecosystems.

Of all these ocean currents the Atlantic meridional overturning circulation (AMOC) is perhaps the most famous, as it is basically the sole reason why Europe has the mild climate that it does today, courtesy of it carrying thermal energy from the equator all the way to the coast off Scandinavia.

Although collapsing an ocean current seems as improbable as stopping the jet streams in the upper atmosphere, it’s actually significantly easier due to how much ocean currents rely on factors that we can fairly easily influence. Over the past decades we have seen worrying signs that the AMOC is indeed weakening, with the million-dollar question being what scenario we’ll be looking at.

While collapsing the AMOC within a decade may be theoretically possible, current models seem to point towards a weakening by about half by the end of this century, with a recent research article by Valentin Portmann et al. in Science Advances going over the various statistical models to come to this conclusion.

Linux Fu: The Bluetooth Regression

There’s a line in a [Weird Al] (no relation) song that says, “I upgrade my system at least twice a day…” I know how that is. I primarily use a rolling distro, openSUSE Tumbleweed, and if I’m having a problem that I’m too lazy to run down, it is extremely tempting to do an upgrade and see if it just happens to fix the problem.

Of course, the problem is often caused by a previous upgrade. Recently, I’ve been having a lot of trouble with the NVIDIA proprietary drivers, so I updated them yet again. After a huge amount of effort to sort out the video problems, I found that the latest kernel didn’t like my MediaTek Bluetooth adapter, which is built into the motherboard’s WiFi chipset.

This post isn’t about how to fix your Bluetooth problem. You probably don’t have the same setup I do, and even if you do, it will be sorted out in a week or two anyway. But how I temporarily fixed this issue is worth documenting. The details are going to apply to Tumbleweed and this particular adapter, but the general approach should work anywhere with any sort of kernel module problem.

My Own Fault

Part of my problem is my own fault, of course. I have a complex disk setup and do not use the recommended btrfs root file system. That means I can’t do the snapshot thing where I can just undo a bad upgrade. If I did, then sure, I should just roll back and wait for an upstream fix.

I do have “normal” backups, but they are not always totally up to date. Worse, I have found that for things like NVIDIA, the user stuff and the kernel module stuff have to match up. That makes it very hard to roll back a kernel with older modules. The modules themselves live with the kernel, but the user space stuff gets pushed out. Or, if you uninstall things, it uninstalls it for all kernels.

Truthfully, NVIDIA and others like that should keep all the user space stuff in a kernel-specific place, and then symlink it at boot to /usr/bin or wherever. But they don’t. In the end, I didn’t want to go through the trouble of rolling things back and decided to push ahead.

Hackaday Links: May 24, 2026

If your first-generation Chromecast was acting a little wonky this week, don’t worry. Contrary to fears online, the 2014 device hasn’t been excommunicated by Google. In a statement to Ars Technica, a rep for the search giant explained that the issue, which was keeping the devices from being able to stream video from services like Netflix, was temporary and should now be resolved. That said, the OG Chromecast hasn’t officially been supported since 2023, so it’s not clear how much longer they will remain operational. Google be Google, after all.

After resisting for years, this week, Mozilla finally relented and brought Web Serial to Firefox. While there’s been some debate about the wisdom of letting the Internet directly talk to hardware gadgets, anyone who’s flashed Meshtastic or configured their Betaflight-powered drone from the browser can attest to how convenient it is. In the announcement, Mozilla acknowledges that “most folks won’t use this API”, but points out that the “community of builders and tinkerers” (that’s us!) is sure to be excited about the news. They’ve even teamed up with Adafruit to ensure their web-based microcontroller workflows are compatible in Firefox 151 and beyond. If you give it a shot, let us know how it goes.

Speaking of hardware support, the Linux Vendor Firmware Service (LVFS) recently picked up a couple of big-name sponsors. As reported by It’s FOSS, this week, Lenovo, Dell, and HP have signed on as Premier-level sponsors to the tune of $100,000 per year. For those unfamiliar, LVFS offers a central repository where hardware vendors can upload firmware updates. On the client side, fwupd can be used to pull these updates down automatically without having to hunt around on each vendor’s website. The experienced players don’t need a service like LVFS, but it’s certainly one of those quality-of-life improvements that make the desktop experience a bit more accessible.

Amazing Stories

The 2026 installment of Hackaday Europe was last weekend, and I’m still basking in the warm glow of hanging out with such an inspiring group of hackers. It’s hard to emphasize how important it is, maybe especially for those of us on the inside of Hackaday, to get to nerd out together like that. While we do our best to present your stories on our pages, there is just no substitute for getting to talk about projects, hacks, and dreams in real life.

While we can’t bring you all of the side-conversations that took place, we did manage to get the talks recorded, and we’ll be writing them up shortly. We have some bad news on that front, though: due to a technical limitation with the setup that the university had in place, we only got the audio and slide feeds, and not the camera that should have been filming the presenters. Still, we have a record of most everything that went down on the main stage, so stay tuned.

We know that not everyone can make it out to either Supercon or Hackaday Europe, but we heartily recommend keeping your eyes out for local hacker events near you. This weekend, there’s Open Hardware Summit in Berlin, for instance. If you’re near NYC, there’s HOPE coming up in August. If your tastes run more toward retrocomputing, there might be a Vintage Computer Festival chapter near you. Heck, consider looking into some of the more mainstream events as well, if that’s what is in your neighborhood.

It’s definitely more of an effort to get out to an event in the physical world, but the connections you make with fellow hackers are absolutely worth it. Any events that we should know about?