This Week In Security: Escaping Linux VMs, Vulnerable Solar, Confusing AI (Again), And Confusing NPM Malware

The Januscape vulnerability allows a user in a guest VM managed by the Linux Kernel Virtual Machine (KVM) to corrupt memory in the host system and break out of isolation.

KVM virtualization is used by major hosting platforms like Amazon AWS, Google GCP, Digital Ocean, and many more. All of the shared hosting platforms count on virtualization to isolate untrusted guest systems from the physical hardware and each other; being able to corrupt memory for all guests or break isolation presents a major threat.

The bug report says the error has been present for 16 years, which is nearly the entire lifetime of the KVM subsystem in Linux. Fixes are available in mainline, and major hosting providers who count on KVM are likely already updating.

Vulnerabilities In Balcony Solar

Micro solar, or “balcony solar”, installs have been gaining traction in Europe as a way to offset rising electrical costs by connecting solar and battery systems to a house or apartment power system.

Vulnerabilities have been found in the popular Hoymiles micro-inverter, which uses a proprietary RF radio protocol to manage the devices. Unfortunately, it looks like this protocol has no encryption or authentication beyond validating the serial number, and the serial number is also available over a wireless probe command.

Armed with a Nordic nRF radio researchers were able to discover nearby inverters in the wild and collect the serial numbers, though of course they stopped short of issuing commands to random users.

The wireless management control allows controlling the device power and output levels, as well as setting a lockout PIN, which the researchers suspect could be used to disable devices and lock the legitimate owners out completely.

There are an estimated 500,000 units in use, and currently the only known mitigation is to unplug the device entirely and disconnect the solar panels, though the team suggests that setting an anti-theft PIN may also help – or at least prevent an unknown PIN being set.

Be sure to check out the link for an in-depth analysis of the protocol and the surprising lack of protection.

Continue reading “This Week In Security: Escaping Linux VMs, Vulnerable Solar, Confusing AI (Again), And Confusing NPM Malware”

Linux Fu: The Local Phonebook

I’ll admit it: I miss the simplicity of /etc/hosts. There was something elegant about it. You wanted laserprinter to mean 192.168.1.40, so you opened a text file and wrote:

192.168.1.40 laserprinter

Done. No cloud account, no discovery daemon, no dashboard with material-themed icons. Just a name and an address. The trouble, of course, is that /etc/hosts is only simple when you have one machine. The moment you have a desktop, a laptop, a Raspberry Pi, a NAS, a test box, and a phone or two, every little network change becomes a tiny distributed-database problem. Which copy of /etc/hosts is authoritative? Did you update the laptop? What about the machine you only boot once a month?

One Solution

Modern LANs solved this with mDNS, using Avahi on Linux. It resolves addresses that end in .local. Instead of asking a central DNS server “who is thing.local?”, a machine sends a multicast query on the local network: “who has thing.local?” The device that owns the name answers. This is why your Linux box named spock and usually be reached as spock.local on your LAN.

There are limits. mDNS is link-local; it is meant for the local LAN, not the whole Internet and shouldn’t route across subnets. Each device is supposed to publish its own name. That works fine when the device cooperates. But what about devices that do not publish mDNS? Or little embedded things that barely even have an IP address?

That is where I wanted the best of both worlds: keep a small authoritative /etc/hosts file on one Linux box, but publish selected entries onto the LAN using mDNS.

Continue reading “Linux Fu: The Local Phonebook”

When An Engineering Education Doesn’t Teach You How To Really Make Anything

In the sweltering temperatures of an unusually hot European heatwave, I found myself having a chat with  a friend of mine from my university days. After discussing the health of his cat who had solved the problem of a fur coat on a hot day by flattening himself out on the concrete floor in the coolest place in the house, we moved on to tech matters. We’ve known each other for not far short of four decades, so this is familiar territory for us. The problems that come with taking a prototype to manufacturing, a process which even the most seasoned of engineers can slip up on.

The Difference Between Making, And Making For Manufacture

If you’ve ever taken a project and replicated it, you will know the progression. If you’re making five or ten widgets, you can debug and rework as needed, tweak things, and get things going. If you’re making more then this, the process consumes a greater proportion of your time, until a point at which manufacture becomes impractical. Maybe that’s around fifty boards, sometimes more or less. Continue reading “When An Engineering Education Doesn’t Teach You How To Really Make Anything”

Hackaday Europe 2026: Is Your Blood Pressure Monitor Lying To You?

Blood pressure is one of the so-called “vital signs” that medical practitioners use to determine the basic state of a patient in any given moment. It’s exactly what it sounds like—a measurement of the pressure of the blood flowing through the body, with some complications to account for the pulsatile nature of human blood flow.

You might think measuring blood pressure is a solved concern, and it mostly is. With that said, some blood pressure monitors out there aren’t quite doing their job properly, and [Milos Rasic] came to Hackaday Europe 2026 to spell out the problem.

Continue reading “Hackaday Europe 2026: Is Your Blood Pressure Monitor Lying To You?”

Hackaday Links Column Banner

Hackaday Links: July 5, 2026

Happy belated July 4th to all the readers from the United States — hopefully you aren’t reading this from a hospital bed after losing a hand or burning off your eyebrows. While we suspect amateur firework shows and their related injuries will be around for many years to come, we did note that many major cities switched over to drone shows this year.

At least on paper, the appeal is obvious. Beyond the fact that drones are safer and quieter than pyrotechnics, they’re also capable of far more complex displays. Good luck trying to draw George Washington’s face in the sky with exploding rockets. But even if it’s a little more than nostalgia, there’s still something about the sights and sounds of fireworks that enthrall audiences. For many, the whole “rockets’ red glare” thing is a bit more meaningful than the “drones’ red LEDs.”

Earlier this week, we brought you news that Sony would stop producing physical PlayStation discs in January 2028. Many gamers are understandably concerned about the long-term implications such a move will have for software ownership, and while the negative reactions online haven’t bothered Sony enough to get them to amend their plans, they have clarified the situation with developers by explaining that games published before the cutoff date aren’t impacted. So if a developer has a hit title that drops in the summer of 2027 and they want to keep cranking out discs, additional orders can still be placed. Not much of a reprieve, but it will give the community a little more time to figure out what comes next.

Continue reading “Hackaday Links: July 5, 2026”

Yesterday’s Technology, Re-engineered Today

Watching [sprite_tm]’s build of a handheld 486-based gaming computer, we got to thinking about retro computers and the eternal questions of how much of the computer needs to be actually “old” for it it be retro. Where is the soul of a retro computer? The CPU? The old yellowing plastic case? Maybe it depends on what you’re trying to get out of the hobby.

There is of course a spectrum of people playing around with old computers. For some people, let’s call them “vintage computer enthusiasts”, half of the fun is in keeping the actual old hardware running. This group tends to know what teletype lubricant smells like, and how to tell which capacitors need replacing.

For others, “team retro”, the joy is in using the machine itself, whether that be teaching the old dogs new tricks, or simply loading up nostalgic video games. Team retro is more content with emulations or emulations that are wrapped up neatly in hardware workalikes. They know which registers need POKEing, and whether or not Commander Keen is running at the right framerate.

I think [sprite_tm]’s project falls in with yet another camp, the retro-reengineers. Here, the idea is to step through the engineering lessons of the past by re-designing something from a bygone era. So when [sprite_tm] went with a period 486 CPU backed up by a modern FPGA, perhaps ironically borrowing code from the modern MiSTer project, it makes sense for his goals. Retro-reengineers know the bus architecture and the memory timings, and they are reinventing the wheel as a learning experience. Or in the case of [Voja Antonic]’s imaginary four-bit machine, it’s a teaching experience.

How you work often reflects what you’d like to get out of the project, and at Hackaday, of course, we love all of the above! We’ve identified at least three broad schools of fooling around with old computers. Are we missing any?