This Week In Security: Randomness Is Hard, SNMP Shouldn’t Be Public, And GitHub Malware Delivery

Randomness is hard. To be precise, without dedicated hardware, randomness is impossible for a computer. This is important to keep in mind when writing software. When there’s no hardware providing true randomness, most rnd implementations use a seed value and a pseudorandom number generator (PRNG). A PRNG is a function that takes a seed value, turns it into a seemingly random value, and also produces a new seed for the next time a random value is needed. This could be as simple as a SHA256 sum, where the hash output is split to become the next seed and the random value.

The PRNG approach does still have a challenge. Where does the initial seed come from? There are a few common, if flawed, approaches, and one of the most common is to use the system clock. It’s not a bulletproof solution, but using the microsecond counter since the last system boot is often good enough, because there are a lot of them to choose from — the entropy is high. With that brief background in mind, let’s talk about what happens in VBScript. The Randomize call is used to seed that initial value, but Randomize has some quirks.

The first is a great feature: calling Randomize a second time with the same seed doesn’t reset the PRNG engine back to the same initial state. And second, when called without a value, Randomize uses the number of system ticks since midnight as the PRNG seed. There are 64 ticks per second, giving five-and-a-half million possible seeds, or 22 bits of entropy. This isn’t great on its own, but Randomize internally typecasts that number of ticks into a narrower value, so the maximum number of possible time-based seeds is 65,536, which is a lot easier to brute-force.

We don’t know the exact application where the researchers at Doyensec found VBScript generating secure tokens, but in their Proof of Concept (PoC) test run, the generated token could be found in four guesses. It’s a terrible security fail for basically any use, and it’s a deceptively easy mistake to make.
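An added example, not code from the original article or from Doyensec’s research: a Python sketch of the hash-splitting PRNG described above, seeded from only 65,536 possible values, shown next to a token drawn from the operating system’s CSPRNG. It does not reproduce VBScript’s actual Rnd algorithm; the function names and the sample seed are assumptions made for illustration.

```python
import hashlib
import secrets

SEED_SPACE = 65_536  # time-based seeds left after the narrowing cast, per the text


def prng_step(seed: bytes) -> tuple[bytes, bytes]:
    """One step of the SHA-256 PRNG sketched above: split the digest in two."""
    digest = hashlib.sha256(seed).digest()
    return digest[:16], digest[16:]  # (next seed, random output)


def weak_token(seed_int: int, blocks: int = 2) -> str:
    """Flawed pattern: a 256-bit-looking token derived from a 16-bit seed."""
    seed = seed_int.to_bytes(2, "big")
    out = b""
    for _ in range(blocks):
        seed, rnd = prng_step(seed)
        out += rnd
    return out.hex()


def seeds_matching(token: str) -> list[int]:
    """Audit helper: walk the whole seed space and list seeds giving this token."""
    return [s for s in range(SEED_SPACE) if weak_token(s) == token]


def strong_token() -> str:
    """Corrected form: 256 bits straight from the OS CSPRNG, no seed to guess."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    constructed_seed = 4242  # constructed sample value, not from the article
    token = weak_token(constructed_seed)
    print("weak token:              ", token)
    print("seeds that regenerate it:", seeds_matching(token))
    print("strong token:            ", strong_token())
```

The weak token is 64 hex characters long, yet the full seed space is walked in well under a second, so its real strength is 16 bits regardless of its length.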

Continue reading “This Week In Security: Randomness Is Hard, SNMP Shouldn’t Be Public, And GitHub Malware Delivery”

How Water Vapor Makes Smartphones Faster

Once upon a time, home computers were low-powered enough that they barely needed any cooling at all. An Amiga 500 didn’t even have a heatsink on the CPU, while the early Macintosh got by with a single teeny little fan.

Modern smartphones are far more powerful than these ancient machines, packed with multi-core processors running at speeds of many gigahertz. Even still, they’ve generally been able to get by without any active cooling devices. However, as manufacturers continue to push the envelope of performance, they’ve had to scramble for ways to suck heat out of these handheld computers. Vapor chamber cooling has risen as a solution to this problem, using simple physics to keep your handset humming along at maximum speed for longer.

Continue reading “How Water Vapor Makes Smartphones Faster”

FLOSS Weekly Episode 848: Open The Podbay Doors, Siri

This week Jonathan and Rob chat with Paulus Schoutsen about Home Assistant, ESPHome, and Music Assistant, all under the umbrella of the Open Home Foundation. Watch to see Paulus convince Rob and Jonathan that they need to step up their home automation games!

Continue reading “FLOSS Weekly Episode 848: Open The Podbay Doors, Siri”

Retrotechtacular: The Ferguson System

Of the many great technological leaps made in the middle of the 20th century, one of the ones with perhaps the greatest impact on our modern life takes a back seat behind the more glamorous worlds of electronics, aeronautics, or computing. But the ancestor of the modern tractor has arguably had more of an impact on the human condition in 2025 than that of the modern computer, and if you’d been down on the farm in the 1940s you might have seen one.

The Ferguson system refers to the three-point implement linkage you’ll find on all modern tractors, the brainchild of the Irish engineer Harry Ferguson. The film below the break is a marketing production for American farmers, and it features the Ford-built American version of the tractor known to Brits and Europeans as the Ferguson TE20.

“Ferguson TE20 2006” by [Malcolmxl5]

The evolution of the tractor started as a mechanisation of horse-drawn agriculture, using either horse-drawn implements or ones derived from them. While the basic shape of a modern tractor as a four wheel machine with large driving wheels at the rear evolved during this period, other types of tractor could be found such as rein-operated machines intended to directly replace the horse, or two-wheeled machines with their own ecosystem of attachments.

As the four-wheeled machines grew in size and their implements moved beyond the size of their horse-drawn originals, they started to encounter a new set of problems which the film below demonstrates in detail. In short, a plough simply dragged by a tractor exerts a turning force on the machine, giving the front a tendency to lift and the rear a lack of traction. The farmers of the 1920s and 1930s attempted to counter this by loading their tractors with extra weights, at the expense of encumbering them and compromising their usefulness. Ferguson solved this problem by rigidly attaching the plough to the tractor through his three-point linkage while still allowing for flexibility in its height. The film demonstrates this in great detail, showing the hydraulic control and the feedback provided through a valve connected to the centre linkage spring.

Continue reading “Retrotechtacular: The Ferguson System”

2025 Hackaday Superconference: Announcing Our Workshops And Tickets

Can you feel the nip of fall in the air? That can only mean one thing: Supercon is just around the corner. The next few weeks are going to bring a blitz of Supercon-related reveals, and we’re starting off with a big one: the workshops.

Supercon is the Ultimate Hardware Conference, and you need to be there to attend a workshop. Both workshop and general admission tickets are on sale now! Don’t wait — they sell out fast.

Continue reading “2025 Hackaday Superconference: Announcing Our Workshops And Tickets”

Hackaday Links: September 21, 2025

Remember AOL? For a lot of folks, America Online was their first ISP, the place where they got their first exposure to the Internet, or at least a highly curated version of it. Remembered by the cool kids mainly as the place that the normies used as their ISP and for the mark of shame an “@aol.com” email address bore, the company nevertheless became a media juggernaut, to the point that “AOL Time Warner” was a thing in the early 2000s. We’d have thought the company was long gone by now, but it turns out it’s still around and powerful enough of a brand that it’s being shopped around for $1.5 billion. We’d imagine a large part of that value comes from Yahoo!, which previous owner Verizon merged with AOL before selling most of the combined entity off in 2021, but either way, it’s not chump change.

For our part, the most memorable aspect of AOL was the endless number of CDs they stuffed into mailboxes in the 90s. There was barely a day that went by that one of those things didn’t cross your path, either through the mail or in free bins at store checkouts, or even inside magazines. They were everywhere, and unless you were tempted by the whole “You’ve got mail!” kitsch, they were utterly useless; they didn’t even make good coasters thanks to the hole in the middle. So most of the estimated 2 billion CDs just ended up in the trash, which got us thinking: How much plastic was that? A bit of poking around indicates that a CD contains about 15 grams of polycarbonate, so that’s something like 30,000 metric tonnes! To put that into perspective, the Great Pacific Garbage Patch is said to contain “only” around 80,000 metric tonnes of plastic. Clearly the patch isn’t 37% AOL CDs, but it still gives one pause to consider how many resources AOL put into marketing.

Continue reading “Hackaday Links: September 21, 2025”

Hackaday Podcast Episode 338: Smoothing 3D Prints, Reading CNC Joints, And Detecting Spicy Shrimp

This week, Hackaday’s Elliot Williams and Kristina Panos met up over the tubes to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous seven days or so.

In Hackaday news, we’ve got a new contest running! Read all about the 2025 Component Abuse Challenge, sponsored by DigiKey, and check out the contest page for all the details. In sad news, American Science & Surplus are shuttering online sales, leaving just the brick and mortar stores in Wisconsin and Illinois.

On What’s That Sound, it’s a results show, which means Kristina gets to take a stab at it. She missed the mark, but that’s okay, because [Montana Mike] knew that it was the theme music for the show Beakman’s World, which was described by one contestant as “Bill Nye on crack”.

After that, it’s on to the hacks and such, beginning with a really cool way to smooth your 3D prints in situ. We take a much closer look at that talking robot’s typewriter-inspired mouth from about a month ago. Then we discuss several awesome technological feats such as running code on a PAX credit card payment machine, using the alphabet as joinery, and the invention of UTF-8 in general. Finally, we discuss the detection of spicy shrimp, and marvel at the history of email.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

 

Download in DRM-free MP3 and savor at your leisure.

Continue reading “Hackaday Podcast Episode 338: Smoothing 3D Prints, Reading CNC Joints, And Detecting Spicy Shrimp”