Hackaday Columns

4588 Articles

This excellent content from the Hackaday writing crew highlights recurring topics and popular series like Linux-Fu, 3D-Printering, Hackaday Links, This Week in Security, Inputs of Interest, Profiles in Science, Retrotechtacular, Ask Hackaday, Teardowns, Reviews, and many more.

This Week In Security: Bitchat, CitrixBleed Part 2, Opossum, And TSAs

July 11, 2025 by 10 Comments

@jack is back with a weekend project. Yes, that Jack. [Jack Dorsey] spent last weekend learning about Bluetooth meshing, and built Bitchat, a BLE mesh encrypted messaging application. It uses X25519 for key exchange, and AES-GCM for message encryption. [Alex Radocea] took a look at the current state of the project, suspects it was vibe coded, and points out a glaring problem with the cryptography.

So let’s take a quick look at the authentication and encryption layer of Bitchat. The whitepaper is useful, but still leaves out some of the important details, like how the identity key is tied to the encryption keys. The problem here is that it isn’t.

Bitchat has, by necessity, a trust-on-first-use authentication model. There is intentionally no authentication central authority to verify the keys of any given user, and the application hasn’t yet added an out-of-band authentication method, like scanning QR codes. Instead, it has a favorites system, where the user can mark a remote user as a favorite, and the app saves those keys forever. There isn’t necessarily anything wrong with this approach, especially if users understand the limitations.

The other quirk is that Bitchat uses ephemeral keys for each chat session, in an effort to have some forward secrecy. In modern protocols, it’s desirable to have some protection against a single compromised encryption key exposing all the messages in the chain. It appears that Bitchat accomplishes this by generating dedicated encryption keys for each new chat session. But those ephemeral keys aren’t properly verified. In fact, they aren’t verified by a user’s identity key at all!

The attack then, is to send a private message to another user, present the public key of whoever your’re trying to impersonate, and include new ephemeral encryption keys. Even if your target has this remote user marked as a favorite, the new encryption keys are trusted. So the victim thinks this is a conversation with a trusted person, and it’s actually a conversation with an attacker. Not great. Continue reading “This Week In Security: Bitchat, CitrixBleed Part 2, Opossum, And TSAs”

Ask Hackaday: Are You Wearing 3D Printed Shoes?

July 10, 2025 by 50 Comments

We love 3D printing. We’ll print brackets, brackets for brackets, and brackets to hold other brackets in place. Perhaps even a guilty-pleasure Benchy. But 3D printed shoes? That’s where we start to have questions.

Every few months, someone announces a new line of 3D-printed footwear. Do you really want your next pair of sneakers to come out of a nozzle? Most of the shoes are either limited editions or fail to become very popular.

First World Problem

You might be thinking, “Really? Is this a problem that 3D printing is uniquely situated to solve?” You might assume that this is just some funny designs on some of the 3D model download sites. But no. Adidas, Nike, and Puma have shoes that are at least partially 3D printed. We have to ask why.

We are pretty happy with our shoes just the way that they are. But we will admit, if you insist on getting a perfect fitting shoe, maybe having a scan of your foot and a custom or semi-custom shoe printed is a good idea. Zellerfield lets you scan your feet with your phone, for example. [Stefan] at CNC Kitchen had a look at those in a recent video. The company is also in many partnerships, so when you hear that Hugo Boss, Mallet London, and Sean Watherspoon have a 3D-printed shoe, it might actually be their design from Zellerfield.

Continue reading “Ask Hackaday: Are You Wearing 3D Printed Shoes?”

FLOSS Weekly Episode 840: End-of-10; Not Just Some Guy In A Van

July 9, 2025 by No comments

This week Jonathan chats with Joseph P. De Veaugh-Geiss about KDE’s eco initiative and the End of 10 campaign! Is Open Source really a win for environmentalism? How does the End of 10 campaign tie in? And what does Pewdiepie have to do with it? Watch to find out!

Continue reading “FLOSS Weekly Episode 840: End-of-10; Not Just Some Guy In A Van”

Dithering With Quantization To Smooth Things Over

July 9, 2025 by 19 Comments

It should probably come as no surprise to anyone that the images which we look at every day – whether printed or on a display – are simply illusions. That cat picture isn’t actually a cat, but rather a collection of dots that when looked at from far enough away tricks our brain into thinking that we are indeed looking at a two-dimensional cat and happily fills in the blanks. These dots can use the full CMYK color model for prints, RGB(A) for digital images or a limited color space including greyscale.

Perhaps more interesting is the use of dithering to further trick the mind into seeing things that aren’t truly there by adding noise. Simply put, dithering is the process of adding noise to reduce quantization error, which in images shows up as artefacts like color banding. Within the field of digital audio dithering is also used, for similar reasons. Part of the process of going from an analog signal to a digital one involves throwing away data that falls outside the sampling rate and quantization depth.

By adding dithering noise these quantization errors are smoothed out, with the final effect depending on the dithering algorithm used.

Continue reading “Dithering With Quantization To Smooth Things Over”

Could Space Radiation Mutate Seeds For The Benefit Of Humanity?

July 8, 2025 by 32 Comments

Humans have forever been using all manner of techniques to better secure the food we need to sustain our lives. The practice of agriculture is intimately tied to the development of society, while techniques like selective breeding and animal husbandry have seen our plants and livestock deliver greater and more nourishing bounty as the millennia have gone by. More recently, more direct tools of genetic engineering have risen to prominence, further allowing us to tinker with our crops to make them do more of what we want.

Recently, however, scientists have been pursuing a bold new technique. Researchers have explored using radiation from space to potentially create greater crops to feed more of us than ever.

Continue reading “Could Space Radiation Mutate Seeds For The Benefit Of Humanity?”

This Week In Security: Anthropic, Coinbase, And Oops Hunting

July 7, 2025 by 8 Comments

Anthropic has had an eventful couple weeks, and we have two separate write-ups to cover. The first is a vulnerability in the Antropic MCP Inspector, CVE-2025-49596. We’ve talked a bit about the Module Context Protocol (MCP), the framework that provides a structure for AI agents to discover and make use of software tools. MCP Inspector is an Open Source tool that proxies MCP connections, and provides debugging information for developers.

MCP Inspector is one of those tools that is intended to be run only on secure networks, and doesn’t implement any security or authentication controls. If you can make a network connection to the tool, you can control it. and MCP Inspector has the /sse endpoint, which allows running shell commands as a feature. This would all be fine, so long as everyone using the tool understands that it is not to be exposed to the open Internet. Except there’s another security quirk that intersects with this one. The 0.0.0.0 localhost bypass.

The “0.0.0.0 day exploit” is a bypass in essentially all the modern browsers, where localhost can be accessed on MacOS and Linux machines by making requests to 0.0.0.0. Browsers and security programs already block access to localhost itself, and 127.0.0.1, but this bypass means that websites can either request 0.0.0.0 directly, or rebind a domain name to 0.0.0.0, and then make requests.

Continue reading “This Week In Security: Anthropic, Coinbase, And Oops Hunting”

Hackaday Links Column Banner

Hackaday Links: July 6, 2025

July 6, 2025 by 11 Comments

Taking delivery of a new vehicle from a dealership is an emotional mixed bag. On the one hand, you’ve had to endure the sales rep’s hunger to close the deal, the tedious negotiations with the classic “Let me run that by my manager,” and the closer who tries to tack on ridiculous extras like paint sealer and ashtray protection. On the other hand, you’re finally at the end of the process, and now you get to play with the Shiny New Thing in your life while pretending it hasn’t caused your financial ruin. Wouldn’t it be nice to skip all those steps in the run-up and just cut right to the delivery? That’s been Tesla’s pitch for a while now, and they finally made good on the promise with their first self-driving delivery.
Continue reading “Hackaday Links: July 6, 2025”