Hackaday Podcast Episode 315: Conductive String Theory, Decloudified Music Players, And Wild Printing Tech

This week, Hackaday’s Elliot Williams and Kristina Panos met up across the (stupid, lousy) time zones to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.

Again, no news is good news. On What’s That Sound, Kristina didn’t get close at all, but at least had a guess this time. If you think you can identify the sound amid all the talking, you could win a Hackaday Podcast t-shirt!

After that, it’s on to the hacks and such, beginning with a Dr. Jekyll and Mr. Hyde situation when it comes to a pair of formerly-cloud music players. We take a look at a crazy keyboard hack, some even crazier conductive string, and a perfectly cromulent list of 70 DIY synths on one wild webpage. Finally, we rethink body art with LEDs, and take a look at a couple of printing techniques that are a hundred years or so apart in their invention.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Download in DRM-free MP3 and savor at your leisure.

Continue reading “Hackaday Podcast Episode 315: Conductive String Theory, Decloudified Music Players, And Wild Printing Tech”

This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching

We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.

The pull_request_target trigger is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and GitHub thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses actions as they are defined in the repository itself, ignoring any incoming changes in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.

The simplest security problem is that many projects have build scripts in the repository, and those are not considered part of GitHub Actions by GitHub. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.
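One way to audit a repository for the shape described above, as an added example that is not part of the original Hackaday column or the Unit 42 write-up: a small Python checker that reads a workflow file and flags the combination of a pull_request_target trigger, a checkout pinned to the PR head, and a run step (where a repository build script would execute). The two workflow texts are constructed for the example, not taken from spotbugs, reviewdog or any real project, and the secret name MAINTAINER_PAT is a placeholder.

```python
import re

# Constructed sample workflows for illustration; neither is taken from
# spotbugs, reviewdog or any other real project.
RISKY_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./build.sh
        env:
          TOKEN: ${{ secrets.MAINTAINER_PAT }}
"""

SAFE_WORKFLOW = """\
name: CI
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh
"""

# The event name may appear as a mapping key ("pull_request_target:"),
# a list item ("- pull_request_target") or inside a flow list
# ("on: [push, pull_request_target]").
_TARGET_TRIGGER = re.compile(
    r"(^\s*-?\s*pull_request_target\s*:?\s*$)|(^\s*on:\s*\[[^\]]*\bpull_request_target\b)",
    re.M,
)
# A checkout that pins the PR head brings the untrusted branch (and its
# build scripts) into the privileged job; a plain base-repo checkout has
# no such ref.
_PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)\s*\}\}"
)
# Any "run:" step can invoke a script from the checked-out tree.
_RUN_STEP = re.compile(r"^\s*-?\s*run:", re.M)
_SECRET_REF = re.compile(r"secrets\.(\w+)")


def assess_workflow(text: str) -> dict:
    """Classify one workflow file's text.

    'risky'  - pull_request_target + PR-head checkout + run step (the shape
               described in the column, where a build script runs with
               repository secrets available).
    'review' - pull_request_target with a PR-head checkout or secrets, but
               not the full combination; worth a human look.
    'ok'     - nothing of the above.
    """
    uses_target = bool(_TARGET_TRIGGER.search(text))
    checks_out_head = bool(_PR_HEAD_REF.search(text))
    runs_scripts = bool(_RUN_STEP.search(text))
    secrets = sorted(set(_SECRET_REF.findall(text)))
    if uses_target and checks_out_head and runs_scripts:
        verdict = "risky"
    elif uses_target and (checks_out_head or secrets):
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "uses_pull_request_target": uses_target,
        "checks_out_pr_head": checks_out_head,
        "runs_scripts": runs_scripts,
        "secrets": secrets,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, assess_workflow(wf))
```

The checker is deliberately regex-based so it runs without a YAML library; it reports the workflow's own symptoms and does not replace the organisation-level setting the column recommends, requiring approval before workflows run on incoming PRs, which lives in repository settings rather than in the workflow file.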

So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary GitHub Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer who worked on both the spotbugs and reviewdog projects. Continue reading “This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching”

Remembering Betty Webb: Bletchley Park & Pentagon Code Breaker

S/Sgt Betty Vine-Stevens, Washington DC, May 1945.

On 31 March of this year we had to bid farewell to Charlotte Elizabeth “Betty” Webb (née Vine-Stevens) at the age of 101. She was one of the cryptanalysts who worked at Bletchley Park during World War 2, as well as being one of the few women who worked at Bletchley Park in this role. At the time existing societal biases held that women were not interested in ‘intellectual work’, but as manpower was short due to wartime mobilization, more and more women found themselves working at places like Bletchley Park in a wide variety of roles, shattering these preconceived notions.

Betty Webb had originally signed up with the Auxiliary Territorial Service (ATS), with her reasoning per a 2012 interview being that she and a couple of like-minded students felt that they ought to be serving their country, ‘rather than just making sausage rolls’. After volunteering for the ATS, she found herself being interviewed at Bletchley Park in 1941. This interview resulted in a years-long career that saw her working on German and Japanese encrypted communications, all of which had to be kept secret from the then-18-year-old Betty’s parents.

Until secrecy was lifted, all that those around her knew was that she was a ‘secretary’ at Bletchley Park. In reality, she was fighting on the front lines of cryptanalysis, work which was acknowledged by both the UK and French governments years later.

Continue reading “Remembering Betty Webb: Bletchley Park & Pentagon Code Breaker”

FLOSS Weekly Episode 827: Yt-dlp, Sometimes You Can’t See The Tail

This week, Jonathan Bennett chats with Bashonly about yt-dlp, the audio/video downloader that carries the torch from youtube-dl! Why is this a hard problem, and what does the future hold for this Swiss Army knife of video downloading? Watch to find out!

Continue reading “FLOSS Weekly Episode 827: Yt-dlp, Sometimes You Can’t See The Tail”

Supercon 2024: Rethinking Body Art With LEDs

Tattoos. Body paint. Henna. All these are popular kinds of body art with varying histories and cultural connotations, many going back centuries or even longer. They all have something in common, though—they all change how the body reflects light back to the viewer. What if, instead, body art could shine a light of its very own?

This is the precise topic which [Katherine Connell] came to discuss at the 2024 Hackaday Supercon. Her talk concerns rethinking body art with the use of light emitting diodes—and is both thoroughly modern and aesthetically compelling. Beyond that, it’s an engineering development story with liquid metal and cutting-edge batteries that you simply don’t want to miss!

Continue reading “Supercon 2024: Rethinking Body Art With LEDs”


Keebin’ With Kristina: The One With The Leather Keyboard

Are you eager to get your feet wet in the keyboard surf, but not quite ready to stand up and ride the waves of designing a full-size board? You should paddle out with a macro pad instead, and take on the foam face-first and lying down.

A beautiful purple galaxy-themed macro pad with nine switches and three knobs.
Image by [Robert Feranec] via Hackaday.IO
Luckily, you have a great instructor in [Robert Feranec]. In a series of hour-long videos, [Robert] guides you step by step through each part of the process, from drawing the schematic, to designing a PCB and enclosure, to actually putting the thing together and entering a new world of macros and knobs and enhanced productivity.

Naturally, the fewer keys and things you want, the easier it will be to build. But [Robert] is using the versatile Raspberry Pi 2040, which has plenty of I/O pins if you want to expand on his basic plan. Not ready to watch the videos? You can see the schematic and the 3D files on GitHub.

As [Robert] says, this is a great opportunity to learn many skills at once, while ending up with something terrifically useful that could potentially live on your desk from then on. And who knows where that could lead?

Continue reading “Keebin’ With Kristina: The One With The Leather Keyboard”


Hackaday Links: March 30, 2025

The hits just keep coming for the International Space Station (ISS), literally in the case of a resupply mission scheduled for June that is now scrubbed thanks to a heavy equipment incident that damaged the cargo spacecraft. The shipping container for the Cygnus automated cargo ship NG-22 apparently picked up some damage in transit from Northrop Grumman’s Redondo Beach plant in Los Angeles to Florida. Engineers inspected the Cygnus and found that whatever had damaged the container had also damaged the spacecraft, leading to the June mission’s scrub.

Mission controllers are hopeful that NG-22 can be patched up enough for a future resupply mission, but that doesn’t help the ISS right now, which is said to be running low on consumables. To fix that, the next scheduled resupply mission, a SpaceX Cargo Dragon slated for an April launch, will be modified to include more food and consumables for the ISS crew. That’s great, but it might raise another problem: garbage. Unlike the reusable Cargo Dragons, the Cygnus cargo modules are expendable, which makes them a great way to dispose of the trash produced by the ISS crew, since everything just burns up on reentry. The earliest a Cygnus is scheduled to dock at the ISS again is sometime this autumn, meaning it might be a long, stinky summer for the crew.

Continue reading “Hackaday Links: March 30, 2025”