This Week In Security: Roundcube, Unified Threat Naming, And AI Chat Logs

Up first, if you’re running a Roundcube install prior to 1.5.10 or 1.6.11, it’s time to update. We have an authenticated Remote Code Execution (RCE) in the Roundcube Webmail client. And while that’s not quite the level of chaos that an unauthenticated RCE would cause, it’s still to be taken seriously. Mainly because for the majority of the 53 million Roundcube installs out there, the users aren’t entirely trusted.

The magic at play in this vulnerability is the Roundcube user session code, and specifically the session deserialization scheme. There’s a weird code snippet in the unserialize function:
if ($str[$p] == '!') {
    $p++;                // skip the '!' marker
    $has_value = false;  // treat the name that follows as having no value
}

The exclamation mark makes the code skip that character and treat the name that follows as having no value, so parsing resumes immediately after the delimiter. If a value does follow, the parser is now out of step with the data: the bytes of that value get read as the start of the next key/value record, and the session comes back slightly corrupted. This really comes into force when combined with the file upload function, as the uploaded filename serves as a payload delivery mechanism. Use the errant exclamation mark handling to throw off deserialization, and the filename can contain arbitrary session key/value pairs. A GPG class from the PEAR library allows running an arbitrary command, and an object of that class can be conjured into existence through the manipulated session.
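To make the desync concrete, here is a small Python model of a '|'-delimited, PHP-style session blob reader with the same '!' rule. It is an added example for this column, not Roundcube's own code and not the researchers' exploit: the record names, the sample blobs and the name allowlist used for hardening are my own constructions. The excerpt above does not say how a record name beginning with '!' ends up in the session, so the hostile blob simply starts from a session where that has already happened.

```python
"""Model of a '|'-delimited, PHP-style session blob parser with the '!' quirk.
Added example: a simplified reconstruction of the behaviour described above,
not Roundcube's own code. All record names and sample data are constructed."""
import re

# Allowlist for record names, my choice for the hardened paths below.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


class SessionParseError(ValueError):
    pass


def php_serialize(value):
    """Serialize one scalar the way PHP's serialize() does (ASCII input assumed)."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # must precede the int check
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value), value)
    raise TypeError("unsupported type %r" % type(value))


def serialize(items):
    """Write 'name|value' records, refusing names the reader would misread."""
    out = []
    for name, value in items.items():
        if not NAME_RE.match(name):      # catches a leading '!' and an embedded '|'
            raise SessionParseError("refusing to write record name %r" % name)
        out.append(name + "|" + php_serialize(value))
    return "".join(out)


def parse_value(data, q):
    """Parse one serialized scalar at data[q:]; return (value, index after it)."""
    if q >= len(data):
        raise SessionParseError("value expected at end of data")
    tag = data[q]
    if tag == "N":
        if data[q:q + 2] != "N;":
            raise SessionParseError("bad null at %d" % q)
        return None, q + 2
    if tag in ("i", "b"):
        end = data.index(";", q)
        raw = data[q + 2:end]
        return (int(raw) if tag == "i" else raw == "1"), end + 1
    if tag == "s":
        colon = data.index(":", q + 2)   # end of the length field
        length = int(data[q + 2:colon])
        start = colon + 2                # skip ':' and the opening quote
        end = start + length             # a '|' inside the string is harmless here
        if data[end:end + 2] != '";':
            raise SessionParseError("string length mismatch at %d" % q)
        return data[start:end], end + 2
    raise SessionParseError("unsupported value tag %r at %d" % (tag, q))


def unserialize(data, strict=False):
    """Read records back. strict=True rejects names outside the allowlist,
    which is exactly the kind of name a desynchronised parse produces."""
    items = {}
    p, n = 0, len(data)
    while p < n:
        q = data.find("|", p)
        if q < 0:
            break
        if data[p] == "!":               # the quirk: skip '!' and assume no value
            p += 1
            has_value = False
        else:
            has_value = True
        name = data[p:q]
        q += 1
        if strict and not NAME_RE.match(name):
            raise SessionParseError("illegal record name %r" % name)
        if has_value:
            value, q = parse_value(data, q)
        else:
            # Parsing resumes right after '|'. If a value was written anyway,
            # its bytes are now read as the start of the next record name.
            value = None
        items[name] = value
        p = q
    return items


# Constructed sample data. A '|' inside a value is fine: strings are length-prefixed.
BENIGN = serialize({"user_id": 42, "upload": "cat|dog.png"})

# Attacker-chosen upload filename carrying its own records (constructed).
FILENAME = "a.png|i:0;is_admin|b:1;"
# A writer that did NOT validate names stored it under a name starting with '!'.
HOSTILE = "user_id|i:42;" + "!upload|" + php_serialize(FILENAME)

if __name__ == "__main__":
    print(unserialize(BENIGN))   # {'user_id': 42, 'upload': 'cat|dog.png'}
    print(unserialize(HOSTILE))  # ... 'is_admin': True smuggled in via the filename
    try:
        unserialize(HOSTILE, strict=True)
    except SessionParseError as e:
        print("strict reader rejected it:", e)
```

Run it and the hostile blob yields a session containing an `is_admin` key the application never wrote, plus a junk key `s:23:"a.png` that is the tell-tale of the desync. The two hardening points are deliberately separate: the writer refuses to emit a name it knows the reader will misinterpret, and the reader in strict mode refuses any name that could only have come from a misparse, so either one alone stops this particular smuggling.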

Supercon 2024: From Consultant To Prototyper On A Shoestring Budget

Many engineers graduate from their studies and head out into the workforce, seeking a paycheck and a project at some existing company or other. Often, it’s not long before an experienced engineer begins to contemplate striking out on their own, working as a skilled gun-for-hire that makes their own money and their own hours.

It’s a daunting leap, but with the promise of rich rewards for those that stick the landing. That very leap is one that our own Dave Rowntree made. He came to Supercon 2024 to tell us what the journey was like, and how he wound up working on some very special shoes.


The Blackberry Keyboard: How An Open-Source Ecosystem Sprouts

What could happen when you open-source a hardware project?

No, seriously. I hold a fair few radical opinions – one is that projects should be open-source to the highest extent possible. I’ve seen this make miracles happen, make hackerdom stronger, and nourish our communities. I think we should be publishing all the projects, even if incomplete, as much as your opsec allows. I would make ritual sacrifices if they resulted in more KiCad projects getting published, and some days I even believe that gently bullying people into open-sourcing their projects can be justified. My ideal universe is one where companies are unable to withhold schematics from the people buying their hardware; no human should ever be stuck holding an electronics black box, by force if necessary.

Why such a strong bias? I’ve seen this world change for the better with each open-source project and for the worse with closed-source ones; it’s pretty simple for me. Trust me here – let me tell you a story of how a couple of reverse-engineering efforts and a series of open-source PCBs have grown a whole tree of an ecosystem.

A Chain Of Blackberry Hackers


Supercon 2024: How To Track Down Radio Transmissions

You turn the dial on your radio, and hear a powerful source of interference crackle in over the baseline noise. You’re interested as to where it might be coming from. You’re receiving it well, and the signal strength is strong, but is that because it’s close or just particularly powerful? What could it be? How would you even go about tracking it down?

When it comes to hunting down radio transmissions, Justin McAllister and Nick Foster have a great deal of experience in this regard. They came down to the 2024 Hackaday Superconference to show us how it’s done.



Keebin’ With Kristina: The One With The H.R. Giger Keyboard

I had to bust out Brain Salad Surgery to write this one, folks. It was that, or put on some Ministry or something. Just look at all the industrial-ness dripping from [heinn_dev]’s creation.

An incredibly industrial-looking split keyboard. Like, almost H.R. Giger-esque.
Image by [heinn_dev] via reddit
Apparently [heinn_dev] wasn’t completely satisfied with his Chocofi case, and instead of requesting a full refund, just went ahead and made a prettier one. It took a lot of printing and even more sanding, but here we are. And it looks fantastic.

The only downside, if you can call it one, is that adjusting the tenting is a slow operation. But then again that’s one of those things that you usually set and forget.

Oh, and those keycaps are printed, too. As one commenter said, those homing nipples look painful, but I think it’s part of the charm. I just hope that hand grime doesn’t end up clogging the holes under the palm area. Clean your keyboards, people.


Hackaday Links: June 1, 2025

It appears that we’re approaching the HAL-9000 point on the AI hype curve with this report, which suggests that Anthropic’s new AI model is willing to exhibit some rather antisocial behavior to achieve its goals. According to a pre-release testing summary, Claude Opus 4 was fed some hypothetical company emails that suggested engineers were planning to replace the LLM with another product. This raised Claude’s hackles enough that the model mined the email stream for juicy personal details with which to blackmail the engineers, in an attempt to win a stay of execution. True, the salacious details of an extramarital affair were deliberately seeded into the email stream, and in most cases, it tried less extreme means to stay alive, such as cajoling senior leaders by email, but in at least 84% of the test runs, Claude eventually turned to blackmail to get its way. So we’ve got that to look forward to.
