This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching

We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.

The pull_request_target hook is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and GitHub thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses the workflow as it is defined in the repository itself, ignoring any incoming changes to it in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.

The simplest security problem is that many projects have build scripts in the repository, and GitHub does not consider those part of the workflow definition: if the workflow checks out the PR and runs the build script from there, the script is whatever the PR author wrote. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.
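As an added illustration (not from the Unit 42 write-up or the spotbugs project), the risky workflow shape described above beside a hardened form, written as two separate workflow files; the workflow names, the build script path and the secret name are constructed placeholders:

```yaml
# RISKY: pull_request_target runs with the base repository's secrets and a
# write-capable GITHUB_TOKEN, yet checks out and executes the fork's build script.
name: ci-risky
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the PR head, so build.sh now comes from the fork
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./build.sh   # constructed placeholder for a project build script
        env:
          # constructed placeholder secret; it is now exposed to PR-controlled code
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
---
# HARDENED: plain pull_request gives fork PRs a read-only GITHUB_TOKEN and no
# access to repository secrets, so a malicious build.sh has nothing to leak.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # defaults to the PR merge commit
      - run: ./build.sh             # untrusted code, but no secrets in scope
  # Steps that genuinely need secrets (publishing, posting comments) belong in a
  # separate workflow triggered on push to the default branch, not in the PR job.
```

The mitigation the text recommends, requiring approval before fork workflows run, is a repository-level Actions setting rather than something the workflow YAML itself expresses.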

So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary GitHub Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer who worked on both the spotbugs and reviewdog projects.

Remembering Betty Webb: Bletchley Park & Pentagon Code Breaker

S/Sgt Betty Vine-Stevens, Washington DC, May 1945.

On 31 March of this year we had to bid farewell to Charlotte Elizabeth “Betty” Webb (née Vine-Stevens) at the age of 101. She was one of the cryptanalysts who worked at Bletchley Park during World War 2, as well as being one of the few women who worked at Bletchley Park in this role. At the time, existing societal biases held that women were not interested in ‘intellectual work’, but as manpower was short due to wartime mobilization, more and more women found themselves working at places like Bletchley Park in a wide variety of roles, shattering these preconceived notions.

Betty Webb had originally signed up with the Auxiliary Territorial Service (ATS), with her reasoning per a 2012 interview being that she and a couple of like-minded students felt that they ought to be serving their country, ‘rather than just making sausage rolls’. After volunteering for the ATS, she found herself being interviewed at Bletchley Park in 1941. This interview resulted in a years-long career that saw her working on German and Japanese encrypted communications, all of which had to be kept secret from the then-18-year-old Betty’s parents.

Until secrecy was lifted, all those around her knew was that she was a ‘secretary’ at Bletchley Park. In reality, she was fighting on the front lines of cryptanalysis, work that was acknowledged by both the UK and French governments years later.


FLOSS Weekly Episode 827: Yt-dlp, Sometimes You Can’t See The Tail

This week, Jonathan Bennett chats with Bashonly about yt-dlp, the audio/video downloader that carries the torch from youtube-dl! Why is this a hard problem, and what does the future hold for this Swiss Army knife of video downloading? Watch to find out!


Supercon 2024: Rethinking Body Art With LEDs

Tattoos. Body paint. Henna. All these are popular kinds of body art with varying histories and cultural connotations, many going back centuries or even longer. They all have something in common, though—they all change how the body reflects light back to the viewer. What if, instead, body art could shine a light of its very own?

This is the precise topic which [Katherine Connell] came to discuss at the 2024 Hackaday Supercon. Her talk concerns rethinking body art with the use of light emitting diodes—and is both thoroughly modern and aesthetically compelling. Beyond that, it’s an engineering development story with liquid metal and cutting-edge batteries that you simply don’t want to miss!



Keebin’ With Kristina: The One With The Leather Keyboard

Are you eager to get your feet wet in the keyboard surf, but not quite ready to stand up and ride the waves of designing a full-size board? You should paddle out with a macro pad instead, and take on the foam face-first and lying down.

A beautiful purple galaxy-themed macro pad with nine switches and three knobs.
Image by [Robert Feranec] via Hackaday.IO
Luckily, you have a great instructor in [Robert Feranec]. In a series of hour-long videos, [Robert] guides you step by step through each part of the process, from drawing the schematic, to designing a PCB and enclosure, to actually putting the thing together and entering a new world of macros and knobs and enhanced productivity.

Naturally, the fewer keys and things you want, the easier it will be to build. But [Robert] is using the versatile Raspberry Pi 2040, which has plenty of I/O pins if you want to expand on his basic plan. Not ready to watch the videos? You can see the schematic and the 3D files on GitHub.

As [Robert] says, this is a great opportunity to learn many skills at once, while ending up with something terrifically useful that could potentially live on your desk from then on. And who knows where that could lead?



Hackaday Links: March 30, 2025

The hits just keep coming for the International Space Station (ISS), literally in the case of a resupply mission scheduled for June that is now scrubbed thanks to a heavy equipment incident that damaged the cargo spacecraft. The shipping container for the Cygnus automated cargo ship NG-22 apparently picked up some damage in transit from Northrop Grumman’s Redondo Beach plant in Los Angeles to Florida. Engineers inspected the Cygnus and found that whatever had damaged the container had also damaged the spacecraft, leading to the June mission’s scrub.

Mission controllers are hopeful that NG-22 can be patched up enough for a future resupply mission, but that doesn’t help the ISS right now, which is said to be running low on consumables. To fix that, the next scheduled resupply mission, a SpaceX Cargo Dragon slated for an April launch, will be modified to include more food and consumables for the ISS crew. That’s great, but it might raise another problem: garbage. Unlike the reusable Cargo Dragons, the Cygnus cargo modules are expendable, which makes them a great way to dispose of the trash produced by the ISS crew since everything just burns up on reentry. The earliest a Cygnus is scheduled to dock at the ISS again is sometime this autumn, meaning it might be a long, stinky summer for the crew.


Contagious Ideas

We ran a story about a wall-mounted plotter bot this week, Mural. It’s a simple, but very well implemented, take on a theme that we’ve seen over and over again in various forms. Two lines, or in this case timing belts, hang the bot on a wall, and two motors drive it around. Maybe a servo pulls the pen in and out, but that’s about it. The rest is motor driving and code.

We were thinking about the first such bot we’ve ever seen, and couldn’t come up with anything earlier than Hektor, a spray-painting version of this idea by [Juerg Lehni]. And since then, it’s reappeared in numerous variations.

Some implementations mount the motors on the wall, some on the bot. There are various geometries and refinements to try to make the system behave more like a simple Cartesian one, but in the end, you always have to deal with a little bit of geometry, or just relish the not-quite-straight lines. (We have yet to see an implementation that maps out the nonlinearities using a webcam, for instance, but that would be cool.) If you’re feeling particularly reductionist, you can even do away with the pen-lifter entirely and simply draw everything as a connected line, Etch-a-Sketch style. Maslow CNC swaps out the pen for a router, and cuts wood.

What I love about this family of wall-plotter bots is that none of them are identical, but they all clearly share the same fundamental idea. You certainly wouldn’t call any one of them a “copy” of another, but they’re all related, like riffing off of the same piece of music, or painting the same haystack in different lighting conditions: robot jazz, or a study in various mechanical implementations of the same core concept. The collection of all wall bots is more than the sum of its parts, and you can learn something from each one. Have you made yours yet?

(Fantastic plotter-bot art by [Sarah Petkus] from her write-up ten years ago!)