Vintage Computer Festival East This Weekend

If you’re on the US East Coast, you should head on over to Wall, NJ and check out the Vintage Computer Festival East. After all, [Brian Kernighan] is going to be there. Yes, that [Brian Kernighan].

Events are actually well underway, and you’ve already missed the first few TRS-80 Color Computer programming workshops, but rest assured that they’re going on all weekend. If you’re from the other side of the retrocomputing fence, namely the C64 side, you’ve also got a lot to look forward to, because the theme this year is “The Sounds of Retro” which means that your favorite chiptune chips will be getting a workout.

[Tom Nardi] went to VCF East last year, so if you’re on the fence, just have a look at his writeup and you’ll probably hop in your car, or like us, wish you could. If when you do end up going, let us know how it was in the comments!

This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching

We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.

The pull_request_target hook is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and Github thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses actions as they are defined in the repository itself, ignoring any incoming changes in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.

The simplest security problem is that many projects have build scripts in the repository, and those are not considered part of GitHub Actions by GitHub. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.

So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary Github Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer that worked on both the spotbugs and reviewdog projects. Continue reading “This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching”

A Very Trippy Look At Microsoft’s Beginnings

It’s not often you’ll see us singing the praises of Microsoft on these pages, but credit where credit is due, this first-person account of how the software giant got its foot in the proverbial door by Bill Gates himself is pretty slick.

Now it’s not the story that has us excited, mind you. It’s the website itself. As you scroll down the page, the text and images morph around in a very pleasing and retro-inspired way. Running your cursor over the text makes it flip through random ASCII characters, reminding us a bit of the “decryption” effect from Sneakers. Even the static images have dithering applied to them as if they’re being rendered on some ancient piece of hardware. We don’t know who’s doing Billy’s web design, but we’d love to have them come refresh our Retro Edition.

Continue reading “A Very Trippy Look At Microsoft’s Beginnings”

Philadelphia Maker Faire Returns This Weekend

While there’s still a vaguely robot-shaped hole in our heart from the loss of the New York World Maker Faire, we do take comfort in the fact that smaller Maker Faire events are still happening all over the world, and some of them have managed to gain quite a bit of momentum over the last few years.

If you’re in the Northeast US, the Philadelphia Maker Faire is your best bet to scratch that peculiar itch that only seems to respond to a healthy blend of art, technology, and the occasional flamethrower. It will be returning to the Cherry Street Pier this Sunday, April 6th, and pay-what-you-can tickets are on sale now. The organizers encourage each attendee to only pay what they are able to afford, with several options ranging from zero to the $25 supporter level.

A look through the exhibits shows the sort of eclectic mix one would expect from a Maker Faire. Where else could you practice picking locks, learn how biodiesel is made, see a display of kinetic sculptures, and stitch together a felt plush monster, all under one roof?

There’s even a few projects on the list that regular Hackaday readers may recognize, such as the ultra-portable Positron 3D printer and the DirectTV dish turned backyard radio telescope built by Professor James Aguirre.

We’ve made the trip to the Philadelphia Maker Faire several times since its inception in 2019, and although it had the misfortune of starting right before COVID-19 came along and screwed up all of our carefully laid plans, the event has managed to find a foothold and continues to grow each year.

This Week In Security: IngressNightmare, NextJS, And Leaking DNA

This week, researchers from Wiz Research released a series of vulnerabilities in the Kubernetes Ingress NGINX Controller  that, when chained together, allow an unauthorized attacker to completely take over the cluster. This attack chain is known as IngressNightmare, and it affected over 6500+ Kubernetes installs on the public Internet.

The background here is that web applications running on Kubernetes need some way for outside traffic to actually get routed into the cluster. One of the popular solutions for this is the Ingress NGINX Controller. When running properly, it takes incoming web requests and routes them to the correct place in the Kubernetes pod.

When a new configuration is requested by the Kubernetes API server, the Ingress Controller takes the Kubernetes Ingress objects, which is a standard way to define Kubernetes endpoints, and converts it to an NGINX config. Part of this process is the admission controller, which runs nginx -t on that NGINX config, to test it before actually deploying.

As you might have gathered, there are problems. The first is that the admission controller is just a web endpoint without authentication. It’s usually available from anywhere inside the Kubernetes cluster, and in the worst case scenario, is accessible directly from the open Internet. That’s already not great, but the Ingress Controller also had multiple vulnerabilities allowing raw NGINX config statements to be passed through into the config to be tested. Continue reading “This Week In Security: IngressNightmare, NextJS, And Leaking DNA”

Dwingeloo telescope with sun shining through

Dwingeloo To Venus: Report Of A Successful Bounce

Radio waves travel fast, and they can bounce, too. If you are able to operate a 25-meter dish, a transmitter, a solid software-defined radio, and an atomic clock, the answer is: yes, they can go all the way to Venus and back. On March 22, 2025, the Dwingeloo telescope in the Netherlands successfully pulled off an Earth-Venus-Earth (EVE) bounce, making them the second group of amateurs ever to do so. The full breakdown of this feat is available in their write-up here.

Bouncing signals off planets isn’t new. NASA has been at it since the 1960s – but amateur radio astronomers have far fewer toys to play with. Before Dwingeloo’s success, AMSAT-DL achieved the only known amateur EVE bounce back in 2009. This time, the Dwingeloo team transmitted a 278-second tone at 1299.5 MHz, with the round trip to Venus taking about 280 seconds. Stockert’s radio telescope in Germany also picked up the returning echo, stronger than Dwingeloo’s own, due to its more sensitive receiving setup.

Post-processing wasn’t easy either. Doppler shift corrections had to be applied, and the received signal was split into 1 Hz frequency bins. The resulting detections clocked in at 5.4 sigma for Dwingeloo alone, 8.5 sigma for Stockert’s recording, and 9.2 sigma when combining both datasets. A clear signal, loud and proud, straight from Venus’ surface.

The experiment was cut short when Dwingeloo’s transmitter started failing after four successful bounces. More complex signal modulations will have to wait for the next Venus conjunction in October 2026. Until then, you can read our previously published article on achievements of the Dwingeloo telescope.

ReactOS 0.4.15 Released With Major Improvements

Recently the ReactOS project released the much anticipated 0.4.15 update, making it the first major release since 2020. Despite what might seem like a minor version bump from the previous 0.4.14 release, the update introduces sweeping changes to everything from the kernel to the user interface and aspects like the audio system and driver support. Those who have used the nightly builds over the past years will likely have noticed a lot of these changes already.

Japanese input with MZ-IME and CJK font (Credit: ReactOS project)
Japanese input with MZ-IME and CJK font (Credit: ReactOS project)

A notable change is to plug-and-play support which enables more third party drivers and booting from USB storage devices. The Microsoft FAT filesystem driver from the Windows Driver Kit can now be used courtesy of better compatibility, there is now registry healing, and caching and kernel access checks are implemented. The latter improvement means that many ReactOS modules can now work in Windows too.

On the UI side there is a much improved IME (input method editor) feature, along with native ZIP archive support and various graphical tweaks.

Meanwhile since 0.4.15 branched off the master branch six months ago, the latter has seen even more features added, including SMP improvements, UEFI support, a new NTFS driver and improvements to power management and application support. All of this accompanied by many bug fixes, which makes it totally worth it to regularly check out the nightly builds.