This Week In Security: Signal DRM, Modern Phone Phreaking, And The Impossible SSH RCE

Digital Rights Management (DRM) has been the bane of users since it was first introduced. Who remembers the battle it was getting Netflix running on Linux machines, or the literal legal fight over the DVD DRM decryption key? So the news from Signal, that DRM is finally being put to use to protect users, is ironic.

The reason for this is Microsoft Recall — the AI powered feature that takes a snapshot of everything on the user’s desktop every few seconds. For whatever reason, you might want to exempt some windows from Recall’s memory window. It doesn’t speak well for Microsoft’s implementation that the easiest way for an application to opt out of the feature is to mark its window as containing DRM content. Signal, the private communications platform, is using this to hide from Recall and other screenshotting applications.

The Signal blog warns that this may be just the start of agentic AI being rolled out with insufficient controls and permissions. The issue here isn’t the singularity or AI reaching sentience, it’s the same old security and privacy problems we’ve always had: Too much information being collected, data being shared without permission, and an untrusted actor having access to way more than it should.

Hackaday Supercon 2025 Call For Participation: We Want You!

We’re tremendously excited to be able to announce that the Hackaday Supercon is on for 2025, and will be taking place October 31st through November 2nd in Pasadena, California.

Supercon is about bringing the Hackaday community together to share our great ideas, big and small. So get to brainstorming, because we’d like to hear what you’ve been up to! Like last year, we’ll be featuring both longer and shorter talks, and hope to get a great mix of both first-time presenters and Hackaday luminaries. If you know someone you think should give a talk, point them here.

The Call for Participation form is online now, and you’ve got until July 3rd to get yourself signed up.

Honestly, just the people that Supercon brings together is reason enough to attend, but then you throw in the talks, the badge-hacking, the food, and the miscellaneous shenanigans … it’s an event you really don’t want to miss. And as always, presenters get in for free, get their moment in the sun, and get warm vibes from the Hackaday audience. Get yourself signed up now!

We’ll have more news forthcoming in the next few weeks, including the start of ticket sales, so be sure to keep your eyes on Hackaday.


Honey, I Blew Up The Line Follower Robot

Some readers may recall building a line-following robot during their school days. Involving some IR LEDs, perhaps a bit of LEGO, and plenty of trial-and-error, it was fun on a tiny scale. Now imagine that—but rideable. That’s exactly what [Austin Blake] did, scaling up a classroom robotics staple into a full-size vehicle you can actually sit on.

The robot uses a whopping 32 IR sensors to follow a black line across a concrete workshop floor, adjusting its path using a steering motor salvaged from a power wheelchair. An Arduino Mega Pro Mini handles the logic, sending PWM signals to a DIY servo. The chassis consists of a modified Crazy Cart, selected for its absurdly tight turning radius. With each prototype iteration, [Blake] improved sensor precision and motor control, turning a bumpy ride into a smooth glide.

The IR sensor array, which on the palm-sized vehicle consisted of just a handful of components, evolved into a PCB-backed bar nearly 0.5 meters wide. Potentiometer tuning was a fiddly affair, but worth it. Crashes? Sure. But the kind that makes you grin like your teenage self. If it looks like fun, you could either build one yourself, or upgrade a similar LEGO project.

Overengineered Freezer Monitor Fills Market Void

A lot of projects we see around here are built not just because they can be built, but because there’s no other option available. Necessity is the mother of invention, as they say. And for [Jeff] who has many thousands of dollars of food stowed in a chest freezer, his need for something to keep track of his freezer’s status was greater than any commercial offering available. Not only are freezers hard on batteries, they’re hard on WiFi signals as well, so [Jeff] built his own temperature monitor to solve both of these issues.

The obvious solution here is to have a temperature probe that can be fished through the freezer in some way, allowing the microcontroller, battery, and wireless module to operate outside of the harsh environment. [Jeff] is using K-type thermocouples here, wired through the back of the freezer. The probe is also built into a block of material, which allows him to get more diffuse temperature readings than a standard probe would provide. He’s solving some other problems with commercially available probes as well, as many of them require an Internet connection or store data in a cloud. To make sure everything stays local, he’s tying this in to a Home Assistant setup, which also lets him easily make temperature calibrations and notifies him if anything happens to the freezer.

Although the build is very robust (or, as [Jeff] himself argues, overengineered) he does note that since he built it there have been some additional products offered for sale that fit this niche application. But even so, we always appreciate the customized DIY solution that avoids things like proprietary software, subscriptions, or cloud services. We also appreciate freezers themselves; one of our favorites was this restoration of a freezer with a $700,000 price tag.

ChatGPT & Me. ChatGPT Is Me!

For a while now part of my email signature has been a quote from a Hackaday commenter insinuating that an article I wrote was created by a “Dumb AI”. You have my sincerest promise that I am a humble meatbag scribe just like the rest of you, indeed one currently nursing a sore shoulder due to a sporting injury, so I found the comment funny in a way its writer probably didn’t intend. Like many in tech, I maintain a skepticism about the future role of large-language-model generative AI, and have resisted the urge to drink the Kool-Aid you will see liberally flowing at the moment.

Hackaday Is Part Of The Machine

As you’ll no doubt be aware, these large language models work by gathering a vast corpus of text, and doing their computational tricks to generate their output by inferring from that data. They can thus create an artwork in the style of a painter who receives no reward for the image, or a book in the voice of an author who may be struggling to make ends meet. From the viewpoint of content creators and intellectual property owners, it’s theft on a grand scale, and you’ll find plenty of legal battles seeking to establish the boundaries of the field.

Anyway, once an LLM has enough text from a particular source, it can do a pretty good job of writing in that style. ChatGPT for example has doubtless crawled the whole of Hackaday, and since I’ve written thousands of articles in my nearly a decade here, it’s got a significant corpus of my work. Could it write in my style? As it turns out, yes it can, but not exactly. I set out to test its forging skill.

This Week In Security: Lingering Spectre, Deep Fakes, And CoreAudio

Spectre lives. We’ve got two separate pieces of research, each finding new processor primitives that allow Spectre-style memory leaks. Before we dive into the details of the new techniques, let’s quickly remind ourselves what Spectre is. Modern CPUs use a variety of clever tricks to execute code faster, and one of the stumbling blocks is memory latency. When a program reaches a branch in execution, the program will proceed in one of two possible directions, and it’s often a value from memory that determines which branch is taken. Rather than wait for the memory to be fetched, modern CPUs will predict which branch execution will take, and speculatively execute the code down that branch. Once the memory is fetched and the branch is properly evaluated, the speculatively executed code is rewound if the guess was wrong, or made authoritative if the guess was correct. Spectre is the realization that incorrect branch prediction can change the contents of the CPU cache, and those changes can be detected through cache timing measurements. The end result is that arbitrary system memory can be leaked from a low privileged or even sandboxed user process.

In response to Spectre, OS developers and CPU designers have added domain isolation protections that prevent branch prediction poisoning in an attack process from affecting the branch prediction in the kernel or another process. Training Solo is the clever idea from VUSec that branch prediction poisoning could just be done from within the kernel space, avoiding any domain switching at all. That can be done through cBPF, the classic Berkeley Packet Filter (BPF) kernel VM. By default, all users on a Linux system can run cBPF code, throwing the doors back open for Spectre shenanigans. There’s also an address collision attack where an unrelated branch can be used to train a target branch. Researchers also discovered a pair of CVEs in Intel’s CPUs, where prediction training was broken in specific cases, allowing for a wild 17 kB/sec memory leak.


Work, Eat, Sleep, Repeat: Become A Human Tamagotchi

When [Terence Grover] set out to build a Tamagotchi-inspired simulator, he didn’t just add a few modern tweaks. He ditched the entire concept and rebuilt it from the ground up. Forget cute wide-eyed blobby animals and pixel-poop. This Raspberry Pi-powered project ditches nostalgia in favour of brutal realism: inflation, burnout, capitalism, and the occasional existential crisis. Think Sims meets cyberpunk, rendered charmingly in Python on a low-res RGB LED matrix.

Instead of hunger and poop meters, this dystopian pet juggles Maslow’s hierarchy: hunger, rest, safety, social life, esteem, and money. Players make real-life-inspired decisions like working, socialising, and going into education – each affecting the stats in logical (and often unfair) ways. No free lunch here: food requires money, money requires mind-numbing labour, and labour tanks your rest. You can even die of overwork à la Amazon warehouse. The UI and animation logic are all hand-coded, and there’s a working buzzer, pixel-perfect sprite movement, and even mini-games to simulate job repetition.

It’s equal parts social commentary and pixel art fever dream. While we have covered Tamagotchi recreations some time ago, this one makes you the needy survivor. Want your own dystopia in 64×32? Head over to [Terence Grover]’s Github and fork the full open source code. We’ll be watching. The Tamagotchi certainly is.
