Gas Burner Reuses Printer Nozzle For Metalwork

Even if you don’t cast or forge metal yourself, you’re probably aware that you need to get the material very, very hot to make that happen. While some smiths might still stoke coal fires, that’s a minority taste these days; most, like [mikeandmertle], use gas burners to generate the heat. Tired of expensive burners or finicky DIY options, [mikeandmertle] built their own Better Burner out of easily-available parts.

Everything you need to make this burner comes from the hardware store: threaded iron pipes of various sizes, hoses and adapters. The one exception is a key piece: a 3D printer nozzle. The nozzle is used here as the all-important gas jet that introduces flammable gas into the burner’s mixing chamber. A demo video below shows it running with a 0.3mm nozzle, which looks like it is putting out some serious heat, but [mikeandmertle] found that the flame could go out if the breather was opened too wide (allowing too much air in the mixture). Eventually he settled on a 0.4mm nozzle, at least for the LPG that is common down under. If one were to try this with propane, their mileage would differ.

That’s the great thing about using printer nozzles, though: with a tapped M6 hole on the cap of the gas pipe serving as intake, one can quickly and easily swap jets without worrying about re-boring. Printer nozzles are machined to reasonable accuracy and you can get a variety pack with all available sizes (including ones so small you’re probably better off using resin) very cheaply.

These sorts of use-what-you-have-on-hand hacks seem to be [mikeandmertle]’s specialty; we’ve seen their PVC thumb nut and their very simple mostly-wooden wood lathe here before.


This Week In Security: The Localhost Bypass, Reflections, And X

Facebook and Yandex have been caught performing user-hostile tracking. This sort of makes today just another Friday, but this is a bit special. This time, it’s Local Mess. OK, it’s an attack with a dorky name, but very clever. The short explanation is that web sites can open connections to localhost. And on Android, apps can be listening to those ports, allowing web pages to talk to apps.

That may not sound too terrible, but there are a couple of things to be aware of. First, Android (and iOS) apps are sandboxed, intentionally making it difficult for one app to talk to another, except in ways approved by the OS maker. The browser is similarly sandboxed away from the apps. This is a security boundary, and it is an especially important one when the user is in incognito mode.

The tracking Pixel is important to explain here. This is a snippet of code that puts an invisible image on a website, and as a result allows the tracker to run JavaScript in your browser in the context of that site. Facebook is famous for this, but is not the only advertising service that tracks users in this way. If you’ve searched for an item on one site, and then suddenly been bombarded with ads for that item on other sites, you’ve been tracked by the pixel.

This is most useful when a user is logged in, but on a mobile device, the user is much more likely to be logged in on an app and not the browser. The constant pressure for more and better data led to a novel and completely unethical solution. On Android, applications with permission to access the Internet can listen on localhost (127.0.0.1) on unprivileged ports, those above 1024.

Facebook abused this quirk by opening a WebRTC connection to localhost, to one of the ports the Facebook app was listening on. This triggers an SDP connection to localhost, which starts by sending a STUN packet, a UDP tool for NAT traversal. Packed into that STUN packet are the contents of a Facebook Cookie, which the Facebook app happily forwards up to Facebook. The browser also sends that cookie to Facebook when loading the pixel, and boom, Facebook knows what website you’re on, even if you’re not logged in or incognito mode is turned on.

Yandex has been doing something similar since 2017, though with a different, simpler mechanism. Rather than call localhost directly, Yandex just sets aside yandexmetrica.com for this purpose, with the domain pointing to 127.0.0.1. This was just used to open an HTTP connection to the native Yandex apps, which passed the data up to Yandex over HTTPS. Meta apps were first seen using this trick in September 2024, though it’s very possible it was in use earlier.
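A detection sketch covering both patterns described above, added here as an example and not taken from the original article or the research it covers: given connection records captured from a browser, it flags page-initiated connections that end on the loopback interface, whether the page named 127.0.0.1 directly or used a public name that resolves to it. The record fields, hostnames, addresses and ports are constructed assumptions.

```javascript
// Added example; record shape and sample data are constructed for illustration.

// True for IPv4 127.0.0.0/8, IPv6 ::1, and IPv4-mapped loopback (::ffff:127.x.x.x).
function isLoopbackAddress(addr) {
  const a = addr.toLowerCase().replace(/^\[|\]$/g, "");
  if (a === "::1") return true;
  const v4 = a.startsWith("::ffff:") ? a.slice(7) : a;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(v4);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255) && m[1] === "127";
}

function isLocalName(host) {
  const h = host.toLowerCase();
  return h === "localhost" || isLoopbackAddress(h);
}

// Returns a finding for a record that reaches loopback from a non-local page, else null.
function classify(rec) {
  if (!isLoopbackAddress(rec.resolved)) return null;
  // A page served from the device itself (local development) is expected to talk to loopback.
  if (isLocalName(new URL(rec.page).hostname)) return null;
  return {
    page: rec.page,
    target: `${rec.proto}://${rec.host}:${rec.port}`,
    // "literal": the page named loopback directly; "dns": a public name resolved to it.
    kind: isLocalName(rec.host) ? "literal" : "dns",
    unprivilegedPort: rec.port > 1024, // where an ordinary app can listen
  };
}

function findLoopbackContacts(records) {
  return records.map(classify).filter((f) => f !== null);
}

// Constructed sample: one ordinary request, one of each pattern, one local dev page.
const SAMPLE = [
  { page: "https://shop.example/", proto: "https", host: "cdn.example", resolved: "203.0.113.10", port: 443 },
  { page: "https://shop.example/", proto: "udp", host: "127.0.0.1", resolved: "127.0.0.1", port: 40001 },
  { page: "https://news.example/", proto: "http", host: "metrics.example", resolved: "127.0.0.1", port: 40002 },
  { page: "http://localhost:3000/", proto: "http", host: "localhost", resolved: "::1", port: 8080 },
];

for (const f of findLoopbackContacts(SAMPLE)) {
  console.log(`${f.page} -> ${f.target} [${f.kind}]`);
}
```

The "dns" case is the one a hostname blocklist or an allowlist of literal addresses misses, because the check has to run on the resolved address rather than the name.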

Both companies have ceased since this report was released. What’s interesting is that this is a flagrant violation of GDPR and CCPA, and will likely lead to record-setting fines, at least for Facebook.


Texas’ Right To Repair Bill Is A Signature Away From Becoming Law

In what could be a big step forward for consumer rights, the Texas Senate recently unanimously voted to pass HB 2963, which references the “Diagnosis, maintenance, and repair of certain digital electronic equipment”. If signed by the governor, this would make Texas the ninth US state to enact such a law, and the seventh pertaining to consumer electronics. Interestingly, this bill saw anti-parts pairing language added, which is something that got stripped from the Oregon bill.

Much like other Right to Repair bills, HB 2963 would require manufacturers to make spare parts, documentation and repair tools available to both consumers and independent repair shops. If signed, the act would take effect in September of 2026. Included in the bill are provisions to prevent overcharging for the provided parts and documentation.

As for how useful this is going to be for consumers, [Louis Rossmann] had a read of the bill and gave his typically eloquent thoughts. The tl;dw is that while there is a lot of stuff to like, this bill leaves open potentially massive loopholes (e.g. assemblies vs parts), while also carving out massive exemptions, which leaves owners of game consoles, boats, cars, tractors, home appliances, etc. stranded with no new options.


Let’s Buy Commodore! Well, Somebody Is.

When a man wearing an Atari T-shirt tells you he’s buying Commodore it sounds like the plot for an improbable 1980s movie in which Nolan Bushnell and Jack Tramiel do battle before a neon synthwave sunset to a pulsating chiptune soundtrack. But here on the screen there’s that guy doing just that. It’s [Retro Recipes], and in the video below he’s assembling a licensing deal for the Commodore brand portfolio from the distant descendant of the Commodore of old.

It’s a fascinating story and we commend him for tracing a path through the mess that unfolded for Commodore in the 1990s. We tried the same research path with a friend a few years ago and ended up with an anonymous Dutch paper company that wouldn’t answer our calls, so we’re impressed. In conjunction with several other players in the Commodore retrocomputing world he’s trying to assemble a favourable percentage deal for manufacturers of new parts, computers, and other goodies, and we’re pleased to see that it’s for the smaller player as much as for the industry giant.

When looking at a story like this though, it’s important not to let your view become clouded by those rose tinted glasses. While it’s great that we’re likely to see a bunch of new Commodore-branded Commodore 64s and parts, there are many pitfalls in taking it beyond that. We’ve seen the Commodore logo on too many regrettable licensed products in the past, and we fear it might be too tempting for it to end up on yet another disappointing all-in-one video game or just another budget PC. If something new comes out under the Commodore brand we’d like it to be really special, exploiting new ground in the way the Amiga did back in the day. We can hope, because the alternative has dragged other famous brands through the mud in recent years.

If you want an insight into the roots of the original Commodore’s demise, have a read of our Hackaday colleague [Bil Herd]’s autobiography.


This Week In Security: Roundcube, Unified Threat Naming, And AI Chat Logs

Up first, if you’re running a Roundcube install prior to 1.5.10 or 1.6.11, it’s time to update. We have an authenticated Remote Code Execution (RCE) in the Roundcube Webmail client. And while that’s not quite the level of chaos that an unauthenticated RCE would cause, it’s still to be taken seriously, mainly because for the majority of the 53 million Roundcube installs out there, the users aren’t entirely trusted.

The magic at play in this vulnerability is the Roundcube user session code, and specifically the session deserialization scheme. There’s a weird code snippet in the unserialize function:
    if ($str[$p] == '!') {
        $p++;               // skip the '!' marker
        $has_value = false; // assume what comes next has no value
    }

The exclamation mark makes the code skip a character, and then assume that what comes next has no value. But if it does actually have a value, well then you’ve got a slightly corrupted deserialization, resulting in a slightly corrupted session. This really comes into force when combined with the file upload function, as the uploaded filename serves as a payload delivery mechanism. Use the errant exclamation mark handling to throw off deserialization, and the filename can contain arbitrary session key/value pairs. A GPG class from the PEAR library allows running an arbitrary command, and this can be hijacked with the session manipulation.

Depositing Metal On Glass With Fiber Laser

Fiber lasers aren’t nearly as common as their diode and CO2 cousins, but if you’re lucky enough to have one in your garage or local makerspace, this technique for depositing thin films of metals in [Breaking Taps]’ video, embedded below, might be worth checking out.

It’s a very simple hack: a metal shim or foil is sandwiched between two pieces of glass, and the laser is focused on the metal. Etching the foil blasts off enough metal to deposit a thin film of it onto the glass. From electron microscopy, [Breaking Taps] reveals that what’s happening is that microscopic molten metal droplets are splashing up to the glass, rather than this being any kind of plasma process like sputtering. He found this technique worked best with silver of all the materials tested, and there were a few. While copper worked, it was not terribly conductive; he suggests electroplating a thicker layer onto the (probably rather oxidized) copper before trying to solder, but demonstrates soldering to it regardless, which seems to work.

This might be a neat way to make artistic glass-substrate PCBs. More testing will be needed to see if this would be worth the effort over just gluing copper foil to glass, as has been done before. [Breaking Taps] suspects, and we agree, that his process would work better under an inert atmosphere, and we’d like to see it tried.

One thing to note is that, regardless of atmosphere, alloys are a bit iffy with this technique, as the ‘blast little drops off’ process can cause them to demix on the glass surface. He also reasons that ‘printing’ a large area of metal onto the glass, and then etching it off would be a more reliable technique than trying to deposit complex patterns directly to the glass in one go. Either way, though, it’s worth a try if you have a fiber laser. 

Don’t have a fiber laser? Maybe you could build one. 



Hot Rod Backyard Bath On Steel Spring Legs

In a fusion of scrapyard elegance and Aussie ingenuity, [Mark Makies] has given a piece of old steel a steamy second life with his ‘CastAway Tub’. Call it a bush mechanic’s fever dream turned functional sculpture, starring two vintage LandCruiser leaf springs, and a rust-hugged cast iron tub dug up after 20 years in hiding. And put your welding goggles on, because this one is equal parts brute force and artisan flair.

What makes this hack so bold is, first of all, the reuse of unforgiving spring steel. Leaf springs, notoriously temperamental to weld, are tamed here with oxy-LPG preheating, avoiding thermal shock like a pro. The tub sits proudly atop a custom-welded frame shaped from dismantled spring packs, with each leaf ground, clamped, torched, and welded into a steampunk sled base. The whole thing looks like it might outrun a dune buggy – and possibly bathe you while it’s at it. It’s a masterclass in metalwork with zero CAD, all intuition, and a grinder that’s seen things.

Inspired? For those with a secret love for hot water and hot steel, this build is a blueprint for turning bush junk into backyard art. Read up on the full build at Instructables.