Philadelphia Maker Faire Returns This Weekend

While there’s still a vaguely robot-shaped hole in our heart from the loss of the New York World Maker Faire, we do take comfort in the fact that smaller Maker Faire events are still happening all over the world, and some of them have managed to gain quite a bit of momentum over the last few years.

If you’re in the Northeast US, the Philadelphia Maker Faire is your best bet to scratch that peculiar itch that only seems to respond to a healthy blend of art, technology, and the occasional flamethrower. It will be returning to the Cherry Street Pier this Sunday, April 6th, and pay-what-you-can tickets are on sale now. The organizers encourage each attendee to only pay what they are able to afford, with several options ranging from zero to the $25 supporter level.

A look through the exhibits shows the sort of eclectic mix one would expect from a Maker Faire. Where else could you practice picking locks, learn how biodiesel is made, see a display of kinetic sculptures, and stitch together a felt plush monster, all under one roof?

There are even a few projects on the list that regular Hackaday readers may recognize, such as the ultra-portable Positron 3D printer and the DirecTV dish turned backyard radio telescope built by Professor James Aguirre.

We’ve made the trip to the Philadelphia Maker Faire several times since its inception in 2019, and although it had the misfortune of starting right before COVID-19 came along and screwed up all of our carefully laid plans, the event has managed to find a foothold and continues to grow each year.

This Week In Security: IngressNightmare, NextJS, And Leaking DNA

This week, researchers from Wiz Research disclosed a series of vulnerabilities in the Kubernetes Ingress NGINX Controller that, when chained together, allow an unauthenticated attacker to completely take over the cluster. The attack chain is known as IngressNightmare, and Wiz counted more than 6,500 affected Kubernetes installs reachable from the public Internet.

The background here is that web applications running on Kubernetes need some way for outside traffic to actually get routed into the cluster. One of the popular solutions for this is the Ingress NGINX Controller. When running properly, it takes incoming web requests and routes them to the correct service and pod inside the cluster.

When a new Ingress object is submitted through the Kubernetes API server, the Ingress Controller takes that object, the standard way to declare how traffic reaches a Kubernetes service, and converts it into an NGINX config. Part of this process is the admission controller, a validating webhook that renders the proposed config and runs nginx -t on it, to test it before anything is actually deployed.

As you might have gathered, there are problems. The first is that the admission controller is just a web endpoint without authentication. It is usually reachable from anywhere inside the Kubernetes cluster, and in the worst case it is accessible directly from the open Internet. That’s already not great, but the Ingress Controller also had multiple vulnerabilities allowing raw NGINX config statements to be passed through into the config to be tested, so whoever can reach the webhook gets to decide what nginx -t is asked to parse.
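To make the config-injection half of that chain concrete, here is an added illustration, not ingress-nginx’s own template or validation code, of how a field copied from an Ingress object into an NGINX block turns into extra directives when it is interpolated unchecked, next to a version that refuses anything outside a strict allow-list. The template, the two regexes and the hostile value are all constructed for the example; the point is that once an attacker controls raw directives in the text handed to nginx -t, the test step is no longer testing the controller’s config.

```python
import re

# Stand-in for the kind of template an ingress controller expands from an
# Ingress object into an NGINX location block. Constructed for this
# illustration; it is not the real ingress-nginx template.
LOCATION_TEMPLATE = """location {path} {{
    proxy_pass http://{upstream};
    proxy_set_header Host $host;
}}
"""

# Constructed hostile value: a valid-looking upstream followed by a
# directive the Ingress author never asked for.
INJECTED_UPSTREAM = "backend:8080;\n    add_header X-Injected yes"


def render_unsafe(path, upstream):
    """Interpolate caller-controlled fields straight into the config.
    Any ';' or newline inside a value becomes additional NGINX directives."""
    return LOCATION_TEMPLATE.format(path=path, upstream=upstream)


# Hypothetical allow-lists: an upstream is host[:port], a path is a plain
# absolute URL path. Anything else is refused outright rather than escaped.
_UPSTREAM_RE = re.compile(r"[A-Za-z0-9.-]{1,253}(?::[0-9]{1,5})?")
_PATH_RE = re.compile(r"/[A-Za-z0-9._~/-]*")


def validate_field(name, value, pattern):
    """Accept the value only if the whole string matches the allow-list."""
    if not pattern.fullmatch(value):
        raise ValueError(
            f"rejected {name}: {value!r} does not match /{pattern.pattern}/")
    return value


def render_safe(path, upstream):
    """Same template, but every interpolated field is validated first."""
    return LOCATION_TEMPLATE.format(
        path=validate_field("path", path, _PATH_RE),
        upstream=validate_field("upstream", upstream, _UPSTREAM_RE),
    )


def directives(config):
    """Return the directive names in a rendered block, in order, so it is
    easy to see whether more directives came out than the template holds."""
    names = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        names.append(line.split()[0])
    return names


if __name__ == "__main__":
    print(directives(render_unsafe("/", INJECTED_UPSTREAM)))
    try:
        render_safe("/", INJECTED_UPSTREAM)
    except ValueError as err:
        print(err)
```

Refusing rather than escaping is the right call here: NGINX has no single quoting rule that is safe across every directive, so an allow-list that admits only host:port or a plain path is far easier to reason about than sanitising a free-form string and hoping the template never changes underneath it.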

Dwingeloo telescope with sun shining through

Dwingeloo To Venus: Report Of A Successful Bounce

Radio waves travel fast, and they can bounce, too. But can they go all the way to Venus and back? If you are able to operate a 25-meter dish, a transmitter, a solid software-defined radio, and an atomic clock, the answer is yes. On March 22, 2025, the Dwingeloo telescope in the Netherlands successfully pulled off an Earth-Venus-Earth (EVE) bounce, making them the second group of amateurs ever to do so. The full breakdown of this feat is available in their write-up here.

Bouncing signals off planets isn’t new. NASA has been at it since the 1960s – but amateur radio astronomers have far fewer toys to play with. Before Dwingeloo’s success, AMSAT-DL achieved the only known amateur EVE bounce back in 2009. This time, the Dwingeloo team transmitted a 278-second tone at 1299.5 MHz, with the round trip to Venus taking about 280 seconds. Stockert’s radio telescope in Germany also picked up the returning echo, stronger than Dwingeloo’s own, due to its more sensitive receiving setup.

Post-processing wasn’t easy either. Doppler shift corrections had to be applied, and the received signal was split into 1 Hz frequency bins. The resulting detections clocked in at 5.4 sigma for Dwingeloo alone, 8.5 sigma for Stockert’s recording, and 9.2 sigma when combining both datasets. A clear signal, loud and proud, straight from Venus’ surface.

The experiment was cut short when Dwingeloo’s transmitter started failing after four successful bounces. More complex signal modulations will have to wait for the next Venus conjunction in October 2026. Until then, you can read our previously published article on achievements of the Dwingeloo telescope.

ReactOS 0.4.15 Released With Major Improvements

Recently the ReactOS project released the much anticipated 0.4.15 update, making it the first major release since 2020. Despite what might seem like a minor version bump from the previous 0.4.14 release, the update introduces sweeping changes to everything from the kernel to the user interface and aspects like the audio system and driver support. Those who have used the nightly builds over the past years will likely have noticed a lot of these changes already.

Japanese input with MZ-IME and CJK font (Credit: ReactOS project)

A notable change is to plug-and-play support, which enables more third-party drivers and booting from USB storage devices. The Microsoft FAT filesystem driver from the Windows Driver Kit can now be used thanks to better compatibility, the registry can now heal itself, and caching and kernel access checks are implemented. The latter improvement means that many ReactOS modules can now work in Windows too.

On the UI side there is a much improved IME (input method editor) feature, along with native ZIP archive support and various graphical tweaks.

Meanwhile, since 0.4.15 branched off the master branch six months ago, the latter has seen even more features added, including SMP improvements, UEFI support, a new NTFS driver and improvements to power management and application support. All of this is accompanied by many bug fixes, which makes it well worth checking out the nightly builds regularly.

Microscopic view of chiral magnetic material

Twisting Magnetism To Control Electron Flow

If you ever wished electrons would just behave, this one’s for you. A team from Tohoku, Osaka, and Manchester Universities has cracked open an interesting phenomenon in the chiral helimagnet α-EuP3: they’ve induced one-way electron flow without bringing diodes into play. Their findings are published in the Proceedings of the National Academy of Sciences.

The twist in this is quite literal. By coaxing europium atoms into a chiral magnetic spiral, the researchers found they could generate rectification: current that prefers one direction over another. Think of it as adding a one-way street in your circuit, but based on magnetic chirality rather than semiconductors. When the material flips to an achiral (ferromagnetic) state, the one-way effect vanishes. No asymmetry, no preferential flow. They’ve essentially toggled the electron highway signs with an external magnetic field. This elegant control over band asymmetry might lead to low-power, high-speed data storage based on magnetic chirality.

If you are curious how all this ties back to quantum theory, you can trace the roots of chiral electron flow back to the early days of quantum electrodynamics – when physicists first started untangling how particles and fields really interact.

There’s a whole world of weird physics waiting for us. Hackaday has previously covered chirality in chemistry, including some of its less favorable uses. Read up on the article and share with us what you think.

This Week In Security: The Github Supply Chain Attack, Ransomware Decryption, And Paragon

Last Friday GitHub saw a supply chain attack hidden in a popular GitHub Action. To understand this, we have to quickly cover Continuous Integration (CI) and GitHub Actions. CI essentially means automatic builds of a project. Time to make a release? CI run. A commit was pushed? CI run. For some projects, even pull requests trigger a CI run. It’s particularly handy when the project has a test suite that can be run inside the CI process.

Doing automated builds may sound straightforward, but the process includes checking out code, installing build dependencies, doing a build, determining if the build succeeded, and then uploading the results somewhere useful. Sometimes this even includes making commits to the repo itself, to increment a version number for instance. For each step there are different approaches and interesting quirks for every project. GitHub handles this by maintaining a marketplace of “actions”, many of which are community maintained. Those are reusable code snippets that handle many CI processes with just a few options.

One other element to understand is “secrets”. If a project’s release process ends with uploading to AWS storage, the process needs an access key. GitHub stores those secrets securely and makes them available inside GitHub Actions. Between the ability to make changes to the project itself and the potential for leaking secrets, it suddenly becomes clear why it’s very important not to let untrusted code run inside the context of a GitHub Action.

And this brings us to what happened last Friday. One of those community maintained actions, tj-actions/changed-files, was modified to pull an obfuscated Python script and run it. That code dumps the memory of the GitHub runner process, looks for anything there tagged with isSecret, and writes those values out to the log. The log of a public repository is world readable, so printing secrets to it exposes them to anyone who knows where to look.

Researchers at StepSecurity have been covering this, and offer a simple search string to use: org:changeme tj-actions/changed-files Action, with changeme replaced by your own organization’s name. That just looks for any mention of the compromised action. It’s unclear whether the compromised action was embedded in any other popular actions. The recommendation is to search recent GitHub Action logs for any mention of changed-files, and to start rotating secrets if it turns up.
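As an added example, not StepSecurity’s tooling and nothing from the tj-actions project, here is a small audit a practitioner could run over their own workflow files: it lists every uses: reference, flags any third-party action pinned to a mutable tag or branch instead of a full 40-character commit SHA, and reports every mention of a watch-listed action regardless of how it is pinned. The workflow text, the action names and the SHA are all constructed for the example. Pinning to a commit SHA is the standard defence for this class of problem, since a tag like v45 can be moved to point at different code while a commit hash cannot.

```python
import re

# Constructed sample workflow (not taken from any real repository). It mixes a
# SHA-pinned action, a tag-pinned copy of the action named in the article,
# a local action, and a plain run step. The SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: ./.github/actions/local-helper
      - name: build
        run: make
"""

# One `uses:` per line, optionally as a list item; stop at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# An immutable pin is a full 40-hex-digit commit SHA, nothing shorter.
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Actions whose presence is worth reporting even when SHA-pinned; this one is
# the action discussed above, the list is otherwise an assumption of the example.
DEFAULT_WATCHLIST = ("tj-actions/changed-files",)


def parse_uses(workflow_text):
    """Return (action, ref) pairs for every uses: line. Local actions (./path)
    and docker:// images have no git ref to pin, so their ref is None."""
    found = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            found.append((spec, None))
            continue
        action, _, ref = spec.partition("@")
        found.append((action, ref or None))
    return found


def audit_workflow(workflow_text, watchlist=DEFAULT_WATCHLIST):
    """Report actions that are not SHA-pinned and any watch-listed actions."""
    report = {"unpinned": [], "watchlisted": []}
    for action, ref in parse_uses(workflow_text):
        if ref is None:
            continue  # nothing to pin for local or docker references
        if not FULL_SHA_RE.fullmatch(ref):
            report["unpinned"].append(f"{action}@{ref}")
        if action in watchlist:
            report["watchlisted"].append(f"{action}@{ref}")
    return report


if __name__ == "__main__":
    for kind, items in audit_workflow(SAMPLE_WORKFLOW).items():
        print(kind, items)
```

Run it over every file under .github/workflows; an empty unpinned list is the goal, and anything in the watch list is a cue to go and read the corresponding run logs, since a pinned SHA tells you the code was not swapped but says nothing about which runs already executed an older, unpinned reference.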

From The Ashes: Coal Ash May Offer Rich Source Of Rare Earth Elements

For most of history, the world got along fine without the rare earth elements. We knew they existed, we knew they weren’t really all that rare, and we really didn’t have much use for them — until we discovered just how useful they are and made ourselves absolutely dependent on them, to the point where not having them would literally grind the world to a halt.

This dependency has spurred a search for caches of rare earth elements in the strangest of places, from muddy sediments on the sea floor to asteroids. But there’s one potential source that’s much closer to home: coal ash waste. According to a study from the University of Texas Austin, the 5 gigatonnes of coal ash produced in the United States between 1950 and 2021 might contain as much as $8.4 billion worth of REEYSc — that’s the 16 lanthanide rare earth elements plus yttrium and scandium, transition metals that aren’t strictly rare earths but are geologically associated with them and useful in many of the same ways.