Hackaday Podcast Episode 350: Damnation For Spreadsheets, Praise For Haiku, And Admiration For The Hacks In Between

December 19, 2025 by Jenny List No comments

This week’s Hackaday Podcast sees Elliot Williams joined by Jenny List for an all-European take on the week, and have we got some hacks for you!

In the news this week is NASA’s Maven Mars Orbiter, which may sadly have been lost. A sad day for study of the red planet, but at the same time a chance to look back at what has been a long and successful mission.

In the hacks of the week, we have a lo-fi camera, a very refined Commodore 64 laptop, and a MIDI slapophone to entertain you, as well as taking a detailed look at neutrino detectors. Then CYMK printing with laser cut stencils draws our attention, as well as the arrival of stable GPIB support for Linux. Finally both staffers let loose; Elliot with an epic rant about spreadsheets, and Jenny enthusiastically describing the Haiku operating system.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

It’s dangerous to go alone. Here, take this MP3.

Continue reading “Hackaday Podcast Episode 350: Damnation For Spreadsheets, Praise For Haiku, And Admiration For The Hacks In Between” →

This Week In Security: PostHog, Project Zero Refresh, And Thanks For All The Fish

December 19, 2025 by Jonathan Bennett 6 Comments

There’s something immensely satisfying about taking a series of low impact CVEs, and stringing them together into a full exploit. That’s the story we have from [Mehmet Ince] of Prodraft, who found a handful of issues in the default PostHog install instructions, and managed to turn it into a full RCE, though only accessible as a user with some configuration permissions.

As one might expect, it all starts with a Server Side Request Forgery (SSRF). That’s a flaw where sending traffic to a server can manipulate something on the server side to send a request somewhere else. The trick here is that a webhook worker can be primed to point at localhost by sending a request directly to a system API.

One of the systems that powers a PostHog install is the Clickhouse database server. This project had a problem in how it sanitized SQL requests, namely attempting to escape a single quote via a backslash symbol. In many SQL servers, a backslash would properly escape a single quote, but Clickhouse and other Postgresql servers don’t support that, and treat a backslash as a regular character. And with this, a read-only SQL API is vulnerable to SQL injection.

These vulnerabilities together just allow for injecting an SQL string to create and run a shell command from within the database, giving an RCE and remote shell. The vulnerabilities were reported through ZDI, and things were fixed earlier this year. Continue reading “This Week In Security: PostHog, Project Zero Refresh, And Thanks For All The Fish” →

Bare Metal STM32: Increasing The System Clock And Running Dhrystone

December 18, 2025 by Maya Posch 6 Comments

When you start an STM32 MCU with its default configuration, its CPU will tick along at a leisurely number of cycles on the order of 8 to 16 MHz, using the high-speed internal (HSI) clock source as a safe default to bootstrap from. After this phase, we are free to go wild with the system clock, as well as the various clock sources that are available beyond the HSI.

Increasing the system clock doesn’t just affect the CPU either, but also affects the MCU’s internal buses via its prescalers and with it the peripherals like timers on that bus. Hence it’s essential to understand the clock fabric of the target MCU. This article will focus on the general case of increasing the system clock on an STM32F103 MCU from the default to the maximum rated clock speed using the relevant registers, taking into account aspects like Flash wait states and the APB and AHB prescalers.

Although the Dhrystone benchmark is rather old-fashioned now, it’ll be used to demonstrate the difference that a faster CPU makes, as well as how complex accurately benchmarking is. Plus it’s just interesting to get an idea of how a lowly Cortex-M3 based MCU compares to a once top-of-the line Intel Pentium 90 CPU.

Continue reading “Bare Metal STM32: Increasing The System Clock And Running Dhrystone” →

FLOSS Weekly Episode 859: OpenShot: Simple And Fast

December 17, 2025 by Jonathan Bennett 3 Comments

This week Jonathan chats with Jonathan Thomas about OpenShot, the cross-platform video editor that aims to be simple to use, without sacrificing functionality. We did the video edit with OpenShot for this episode, and can confirm it gets the job done. What led to the creation of this project, and what’s the direction it’s going? Watch to find out!

Continue reading “FLOSS Weekly Episode 859: OpenShot: Simple And Fast” →

Illustrated Kristina with an IBM Model M keyboard floating between her hands.

Keebin’ With Kristina: The One With The Curious Keyboards

December 16, 2025 by Kristina Panos 6 Comments

I love first builds! They say so much about a person, because you see what’s paramount to them in a keyboard. You can almost feel their frustration at other keyboards come through their design choices. And the Lobo by [no-restarts] is no exception to any of this.

There’s just something about this Corne-like object with its custom case and highly-tappable and variously tilted keycaps. The list of reasons for being begins innocently enough with [no-restarts] wanting a picture of their dog on the case.

A nicely-tented split keyboard with really interesting, 3D-printed keycap profiles. — Image by [no-restarts] via reddit

From there, things get really personal. You may notice the thumb cluster is slightly different — [no-restarts] doesn’t like the thumb tuck required by the Corne to reach the innermost keys. I really dig the homing bumps on the middle thumb keys. Another difference is the splayed layout, as [no-restarts] is especially prone to pinky splay. Finally, there are a pair of OLEDs hiding on the inner sides of the case, which are designed to be visible when tented.

Overall, [no-restarts] is happy with it, but has some ideas for revision. Yep, that sounds about right. The Lobo is all hand-wired, and there’s a PCB with hot swap sockets in its future. If you’re interested in the case files, GitHub is your friend.

Continue reading “Keebin’ With Kristina: The One With The Curious Keyboards” →

Pufferfish Venom Can Kill, Or It Can Relieve Pain

December 15, 2025 by Lewin Day 21 Comments

Tetrodotoxin (TTX) is best known as the neurotoxin of the puffer fish, though it also appears in a range of other marine species. You might remember it from an episode of The Simpsons involving a poorly prepared dish at a sushi restaurant. Indeed, it’s a potent thing, as ingesting even tiny amounts can lead to death in short order.

Given its fatal reputation, it might be the last thing you’d expect to be used in a therapeutic context. And yet, tetrodotoxin is proving potentially valuable as a treatment option for dealing with cancer-related pain. It’s a dangerous thing to play with, but it could yet hold promise where other pain relievers simply can’t deliver. Continue reading “Pufferfish Venom Can Kill, Or It Can Relieve Pain” →

Hackaday Links: December 14, 2025

December 14, 2025 by Dan Maloney 7 Comments

Fix stuff, earn big awards? Maybe, if this idea for repair bounties takes off. The group is dubbed the FULU Foundation, for “Freedom from Unethical Limitations on Users,” and was co-founded by right-to-repair activist Kevin O’Reilly and perennial Big Tech thorn-in-the-side Louis Rossman. The operating model works a bit like the bug bounty system, but in reverse: FULU posts cash bounties on consumer-hostile products, like refrigerators that DRM their water filters or bricked thermostats. The bounty starts at $10,000, but can increase based on donations from the public. FULU will match those donations up to $10,000, potentially making a very rich pot for the person or team that fixes the problem.

Continue reading “Hackaday Links: December 14, 2025” →