2026-04-25 07:00:10
The humble cathode ray tube (CRT) was once the technology behind almost all of our televisions and computer displays. Its replacements, from LCD screens to OLED and others, are generally cheaper to make and better to look at. Old televisions were comparatively large as well, but their size can be an advantage for people like [ManicMods] aka [Jeff]. His latest build ditches the CRT from an old Bently portable TV and uses the huge space available in the case for a hi-fi audio system and some other parts that turn it into an impressive portable home theater system.
After removing most of the internals of the TV, the first part to go in is the stereo and subwoofer combo as it takes up the most amount of space. The subwoofer section points downward and the two stereo speakers are mounted to the sides. To free up the most space inside, the new display is mounted forward of the original bezel, with a new 3D printed one helping to hold it in place. Behind it goes a Raspberry Pi, loaded with the moOde audio player, a high quality DAC for audio output, and a 1 TB SSD with [Jeff]’s uncompressed audio library. Most of the ports are extended out to the case including the SD card slot so other operating systems can be loaded on the Pi, and there are a ton of options for hooking up external speakers and displays as well, making it an extremely modular and expandable portable media center.
Also added to the finished product are a few small game controllers, since the Pi is perfectly capable of playing retro games, as well as a small wireless keyboard and trackpad combo. Although the CRT’s demise will be felt harder by some than by others, the original look of the case is preserved somewhat by keeping the original tuning display and locations of the original control buttons and knobs. If preserving the CRTs are of upmost importance, though, this build used a pair of them in a VR headset.
2026-04-25 04:00:56
Many HVAC systems in North America operate off 24V systems, which can be readily upgraded with off-the-shelf smart thermostats quite easily. However, there are many people living in buildings with 120-volt fan coil units who aren’t so lucky. [mackswan] is one such individual, who set about building a smart thermostat to work in these situations.
The build is based around an ESP32 running ESPHome firmware. It rocks a 2.42″ OLED screen with automatic brightness adjustment for showing temperature and control parameters. There’s a rotary encoder on the front with an integrated button for control, with [mackswan] building the physical device to look as clean and neat as possible. The device uses a relay to switch the fan coil system on and off to heat or cool as needed, with an SHTC3 temperature and humidity sensor used to monitor current conditions in the home.
If you’re in an apartment building or live in a condo with this kind of setup, [mackswan’s] build might be just what you’re after to improve your HVAC control. We’ve featured plenty of other DIY thermostat hacks over the years, too. Meanwhile, if you’re finding creative ways to better heat and cool your living space, we’d love to hear about it on the tipsline!
2026-04-25 02:30:35
As we learn more about all the nasty stuff floating in the air, it becomes more compelling to monitor the air for pollution levels. [Aleksei Tertychnyi] does just that with pollutagNode2, a solar-powered pollution sensor.
The device uses a Seeed Studio Wia-E5 module for its built-in LoRa low power long-range communication capabilities. Pair that with a cheap 2 watt solar panel and a Li-ion battery, and you have a monitoring device that can stay up indefinitely — or until harsh weather gets the better of it. Even if the solar panel were to be omitted, a full charge would last you about two weeks!
It comes on an open-hardware PCB; no need for giant wire messes, just solder the solar panel, battery, sensor, and anything else you want onto the convenient pads on the side. It also integrates into the existing sensor community nicely via existing LoRa infrastructure. All this combined makes it easy for anyone to deploy one.
2026-04-25 00:10:07
When Elliot Williams and Al Williams compare their notes on the week in Hackaday, you know you’ll get at least one or two bad puns. How bad? Tune in and find out.
This week, Tom Nardi visits several in-person events, and Elliot and Al talk about smart buttons, Itanium, ejecting things from a rocket, and the infinite pickle. Will Elliot build the coin flipper? Will Al use plasma at his next cookout? Hard to say.
For the can’t miss articles, this week, Al swept the category with a post on splices and another on what human junk is still sitting on the moon.
What do you think? Leave us a comment or record something and send it to our mailbag.
Download a copy of the podcast with an MP3 from our continuous audio pipeline.
2026-04-24 23:30:00
If you have a desktop 3D printer, you probably want something to hang filament spools on. [LVTRC] has a spool roller that fits the bill. It also incorporates a scale and a round touch screen. (Google Translate)
We’ve seen those round screens before, and now we wonder why we didn’t think of this. The GC9A01 display shows a progress ring and lets you save settings or calibrations to EEPROM. An Arduino Nano provides the brain, and the load cell connects to an HX711. The project is made to fit a specific printer, but it should be little trouble to adapt it to a different printer or to mount it in an external mount.
One of the calibration steps, of course, is to program the weight of an empty spool to subtract from the total weight. The device can store up to five specific profiles.
Not the biggest spool holder we’ve seen. We keep thinking that we don’t know why we want a circular screen, and then someone always drops in to show us another thing we didn’t think about.
2026-04-24 22:00:30
The author of the BlueHammer exploit, which was released earlier this month and addressed in the last Patch Tuesday, continues to be annoyed with the responses from the Microsoft security research and vulnerability response team, and has released another Windows zero-day attack against Windows Defender.
The RedSun exploit targets a logic and timing error in Windows Defender, convincing it to install the target file in the system, instead of quarantining the file and protecting the system. Not, generally, what you would hope would happen.
Since the RedSun attack requires local access in the first place, it seems unlikely Microsoft will release an out-of-sequence patch for it, however with public code available, we can probably expect to see malware leveraging it to establish higher permissions on an infected system.
Releasing exploits out of spite feels like a return to the late 1990s, and I almost don’t hate it.
Reported in Bleeping Computer, a group tracked as “Hazy Hawk” has been hijacking unmaintained DNS records of universities and government institutions to serve ad click spam.
The attack seems simple and doesn’t even require compromising the actual institution, using dangling DNS “CNAME” records. A “CNAME” entry in DNS acts essentially as an alias, pointing one domain name at another, which can be used to provide content from an official domain that is hosted on a cloud service where the IP address of the service might change.
A DNS “A” (or “AAAA” if you speak IPv6) record points a hostname – like “foo.example.com” – to an IP address – like “1.1.1.1”. A “CNAME” record points a hostname to another hostname, like “foo.some_cloud_host.com”. Scanning “high value” domains (like Ivy League universities) for “CNAME” records which point to expired domains (or domains on cloud hosted providers which no longer exist) lets anyone able to register that domain (or create an account with the proper naming scheme on the cloud host) to post any content they wish, and still appear to be the original name.
At least 30 educational institutions have been impacted, along with several government agencies including the CDC.
A recent patch set to the Linux kernel schedules 18 legacy network drivers for removal, citing an increased maintenance burden due to bugs found by AI and fuzzing tools. This seems to be in line with other recent Linux kernel efforts to deprecate particularly old devices, migrating single-core systems to the multi-core scheduler and flagging i486 support for removal.
All of the devices slated to go are from 2002 or earlier, and are all ISA or PCMCIA Ethernet devices. Ultimately, it probably makes sense to remove problematic drivers for devices which have been out of production for 25 years or more, but it’s personally a bit painful to see the 3COM 3c59x driver going away, which was the first Ethernet card I had in a Linux system.
Following the theme the past month of supply chain hacks, the latest high-profile casualty is the Bitwarden command line client. There are indications this is the same group responsible for several of the previous weeks of supply chain attacks on NPM, GitHub, and VS Code extensions.
Bitwarden is a password manager, with the option of self-hosting, similar to LastPass or OnePassword. The trojan version of the Bitwarden CLI contains malicious code to spread the supply-chain botnet, by stealing authentication tokens , SSH keys, and AI service tokens. Whenever GitHub tokens are found, the script will also attempt to modify the GitHub Actions –automatic scripts run for code validation or package building — to embed itself in any packaged repository it has write access to.
In many ways, what could have been an astoundingly serious incident – the compromise of the password manager vault – turned into a case of the dog catching the car. (If a dog chasing cars caught one, would he even know what to do with it?) A surprising turn of events from code designed to steal credentials.
Anthropic has admitted that there has been “unauthorized access” to the new Mythos model. The company has made copious announcements about the danger their new model brings for security and exploit development, humble-bragging that it is too dangerous for public use. Meanwhile it appears that enthusiasts on an AI-focused Discord were able to social engineer access from a third-party Anthropic contractor.
It is difficult to ascertain what risk Mythos will actually represent once it becomes generally available. Like any new bug discovery tool, the challenge is not only in finding a possible bug, but in validating that it can be triggered. When the concept of fuzzing — spamming programs with invalid or nearly-valid input — was popularized, thousands of bugs were found rapidly. OSS-Fuzz found almost 30,000 bugs in 360 projects, per this paper. That’s truly an intimidating quantity of issues to fix, but hardly heralded as apocalyptic.
The impact of new AI on bug finding will have to be assessed in retrospect, but it’s not exactly comforting that the same company making claims of world-changing danger in their models were still themselves victims to a social engineering campaign that exposed the model for weeks.
Another week, another project ending their bug bounty program. This week it’s Nextcloud, a self-hostable file hosting platform – basically an open source Dropbox analogue.
Like other projects, Dropbox puts the blame on a flood of low-quality but time consuming AI generated bug reports. As of April 22, 2026, Nextcloud will no longer offer rewards for bug reports, regardless of the severity of the bug.
Apple has released iOS 26.4.2 which fixes a notification issue used recently to expose Signal messages.
A recent court case demonstrated that it was possible to extract the content of Signal messages on an iPhone, even if the app and notifications had been deleted. This is not a flaw in Signal itself, or even limited to iOS devices: when Signal is configured to show the content of a message in a notification, it’s no longer under the control of the Signal app itself. For devices which have the option to show notifications on the lock screen, the content of messages is also no longer protected by user authentication!
Investigators were able to extract the notifications database from the phone, and from there, extract previous Signal notifications containing message content thought to have been deleted.
Wrapping up, Newswire reports that Sri Lankan officials have confirmed that $2.5 million in funds were stolen from their Ministry of Finance by redirecting a foreign debt repayment. Few details are available, but such attacks typically take advantage of a compromised email account, using existing email threads to continue a conversation and change payment details.
Similar attacks happen on a smaller scale, often targeting real estate agencies and small banks – institutions likely to have little to no information security processes but who handle large lump sums of money. Having it occur on a national level is certainly a little unusual.
