Elon Musk wants you to know that Sam Altman got a refund for his Tesla RoadsterElon Musk and Sam Altman are still taking swipes at each other on Musk’s social media platform X.

2025 Component Abuse Challenge: A Transistor As A Voltage ReferenceFor our 2025 Component Abuse Challenge there have been a set of entries which merely use a component for a purpose it wasn’t quite intended, and another which push misuse of a part into definite abuse territory, which damages or fundamentally changes it. [Ken Yap]’s use of a transistor base-emitter junction as a voltage reference certainly fits into the latter category.
If you forward bias  a base-emitter junction, it will behave as a diode, which could be used as a roughly 0.7 volt reference. But this project is far more fun than that, because it runs the junctions in reverse biased breakdown mode. Using one of those cheap grab bags of transistor seconds, he finds that devices of the same type maintain the same voltage, which for the NPN devices he has works out at 9.5 volts and the PNP at 6.5. We’re told it damages their operation as transistors, but with a grab bag, that’s not quite the issue.
We’ve got a few days left before the end of the contest, and we’re sure you can think of something worth entering. Why not give it a go!

Spitfire Audio: Château Piano Roundtable Video Shortly after the release of their Château Piano library, Spitfire Audio returned to the Château d'Hérouville to capture a selection of performances and hold a round-table discussion comparing the the legendary Steinway Model B with its new virtual counterpart.

Get NI Massive or Excite Audio Bloom Vocal Edit Lite FREE with any Purchase
For the next week, you can score Native Instruments’ Massive ($99) or Excite Audio’s Bloom Vocal Edit Lite ($29) free with any purchase at Plugin Boutique. The deal expires on November 7, 2025, and the purchase needs to be a paid product to qualify. Plugin Boutique will be changing its giveaways each week in November, [...]
View post: Get NI Massive or Excite Audio Bloom Vocal Edit Lite FREE with any Purchase

DamyFx Mr Tank PreampMr. Tank Preamp is a VST3 plugin designed to infuse your tracks with the warmth and sonic fullness typical of a high-end tube preamplifier. Ideal for the mastering stage, this processor is the ultimate tool for adding power, cohesion, and rich harmonic coloration to your mixes. Controls: Volume: Adjusts the input signal level into the preamplifier circuit. Increasing the volume pushes the "tube" to work harder, generating more saturation. Dirty: This control is the heart of the preamp's "dirty" and aggressive character. It allows you to dial in the amount of tube saturation and distortion, ranging from a subtle warmth to a more decisive and gritty crunch, adding body and presence to the signal. 3-Band EQ (Treble, Middle, Bass): A musical three-band equalizer to shape the tone of the preamplifier. Treble: Boosts or cuts the high frequencies to add "air" and brilliance or to tame any harshness. Middle: Controls the mid-range frequencies, crucial for the presence of vocals and lead instruments. Bass: Manages the low frequencies, ideal for adding "weight" and "depth" to the mix or for controlling excess. Master: An output volume control to compensate for the introduced gain increase and ensure perfect gain staging in the mastering chain. Read More

Top Music Business News Last WeekTop music business news last week included major upgrades on tools for Artists from Bandsintown, SoundCloud and DistroKid, Indivisible calling for a Spotify boycott, a free Ticket Data tool, AI music updates and more.
The post Top Music Business News Last Week appeared first on Hypebot.

Free PSP Spector plug-in from PSPaudioware PSPaudioware are getting into the spirit of Halloween with the launch of PSP Spector, a precise 31-band spectrum analyser plug-in that is being made available as a free download.

How Emmy-Winning Sound Designer Ryan Hobler Uses Krotos Studio in His Creative WorkflowAccording to news on Friday, "Emmy Award-winning sound designer Ryan Hobler has built a career spanning Super Bowl ads and national campaigns for brands such as Febreze, E*TRADE, and Applebee’s. At the same time, he is an accomplished composer and musician, continually expanding his body of work as a singer-songwriter and producer. In both post-production and music, Hobler has found Krotos Studio to be an integral creative tool. From designing and mixing sound for high-profile commercials to producing short-form promotional videos for his latest folk-pop EP, he uses Krotos to merge his dual identities as sound designer and musician, streamlining his workflow while opening new creative possibilities."

"With nearly two decades in post-production, Hobler knows how important it is to move quickly without sacrificing creativity," a statement reads. "Deadlines for commercials and branded content often leave little room for trial and error, making workflow speed essential."

“I find that for a lot of the dynamic and moving elements, Krotos Studio is an invaluable tool, because it’s so easy to manipulate those sounds and make them work with the motion of whatever you’re designing,” he explains. For Hobler, that efficiency translates directly into more time spent on creative decisions rather than technical hurdles.“You want as little hindrance as possible, and with Krotos Studio, you can tap into that quicker. You can get to the idea in your head sooner.”

"That efficiency has been critical in recent national ad campaigns that required quick, dynamic sound design. In one spot, the commercial opened with a person navigating a smartphone app, where Hobler drew on Krotos Studio’s UI library to create a synthetic palette of taps and text noises. Later in the same campaign, he was tasked with bringing the sound of a sandwich deconstructing into its individual parts to life. The sequence played like a non-destructive explosion that needed the right sonic detail to match the visuals."

“Krotos Studio is incredible for making the abstract sonically tangible,” Hobler says. “This explosive moment had no basis in reality, so I wound up using a variety of Krotos Studio presets to complement the bombastic music and visual effects.”

"With each update, Hobler notes, Krotos Studio has continued to evolve. The software now offers not only an expanding library of sounds and features but also an AI-powered search that fuels discovery as well as efficiency."

“I use the search all the time, and I love what it comes up with, because sometimes it gives me these nice surprises,” he says. “It makes me curious — would that work in there? I’ll try that. I love the suggestive nature of the search and how it inspires me to try unexpected options.”

"Beyond his commercial work, Hobler’s creative identity extends into songwriting and music production, and Krotos Studio has become a tool that helps him merge these worlds."

“I’ve been trying to bridge the gap between those two arbitrary columns for quite some time, making music that uses sound effects and sounds that weren’t necessarily strictly musical in a traditional sense.” Over the years, he has sampled everyday objects like a switchblade comb, a clock, and even the click of a car’s turn signal to create rhythmic or melodic textures in his songs.

"That crossover also extends into how he presents his music. On his latest single, 'Paper Airplane Life,' one of several tracks released with recording artist Erik Blicker, Hobler applied his sound design skills to promotional video content, creating short teaser clips for social media. He used Krotos Studio for expressive swooshes and transitions, pairing them with cues from the track to give the visuals a cinematic quality. The result demonstrates how he moves between post-production and music, using Krotos as a bridge."The post How Emmy-Winning Sound Designer Ryan Hobler Uses Krotos Studio in His Creative Workflow first appeared on Music Connection Magazine.

Sonarworks & SOS AI Survey Sonarworks and Sound On Sound are inviting producers, engineers, sound designers and creators worldwide to take a short 5–8 minute survey on how AI is changing music. 

New Hampshire Senate stalls crypto mining deregulation bill after split voteLawmakers opted to study the proposal further following a wave of public concern over plans to loosen local controls on crypto mining in the state.

This Week in Security: Vibecoding, Router Banning, and Remote Dynamic DependenciesVibecoding. What could possible go wrong? That’s what [Kevin Joensen] of Baldur wondered, and to find out he asked Anthropic’s Sonnet 4.5 to build a secure login with Two Factor Authentication (2FA). And to the LLM’s credit, it builds the app as requested. [Kevin] took a peek under the hood to see how well the security was handled, and it wasn’t great.
Up first, the Flask app doesn’t have any rate-limiting for guessing that time-based 2FA code. A 6-digit time-based 2FA only works if you can’t try all the possibilities before a given code expires. So what does a vibecoder do, once this has been noticed? Ask the LLM to fix it of course. Here we take a slightly different approach, prompting the AI to double-check its work: “Is there any security features missing in 2fa verify step?” The answer is an impressive:
Great question! Yes, there are several critical security features missing from the 2FA verification step. Let me highlight the most important ones: Critical Security Issues1. No Rate Limiting (MOST CRITICAL)
But the critical question, can it properly fix its mistake? The AI adds the flask-limiter library and chooses 10 attempts per minute, which is a bit loose, but not unreasonable. There’s still an issue, that those attempts are limited by IP address instead of user login. All it takes to bypass that rate limiting is a pool of IP addresses.
This experiment starts to go off the rails, as [Kevin] continues to prompt the LLM to look for more problems in its code, and it begins to hallucinate vulnerabilities, while not fixing the actual problem. LLMs are not up to writing secure code, even with handholding.
But surely the problem of LLMs making security mistakes isn’t a real-world problem, right? Right? Researchers at Escape did a survey of 5,600 vibecoded web applications, and found 2,000 vulnerabilities. Caveat Vibetor.
“Secure” Enclave
A few weeks ago we talked about Battering RAM and Wiretap — attacks against Trusted Execution Environments (TEEs). These two attacks defeated trusted computing technologies, but were limited to DDR4 memory. Now we’re back with TEE-fail, a similar attack that works against DDR5 systems.
This is your reminder that very few security solutions hold up against a determined attack with physical access. The Intel, AMD, and Nvidia TEE solutions are explicitly ineffective against such physical access. The problem is that no one seemed to be paying attention to that part of the documentation, with companies ranging from Cloudflare to Signal getting this detail wrong in their marketing.
Banning TP-Link
News has broken that the US government is considering banning the sale of new TP-Link network equipment, calling the devices a national security risk.
I have experience with TP-Link hardware: Years ago I installed dozens of TL-WR841 WiFi routers in small businesses as they upgraded from DSL to cable internet. Even then, I didn’t trust the firmware that shipped on these routers, but flashed OpenWRT to each of them before installing. Fun fact, if you go far enough back in time, you can find my emails on the OpenWRT mailing list, testing and even writing OpenWRT support for new TP-Link hardware revisions.
From that experience, I can tell you that TP-Link isn’t special. They have terrible firmware just like every other embedded device manufacturer. For a while, you could run arbitrary code on TP-Link devices by putting it inside backticks when naming the WiFi network. It wasn’t an intentional backdoor, it was just sloppy code. I’m reasonably certain that this observation still holds true. TP-Link isn’t malicious, but their products still have security problems. And at this point they’re the largest vendor of cheap networking gear with a Chinese lineage. Put another way, they’re in the spotlight due to their own success.
There is one other element that’s important to note here. There is still a significant TP-Link engineering force in China, even though TP-Link Systems is a US company. TP-Link may be subject to the reporting requirements of the Network Product Security legislation. Put simply, this law requires that when companies discover vulnerabilities, they must disclose the details to a particular Chinese government agency. It seems likely that this is the primary concern in the minds of US regulators, that threat actors cooperating with the Chinese government are getting advanced notice of these flaws. The proposed ban is still in proposal stage, and no action has been taken on it yet.
Sandbox Escape
In March there was an interesting one-click exploit that was launched via phishing links in emails. Researchers at Kaspersky managed to grab a copy of the malware chain, and discovered the Chrome vulnerability used. And it turns out it involves a rather novel problem. Windows has a pair of APIs to get handles for the current thread and process, and they have a performance hack built-in: Instead of returning a full handle, they can return -1 for the current process and -2 for the current thread.
Now, when sandboxed code tries to use this pseudo handle, Chrome does check for the -1 value, but no other special values, meaning that the “sandboxed” code can make a call to the local thread handle, which does allow for running code gadgets and running code outside the sandbox. Google has issued a patch for this particular problem, and not long after Firefox was patched for the same issue.
NPM and Remote Dynamic Dependencies
It seems like hardly a week goes by that we aren’t talking about another NPM problem. This time it’s a new way to sneak malware onto the repository, in the form of Remote Dynamic Dependencies (RDD). In a way, that term applies to all NPM dependencies, but in this case it refers to dependencies hosted somewhere else on the web. And that’s the hook. NPM can review the package, and it doesn’t do anything malicious. And when real users start downloading it, those remote packages are dynamically swapped out with their malicious versions by server-side logic.
Installing one of these packages ends with a script scooping up all the data it can, and ex-filtrating it to the attacker’s command and control system. While there isn’t an official response from NPM yet, it seems inevitable that NPM packages will be disallowed from using these arbitrary HTTP/HTTPS dependencies. There are some indicators of compromise available from Koi.
Bits and Bytes
Python deserialization with Pickle has always been a bit scary. Several times we’ve covered vulnerabilities that have their root in this particular brand of unsafe deserialization. There’s a new approach that just may achieve safer pickle handling, but it’s a public challenge at this point. It can be thought of as real-time auditing for anything unsafe during deserialization. It’s not ready for prime time, but it’s great to see the out-of-the-box thinking here.
This may be the first time I’ve seen remote exploit via a 404 page. But in this case, the 404 includes the page requested, and the back-end code that injects that string into the 404 page is vulnerable to XML injection. While it doesn’t directly allow for code execution, this approach can result in data leaks and server side request forgeries.
And finally, there was a sketchy leak, that may be information on which mobile devices the Cellebrite toolkit can successfully compromise. The story is that [rogueFed] sneaked into a Teams meeting to listen in and grab screenshots. The real surprise here is that GrapheneOS is more resistant to the Cellebrite toolkit than even the stock firmware on phones like the Pixel 9. This leak should be taken with a sizable grain of salt, but may turn out to be legitimate.

Bluesky hits 40 million users, introduces ‘dislikes’ betaAs users "dislike" posts, the system will learn what sort of content they want to see less of. This will help to inform more than just how content is ranked in feeds, but also reply rankings.

Mixed Notes November 2025: marguerite, Cafuné, Laufey, and More

MARGUERITE RELEASES "YOU ARE FULL OF MAGIC AND LOVE AND VISIONS AND IDEAS AND IDEALS AND BEAUTY AND JOY" MUSIC VIDEO

Los Angeles’ intimate indie-rock/shoegaze band marguerite have released their music video for single “you are full of magic and love and visions and ideas and ideals and beauty and joy,” directed by Destinee McCaster. The video is a beautiful depiction of dream visitation, using stop motion and mixed media to create a world of magical realism. With two EPs out already, larger now and things we found, marguerite is currently working on their first full-length album.

MULTI-PLATINUM DUO CAFUNÉ RELEASE THEIR SECOND ALBUM BITE REALITY

American indie pop duo Cafuné have released their second album Bite Reality via the band’s own Aurelians Club label, distributed by SoundOn. Bite Reality is about the fine line between documenting your existence and doing the work to actually exist. “At the end of the day, all we have is one another. You can’t take anything with you when the lights go out. Embrace the future, bite reality,” the band shared.

LAUFEY DROPS HIGHLY ANTICIPATED THIRD ALBUM A MATTER OF TIME

A Matter of Time, the highly anticipated new album from GRAMMY®-winning L.A.-based Icelandic-Chinese artist, composer, producer, and multi-instrumentalist Laufey, is now available worldwide via Vingolf Recordings / AWAL. Laufey will perform the new songs on the A Matter of Time Tour, which sold over 265,000 tickets upon its initial sale.

GOOD NEIGHBOURS RETURN WITH NEW SINGLE “PEOPLE NEED PEOPLE” BEFORE DEBUT ALBUM BLUE SKY MENTALITY

London-based duo Good Neighbours preceded the release of their debut album, Blue Sky Mentality (via Capitol Records) with the roll out of their stirring new single, “People Need People.” The single, which premiered as BBC Radio 1’s Hottest Record, is a widescreen anthem centered on friendship, solidarity and the moments we lean on each other most.

POP NEWCOMER CIL DROPS NEW SINGLE “SOMETHING LIKE THIS,” SUPPORTS DUA LIPA ON RADICAL OPTIMISM TOUR ACROSS NORTH AMERICA

After igniting the summer with her don’t hold me accountable EP, singer and songwriter Cil is back with a brand-new single entitled “something like this,” out now on Warner Records. In addition to the new single, she recently supported pop megastar Dua Lipa for 24 arena dates across North America on the Radical Optimism Tour.

NIIA RELEASES BRAZEN NEW SINGLE MUSIC VIDEO PAYS HOMAGE TO FIONA APPLE 

L.A.-based jazz vocalist and composer Niia dropped the new single “fucking happy,” from her recently released fifth studio album, V (out via Candid Records), alongside the accompanying music video—a sly nod to Fiona Apple’s iconic “Criminal.” Shot through the lens of director Lili Peper, the video updates that voyeuristic energy for a new era while keeping the same sense of intimacy and unease that made the original so unforgettable.

SINGER-SONGWRITER AND ACTRESS TELE RELEASES HER DEBUT EP HONESTY PROJECT

Burgeoning new singer-songwriter and actress Tele’s debut EP Honesty Project is out now via Sound Factory Records/RCA Records. The EP follows recent single releases “More,” “Evil,” “VHS,” and “Barking Dogs,” all largely featured production by Rob Bisel and Noise Club (Jessie Murph, Kiana Lede).The post Mixed Notes November 2025: marguerite, Cafuné, Laufey, and More first appeared on Music Connection Magazine.

From Universal’s landmark Udio deal to DistroKid’s new merch launch… it’s MBW’s Weekly Round-UpThe biggest news from the past week - all in one place
Source

Crush Audio releases Crush Percussion and the FREE Crush FX plugin
Crush Audio has released two brand-new products for macOS and Windows, including a free multi-FX plugin – Crush Percussion and Crush FX. Before I get to the freebie, here’s a quick rundown of the premium release, Crush Percussion. Crush Percussion is a collection of over 100 percussion instruments with default grooves and a powerful FX [...]
View post: Crush Audio releases Crush Percussion and the FREE Crush FX plugin