Microsoft rilasciato L’avviso più allarmante mai realizzato per gli utenti di Windows 10 che non hanno effettuato l’aggiornamento a Windows 11. L’azienda ha chiarito: il supporto di Windows 10 terminerà il 14 ottobre 2025 e coloro che rimangono sul vecchio sistema rischiano furti di dati, attacchi e altre terribili conseguenze.

“Quando il sistema operativo non riceve più gli aggiornamenti di sicurezza critici, è come lasciare la porta di casa aperta”, si legge nelle e-mail che Microsoft ha iniziato a inviare agli utenti questa settimana. A coloro che ricevono tali messaggi viene chiesto di verificare se il proprio computer è idoneo per un aggiornamento o di valutare l’acquisto di un nuovo dispositivo.

Secondo Statcounter, Windows 10 continua a essere utilizzato su circa 800 milioni di dispositivi. Microsoft sottolinea che, con l’avvicinarsi della fine del supporto, questi computer diventeranno “bersagli facili” per malware e attacchi informatici.

L’azienda sottolinea che gli aggiornamenti di sicurezza sono come le “serrature sulle porte”: proteggono dagli intrusi. E dato che l’aggiornamento di Windows di marzo ha nuovamente corretto le vulnerabilità zero-day, i rischi di rimanere su un sistema obsoleto sono in aumento.

Per le aziende e le organizzazioni, Microsoft offrirà un supporto esteso a pagamento per 30 dollari all’anno, ma questa opzione non è ancora apparsa sui mass media, forse perché teme che molti scelgano di pagare piuttosto che effettuare l’aggiornamento.

L’aggiornamento a Windows 11 rimane gratuito per i possessori di dispositivi con licenza idonea. Microsoft sottolinea che la combinazione del nuovo sistema e dell’hardware più moderno garantisce un livello di protezione notevolmente più elevato.

“Non aspettare che sia troppo tardi”, avverte l’azienda. “L’aggiornamento proteggerà i tuoi dati e ti garantirà tranquillità per la tua vita digitale.”

L'articolo Windows 10 Sta Per Scomparire! Corri o Sarai Hackerato Prima di Finire il Caffè proviene da il blog della sicurezza informatica.

La Corte, chiamata a pronunciarsi sulla disciplina dell'adozione internazionale che non include le persone singole fra coloro che possono adottare, ha affermato che tale esclusione si pone in contrasto con gli articoli 2 e 117, primo comma, della Costituzione, quest'ultimo in relazione all'articolo 8 della Convenzione europea dei diritti dell'uomo.

C'è voluta la Corte Costituzionale per stabilire che per un bambino orfano è meglio avere un genitore adottivo che non averne neanche uno e dover restare in un istituto.

agi.it/cronaca/news/2025-03-21…

Humans weren’t the first organisms on this planet to figure out how to turn the abundance of nitrogen in the atmosphere into a chemically useful form; that honor goes to some microbes that learned how to make the most of the primordial soup they called home. But to our credit, once [Messrs. Haber and Bosch] figured out how to make ammonia from thin air, we really went gangbusters on it, to the tune of 8 million tons per year of the stuff.

While it’s not likely that [benchtop take on the Haber-Bosch process demonstrated by [Marb’s lab] will turn out more than the barest fraction of that, it’s still pretty cool to see the ammonia-making process executed in such an up close and personal way. The industrial version of Haber-Bosch uses heat, pressure, and catalysts to overcome the objections of diatomic nitrogen to splitting apart and forming NH₃; [Marb]’s version does much the same, albeit at tamer pressures.

[Marb]’s process starts with hydrogen made by dripping sulfuric acid onto zinc strips and drying it through a bed of silica gel. The dried hydrogen then makes its way into a quartz glass reaction tube, which is heated by a modified camp stove. Directly above the flame is a ceramic boat filled with catalyst, which is a mixture of aluminum oxide and iron powder; does that sound like the recipe for thermite to anyone else?

A vial of Berthelot’s reagent, which [Marb] used in his recent blood ammonia assay, indicates when ammonia is produced. To start a run, [Marb] first purges the apparatus with nitrogen, to prevent any hydrogen-related catastrophes. After starting the hydrogen generator and flaring off the excess, he heats up the catalyst bed and starts pushing pure nitrogen through the chamber. In short order the Berthelot reagent starts turning dark blue, indicating the production of ammonia.

It’s a great demonstration of the process, but what we like about it is the fantastic tips about building lab apparatus on the cheap. Particularly the idea of using hardware store pipe clamps to secure glassware; the mold-it-yourself silicone stoppers were cool too.

youtube.com/embed/31jpvFuUQBI?…

hackaday.com/2025/03/21/bencht…

Last Friday Github saw a supply chain attack hidden in a popular Github Action. To understand this, we have to quickly cover Continuous Integration (CI) and Github Actions. CI essentially means automatic builds of a project. Time to make a release? CI run. A commit was pushed? CI run. For some projects, even pull requests trigger a CI run. It’s particularly handy when the project has a test suite that can be run inside the CI process.

Doing automated builds may sound straightforward, but the process includes checking out code, installing build dependencies, doing a build, determining if the build succeeded, and then uploading the results somewhere useful. Sometimes this even includes making commits to the repo itself, to increment a version number for instance. For each step there are different approaches and interesting quirks for every project. Github handles this by maintaining a marketplace of “actions”, many of which are community maintained. Those are reusable code snippets that handle many CI processes with just a few options.

One other element to understand is “secrets”. If a project release process ends with uploading to an AWS store, the process needs an access key. Github stores those secrets securely, and makes them available in Github Actions. Between the ability to make changes to the project itself, and the potential for leaking secrets, it suddenly becomes clear why it’s very important not to let untrusted code run inside the context of a Github Action.

And this brings us to what happened last Friday. One of those community maintained actions, tj-actions/changed-files, was modified to pull an obfuscated Python script and run it. That code dumps the memory of the Github runner process, looks for anything there tagged with isSecret, and writes those values out to the log. The log, that coincidentally, is world readable for public repositories, so printing secrets to the log exposes them for anyone that knows where to look.

Researchers at StepSecurity have been covering this, and have a simple search string to use: org:changeme tj-actions/changed-files Action. That just looks for any mention of the compromised action. It’s unclear whether the compromised action was embedded in any other popular actions. The recommendation is to search recent Github Action logs for any mention of changed-files, and start rotating secrets if present.

Linux Supply Chain Research

The folks at Fenrisk were also thinking about supply chain attacks recently, but specifically in how Linux distributions are packaged. They did find a quartet of issues in Fedora’s Pagure web application, which is used for source code management for Fedora packages. The most severe of them is an argument injection in the logging function, allowing for arbitrary file write.

The identifier option is intended to set the branchname for a request, but it can be hijacked in a request, injecting the output flag: [url=http://pagure.local/test/history/README.md?identifier=--output=/tmp/foo.bar]http://pagure.local/test/history/README.md?identifier=--output=/tmp/foo.bar[/url]. That bit of redirection will output the Git history to the file specified. Git history consists of a git hash, and then the short commit message. That commit message has very little in the way of character scrubbing, so Bash booleans like || can be used to smuggle a command in. Add the cooked commit to your local branch of something, query the URL to write the file history to your .bashrc file, and then attempt to SSH in to the Pagure service. The server does the right thing with the SSH connection, refusing to give the user a shell, but not before executing the code dropped into the .bashrc file. This one was disclosed in April 2024, and was fixed within hours of disclosure by Red Hat.

Pagure was not the only target, and Fenrisk researchers also discovered a critical vulnerability in OpenSUSE’s Open Build Service. It’s actually similar to the Fedora Pagure issue. Command options can be injected into the wget command used to download the package source file. The --output-document argument can be used to write arbitrary data to a file in the user’s home directory, but there isn’t an obvious path to executing that file. There are likely several ways this could be accomplished, but the one chosen for this Proof of Concept (PoC) was writing a .proverc file in the home directory. Then a second wget argument is injected, using --use-askpass to trigger the prove binary. It loads from the local rc file, and we have arbitrary shell code execution. The OpenSUSE team had fixes available and rolled out within a few days of the private disclosure back in June of 2024.

Breaking Ransomware Encryption

What do you do when company data is hit with Akira ransomware, and the backups were found wanting? If you’re [Yohanes Nugroho], apparently you roll up your sleeves and get to work. This particular strain of Akira has a weakness that made decryption and recovery seemingly easy. The encryption key was seeded by the current system time, and [Yohanes] had both system logs and file modification timestamps to work with. That’s the danger of using timestamps for random seeds. If you know the timestamp, the pseudorandom sequence can be derived.

It turns out, it wasn’t quite that easy. This strain of Akira actually used four separate nanosecond scale time values in determining the per-file encryption key. Values we’ll call t3 and t4 are used to seed the encryption used for the first eight bytes of each file. If there’s any hope of decrypting these files, those two values will have to be found first. Through decompiling the malware binaries, [Yohanes] knew that the malware process would start execution, then run a fixed amount of code to generate the t3 key, and a fixed amount of code before generating the t4 key. In an ideal world, that fixed code would take a fixed amount of time to run, but multi-core machines, running multi-threaded operations on real hardware will introduce variations in that timing.

The real-world result is a range of possible time offsets for both those values. Each timestamp from the log results in about 4.5 quadrillion timestamp pairs. Because the timing is more known, once t3 and t4 are discovered, finding t1 and t2 is much quicker. There are some fun optimizations that can be done, like generating a timestamp to pseudorandom value lookup table. It works well ported to CUDA, running on an RTX 4090. In the end, brute-forcing a 10 second slice of timestamps cost about $1300 dollars when renting GPUs through a service like vast.ai. The source code that made this possible isn’t pretty, but [Yohanes] has made it all available if you want to attempt the same trick.

Github and Ruby-SAML — The Rest of the Story

Last week we briefly talked about Github’s discovery of the multiple parser problem in Ruby-SAML, leading to authentication bypass. Researchers at Portswigger were also working on this vulnerability, and have their report out with more details. One of those details is that while Github had already moved away from using this library, Gitlab Enterprise had not. This was a real vulnerability on Gitlab installs, and if your install is old enough, maybe it still is.

The key here is a CDATA section wrapped in an XML comment section is only seen by one of the parsers. Include two separate assertion blocks, and you get to drive right through the difference between the two parsers.

Paragon

There’s a new player in the realm of legal malware. Paragon has reportedly targeted about 90 WhatsApp users with a zero-click exploit, using a malicious PDF attachment to compromise Android devices. WhatsApp has mitigated this particular vulnerability on the server side.

It’s interesting that apparently there’s something about the process of adding the target user to the WhatsApp group that was important to making the attack work. Paragon shares some similarities with NSO Group, but maintains that it’s being more careful about who those services are being offered to.

Bits and Bytes

We have a pair of local privilege escalation attacks. This is useful when an attacker has unprivileged access to a machine, but can use already installed software to get further access. The first is Google’s Web Designer, that starts a debug port, and exposes an account token and file read/right to the local system. The other is missing quotation marks in Plantronics Hub, which leads to the application attempting to execute C:\Program.exe before it descends into Program Files to look for the proper location.

This is your reminder, from Domain Guard, to clean up your DNS records. I’ve now gone through multiple IP address changes of my “static” IP Addresses. At the current rate of IPv4 exhaustion, those IPs are essentially guaranteed to be given out to somebody else. Is it a problem to have dangling DNS records? It’s definitely not a good situation, because it enables hacks from cross-site scripting vulnerabilities, to cookie stealing, to potentially defeating domain verification schemes with the errant subdomain.

MacOS has quite a fine history of null-pointer dereference vulnerabilities. That’s when a pointer is still set to NULL, or 0, and the program errantly tries to access that memory location. It used to be that a clever attacker could actually claim memory location 0, and take advantage of the bogus dereference. But MacOS put an end to that technique in a couple different ways, the most effective being disallowing 32 bit processes altogether in recent releases. It seems that arbitrary code execution on MacOS as result of a NULL Pointer Dereference is a thing of the past. And yes, we’re quite aware that this statement means that somehow, someone will figure out a way to make it happen.

And Finally, watchTowr is back with their delightful blend of humor and security research. This time it’s a chain of vulnerabilities leading to an RCE in Kentico, a proprietary web Content Management System. This vulnerability has one of my least favorite data formats, SOAP XML. It turns out Kentico’s user authentication returns an empty string instead of a password hash when dealing with an invalid username. And that means you can craft a SOAP authenticaiton token with nothing more than a valid nonce and timestamp. Whoops. The issue was fixed in a mere six days, so good on Kentico for that.

hackaday.com/2025/03/21/this-w…

[Mikey Sklar] had a problem—namely, running low on the brass material typically used for making PCB stencils. Thankfully, a replacement material was not hard to find. It turns out you can use aluminum business card blanks to make viable PCB stencils.

Why business card blanks? They’re cheap, for a start—maybe 15 cents each in quantity. They’re also the right thickness, at just 0.8 mm, and they’re flat, unlike rolled materials that can tend to flip up when you’re trying to spread paste. They’re only good for small PCBs, of course, but for many applications, they’ll do just fine.

To cut these, you’ll probably want a laser cutter. [Mikey] was duly equipped in that regard already, which helped. Using a 20 watt fiber laser at a power of 80%, he was able to get nice accurate cuts for the stencils. Thanks to the small size of the PCBs in question, the stencils for three PCBs could be crammed on to a single card.

If you’re not happy with your existing PCB stencil material, you might like to try these aluminium blanks on for size. We’ve covered other stenciling topics before, too.

youtube.com/embed/vPO3uMIyp_U?…

hackaday.com/2025/03/21/alumin…

C’è una parola che è diventata quasi un insulto nel dibattito pubblico: socialismo. Un’altra è addirittura un tabù: comunismo.

Eppure, se togliamo per un attimo le etichette, il pregiudizio instillato in quarant’anni anni di berlusconismo, se distogliamo lo sguardo dall’orrenda poltiglia burocratica e sciatta a cui ci ha abituati la compagine progressista, ci accorgiamo che i principi che questi movimenti hanno portato avanti per oltre un secolo sono esattamente quelli di cui oggi abbiamo disperatamente bisogno.

Non parlo di nostalgie, di falci e martelli sventolati per appartenenza, ma di idee. Idee chiare, necessarie.
Sogni da trasformare in utopie, e utopie da trasformare in Futuro - quello maiuscolo - quello che, come l’amore, non vedi l’ora di vedere.

Abbiamo bisogno di un pensiero che rimetta al centro le persone, la società.
Perché oggi il lavoro e i lavoratori sono tornati a essere una merce, qualcosa da svendere al ribasso. Perché il diritto alla salute, all’istruzione, a una casa sono stati trasformati in privilegi sempre più irraggiungibili.

Perché lo Stato sociale, quello che un tempo era un argine alle disuguaglianze, oggi viene smantellato pezzo dopo pezzo nel nome di un “mercato” che, anziché autoregolarsi, concentra ricchezze e potere nelle mani di pochi scaltri.

Abbiamo bisogno di una visione collettiva. Di partiti veri, di intellettuali e politici veri e preparati. Perché stiamo bruciando le energie e il cuore dei pochi giovani dentro istituzioni vecchie e immobili, pesanti e inadeguate a un futuro libero e migliore.

Perché il mito dell’individuo che si fa da solo è servito solo a giustificare le ingiustizie, a colpevolizzare chi rimane indietro.

E invece no, non siamo soli. Non esistiamo fuori dalla comunità, dalla società. Non esistiamo senza diritti, senza solidarietà, senza coscienza, senza l’idea che il benessere del singolo non possa basarsi sul malessere dei molti.

Abbiamo bisogno di un’alternativa al cinismo. Perché la politica di oggi si fonda sull’ignoranza e sulla paura, fomentando la guerra tra poveri attraverso un nazionalismo da bar e un decisionismo da scadente operetta.

Il socialismo e il comunismo italiani hanno sempre parlato di futuro, di cultura, di emancipazione, di una società più equa, più giusta. E quell’idea non è vecchia: è oggi necessaria.

Vecchi sono quelli che si arrogano il diritto di rappresentarla con linguaggi incomprensibili persino a loro stessi.
Vecchio è questo “io” ingombrante, sempre a favore di telecamera, vecchia è la corruzione e la cancellazione della meritocrazia.
Vecchia è l’incapacità di creare tesi, antitesi e sintesi attraverso la collettività e non attraverso un singolo che le faccia calare dall'alto.
Vecchio è vantarsi di slogan ciclostilati, la spocchia borghese di chi non ha idea della vita degli ultimi e nemmeno dei penultimi, eppure straparla di riformismo e di popolo. Vecchia è l'ignoranza e il qualunquismo, la superficialità che diventa stupidità.

Non si tratta di tornare indietro, ma di guardare avanti.

Svegliamoci.
Credere nella giustizia sociale non è utopia.
Pensare di poterne fare a meno, quella sì, è pura follia.

Faccio un salto nel passato anche qui, alla Biennale Arte 2024 di Venezia, la rappresentazione queer era forte e presente, ed è stato potente vederla.

Alcune opere mi hanno colpito particolarmente. Louis Fratino esplora la tensione tra famiglia e desiderio con immagini viscerali, raccontando come le persone LGBTQ+ socializzano da ‘outsider’ e affrontano la violenza della tradizione. Xiyadie documenta la vita queer in Cina dagli anni ’80, con opere intime che parlano di repressione, desiderio e liberazione. In Sewn, la metafora del cucirsi con un filo fatto di sperma e sangue rende fisico il dolore dell’identità negata. Omar Mismar sfida la censura in Libano con Two Unidentified Lovers in a Mirror, forse il mio preferito, dove la riorganizzazione dei volti di due amanti mette in discussione la negazione dell’intimità queer.
Lauren Halsey non lavora sul tema queer nello specifico, ma con la sua installazione monumentale celebra la diaspora nera, creando un ponte tra passato e presente.

Ognuna di queste opere è un atto di resistenza, un modo per riscrivere narrazioni e spazi.
Semplicemente è stato bello vedere così tanta arte queer alla Biennale, non solo come tema, ma come presenza forte e consapevole.

Il tema della Biennale era "Stranieri ovunque" ed era molto presente con opere sulle migrazioni e sui popoli, con tanta rappresentanza di artisti di popolazioni e entie oppresse e marginalizzate. Il rischio di una cornice così internazionale e istituzionale è quello di essere poco incisivi e di essere manipolati, nel mio caso mi ha aiutato a capire di più e ha creato consapevolezza e curiosità su tante altre situazioni anche lontane da noi.
@Arte e Cultura @Cultura
@lgbtqbookstodon group

#arte #biennalevenezia #artequeer

Di Esther Solomon, caporedattrice della versione inglese di Haaretz (quotidiano israeliano)

Esther Solomon, Editor-in-chief, Haaretz English

This week, Israelis woke up to war again, but this time not to the Hamas surprise attack of October 7 but to a conscious decision by their government to restart fighting, against the will of the popular majority, which consistently favors an end to the war and the return of all the hostages. This same week, the Netanyahu government intensified its battles on two other fronts as well: its war on Israeli democracy, and its war on Diaspora Jews.

Prime Minister Netanyahu is baldly exhibiting his 'vision' for the character of his own regime and the principles that govern the Israeli state's behavior at home and abroad. It is a vision that is genuinely revolutionary, in that it rips up and shreds into confetti most of the fundamental values and social contracts that bind the state to its citizens, and the state to the Jewish people outside its borders.

With the Trump administration's backing, but to the consternation of most of the rest of the international community, IDF airstrikes are now raining down on Gaza again. Netanyahu's ministers are using bloodcurdling language, directed at the whole population of Gaza, and not only Hamas.

The declared premise for breaking the cease-fire – that extreme military pressure will force Hamas into capitulation, and will lead to hostages being released alive – is false and illogical. Sixteen months of war has shown that only negotiations bring back significant numbers of hostages alive, that airstrikes kill them, and Hamas, which has repopulated its ranks, has no pangs of conscience to fight to the last Gazan. As Einav Zangauker, warrior mother of hostage Matan, said: "Netanyahu has opened the gates of hell not on Hamas, but on our loved ones."

The real reason for resuming war is to satiate the annexationist warlust of the far right, and win the prime minister more time in power. And both of those reasons factor into the resurgence-on-steroids of the government's judicial coup, now honed to take out the Shin Bet head and the Attorney General, the key remaining gatekeepers of democracy and the rule of law.

There's an urgency to Netanyahu's call to rid himself of these troublesome officials, and it's called Qatargate: the rolling scandal of close aides to Netanyahu allegedly being paid by Doha for positive PR during the war, in which the Shin Bet is a lead investigative agency. In true Trumpist style, and with a nod to his fellow White House populists, Netanyahu took to social media to accuse the "leftist deep state" of conspiring to weaponize the justice system to bring down the right-wing government.

This week there were also dramatic developments in the third front: How the government understands its relationship with Diaspora Jews. Amichai Chikli, the minister in charge of Diaspora relations and Israel's antisemitism czar, is organizing a "combating antisemitism" conference stuffed with representatives of European far-right parties whose antisemitic, neo-Nazi, illiberal record is either a fact of their founding and/or an everyday feature of their activists' rhetoric.

It was an ambush for the high-profile representatives of U.S. and European Jewish communities also invited to attend: To show solidarity with Israel at the cost of their own values and safety. One by one, they have cancelled, from the U.K.'s Chief Rabbi to the head of the ADL: Even Israel's President refused to host the far-right politicians. These are rare, brave moves that may well be a milestone in the breakdown of Israel-Diaspora relations, a sign of how infuriated Diaspora Jews are and how arrogant, cynical and fanatic the Israeli government.

Netanyahu's wars have terrible human costs, but they are also designed to reshape language and the space for dissent. To jumpstart the cease-fire, make war. To save the hostages, bomb them. To save democracy, institute autocracy. To confront antisemitism, welcome antisemites.

Despite their deep fatigue, most Israelis aren't buying it. Forty thousand turned out to protest in Tel Aviv on Tuesday; thousands more in Jerusalem the next day. But Netanyahu has formidable weapons at his disposal, and there is no cease-fire pending for the wars outside and inside Israel's borders.