29.000 server Exchange sono vulnerabili al CVE-2025-53786, che consente agli aggressori di muoversi all’interno degli ambienti cloud Microsoft, portando potenzialmente alla compromissione completa del dominio.

Il CVE-2025-53786 consente agli aggressori che hanno già ottenuto l’accesso amministrativo ai server Exchange locali di aumentare i privilegi nell’ambiente cloud connesso di un’organizzazione falsificando o manipolando token attendibili e richieste API. Questo attacco non lascia praticamente alcuna traccia, rendendolo difficile da rilevare.

La vulnerabilità riguarda Exchange Server 2016, Exchange Server 2019 e Microsoft Exchange Server Subscription Edition nelle configurazioni ibride.

La vulnerabilità è correlata alle modifiche apportate nell’aprile 2025, quando Microsoft ha rilasciato linee guida e un hotfix per Exchange nell’ambito della Secure Future Initiative. In quell’occasione, l’azienda è passata a una nuova architettura con un’applicazione ibrida separata che ha sostituito l’identità condivisa non sicura utilizzata in precedenza dai server Exchange locali ed Exchange Online.

In seguito, i ricercatori hanno scoperto che questo schema lasciava aperta la possibilità di attacchi pericolosi. Alla conferenza Black Hat , Outsider Security dimostrò un simile attacco post-exploit.

“Inizialmente non l’ho considerata una vulnerabilità perché il protocollo utilizzato per questi attacchi era stato progettato tenendo conto delle caratteristiche discusse nel rapporto e mancava semplicemente di importanti controlli di sicurezza”, afferma Dirk-Jan Mollema di Outsider Security.

Sebbene gli esperti Microsoft non abbiano trovato alcun segno di sfruttamento del problema in attacchi reali, la vulnerabilità è stata contrassegnata come “Sfruttamento più probabile“, il che significa che l’azienda prevede che gli exploit appariranno presto.

Come avvertono gli analisti di Shadowserver , ci sono 29.098 server Exchange sulla rete che non hanno ricevuto le patch. Di conseguenza, sono stati trovati più di 7.200 indirizzi IP negli Stati Uniti, oltre 6.700 in Germania e più di 2.500 in Russia.

Il giorno dopo la divulgazione del problema, la Cybersecurity and Infrastructure Security Agency (CISA) degli Stati Uniti ha emesso una direttiva di emergenza ordinando a tutte le agenzie federali (inclusi i dipartimenti del Tesoro e dell’Energia) di affrontare urgentemente la minaccia.

In un bollettino di sicurezza separato , i rappresentanti della CISA hanno sottolineato che la mancata correzione di CVE-2025-53786 potrebbe portare alla “completa compromissione di un cloud ibrido e di un dominio on-premise”.

Come spiegato da Mollema, gli utenti di Microsoft Exchange che hanno già installato l’hotfix menzionato e seguito le raccomandazioni di aprile dell’azienda dovrebbero essere protetti dal nuovo problema. Tuttavia, coloro che non hanno ancora implementato le misure di protezione sono ancora a rischio e dovrebbero installare l’hotfix e seguire anche le istruzioni di Microsoft ( 1 , 2 ) sull’implementazione di un’app ibrida di Exchange separata.

“In questo caso, non è sufficiente applicare semplicemente una patch; sono necessari ulteriori passaggi manuali per migrare a un servizio principale dedicato”, ha spiegato Mollema. “L’urgenza dal punto di vista della sicurezza è determinata dall’importanza per gli amministratori di isolare le risorse di Exchange on-premise da quelle ospitate nel cloud. Nella vecchia configurazione, il sistema Exchange ibrido aveva pieno accesso a tutte le risorse di Exchange Online e SharePoint”.

Lo specialista ha inoltre sottolineato ancora una volta che lo sfruttamento di CVE-2025-53786 avviene dopo la compromissione, ovvero l’aggressore deve compromettere in anticipo l’ambiente locale o i server Exchange e disporre dei privilegi di amministratore.

L'articolo 29.000 server Exchange a rischio. L’exploit per il CVE-2025-53786 è sotto sfruttamento proviene da il blog della sicurezza informatica.

If you learned to type anytime in the mid-part of the 20th century, you probably either had or wanted an IBM Selectric. These were workhorses and changed typing by moving from typebars to a replaceable wheel. They were expensive, though worth it since many of them still work (including mine). But few of us could afford the $1,000 or more that these machines cost back in the day, especially when you consider that $1,000 was enough to buy a nice car for most of that time. [Tech Tangents] looks at something different: a clone Selectric from the sewing machine and printer company Juki.

The typewriter was the brainchild of [Thomas O’Reilly]. He sold typewriters and knew that a $500 compatible machine would sell. He took the prototype to Juki, which was manufacturing typewriters for Olivetti at the time.

Although other typewriters used typeballs, none of them were actual clones and didn’t take IBM typeballs. Juki even made their own typeballs. You’d think IBM might have been upset, but they were already moving towards the “wheelwriter,” which used a daisywheel element. Juki would later make a Xerox-compatible daisywheel printer, again at a fraction of the cost of the original.

Even the Juki manual was essentially a rip-off of the IBM Selectric manual. Sincerest form of flattery, indeed. It did appear that the ribbon was not a standard IBM cartridge. That makes them hard to find compared to Selectric ribbons, but they are nice since they have correction tape built in. The video mentions that you can find them on eBay and similar sites.

There were a few other cost savings. First, the Juki was narrower than most Selectrics. It also had a plastic case, although if you have ever had to carry a Selectric up a few flights of stairs, you might consider that a feature.

The Juki in the video doesn’t quite work, but it is a quirky machine with an odd history. Today, you can print your own typeballs. We wonder if these would be amenable to computer control like the Selectrics?

youtube.com/embed/EQMOWNUJq7U?…

hackaday.com/2025/08/12/thats-…

We would like to share the amazing news that the European Citizen initiative created by the Stop killing games community has reached the required threshold of 1 million signatures across Europe! And you can still add your signature until the end of the month!

At the European Pirate Party, defending digital rights is at the heart of our mission. We believe that when people purchase a videogame, they should be guaranteed the right to use it – not left at the mercy of arbitrary shutdowns by publishers. Consumers should not be treated as renters of entertainment they’ve paid for. That’s why we decided to endorse the Initiative after it launched.

As we noted before, this campaign calls for clear legal obligations: once a game is sold, it must remain in a playable state, even if the publisher steps away. No one should wake up to find their purchased game disabled by a remote switch. We find this unacceptable. We’re encouraged by the grassroots energy behind this effort. From independent developers to influential streamers like Ross Scott, who spearheaded the push, to public figures like PewDiePie, who has previously expressed support for Pirate Party values – this is a powerful coalition of gamers, creators, and digital freedom advocates.

While it seemed unclear for months if the initiative would gather enough signatures before the deadline, it suddenly gathered a huge wave of support in the last week, and today it reached the target of 1 million signatures! At this point it is clear that the European Union will have to address the initiative, and the more signatures we get above the required threshold the bigger the chance that they will decide to actually address the problem with games being killed by the publishers. You can easily see the current numbers of signatures with this tracker.

Let’s further ensure that the voices of European gamers and citizens are heard loud and clear in Brussels! Let’s protect digital ownership! Let’s defend access! Let’s stop the silent destruction of the digital heritage!

Sign the European citizens inititative here: https://eci.ec.europa.eu/045/public/#/screen/home

If you are a UK citizen there’s a separate petition there: https://petition.parliament.uk/petitions/702074/

If you want to join the Stop killing games community for the end stretch of the campaign, they have a lovely discord server that you can check out.

salon-linke.de/2025/07/03/skg-…

[Menadue] had a vintage Compucorp 326 calculator with an aging problem. Specifically, the flex cable that connects the button pad had turned corroded over time. However, thanks to the modern PCB industrial complex, replacing the obscure part was relatively straightforward!

The basic idea was simple enough: measure the original flex cable, and recreate it with the flat-flex PCB options available at many modern PCB houses that cater to small orders and hobbyists. [Menadue] had some headaches, having slightly misjudged the pitch of the individual edge-connector contacts. However, he figured that if lined up just right, it was close enough to still work. With the new flex installed, the calculator sprung into life…only several keys weren’t working. Making a new version with the correct pitch made all the difference, however, and the calculator was restored to full functionality.

It goes to show that as long as your design skills are up to scratch, you can replace damaged flex-cables in old hardware with brand new replacements. There’s a ton of other cool stuff you can do with flex PCBs, too.

youtube.com/embed/QmJaNzWDqbY?…

hackaday.com/2025/08/12/creati…

Fluid-Implicit-Particle or FLIP is a method for simulating particle interactions in fluid dynamics, commonly used in visual effects for its speed. [Nick] adapted this technique into an impressive FLIP business card.

The first thing you’ll notice about this card is its 441 LEDs arranged in a 21×21 matrix. These LEDs are controlled by an Raspberry Pi RP2350, which interfaces with a LIS2DH12TR accelerometer to detect card movement and a small 32Mb memory chip. The centerpiece is a fluid simulation where tilting the card makes the LEDs flow like water in a container. Written in Rust, the firmware implements a FLIP simulation, treating the LEDs as particles in a virtual fluid for a natural, flowing effect.

This eye-catching business card uses clever tricks to stay slim. The PCB is just 0.6mm thick—compared to the standard 1.6mm—and the 3.6mm-thick 3.7V battery sits in a cutout to distribute its width across both sides of the board. The USB-C connection for charging and programming uses clever PCB cuts, allowing the plug to slide into place as if in a dedicated connector.

Inspired by a fluid simulation pendant we previously covered, this board is just as eye-catching. Thanks to [Nick] for sharing the design files for this unique business card. Check out other fluid dynamics projects we’ve featured in the past.

hackaday.com/2025/08/12/leds-t…

During last Sunday’s Pirate National Committee meeting, members voted to endorse the campaign of Timothy Grady, independent candidate for Governor of Ohio in his 2026 gubernatorial race.

Having joined out meeting, which you can catch the recap of here, Mr. Grady gave us his best pitch for not only why we should endorse his campaign, but also an opportunity for Ohio voters to hear from the independent candidate.

After a long meeting and opportunity to ask questions, the decision was unanimous: the US Pirate Party will support the Grady campaign!

You can see the official announcement from Timothy Grady’s page here.

It should be noted that Tim Grady is not running as a proxy of the Ohio Pirate Party (which is active but unofficial), nor is the Grady campaign strictly a Pirate campaign. The United States Pirate Party values honest campaigns, person-first agendas and anyone who fights for free and open.

The 2026 election cycle will feature explicitly Pirate candidates, running as independents, DINOS/RINOS and explicitly as Pirates. While Timothy Grady is not one of those Pirate candidates, we are happy to throw our support towards a candidate who shares our values.

Ohio, you have a chance to say “Enough is enough”.

Timothy Grady, Victory is Arrrs

uspirates.org/endorsed-timothy…

If you want to get active out on the water, you could buy a new kayak, or hunt one down on Craigslist, Or, you could follow [Ivan Miranda]’s example, and print one out instead.

[Ivan] is uniquely well positioned to pursue a build like this. That’s because he has a massive 3D printer which uses a treadmill as a bed. It’s perfect for building long, thin things, and a kayak fits the bill perfectly. [Ivan] has actually printed a kayak before, but it took an excruciating 7 days to finish. This time, he wanted to go faster. He made some extruder tweaks that would allow his treadmill printer to go much faster, and improved the design to use as much of the belt width as possible. With the new setup capable of extruding over 800 grams of plastic per hour, [Ivan] then found a whole bunch of new issues thanks to the amount of heat involved. He steps through the issues one at a time until he has a setup capable of extruding an entire kayak in less than 24 hours.

This isn’t just a dive into 3D printer tech, though. It’s also about watercraft! [Ivan] finishes the print with a sander and a 3D pen to clean up some imperfections. The body is also filled with foam in key areas, and coated with epoxy to make it watertight. It’s not the easiest craft to handle, and probably isn’t what you’d choose for ocean use. It’s too narrow, and wounds [Ivan] when he tries to get in. It might be a floating and functional kayak, just barely, for a smaller individual, but [Ivan] suggests he’ll need to make changes if he were to actually use this thing properly.

Overall, it’s a project that shows you can 3D print big things quite quickly with the right printer, and that maritime engineering principles are key for producing viable watercraft. Video after the break.

youtube.com/embed/9DpMkYDCq9Y?…

hackaday.com/2025/08/12/3d-pri…

Boston Police (BPD) continue their efforts rollout more surveillance tools. This time on social media.

On August 19th, the Boston Public Safety Committee will hold a hearing on the Boston 2024 Surveillance Technology Report including police usage of three new tools to monitor social media posts. Any tool BPD uses will feed into the Boston Regional Information Center (BRIC) and Federal agencies such as ICE, CBP and the FBI.

If you want to tell the Boston Public Safety committee to oppose this expansion of surveillance, please show up on the 19th virtually. Details are posted, but to sign up to speak, email ccc.ps@boston.gov and they will send you a video conference link. We especially encourage Boston Pirates to attend and speak against this proposal. The Docket # is 1357.

masspirates.org/blog/2025/08/1…

Uso spesso podcast e video di persone di madrelingua inglese per migliorare la conoscenza della lingua.

Mi piacerebbe restituire il favore.

Ho pensato che magari da qualche parte sul pianeta c'è qualcuno che studia italiano a cui potrebbe fare altrettanto comodo avere uno sparring partner, quindi non podcast e video ma vere conversazioni on-line (gratuite).

Non so da che parte partire per far arrivare la notizia a chi potrebbe essere interessato, voi come fareste?

The European Commission has launched a public consultation to gather your views about the impact of data retention rules in view of adoption of legislative and non-legislative measures at EU level. Here's EDRi's guide on how to answer the tricky consultation.

The post Public consultation on ”retention of data by service providers for criminal proceedings”. Answering guide for civil society organisations and individuals. appeared first on European Digital Rights (EDRi).