What the Flock? It’s probably just some quirk of The Almighty Algorithm, but ever since we featured a story on Flock’s crime-fighting drones last week, we’ve been flooded with other stories about the company, some of which aren’t very flattering. The first thing that we were pushed was this handy interactive map of the company’s network of automatic license plate readers. We had no idea how extensive the network was, and while our location is relatively free from these devices, at least ones operated on behalf of state, county, or local law enforcement, we did learn to our dismay that our local Lowe’s saw fit to install three of these cameras on the entrances to their parking lot. Not wishing to have our coming and goings documented, we’ll be taking our home improvement dollars elsewhere for now.

But it’s a new feature being rolled out by Flock that really got our attention: the addition of “human distress” detection to their Raven acoustic gunshot detection system. From what we understand, gunshot detection systems use the sudden acoustic impulse generated by the supersonic passage of a bullet, the shock wave from the rapidly expanding powder charge of a fired round, or both to detect a gunshot, and then use the time-of-arrival difference between multiple sensors to estimate the shot’s point of origin. Those impulses carry a fair amount of information, but little of it is personally identifiable, at least directly. On the other hand, human voices carry a lot of personal information, and detecting the sounds of distress, such as screaming, would require very different monitoring techniques. We’d imagine it would be akin to what digital assistants use to monitor for wake words, which would mean turning the world — or at least pockets of it — into a gigantic Alex. We don’t much like the idea of having our every public utterance recorded and analyzed, even with the inevitable assurances from the company that the “non-distress” parts of the audio stream will never be listened to. Yeah, right.

Botnets are bad enough when it’s just routers or smart TVs that are exploited to mine crypto or spam comments on social media. But what if a botnet were made of, you know, actual robots? That might be something to watch out for with the announcement of a vulnerability in certain Unitree robots, including several of their humanoid robots. The vulnerability, still unpatched at the time of the Spectrum story, lies in the Bluetooth system used to set up the robots’ WiFi configuration. It sounds like an attacker can easily craft a BLE packet to become an authenticated user, after which the WiFi SSID and password fields can be used to inject arbitrary code. The fun doesn’t end there, though, since a compromised robot could then go on to infect any other nearby Unitree bots via BLE. And since Unitree seems to be staking out a market position as the leader in affordable humanoid robots, who’s to say what could happen? If you want a zombie robot apocalypse, this seems like a great way to get it.

Also from the “Bad Optics for Robots” files comes this story about a Waymo car that went just a little off course. Or rather, on course — a golf course, to be precise. Viral video shows a Waymo self-driving Jaguar creeping slowly across a golf course fairway as bemused golfers look on. But you can relax, because the robotaxi company says that this isn’t a case of their AI driving system going awry, but rather a human-driven robotaxi preparing for an event at the golf course. The company seems to think this absolves them, and perhaps it does officially and legally. But a very distinctive car that’s well-known for getting into self-driving mischief, appearing in a place one doesn’t typically associate with vehicles larger than golf carts, seems like a bad look for the company.

And finally, back in December of 2023, we dropped a link to My Mechanics’ restoration of a 1973 Datsun 240Z. He’s been making slow but steady progress on the car since then, with the most recent video covering his painstaking restoration of the rear axle and suspension. Where most car rebuild projects use as many replacement parts as possible, My Mechanics prefers to restore the original parts wherever possible. So, where a normal person might look at the chipped cooling fins on the original Z-car’s brake drums and order new ones, My Mechanics instead pulls out the TIG welder and lays up some beads to patch the broken fins. He used a similar technique to restore the severely chowdered compression fittings on the brake lines, something we’ve never seen down before. Over the top? You bet it is, but it still makes for great watching. Enjoy!

youtube.com/embed/LolBuzO8RWw?…

hackaday.com/2025/10/05/hackad…

The GOP wants to shutdown the federal government.

It is true that Congress failed to pass a 2026 appropriation bill. The GOP controlled House passed an extension spending bill, but it did not pass in the Senate. It failed in the Senate because it did not have the 60 votes needed to close debate (i.e. cloture) and the Democrats were not willing to provide those votes without changes such as rolling back the GOP’s increase in health insurance premiums for Affordable Care Act recipients or blocking Trump’s unconstitutional efforts to not spend money Congress has already appropriated.

Requiring 60 votes to close debate is a Senate rule that can be changed by a simple majority vote in the Senate. There is nothing in the constitution that requires it. The GOP majority in the Senate could change the rule to close debate with a majority and pass their appropriations extension.

They choose not to. It allows GOP office holders to blame anyone, except themselves. The corporate media parrot their lies.

The GOP wants the federal government shutdown.

I am not talking about the changes in the bill. It is awful, of course, and would continue to let Trump use ICE to illegally round up people in apartment buildings, whether citizens, or immigrants documented or not. Trump could still force national guard members to illegally act like police in cities in other states. Trump has already laid off 12% of federal all workers and the bill would continue to let him illegally hold back billions of dollars Congress appropriated. Billions that should be given to clean energy projects, state transportation projects, VA benefits and needed medical research.

The GOP wants the federal government shutdown.

They want millions of federal workers to suffer from being furloughed unable to provide needed government services. They want us to face uncertainty and loss because those services are not available or require us to waste even more of our time to access them.

Since Trump was inaugurated the GOP has sought a federal government shutdown. Through the DOGEbros, they started their government shutdown as they held back funding and pushed illegal layoffs. The cost has been high to the rest of us. The economy and hiring has flatlined. Prices increased.

They don’t care.

The GOP wants the federal government shutdown and they will use any tool they have to make it happen.

Vote Pirate!

masspirates.org/blog/2025/10/0…

Steve, Joe and James discuss HorizonMass/BINJ effort to use public records requests to determine if the drones over the Boston Dominican Parade and Caribbean Carnival were owned by the Boston Police Department. We also discussed the Trump administration’s recent efforts to censor free speech and an ex-Florida sheriff’s deputy attempt to spread disinformation from Russia.

youtube.com/embed/rHy8jXfhQVw?…

Sign up to our newsletter to get notified of new events or volunteer. Join us on:

• Mastodon;
• Facebook;
• Blue Sky;
• Twitter.

Some links we mentioned:

• Our Administrative Coup Memory Bank;
• Our Things to Do when Fascists are Taking Over;
• Did The BPD Fly A Surveillance Drone Over The Dominican Parade? They Won’t Tell Us.
• Disney Plus Subscribers Quit in Droves Over Jimmy Kimmel Axe;
• 2025 shootings of Minnesota legislators;
• Russian fake-news network, led by an ex-Florida sheriff’s deputy, storms back into action with 200+ new sites.

Image Credit: CC-By-2.0 image via Wikipedia Commons by Maurizio Pesce.

uspirates.org/mass-pirate-news…

There are all kinds of air quality sensors on the market that rely on all kinds of electro-physical effects to detect gases or contaminants and report them back as a value. [lucascreator] has instead been investigating a method of determining air quality that is closer to divination than measurement—using computer vision and a trained AI model.

The system relies on an Unihiker K10—a microcontroller module based around the ESP32-S3 at heart. The chip is running a lightweight convolutional neural network (CNN) trained on 12,000 images of the sky. These images were sourced from a public dataset; they were taken in India and Nepal, and tagged with the relevant Air Quality Index at the time of capture. [lucascreator] used this data to train their model to look at an image taken with a camera attached to the ESP32 and estimate the air quality index based on what it has seen in that existing dataset.

It might sound like a spurious concept, but it does have some value. [lucascreator] cites studies where video data was used for low-cost air quality estimation—not as a replacement for proper measurement, but as an additional data point that could be sourced from existing surveillance infrastructure. Performance of such models has, in some cases, been remarkably accurate.

[lucascreator] is pragmatic about the limitations of their implementation of this concept, noting that their very compact model didn’t always perform the best in terms of determining actual air quality. The concept may have some value, but implementing it on an ESP32 isn’t so easy if you’re looking for supreme accuracy. We’ve featured some other great air quality projects before, though, if you’re looking for other ways to capture this information. Video after the break.

youtube.com/embed/_N6jWXNrcxI?…

hackaday.com/2025/10/05/divini…

Oracle ha pubblicato un avviso di sicurezza relativo a una vulnerabilità critica identificata come CVE-2025-61882 presente nella suite Oracle E-Business. La falla può essere sfruttata da remoto senza necessità di autenticazione, consentendo potenzialmente l’esecuzione di codice malevolo sui sistemi colpiti.

L’azienda raccomanda ai propri clienti di applicare immediatamente gli aggiornamenti indicati nell’avviso. Oracle sottolinea l’importanza di mantenere le versioni dei prodotti attivamente supportate e di installare senza ritardo tutte le patch di sicurezza critiche. In particolare, l’aggiornamento delle patch critiche rilasciate nell’ottobre 2023 rappresenta un prerequisito per l’implementazione delle nuove correzioni.

Per supportare il rilevamento e il contenimento immediato di eventuali attacchi, l’avviso include una matrice dei rischi con indicatori di compromissione, quali indirizzi IP sospetti, comandi e file associati agli exploit conosciuti.

Prodotti interessati e patch disponibili

La vulnerabilità interessa specificamente le versioni di Oracle E-Business Suite dalla 12.2.3 alla 12.2.14. La documentazione ufficiale, disponibile tramite i link forniti da Oracle, contiene informazioni dettagliate sulle patch e sulle modalità di installazione.

Supporto e versioni legacy

Le patch fornite tramite il programma Security Alert sono disponibili solo per le versioni coperte dal Premier Support o dall’Extended Support secondo la Lifetime Support Policy di Oracle.

Le versioni non incluse in questi programmi non vengono testate per le vulnerabilità segnalate, anche se potrebbero comunque essere interessate. Per questa ragione, Oracle consiglia l’aggiornamento alle versioni supportate per garantire protezione e compatibilità con le patch di sicurezza.

Come verificare se si è affetti dal bug

La vulnerabilità CVE-2025-61882 riguarda Oracle E‑Business Suite ed è sfruttabile da remoto senza autenticazione, con potenziale esecuzione di codice remoto se sfruttata con successo.

Su GitHub è stato pubblicato un metodo pubblico di rilevamento che aiuta a identificare istanze potenzialmente non aggiornate. Il metodo segnala un’istanza come sospetta quando la pagina restituisce la stringa “E-Business Suite Home Page” e l’intestazione HTTP Last-Modified riporta una data precedente al 4 ottobre 2025 (timestamp Unix 1759602752).

Questo approccio è descritto come uno strumento di individuazione — non come un vettore di attacco — e dovrebbe essere usato esclusivamente per scopi di verifica e difesa. Per rimuovere il rischio, Oracle raccomanda l’applicazione delle patch indicate nell’avviso di sicurezza e l’aggiornamento alle versioni supportate.

Indicatori di compromissione (IOC)

Di seguito sono riportati gli indicatori di compromissione (indirizzi IP, comandi osservati e file) per supportare il rilevamento, la ricerca e il contenimento immediati.

L'articolo Vulnerabilità da 9.8 in Oracle E-Business Suite: aggiornamenti urgenti necessari proviene da il blog della sicurezza informatica.

The idea of using the Apple II home computer for digital photography purposes may seem somewhat daft considering that this is not a purpose that they were ever designed for, yet this is the goal that [Colin Leroy-Mira] had, requiring some image decoder optimizations. That said, it’s less crazy than one might assume at first glance, considering that the Apple II was manufactured until 1993, while the Apple QuickTake digital cameras that [Colin] wanted to use for his nefarious purposes saw their first release in 1994.

These QuickTake cameras feature an astounding image resolution of up to 640×480, using 24-bit color. Using the official QuickTake software for Apple Macintosh System 7 through 9 the photographs in proprietary QTK format could be fetched for display and processing. Doing the same on an Apple II would obviously require a bit more work, not to mention adapting of the image to the limitations of the 8-bit Apple II compared to the Motorola 68K and PowerPC-based Macs that the QuickTake was designed to be used with.

Targeting the typical ~1 MHz 6502 CPU in an Apple II, the dcraw QTK decoder formed the basis for an initial decoder. Many memory and buffer optimizations later, an early conversion to monochrome and various other tweaks later – including a conversion to 6502 ASM for speed reasons – the decoder as it stands today manages to decode and render a QTK image in about a minute, compared to well over an hour previously.

Considering how anemic the Apple II is compared to even a budget Macintosh Classic II system, it’s amazing that displaying bitmap images works at all, though [Colin] reckons that more optimizations are possible.

hackaday.com/2025/10/05/optimi…

Gli esperti hanno svelato i dettagli di tre vulnerabilità, ora risolte, presenti nell’assistente di intelligenza artificiale Gemini di Google, collettivamente soprannominate “Gemini Trifecta” .

Se sfruttate con successo, queste falle avrebbero potuto indurre l’intelligenza artificiale a rubare dati e ad altre attività dannose.

Gli esperti di Tenable affermano che le vulnerabilità hanno interessato tre diversi componenti di Gemini:

Iniezioni di prompt in Gemini Cloud Assist. Il bug ha permesso agli aggressori di compromettere servizi e risorse cloud sfruttando la capacità dello strumento di riepilogare i log estratti direttamente dai log grezzi. Ciò ha consentito loro di nascondere un prompt nell’intestazione User-Agent nelle richieste HTTP a Cloud Functions e ad altri servizi, tra cui Cloud Run, App Engine, Compute Engine, Cloud Endpoints, Cloud Asset API, Cloud Monitoring API e Recommender API.

Iniezioni di ricerca nel modello di personalizzazione della ricerca Gemini. Il problema consentiva l’iniezione di prompt e il controllo del comportamento dell’IA per rubare le informazioni memorizzate e i dati sulla posizione di un utente. L’attacco funzionava come segue: l’aggressore manipolava la cronologia delle ricerche di Chrome della vittima utilizzando JavaScript, rendendo il modello incapace di distinguere le query legittime dell’utente dai prompt iniettati esternamente.

Iniezioni indirette di prompt nello strumento di navigazione Gemini. Questa vulnerabilità potrebbe essere utilizzata per estrarre informazioni utente e dati sulla posizione memorizzati su un server esterno. Lo sfruttamento funzionava tramite una chiamata interna effettuata da Gemini per riassumere il contenuto di una pagina web. Ciò significava che l’aggressore avrebbe inserito un prompt dannoso sul proprio sito web e, quando Gemini ne avesse riassunto il contenuto, avrebbe eseguito le istruzioni nascoste dell’aggressore.

I ricercatori hanno osservato che queste vulnerabilità hanno consentito di incorporare dati privati degli utenti nelle richieste dell’aggressore, senza che Gemini avesse bisogno di visualizzare link o immagini.

“Uno degli scenari di attacco più pericolosi si presenta così: un aggressore inserisce un prompt che ordina a Gemini di interrogare tutte le risorse accessibili al pubblico o di trovare errori di configurazione IAM, per poi generare un collegamento ipertestuale con questi dati sensibili”, spiegano gli esperti, citando come esempio un bug di Cloud Assist. “Questo è possibile perché Gemini ha le autorizzazioni per interrogare le risorse tramite la Cloud Asset API.”

Nel secondo caso, gli aggressori dovevano attirare la vittima su un sito web predisposto per iniettare query di ricerca dannose con prompt Gemini nella cronologia del browser dell’utente, infettandola. Quindi, quando la vittima accedeva a Gemini Search Personalization, le istruzioni degli aggressori venivano eseguite, rubando dati riservati.

Dopo aver ricevuto informazioni sulle vulnerabilità, gli specialisti di Google hanno disabilitato il rendering dei collegamenti ipertestuali nelle risposte durante il riepilogo dei log e hanno inoltre implementato ulteriori misure di protezione contro le iniezioni rapide.

“Le di Gemini Trifecta dimostrano che l’intelligenza artificiale può diventare non solo un bersaglio, ma anche uno strumento di attacco. Quando si implementa l’intelligenza artificiale, le organizzazioni non possono trascurare la sicurezza“, sottolineano i ricercatori.

L'articolo Gemini Trifecta: tre bug critici rilevati nell’AI di Google proviene da il blog della sicurezza informatica.