Evolution Of the Internet

Comparing the internet’s growth to Darwin’s theory of evolution helps explain how it has changed over time, with each stage adapting to the needs, behaviours, and technologies of its time.

The initial phase, known as Web 1 (spanning the 1990s to the early 2000s), was characterised by the internet’s primary function as an information dissemination tool. During this period, only site owners managed content, resulting in a read-only experience for users and a unidirectional flow of information similar to a digital brochure.

Tim O’Reilly introduced the term “Web 2.0” in 2004, marking a new era as mobile services expanded, broadband connectivity improved, and technologies such as AJAX and HTML5 emerged. The internet became interactive, enabling users to create, share, and engage with content without needing special skills. This change opened new ways for people to communicate and connect worldwide.

But as Web 2.0 grew, a few big companies gained significant power and control over data. They decided how information was shared, which voices were heard, and how personal data was handled. Algorithms control every piece of information and opinion. At the same time, many of these platforms rely on business models that depend on extensive data collection, with user behaviour fueling targeted advertising. While these services often appear free, the trade-off is a gradual loss of privacy, autonomy, and control over one’s digital presence.

Concerns about this central control, privacy, and reliance on these platforms led to the idea of a new kind of internet, now called Web 3.0.

What is Web 3.0?

The internet is now moving toward a more user-focused phase, where data ownership is decentralised. Web 3.0 uses technologies such as blockchain and the Semantic Web to return control of data and digital assets to users rather than large technology companies. This change aims to enhance the transparency, security, and personalisation of online experiences.

Key Characteristics of Web 3.0

1. Decentralisation

Control is shared across networks rather than held by a single company or authority. This means that people need not rely on centralised platforms as much.

2. User control over data and identity

Users have more control over their digital identities and personal data, rather than giving that control to platforms by default.

3. Reduced intermediaries

Web 3.0 aims to cut out intermediaries by enabling people to interact, share, and make transactions directly, without needing a central platform to manage these actions.

4. Transparency by design

Many Web 3.0 systems are designed to make rules, transactions, and changes open and verifiable, rather than hidden within private systems.

5. Permissionless participation

Anyone can participate without approval from a central authority, provided they comply with the network’s rules.

6. Resilience and censorship resistance

The distribution of data and services increases the difficulty for any single entity to shut down platforms or completely silence users.

People often use the term Web 3.0 to refer to technologies such as cryptocurrencies, tokens, or blockchain-based finance. However, the main features listed above also make Web 3.0 useful in many areas, including supply chain management, gaming and the metaverse, healthcare, content creation and social media, intellectual property, and digital identity.

​

How Does Web 3.0 Work – A Brief Sneak Peek

At its core, Web 3.0 changes how information is stored and managed. Instead of storing data on servers owned by a single company, information is distributed across networks. The action is cryptographically signed by the user, verified by multiple participants, and recorded in a shared ledger that is difficult to alter. This structure reduces reliance on central intermediaries and makes manipulation or data abuse more difficult, while shifting greater control and responsibility to users. Although the technology driving Web 3.0 is complex, the primary goal is simple: to give users greater control and responsibility.

​

Web 3.0: An Emerging, Yet Unsettled, Part of the EU’s Digital Vision

Freedom, Democracy, and Respect for human rights have been the core pillars of the European Union since its inception. These principles have been a centre of discussion whenever policies are framed, and the digital space is no exception. The European Union has signalled a clear willingness to invest in the development of Web 3.0-relevant technologies through official strategies, infrastructure development, and research funding. The European Union is actively shaping the digital world by protecting users, ensuring fair competition, and defending fundamental rights.

​

A Few Examples:

• The Commission’s blockchain and Web3 strategy outlines policy support, funding programmes, and legal frameworks to foster innovation in decentralised systems.
• Web 3.0-aligned technologies are being evaluated for identity and credential management and secure data exchange.
• EU funding programmes support projects on decentralised data, privacy-preserving technologies, and interoperability. (In recent times, 2016-2019, the EU invested 180 million Euros in a project called Horizon Europe, with grants expected to flow in the future as well)

Web 3.0 Is Still A probability, Not A Concrete Solution Yet.

However, the EU also values legal certainty, accountability, and consumer protection, which can be challenging to achieve in decentralised systems. As a result, the relationship between Web 3.0 and EU policy is still developing, reflecting both a willingness to innovate and a careful approach to potential risks. In this light, it is imperative to understand the complications and challenges associated with Web 3.0.

Challenges of Web 3.0:

• Still in its nascent stage, the technology underlying Web 3.0 is complex and not widely known. Concepts such as private keys, smart contracts, wallets, and decentralised storage are still largely unfamiliar and challenging for non-tech-savvy users.
• Centralised platforms outperform Web 3.0 due to easier user navigation. Influencing users to shift from a seamless platform to a complex option would require substantial investment in digital education and community building, as well as time.
• Beneath the layers of immutable privacy structures, due to a decentralised mechanism for data sharing and storage, technologies such as Web 3.0 lack accountability systems. In the absence of a centralised moderation mechanism, addressing harmful or illegal content, misinformation, and responding to abuse becomes challenging. Once the content is stored, its removal becomes nearly impossible.
• Protocols may be decentralised in theory, but small groups of developers or influential participants still influence many major decisions. This can recreate power imbalances similar to centralised platforms, undermining ideals of shared governance.
• Although Web 3.0 may be emerging as a technical solution to censorship, it is critical to understand that technology alone cannot address deeper social and political issues. Issues such as governance, community norms, power dynamics, and regulatory compliance require broader approaches beyond code.
• For less experienced users, the sole onus for online security, privacy, and data management, owing to greater control, could be overwhelming.

Looking ahead: between regulation and re-imagining

As Europe debates the future of its digital space, organisations such as European Digital Rights reiterate that technology alone does not secure freedom or fairness online. ERDi firmly believes that human rights, data protection, and democratic accountability should be the core of any discussion of new digital systems. From this perspective, Web 3.0 is neither a solution nor a threat in itself, but offers a new avenue of technological experimentation that must operate within existing legal frameworks and fundamental rights.

In the current political landscape, EU initiatives such as the Digital Services Act, the Digital Markets Act, and ongoing discussions around chat control and the Digital Omnibus reflect growing concern about platform dominance, surveillance, and the limits of the Web 2.0 model. These laws aim to correct structural harms through regulation, but also raise deeper questions about how digital infrastructures are designed and who ultimately holds power over them.

In this context, Web 3.0 can be seen as part of a broader conversation about decentralisation and user agency rather than a finished alternative. While its principles resonate with long-standing European Pirate values around privacy, autonomy, and resistance to excessive central control, decentralised technologies also risk creating new concentrations of power if left unchecked. EDRI’s cautious approach emphasises the need for civic interest control, civil society involvement, and robust safeguards.

The interaction between regulation and experimentation will likely shape Europe’s digital future. If approached critically and inclusively, discussions around Web 3.0 can help imagine an internet where innovation supports user rights, rather than undermining them.

​

​

​

​

​

​

europeanpirates.eu/europes-nex…

This week’s Hackaday Podcast sees Elliot Williams joined by Jenny List for an all-European take on the week, and have we got some hacks for you!

In the news this week is NASA’s Maven Mars Orbiter, which may sadly have been lost. A sad day for study of the red planet, but at the same time a chance to look back at what has been a long and successful mission.

In the hacks of the week, we have a lo-fi camera, a very refined Commodore 64 laptop, and a MIDI slapophone to entertain you, as well as taking a detailed look at neutrino detectors. Then CYMK printing with laser cut stencils draws our attention, as well as the arrival of stable GPIB support for Linux. Finally both staffers let loose; Elliot with an epic rant about spreadsheets, and Jenny enthusiastically describing the Haiku operating system.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

It’s dangerous to go alone. Here, take this MP3.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 349 Show Notes:

News:

• NASA May Have Lost The MAVEN Mars Orbiter

What’s that Sound?

• Congratulations to [kenbob] for guessing the spinning down washing machine. Everyone else tune in next year for your shot at the first sound of 2026.

Interesting Hacks of the Week:

• Liberating AirPods With Bluetooth Spoofing
  
  • GitHub – tyalie/AAP-Protocol-Defintion: Decoding the Apple Accessory Protocol
  • Bypassing Airpods Hearing Aid Georestriction With A Faraday Cage

  
  

• Nostalgic Camera Is A Mashup Of Analog Video Gear
  
  • Hidden Camera Build Proves You Can’t Trust Walnuts

  
  

• Neutrino Transmutation Observed For The First Time
  
  • Detecting Anti-Neutrinos From Distant Fission Reactors Using Pure Water At SNO+
  • Engineering Lessons From The Super-Kamiokande Neutrino Observatory Failure
  • Detecting Neutrinos, The Slippery Ghost Particles That Don’t Want To Interact

  
  

• Building A Commodore 64 Laptop
  
  • 3D Printed Pi Laptop Honors The Iconic GRiD Compass

  
  

• Taking Electronics To A Different Level
  
  • Taking It To Another Level: Making 3.3V Speak With 5V
  • Philips application note 97055, Bi-directional level shifter for I²C-bus and other systems.

  
  

• Finally, A Pipe Slapophone With MIDI

Quick Hacks:

• Elliot’s Picks:
  
  • WiFi Menorah For Eight Nights Of Bandwidth
  • Laser Cutter Plus CYMK Spraypaint Equals Full-Color Prints
  • Why Push A Button When A Machine Can Do It For You

  
  

• Jenny’s Picks:
  
  • After Decades, Linux Finally Gains Stable GPIB Support
  • 3D Printing And Metal Casting Are A Great Match
  • The Lethal Danger Of Combining Welding And Brake Cleaner

  
  

Can’t Miss Articles:

• A Brief History Of The Spreadsheet
• Jenny’s Daily Drivers: Haiku R1/beta5

hackaday.com/2025/12/19/hackad…

The Kodak Charmera is a tiny keychain camera produced by licencing out the name of the famous film manufacturer, and it’s the current must-have cool trinket among photo nerds. Inside is a tiny sensor and a fixed-focus M7 lens, and unlike many toy cameras it has better quality than its tiny package might lead you to expect. There will always be those who wish to push the envelope though, and [微攝 Macrodeon] is here to fit a lens mount for full-size lenses (Chinese language, subtitle translation available).

The hack involves cracking the camera open and separating the lens mount from the sensor. This is something we’re familiar with from other cameras, and it’s a fiddly process which requires a lot of care. A C-mount is then glued to the front, from which all manner of other lenses can be attached using a range of adapters. The focus requires a bit of effort to set up and we’re guessing that every lens becomes extreme telephoto due to the tiny sensor, but we’re sure hours of fun could be had.

The Charmera is almost constantly sold out, but you should be able to place a preorder for about $30 USD if you want one. If waiting months for delivery isn’t your bag, there are other cameras you can upgrade to C-mount.

youtube.com/embed/FMZ74QCaLdw?…

hackaday.com/2025/12/19/attach…

As the saying goes — when life gives you lemons, you make lemonade. When life gives you a two-ton surplus industrial robot arm, if you’re [Brian Brocken], you apparently make a massive 3D printer.

The arm in question is an ABB IRB6400, a serious machine that can sling 100 to 200 kilograms depending on configuration. Compared to that, the beefiest 3D printhead is effectively weightless, and the Creality Sprite unit he’s using isn’t all that beefy. Getting the new hardware attached uses (ironically) a 3D printed mount, which is an easy enough hack. The hard work, as you might imagine, is in software.

As it turns out, there’s no profile in Klipper for this bad boy. It’s 26-year-old controller doesn’t even speak G-code, requiring [Brian] to feed the arm controller the “ABB RAPID” dialect it expects line-by-line, while simultaneously feeding G-code to the RAMPS board controlling the extruder. If you happen to have the same arm, he’s selling the software that does this. Getting that synchronized reliably was the biggest challenge [Brian] faced. Unfortunately that means things are slowed down compared to what the arm would otherwise be able to do, with a lot of stop-and-start on complex models, which compromises print quality. Check the build page above for more pictures, or the video embedded below.

[Brian] hopes to fix that by making better use of the ABB arm’s controller, since it does have enough memory for a small buffer, if not a full print. Still, even if it’s rough right now, it does print, which is not something the engineers at ABB probably ever planned for back before Y2K. [Brian]’s last use of the arm, carving a DeLorean out of styrofoam, might be closer to the original design brief.

Usually we see people using 3D printers to build robot arms, so this is a nice inversion, though not the first.

youtube.com/embed/peY_KK_nGc8?…

hackaday.com/2025/12/19/surplu…

There’s something immensely satisfying about taking a series of low impact CVEs, and stringing them together into a full exploit. That’s the story we have from [Mehmet Ince] of Prodraft, who found a handful of issues in the default PostHog install instructions, and managed to turn it into a full RCE, though only accessible as a user with some configuration permissions.

As one might expect, it all starts with a Server Side Request Forgery (SSRF). That’s a flaw where sending traffic to a server can manipulate something on the server side to send a request somewhere else. The trick here is that a webhook worker can be primed to point at localhost by sending a request directly to a system API.

One of the systems that powers a PostHog install is the Clickhouse database server. This project had a problem in how it sanitized SQL requests, namely attempting to escape a single quote via a backslash symbol. In many SQL servers, a backslash would properly escape a single quote, but Clickhouse and other Postgresql servers don’t support that, and treat a backslash as a regular character. And with this, a read-only SQL API is vulnerable to SQL injection.

These vulnerabilities together just allow for injecting an SQL string to create and run a shell command from within the database, giving an RCE and remote shell. The vulnerabilities were reported through ZDI, and things were fixed earlier this year.

FreePBX

Speaking of SQL injections, FreePBX recently fixed a handful of SQL injections and an authentication bypass, and researchers at horizon3.ai have the scoop. None of these particular issues are vulnerable without either questionable configuration changes, or access to a valid PHP session ID token. The weakness here seems to be a very similar single quote injection.

Another fun SQL injection in FreePBX requires the authorization type swapped to webserver. But with that setting in place, an injected authentication header with only a valid user name is enough to pull off an SQL injection. The attack chosen for demonstration was to add a new user to the users table. This same authentication header spoof can be used to upload arbitrary files to the system, leading to an easy webshell.

Google Project Zero’s Refresh

We’ve often covered Google’s Project Zero on this column, as their work is usually quite impressive. As their blog now points out, the homepage design left something to be desired. That’s changed now, with a sleek and modern new look! And no, that’s not actually newsworthy here; stop typing those angry comments. The real news is the trio of new posts that came with the refresh.

The most recent is coverage of a VirtualBox VM excape via the NAT network driver. It’s covering a 2017 vulnerability, so not precisely still relevant, but still worth a look. The key here is a bit of code that changes the length of the data structure based on the length of the IP header. Memory manipulation from an untrusted value. The key to exploitation is to manipulate memory to control some of the memory where packets are stored. Then use IP fragmentation packets to interleave that malicious data together and trigger the memory management flaw.

The second post is on Windows exploitation through race conditions and path lookups. This one isn’t an exploit, but an examination of techniques that you could use to slow the Windows kernel down, when doing a path lookup, to exploit a race condition. The winner seems to be a combination of nested directories, with shadow directories and symbolic links. This combination can cost the kernel a whopping three minutes just to parse a path. Probably enough time.

The third entry is on an image-based malware campaign against Samsung Android phones. Malicious DNG files get processed by the Quram image processing library on Samsung devices. DNG images are a non-proprietary replacement for .raw image files, and the DNG format even includes features like embedding lens correction code right in the file format. This correction code is in the form of opcodes, that are handled very much like a script or small program on the host device. The Quram library didn’t handle those programs safely, allowing them to write outside of the allocated memory for the image.

Bits and Bytes

The E-note domain and servers have been seized by law enforcement. It’s believed that $70 million worth of ransomware and cryptocurrency theft has passed through this exchange service, as part of a money laundering operation. A Russian national has been named as the man behind the service, and an indictment has been made, but it seems that no actual arrests have been made.

Dropbear 2025.89 has been released, fixing a vulnerability where a user with SSH access could connect to any unix socket as root. This mishandling of socket permissions can lead to escalation of privilege in a multitude of ways.

React2shell was exploited in the wild almost as soon as it was announced. We covered the vulnerability as it was happening a couple weeks ago, and now it’s clear that ransomware campaigns were launched right away to take advantage of the exploit. It’s also reported that it was used in Advanced Persistent Threat (APT) campaigns right away as well. Real Proof of Concept code is also now available.

Thanks for All the Fish!

And lastly, on a personal note: Thank you to all the readers of this column over the last six years, and to the Hackaday editors for making it happen. I’ve found myself in the position of having four active careers at once, and with the birth of my son in November, I have four children as well. Something has to give, and it’s not going to be any of the kids, so it’s time for me to move on from a couple of those careers. This Week in Security has been a blast, ever since the first installment back in May of 2019. With any luck, another writer will pick up the mantle early next year. (Editor’s note: We’re working on it, but we’ll miss you!)

And if you’re a fan of FLOSS Weekly, the other thing I do around here, don’t worry, as it’s not going anywhere. Hope to see you all there!

hackaday.com/2025/12/19/this-w…

Una nuova vulnerabilità nei componenti FreeBSD responsabili della configurazione IPv6 consente l’esecuzione remota di codice arbitrario su un dispositivo situato sulla stessa rete locale dell’aggressore. Il problema riguarda tutte le versioni supportate del sistema operativo e richiede un’azione immediata per proteggere i dispositivi.

È stata scoperta una vulnerabilità nelle utility “rtsold” e “rtsol“, utilizzate per elaborare i messaggi pubblicitari del router come parte del meccanismo di configurazione automatica degli indirizzi IPv6. È stato scoperto che questi programmi non convalidano il parametro del suffisso di dominio passato in tali messaggi, inviandolo direttamente all’utility “resolvconf“, responsabile dell’aggiornamento della configurazione DNS.

Tuttavia, “resolvconf” è scritto come uno script shell e non filtra i dati in arrivo. L’assenza di escape implica che qualsiasi codice dannoso passato tramite il parametro domain list può essere eseguito sul sistema. Pertanto, un aggressore sulla stessa subnet può eseguire comandi sul dispositivo di destinazione senza richiedere privilegi di amministratore o interazioni precedenti.

Secondo gli sviluppatori di FreeBSD , il problema è limitato alle reti locali, poiché gli annunci del router non vengono instradati e non possono attraversare i confini dei segmenti di rete. Tuttavia, riguarda tutti i sistemi che utilizzano l’autoconfigurazione IPv6, in particolare le interfacce con il flag “ACCEPT_RTADV” abilitato, verificabile tramite “ifconfig“.

Per gli utenti che non utilizzano IPv6, non vi è alcun rischio. In caso contrario, si consiglia di aggiornare urgentemente il sistema all’ultima versione.

Gli aggiornamenti sono ora disponibili per tutte le branch di FreeBSD supportate, incluse le versioni 15.0, 14.3 e 13.5. L’aggiornamento è possibile sia tramite il meccanismo di patching binario integrato sia applicando modifiche al codice sorgente.

L’identificatore della vulnerabilità registrata è CVE-2025-14558. Le correzioni sono state pubblicate il 16 dicembre 2025 e sono incluse nei rami stabile e di rilascio di FreeBSD.

L'articolo Vulnerabilità critica in FreeBSD: eseguibile codice arbitrario via IPv6 proviene da Red Hot Cyber.

Contro la falsa informazione pro-inceneritore.

Nell’articolo dell’edizione romana di ieri a firma di Salvatore Giuffrida leggiamo “Il cantiere a Santa Palomba partirà entro il primo trimestre del 2026 e durerà 32 mesi, fino a oltre la metà del 2028”. Il sottotitolo contiene la prima menzogna o bufala, come preferite. Le attività di costruzione dureranno 39 mesi e non 32 come scrive il giornalista e il cantiere terminerà nel maggio 2029. Attenzione, non siamo noi a dichiaralo ma è scritto nero su bianco sul più recente cronoprogramma del proponente.

“Il 2026 sarà l’anno del termovalorizzatore di Roma”. Nell’attacco del pezzo si condensa tutto lo strumentario della retorica tipica dei fan dell’incenerimento che si guarda bene dal ricordare, neppure incidentalmente che i poteri straordinari sono stati attributi per impiantistica destinata a far fronte all’afflusso straordinario dei pellegrini del Giubileo 2025. Un impianto che a Giubileo terminato non è ancora autorizzato e il cui iter è potuto andar avanti esclusivamente a forza di ordinanze, con la Procura di Roma che sta indagando al riguardo. Profili questi, guarda caso, del tutto omessi.

“Bisogna ancora aspettare due anni per inaugurare l’impianto, ma il percorso è già avviato: di fatto è ormai concluso il procedimento autorizzatorio unico regionale, Paur, che riunisce in un unico atto tutte le valutazioni, i pareri e le autorizzazioni di competenza regionale necessarie a realizzare il progetto e avviare il cantiere.”

Il procedimento non è affatto concluso. Ci sono i pareri contrari dei comuni di Albano, Ardea e Pomezia. C’è soprattutto la Soprintendenza Speciale di Roma ha tutta la competenza e decisive motivazioni per bocciare gli elaborati progettuali nella conferenza di servizi in corso e per contestare la procedura avviata in virtù delle proprie prerogative istituzionali discendenti dall’articolo 9 della Costituzione, attuato dal codice dei beni culturali.

Seguono poi i consueti ritornelli della propaganda inceneritorista: “Saranno inoltre realizzati quattro impianti ausiliari per recuperare le ceneri pesanti, un impianto fotovoltaico, una rete di teleriscaldamento e un sistema sperimentale per catturare l’anidride carbonica. Il termovalorizzatore sarà capace di bruciare 600mila tonnellate l’anno di rifiuti e di produrre energia elettrica per circa 200mila abitazioni”.

Al riguardo solo due repliche lampo a proposito di teleriscaldamento e sistema sperimentale cattura CO2. Il teleriscaldamento, conti alla mano, riguarderà un centinaio di famiglie. Dovranno provare di avere il contratto di fornitura indispensabile per la verifica del coefficiente R1 indice di efficienza energetica per ricondurre l’impianto tra quelli di recupero energetico.

Sull’impianto di cattura della CO2, oltre a non essere sperimentale come evidenziato dallo stesso proponente basti ricordare che la massima cattura equivale ad appena l’1per mille della Co 2 emessa. Su questo ci sono ben due esposti alla Corte dei conti ma anche su questo silenzio tombale.
Le 200 mila abitazioni che vorranno l’energia elettrica prodotta, non l’avranno certo a gratis ma dovranno pagarla a prezzi di mercato.

“Infine, a ottobre il Comune ha ratificato un protocollo d’intesa con Ferrovie dello Stato per gestire la logistica ambientale in merito al trasporto dei rifiuti senza costi aggiuntivi per le parti.” Un protocollo d’intesa privo di qualsivoglia autentica portata, chissà perché riportarlo?
Davanti a tanta spudorata propaganda rispondiamo con il nostro prossimo appuntamento: la mattina di lunedì 29 dicembre sit-in presso la Soprintendenza speciale di Roma per smuoverla a tutelare i beni archeologici presenti nell’area del progetto e che verrebbero irrimediabilmente distrutti.

Concludiamo il nostro comunicato richiamando il recentissimo parere contrario della Regione Lazio nella conferenza di servizi sulla discarica di Tor Tignosa che lascia l’inceneritore privo della sua discarica di servizio.
Non serve il giornalismo di inchiesta, sarebbe sufficiente il semplice giornalismo.
Buona serata!

19 dicembre 2025