slowforward.net/2024/08/14/sit…

slowforward

2024-08-14 16:07:56

• Situationist Films (the site)
• SI Film Texts
• SI Films
• Situationist Library

plus: 1000littlehammers.wordpress.co…
_

slowforward.net/2024/08/14/sit…

#000000 #archive #archives #archivi #archivio #cinema #ffffff #film #films #freePdfs #freelyDownloadableTexts #GuyDebord #InternazionaleSituazionista #pdf #pdfs #RaoulVaneigem #Sì #SIFilmTexts #situationistInternational #SituationistLibrary #Situazionismo #situazionisti

SI Film Texts

I’ll limit texts here as they pertain to SI film. If you are interested in more Situationist texts I’ve also compiled an extensive SI library at 1000littlehammers, which includes links …

^{Situationist Archive}

slowforward.net/2024/08/14/ong…

slowforward

2024-08-14 14:12:09

strong content. beware:

slowforward.net/2024/08/14/ong…

#apartheid #Gaza #genocide #genocidio #izrahell #massMurders #massacres #massacri #omicidiDiMassa #Palestina #Palestine

ongoing video and photo updates on izrahell slaughtering innocents in palestine with the complicity of u.s. and u.e.

^slowforward

Remember the game 2048? You slide numbered tiles around on a grid, combining them until you have one tile with a value of 2048 (although it’s possible to go higher). Legend has it that 2048 was created by a bored teenager in the space of a weekend to see if he could program a game from scratch.

It only took a couple of weekends for [David] to get Tiny2048 up and running. In this version, each RGB value represents a number value, and input comes from a rudimentary gesture detector — tilt it this way and that to move the LEDs and combine the ‘numbers’. As you might imagine, it was a bit tricky to use colors to represent numbers, so each one had to be sufficiently unique.

[David] says that the LED matrix is a string of WS2812 LEDs in a grid formation, controlled by an ESP32-S3-MINI-1. Although this may be overkill, [David] broke out a bunch of IO at the top of the board so it can be used in the future as a dev board. Be sure to check it out in blinkenlight action after the break!

youtube.com/embed/jsQ5zGucPhM?…

I try not to go off on security rants in the newsletter, but this week I’m unable to hold back. An apparent breach of a data aggregator has resulted in a monster dataset of US, UK, and Canadian citizens names, addresses, and social security numbers. As a number of reports have pointed out, the three billion records in the breach likely contain duplicate individuals, because they include all the addresses where you’ve lived, and there have only been on the order of 450 million US social security numbers issued anyway.

But here’s the deal. Each of these data aggregators, and each of the other companies that keep tons of data on you, are ticking time bombs. Maybe not every one of them gets breached, but there’s certainly enough incentive for the bad guys to try to do so. (They are looking to sell the NPD dataset mentioned above for $3.5 million.)

My gut feeling is that eventually all of the information on everyone will be released. Maybe then it will cease to be interesting to new crops of crooks, because there’s nothing new to learn.

On the other hand, the sheer quantity of identity thefts that this, and future breaches, will unleash on us all is mind-boggling. In the case of legitimate data aggregators like this one, requesting to have had your data out of their dataset appears to have been a viable defense. But for every one legit operator, there are others that simply track you. When they get hacked, you lose.

This breach is likely going to end in a large lawsuit against the company in question, but it almost certainly won’t be big enough to cover the damage to everyone in the affected countries. Is it time that companies that hold large datasets will have to realize that the data is a liability as well as an asset?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

Una nuova ricerca pubblicata sul New England Journal of Medicine mostra progressi significativi nello sviluppo di impianti cerebrali che consentono ai pazienti affetti da sclerosi laterale amiotrofica (SLA) di riacquistare la capacità di comunicare.

Due studi indipendenti, ciascuno dei quali ha coinvolto un paziente affetto da SLA, hanno dimostrato l’efficacia dell’utilizzo di interfacce cervello-computer (BCI) per ripristinare la parola in pazienti paralizzati.

Lo studio su un uomo di 45 anni

Uno studio è stato condotto su un uomo di 45 anni affetto da sclerosi laterale amiotrofica (SLA), nota anche come malattia di Lou Gehrig. A causa della malattia, ha praticamente perso la capacità di parlare e solo la sua infermiera poteva comunicare con lui, comprendendo solo circa sette parole al minuto, un valore significativamente inferiore alla norma, poiché la velocità media in un normale discorso è di circa 160 parole al minuto.

Durante l’esperimento, nel cervello del paziente sono stati impiantati quattro array di microelettrodi realizzati da Blackrock Neurotech, che hanno registrato l’attività neurale nelle aree del cervello responsabili del linguaggio e della parola, utilizzando 256 elettrodi, significativamente di più rispetto agli studi precedenti.

Il software che decodificava i segnali poteva adattarsi rapidamente e apprendere nuove parole, cosa che prima era impossibile da ottenere. Già il secondo giorno di utilizzo del sistema, il paziente ha iniziato a comunicare utilizzando un dizionario di 125mila parole. Le parole decodificate sono state visualizzate su uno schermo e pronunciate utilizzando un programma di sintesi vocale che simulava la voce pre-SLA del paziente.

Il paziente ha espresso grande gioia di poter riconnettersi con amici e familiari. Ha notato che sua figlia di cinque anni, che non ricordava la sua voce prima della malattia, all’inizio era un po’ timida, ma ora è orgogliosa che suo padre sia “diventato un robot”.

I risultati dell’esperimento

Durante l’esperimento è stato possibile raggiungere una velocità vocale di 32 parole al minuto, mentre il numero di errori è stato solo del 2,5%. In confronto, le app di dettatura sugli smartphone hanno un tasso di errore di circa il 5% e le persone sane commettono errori dell’1-2% quando leggono ad alta voce.

Il secondo studio si è concentrato su una donna che sette anni fa, all’età di 58 anni, ha ricevuto una neuroprotesi più primitiva da Medtronic. Il dispositivo ha funzionato con successo per sei anni, consentendo al paziente di comunicare tramite clic. Tuttavia, la progressiva atrofia cerebrale causata dalla SLA ha reso l’interfaccia inefficace, sebbene non siano stati riscontrati difetti tecnici.

Il dottor Edward Chang, neurochirurgo dell’Università della California, San Francisco, non coinvolto nella ricerca, ha affermato che i risultati forniscono prove convincenti che le interfacce cervello-computer potrebbero essere una soluzione clinica praticabile per ripristinare la comunicazione nelle persone con paralisi. Tuttavia, a suo avviso, ulteriori ricerche potrebbero richiedere la scoperta di nuove aree del cervello con cui interagire e che siano meno suscettibili alla degenerazione durante lo sviluppo della malattia.

L'articolo Un Uomo affetto da SLA riparla dopo 5 anni grazie allo sviluppo di impianti celebrali proviene da il blog della sicurezza informatica.

Although the designation ‘Air Force One’ is now commonly known to refer to the airplane used by the President of the United States, it wasn’t until Eisenhower that the US President would make significant use of a dedicated airplane. He would have a Lockheed VC-121A kitted out to act as his office as commander-in-chief. Called the Columbine II after the Colorado columbine flower, it served a crucial role during the Korean War and would result the coining of the ‘Air Force One’ designation following a near-disaster in 1954.

This involved a mix-up between Eastern Air Lines 8610 and Air Force 8610 (the VC-121A). After the Columbine II was replaced with a VC-121E model (Columbine III), the Columbine II was mistakenly sold to a private owner, and got pretty close to being scrapped.
In 2016, the plane made a “somewhat scary and extremely precarious” 2,000-plus-mile journey to Bridgewater, Virginia, to undergo a complete restoration. (Credit: Dynamic Aviation)
Although nobody is really sure how this mistake happened, it resulted in the private owner stripping the airplane for parts to keep other Lockheed C-121s and compatible airplanes flying. Shortly before scrapping the airplane, he received a call from the Smithsonian Institution, informing him that this particular airplane was Eisenhower’s first presidential airplane and the first ever Air Force One. This led to him instead fixing up the airplane and trying to sell it off. Ultimately the CEO of the airplane maintenance company Dynamic Aviation, [Karl D. Stoltzfus] bought the partially restored airplane after it had spent another few years baking in the unrelenting sun.

Although in a sorry state at this point, [Stoltzfus] put a team led by mechanic [Brian Miklos] to work who got the airplane in a flying condition by 2016 after a year of work, so that they could fly the airplane over to Dynamic Aviation facilities for a complete restoration. At this point the ‘nuts and bolts’ restoration is mostly complete after a lot of improvisation and manufacturing of parts for the 80 year old airplane, with restoration of the Eisenhower-era interior and exterior now in progress. This should take another few years and another $12 million or so, but would result in a fully restored and flight-worthy Columbine II, exactly as it would have looked in 1953, plus a few modern-day safety upgrades.

Although [Stoltzfus] recently passed away unexpectedly before being able to see the final result, his legacy will live on in the restored airplane, which will after so many years be able to meet up again with the Columbine III, which is on display at the National Museum of the USAF.

All’inizio del prossimo anno, OpenAI introdurrà la prossima versione del suo principale modello linguistico, ChatGPT5. Si prevede che il nuovo modello sarà in grado di risolvere problemi logici complessi e problemi complessi alla stregua di una persona con un dottorato di ricerca.

Tuttavia, anche con questi impressionanti miglioramenti, è improbabile che ChatGPT5 raggiunga il livello di comprensione del mondo che avrebbe anche un bambino di cinque anni.

Abilità linguistiche: chi è migliore?

I modelli linguistici moderni come ChatGPT dimostrano già capacità impressionanti nell’elaborazione e nella generazione di testi. Possono creare poesie, scrivere articoli scientifici e spiegare argomenti complessi come se stessero discutendo di qualcosa di semplice. Tuttavia, la loro comprensione del testo si basa sull’analisi di enormi quantità di dati e su statistiche piuttosto che sull’esperienza personale o sull’intuizione.

Allo stesso tempo, un bambino di cinque anni, pur non avendo un vocabolario così ampio, si distingue per la sua capacità di inventare e raccontare storie. Le loro storie possono includere trame fantasy in cui gli unicorni combattono i robot e il cane di famiglia si rivela un eroe segreto. Questa immaginazione spontanea e senza restrizioni crea la magia speciale delle storie per bambini.

Conoscenza del mondo: Enciclopedia contro immaginazione

Quando si tratta di fatti, i modelli linguistici non sono secondi a nessuno. Possono rispondere immediatamente a una domanda sulla capitale del Bhutan o sulla formula chimica del sale da cucina. Tuttavia, comprendere le situazioni della vita reale come il comportamento umano o le leggi fisiche rimane una sfida per l’intelligenza artificiale.

Un bambino di cinque anni, anche se fa infinite domande come “Perché la luna ci segue?” o “Come mangiano gli alberi?” ha una comprensione intuitiva dei principi di base della realtà. Ad esempio, un bambino sa che se cade un bicchiere dal tavolo si romperà e che gli alberi crescono perché hanno bisogno di acqua e luce. Se manca la conoscenza, è piena di immaginazione, che dà origine a idee sorprendenti sul mondo che ci circonda.

Buon senso e contesto: dov’è che l’IA resta indietro?

Nonostante le loro capacità logiche, i modelli linguistici continuano a non essere all’altezza. Possono fare inferenze basate su dati testuali, ma spesso mancano di comprensione contestuale. Ad esempio, l’IA potrebbe capire che se piove il terreno si bagna, ma potrebbe non rendersi conto che è una buona idea portare un ombrello se il testo non lo indica.

Un bambino di cinque anni, al contrario, capisce intuitivamente che i libri non dovrebbero essere messi sulla torta, anche se potrebbe provare a farlo per curiosità. Sa anche che deve mettersi il pigiama e lavarsi i denti prima di andare a letto, ma può insistere per indossare un mantello da supereroe nel caso debba volare nel sonno.

Immaginazione e creatività: intelligenza artificiale contro pensiero infantile

I modelli linguistici possono generare storie su draghi e cavalieri o creare storie futuristiche di fantascienza combinando elementi da un enorme database. La loro scrittura può essere creativa, ma spesso non è originale perché limitata dai dati su cui è stata formata.

Allo stesso tempo, un bambino di cinque anni può creare mondi in cui ogni cane indossa un cappello e degli occhiali e un arcobaleno è accanto a una giraffa, perché è quello che vuole. L’immaginazione dei bambini non ha limiti e questa è la sua forza.

Intelligenza emotiva: abilità che l’intelligenza artificiale non ha ancora padroneggiato

I modelli linguistici possono rilevare sfumature emotive nel testo e generare risposte appropriate, ma il loro coinvolgimento nelle emozioni rimane superficiale. Agiscono come “detective delle emozioni” piuttosto che come partecipanti attivi.

Un bambino di cinque anni, al contrario, sente profondamente le emozioni di chi lo circonda. Se qualcuno piange, il bambino può offrirgli il suo giocattolo preferito o semplicemente un abbraccio per confortarlo. È importante per lui non solo capire cosa dire, ma anche come agire in risposta allo stato emotivo degli altri.

Risultati: macchina contro uomo

ChatGPT5 rappresenterà sicuramente un significativo passo avanti nello sviluppo dell’intelligenza artificiale, offrendo enormi capacità di elaborazione e generazione di testi. Tuttavia, nonostante ciò, i modelli di intelligenza artificiale rimangono limitati nella comprensione del mondo, nel buon senso e nella profondità emotiva. I bambini di cinque anni, pur non possedendo una conoscenza enciclopedica, compensano con la loro immaginazione, comprensione intuitiva del contesto e genuina capacità di empatia. Sono queste qualità che rendono le persone così uniche e inimitabili, anche rispetto alle tecnologie più avanzate.

L'articolo Arriva Chat-GPT5! Una Super Intelligenza da PhD con un intuito ben al di sotto di un bambino proviene da il blog della sicurezza informatica.

Have you ever heard of Fordite? It was a man-made agate-like stone that originated from the Ford auto factories in the 1920s. Multiple layers of paint would build up as cars were painted different colors, and when it was thick enough, workers would cut it, polish it, and use it in jewelry. [SheltonMaker] uses a similar technique to create artwork using a laser engraver and shares how it works by showing off a replica of [Van Gogh’s] “Starry Night.”
A piece of Fordite on a pendant
The technique does have some random variation, so the result isn’t a perfect copy but, hey, it is art, after all. While true Fordite has random color layers, this technique uses specific colors layered from the lightest to the darkest. Each layer of paint is applied to a canvas. Only after all the layers are in place does the canvas go under the laser.

The first few layers of paint are white and serve as a backer. Each subsequent layer is darker until the final black layer. The idea is that the laser will cut at different depths depending on the desired lightness. A program called ImagR prepared the image as a negative image. Adjustments to the brightness, contrast, and gamma will impact the final result.

Of course, getting the exact power settings is tricky. The best result was to start at a relatively low power and then make more passes at an even lower power until things looked right. In between, compressed air cleared the print, although you have to be careful not to move the piece, of course.

There are pictures of each pass, and the final product looks great. If art’s not your thing, you can also do chip logos. While the laser used in this project is a 40-watt unit, we’ve noted before that wattage isn’t everything. You could do this—probably slower—with a lower-powered engraver.

Fordite image By [Rhonda] CC BY-SA 2.0.

Il 9 agosto 2024, gli utenti russi hanno segnalato in massa problemi con Signal. Allo stesso tempo, alcuni hanno notato che Signal non funzionava neanche con l’uso di una VPN, e i problemi sono iniziati l’8 agosto.

I rappresentanti del Roskomnadzor (RKN) della Federazione Russa hanno riferito che l’agenzia ha un accesso limitato al sistema di messaggistica sicuro “a causa della violazione dei requisiti della legislazione russa”.

Roskomnadzor, ha successivamente confermato che il Messenger è stato effettivamente bloccato in Russia.

“L’accesso al messenger Signal è limitato a causa della violazione dei requisiti della legislazione russa, la cui attuazione è necessaria per impedire l’uso per scopi terroristici ed estremisti“, ha riferito il servizio stampa RKN.

Roskomnadzor non ha specificato quali requisiti legali siano stati violati.

L'articolo Muri Digitali: Signal fuori dalla Federazione Russa proviene da il blog della sicurezza informatica.

E’ una provocazione? Ovviamente.

Anche perché il pagamento del premio è direttamente proporzionale alla “insicurezza” aziendale che viene valutata durante la stipula. Oggi come oggi l’assicurazione cyber deve essere paragonata ad un rischio comune, come un incendio ad un capannone di produzione o ad un incidente sul lavoro.

La Casa Bianca sta sviluppando una nuova polizza assicurativa informatica volta a proteggere da incidenti informatici catastrofici. La nuova politica dovrebbe essere introdotta entro la fine dell’anno. Lo ha affermato il direttore nazionale della Cyber ​​Security Harry Coker alla conferenza Black Hat 2024 .therecord.media/white-house-cy…

L’obiettivo della nuova politica è gestire i rischi, non evitarli. Ciò è necessario per stabilizzare i mercati assicurativi e migliorare il livello di sicurezza informatica nel Paese. Il governo degli Stati Uniti vuole prepararsi in anticipo a possibili incidenti informatici, per non affrettarsi a sviluppare misure di emergenza quando il disastro si è già verificato. Tale preparazione dovrebbe migliorare la resilienza economica e la fiducia del mercato.

Una delle sfide principali rimane la mancanza di dati per la valutazione del rischio. Coker ha osservato che il lavoro è ora concentrato su questo problema.

Sebbene i dettagli della nuova polizza non siano stati ancora resi noti, i rappresentanti dell’ONCD hanno confermato che l’attuale mercato assicurativo non è sufficientemente preparato per incidenti informatici catastrofici. Le agenzie stanno prendendo in considerazione una serie di misure che potrebbero migliorare la sicurezza informatica della nazione e garantire la stabilità del mercato.

Il mercato delle assicurazioni informatiche è da tempo controverso. Gli esperti ritengono che i pagamenti assicurativi possano contribuire ad aumentare il numero di attacchi da estorsione. Alcuni hacker stabiliscono addirittura l’importo del riscatto in base alle polizze assicurative delle vittime.

Inoltre, è in corso un dibattito giuridico sul ruolo dell’assicurazione informatica in caso di attacchi da parte di uno stato-nazione.

L'articolo Ma se la Casa Bianca fa l’Assicurazione Cyber, a che serve un programma di Cybersecurity? proviene da il blog della sicurezza informatica.

A luglio è apparso nel cyberspazio un nuovo gruppo di ransomware, chiamato Mad Liberator, che utilizza il programma Anydesk e tecniche di ingegneria sociale per infiltrarsi nei sistemi aziendali, rubare dati e chiedere riscatti.

Gli esperti di Sophos hanno rivelato i metodi di attacco del gruppo utilizzando l’esempio di un incidente in fase di studio.

A differenza della maggior parte dei ransomware, Mad Liberator non crittografa i file, ma si concentra piuttosto sul furto di informazioni e sulle minacce di fuga di dati. Mad Liberator gestisce anche un sito web dove pubblica i dati rubati se il riscatto non è stato pagato.

Per penetrare nei sistemi, Mad Liberator utilizza Anydesk, che viene spesso utilizzato dalle aziende per gestire da remoto i computer. Le vittime, ignare del pericolo, accettano richieste di connessione, credendo che la richiesta provenga dal reparto IT dell’organizzazione. Dopo aver ottenuto l’accesso al dispositivo, gli aggressori avviano un falso processo di aggiornamento di Windows.

Mentre l’utente guarda il falso aggiornamento, gli hacker ottengono l’accesso allo spazio di archiviazione e ai file di OneDrive sul server aziendale. Utilizzando la funzione FileTransfer di Anydesk, gli aggressori scaricano dati riservati e utilizzano anche lo strumento Advanced IP Scanner per cercare di sondare altri dispositivi sulla rete. In questo caso il ransomware non ha trovato alcun sistema prezioso e si è limitato solo al computer principale. Una volta completato il furto, gli hacker lasciano una richiesta di riscatto sul dispositivo.

L’attacco è durato quasi 4 ore, al termine delle quali gli aggressori hanno completato il falso aggiornamento e disabilitato la sessione di Anydesk, restituendo il controllo del dispositivo alla vittima.

È interessante notare che il malware è stato lanciato manualmente, senza riavvio automatico. Ciò significa che il malware è rimasto inattivo sul sistema della vittima anche dopo la conclusione dell’attacco.

L'articolo Mad Liberator: La vulnerabilità sei solo tu! Anydesk e aggiornamento Windows per per un hack di successo proviene da il blog della sicurezza informatica.

A feature of many modern network-connected entertainment devices is that they will play streamed music while on standby mode. This so-called “network standby”is very useful if you fancy some gentle music but don’t want the Christmas lights or the TV. It was a feature [Caramelfur] missed on their Sony AV receiver, something especially annoying because it’s present on the US-market equivalent of their European model. Some gentle hackery ensued, and now the rece3iver follows its American cousin.

A first examination of the firmware found the two downloads to be identical, so whatever differences had to be in some form of configuration. Investigating what it exposed to the network led to a web server with device configuration parameters. Some probing behind the scenes and a bit of lucky guesswork identified the endpoint to turn on network standby, and there it was, the same as the US market model. Should you need it, the tooling is in a GitHub repository.

This isn’t the first time we’ve seen identical hardware being shipped with different firmwares in Europe from that in the USA, perhaps our most egregious example was a Motorola phone with a much earlier Android version for Europeans. We don’t understand why manufacturers do it, in particular with such an innocuous feature as network standby. If you have a Sony receiver you can now fix it, but you shouldn’t have to.

RJ45, Devcore, CC0.

Recently Canada’s Canadarm2 caught its 50th spacecraft in the form of a Northrop Grumman Cygnus cargo vessel since 2009. Although perhaps not the most prominent part of the International Space Station (ISS), the Canadarm2 performs a range of very essential functions on the outside of the ISS, such as moving equipment around and supporting astronauts during EVAs.
Power and Data Grapple Fixture on the ISS (Credit: NASA)
Officially called the Space Station Remote Manipulator System (SSRMS), it is part of the three-part Mobile Servicing System (MSS) that allows for the Canadarm2 and the Dextre unit to scoot around the non-Russian part of the ISS, attach to Power Data Grapple Fixtures (PDGFs) on the ISS and manipulate anything that has a compatible Grapple Fixture on it.

Originally the MSS was not designed to catch spacecraft when it was installed in 2001 by Space Shuttle Endeavour during STS-100, but with the US moving away from the Space Shuttle to a range of unmanned supply craft which aren’t all capable of autonomous docking, this became a necessity, with the Japanese HTV (with grapple fixture) becoming the first craft to be caught this way in 2009. Since the Canadarm2 was originally designed to manipulate ISS modules this wasn’t such a major shift, and the MSS is soon planned to also started building new space stations when the first Axiom Orbital Segment is launched by 2026. This would become the Axiom Station.

With the Axiom Station planned to have its own Canadarm-like system, this will likely mean that Canadarm2 and the rest of the MSS will be decommissioned with the rest of the ISS by 2031.

Top image: Canadarm2 captures Cygnus OA-5 S.S. Alan Poindexter in late 2016 (Credit: NASA)

[Mellow_Labs] wanted an Everything Presence Lite kite but found it was always out of stock. Therefore, he decided to create his own. The kit uses a millimeter wave sensor as a super-sensitive motion tracker for up to three people. It can even read your heart rate remotely. You can see a video of the project below.

There are a few differences from the original kit. Both use the C4001 24 GHz human presence detection sensor. However, the homebrew version also includes a BME680 environmental sensor.

If you haven’t seen a millimeter wave sensor—often written mmwave—before, it is essentially a tiny radar that can measure movement, acceleration, and angles very accurately. They are available at different microwave wavelengths and have onboard processing to easily provide useful information for a processor like the one in this project. The processor on board is an ESP32, which works well with [Mellow_Labs’] home automation system.

A 3D-printed case rounds everything out. Circuit-wise, there isn’t much going on since everything is on a module PCB. You essentially just have to connect everything together.

These sensors can do a lot of things. For example, inspecting pipelines. Another common way to detect people is to use a specialized camera.

youtube.com/embed/P8RO9gjs_h4?…

We’ve all got our favorite hand tools, and while the selection criteria are usually pretty subjective, it usually boils down to a combination of looks and feel. In our opinion, the king of both these categories when it comes to screwdrivers is those clear, hard acetate plastic handles, which are a joy to use — at least until the plastic starts to degrade and exude a characteristically funky aroma.

But perhaps we can change that if these experiments on screwdriver “mange” hold up. That’s [357magdad]’s unappealing but accurate description of the chemical changes that eventually occur in the strong, hard, crystal-clear handles of your favorite screwdrivers. The polymer used for these handles is cellulose acetate butyrate, or CAB, which is mostly the same cellulose acetate that replaced the more explode-y cellulose nitrate in things like pool balls and movie film, except with some of the acetate groups replaced with a little butyric acid. The polymer is fine at first, but add a little UV light and over time the outer layer of CAB decomposes into a white flaky cellulose residue while the butyric acid volatilizes, creating the characteristic odor of vomitus. Lovely.

In the video below, [357magdad] takes a look at different concoctions that all allegedly cure the mange. TL, DW; it was a dunk in household ammonia that performed the best, well ahead of other common agents like vinegar and bleach. The ammonia — or more precisely, ammonium hydroxide — works very quickly on the cellulose residue, dissolving it readily and leaving the handle mange-free and looking nearly new after some light scrubbing. None of the other agents came close, although acetone did manage to clear up the mange a bit, at the cost of softening the underlying CAB in a process that’s probably similar to acetone smoothing ABS prints.

As for the funky smell, well, the results were less encouraging. Nothing really got rid of the pukey smell, even a roll in baking soda. We suspect there won’t be much for that, since humans can detect it down to 10 parts per million. Consider it the price to pay for a nice-looking screwdriver that feels so good in your hand.

youtube.com/embed/n_Q4zsE_bFA?…

If you’re thinking about building a single tiny game or even a platform, you might be tempted to use a single button for everything. Such is the case with [Alex]’s Salsa ONE minimalist game console, which is inspired by both the Arduboy and the ergonomics of the SanDisk Sansa music player.

With Salsa ONE, [Alex] aimed to make something that is both simple and challenging. The result is something that, awesomely enough, doesn’t need a PCB, and can be comfortably controlled with just one thumb. There isn’t much to this thing, which is essentially an RP2040, an OLED, a vibration motor, a buzzer, a button, and a CR2032 coin cell. [Alex] chose to program Salsa ONE in MicroPython. Be sure to check it out in action in the brief demo after the break.

Have you got an idea for a tiny game? Don’t hesitate to enter the 2024 Tiny Games Contest! You have until September 10th, so head on over to Hackaday.io and get started today.

youtube.com/embed/o96_ZfCg81I?…

You may have heard about a very large data breach, exposing the Social Security numbers of three billion individuals. Now hang on. Social Security numbers are a particularly American data point, and last time we checked there were quite a few Americans shy of even a half of a billion’s worth. As [Troy Hunt] points out, there are several things about this story that seem just a bit odd.

First up, the claim is that this is data grabbed from National Public Data, and there’s even a vague notice on their website about it. NPD is a legitimate business, grabbing data on as many people as possible, and providing services like background checks and credit checks. It’s not impossible that this company has records on virtually every citizen of the US, UK, and Canada. And while that’s far less than 2.9 billion people, it could feasibly add up to 2.9 billion records as was originally claimed.

The story gets strange as we consider the bits of data that have been released publicly, like a pair of files shared with [Troy] that have names, birthdays, addresses, phone numbers, and social security numbers. Those had a total of 2.69 billion records, with an average of 3 records for each ID number. That math is still just a little weird, since the US has to date only generated 450 million SSNs and change.

So far all we have are partial datasets, and claims on the Internet. The story is that there’s a grand total of 4 TB of data once uncompressed. The rest of the details are unclear, and it’s likely to take some time for the rest of the story to come out.

Windows IPv6 RCE

Microsoft has patched a Remote Code Execution (RCE) in Windows 10, 11, and server systems. By all accounts, it’s a nasty one, but there’s a redeeming wrinkle to the story, that may also be bad news. It’s an IPv6 vulnerability. The actual details are scarce, for obvious reasons. By next week, I anticipate someone will have reverse engineered the patch enough to have some details on the flaw.

What we do know is that Microsoft scores this a 9.8 out of 10 for severity, and considers it a low complexity attack that is likely to be used in the wild. Trend Micro considers it a wormable flaw. The built-in Windows firewall doesn’t block it, because the vulnerability triggers before processing by the firewall. This leads to a theory that it’s another problem related to defragmenting incoming IPv6 packets, or a similar process.

The good news is that it requires actual IPv6 connectivity, which at least in my corner of the world is a rather rare thing. It’s hard to know definitively without more details, but it’s at least likely that a proper stateful firewall would block these unsolicited IPv6 packets from the wider Internet. There’s still a lot of room for trouble inside the network — where you probably have working IPv6 connectivity even without routable IPv6 from your ISP. In conclusion, get this one patched ASAP.

Considering its harm, I will not disclose more details in the short term.

— wei (@XiaoWei___) August 14, 2024

Don’t Roll Your Own Crypto!

There’s a rallying cry, aimed at anyone responsible for build secure systems: “Don’t roll your own crypto!” But why? Surely a secret algorithm that only you understand is more secure, right? No. Particularly not when tools like Ghidra that put firmware reverse engineering within grasp of every security researcher. Case in point, the Vstarcam CB73 security camera that [Brown Fine Security] took a look at.

The first clue that somethign was wrong was that packets were being repeated, byte-for-byte identically. As [Brown] points out, a good cryptography scheme has some sort of protection against replay attacks. This one had none at all. Another issue with this homebrew crypto scheme is that it only has 256 possible internal states, and once you know the trick the whole thing is trivially decryptable, no key required. This is why you don’t roll your own crypto.

Old School CSS Trick

This write-up from Adepts of 0xCC is a trip down memory lane, to a time when browsers let websites get away with way more, like detecting whether links had been visited by detecting the style that the browser used to display them. Browsers eventually locked down those sorts of tricks, but what’s old is new again, with just a bit of cleverness. In this case, generate a captcha, and set the page’s CSS to make the visited links blend in with the background. The user completes the captcha, and based on which characters were typed, you have some basic history information. Clever!

Ring -2

The classic x86 architecture has a four ring system, where userspace applications run in Ring 3 and the kernel runs in Ring 0. But the sneaky truth is that our X86 processors are actually emulating the x86 instruction set, Rings 1 and 2 are never used, and there’s a CPU management engine running all the way down at Ring -3. This suggests to the security minded, that it would be particularly bad for something malicious to run at one of those hidden ring levels. And that’s exactly what [jjensn] managed to pull off.

In this case it’s in the motherboard firmware, in the System Management Engine. A bit of vulnerable code in a couple places allows writing data into protected SMRAM memory, into Ring -2. A bit of clever work corrupts the SMRAM just enough to jump into shellcode without crashing the machine. And suddenly an attacker can own a machine on a level two layers below the OS.

Bits and Bytes

Careful with your artifacts. Apparently quite a few Github CI scripts take the easy wqy out, and just zip up the entire work directory as an artifact. That’s not great, as generally artifacts are accessible to anyone with a GitHub account, and the .git folder very likely has a Github token in it.

Speaking of GitHub, another Chrome type confusion vulnerability was written up there in detail. As objects in JavaScript are manipulated, the engine is continually updating the underlying data structures. Cloning objects can be particularly tricky, and changing the properties of an object after a shallow copy can result in memory corruption. Memory corruption, fake objects, and finally code execution outside the JavaScript sandbox.

In Windows, the mark of the Web is rather important for security, warning users when they’re about to access or execute something from the Internet. It’s also been broken in many interesting ways over the years. Most recently, Web-based Distruted Authoring and Versioning (WEBDAV) shares are used, as they can be accessed by either the browser, or the Windows File Explorer. The most recent fix here adds Mark of the Web to files copied from WEBDAV shares using Explorer. Sneaky.

The summer doldrums are here, but that doesn’t mean that Elliot and Dan couldn’t sift through the week’s hack and find the real gems. It was an audio-rich week, with a nifty microsynth, music bounced off the moon, and everything you always wanted to know about Raspberry Pi audio but were afraid to ask. We looked into the mysteries of waveguides and found a math-free way to understand how they work, and looked at the way Mecanum wheels work in the most soothing way possible. We also each locked in on more classic hacks, Elliot with a look at a buffer overflow in Tony Hawks Pro Skater and Dan with fault injection user a low-(ish) cost laser setup. From Proxxon upgrades to an RC submarine to Arya’s portable router build, we’ve got plenty of material for your late summer listening pleasure.

html5-player.libsyn.com/embed/…
Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Worried about attracting the Black Helicopters? Download the DRM-free MP3 and listen offline, just in case.

Episode 284 Show Notes:

News:

• Possible Discovery Of Liquid Water In Mars’ Mid-Crust By The Insight Lander
• Superdeep Borehole Samples Create Non-boring Music

What’s that Sound?

• Last week’s sound was the startup chime from an SGI Indigo. But nobody guessed it right!
• Computer and Console Boot Sounds Compilation : Various : Free Download, Borrow, and Streaming : Internet Archive
• Boot chime for an SGI O2 — Dan used to use an O2, but wouldn’t have gotten it either.

Interesting Hacks of the Week:

• Kickflips And Buffer Slips: An Exploit In Tony Hawk’s Pro Skater
• Building AI Models To Diagnose HVAC Issues
• Inside The Mecanum Wheel
• Laser Fault Injection On The Cheap
  
  • Low-Cost Nanopositioning Hack Chat

  
  

• Tulip Is A Micropython Synth Workstation, In An ESP32
  
  • GitHub – shorepine/amy: AMY – the Additive Music synthesizer librarY
  • Generative Music Created In Minimalistic Javascript Code
  • Sonic Pi – The Live Coding Music Synth for Everyone

  
  

• The Waveguide Explanation You Wish You’d Had At School
  
  • Coax Stub Filters Demystified

  
  

Quick Hacks:

• Elliot’s Picks
  
  • Cheap DIY Button Pad Uses Neat Punchcard Trick
  • RC Submarine Build Starts With Plenty Of Research
  • Moonbounce Music

  
  

• Dan’s Picks:
  
  • Proxxon CNC Conversion Makes A Small Mill A Bit Bigger
  • Magnesium And Copper Makes An Emergency Flashlight
  • A Tiny Knob Keeps You In Control
    
    • For the curious

    
    

  
  

Can’t-Miss Articles:

• Audio On Pi: Here Are Your Options
• Portable Router Build: Picking Your CPU
  
  • Fail Of The Week: This Flash Drive Will NOT Self-Destruct In Five Seconds

  
  

Everyone likes a good lunar landing simulator, and [Dominic Doty] wrote a fun take on the idea: your goal is to write an autopilot controller to manage the landing. Try it out!
Virtual landers are far cheaper than real ones, thank goodness.
[Dominic] was inspired in part by this simple rocket landing game which is very much an exercise in reflex and intuition, not to mention being much faster-paced than the classic 1979 video game (which you can also play in your browser here.)

[Dominic]’s version has a similar classic look to the original, but embraces a more thoughtful approach. In it, one uses plain JavaScript to try to minimize the lander’s angle, velocity, and angular velocity in order to land safely on the generated terrain.

Want to see if you have the right stuff? Here’s a direct link to Lunar Pilot. Don’t get discouraged if you don’t succeed right away, though. Moon landings have had plenty of failures, and are actually very hard.

Some old computer languages are destined to never die. They do, however, evolve. For example, Fortran, among the oldest of computer languages, still has adherents, not to mention a ton of legacy code to maintain. But it doesn’t force you to pretend you are using punched cards anymore. In the 1970s, if you wanted to crunch numbers, Fortran was a good choice. But there was another very peculiar language: APL. Turns out, APL is alive and well and has a thriving community that still uses it.

APL has a lot going for it if you are crunching serious numbers. The main data type is a multidimensional array. In fact, you could argue that a lot of “modern” ideas like a REPL, list types, and even functional programming entered the mainstream through APL. But it did have one strange thing that made it difficult to use and learn.

[Kenneth E. Iverson] was at Harvard in 1957 and started working out a mathematical notation for dealing with arrays. By 1960, he’d moved to IBM and a few years later wrote a book entitled “A Programming Language.” That’s where the name comes from — it is actually an acronym for the book’s title. Being a mathematician, [Iverson] used symbols instead of words. For example, to create an array with the numbers 1 to 5 in it and then print it, you’d write:
⎕←⍳5
Since modern APL has a REPL (read-eval-print loop), you could remove the box and the arrow today.

What Key Was That?

Wait. Where are all those keys on your keyboard? Ah, you’ve discovered the one strange thing. In 1963, CRTs were not very common. While punched cards were king, IBM also had a number of Selectric terminals. These were essentially computer-controlled typewriters that had type balls instead of bars that were easy to replace.

With the right type ball, you could have 26 upper-case letters, 10 digits, a few control characters, and then a large number of “weird” characters. But it is actually worse than that. The available symbols were still not numerous enough for APL’s appetite. So some symbols required you to type part of the symbol, press backspace, then type more of the symbols, sometimes repeating the process several times. On a printing terminal, that works fine. For the CRTs that would soon take over, this was tough to do.

For example, a comment (like a REM in Basic or a // in C++) is represented by a thumbnail (⍝). In other words, this would be an APL comment:
⍝ This is a comment
To make that character, you’d type the “arch” part, backspace, then the “dot” part. Not very speedy. Not very practical on old CRT terminals, either.

The characters aren’t the only strange thing. For example, APL evaluates math right to left.

That is, 3×2+5 is 21 because the 2+5 happens first. You just have to get used to that.

A Solution

Of course, modern screens can handle this easily and most people use an APL keyboard mapping that looks like your normal keyboard, but inserts special symbols when you use the right Alt key (with or without the shift modifier). This allows the keyboard to directly enter every possible symbol.

Of course, your keyboard’s keycaps probably don’t have those symbols etched in, so you’ll probably want a cheat sheet. You can buy APL keycaps or even entire keyboards if you really get into it.

What’s GNU With You?

While there have been many versions of APL over the years, GNU APL is certainly the easiest to setup, at least for Linux. According to the website, the project has more than 100,000 lines of C++ code! It also has many modern things like XML parsers.
A US APL keyboard layout
The real trick is making your keyboard work with the stranger characters. If you are just playing around, you can consider doing nothing. You can see the keyboard layout by issuing the ]KEYBD command at the APL prompt. That will give you something like the adjacent keyboard layout image.

From that image, you can copy and paste odd characters. That’s a pain, though. I had good luck with this command line:
setxkbmap -layout us,apl -variant ,dyalog -option grp:switch
With this setup, I can use the right alt key to get most APL characters. I never figured out how to get the shifted alternate characters, though. If you want to try harder, or if you use a different environment than I do, you might read the APL Wiki.

An Example

Rather than do a full tutorial, here’s my usual binary search high low game. The computer asks you to think of a number, and then it guesses it. Not the best use of APL’s advanced math capabilities, but it will give you an idea of what it can do.

Here’s a survival guide. The upside-down triangle is the start or end of a function. You already know the thumbnail is a comment. A left-pointing arrow is an assignment statement. A right-pointing arrow is a goto (this was created in the 1960s; modern APL has better control structures, but they can vary between implementations). Square boxes are for I/O, and the diamond separates multiple statements on a single line.

∇ BinarySearchGame
⍝ Initialize variables
lower ← 1
upper ← 1024
turns ← 0
cheating ← 0

⍝ Start the game
'Think of a number between 1 and 1024.' ⋄ ⎕ ← ''

Loop:
turns ← turns + 1
guess ← ⌊(lower + upper) ÷ 2 ⍝ Make a guess using binary search

⍞ ← 'Is your number ', ⍕ guess, '? (h for high, l for low, c for correct): '
response ← ⍞

→ (response = 'c')/Finish ⍝ Jump to Finish if correct
→ (response = 'h')/TooHigh ⍝ Jump to TooHigh if too high
→ (response = 'l')/TooLow ⍝ Jump to TooLow if too low
→ InvalidInput ⍝ Invalid input

TooHigh:
upper ← guess - 1
→ (lower > upper)/CheatingDetected ⍝ Detect cheating
→ Loop

TooLow:
lower ← guess + 1
→ (lower > upper)/CheatingDetected ⍝ Detect cheating
→ Loop

InvalidInput:
⍞ ← 'Invalid input. Please enter "h", "l", or "c".' ⋄ ⎕ ← ''
turns ← turns - 1 ⍝ Invalid input doesn't count as a turn
→ Loop

CheatingDetected:
⍞ ← 'Hmm... Something doesn''t add up. Did you make a mistake?' ⋄ ⎕ ← ''
cheating ← 1
→ Finish

Finish:
→ (cheating = 0)/Continue ⍝ If no cheating, continue
→ EndGame

Continue:
⍞ ← 'Great! The number is ', ⍕ guess, '. It took ', ⍕ turns, ' turns to guess it.' ⋄ ⎕ ← ''

EndGame:
⍞ ← 'Would you like to play again? (y/n): '
restart ← ⍞
→ (restart = 'y')/Restart ⍝ Restart the game if 'y'
→ Exit ⍝ Exit the game otherwise

Restart:
BinarySearchGame ⍝ Restart the game

Exit:
⍞ ← 'Thank you for playing!' ⋄ ⎕ ← '' ⍝ Exit message
∇

What’s Next?

If you want to get an idea of how APL’s special handling of data make some programs easier, the APL Wiki has a good page for that. If you don’t want to install anything, you can run APL in your browser (although it is the Dyalog version, a very common choice for modern APL).

If you don’t want to read the documentation, check out [phoebe’s] video below. We always wanted the IBM computer that had the big switch to go from Basic to APL.

youtube.com/embed/UltnvW83_CQ?…

APL Keyboard image via Reddit

Come spesso riportiamo, il cybercrime non si ferma mai, soprattutto quando le difese delle aziende sono al minimo come il periodo delle ferie estive.

Ieri, in pieno ferragosto, la cyber gang Ciphbit rivendica un attacco informatico che ha coinvolto la FD-SRL, un’azienda dinamica e innovativa specializzata in soluzioni avanzate per diversi settori industriali.

L’attacco è stato rivendicato all’interno del Data Leak Site (DLS) di Ciphbit, che ha dichiarato di aver compromesso i sistemi della FD-SRL, minacciando di pubblicare i dati sottratti entro 3-4 giorni.

Al momento, non possiamo confermare la veridicità della notizia, poiché l’organizzazione non ha ancora rilasciato alcun comunicato stampa ufficiale sul proprio sito web riguardo l’incidente. Pertanto, questo articolo deve essere considerato come ‘fonte di intelligence‘.

Chi è FD-SRL?

FD-SRL è un’azienda italiana specializzata in opere pubbliche, con particolare attenzione alla costruzione di strade e ferrovie.

Grazie all’impiego di tecnologie avanzate e di una forza lavoro qualificata, l’azienda è in grado di offrire soluzioni efficienti, affidabili e sostenibili ai propri clienti, guadagnandosi così una reputazione di partner fidato nel suo settore.

Conclusione

L’attacco rappresenta una seria minaccia per FD-SRL, che ora si trova di fronte alla possibilità di vedere esposti dati sensibili relativi ai propri progetti e clienti. L’attacco è stato annunciato dalla piattaforma web Ransomfeed.

Come nostra consuetudine, lasciamo sempre spazio ad una dichiarazione da parte dell’azienda qualora voglia darci degli aggiornamenti sulla vicenda. Saremo lieti di pubblicare tali informazioni con uno specifico articolo dando risalto alla questione.

RHC monitorerà l’evoluzione della vicenda in modo da pubblicare ulteriori news sul blog, qualora ci fossero novità sostanziali. Qualora ci siano persone informate sui fatti che volessero fornire informazioni in modo anonimo possono utilizzare la mail crittografata del whistleblower.

L'articolo Ransomware di Ferragosto! Ciphbit rivendica un attacco informatico all’italiana FD-SRL proviene da il blog della sicurezza informatica.

Il gruppo RansomHub ha iniziato a utilizzare un nuovo software dannoso che disabilita le soluzioni EDR sui dispositivi per aggirare i meccanismi di sicurezza e ottenere il pieno controllo del sistema. Lo strumento, chiamato EDRKillShifter, è stato scoperto da Sophos dopo un attacco fallito nel maggio 2024.

EDRKillShifter è un malware che consente di condurre un attacco Bring Your Own Vulnerable Driver ( BYOVD ), utilizzando un driver legittimo ma vulnerabile per aumentare i privilegi, disabilitare i controlli di sicurezza e ottenere il controllo completo del sistema.

Sophos ha scoperto 2 diversi campioni EDRKillShifter, entrambi i quali utilizzano exploit PoC disponibili pubblicamente da GitHub. Uno degli esempi sfrutta il driver vulnerabile RentDrv2 e l’altro sfrutta il driver ThreatFireMonitor, che è un componente di un pacchetto di monitoraggio del sistema obsoleto.

EDRKillShifter è anche in grado di caricare driver diversi a seconda delle esigenze degli aggressori.
Catena di attacco EDRKillShifter
Il processo di esecuzione di EDRKillShifter è composto da tre passaggi. Innanzitutto, l’aggressore esegue un file binario con una password per decrittografare ed eseguire la risorsa BIN incorporata in memoria. Il codice quindi decomprime ed esegue il payload finale, che carica il driver vulnerabile per aumentare i privilegi ed uccidere i processi attivi dei sistemi EDR.

Il malware crea un nuovo servizio per il driver, lo avvia e carica il driver, quindi entra in un ciclo infinito, controllando continuamente i processi in esecuzione e terminandoli se i nomi dei processi corrispondono all’elenco crittografato di obiettivi.

Sophos consiglia di abilitare la protezione anti-manomissione nei prodotti per la sicurezza degli endpoint, di mantenere la separazione tra diritti utente e amministrativi per impedire agli aggressori di scaricare driver vulnerabili e di aggiornare regolarmente i sistemi, dato che Microsoft revoca regolarmente i certificati per i driver firmati che sono stati utilizzati in attacchi precedenti.

L'articolo Con EDRKillShifter vengono eluse le difese EDR da RansomHub per introdurre il ransomware proviene da il blog della sicurezza informatica.

When thinking of the first PCs, most of us might imagine something like the Apple I or the TRS-80. But even before that, there were a set of computers that often had no keyboard, or recognizable display beyond a few blinking lights. [Artem Kalinchuk] is attempting to recreate one of these very early digital computers, the Kenbak-1, using as many period-correct parts as possible.

Considered by many to be the world’s first personal computer, the Kenbak-1 was an 8-bit machine with 256 bytes of memory, using TTL integrated circuits for the logic as there was no commercially available microprocessor available at the time it was designed. For [Artem]’s build, most of these parts can still be sourced including the 7400-series chips and carbon resistors although the shift registers were a bit of a challenge to find. A custom PCB was built to replicate the original, and with all the parts in order it’s ready to be assembled and put into a case which was built using the drawings for the original unit.

Although [Artem] plans to build a period-correct linear power supply for this computer, right now he’s using a modern switching power supply for testing. The only other major components that are different are the status lamps, in this case switched to LEDs because he wasn’t able to source incandescent bulbs that drew low enough current, and the switches which he’s replaced with MX-style keys. We’ll stay tuned as he builds and tests this over the course of several videos, but in the meantime if you’re curious how this early computer actually worked we featured an emulator for it a while back.

youtube.com/embed/ffsnZ321Xv4?…