Turkey-Israel: a forced but very partial break
Despite Erdogan's bombastic statements and the block on trade relations decreed by Ankara, the ties between Turkey and Israel remain substantial
The article Turkey-Israel: a forced but very partial break originates from pagineesteri.it/2024/11/20/ape…
Cybersecurity and Emotions: the Secret to Avoiding Burnout and Unlocking Creativity
Emotions are not only a prerogative of individuals; they also permeate working environments. For a long time the world of work was seen as an exclusively rational domain in which emotions had to be kept in check. In recent years, however, the importance of recognising and managing emotions in the corporate setting, and in IT in particular, has emerged ever more clearly.
Why do emotions matter in a company?
Managing emotions is an important asset, a hidden treasure. A company that values and manages its employees' emotions can reap many benefits, improving productivity, creativity and organisational well-being.
The world of cybersecurity is often characterised by frantic rhythms, tight deadlines and a constant need to keep up to date. This inevitably generates stress and pressure, which can lead to negative emotions such as anxiety, frustration and burnout.
IT, although a field often associated with logic and rationality, is deeply influenced by emotions. Negative emotions in particular can have a significant impact on creativity, a fundamental element for solving complex problems and for innovation.
How do negative emotions inhibit creativity?
- A programmer stuck on a bug: the frustration of failing to solve a problem can lead to a mental block that prevents them from finding a creative solution.
- A project management office: the pressure of having to deliver a project by a deadline can limit its ability to explore different options.
- A development team in conflict: tensions within a team can create an environment hostile to creativity, inhibiting the exchange of ideas and collaboration.
How to manage emotions in a company?
The first step is to become aware of one's own emotions and those of others, and to try to understand what triggers negative emotions.
How to manage negative emotions at work?
- Recognise the emotions: the first step is to become aware of what you are feeling.
- Understand the causes: trying to understand what is triggering the negative emotions can help to find solutions.
- Communicate openly: talking to a trusted colleague, a superior or a professional can help to let off steam and find support.
- Use relaxation techniques: meditation, yoga and deep breathing can help to reduce stress and anxiety.
- Set limits: learning to say no and to delegate can help to avoid work overload.
- Mindfulness programmes: practices such as meditation and mindful breathing can help to reduce stress and improve concentration.
- Emotional coaching: a coach can help employees develop their emotional skills and achieve their goals.
- Team building: group activities can strengthen bonds between colleagues and improve collaboration.
- Constructive feedback: giving regular, specific feedback can help employees improve their performance and feel valued.
In conclusion, emotions are an integral part of working life and cannot be ignored. Recognising, understanding and managing emotions effectively is fundamental to creating a healthy, productive and satisfying work environment for everyone.
A stimulating and creative working environment can make the difference, fostering the birth of new ideas and solutions, especially in the cyber field. Cybersecurity is not only a technical matter but also a human adventure.
The article Cybersecurity and Emotions: the Secret to Avoiding Burnout and Unlocking Creativity originates from il blog della sicurezza informatica.
My first post
Good morning everyone. 😊
Since, years ago, I left Facebook (and all the other classic, toxic social networks) and landed in the Fediverse, many things have changed in how I perceive the social world and the web in general.
First I opened an account on Mastodon, then I got to know Friendica, Peertube and Pixelfed, but I have almost always written on Mastodon only, apart from the videos published on Peertube.
This morning I thought it would be nice to start interacting here too and to begin posting on Pixelfed as well.
This message is the first step of my good resolution.
How did you arrive in the Fediverse? What motivated you to change?
In lak'ech. 🙏
Marco
Most Extreme Hypergravity Facility Starts Up in China With 1,900 Times Earth’s Gravity
The schematic diagram of the experimental centrifuge. (Credit: Jianyong Liu et al., 2024)
Recently China's new CHIEF hypergravity facility came online to begin research projects, after construction began in 2018. Standing for Centrifugal Hypergravity and Interdisciplinary Experiment Facility, the name covers basically what it is about: using centrifuges, immense acceleration can be generated. With gravity defined as an acceleration on Earth of 1 g, hypergravity is thus a force of gravity >1 g. This is distinct from simple pressure as in e.g. a hydraulic press, as gravitational acceleration directly affects the object and defines characteristics such as its effective mass. This is highly relevant for many disciplines, including space flight, deep ocean exploration, materials science and aeronautics.
While humans can take a g-force (g0) of about 9 g0 (88 m/s²) sustained in the case of trained fighter pilots, the acceleration generated by CHIEF's two centrifuges is significantly above that, able to reach hundreds of g. For details of these centrifuges, this preprint article by [Jianyong Liu] et al. from April 2024 shows the construction of these centrifuges and the engineering that goes into their operation, especially the aerodynamic characteristics. Both air pressure (30 – 101 kPa) and arm velocity (200 – 1000 g) are considered, with the risks being overpressure and resonance, which if not designed for can obliterate such a centrifuge.
The acceleration of CHIEF is said to max out at 1,900 gravity tons (gt, weight of one ton due to gravity), which is significantly more than the 1,200 gt of the US Army Corps of Engineers’ hypergravity facility.
Chrome for Sale? The US Antitrust Authority Could Force Google to Sell the Famous Browser
The Antitrust Division of the US Department of Justice is preparing an unprecedented request to force Alphabet Inc. (Google's parent company) to sell the Chrome browser, sources report to Bloomberg. This could be the biggest restriction on the tech giant's activities in decades.
The case began under the first Trump administration and continued under Joe Biden. In August, federal judge Amit Mehta ruled that Google had illegally monopolised the market for search engines and search-related advertising.
Chrome is a key tool for the company's advertising business. The browser, which controls about 61% of the US market, tracks the activities of signed-in users and collects data for precise ad targeting, Google's main source of revenue. The company also steers users through Chrome to its flagship AI product, Gemini.
Antitrust officials and representatives of the states that have joined the case intend to submit to the federal judge a set of restrictions, namely:
- An obligation for Google to sell the Chrome browser.
- Requiring Google to license the results and data of its popular search engine.
- Giving websites more power to prevent their content from being used in Google's AI products.
- Separating the Android smartphone operating system from the company's other products, including Search and the Google Play app store, which are currently bundled.
- Giving advertisers more information about, and control over, the placement of their advertising.
At the same time, as the publication's sources stated, the antitrust authorities rejected "stricter measures", including the sale of Android. Some details could still change, the publication notes.
Google now shows AI-based answers at the top of its pages. Although websites can opt out of having their information used to build Google's AI models, they cannot afford to opt out of the reviews feature, because they risk being demoted in search results and making it harder to reach their audience. Site owners complain that the feature reduces traffic and advertising revenue because users rarely click through to the sites themselves.
A final decision in this case must be taken by August 2025. In April a two-week hearing will be held to assess specific measures to limit the company's activities.
LeeAnne Mulholland, Google's vice president of regulatory affairs, said that the Department of Justice "continues to push forward a sweeping agenda that goes far beyond the legal issues in this case". Such interference could harm consumers, developers and US technological leadership, she said.
It is the most serious attempt to curb a tech company's influence since the antitrust case against Microsoft twenty years ago. The success of a forced sale of Chrome will depend on there being an interested buyer. According to Bloomberg Intelligence analysts, although the likelihood of such a sale is extremely low, a potential buyer could be OpenAI, the creator of ChatGPT, for which acquiring the browser would offer an opportunity to expand its distribution system and integrate the advertising business with chatbot subscriptions.
Against the backdrop of this news, Alphabet Inc. shares fell 1.8% to $172.16 in after-hours trading, although they are up 25% since the start of the year.
The article Chrome for Sale? The US Antitrust Authority Could Force Google to Sell the Famous Browser originates from il blog della sicurezza informatica.
Trump and Cybersecurity: More Spyware and Fewer Rules on AI. A Revolution Is Coming
Donald Trump's return to the US presidency promises dramatic changes, Wired reports, especially in the field of cybersecurity. His administration plans to roll back many initiatives launched under Joe Biden, including stricter rules for critical infrastructure, restrictions on spyware and controls on artificial intelligence.
The emphasis will instead be on support for business and on aggressive cyber policies against China, Russia, Iran and North Korea.
The main step will be the rejection of new regulations for sectors such as healthcare and water supply, despite their vulnerability to cyber attacks. According to Brian Harrell, former director of infrastructure security at CISA, Trump will focus on reducing the regulatory burdens that companies say hold back growth.
CISA's work to combat disinformation will also come under attack. Trump has already stated that he intends to dismantle the "toxic censorship industry" supported by Biden. The agency's remaining initiatives in this area will probably be scaled back.
In the field of artificial intelligence, it appears that Trump will eliminate the requirements for monitoring model training and for combating discrimination. Biden's executive order on artificial intelligence will probably be revised to minimise regulation, according to Nick Reese, director of technology policy.
Spy technology, in turn, will get a "second wind". Companies that produce such programs, like NSO Group, are likely to find support in the new administration, despite criticism of their tools for violating human rights. This is particularly true for countries with close ties to Trump, such as Saudi Arabia and the United Arab Emirates.
Biden's business initiatives requiring tech companies to improve the cybersecurity of their products will also fall into disuse. The "Secure by Design" initiative, according to experts, will remain at the level of rhetoric.
However, the Trump administration is likely to step up military cyber operations, continuing Biden's efforts in this area. An increase in the frequency of attacks against foreign hackers is expected, along with a tougher approach towards China, including new restrictions on Chinese technology.
The changes will also affect the regulation of cyber incident reporting for critical infrastructure. The rules proposed by CISA could be revised to reduce the burden on businesses.
Trump's return promises a significant overhaul of US cyber policy: minimising regulation, supporting business and focusing on protecting key industries. However, such measures raise concerns that loosening controls will create greater risks for the country's critical infrastructure.
The article Trump and Cybersecurity: More Spyware and Fewer Rules on AI. A Revolution Is Coming originates from il blog della sicurezza informatica.
Batteries Not Included: Navigating the Implants of Tomorrow
Tinkerers and tech enthusiasts, brace yourselves: the frontier of biohacking has just expanded. Picture implantable medical devices that don't need batteries—no more surgeries for replacements or bulky contraptions. Though not all new (see below), ChemistryWorld recently shed new light on these innovations. It's as exciting as it is unnerving; we, as hackers, know too well that blending tech and biology walks a fine ethical line. Realising our bodies can be hacked both excites and unsettles us, posing deeper questions about human-machine integration.
Since the first pacemaker hit the scene in 1958, powered by rechargeable nickel-cadmium batteries and induction coils, progress has been steady but bound by battery limitations. Now, researchers like Jacob Robinson from Rice University are flipping the script, moving to designs that harvest energy from within. Whether through mechanical heartbeats or lung inflation, these implants are shifting to a network of energy-harvesting nodes.
The leap from triboelectric nanogenerators made of flexible, biodegradable materials to piezoelectric devices tapping body motion is considerable. John Rogers at Northwestern University points out that the real challenge is balancing power extraction against the body's natural function. Energy isn't free-flowing; overharvesting could strain or damage organs. A topic we also addressed in April of this year.
As we edge toward battery-free implants, these breakthroughs could redefine biomedical tech. A good start on diving into this paradigm shift and past innovations is this article from 2023. It'll bring you up to speed on some prior innovations in this field. Happy tinkering, and: stay critical! For we hackers know that there's an alternative use for everything!
Dial-up Internet Using the Viking DLE-200B Telephone Line Simulator
Who doesn’t like dial-up internet? Even if those who survived the dial-up years are happy to be on broadband, and those who are still on dial-up wish that they weren’t, there’s definitely a nostalgic factor to the experience. Yet recreating the experience can be a hassle, with signing up for a dial-up ISP or jumping through many (POTS) hoops to get a dial-up server up and running. An easier way is demonstrated by [Minh Danh] with a Viking DLE-200B telephone line simulator in a recent blog post.
This little device does all the work of making two telephones (or modems) think that they’re communicating via a regular old POTS network. After picking up one of these puppies for a mere $5 at a flea market, [Minh Danh] tested it first with two landline phones to confirm that yes, you can call one phone from the other and hold a conversation. The next step was thus to connect two PCs via their modems, with the other side of the line receiving the ‘call’. In this case a Windows XP system was configured to be the dial-up server, passing through its internet connection via the modem.
With this done, a 33.6 kbps dial-up connection was successfully established on the client Windows XP system, with a blistering 3.8 kB/s download speed. The reason for 33.6 kbps is that the DLE-200B does not support 56K, and according to the manual doesn't even support higher than 28.8 kbps, so even reaching these speeds was lucky.
Raspberry Pi Compute Module 5 Seen in the Wild
Last Thursday we were at Electronica, which is billed as the world’s largest electronics trade show, and it probably is! It fills up twenty airplane-hangar-sized halls in Munich, and only takes place every two years.
And what did we see on the wall in the Raspberry Pi department? One of the relatively new AI-enabled cameras running a real-time pose estimation demo, powered by nothing less than a brand-new Raspberry Pi Compute Module 5. And it seemed happy to be running without a heatsink, but we don’t know how much load it was put under – most of the AI processing is done in the camera module.
We haven’t heard anything about the CM5 yet from the Raspberry folks, but we can’t imagine there’s all that much to say except that they’re getting ready to start production soon. The test board looks very similar to the RP4 CM demo board, so we imagine that the footprint hasn’t changed. If you look really carefully, this one seems to have mouse bites on it that haven’t been ground off, so we’re speculating that this is still a pre-production unit, but feel free to generate wild rumors in the comment section.
The CM4 was a real change for the compute module series, coming with a brand-new pinout that enabled them to break out more PCIe lanes. Despite the special connectors, it wasn’t all that hard to work with if you’re dedicated. So if you need more computing power in that smaller form factor, we’re guessing that you won’t have to wait all that much longer!
Thanks [kuro] for the tip, and for walking around Electronica with me.
Supercon 2024 SAO Petal KiCad Redrawing Project
Last week I completed the SAO flower badge redrawing task, making a complete KiCad project. Most of the SAO petals are already released as KiCad projects, except for the Petal Matrix. The design features 56 LEDs arranged in eight spiral arms radiating from the center. What it does not feature are straight lines, right angles, or parts placed on a regular grid.
Importing into KiCad
Circuit Notes for LEDs, Thanks to [sphereinabox]
I followed the same procedures as the main flower badge with no major hiccups. This design didn't have any released schematics, but backing out the circuits was straightforward. It also helped that user [sphereinabox] over on the Hackaday Discord server had rung out the LED matrix connections and gave me his notes.
Grep Those Positions
I first wanted to only read the data from the LEDs for analysis, and I didn't need the full KiCad + Python scripting for that. Using grep on the PCB file, you get a text file that can be easily parsed to get the numbers. I confirmed that the LED placements were truly as irregular as they looked.
My biggest worry was how to obtain and re-apply the positions and angles of the LEDs, given the irregular layout of the spiral arms. Just like the random angles of the six SAO connectors on the badge board, [Voja] doesn't disappoint on this board, either. I fired up Python and used Matplotlib to get a visual perspective of the randomness of the placements, as one does. Due to the overall shape of the arms, there is a general trend to the numbers. But no obvious equation is discernible.
It was obvious that I needed a script of some sort to locate 56 new KiCad LED footprints onto the board. (Spoiler: I was wrong.) Theoretically I could have processed the PCB text file with bash or Python, creating a modified file. Since I only needed to change a few numbers, this wasn’t completely out of the question. But that is inelegant. It was time to get familiar with the KiCad + Python scripting capabilities. I dug in with gusto, but came away baffled.
KiCad’s Python Console to the Rescue — NOT
This being a one-time task for one specific PCB, writing a KiCad plugin didn't seem appropriate. Instead, hacking around in the KiCad Python console looked like the way to go. But it didn't work well for quick experimenting. You open the KiCad PCB console within the PCB editor. But when the console boots up, it doesn't know anything about the currently loaded PCB. You need to import the KiCad Python interface library, and then open the PCB file. Also, the current state of the Python REPL and the command history are not maintained between restarts of KiCad. I don't see any advantages of using the built-in Python console over just running a script in your usual Python environment.
Clearly there is a use case for this console. By all appearances, a lot of effort has gone into building up this capability. It appears to be full of features that must be valuable to some users and/or developers. Perhaps I should have stuck with it longer and figured it out.
KiCad Python Script Outside KiCad
This seemed like the perfect solution. The buzz in the community is that modern KiCad versions interface very well with Python. I've also been impressed with the improved KiCad project documentation in recent years. "This is going to be easy", I thought.
First thing to note, the KiCad v8 interface library works only with Python 3.9. I run pyenv on my computers and already have 3.9 installed — check. However, you cannot just do a pip install kicad-something-or-other... to get the KiCad Python interface library. These libraries come bundled within the KiCad distribution. Furthermore, they only work with a custom-built version of Python 3.9 that is also included in the bundle. While I haven't encountered this situation before, I figured out you can make pyenv point to a Python that has been installed outside of pyenv. But before I got that working, I made another discovery.
The Python API is not “officially” supported. KiCad has announced that the current Simplified Wrapper and Interface Generator-based Python interface bindings are slated to be deprecated. They are to be replaced by Inter-Process Communication-based bindings in Feb 2026. This tidbit of news coincided with learning of a similar 3rd party library.
Introducing KiUtils
Many people were asking questions about including external pip-installed modules from within the KiCad Python console. This confounded my search results, until I hit upon someone using the KiUtils package to solve the same problem I was having. Armed with this tool, I was up and running in no time. To be fair, I suspect KiUtils may also break when KiCad switches from SWIG to the IPC interface, but KiUtils was so much easier to get up and running that I stuck with it.
I wrote a Python script to extract all the information I needed for the LEDs. The next step was to apply those values to the 56 new KiCad LED footprints to place each one in the correct position and orientation. As I searched for an example of writing a PCB file from KiUtils, I saw issue #113, “Broken as of KiCAD 8?”, on the KiUtils GitHub repository. Looks like KiUtils is already broken for v8 files. While I was able to read data from my v8 PCB file, it is reported that KiCad v8 cannot read files written by KiUtils.
Scripting Not Needed — DOH
At a dead end, I was about to hand place all the LEDs manually when I realized I could do it from inside KiCad. My excursions into KiCad and Python scripting were all for naught. The LED footprints had been imported from Altium Circuit Maker as one single footprint per LED (as opposed to some parts which convert as one footprint per pad). This single realization made the problem trivial. I just needed to update footprints from the library. While this did require a few attempts to get the cathode and anodes sorted out, it was basically solved with a single mouse click.
Those Freehand Traces
The imported traces on this PCB were harder to clean up than those on the badge board. There were a lot of discontinuities in track segments. These artifacts would work fine if you made a real PCB, but because some segment endpoints don't precisely line up, KiCad doesn't know they belong to the same net. Here is how these were fixed:
- Curved segment endpoints can't be dragged like a straight line segment can. Solutions:
- If the next track is a straight line, drag the line to connect to the curved segment.
- If the next track is also a curve, manually route a very short track between the two endpoints.
- If you route a track broadside into a curved track, it will usually not connect as far as KiCad is concerned. The solution is to break the curved track at the desired intersection, and those endpoints will accept a connection.
- Some end segments were not connected to a pad. These were fixed by either dragging or routing a short trace.
Applying these rules over and over again, I finally cleared all the discontinuities. Frustratingly, the algorithm to do this task already exists in a KiCad function: Tools -> Cleanup Graphics... -> Fix Discontinuities in Board Outline, with an accompanying tolerance field specified as a length in millimeters. But this operation, as noted in its name, is restricted to lines on the Edge.Cuts layer.
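To make the two file-level steps described above concrete (pulling footprint positions out of the board file, as in "Grep Those Positions", and finding track endpoints that nearly but not exactly meet, as in "Those Freehand Traces"), here is an added Python example. It is not code from this article or from the SAO Petal Matrix project: it uses its own minimal s-expression parser instead of KiUtils, and a constructed board snippet rather than the real PCB file. The tolerance-based endpoint check is my own reading of what a "fix discontinuities" pass has to do, not KiCad's implementation.

```python
import re
from math import hypot

# Constructed sample of a KiCad board file (not the Petal Matrix project's real
# file): three LED footprints at irregular positions and angles, one of them in
# the older KiCad 6/7 "fp_text reference" style, plus a few tracks. The third
# segment starts 0.005 mm away from where the second one ends: the kind of gap
# that looks connected on screen but is a separate net as far as KiCad knows.
SAMPLE_PCB = """
(kicad_pcb (version 20240108) (generator "pcbnew")
  (footprint "LED_SMD:LED_0603_1608Metric" (layer "F.Cu")
    (at 51.2 37.9 23.5)
    (property "Reference" "D1" (at 0 -1.2 0) (layer "F.SilkS")))
  (footprint "LED_SMD:LED_0603_1608Metric" (layer "F.Cu")
    (at 48.7 40.3 -112)
    (property "Reference" "D2" (at 0 -1.2 0) (layer "F.SilkS")))
  (footprint "LED_SMD:LED_0603_1608Metric" (layer "F.Cu")
    (at 55.0 42.0)
    (fp_text reference "D3" (at 0 -1.2) (layer "F.SilkS")))
  (segment (start 10 10) (end 20 10) (width 0.25) (layer "F.Cu") (net 1))
  (segment (start 20 10) (end 20 15) (width 0.25) (layer "F.Cu") (net 1))
  (segment (start 20.004 15.003) (end 30 15) (width 0.25) (layer "F.Cu") (net 1))
  (segment (start 40 40) (end 50 40) (width 0.25) (layer "B.Cu") (net 2))
)
"""

# Tokens of the s-expression syntax: parentheses, quoted strings, bare atoms.
_TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+')


def parse_sexpr(text):
    """Parse s-expression text into nested Python lists of strings."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            if tok.startswith('"'):
                tok = tok[1:-1]          # strip the quotes, keep the content
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses in board file")
    return stack[0]


def footprint_positions(pcb_text):
    """Return {reference: (x, y, rotation_deg)} for every footprint on the board."""
    tree = parse_sexpr(pcb_text)
    out = {}
    for node in tree[0][1:]:               # children of (kicad_pcb ...)
        if not isinstance(node, list) or node[0] != "footprint":
            continue
        ref, pos = None, None
        for child in node[1:]:             # direct children only; nested (at ...)
            if not isinstance(child, list):  # inside properties are text offsets
                continue
            if child[0] == "at" and pos is None:
                x, y = float(child[1]), float(child[2])
                rot = float(child[3]) if len(child) > 3 else 0.0
                pos = (x, y, rot)
            elif child[0] == "property" and child[1] == "Reference":  # KiCad 8
                ref = child[2]
            elif child[0] == "fp_text" and child[1] == "reference":    # KiCad 6/7
                ref = child[2]
        if ref and pos:
            out[ref] = pos
    return out


def track_discontinuities(pcb_text, tol_mm=0.01):
    """Find pairs of segment/arc endpoints on the same layer that are closer
    than tol_mm but do not coincide exactly, i.e. visually joined but not
    electrically connected. Returns (layer, point_a, point_b, distance_mm)."""
    tree = parse_sexpr(pcb_text)
    ends = []
    for idx, node in enumerate(tree[0][1:]):
        if not isinstance(node, list) or node[0] not in ("segment", "arc"):
            continue
        fields = {c[0]: c[1:] for c in node[1:] if isinstance(c, list)}
        layer = fields["layer"][0]
        for key in ("start", "end"):
            x, y = map(float, fields[key])
            ends.append((layer, x, y, idx))
    gaps = []
    for i in range(len(ends)):
        for j in range(i + 1, len(ends)):
            la, xa, ya, oa = ends[i]
            lb, xb, yb, ob = ends[j]
            if la != lb or oa == ob:       # different layer, or same track
                continue
            d = hypot(xa - xb, ya - yb)
            if 0 < d <= tol_mm:
                gaps.append((la, (xa, ya), (xb, yb), round(d, 6)))
    return gaps


if __name__ == "__main__":
    for ref, (x, y, rot) in sorted(footprint_positions(SAMPLE_PCB).items()):
        print(f"{ref}: x={x} y={y} rot={rot}")
    for layer, a, b, d in track_discontinuities(SAMPLE_PCB):
        print(f"{d} mm gap on {layer} between {a} and {b}")
```

The footprint's own `(at ...)` is always a direct child of the `footprint` node, while the `(at ...)` inside a property or `fp_text` is a text offset, which is why the scan looks only one level deep. The near-miss search is quadratic in the number of endpoints, which is fine for a board this size; for a large board you would bucket endpoints by a grid of `tol_mm` cells first.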
PCB vs Picture
Detail of Test Pad Differences
When I was all done, I noticed a detail in the photo of the Petal Matrix PCB assembly from the Hackaday reveal article. That board (sitting on a rock) has six debugging / expansion test points connected to the six pins of the SAO connector. But in the Altium Circuit Maker PCB design, there are only two pads, A and B. These connect to the two auxiliary input pins of the AS1115 chip. I don’t know which is correct. (Editor’s note: they were just there for debugging.) If you use this project to build one of these boards, edit it according to your needs.
Conclusion
The SAO Petal Matrix redrawn KiCad project can be found over at this GitHub repository. It isn't easy to work backwards using KiCad from the PCB to the schematic. I certainly wouldn't want to reverse engineer a 9U VME board this way. But for many smaller projects, it isn't an unreasonable task, either. You can also use much simpler tools to get the job done. Earlier this year over on Hackaday.io, user [Skyhawkson] did a great job backing out schematics from an Apollo-era PCB with Microsoft Paint 3D — a tool released in 2017 and just discontinued last week.
The EU Council approves the defence reports that fail Europe
European defence remains on the agenda for the EU institutions, perhaps a little less so for the chancelleries of the Old Continent. The EU Council in its Defence configuration has approved the Coordinated annual defence review (Card) 2024, an instrument created in 2017 to keep track
Long-range missiles do not change the game in Ukraine. Minuto Rizzo speaks
In a surprise move, outgoing US President Joe Biden has authorised Ukraine to use Atacms long-range missiles inside Russian territory, crossing another of the red lines drawn by Vladimir
Turning the page! The EU introduces Digital Liability for Closed Source Software products
The European Union has approved new legislation that extends the rules on product liability. It now also covers digital products such as software and online platforms. The change should make it easier for users to claim compensation for damage caused.
On 10 October 2024 the EU Council approved the directive on liability for defective products, bringing digital products within its scope. The only exceptions are open source programs. Previously the rules applied only to physical objects and electricity.
Under the new rules, importers or manufacturers' representatives in the EU will be liable for damage caused by products supplied from non-EU countries. This also applies to online platforms, which will bear the same liability as any other economic operator when they perform their functions.
The law now applies to operating systems, firmware, applications and artificial intelligence systems that can cause damage when used. This covers software both installed locally and made available via cloud technologies and SaaS models.
It will now be easier for affected users to seek compensation in court by requesting access to evidence from the manufacturer. Where it is difficult to prove a defect and its causal link to the damage, the court may require only proof of the likelihood of these facts. If the product has been modified by third parties outside the control of the original manufacturer, those parties will be held liable for the defects.
The law also regulates compensation for physical injury, property damage and data loss where recovery is costly. But data loss will not be compensated if the data can be restored free of charge.
The Directive excludes liability for data leaks, since these are governed by other acts. However, manufacturers will be held liable for a product's cybersecurity if the product does not meet security requirements. Hungarian Justice Minister Bence Tuzson noted that the new law benefits both consumers and manufacturers by providing clear rules for digital products and circular-economy models. The directive has already entered into force and EU countries have been given two years to transpose it into national law.
On the same day, incidentally, the EU also approved the Cyber Resilience Act, which strengthens security requirements for IoT devices such as IP cameras, smart refrigerators and robot vacuum cleaners.
The article Turning the page! The EU introduces Digital Liability for Closed Source Software products originates from il blog della sicurezza informatica.
AI Companies Are Trying to Get MIT Press Books
The non-profit, university press asked its authors for input on how they'd prefer to see any hypothetical AI training deals handled, and plans to base future decisions on what they say, MIT Press told 404 Media.
Samantha Cole (404 Media)
The Vecdec Cyberdeck is More than a Pretty Case
A common criticism we hear of cyberdecks is that functionality too often takes a backseat to aesthetics — in other words, they might look awesome, but they aren’t the kind of thing you’re likely to use a daily driver. It’s not an assessment that we necessarily disagree with, though we also don’t hold it against anyone if they’re more interested in honing their build’s retro-futuristic looks than its computational potential.
That said, when a build comes along that manages to strike a balance between style and function, we certainly take notice. The vecdec, built by [svenscore], is a perfect example. We actually came across this one in the Desert of the Real, also known as the outskirts of Philadelphia, while we stalked the chillout room at JawnCon 0x1. When everyone else in the room is using a gleaming MacBook or a beat-up ThinkPad, its wildly unconventional design certainly grabs your attention. But spend a bit of time checking the hardware out and chatting with its creator, and you realize it’s not just some cyberpunk prop.
vecdec connected to the JawnCon modem badge
It all started when [svenscore] caught the ergonomic split keyboard bug awhile back. After getting used to the layout on his desktop, he found going back to the standard keyboard on his laptop was rather unpleasant. Carrying an external keyboard wherever you go is pretty much a non-starter when doing any serious traveling, so he decided his best bet was to build a portable machine that integrated his keyboard layout of choice.
The size and shape of said keyboard ultimately dictated the outline of the vecdec, leaving little room for luxuries. Still, [svenscore] managed to sneak a few surprises into this Raspberry Pi 4 powered cyberdeck: an SX1262 LoRa transceiver allows for experimenting with Meshtastic on the go, and an I2C-connected PAJ7620U2 gesture sensor located between the keyboard halves allows the user to navigate through documents with a literal wave of the hand.
We’ve seen some ergonomic cyberdecks before, but the fit and finish on the vecdec certainly helps it stand out from the pack. With machines like this out in the wild, perhaps it’s time for another Cyberdeck Contest?
Defence of the future. At CASD, the first national forum on joint-force training
@Notizie dall'Italia e dal mondo
Strengthening the national military instrument also depends on training. Members of the armed forces must be put in a position to face increasingly complex analytical scenarios that require specific training enabling them to
Studying at 41
Having to start my life over from scratch, it would not be bad to be able to help autistic people move forward more easily than happened to me, given the difficulties caused by a missed diagnosis combined with my own fine set of problems.
So, among other things, I will also write about my course of study, and about how it may affect my being autistic and my understanding of autism.
Ministry of Education
📣 “Health and safety… together! Prevention and safety in the #workplace are learned at #school”: the national #contest promoted by the #MIM, in agreement with the Ministry of Labour and Social Policies and in collaboration with Inail, gets under way…
The Great Redbox Cleanup: One Company is Hauling Away America’s Last DVD Kiosks
Remember Redbox? Those bright red DVD vending machines that dotted every strip mall and supermarket in America, offering cheap rentals when Netflix was still stuffing discs into paper envelopes? After streaming finally delivered the killing blow to physical rentals, Redbox threw in the towel in June 2024, leaving around 34,000 kiosks standing as silent monuments to yet another dead media format.
Last month, we reported that these machines were still out there, barely functional and clinging to life. Now, a company called The Junkluggers has been tasked with the massive undertaking of clearing these mechanical movie dispensers from the American retail landscape, and they’re doing it in a surprisingly thoughtful way. I chatted to them to find out how it’s going.
Redbox vending machines weigh anywhere up to 850 pounds, and are often displayed along with additional promotional signage as seen here. Moving them isn’t the easiest. Credit: The Junkluggers, supplied
In a symbolic end to the DVD rental era, thousands of distinctive red kiosks are being methodically removed from storefronts across America. The Junkluggers, a specialized removal company, has been tasked with the final chapter of the Redbox story – dismantling and responsibly disposing of these once-ubiquitous machines that changed how we consumed movies.
When Redbox filed for bankruptcy in June this year, thousands of kiosks still stood sentinel outside grocery stores, malls, and big box store locations nationwide. Now, The Junkluggers is orchestrating what amounts to a massive logistics operation to clear these remnants of the physical media age. The company operates nationwide—and thus was able to offer a one-stop shop for disposing of these machines across the nation.
“We’ve successfully removed thousands of Redbox units nationwide, including servicing major retailers in all major metropolitan areas,” explains Justin Waltz, Brand President of The Junkluggers. The company has been working at remarkable speed, completing their first phase of removals from major retailers like Dollar General, McDonald’s, Walmart, and various grocery chains in less than three weeks. “When Redbox shut down in October, there were about 34,000 kiosks still in operation,” says Waltz. “However, most of these have been defunct, removed, and broken down for parts nationwide.”
The main phase of the removal job is easy: grab the boxes, and throw ’em on the truck. From there, they’re disassembled to have their discs redistributed and their components recycled. Credit: The Junkluggers, supplied
But what happens to these decommissioned movie dispensers? Rather than simply scrapping the machines, The Junkluggers has implemented a methodical process to maximize recycling and reuse. “Sustainable junk removal” is the ethos of the company, and that’s guided what happens to the Redbox hardware. “For the Redbox units being handled by The Junkluggers, we help to recycle the metal components and return them to the production supply chain,” explains Waltz. “There are multiple types of Redbox units out there and each must be handled differently… for each unit that comes into our possession, we carefully evaluate its components to identify what parts can be recycled or donated.”
Media enthusiasts will be most keen to know what’s happening to the discs inside these machines. Redbox vending machines are capable of holding up to 630 DVDs each. If we imagine the fleet is around half full, at an average of 300 discs per unit, that would have left over 10,000,000 DVDs to be disposed of. Some might think it a shame for all these to end up in landfill. Thankfully, that’s not the case, as the company has found creative ways to give the DVD libraries within these machines a second life.
Shortly after bankruptcy (and later liquidation) was declared, these sad notices started appearing on Redbox machines. TaurusEmerald, CC BY-SA 4.0
“The majority of the DVDs we’ve collected from removals are being rehomed,” says Waltz. “We’ve donated DVDs to local artists, assisted living facilities, homeless shelters, veterans’ clinics, and other community organizations nationwide.” The goal is to see as many discs as possible go to new homes.
The Redbox removal project serves as a case study in responsible corporate dismantling. While the red kiosks may be disappearing from our streets, their components are being recycled into new products, and their content continues to serve communities that can benefit from them. It’s a fitting epilogue for a service that democratized movie rentals, ensuring that even in its sunset, Redbox continues to make entertainment accessible to those who seek it out.
Seasons Changing
As streaming services dominate our viewing habits, the disappearance of these kiosks marks more than just a business transition – it’s the end of an era in how we consumed entertainment. Physical media has long been on the decline as far as mainstream consumption goes. At the same time, we’ve seen it bounce back time and again in the music space, first with vinyl, then cassettes, and now CDs. With Redbox collapsing in on itself, we’re either witnessing the true final days of the DVD, or the lull before it becomes retro and hip again. We’ll find out soon enough.
It’s one of those times where technology has made an existing business obsolete. Traditional video rentals went the way of the dodo because nobody wanted to drive to pick up a movie when they could just stream one at home. Redbox perhaps lasted longer than most if only for the fact that its overheads were so much lower by using vending machines instead of staffed retail locations. Even then, it wasn’t enough to survive. It seems that the Redbox rental concept is now definitively consigned to history.
On the electorate
How anti-intellectualism is, unfortunately, shaping American and world politics
One of today's problems is the drift toward anti-intellectualism, which from the United States has reached every Western country.
Mattia Madonia (The Vision)
Hidden cyber threat: hackers dodge defences with the new ZIP concatenation technique!
Hackers have found a new, ingenious method for bypassing security defences: the use of ZIP file concatenation. This advanced trick makes it possible to hide malicious payloads inside compressed archives, making them invisible to security software.
ZIP concatenation: a carefully studied deception
The technique exploits the way different extraction programs handle concatenated ZIP files. A research team at Perception Point discovered this stratagem while analysing a phishing attack that used a fake shipping notification to deceive victims. In the case analysed, the ZIP archive concealed a trojan that used the AutoIt scripting language to carry out malicious actions automatically.
Malware hidden in “corrupted” ZIPs
But how does the attack unfold? First, the cybercriminals create two or more separate ZIP files: one contains the malicious payload, while the others are harmless. These files are then concatenated, that is, joined into a single archive by simply appending the binary data. The resulting file looks like a single ZIP but is actually a combination of multiple ZIP structures.
Exploiting the weaknesses of ZIP applications
The success of this attack depends on how extraction programs handle concatenated ZIP files:
- 7-Zip: reads only the first archive, which may look harmless, and warns about additional data, a warning users often ignore.
- WinRAR: recognises both archives and displays all files, thus also revealing the malicious ones.
- Windows File Explorer: may fail to open the concatenated file or, if it is renamed with a .RAR extension, shows only the second archive, hiding the dangerous content.
Hackers tailor the attack to the behaviour of the different applications, choosing whether to hide the malware in the first or the second concatenated ZIP so as to go unnoticed.
Defending against concatenated ZIP files
Security experts recommend a few measures to counter these attacks:
- Use advanced security solutions with support for recursive analysis, able to examine concatenated ZIP files.
- Treat with suspicion any email with ZIP attachments or compressed archives, especially from unknown or suspicious senders.
- Implement strict filters to block file extensions associated with compressed archives in critical environments.
Conclusions
This attack once again demonstrates the creativity and persistence of cybercriminals, ready to exploit every vulnerability or ambiguous behaviour of file-handling systems. ZIP file concatenation is only the latest ploy for evading security checks, making it all the more evident how important it is to adopt defensive measures that are robust, up to date and able to look beyond appearances.
The article "Hidden cyber threat: hackers dodge defences with the new ZIP concatenation technique!" comes from il blog della sicurezza informatica.
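To make the parser-dependent behaviour above concrete, and to show what the "recursive analysis" in the first recommendation has to do, here is an added Python example written for this page (not code from Perception Point or the article). It builds a constructed sample by appending two benign single-file archives, shows that a standard parser (Python's zipfile) reports only the last archive, and then walks every End of Central Directory record to list the members of each embedded ZIP structure. All file names and sample data are constructed for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory (EOCD) record signature
CDH_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_LEN = 22             # fixed part of the EOCD record, before the comment
CDH_LEN = 46              # fixed part of a central directory header


def make_zip(files):
    """Build one in-memory ZIP from {name: bytes}. Constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_concatenated_sample():
    """Two benign single-file archives appended byte for byte, as the article describes."""
    first = make_zip({"a.txt": b"first archive\n"})
    second = make_zip({"b.txt": b"second archive\n"})
    return first + second


def stdlib_view(blob):
    """Member names a standard parser (Python's zipfile) reports for the blob.

    zipfile locates the *last* EOCD record and re-bases its offsets, so on a
    concatenated file it silently reports only the final archive.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def find_embedded_archives(blob):
    """Return one list of member names per ZIP structure found in blob.

    Scans forward for every EOCD record. The central-directory offset stored
    in an EOCD is relative to the start of *its own* archive, which in a
    concatenated file is the end of the previous one, so it is re-based.
    """
    archives = []
    base = 0   # where the archive currently being parsed starts
    pos = 0
    while True:
        eocd = blob.find(EOCD_SIG, pos)
        if eocd == -1 or eocd + EOCD_LEN > len(blob):
            break
        # EOCD: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
        n_total, _cd_size, cd_offset, comment_len = struct.unpack(
            "<HIIH", blob[eocd + 10:eocd + EOCD_LEN])
        cd_start = base + cd_offset
        if n_total and blob[cd_start:cd_start + 4] != CDH_SIG:
            pos = eocd + 4   # signature bytes inside member data, not a real EOCD
            continue
        names = []
        p = cd_start
        for _ in range(n_total):
            if blob[p:p + 4] != CDH_SIG:
                break
            # name_len, extra_len and comment_len sit at offsets 28, 30 and 32 of the header
            name_len, extra_len, c_len = struct.unpack("<HHH", blob[p + 28:p + 34])
            names.append(blob[p + CDH_LEN:p + CDH_LEN + name_len].decode("utf-8", "replace"))
            p += CDH_LEN + name_len + extra_len + c_len
        archives.append(names)
        base = pos = eocd + EOCD_LEN + comment_len   # the next archive starts right after this EOCD
    return archives


def is_concatenated(blob):
    """True when more than one complete ZIP structure is present: flag the file for deeper inspection."""
    return len(find_embedded_archives(blob)) > 1


if __name__ == "__main__":
    sample = build_concatenated_sample()
    print("stdlib sees:", stdlib_view(sample))             # ['b.txt']
    print("all archives:", find_embedded_archives(sample))  # [['a.txt'], ['b.txt']]
    print("concatenated:", is_concatenated(sample))        # True
```

A scanner that stops at the first or last archive, as the extractors listed above do, misses whichever half the attacker chose to hide the payload in; enumerating every EOCD record is what lets a gateway inspect all members.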
German BGH: GDPR compensation for loss of control
noyb welcomes yesterday's important decision by the German Federal Court of Justice in a Facebook case
mickey, 19 November 2024
Dark patterns at Mercedes? A DPO is really needed here.
@Privacy Pride
Christian Bernieri's full post is on his blog: garantepiracy.it/blog/dark-pat…
Reading time: about 12 minutes. Dear Mercedes Benz (hereinafter MB), I drive your vehicles with pleasure; you build them really well and they run like a
A commercial drone becomes an anti-tank weapon. The French army's idea
@Notizie dall'Italia e dal mondo
Drones are radically changing the face of the battlefield. From air offensives to maritime and underwater patrols, remotely piloted vehicles fill military planning and modernisation programmes. From entire fighter jets able to fly without a pilot to minehunter ships
How the “broad field” coalition took Umbria from the centre-right
@Politica interna, europea e internazionale
The story of the Umbrian regional elections of 17 and 18 November, in which the centre-left candidate Stefania Proietti defeated the outgoing president Donatella Tesei, is longer than one might imagine. Since 1995, when direct elections of regional presidents were held for the first time, the vote in Umbria had […]
Power Supply With Benchtop Features Fits In Your Pocket
[CentyLab]’s PocketPD isn’t just adorably tiny — it also boasts some pretty useful features. It offers a lightweight way to get a precisely adjustable output of 0 to 20 V at up to 5 A with banana jack output, integrating a rotary encoder and OLED display for ease of use.
PocketPD leverages USB-C Power Delivery (PD), a technology with capabilities our own [Arya Voronova] has summarized nicely. In particular, PocketPD makes use of the Programmable Power Supply (PPS) functionality to precisely set and control voltage and current. Doing this does require a compatible USB-C charger or power bank, but that’s not too big of an ask these days.
Even if an attached charger doesn’t support PPS, PocketPD can still be useful. The device interrogates the attached charger on every bootup, and displays available options. By default PocketPD selects the first available 5 V output mode with chargers that don’t support PPS.
The latest hardware version is still in development and the GitHub repository has all the firmware, which is aimed at making it easy to modify or customize. Interested in some hardware? There’s a pre-launch crowdfunding campaign you can watch.
Scammer Black Friday offers: Online shopping threats and dark web
Intro
The e-commerce market continues to grow every year. According to FTI consulting, in Q1 2024, online retail comprised 57% of total sales in the US, and it is expected to increase by 9.8% over 2023 by the end of this year. In Europe, 72% of those aged 16–74 buy online, their share growing by the year. Globally, according to eMarketer, e-commerce sales are to reach $6.9 trillion by the end of 2024.
At Kaspersky, we closely monitor the evolving landscape of shopping-related cybersecurity threats. Each year, we track how cybercriminals target this rapidly expanding sector and the challenges they pose to consumers, especially during peak shopping seasons. As shoppers seek the best deals in the run-up to major sales events like Black Friday, cybercriminals and fraudsters gear up to exploit this demand, attempting to steal personal data, funds, and spread malware through deceptive shopping lures.
This report continues the series of annual analyses we published on Securelist in 2023, 2022 and 2021, which track the evolving landscape of shopping-related cybersecurity threats. In it, we present our findings on the dynamic nature of shopping threats, with a particular focus on the tactics used by cybercriminals during Black Friday, and offer insights into how consumers can stay safe in the face of the growing risks.
Methodology
To assess the current state of the shopping threat landscape, we conduct an annual analysis of various threat vectors. These include financial malware, phishing sites impersonating major global retailers, banks and payment systems, and spam emails that may lead to fraudulent websites or spread malware. This year, we also specifically analyzed the rise of fake mobile applications designed to steal shopping data. The threat data we rely on is sourced from Kaspersky Security Network (KSN), which processes anonymized cybersecurity data shared consensually by Kaspersky users. This report draws on data collected from January through October 2024.
Alongside this, with the help of Kaspersky Digital Footprint Intelligence, we explored what happens to all the stolen information, and specifically, how scammers offload it on dark web forums.
Key findings
- In the first ten months of 2024, Kaspersky identified more than 38 million phishing attacks targeting users of online stores, payment systems, and banks.
- As many as 44.41% of these attacks targeted banking service users.
- We detected 198,000 Black Friday-themed spam messages in the first two weeks of November.
- More than 13 million banking trojan-related attacks were detected in 2024.
- Despite the high number, the overall activity of PC banking trojans continues to decline.
- Credit card data is widely offered on the dark web, alongside shopping accounts.
- Dark web sellers offer Black Friday discounts, just like regular shops.
Shopping fraud and phishing
Phishing and scams are among the top threats for online shoppers. Fraudsters often create fake websites, emails or ads that closely resemble those of legitimate retailers. Given that shoppers are often busy or distracted, they may not take the time to carefully review links or emails, which makes them more vulnerable to these threats.
Kaspersky’s automated technologies are designed to detect and prevent various forms of financial phishing and scams that fraudsters run during the Black Friday season, including fake pages that mimic bank websites, payment systems such as PayPal, Visa or Mastercard, and online stores such as Amazon, eBay or AliExpress. These pages may target victims’ login credentials and payment information or trick users into transferring money to the scammers. Additionally, they may also steal other personal details from unsuspecting shoppers.
From January through October 2024, Kaspersky products successfully blocked more than 38,473,274 attempts to access phishing links targeting users of online shopping platforms, payment systems and banks. This represents a significant increase of 24.9% over the same period last year, when 30,803,840 phishing attacks were recorded.
If we break this down, 44.41% of these phishing attempts targeted users of banking services, 18.01% mimicked payment systems, and 37.5% attempted to impersonate e-shops. Notably, there has been a shift in the types of targets. While last year online store impersonation accounted for the largest share (43.47%), this year, attacks targeting banking users became prevalent, increasing slightly from 35.19%.
Financial phishing attacks by category, January–October 2024
Although the share of online store phishing and scams dropped insignificantly against 2023, the overall number of detected attempts to follow a phishing link grew slightly from roughly 13 million to 14,428,512. The top brands mimicked by the scammers remained the same as in the previous year, however, our analysis revealed that the overall number of phishing attacks per examined platform in 2024 appeared somewhat lower than in 2023. Given the growth in the number of all online store-themed phishing attempts, this may mean that the attacks have become more targeted and region-specific or that the number of platforms mimicked by the fake sites has increased.
TOP 5 popular online stores mimicked by the scammers, January–October 2024
In 2024, Kaspersky products detected and blocked 3,807,116 phishing attempts, primarily those distributing Amazon-related scam and phishing pages that were designed to steal personal and banking data from users, or trick them into buying non-existent goods.
Phishing attempts were also widespread across other major e-commerce platforms. In 2024, eBay was mimicked in 512,107 phishing attempts we blocked, while Walmart was used as a lure in 31,638, and MercadoLibre, the Latin American marketplace, in 214,834 cases. Phishing pages mimicking Alibaba Group stores were accessed 919,770 times.
Major scam campaigns preying on Black Friday 2024
Black Friday scams commonly spread through social media, search engine ads and, most frequently, mass email campaigns. Since many retailers rely on email to promote upcoming sales ahead of the holiday season, cybercriminals often exploit this by sending fraudulent messages with links to scam websites. Starting at the beginning of September, Kaspersky’s telemetry detected a week-by-week increase in spam emails containing the term “Black Friday”. As the shopping event approached, the volume of these emails surged, reaching a total of more than 198,428 spam messages just in the first two weeks of November.
Scammers often impersonate major retailers like Amazon, Walmart or Etsy with deceptive emails to lure unsuspecting victims. These emails typically claim to come from the companies themselves and promote exclusive discounts, especially during high-traffic shopping periods like Black Friday. For example, one spam campaign circulating this year falsely claimed that Amazon’s “special buyers team” had handpicked top items not to miss, offering an exclusive sale of up to 70% off. Emails like this are designed to exploit the urgency and excitement of seasonal sales to trick consumers into clicking potentially dangerous links.
The email typically contains a link that redirects to a fake online store website, where unsuspecting victims may make fake purchases. Such pages are typically designed to look identical to the real ones, although sometimes they feature poor spelling or minor inconsistencies in domain names. However, if the victim tries to buy something on a site like that, they usually just lose money. Moreover, any data they entered on a fake website, such as their payment details, ends up in the hands of scammers. This can lead to various harmful outcomes, such as unauthorized purchases or further exploitation of the stolen data for fraudulent purposes.
Another common scam making the rounds this year capitalizes on consumers’ inclination to try their chances. Scammers know consumers are eager to win even minor prizes, so they craft messages that offer a limited-time survey with prize draws, the prizes being valuable goods, such as a free iPhone 14. To heighten the sense of urgency, these scams emphasize that the recipient is one of only a handful of “select” users eligible for the deal.
The catch is always the same: the recipient must act quickly, or they risk missing out on the “exclusive” offer. These tactics prey on consumers’ fear of losing out, tricking them into acting impulsively. In reality, there is no deal — just a carefully designed scam aimed at manipulating victims into making small payments to the scammers, thus losing money and giving away their payment details.
A similar scheme goes for gift cards. Scammers offer a “reward” for sharing some “basic info”, such as an email address, and spending some money on a fake site.
It is not only buyers that are targeted by Black Friday scams — sellers are also at risk. For example, we have seen a fake Etsy verification scam targeting individuals registered as sellers on the platform — the scammers must have obtained a copy of the seller database. The victim receives an email claiming that their account has been temporarily locked. The message urges them to click a link to unlock it. On a fake site, they are asked to enter their bank card details, including the card number, expiration date, CVV and billing address, supposedly for identity verification. The scam page may faithfully reproduce the design of the Etsy website, with only a few minor differences in the URL or visuals. Once the victim provides the card details, the scammers can steal their financial information or use it for fraudulent transactions.
While in the West, these scams are widespread before and during Black Friday, in the APAC region, scammers often capitalize on 11.11 (Singles’ Day), taking advantage of the unique shopping culture and timing. We’ve observed phishing campaigns targeting users across the entire Asia-Pacific, with fake online store pages appearing much earlier than expected. These pages, in languages like Vietnamese and Japanese, are distributed well in advance of 11.11, highlighting how scammers are tailoring their tactics to the region’s shopping habits. For example, the page on the screenshot below was detected in September 2024. This early targeting reflects a deeper understanding of the APAC market, with scammers taking advantage of the heightened consumer activity leading up to the event.
Fake app offers
This year, we have also discovered some malicious campaigns targeting users by spreading fake mobile shopping apps. Designed to imitate official retailer apps, they seem to offer lucrative deals but ask for payment upfront or collect personal data, such as credit card numbers or login credentials. Our security solutions blocked more than 8000 attacks during this campaign, which might potentially be targeting a broad spectrum of users worldwide.
Fake app closely resembling an official online store app
Banking trojans
In addition to phishing, banking trojans, or “bankers”, are a key tool for cybercriminals looking to exploit busy shopping seasons like Black Friday. These malicious programs are designed to steal sensitive data from online banking and payment systems. In this section, we analyze the activity of PC banking trojans, which, having sneaked onto the victim device, typically start monitoring their browser. Once the user opens a banking website the malware is interested in, it may use tactics such as web injection and form-grabbing to capture login credentials, credit card details and other personal information entered on the website. Some banking trojans can also monitor the victim’s clipboard in search of crypto wallet addresses. Once an address is detected, the malware substitutes it with a malicious one.
As online shopping surges during major sales events like Black Friday, cybercriminals target e-commerce sites and online marketplaces in addition to banks. Banking trojans can inject fake forms into legitimate sites, tricking users into entering sensitive data when making purchases or checking out. This increases the risk of identity theft, financial fraud and data theft, making consumers particularly vulnerable during peak shopping seasons.
Interestingly, this year, we’ve seen a continued decline in the number of PC banking trojan attacks following a sharp rise in 2022, when we observed a 92% year-over-year increase. This year, the number of attacks has dropped to 13,313,155, down from 18 million last year and representing a 46% decrease in just two years. This trend suggests a shift in cybercriminal tactics, which may be explained by the users increasingly switching to mobile banking. However, the threat of PC banking trojans remains significant, as illustrated by such families as Grandoreiro, which, in spite of the recent group member arrests, is ramping up its operations and targeting more than 1700 banks all over the globe. This underscores the necessity for users to stay vigilant, especially during high-traffic shopping events.
Overall number of banking Trojan attacks, January–October 2021–2024
Stolen shopping data on dark web forums
What do scammers do with all the stolen data? After a phishing attack, scammers who steal shopping accounts or credit card data may use it for their own profit or sell it on dark web forums or marketplaces. These platforms operate in a highly anonymous environment, allowing cybercriminals to benefit from stolen personal and financial information without revealing their identities.
The stolen data is often sold in bulk, with scammers arranging it into bundles. These bundles may include usernames, passwords, credit card details, shipping addresses and sometimes even security question answers. The more valuable the data, the higher the price. For example, full sets of stolen credit card details, known as “fullz”, often include not only the credit card number, expiration date and CVV code, but also the cardholder’s name, billing address and phone number. This makes them particularly valuable for fraudulent transactions.
An example of a dark web ad selling user shopping data, retrieved with Kaspersky Digital Footprint Intelligence
Similarly, stolen shopping account credentials for popular platforms like Amazon, eBay or Walmart are highly sought after, as these accounts often contain saved payment methods, shipping addresses and other sensitive information that can be exploited by the buyer. Whoever acquires this data can monetize it by buying goods with the victim’s credit card, use it for money laundering and other malicious purposes.
Interestingly, darknet markets often mirror the pricing strategies and marketing techniques of legitimate online stores. Some sellers even offer special Black Friday promotions, such as discounts or bundled deals, much like what you’d see during seasonal sales in common online stores. For instance, one seller we observed offered a 10% discount on stolen card details from various countries: Canada, Australia, Italy and Spain. The sets were priced between $70 and $315 per card depending on its quality and the region it was from. This competitive pricing strategy reflects the demand and supply dynamics on the dark web, with sellers adjusting their offerings to attract buyers during specific periods much like any other retail market.
Black Friday sales on the dark web, retrieved with Kaspersky Digital Footprint Intelligence
Cybercriminals who deal with stolen credit cards — including those who sell, buy or cash them out — are known as carders. These may be individual fraudsters who use the data for their own profits or members of organized groups. Carders often buy credit cards in huge volumes to resell or capitalize on by buying high-ticket items, which they then resell or ship to drop addresses. In case of organized groups, the data may be also used for more complex schemes, like creating fake identities, opening new credit accounts or laundering money.
Conclusions
As Black Friday continues to be a major shopping event, it also remains a source of profit for cybercriminals looking to exploit consumers and businesses alike. Our analysis highlights a range of growing threats, from phishing attacks to the rise of fake mobile applications, all designed to steal money and sensitive shopping data. Scammers capitalize on the urgency and high traffic surrounding Black Friday sales, with phishing campaigns harder to spot among streams of other limited time offers.
Furthermore, the dark web continues to be a marketplace where stolen data can be swiftly sold, offering fraudsters easy access to compromised accounts, payment information and personal details. Beyond bank cards, cybercriminals target stolen credentials for popular shopping platforms like Amazon and eBay, granting them direct access to victims’ financial information and facilitating widespread fraud and identity theft.
Consumers must remain vigilant, especially during peak shopping periods, and adopt stronger security measures like two-factor authentication, secure payment options, and cautious browsing habits. Additionally, a comprehensive security solution that detects and blocks malware and phishing pages and provides financial data protection features may help users stay safe amid the shopping rush.
Poisoned Wine? Only If You Don't Pay! The Insane Blackmail of an IT Expert from Trieste
A 49-year-old man from Trieste has been committed for trial by the Court of Latina on a charge of attempted extortion. According to investigators, the man threatened several companies, including the Casale del Giglio winery in Borgo Le Ferriere, demanding payments in cryptocurrency to avert the poisoning of their products. The preliminary investigations judge, Giuseppe Cario, granted the request of prosecutor Simona Gentile, setting the start of the trial for December of next year.
The accused, described as an IT expert, followed a well-defined modus operandi. Using fake accounts, he recorded videos in which he simulated injecting poisonous substances such as thallium and cyanide into bottles bearing recognizable brands. These videos were then sent to the companies, accompanied by demands for money that reached up to 200,000 euros in cryptocurrency. The targets of his threats include well-known brands such as Ferrarelle, three mineral water companies and a winery in Puglia linked to Bruno Vespa's family.
Despite the serious threats, none of the companies is said to have given in to the blackmail. His extortion demands, which continued from August 2021 to May 2022, never produced the results he hoped for. The investigation, conducted by the Lazio Postal Police, eventually made it possible to identify and arrest the man, putting an end to his campaign of intimidation.
Among the criminal acts attributed to him, the case of Casale del Giglio, a winery in the Pontine area, stands out. He had sent the owners threatening e-mails demanding payments in Bitcoin to avoid contaminating the bottles. The investigation into this episode was entrusted to the Carabinieri of the province of Latina. In the meantime, the man has already been convicted of attempted extortion in an expedited trial in Rome and remains involved in other criminal proceedings.
The article "Poisoned Wine? Only If You Don't Pay! The Insane Blackmail of an IT Expert from Trieste" originally appeared on il blog della sicurezza informatica.
For Moody's, telecommunications move to the highest level of cyber risk
@Informatica (Italy e non Italy 😁)
What do telecommunications, airlines and the energy production industry have in common? Each sector has been placed in the "very high" risk category in the latest "cyber heat map" compiled by the rating agency Moody's.
SUDAN. Hunger, war and disease have killed more people than previously thought
@Notizie dall'Italia e dal mondo
A study reveals that the number of victims of the conflict in Sudan could far exceed official estimates. Beyond violent deaths, hunger and disease are among the leading causes of death.
The article SUDAN. Hunger, war and disease have killed more
The Barcode Beast Likes Your CDs
Over the years we’ve featured many projects which attempt to replicate the feel of physical media when playing music. Usually this involves some kind of token representation of the media, but here’s [Bas] with a different twist (Dutch language, Google Translate link). He’s using the CDs themselves in their cases, identifying them by their barcodes.
At its heart is a Raspberry Pi Pico W and a barcode scanner — after reading the barcode, the Pi calls Discogs to find the tracks, and then uses the Spotify API to find the appropriate links. From there, Home Assistant forwards them along to a smart speaker for playback. As a nice touch, [Bas] designed a 3D printed holder for the electronics which makes the whole thing a bit neater to use.
We like this approach for its relative simplicity, and because the real CDs add the retro touch, it's a real winner. You can find all the resources in a GitHub repository, should you wish to make your own. Meanwhile, it's certainly not the first barcode scanner we've seen.
WordPress alert: 4 million sites at risk due to a critical bug in Really Simple Security
A critical vulnerability has been found in the Really Simple Security plugin (formerly Really Simple SSL) for WordPress that could lead to the complete compromise of 4,000,000 sites. The Defiant specialists who discovered the bug warned that it is one of the most serious vulnerabilities they have identified in their entire 12-year history.
The Really Simple Security plugin is used on four million WordPress sites. It lets administrators add a range of security features, including SSL configuration, two-factor authentication, additional login security, vulnerability detection and more.
The vulnerability has been identified as CVE-2024-10924 (CVSS score 9.8) and is an authentication bypass that allows an unauthenticated attacker to log in as any user on the site, including the administrator.
CVE-2024-10924 affects Really Simple Security versions 9.0.0 through 9.1.1.1, in the free version as well as the Pro and Pro Multisite versions.
According to Defiant's analysts, the vulnerability stems from incorrect handling of user authentication and an insecure implementation of functions related to the REST API. Specifically, the flaw appears when two-factor authentication (2FA) is enabled. Although it is disabled by default, many administrators turn it on to improve security.
The researchers explain that the check_login_and_get_user() function verifies users using the user_id and login_nonce parameters. But if login_nonce is invalid, the request is not rejected; instead authenticate_and_redirect() is called, which authenticates the user based on user_id alone. As a result, the user is authenticated simply on the basis of the supplied ID.
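The control-flow defect described above is a fail-open check: a failed nonce verification takes a branch that still ends in a session being issued. The following is an added example written for this page, not the plugin's source code; it models the pattern in simplified WordPress-style PHP, placing the vulnerable shape beside a hardened one. The function names mirror those named in the text, but their bodies, the nonce action string and the error codes are assumptions for illustration. It relies only on the WordPress core functions wp_verify_nonce(), get_user_by(), wp_set_auth_cookie(), is_wp_error() and the WP_Error class.

```php
<?php
// Simplified model of the fail-open nonce check described above.
// Added example, not the plugin's code; helper names and the action
// string are hypothetical. Assumes WordPress core is loaded.

const EXAMPLE_2FA_NONCE_ACTION = 'example_two_factor_login_'; // hypothetical action prefix

// --- VULNERABLE pattern: invalid nonce is not a hard failure -------------
function vulnerable_check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! wp_verify_nonce( $login_nonce, EXAMPLE_2FA_NONCE_ACTION . $user_id ) ) {
        // Bug: instead of rejecting the request, fall through to a path
        // that authenticates on user_id alone.
        return vulnerable_authenticate_and_redirect( $user_id );
    }
    return get_user_by( 'id', $user_id );
}

function vulnerable_authenticate_and_redirect( int $user_id ) {
    $user = get_user_by( 'id', $user_id );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID ); // session issued without a verified nonce
    }
    return $user;
}

// --- HARDENED pattern: nonce is a precondition; failure has no side effect
function hardened_check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! wp_verify_nonce( $login_nonce, EXAMPLE_2FA_NONCE_ACTION . $user_id ) ) {
        // Explicit deny: return an error object, never a user.
        return new WP_Error(
            'invalid_login_nonce',
            'Login verification failed.',
            array( 'status' => 403 )
        );
    }
    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user', 'Unknown user.', array( 'status' => 403 ) );
    }
    return $user;
}

// The session is only issued once a WP_User (not a WP_Error) has been
// returned by the verifying function; the error propagates to the REST
// handler, which turns it into a 403 response.
function hardened_authenticate_and_redirect( int $user_id, string $login_nonce ) {
    $user = hardened_check_login_and_get_user( $user_id, $login_nonce );
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    wp_set_auth_cookie( $user->ID );
    return $user;
}
```

The defensive point is the shape of the check, not the specific call: any verification step whose failure branch can still reach wp_set_auth_cookie() is a bypass waiting to happen. A REST endpoint for a 2FA flow should return WP_Error on every failed precondition and issue the session only from a single success path.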
The Really Simple Security developers were informed of the problem on November 6, and on November 12 and 14 they released fixes for the free and Pro versions of the plugin. Given the severity of the situation, the developers and the WordPress.org team are force-pushing the patched version, Really Simple Security 9.1.2, to users. All administrators of sites using the plugin are nonetheless advised to confirm that they have actually moved to the safe version.
According to official statistics, roughly 3,500,000 sites with Really Simple Security installed may still be vulnerable to attack.
The article "WordPress alert: 4 million sites at risk due to a critical bug in Really Simple Security" originally appeared on il blog della sicurezza informatica.
marcolo
in reply to Elezioni e Politica 2025
@elezioni @Politica interna, europea e internazionale
The Ligurian analysis and the comparison with Bucci are completely off. In fact, the votes that went to the centre-right in Liguria were driven by the Ponente, where Bucci as mayor and administrator is not known at all (he is only known for the image sold by the media, newspapers and TV, friends and supporters of the campaign). Indeed, in Genoa he lost decisively, where instead he is known directly for what he did well, little, what he didn't do, a lot, and what he did badly, even more. The Ligurian comparison is therefore wrong.