And, what's better than ⌊π⌋ great CCE's (Content Creators in Educational, or Circle Constant Enthusiasts) teaming together to celebrate #PiDay?
Well, of course, it's ⌈3.9⌉ amazing guys messing around with sliding blocks on an air table to calculate π=3.9 on #PiDay2025!
😍
youtube.com/watch?v=vlUTlbZT4i…

#MattParker #StandUpMaths @Matt Parker #SteveMould #3Blue1Brown @3blue1brown @Grant Sanderson #HughHunt

I responsabili di Mozilla avvisano gli utenti di Firefox di aggiornare il proprio browser all’ultima versione per evitare potenziali crash e problemi di sicurezza. Il fatto è che uno dei certificati di root sta per scadere.

Il certificato di Mozilla scade domani, 14 marzo 2025. Questo certificato è stato utilizzato per firmare contenuti, tra cui componenti aggiuntivi di vari progetti Mozilla e di Firefox stesso.

Si consiglia agli utenti di aggiornare i propri browser alla versione 128 di Firefox (rilasciata a luglio 2024) o successiva e alla versione ESR 115.13 o successiva per gli utenti ESR (Extended Support Release).

Si noti che il problema riguarda Firefox su tutte le piattaforme, tra cui Windows, Android, Linux e macOS, ad eccezione di iOS, che utilizza un sistema di gestione dei certificati radice indipendente.

“Il certificato root (la risorsa utilizzata per verificare che un componente aggiuntivo sia approvato da Mozilla) scade il 14 marzo, il che significa che gli utenti di Firefox che utilizzano versioni precedenti alla 128 (o ESR 115) non potranno utilizzare i loro componenti aggiuntivi”, ha affermato Mozilla in un post sul blog. “Vogliamo che gli sviluppatori ne siano a conoscenza nel caso in cui alcuni utenti utilizzino versioni precedenti di Firefox che potrebbero essere interessate dal problema.”

Un altro documento di supporto di Mozilla spiega che il mancato aggiornamento di Firefox potrebbe comportare rischi e problemi significativi per gli utenti. Per esempio:

• Le estensioni dannose possono compromettere i dati o la privacy degli utenti aggirando le misure di sicurezza;
• i certificati non attendibili ti consentiranno di visitare siti fraudolenti e non sicuri senza preavviso;
• Gli avvisi sulle password compromesse potrebbero smettere di funzionare, lasciando gli utenti ignari della potenziale minaccia di compromissione dell’account.

Mozilla fa notare che gli utenti delle vecchie versioni di Firefox possono continuare a utilizzare il browser anche dopo la scadenza del certificato, se accettano i possibili rischi. Tuttavia, ciò potrebbe compromettere seriamente le prestazioni e la funzionalità del browser.

“Sebbene sia possibile utilizzare Firefox senza aggiornarlo, potrebbero verificarsi problemi quali la disattivazione delle estensioni, difficoltà con i supporti DRM e altri problemi. Saltare un aggiornamento significherà anche perdersi importanti correzioni di sicurezza e miglioramenti delle prestazioni. Consigliamo vivamente di aggiornare il browser all’ultima versione per evitare questi problemi e garantirne la sicurezza e le prestazioni”, scrivono gli sviluppatori.

L’organizzazione ha creato un thread separato per gli utenti che riscontrano problemi o hanno bisogno di aiuto per aggiornare Firefox.

L'articolo Mozilla avvisa gli utenti: Il certificato scade domani, aggiorna subito! proviene da il blog della sicurezza informatica.

We love unique displays here at Hackaday. If you can figure out how to show information on some weird object, we’re all about it. So when [Julius Curt] wrote in to share his work on the Pasta Analog Display, we were hooked from the subject line.

But in reading his account, it ended up being even better than we hoped for. Because it turns out, getting pasta to behave properly in an electromechanical device is trickier than you might think. Oh sure, as [Julius] points out, those ridges on the side of penne might make them look like gears — but after spending the time and effort to build a particularly slick 3D printed frame to actually use them as such, it turns out they just won’t cooperate. You’d think the pasta makers of the world would have some respect for mechanical tolerances, but unfortunately not.

This version of the pasta display didn’t work, but we love the design.
So if [Julius] couldn’t use the natural shape of the penne to get them to rotate, what was the alternative? First, he switched to the far larger cannelloni. Their increased internal volume, most commonly used to hold spinach and ricotta, has in this case been stuffed with a 3D printed armature. Thus each cannelloni is physically attached to a gear, which means when one of them is rotated by a 28BYJ-48 stepper motor, the rest follow.

All that’s left is to apply some artwork to the pasta (again, easier said than done), and rotate them into position. Depending on how much you can cram onto each cannelloni, the display can be rotated to show several different messages. In the video below, [Julius] shows off three distinct images rendered at the push of a button.

If you get hungry while trying to turn pasta into a workable display medium, you can always cook and eat some of your building materials. Luckily, a couple years ago Barilla released the design for an open source device to help you cook their pasta more efficiently.

youtube.com/embed/mlT0Z5JhcTU?…

hackaday.com/2025/03/14/the-tr…

Have you seen Severance? Chances are good that you have; the TV series has become wildly popular in its second season, to the point where the fandom’s dedication is difficult to distinguish from the in-universe cult of [Kier]. Part of the show’s appeal comes from its overall aesthetic, which is captured in this description of the building of one of the show’s props.

A detailed recap of the show is impossible, but for the uninitiated, a mega-corporation called Lumon has developed a chip that certain workers have implanted in their brains to sever their personalities and memories into work and non-work halves. The working “Innies” have no memory of what their “Outies” do when they aren’t at work, which sounds a lot better than it actually ends up being. It’s as weird as it sounds, and then some.

The prop featured here is the “WoeMeter” from episode seven of season two, used to quantify the amount of woe in a severed worker — told you it was weird. The prop was built by design house [make3] on a short timeline and after seeing only some sketches and rough renders from the production designers, and had to echo the not-quite-midcentury modern look of the whole series. The builders took inspiration from, among other things, a classic Nagra tape recorder, going so far as to harvest its knobs and switches to use in the build. The controls are all functional and laid out in a sensible way, allowing the actors to use the device in a convincing way. For visual feedback, the prop has two servo-operated meters and a string of seven-segment LED displays, all controlled by an ESP-32 mounted to a custom PCB. Adding the Lumon logo to the silkscreen was a nice touch.

The prop maker’s art is fascinating, and the ability to let your imagination run wild while making something that looks good and works for the production has got to be a blast. [make3] really nailed it with this one.

Thanks to [Aaron’s Outie] for the tip.

hackaday.com/2025/03/13/the-my…

All’interno del Patch Tuesday di marzo è stata inclusa la CVE-2025-24983, una Vulnerabilità di elevazione dei privilegi del sottosistema kernel Win32 di Microsoft Windows.

La Cybersecurity and Infrastructure Security Agency (CISA) ha aggiunto due nuove vulnerabilità al suo catalogo delle vulnerabilità note sfruttate, una delle quali è il CVE-2025-24983, il quale risulta sfruttato attivamente dagli attaccanti. Stessa cosa ha fatto lo CSIRT dell’Agenzia della cybersicurezza nazionale ACN con un bollettino specifico che comprende anche questa CVE.

Secondo l’azienda di sicurezza informatica ESET, che ha scoperto e segnalato la vulnerabilità, gli aggressori sfruttano questa falla in natura da marzo 2023, rendendola uno degli exploit attivi più longevi prima della correzione.

Il bug di sicurezza è presente nel sottosistema del kernel Win32 di Windows ed è stata classificata come debolezza di tipo use-after-free (UAF) che consente agli aggressori con privilegi bassi di elevare i privilegi a quelli di SYSTEM senza richiedere l’interazione dell’utente.

Nonostante il suo impatto significativo, Microsoft ha classificato la vulnerabilità come “Importante” anziché “Critica” a causa dell’elevata complessità dello sfruttamento, che richiede agli aggressori di trovarsi di fronte ad una race condition.

“La vulnerabilità è un tipo di vulnerabilità use-after-free nel driver Win32k”, ha spiegato ESET nella sua analisi tecnica. In un certo scenario ottenuto utilizzando l’API WaitForInputIdle, la struttura W32PROCESS viene dereferenziata una volta in più del dovuto, causando UAF.”

Il ricercatore ESET Filip Jurčacko, che ha scoperto l’exploit, ha scoperto che questo veniva diffuso tramite una backdoor sofisticata nota come PipeMagic.

L'articolo Una PE in Microsoft Windows sfruttata da 2 anni Nel Patch Tuesday. Aggiornare avverte CISA e ACN proviene da il blog della sicurezza informatica.

Fortinet ha rilasciato un importante aggiornamento di sicurezza che risolve diverse vulnerabilità in FortiSandbox, FortiOS e altri prodotti che potrebbero consentire agli aggressori l’accesso non autorizzato o l’esecuzione di comandi.

• Le vulnerabilità critiche identificate in FortiSandbox e FortiOS potrebbero causare l’esecuzione di comandi non autorizzati.
• I problemi più gravi includono l’iniezione di comandi del sistema operativo e i rischi di autorizzazione errata.
• I prodotti interessati sono disponibili in diverse versioni e richiedono aggiornamenti immediati per motivi di sicurezza.

Fortinet ha riconosciuto gravi vulnerabilità nei principali prodotti di sicurezza, tra cui FortiSandbox e FortiOS, con implicazioni che potrebbero esporre le organizzazioni a significativi rischi per la sicurezza.

In particolare, la vulnerabilità di command injection del sistema operativo ad alta gravità in FortiSandbox (CVE-2024-52961) consente agli aggressori di eseguire comandi arbitrari sfruttando la funzionalità di download della macchina virtuale, il che potrebbe portare a un accesso non autorizzato al sistema.

Una neutralizzazione impropria di elementi speciali utilizzati in una vulnerabilità del comando del sistema operativo [CWE-78] in Fortinet FortiSandbox versione 5.0.0, da 4.4.0 a 4.4.7, da 4.2.0 a 4.2.7 e prima della 4.0.5 consente a un aggressore autenticato con almeno l’autorizzazione di sola lettura di eseguire comandi non autorizzati tramite richieste contraffatte.

Un altro difetto ad alta gravità riguarda un’autorizzazione errata (CVE-2024-45328) che potrebbe consentire agli utenti con privilegi bassi di ottenere l’accesso alle funzioni amministrative, esponendo le operazioni sensibili a potenziali usi impropri.

Oltre a questi problemi, vulnerabilità come format string e SQL injection (CVE-2024-45324 e CVE-2024-33501) sono presenti anche in più prodotti, consentendo crash delle applicazioni o esecuzioni di comandi non autorizzati.

La portata e la gravità di queste vulnerabilità evidenziano l’importanza di un’azione immediata da parte degli utenti dei prodotti Fortinet per implementare le patch e gli aggiornamenti necessari, disponibili tramite il Product Security Incident Response Team (PSIRT) dedicato di Fortinet. Le organizzazioni devono dare priorità a questi aggiornamenti per mitigare il potenziale sfruttamento da parte di attori malintenzionati.

Fortinet consiglia vivamente ai clienti di eseguire l’aggiornamento alle versioni più recenti dei prodotti interessati, come indicato negli avvisi di sicurezza. Le organizzazioni che utilizzano FortiOS, FortiSandbox o altri prodotti interessati dovrebbero dare priorità a questi aggiornamenti in base ai livelli di gravità e alle configurazioni di distribuzione.

L'articolo Fortinet risolve molteplici vulnerabilità in FortiOS e FortiSandbox proviene da il blog della sicurezza informatica.

La Federal Communications Commission (FCC) degli Stati Uniti ha deciso di rafforzare le difese del Paese contro gli attacchi informatici e creare Consiglio speciale per la sicurezza nazionale. Il nuovo organismo si occuperà della lotta contro minacce dalla Cina e aiuterà gli Stati Uniti a mantenere la propria posizione nel campo dell’intelligenza artificiale e delle tecnologie 5G.

Il nuovo consiglio riunirà le risorse dell’FCC e proteggerà sia i cittadini sia le grandi aziende. I compiti principali del consiglio sono prevenire gli attacchi informatici, proteggere da spionaggio e riducendo la dipendenza degli Stati Uniti dalla tecnologia cinese. Il consiglio affronterà anche la concorrenza strategica con la Cina nei settori del 5G, 6G, dei computer quantistici, dei satelliti e dei sistemi autonomi.

Inoltre, negli ultimi anni, la FCC non si è limitata solo alle telecomunicazioni, ma ha iniziato a supervisionare anche i droni e i cavi sottomarini, che possono anch’essi rappresentare una minaccia per la sicurezza.

Una delle prime cose che farà il nuovo consiglio è indagine su un attacco informatico di larga che ha coinvolto il threat actors Volt Typhoon. Da mesi gli hacker cinesi sono penetrati nelle reti di telecomunicazioni americane e intercettano le chiamate.

La creazione del consiglio rientra in una più ampia strategia degli Stati Uniti per contrastare le minacce cinesi. In precedenza, strutture simili erano apparse nella CIA e nel Dipartimento di Stato. Il Dipartimento del Commercio sta già limitando l’accesso della Cina a tecnologie importanti, in particolare nei settori dell’intelligenza artificiale e della produzione di chip.

Mentre in precedenza gli Stati Uniti avevano imposto sanzioni a singole aziende cinesi, ora l’approccio cambierà: la FCC si concentrerà sulla protezione di interi settori. Ciò contribuirà a impedire che le sanzioni vengano aggirate quando le aziende cambiano semplicemente nome. Particolare attenzione sarà rivolta ai servizi cloud, ai data center, ai droni, alle auto intelligenti e all’elettronica di consumo.

L’ambasciata cinese non ha ancora commentato la creazione del consiglio.

Ricordiamo che un gruppo di repubblicani al Senato degli Stati Uniti ha invitato l’amministrazione di Donald Trump a lanciare operazioni informatiche offensive contro la Cina. La mossa è stata motivata dai recenti attacchi hacker collegati alle agenzie di intelligence cinesi, che hanno colpito importanti reti americane.

L'articolo Guerra Digitale: Gli USA Alzano le Difese contro gli Hacker Cinesi! proviene da il blog della sicurezza informatica.

Astrophotography, and astronomy in general, takes some fairly specialized tools and a high amount of precision. Setting up the equipment can also take a lot of time, especially for amateurs traveling to various locations with their equipment, so anything that can reduce the amount of time spent looking for objects and increasing the amount of time looking at them is a welcome addition, especially since nights where conditions are ideal for these activities can be rare. [Anton] developed this real-time tracking tool for deep sky objects (DSOs) to keep tabs on most of the interesting things out there a telescope can be pointed at.

[Anton] calls his tool the Nova DSO Altitude Tracker and gets its information from SIMBAD, updating every minute for a given location on the planet. With that location data, the program calculates altitude and azimuth for various objects and also helps the user keep track of other important variables like moon illumination and angle above the horizon. It also allows the user to highlight specific objects of interest, making sure they are front and center throughout the session. Each DSO can be selected from a list to display detailed information about it such as its path, time visible in the sky, and other properties.

To get the program running, essentially all that’s required is a computer capable of running Python and a display of some sort. From there it provides a quick view of the best objects to point one’s telescope or camera at without any guesswork. With all of the code available it shouldn’t be too much of a leap to do other things with the underlying software, either, such as tying it into a tracker of some sort like this DIY telescope tracking device we featured a while back.

hackaday.com/2025/03/13/tracki…

Everyone knows that there is only one proper English, with the rest being mere derivatives that bastardize the spelling and grammar. Despite this, the hoodlums who staged a violent uprising against British rule in the American colonies have somehow made their uncouth dialect dominant in the information technologies that have taken the world by storm these past decades. In this urgent mission to restore the King’s English to its rightful place, we fortunately have patriotic British citizens who have taken it upon themselves to correct this grave injustice. Brave citizens such as [Declan Chidlow], whose BritCSS project is a bright beacon in these harrowing times.

Implemented as a simple, 14 kB JavaScript script to be included in an HTML page, it allows one to write CSS files using proper spelling, such as background-colour and centre. Meanwhile harsh language such as !important is replaced with the more pleasant !if-you-would-be-so-kind. It is expected that although for now this script has to be included on each page to use BritCSS, native support will soon be implemented in every browser, superseding the US dialect version. [Declan] has also been recommended to be awarded the Order of the British Empire for his outstanding services.

hackaday.com/2025/03/13/britcs…

The proliferation of affordable lithium batteries has made modern life convenient in a way we could only imagine in the 80s when everything was powered by squadrons of AAs, or has it? [Ian Bogost] ponders whether sticking a lithium in every new device is really the best idea.

There’s no doubt, that for some applications, lithium-based chemistries are a critically-enabling technology. NiMH-based EVs of the 1990s suffered short range and slow recharge times which made them only useful as commuter cars, but is a flashlight really better with lithium than with a replaceable cell? When household electronics are treated as disposable, and Right to Repair is only a glimmer in the eye of some legislators, a worn-out cell in a rarely-used device might destine it to the trash bin, especially for the less technically inclined.

[Bogost] decries “the misconception that rechargeables are always better,” although we wonder why his article completely fails to mention the existence of rechargeable NiMH AAs and AAAs which are loads better than their forebears in the 90s. Perhaps even more relevantly, standardized pouch and cylindrical lithium cells are available like the venerable 18650 which we know many makers prefer due to their easy-to-obtain nature. Regardless, we can certainly agree with the author that easy to source and replace batteries are few and far between in many consumer electronics these days. Perhaps new EU regulations will help?

Once you’ve selected a battery for your project, don’t forget to manage it if it’s a Li-ion cell. With great power density, comes great responsibility.

hackaday.com/2025/03/13/have-l…

A piece of glass, some bits of tinfoil, a sheet of plastic, a couple of razor blades, and a few assorted bits and bobs are all it takes to build this TEA nitrogen laser. Oh, and a 5,000-volt flyback supply with enough amperage to stop your heart. You’ll need that too.

Seriously, if you choose to follow [MultiverseCurator] ‘s example and build this laser, you’ll want to take the proper precautions. A transversely excited atmospheric laser is simple in concept, but there are plenty of ways for them to go wrong. Unlike the gas lasers used in laser cutters, there’s no enclosed resonator cavity or mirrors. Rather, the excitation takes place across a narrow gap between two electrodes, using atmospheric nitrogen as the lasing medium. This results in hard UV emissions, which means you can’t see them with the naked eye. Add to that the spark gap creating extremely loud discharges as the laser operates, and hazards abound. Proceed with caution.

Construction starts with a flat glass plate and a pair of large capacitors made from aluminum foil plates separated by a plastic dielectric. The razor blades are connected across the capacitors, separated by a narrow gap, with an inductor made from magnet wire in parallel. A spark gap made from nuts and bolts goes in series, and the whole assembly gets connected to a high-voltage power supply — [Multiverse] used a ZVS driver and a CRT flyback transformer with an eight-megohm resistor in series. The video below has all the build details.

It’ll take a little fiddling to get it lasing, and you’ll need something phosphorescent to see the UV light — a scrap of copy paper should do. But the results are pretty amazing for something made from scrap. If you want to take the design to the next level, you’ll want to check out [Les Wright]’s TEA laser build.

youtube.com/embed/uLyVpYIYT1E?…

hackaday.com/2025/03/13/got-ju…

You can argue if bash is a good programming language or not, but you can’t argue that it is a programming language. However, there are a few oddities about it that make it different from most other languages you probably know. For one thing, variables are dynamically scoped. Second, you can easily change variables in an upper scope. This leads to a problem when you want to do something like reset your path:
#!/bin/bash
#: This does NOT work
PATH=/usr/bin:/bin

Well, actually, it does work; it just doesn’t work the way you imagine it might. The key is to realize that when you execute our script (say, resetpath), a new copy of bash runs. It inherits all the variables from your shell. Now the script sets PATH for the new copy of bash. Anything else you run in that script will see your change. But when the script exits, the new copy of bash is gone and the old copy sees the same old PATH it always did.

Sometimes, this is a benefit, similar to “call by value” in other languages. However, what if you want to influence things? What’s more is that the situation is just the opposite within bash functions. For example:
#!/bin/bash

b() {
echo B: $x
x=200
}

a() {
x=100
b
echo A: $x
}

a
#: output
#: B: 100
#: A: 200

Function b has no difficulty reading and even setting variable x.

The Answer, Of Source Course

The answer to the first problem is to use the source command (which can be either the word source or a single period). This tells bash to avoid running a new interpreter and just pretend you’d entered all the lines in a file from the console.

This is great sometimes. Our resetpath script will actually work just fine with either of these commands:
source resetpath
. resetpath

You don’t even need the #! line, although it doesn’t hurt. However, there are a few problems.

The Catches

First, if you exit, then you exit the entire shell, not something you probably meant to do. Second, you wind up polluting the variable space of the parent. For example, if your script creates a function X, with a regular shell script, that function goes away as soon as your script stops. With a source script, function X now will live forever unless you do something about it.

Neither of these problems are insurmountable, of course, and you’ll see a few ways to address it in the example code in this post.

A Simple Example

If you spend a lot of time on the command line, you might want to have shortcut names for directories. What’s more, you might want to execute a little script when you go to particular directories or even when you leave them.

My plan is to keep a simple file in ~/.proj_dirs. To keep things simple, I’m assuming you can figure out the bash format:
PROJ_DIRS["docs"]="~/library/documents"
PROJ_DIRS["video"]="~/library/videos"
PROJ_DIRS["arduino"]="/home/alw/projects/embedded/Arduino"
. . .
The eventual goal is to replace the cd command (or, at least, allow for that). However, it would be a pain to have to write something like “source pcd arduino” every time.

The Alias Solution

The answer is pretty simple. You can create a script that can install itself as an alias. Here’s the basic flow:
#!/bin/bash
#: This is not a bash shell script
#: But needs to be sourced. However...
#: Try:
#: eval $(__project_dir.sh --__install project_dir)
if [ "$1" == "--__install" ] # this should only be called from "real" script
then
aname="$2"
if [ "$aname" == "" ]
then
aname="pcd"
fi
echo -n "alias '$aname'='source "
aname=$(realpath -s "$0")
echo "$aname'"
exit 0
fi
#: Your source script goes here
...

The idea is that if you run as a regular script with –__install, it returns the alias command. You can then eval that in, for example, a startup script (like .bashrc or .profile), and then you’ll have the alias you want. By default, the code uses pcd, although you can set up any name you like on the command line. You could even create an alias for cd if you wanted to do that.

Why Not Automatic?

You could, of course, detect if you were running normally or as a source automatically. Turns out this is somewhat finicky across shells, although if you are sure you are always using real bash, it is feasible. For example:
if [[ "${BASH_SOURCE[0]}" == "$0" ]]
then
echo I am not sourced!
fi

Variables

Once you have the basic framework, it is easy to write the scripts to read the “database” (also using source) and do the actual work. However, there is a slight problem. Once you produce all the variables you need to do the work, it leaves all that pollution in your shell’s namespace.

Of course, you could write a function to clean up everything you use, but that’s a pain and error prone, too. A better idea is to write your code in a bash function. Then you can use local variables that will go away when the function returns. That leaves you with just your function to clear up with unset.

That leads to this simple framework:
#!/bin/bash
if [[ "${BASH_SOURCE[0]}" == "$0" ]]
then
if [ "$1" == "--__install" ] # this should only be called from "real" script
then
aname="$2"
if [ "$aname" == "" ]
then
aname="pcd" # default alias name
fi
echo -n "alias '$aname'='source "
aname=$(realpath -s "$0")
echo "$aname'"
exit 0
fi
echo "You must source this script"
exit 1
fi

#: Ok your script goes here

main() {
. . .

}

#: Be sure to have this at the end
#: Actually named with underscores in the real code
#: But that upsets the rendering in browser
#: Actual code at gist.github.com/wd5gnr/c5681f2…
go() {
local tmprv
main "$@"
tmprv=$?
unset main, go
return $tmprv
}

go "$@"
return $?
The very bottom calls the go function, which calls your main function. Then the go function destroys your main function and itself. If you create new functions that you don’t want to keep around, you’ll need to destroy them yourself. Besides, you might be creating functions you want to keep, so the framework can’t decide.

The Whole Thing

You can find the entire example on GitHub. Outside of the management of the alias and the variable scope, the script is unremarkable. Note the optional scripts in the directories (.dir_enter and .dir_exit) are sourced also, so they only need to be readable (-r) not executable (-x).

The only other nuance is that if you enter anything as a directory that the program doesn’t recognize, it assumes it is an actual directory, so you can use this to replace the cd command entirely if you want.

Since the script can tell if it is sourced or not, it is possible to start in the source mode and then call yourself as a normal script to do work where that makes more sense. As usual with bash, there are lots of possibilities.

We talk about bash programming a lot around here. Debugging can be helpful, although they haven’t packaged the debugger for newer versions of bash lately.

hackaday.com/2025/03/13/linux-…