Ci sono avvenimenti musicali unici ed irripetibili, performance che riescono a fondere in maniera profonda e forte formando un legame alchemico ed indissolubile fra musica e luogo come nel caso del concerto dei Bosco Sacro presso la Chiesa Armena, diventato ora un disco “Live at Chiesa Armena” su Go Down Records. #musica @Musica Agorà

iyezine.com/bosco-sacro-live-a…

Bosco Sacro - Live At Chiesa Armena

Bosco Sacro - Live At Chiesa Armena - Bosco Sacro - Live At Chiesa Armena: Uno di quei rari capolavori che liberano mente e anima. - Bosco Sacro

^{Massimo Argo (In Your Eyes ezine)}

Elliot does the podcast on the road to Supercon Europe, and Al is in the mood for math and nostalgia this week. Listen in and find out what they were reading on Hackaday this week.

The guys talked about the ESP-32 non-backdoor and battery fires. Then it was on to the hacks.

Self-balancing robots and satellite imaging were the appetizers, but soon they moved on to Kinect cameras in the modern day. Think you can’t travel at the speed of light? Turns out that maybe you already are.

Did you know there was a chatbot in 1957? Well, sort of. For the can’t miss stories: watches monitor your heart and what does the number e really mean?

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download in DRM-free MP3 and stream it on the big speakers.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 312 Show Notes:

News:

• The ESP32 Bluetooth Backdoor That Wasn’t
• Open Safety In The Auto Business: Renault Shares Its Battery Fire Suppression Tech
• Hackaday Europe 2025 Welcomes David Cuartielles, Announces Friday Night Bring-a-Hack

What’s that Sound?

• We had a ton of answers this week, and many of them were correct. It was a disposable film camera being wound and shot. Congratulations to [Bobby Tables] for getting the correct answer and winning the webcam-driven dice toss.

Interesting Hacks of the Week:

• Taming The Wobble: An Arduino Self-Balancing Bot
  
  • PIDDYBOT – A Self Balancing Teaching Tool
  • Building A Self-Balancing Robot Made Easy
  • Self-balancing Arduino Does It Without An IMU
  • Yet Another Self-Balancing Unicycle
  • Self-balancing Robot Keeps Things On The Straight And Narrow
  • en.wikipedia.org/wiki/Model_pr…
  • github.com/kerrj/segway

  
  

• Satellite Imagery You Can Play With
• The Strange Afterlife Of The Xbox Kinect
• You Are Already Traveling At The Speed Of Light
• Lies, Damned Lies, And IGBT Datasheets
• Fictional Computers: EMERAC Was The Chatbot Of 1957

Quick Hacks:

• Elliot’s Picks:
  
  • FlyingCam Is A Sweet DIY Webcam On A Stick
  • How To Use LLMs For Programming Tasks
  • Some Useful Notes On The 6805-EC10 Addressable RGB LED

  
  

• Al’s Picks:
  
  • Classy Paper Tape Reader Complements Homebrew Retrocomputer
  • What’s Wrong With This Antenna Tuner?
  • Clock Mechanism Goes Crazy For Arduino

  
  

Can’t-Miss Articles:

• Pixel Watch 3’s Loss Of Pulse Detection: The Algorithms That Tell Someone Is Dying
• You Know Pi But Do You Really Know E?

hackaday.com/2025/03/14/hackad…

Apple prevede di introdurre una funzione di traduzione simultanea nelle cuffie AirPods, secondo le informazioni provenienti da fonti Bloomberg. La nuova funzionalità consentirà agli utenti di comunicare con gli stranieri in tempo reale, senza bisogno di dispositivi aggiuntivi.

La tecnologia verrà introdotta come parte di un aggiornamento software degli AirPods, previsto per la fine dell’anno. Secondo quanto riportato da fonti anonime, la funzionalità sarà integrata in iOS 19, il prossimo aggiornamento del sistema operativo per i dispositivi mobili Apple.

Vale la pena notare che le cuffie della concorrenza, come le Google Pixel Buds, offrono una funzionalità simile da diversi anni. Anche Apple stessa ha presentato la propria app di traduzione Translate per iPhone nel 2020.

Nonostante ciò, l’innovazione promette di offrire agli utenti di AirPods un’esperienza che ricorda la tecnologia di Star Trek. La funzionalità funzionerà in questo modo: se un madrelingua inglese ascolta qualcuno che parla spagnolo, l’iPhone tradurrà il discorso e lo trasmetterà in inglese agli AirPods dell’utente.

Allo stesso tempo, le parole dell’utente di lingua inglese verranno tradotte in spagnolo e riprodotte tramite l’iPhone. Un portavoce di Apple con sede a Cupertino, California, ha rifiutato di rilasciare dichiarazioni.

La nuova funzionalità fa parte di un importante aggiornamento software Apple che include anche modifiche a macOS. Si prevede che iOS 19 apporterà miglioramenti alla tecnologia di traduzione, che andranno oltre gli AirPods.

Apple continua a migliorare gli AirPods senza richiedere la sostituzione dei dispositivi. L’anno scorso, l’azienda ha aggiunto funzionalità per la salute dell’udito agli AirPods Pro di seconda generazione. Sono in fase di sviluppo anche nuove versioni delle cuffie, tra cui le AirPods Pro di terza generazione e un modello con telecamere dotate di intelligenza artificiale per analizzare l’ambiente circostante.

Si prevede che i dettagli dell’aggiornamento verranno svelati durante la conferenza annuale WWDC nell’estate del 2025.

L'articolo Apple promette la Traduzione Simultanea. Gli AirPods avranno una tecnologia alla Star Trek proviene da il blog della sicurezza informatica.

Pi Day is here! We bet that you know that famous constant to a few decimal points, and you could probably explain what it really means: the ratio of a circle’s circumference to its diameter. But what about the constant e? Sure, you might know it is a transcendental number around 2.72 or so. You probably know it is the base used for natural logarithms. But what does it mean?

The poor number probably needed a better agent. After all, pi is a fun name, easy to remember, with a distinctive Greek letter and lots of pun potential. On the other hand, e is just a letter. Sometimes it is known as Euler’s number, but Leonhard Euler was so prolific that there is also Euler’s constant and a set of Euler numbers, none of which are the same thing. Sometimes, you hear it called Napier’s constant, and it is known that Jacob Bernoulli discovered the number, too. So, even the history of this number is confusing.

But back to math, the number e is the base rate of growth for any continually growing process. That didn’t help? Well, consider that many things grow or decay through growth. For example, a bacteria culture might double every 72 hours. Or a radioactive sample might decay a certain amount per century.

Classic

The classic example is compound interest. Suppose you have $100, and you put it in the bank for a 10% per year return (please tell us where we can find that, by the way). So at the end of the year, we have $110, right? But what if you compound it every six months?

To figure that out, you look at the $100 after six months. The annual interest on the money is still $10, but we are only at 6 months, so prorated, that $5. Therefore, after six months, we have $105. At the end of the year, we look at the 10% of $105 ($10.50). That’s still for a year, so we need to halve it ($5.25) and add it in ($105+105.25=110.25). So, compounding every six months means we get an extra quarter compared to simple interest.

What if it was compounded monthly? Now, we divide our interest by 12, but we have a little more money every month. After the first month, we have $100.83 ($100.00 + 10/12). The second month’s net is $101.67. By the end of the year, you have $110.47. Not quite twice as much extra as you had before.

So what if you could compound weekly? Or daily? Or hourly? Generally, you’ll get more, at least up to a point. Eventually, the interest will be split up so much that it will balance the increase and, at that point, you won’t make any more. There is an upper limit to how much money we can have at the end of the year at 10%, no matter how often you compound the interest.

So Where’s e?

Assume you could get a 100% return on your money (definitely let us know how to do that). That means if you go for a year, that’s a return of 2 — you double your money. But if you split the year in half and compound, you get 2.25 times the original amount. You can try a few more splits, and you’ll find the equation for growth is (1+1/n)[sup]n[/sup]. That is, if you only compute it once (n=1), you get double (1+1). If you compute interest twice, you get 2.25 (that is, (1+1/2)[sup]2[/sup]).

If you set n to 1,000, the return will be 2.7169. That’s even better than 2.25. So 100,000 should be wildly better, right? Not so much. At 100,000 you get a 2.71814 return. At 10,000,000 the rate is 2.71828 (or so).

Look at those numbers. Going from 1,000 to 10,000,000 only increases yield by about 0.001. If you know calculus, you might know how to take the limit of the growth equation. If not, you can still see it is going to top off at around 2.718. Those are the first digits of e.

Of course, e is like pi — transcendental — so you can’t ever get all the digits. You just keep getting closer and closer to the actual value. But 2.718 is pretty close for practical purposes.

Scaling

We can scale e to whatever problem we have at hand. We just have to be mindful of the starting amount, the rate, and what a time period means. For example, to work with our 10% rate (instead of 100%) we have to consider the rate e^0.10 or about 1.105. Then, to scale for amounts, we have to multiply by the rate. So remember our $100 at 10% example? Our maximum return is 100 x 1.105 = 110.50. Why did we only get $110.47? Because we compounded 12 times. The $110.50 result is the maximum.

More Years

You can also multiply the rate by the number of periods. So if we left the money in for five years: 100 x e^{(0.10 x 5)}. If you think about it, then, making 50% for one year has the same maximum as making 10% for 5 years (or 25% for 2 years).

Negative Growth?

Suppose you have 120 grams of some radioactive material that decays at a rate of 50% per year. How much will be left after three years? Simplistically, it seems like the answer is that it will be depleted after two years. But that’s not true.

Just as compounding adds more money, a decay rate removes some of the radioactive material, meaning the absolute decay rate gets slower and slower with time because it is a percentage of the radioactive material’s mass.

Just for the sake of an example, suppose at some imaginary small period, the sample is at 100 grams and, thus, the decay rate is 50 grams/year. Later, the sample is at 80 grams. The decay rate is 40 grams/year, so it will take longer to go from 80 to 60 than it did to go from 100 to 80.

In this case, the rate is negative, so the formula will be 120 x e[sup](-0.5 x 3)[/sup]. That means you will have about 26.8 grams of radioactive material left in three years.

Modeling

Consider the classic equation for an RC circuit: Vc=Vs(1-e[sup](-t/(RC))[/sup]). Here, Vc is the capacitor voltage, Vs is the supply voltage, t is in seconds, and RC is the product of the resistance in ohms and the capacitance in farads.

What can we infer from this? Well, you could also write this as: Vc=Vs-Vs x e[sup](-t/(RC))[/sup]. Looking at our earlier model for money, it is plain that Vs is the voltage we start with, t is the time, and rate is -1/RC (time can’t be negative, after all). That makes sense because RC is the time constant in seconds, so 1/RC is the rate per second. The formula tells us how much voltage is charged in the capacitor, and subtracting that from Vs gives us the voltage drop across the capacitor.

Think about this circuit:

At t=0, we have Vs(1-e⁰), which is 0. At t=0.5, the voltage should be about 7.86V; at t=1, it should be up to 10.57V. As you can see, the simulation matches the math well enough.

Discharging is nearly the same: Vc=V0 x e[sup](-t/(RC))[/sup]. Obviously, V0 is the voltage you started with and, again -1/RC is the rate.

So Now You Know!

There’s a common rule of thumb that after a time period (RC) a capacitor will charge to about 63% or discharge to about 37%. Now that you know the math, you can see that e[sup]-1[/sup]=0.37 and 1-e[sup]-1[/sup]=0.63. If you want to do the actual math, you can always set up a spreadsheet.

Anything that grows or shrinks exponentially is a candidate for using an equation involving e. That’s why it is a common base for logarithms. Of course, most slide rules use logarithms, but not all of them do.

(Title image showing e living in pi’s shadow adapted from “Pi” by [Taso Katsionis] via Unsplash.)

Sono stata assente dalla rete per svariati motivi: alcuni dei quali sono la stanchezza e il disorientamento, non per il passaggio da meta al fediverso, ma a livello psicologico.
Ora va meglio, anche se non benissimo.

Piccole ma importanti novità: martedì ho iniziato una formazione (formatrice - animazione di formazione, per adulti) che durerà fino a fine anno (corsi serali), vediamo dove mi porterà.
E lunedì prossimo avrò un colloquio di lavoro, il luogo di lavoro è a 2 km da casa e le condizioni sembrano buone🤞

Geothermal heat is a tantalizing source of energy that’s quite literally right below our feet. At the same time geothermal energy is hard to develop as the Earth’s crust is too thick in most places, limiting this to areas where magma is close enough to the surface and the underground rock permeable enough for water. The Utah FORGE facility is a field site were researchers are developing and testing ways to increase the scope of geothermal energy.

An Enhanced Geothermal System (EGS) is designed to be capable of using geothermal energy where this is normally not feasible through a technique that’s reminiscent of the hydraulic fracturing (‘fracking’) used by the oil and gas industry, but rather than creating more fractures, it instead uses hydro-shearing to prop open existing fractures and thus create the through-flow of water needed to extract geothermal energy.

So far FORGE has reported the successful creation of a geothermal reservoir where before there was none. This facility is located in the Milford valley in southwest Utah, which has some hydrothermal activity at the nearby Roosevelt Hot Springs, but through EGS other parts of this valley and similar areas could conceivably be used for generating electricity and for community heating as well. In a 2024 study by University of Utah scientists, it is described how the Milford valley’s volcanic past has left a large body of magma below a thick barrier of granitic rock that could provide access to geothermal resources with EGS to create the requisite fluid permeability.

FORGE is not the only facility working on EGS, but many other sites around the world having ceased activities after issues ranging from induced seismicity, susceptibility to earthquakes and budget shortages. Much like fracking, EGS is likely to cause earthquakes. Whether EGS can be made economically feasible still remains to be seen.

hackaday.com/2025/03/14/utahs-…

We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP Synchronization requests, with spoofed source IPs.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

That ESP32 Backdoor

As Maya says, It Really Wasn’t a backdoor. The Bleeping Computer article and Tarlogic press release have both been updated to reflect the reality that this wasn’t really a backdoor. Given that the original research and presentation were in Spanish, we’re inclined to conclude that the “backdoor” claim was partially a translation issue.

The terminology storm set aside, what researchers found really was quite interesting. The source of information was official ESP32 binaries that implement the Bluetooth HCI, the Host Controller Interface. It’s a structured format for talking to a Bluetooth chip. The official HCI has set aside command space for vendor-specific commands. The “backdoor” that was discovered was this set of undocumented vendor-specific commands.

These commands were exposed over the HCI interface, and included low-level control over the ESP32 device. However, for the vast majority of ESP32 use cases, this interface is only available to code already running on the device, and thus isn’t a security boundary violation. To Espressif’s credit, their technical response does highlight the case of using an ESP32 in a hosted mode, where an external processor is issuing HCI commands over something like a serial link. In that very narrow case, the undocumented HCI commands could be considered a backdoor, though still requires compromise of the controlling device first.

All told, it’s not particularly dangerous as a backdoor. It’s a set of undocumented instructions that expose low-level functions, but only from inside the house. I propose a new term for this: a Basementdoor.

The Fake Recruitment Scam

The fake recruitment scam isn’t new to this column, but this is the first time we’ve covered a first-hand account of it. This is the story of [Ron Jansen], a freelance developer with impressive credentials. He got a recruiter’s message, looking to interview him for a web3 related position. Interviews often come with programming tasks, so it wasn’t surprising when this one included instructions to install something from Github using npm and do some simple tasks.

But then, the recruiter and CTO both went silent, and [Ron] suddenly had a bad feeling about that npm install command. Looking through the code, it looked boring, except for the dependency NPM package, process-log. With only 100-ish weekly downloads, this was an obvious place to look for something malicious. It didn’t disappoint, as this library pulled an obfuscated blob of JSON code and executed it during install. The deobfuscated code establishes a websocket connection, and uploads cookies, keychains, and any other interesting config or database files it can find.

Once [Ron] new he had been had, he started the infuriating-yet-necessary process of revoking API keys, rotating passwords, auditing everything, and wiping the affected machine’s drive. The rest of the post is his recommendations for how to avoid falling for this scam yourself. The immediate answer is to run untrusted code in a VM or sandbox. There are tools like Deno that can also help, doing sandboxing by default. Inertia is the challenge, with a major change like that.

Camel CamelCase RCE

Apache Camel is a Java library for doing Enterprise Integration Patterns. AKA, it’s network glue code for a specific use case. It sends data between endpoints, and uses headers to set certain options. One of the important security boundries there is that internal headers shouldn’t be set by outside sources. To accomplish that, those headers are string compared with Camel and org.apache.camel as the starting characters. The problem is that the string comparison is exact, while the header names themselves are not case sensitive. It’s literally a camelCase vulnerability. The result is that all the internal headers are accessible from any client, via this case trickery.

The vulnerability has been fixed in the latest release of Camel. The seriousness of this vulnerability depends on the component being connected to. Akamai researchers provided a sample application, where the headers were used to construct a command. The access to these internal values makes this case an RCE. This ambiguity is why the severity of this vulnerability is disputed.

Bits and Bytes

Researchers at Facebook have identified a flaw in the FreeType font rending library. It’s a integer underflow leading to a buffer overflow. An attacker can specify a very large integer value, and the library will add to that variable during processing. This causes the value to wrap around to a very small value, resulting in a buffer much too small to hold the given data. This vulnerability seems to be under active exploitation.

We don’t normally see problems with a log file leading to exploitation, but that seems to be the situation with the Below daemon. The service runs as root, and sets the logfile to be world readable. Make that logfile a symlink to some important file, and when the service starts, it overwrites the target file’s permissions.

Microsoft’s Patch Tuesday includes a whopping six 0-day exploits getting fixed this month. Several of these are filesystem problems, and at least one is an NTFS vulnerability that can be triggered simply by plugging in a USB drive.

The ruby-saml library had a weird quirk: it used two different XML parsers while doing signature validations. That never seems to go well, and this is not any different. It was possible to pack two different signatures into a single XML document, and the two different parsers would each see the file quite differently. The result was that any valid signature could be hijacked to attest as any other user. Not good. An initial fix has already landed, with a future release dropping one of the XML parsers and doing a general security hardening pass.

hackaday.com/2025/03/14/this-w…

Cisco ha recentemente pubblicato avvisi di sicurezza riguardanti diverse vulnerabilità nel suo software IOS XR, con particolare attenzione alla CVE-2025-20115, una grave falla di corruzione della memoria nell’implementazione della confederazione Border Gateway Protocol (BGP).

In telecomunicazioni e informatica il Border Gateway Protocol (BGP) è un protocollo di routing di tipo EGP usato per connettere tra loro più router che appartengono a sistemi autonomi (Autonomous System, AS) distinti e che vengono chiamati router gateway o router di bordo/confine. È quindi un protocollo di routing inter-AS, nonostante possa essere utilizzato anche tra router appartenenti allo stesso AS (nel qual caso è indicato con il nome di iBGP, Interior Border Gateway Protocol), o tra router connessi tramite un ulteriore AS che li separa (eBGP, External Border Gateway Protocol).

Il bug rilevato su IOS XR

Questa vulnerabilità, con un punteggio CVSS di 8,6, potrebbe consentire ad attaccanti remoti non autenticati di provocare una condizione di negazione del servizio (DoS) sull’infrastruttura di rete colpita. Il problema deriva da un errore di gestione della memoria che si verifica quando un aggiornamento BGP include un attributo AS_CONFED_SEQUENCE contenente 255 o più numeri di sistema autonomo (AS).

Secondo l’avviso di sicurezza pubblicato da Cisco il 12 marzo 2025, un attaccante potrebbe sfruttare questa vulnerabilità inviando aggiornamenti BGP manipolati, provocando un buffer overflow che causa il riavvio del processo BGP e un’interruzione della rete. Il rischio è particolarmente elevato per le organizzazioni che utilizzano IOS XR con la confederazione BGP attiva, comprese le versioni 7.11 e precedenti, 24.1 e precedenti, e da 24.2 a 24.2.20. L’exploit richiede che l’attaccante controlli uno speaker della confederazione BGP all’interno dello stesso sistema autonomo della vittima o che l’attributo AS_CONFED_SEQUENCE superi naturalmente la soglia critica.

Per mitigare il rischio, Cisco ha rilasciato aggiornamenti che risolvono la vulnerabilità nelle versioni 24.2.21, 24.3.1 e 24.4 di IOS XR. Le organizzazioni che non possono aggiornare immediatamente possono applicare una soluzione temporanea, limitando l’attributo AS_CONFED_SEQUENCE a un massimo di 254 numeri AS tramite una policy di routing dedicata. Gli amministratori di rete possono verificare la vulnerabilità dei propri dispositivi eseguendo il comando “show running-config router bgp”: se l’output include “bgp confederation peers”, il dispositivo potrebbe essere esposto al rischio.

Al momento, il Product Security Incident Response Team (PSIRT) di Cisco non ha segnalato attacchi attivi che sfruttano questa vulnerabilità. Tuttavia, le organizzazioni sono invitate ad aggiornare i propri sistemi o ad adottare le contromisure suggerite il prima possibile per ridurre il rischio di interruzioni di servizio e garantire la stabilità della rete.

L'articolo Reti BGP a rischio Crash! Un bug in Cisco IOS XR può causare il down delle reti! proviene da il blog della sicurezza informatica.

Il quarto round del concorso PQC (Post Quantum Cryptography) del National Institute of Standards and Technology (NIST) statunitense ha selezionato l’HQC come meccanismo di incapsulamento secondario delle chiavi (KEM) rispetto al precedente algoritmo post-quantistico ML-KEM (basato su CRYSTALS-Kyber).

L’HQC o “Hamming Quasi-Cyclic” è un KEM basato su codice che utilizza il problema di decodifica della Quasi-Cyclic syndrome, crittograficamente impegnativo, come base e costruito attorno al concetto di codici di correzione degli errori. Il NIST ha dichiarato di aver scelto l’HQC come algoritmo di riserva per ML-KEM, che utilizza un approccio matematico diverso.

ML-KEM è un algoritmo modulare basato su reticolo che è stato selezionato dal NIST nel 2022 e standardizzato nel Federal Information Processing Standard FIPS 203 nell’agosto 2024. Date queste differenze, se ML-KEM si rivela vulnerabile agli attacchi quantistici, l’HQC sarebbe improbabile avere la stessa vulnerabilità e potrebbe essere invece utilizzato.

“Le organizzazioni dovrebbero continuare a migrare i loro sistemi di crittografia agli standard NIST finalizzati nel 2024. Stiamo annunciando la selezione di HQC perché vogliamo avere uno standard di backup che si basa su un approccio matematico diverso rispetto a ML-KEM.” — Ha detto Dustin Moody, matematico presso NIST. Source.

Lo Status Report rilasciato al quarto round del concorso PQC discute i quattro algoritmi finalisti – HQC, BIKE, Classic McEliece e SIKE. Anche se ci sono vantaggi simili a BIKE in quanto potrebbe anche completare ML-KEM sulla base delle sue differenze matematiche, e la sua base in codice quasi-ciclico, il fattore decisivo per il NIST di selezionare l’HQC sopra gli altri algoritmi era la sua stima relativamente stabile e bassa Decryption Failure Rate (DFR) – dove il testo cifrato non può essere decodificato a causa di un errore.

Perché abbiamo bisogno della crittografia post-quantica?

Lo sviluppo sempre più rapido dell’informatica quantistica è una grande conquista del XXI secolo, tuttavia per la comunità della sicurezza informatica comporta un rischio molto elevato. Gran parte della crittografia che utilizziamo oggi potrebbe essere minacciata da un computer quantistico sufficientemente avanzato, che sfrutta alcuni principi fisici per ‘bypassare‘ le ipotesi matematiche che continuano a proteggere i dati dai tentativi di decrittazione dei computer classici.

Post-Quantum Cryptography (PQC) è la crittografia progettata per essere sicura da attacchi quantistici e classici, che possono essere eseguiti su macchine classiche. Man mano che vengono fatte sempre più scoperte con la tecnologia dei computer quantistici, compreso il recente annuncio di Majorana 1 da parte di Microsoft, l’avvento di un computer quantistico crittograficamente rilevante si avvicina.

Per garantire che la nostra vita digitale quotidiana continui ad essere protetta da una forte crittografia, è necessario sviluppare e attuare algoritmi speciali che non siano suscettibili di attacchi quantistici. Il concorso NIST PQC ha finora selezionato 5 algoritmi progettati per funzionare su computer classici, di cui tre già standardizzati lo scorso anno.

Il recente annuncio da parte del NIST della selezione di HQC come meccanismo chiave di incapsulamento post-quantistico segna un altro passo positivo per la sicurezza delle informazioni digitali nel l’era quantistica che si avvicina.

References:

• NIST Status Report 8545: nvlpubs.nist.gov/nistpubs/ir/2…
• NIST Announcement nist.gov/news-events/news/2025…
• HQC Website pqc-hqc.org/

L'articolo Il NIST sceglie il secondo algoritmo Post Quantum di incapsulamento delle chiavi KEM proviene da il blog della sicurezza informatica.

Il gruppo Volt Typhoon ha operato segretamente nei sistemi del Dipartimento di luce e acqua elettrica di Littleton, nel Massachusetts, per quasi un anno. L’attacco informatico faceva parte di un’operazione più ampia che, secondo le autorità statunitensi, è condotta dalla Cina. Lo scopo di tali attacchi è quello di preparare in anticipo un possibile conflitto e, se necessario, danneggiare infrastrutture critiche degli Stati Uniti.

L’FBI e la CISA sono stati i primi a venire a conoscenza della compromissione della rete aziendale. Venerdì pomeriggio, un dirigente della Littleton Electric ha ricevuto una chiamata dall’FBI che lo avvisava di un attacco informatico e, lunedì, agenti e specialisti della sicurezza informatica si sono presentati presso la sede dell’azienda.

Il dipartimento di luce elettrica e acqua di Littleton serve le città di Littleton e Boxborough e fornisce servizi di elettricità e acqua alle città da oltre 100 anni. Tuttavia, negli ultimi anni, l’azienda ha dovuto far fronte a una crescente minaccia di attacchi informatici. Dopo aver identificato la compromissione, gli specialisti di Dragos hanno avviato un’indagine e scoperto che Volt Typhoon era penetrato nelle reti dell’organizzazione già nel febbraio 2023.

Come si è scoperto, Volt Typhoon si è infiltrato nel sistema attraverso vulnerabilità nel firewall FortiGate 300D. Sebbene Fortinet abbia rilasciato una correzione a dicembre 2022, la società di gestione IT LELWD non ha aggiornato il firmware.

Di conseguenza, l’MSP responsabile della gestione della rete è stato licenziato. Entro dicembre 2023, il governo federale aveva installato i suoi sensori sulla rete LELWD e aveva chiesto di lasciare aperta la vulnerabilità per sorvegliare le attività degli hacker. Nonostante il timore che l’attacco potesse ripetersi, l’azienda ha deciso di collaborare con le autorità.

Gli hacker non solo hanno messo piede nei sistemi, ma si sono anche spostati nella rete e hanno rubato dati. Tuttavia, durante l’attacco non è stato compromesso alcun dato personale dei clienti. Grazie alle misure adottate, l’azienda ha modificato la propria architettura di rete, eliminando potenziali vulnerabilità che avrebbero potuto essere sfruttate dagli aggressori.

L’obiettivo di Volt Typhoon non era solo la presenza a lungo termine nel sistema: gli hacker volevano anche raccogliere informazioni sul funzionamento degli impianti di automazione industriale. In particolare, dati sulle procedure operative e sulla topografia della rete elettrica. Tali informazioni possono essere fondamentali se l’attacco non è mirato solo a interrompere le operazioni, ma anche a causare danni fisici all’infrastruttura.

Un rappresentante dell’azienda non sa ancora perché Volt Typhoon abbia scelto LELWD. Potrebbe essere stata parte di un’operazione di intelligence più ampia. “Le nostre sottostazioni e i nostri sistemi di pubblica utilità non sono stati compromessi, ma gli hacker sapevano dove si trovavano i firewall vulnerabili e hanno cercato di aggirarli”, ha affermato il portavoce. Per LELWD l’incidente ha rappresentato una seria lezione di sicurezza informatica.

Nonostante le misure adottate, alcuni dettagli dell’attacco restano top secret a causa delle indagini in corso da parte delle forze dell’ordine statunitensi. Allo stesso tempo, la Cina nega il suo coinvolgimento nell’operazione Volt Typhoon, nonostante la CISA e l’FBI abbiano ripetutamente avvertito che gli hacker stanno cercando di mettere piede nelle reti informatiche delle infrastrutture critiche americane per attacchi successivi.

L'articolo Colpire gli USA Silentemente ed in profondità. Gli hacker cinesi erano nella rete elettrica da un anno proviene da il blog della sicurezza informatica.

Do you like scientific calculators? Don’t bother answering that question, you’re reading Hackaday so we already know the answer. We also know you’re a fan of building things yourself and open source, which makes us fairly sure you’ll be just as interested in the recently announced ClockworkPi PicoCalc as we are.

On the surface, it looks like a chunky scientific calculator, though on further inspection you’ll note it comes equipped with a QWERTY keyboard. But open up the case and what you’ve really got is an elaborate carrier board for the Raspberry Pi Pico. The PicoCalc supports all variants of the microcontroller, but realistically we can’t think of any reason that you wouldn’t just use the latest version.

With the MCU connected, you’ll have access to the PicoCalc’s 320×320 4-inch IPS screen, backlit I2C-connected keyboard, SD card slot, 8 MB PSRAM, and dual PWM speakers. Power is provided by a pair of 18650 cells (which you’ll need to supply on your own), and the board has the necessary circuitry to charge them up over USB-C.

Everything is housed in an injection molded case, but the project page says all the necessary CAD files will be eventually be released under the GPL v3 so you can 3D print or CNC your own enclosure. For now though, the only thing of note that seems to be in the PicoCalc GitHub repository is a PCB schematic.

The software side of things is a little less clear. The page mentions a BASIC interpreter, MP3 playback, and support for various programming languages, but we get the impression that’s just a list of stuff you can run on the Pi Pico. There are a few images that clearly show the PicoCalc actually being used as a calculator however, so there may be an official firmware yet to be revealed.

The PicoCalc kit is on sale now, and will set you back $75 USD — which actually includes a first-generation Pi Pico, on the off chance that you don’t already have a few laying around. We’ve been impressed with the previous offerings from ClockworkPi, so assuming this new kit maintains that same build quality, it seems like a fair enough price.

hackaday.com/2025/03/14/clockw…