I fallimenti fanno parte della nostra vita, quanti di noi ne ha avuti e quanti ne continueremo avere?

Oggi parliamo di un codice, un codice semplice snello e schietto, il codice 404. Scopriremo che non è soltanto un banale errore che tutti quanti conosciamo. Ma che l’errore 404 nel tempo è divenuto molto di più di una pagina internet che ci descrive un posto dove non abbiamo trovato quello che ci aspettavamo.

E’ difficile crederci, ma l’errore più famoso nella storia di Internet compie oggi 35 anni. Nacque con i primi server web e in seguito divenne un meme, un codice culturale e, ironia della sorte, un motivo di festa. Ogni anno il 4 aprile, ovvero il 4.04, migliaia di persone in tutto il mondo ricordano pagine inesistenti come se fossero vecchi amici. Ed è vero: in un certo senso, è quello che sono diventati.

L’errore 404 si è evoluto da un semplice codice tecnico a simbolo di tutto ciò che è digitale, perduto e inaspettato. Questo è più di un messaggio del server. Questo fa già parte della nostra identità online.

Cosa significa 404 e da dove viene?

Tutto è iniziato con qualcosa di semplice: l’utente inserisce l’indirizzo della pagina, il server lo cerca, ma non lo trova. Di conseguenza, il browser riceve il codice 404 – Non trovato. Vale a dire “non trovato”. Nessuno scandalo, nessun intrigo, solo vuoto. Ma c’è un vuoto tale che ognuno di noi ha provato almeno una volta quando si è trovato di fronte a una pagina bianca e a un messaggio di errore noioso.

Questo errore è diventato parte dello standard HTTP all’inizio degli anni ’90, quando Internet sembrava un insieme di semplici documenti di testo. All’epoca nessuno avrebbe potuto immaginare che il numero breve 404 sarebbe diventato un’icona nella storia di internet. Perché non sta solo parlando di un problema tecnico, sta dicendo: “Sei nel posto sbagliato, ma continua a cercare”.

Perché il 4 aprile? Una coincidenza che è diventata tradizione

La scelta della data è quasi uno scherzo. Il 4 aprile, 04.04, somiglia all’errore 404, solo che è sul calendario. Ecco perché nelle comunità di Internet degli anni ’90 questa giornata ha iniziato a essere utilizzata come un’occasione simbolica per celebrare tutto ciò che è connesso a Internet, con i suoi bug, le sue perdite e lo strano fascino dell’inesistente.

A poco a poco questa data è diventata una specie di Internet Day, ma senza il pathos. Piuttosto, è una festa per coloro che sono su Internet fin dall’inizio, che ricordano i modem, le chat con persone anonime, lo scaricamento di immagini riga per riga.

Come l’errore è diventato parte della cultura digitale

Inizialmente, le pagine di errore 404 erano il più noiose possibile. Sfondo bianco, testo nero: niente immaginazione. Ma con l’avvento della creatività nel web design, le cose sono cambiate. Il numero 404 cominciò a essere decorato con umorismo, assurdità e talvolta anche filosofia.

Ora ci sono siti web che visualizzano un minigioco invece di un messaggio di errore. Oppure un cartone animato. Oppure l’immagine di un robot stanco che si scusa per un problema tecnico.

A volte il 404 si trasforma in un oggetto d’arte: i designer organizzano concorsi, per creare raccolte di pagine creative e persino allestire mostre di assurdità digitale. Ogni errore del genere è una piccola storia, in cui l’importante non è il risultato, ma la forma.

404 nella vita: un meme, una diagnosi e un modo per dire “sono perso”

L’errore 404 è ormai noto anche oltre i browser. È diventata una metafora universale. Le persone lo usano nelle conversazioni: “Ho il cervello in 404“, oppure, “Mi sento come se fossi su una pagina che non esiste“. Si tratta di un modo breve per indicare confusione, mancanza di risposta o semplicemente stanchezza dovuta al rumore di fondo delle informazioni.

Ciò che sorprende particolarmente è che in un’epoca in cui quasi tutto viene rilanciato, l’errore 404 è rimasto invariato. Non è stato tradotto in slang di moda né trasformato in un’abbreviazione. È la stessa di trentacinque anni fa: onesta, un po’ asciutta, ma molto precisa. Ed è questo il suo fascino.

Cosa festeggiamo il 4 aprile? Un po’ di ironia e tanto significato

Se ci pensate, il numero 404 riguarda i nostri infiniti tentativi di trovare qualcosa. E non sempre con successo. Cerchiamo informazioni, persone, idee, significati. Ma a volte finiamo nel posto sbagliato. E invece della pagina prevista, otteniamo un campo bianco con la scritta “non trovato”.

E questa sensazione è stranamente familiare. Ecco perché la festa in suo onore è percepita come un riconoscimento del fatto che anche i fallimenti fanno parte della vita. Che anche gli errori sono esperienza. E a volte anche l’estetica.

Alcuni festeggiano questa giornata a modo loro. Alcune persone creano la propria versione della pagina 404. Alcune persone ricordano vecchi siti preferiti che non esistono più. Alcune persone si concedono il lusso di perdersi un po’ una volta all’anno e non trovano nulla.

Il mondo cambia, ma il 404 resta

I siti web vanno e vengono, le tendenze del web design cambiano, i linguaggi di programmazione vengono aggiornati. Ma il codice 404 sopravvive. Perché è semplice. Lui è onesto.

E dice che a volte anche l’assenza è informazione.

Quindi, benvenuti nell’errore, che si è rivelato più preciso di molte altre istruzioni. E che quest’anno tu possa trovare tutto ciò che cerchi.

O almeno, quando vedrai un bel 404, ti ricorderai di questo articolo e sorriderai.

L'articolo Buon Compleanno Errore 404, 35 anni e non sentirli. Viva gli errori e i posti mai trovati! proviene da il blog della sicurezza informatica.

These days, if you want to build something with modern chips and components, you probably want a custom PCB. It lets you build a neat and compact project that has a certain level of tidiness and robustness that you can’t get with a breadboard or protoboard. The only problem is that ordering PCBs takes time, and it’s easy to grow tired of shipping delays when you don’t live in the shadow of the Shenzhen board houses.

[Zach Fredin] doesn’t suffer this problem, himself. He’s whipping up high-feature PCBs at home with speed and efficiency that any maker would envy. At the 2024 Hackaday Supercon, he was kind enough to give a talk to explain the great engineering value provided by the Circuit Graver. (He was demoing it in the alley too, but you had to be there.)

youtube.com/embed/aGVqcYA3kkA?…

It’s always been possible to make PCBs at home. Many have experimented with irons and toner and etchant baths to varying levels of success. You can do great things if you invest in tools and upskilling, but fundamentally, it can be difficult to make good PCBs that do what you want. After all, there are a things that you might want out of your custom PCBs—fine traces a being prime among them. These can be challenging to do at home with traditional techniques.
Why mill when you can carve trenches into a PCB for isolation routing instead?
[Zach’s] focus was on finding a way to make these “high feature” boards at home—specifically, referring to boards with an excellent minimum feature size. Right away, his talk shows off an example board, featuring an 0.5 mm-pitch DFN chip, paired with 0804 resistors and 0402 LEDs. [Zach] made this board in his apartment, using a machine of his own creation—the Circuit Graver.

You might be expecting some kind of laser-etching machine or a PCB mill, but the Circuit Graver is a little different. Instead of a high-speed spinning engraving head, it uses a pointy tool to scrape copper-clad boards to create the desired traces. [Zach] was inspired to go with this route due to the limitations he’d found during his experiences with traditional PCB milling machines. He found them be loud, messy, and slow, and limited in their resolution. He’d found it difficult to build designs with anything smaller than DIP or SOIC chips when relying on milled boards.
The Circuit Graver.
The Circuit Graver was spawned by a technique [Zach] developed years ago, when he started carving boards using a modified box cutter blade by hand, before realizing the same technique could benefit from the magic of Computer Numerical Control (CNC). Rather than move the tool yourself, why not have the computer do it more accurately?

The machine design itself is conventional, but packed with clever details, and built with eBay parts and 3D-printed components. [Zach] built a Cartesian motion platform to move the tool over a copper clad board, with X and Y axes for positioning and a Z axis to lift the tool when necessary and also control the downward pressure. There’s also a stepper motor for the tool, to keep the cutter lined up with the direction of the trace to be carved.

You could do this with a box-cutter blad, but that is not quite good enough for the resolution that [Zach] was hoping to achieve. To that end, he equipped the Circuit Graver with a carbide insert intended for use as lathe tooling. The tool has a 100 micron tip radius which can create a 0.2 mm trench in copper-clad board, right out of the box. That allows the creation of traces roughly around 8 mil or so. You can even sharpen the tooling and get it down to 0.1 mm or less, which is theoretically good enough for 4 mil spaces. That’s perfect for working with smaller feature size parts.
An example board built using the Circuit Graver, featuring 0402 LEDs and an 0.5 mm pitch IC.
[Zach]’s talk provides a realistic assessment of the Circuit Graver’s real-world performance. Right now, it’s capable of carving 8/8 (0.2 mm) features on small boards quite well, while 6/6 (0.15 mm) features are “marginal.” The hope is to get down to 4/4 (0.1 mm) level with future upgrades. Speed is excellent, however—the Circuit Graver can carve good traces at 20-50 mm/s. For now, though, manual setup is still required—to ensure correct zeroing and that the tooling pressure is correct, for example.

It’s not something you’d use for production PCBs, per se—a real board house will always win for those sort of applications. However, for producing boards for quick prototyping, even with modern fine-featured components? It’s easy to see the value of the Circuit Graver. Imagine ordering some new parts and whipping up a unique project board just minutes or hours after you finish the design on your PC—it’s almost intoxicating to think about.

We actually featured the Circuit Graver on the blog last year—and there are design files on Hackaday.io for the curious. If you’re eager to start whipping up simple high-feature boards at home, it might be a build worth looking into!

hackaday.com/2025/04/04/superc…

This week, Hackaday’s Elliot Williams and Kristina Panos met up across the (stupid, lousy) time zones to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week.

Again, no news is good news. On What’s That Sound, Kristina didn’t get close at all, but at least had a guess this time. If you think you can identify the sound amid all the talking, you could win a Hackaday Podcast t-shirt!

After that, it’s on to the hacks and such, beginning with a Dr. Jekyll and Mr. Hyde situation when it comes to a pair of formerly-cloud music players. We take a look at a crazy keyboard hack, some even crazier conductive string, and a perfectly cromulent list of 70 DIY synths on one wild webpage. Finally, we rethink body art with LEDs, and take a look at a couple of printing techniques that are a hundred years or so apart in their invention.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download in DRM-free MP3 and savor at your leisure.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 315 Show Notes:

News:

• No news is good news!

What’s that Sound?

• Can you figure it out?

Interesting Hacks of the Week:

• Open Source Framework Aims To Keep Tidbyt Afloat
• Can Hackers Bring Jooki Back To Life?
  
  • Reddit – The heart of the internet

  
  

• DIY Split Keyboard Made With A Saw
• 70 DIY Synths On One Webpage
• Programmer’s Macro Pad Bangs Out Whole Functions
• Supercon 2024: Rethinking Body Art With LEDs
• Make DIY Conductive, Biodegradable String Right In Your Kitchen

Quick Hacks:

• Elliot’s Picks:
  
  • The Magic Touch: A 555 Touch Switch
  • Handheld 18650 Analyzer Scopes Out Salvaged Cells
  • The Lowly Wall Wart Laid Bare
  • A Forgotten Photographic Process Characterised
  • Pictures From A High Altitude Balloon

  
  

• Kristina’s Picks:
  
  • An ESP32 Pomodoro Timer
  • Yaydio, A Music Player For Kids
  • An Elegant Writer For A More Civilized Age

  
  

Can’t-Miss Articles:

• Zink Is Zero Ink — Sort Of
• Ditto That

hackaday.com/2025/04/04/hackad…

[kida] has a highly innovative set of 3D-printable, musical fidget toys that play classic video game tunes. Of course there’s the classic Super Mario ditty, but there’s loads more. How they work is pretty nifty, and makes great use of a 3D printer’s strengths.

To play the device one uses a finger to drag a tab (or striker) across the top, and as it does so it twangs vertical tines one-by-one. Each tine emits a particular note — defined by how tall the thicker part is — and plays a short tune as a result. Each one plays a preprogrammed melody, with the tempo and timing up to the user. Listen to them in action in the videos embedded just under the page break!

There are some really clever bits to the design. One is that the gadget is made in two halves, which effectively doubles the notes one can fit into the space. Another is that it’s designed so that holding it against something like a tabletop makes it louder because the surface acts like a sounding board. Finally, the design is easily modified so making new tunes is easy. [kida]’s original design has loads of non-videogame tunes (like the Jeopardy! waiting theme) as well as full instructions on making your very own versions.

Fidget toys are a niche all their own when it comes to 3D printed devices. The fidget knife has a satisfying snap action to it, and this printable linear toggle design is practically a fidget toy all on its own.

youtube.com/embed/BnbsPARrkss?…

youtube.com/embed/InFddXVHsRE?…

hackaday.com/2025/04/04/3d-pri…

È stata individuata una grave vulnerabilità di sicurezza nel plugin Kubio AI Page Builder per WordPress, che rappresenta un rischio significativo per i siti web che utilizzano questo popolare strumento.

Kubio è un website builder WordPress noto per il suo approccio innovativo basato su blocchi, progettato per estendere la funzionalità dell’editor di blocchi. Fornisce agli utenti una gamma di nuovi blocchi e ampie opzioni di stile, consentendo la creazione di siti Web in modo rapido e semplice, senza richiedere conoscenze di programmazione. Il plugin vanta oltre 90.000 installazioni attive, evidenziando il suo uso diffuso all’interno della comunità WordPress.

La vulnerabilità, tracciata come CVE-2025-2294, è un difetto Local File Inclusion (LFI) presente nel plugin Kubio AI Page Builder. Questo difetto riguarda tutte le versioni del plugin fino alla 2.5.1 inclusa. Il ricercatore di sicurezza Mikemyers è stato ritenuto il responsabile della scoperta e della segnalazione di questa falla.

La vulnerabilità risiede nella funzione kubio_hybrid_theme_load_template. Lo sfruttamento di questa vulnerabilità LFI consente ad aggressori non autenticati di includere ed eseguire file arbitrari sul server. Questa capacità consente agli aggressori di eseguire qualsiasi codice PHP contenuto in tali file.

Le conseguenze di questa vulnerabilità sono gravi. Uno sfruttamento riuscito può portare a:

• Aggirare i controlli di accesso: gli aggressori possono aggirare le misure di sicurezza progettate per limitare l’accesso a determinati file e directory.
• Ottenere dati sensibili: gli aggressori possono accedere alle informazioni riservate memorizzate sul server.
• Esecuzione del codice: in scenari in cui gli aggressori possono caricare file apparentemente innocui, come immagini, possono quindi includerli ed eseguirli per eseguire codice PHP dannoso.

Alla vulnerabilità è stato assegnato un punteggio CVSS critico di 9,8, che ne sottolinea l’elevata gravità e il potenziale di danni estesi. La vulnerabilità è stata risolta nella versione patchata del plugin, versione 2.5.2. Si consiglia vivamente agli utenti del plugin Kubio AI Page Builder di aggiornarlo immediatamente alla versione 2.5.2 o successiva per proteggere i propri siti web da potenziali attacchi.

L'articolo Oltre 90.000 siti WordPress vulnerabili: grave falla di sicurezza in Kubio proviene da il blog della sicurezza informatica.

We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.

The pull_request_target hook is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and Github thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses actions as they are defined in the repository itself, ignoring any incoming changes in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.

The simplest security problem is that many projects have build scripts in the repository, and those are not considered part of GitHub Actions by GitHub. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.

So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary Github Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer that worked on both the spotbugs and reviewdog projects.

That token had access to create and edit tags in reviewdog/action-setup, a GitHub Action that runs as a dependency for multiple other actions. The attacker created a fork of this repository, added malicious code, and then overwrote the v1 git tag to point to this malicious code. The tj-actions/changed-files ran a CI flow that made use of the malicious reviewdog/action-setup fork, leaking a GitHub token with write permission to tj-actions/changed-files.

The tag override trick does a lot of heavy lifting in this story, and that’s what was used on tj-actions/changed-files too. Another malicious fork, and a specific tag was overridden to point there. The tag chosen was one used in a Coinbase repository. Specifically coinbase/agentkit used the newly malicious tag in one of its workflows. A Coinbase maintainer discovered this, and deleted the targeted workflow, putting an end to the Coinbase-specific attack. At this point, the attacker opted to burn the pilfered access, and pushed malicious code to every tj-actions/changed-files tag. The idea apparently being that there would likely be some interesting secrets that were leaked. It’s also possible this was intended to hide Coinbase as the primary target. Regardless, that’s the widespread attack we’ve already covered, and now you know the rest of the story.

ZendTo: No CVE, No Problem?

ZendTo is a nifty Open Source, web-based file sharing platform. It’s been around for a while, and the release notes from a 2021 release makes reference to a “security fix” with no additional details given. That caught the attention of [Jay] from Project Black. It sounds like a potential vulnerability, but it seems like no CVE was ever assigned, and no further details were given.

Here’s the issue: ZendTo has an anonymous file upload feature on by default. This has a security feature built in, in the form of scanning the uploaded file with ClamAV in a temporary location, before moving the file to its long term storage directory. Part of this process includes the ever lovely exec("/bin/chmod go+r " . $ccfilelist); line. PHP has some footguns to be aware of, and calling exec() with any user-provider input is one of them. And of course, the user-provided tmp_name value is used to construct the $ccfilelist string. Set tmp_name to 1;command, and you’ve got code execution.

There is another outstanding issue, where legacy md5 passwords that happen to begin with 0e will be interpreted as a number in scientific notation. PHP handles some type comparisons a bit weirdly. These scientific notation values all evaluate as 0. Using any password that also evaluates to one of these special “scientific” md5 hashes, and the comparison collapses to 0 == 0. So one out of every 256 users have a trivially bypassed password — if their account was still using a md5 password hash.

So here we have a pair of serious vulnerabilities, though one has limited exposure, with neither being fully disclosed nor given CVEs. What’s the result of this lack of transparency? Old, vulnerable installs of ZendTo are still on the Internet. Without a CVE, there’s much less pressure to update. No CVE doesn’t necessarily mean no vulnerabilities.

Leaking Call Records

Researcher [Evan Connelly] was looking into the Verizon Call Filter iOS app, and found it to be using an interesting web service. The callLogRetrieval endpoint allows a user to look up call logs for their own Verizon number. Authorization is done using JSON Web Tokens (JWT), which included a “sub” field, indicating the phone number the token was authorized to fetch. The request itself also has a field to indicate the number being queried. This particular endpoint uses a JWT for authorization, but returns the information requested in the query field — without comparing the two values. Yes, any customer that could obtain a valid JWT could query the call records of virtually any other Verizon number. While this is particularly bad, Verizon acknowledged it quickly, and rolled a fix out in less than a month.

When Parameterized Queries Aren’t

What’s the single most powerful tool to prevent SQL injection attacks? Easy: Parameterized queries. Write the SQL query ahead of time, the library converts it into native database code, and only then are the user-generated values plugged in. In theory that means those values can never be understood as part of the SQL logic. While there are ways this can still go wrong, the basic approach is sound. But what if a language, like Nim, had a parameterization option that didn’t actually do parameterized queries?

Yes, Nim’s db_postgres module provides the facility to run code like getRow(sql"SELECT username FROM users WHERE username=?;", "user"), which is intended to protect against SQL injection. But, under the hood, it really is just doing string replacement with character escaping, like replacing null characters with \\0. Now consider PostreSQL’s standard_conforming_strings setting, which among other things, removes the backslash as a special character. But if that setting is disabled, the backslash can be used to escape quotes. Nim doesn’t know anything about that behavior. This combination of not-actually-parameterized parameterization, and lack of awareness of the standard_conforming_strings behavior, means that ./poc '\' ' OR user_id=1; --' is once again a potential SQL injection. Whoops.

Oracle: Oh, That Oracle Cloud!

We finally have a bit more insight into what’s going on at Oracle. You probably remember that the company has continually denied a breach into Oracle Cloud. It seems this is a bit of verbal sleight-of-hand, as Oracle has renamed part of their cloud offering to Oracle Cloud Classic. The remaining, current generation service is the Oracle Cloud. Oracle Cloud Classic has suffered the breach, not technically Oracle Cloud.

It’s not clear that this is really all there is to the story, though, as more data is getting released by the attacker, including video of a web meeting from 2019. Oracle has started reaching out to customers and confirmed the breach, though apparently strictly avoiding putting anything in writing.

Microsoft Joins the Hotpatch Game

Enterprise Linux distros have long had support for various forms of live-patching. We even interviewed TuxCare about this feature for FLOSS Weekly a few weeks ago. It seems that Microsoft finally wants in on the fun. Windows 11 Enterprise has in-memory security patching starting with the 24H2 update. This support is strictly for machines with an Enterprise or certain Education Microsoft subscriptions. The Hotpatches will be available for 8 of the 12 monthly security patches, with an enforced quarterly update via traditional updates and a reboot.

Bits and Bytes

Researchers at GreyNoise have noted an uptick in IPs scanning for Palo Alto device login pages for several days in March. The scanning had as many as 20,000 unique IPs hunting for these login interfaces, which suggests a botnet has been tasked with finding these devices. It’s very possible that a threat actor has found a new vulnerability in Palo Alto devices, and is preparing to launch an attack.

And finally, a pair of posts from ZDI caught our attention this week. The first is a dive into how Binary Ninja’s static code analysis can find potential use-after-free vulnerabilities. The second is all about building an electric car simulator, that can actually plug into real electric vehicle charging stations, and actually fool the charger into believing a car is attached. How is this problem approached safely, given the high voltages and amperages involved? Very carefully.

hackaday.com/2025/04/04/this-w…

Bears! Are they scared of massive arcs that rip through the air, making a lot of noise in the process? [Jay] from the Plasma Channel sure hopes so, because that’s how his bear deterrent works!

[Jay] calls it the Bear Blaster 5000. Right from the drop, this thing looks like some crazy weapon out of Halo. That’s because it throws huge arcs at 280,000 volts. The basic concept behind it is simple enough—a battery drives a circuit which generates (kinda) low voltage AC. This is fed to the two voltage multipliers which are set up with opposite polarity to create the greatest possible potential difference between the two electrodes they feed. The meaty combination is able to arc across electrodes spaced over four inches apart. It’s all wrapped up in a super-cool 3D printed housing that really shows off the voltage multiplier banks.

Given its resemblance to a stun gun, you might think the idea is to jab an attacking bear with it. But the reality is, if the bear is close enough that you could press this device against it, you’re already lunch. [Jay] explains that it’s more about scaring the animal off with the noise and light it produces. We’d certainly take a few steps back if we heard this thing fire off in the woods.

[Jay] does a great job of explaining how the whole setup works, as well as showing off its raw ability to spark. We’ve seen some great builds from [Jay] before, too, like this beefy custom flyback transformer.

youtube.com/embed/-Ng3fyUHoLA?…

hackaday.com/2025/04/04/keep-b…

La piattaforma OnlyFans si è ritrovata al centro di una causa legale, questa volta per accuse di frode ai danni degli utenti. Due residenti dell’Illinois hanno intentato una class action contro l’azienda, sostenendo che invece delle promesse interazioni faccia a faccia con le modelle, stavano interagendo con lavoratori assunti che si spacciavano per creatori di contenuti.

I querelanti, identificati nei documenti come M. Brunner e J. Fry, sostengono di essere stati tratti in inganno circa la natura delle comunicazioni sulla piattaforma. Credevano di ricevere messaggi privati ​​e video direttamente dalle modelle che seguivano. Secondo loro, se avessero saputo in anticipo che i responsabili della corrispondenza erano i dipendenti dell’agenzia e non le autrici delle pagine, non avrebbero pagato l’intero abbonamento o si sarebbero rifiutati di partecipare.

La causa è diretta contro Fenix ​​​​Internet, LLC e Fenix ​​​​International Limited, i proprietari della piattaforma OnlyFans. Sebbene la causa non contenga prove dirette che le comunicazioni fossero effettivamente con dipendenti assunti, gli utenti affermano di essere diventati sospettosi dopo aver notato delle incongruenze nelle risposte e un volume irrealistico di messaggi provenienti da quella che sembra essere la stessa persona, soprattutto se si tratta di un account con centinaia di migliaia di follower.

I documenti affermano che J. Fry ha creato l’account per intrattenere conversazioni amichevoli con le modelle e condividere le foto dei piatti che cucinava. Tuttavia, ben presto cominciò a notare errori e incongruenze nella corrispondenza, il che fece sorgere dubbi sull’autenticità della comunicazione. Gli attori sostengono che OnlyFans ha consapevolmente permesso che questa situazione si verificasse, traendo profitto dall’inganno degli utenti e violando così le aspettative degli abbonati e i termini dell’accordo implicito tra la piattaforma e i suoi clienti.

La pratica di assumere agenzie per gestire gli account e comunicare con gli abbonati su OnlyFans esiste da diversi anni. Alcune agenzie offrono apertamente servizi di corrispondenza con i fan per conto delle modelle, anche se non tutti i creatori di contenuti ricorrono a tale assistenza.

Nel 2021 è stata intentata una causa simile contro la Unruly Agency, accusata di aver ingannato i suoi dipendenti e di aver estorto loro dati intimi con il pretesto di una comunicazione sincera.

L’anno scorso, un portavoce di OnlyFans ha affermato che i creatori possono collaborare con una serie di terze parti, dai fotografi ai manager alle agenzie, per migliorare l’efficienza. Tuttavia, è stato sottolineato che questi appaltatori non rappresentano la piattaforma stessa e non sono ad essa direttamente associati.

I rappresentanti di OnlyFans non hanno ancora risposto alle richieste di commento dei giornalisti sulla nuova causa.

L'articolo Class action contro OnlyFans! Ma quali modelle formose, erano i dipendenti dell’agenzia proviene da il blog della sicurezza informatica.

In the first part of our research, I demonstrated how we revived the concept of no authentication (null session) after many years. This involved enumerating domain information, such as users, without authentication. I walked you through the entire process, starting with the difference between no-auth in the MS-RPC interfaces and the well-known null session, and ending with the methodology used to achieve our goal.

Today, as promised, we’ll dive into part two. Here, we’ll explore why Windows behaves the way it does – allowing domain information to be enumerated without authentication. I’ll also explain why this activity is difficult to prevent and monitor.

First, we’ll examine why this activity is hard to stop by looking at how WMI works. We’ll also discuss the methods available for detecting and addressing this issue.

After that, we’ll cover some basics about MS-RPC security and how to secure your RPC server. Then we’ll analyze the security of the MS-NRPC interface using two approaches: theoretical insight and reverse engineering to gain a deeper understanding.

So, buckle up and let’s continue our journey!

The group policy that punches your domain in the face

When it comes to stopping certain activities in Windows, group policies are often the first line of defense, and our case is no exception. As we discussed in part one, the Restrict Unauthenticated RPC Clients policy can be used to block no-auth activity against interfaces. This policy comes with three settings: “None”, “Authenticated”, and “Authenticated without exceptions”.

While testing, we discovered that even with the policy set to “Authenticated”, it’s still possible to enumerate domain information using MS-NRPC and network interfaces using the
IObjectExporter interface. Naturally, the next logical step would be to use the “Authenticated without exceptions” setting to completely block such activity.
At first, enabling “Authenticated without exceptions” seems to work perfectly – blocking all enumeration activity with no authentication. Over time, however, we would notice significant issues: many of the domain controller’s functions would stop working. This is not surprising, as Microsoft has explicitly warned that using this policy setting can severely disrupt domain controller functionality. In fact, it has been described as “the group policy that punches your domain in the face,” effectively rendering the domain controller inoperable.

To better understand this issue, let’s use WMI as an example and examine why setting this policy to “Authenticated without exceptions” causes domain functionality to fail.

WMI as DCOM object

Windows Management Instrumentation (WMI) is the infrastructure for managing data and operations on Windows-based operating systems. It’s widely used by system administrators for everyday tasks, including remote management of Windows machines.

To test the effect of setting the Restrict Unauthenticated RPC Clients policy to “Authenticated without exceptions”, let’s try to access WMI on a remote machine using the
wmic command to list processes. In this case, we’ll use valid administrator credentials for the remote machine.

Listing remote processes using wmic

As shown in the screenshot above, the attempt to list remote processes fails with an “Access Denied” error, even with valid administrator credentials. But why does this happen?

Remote WMI access relies on the DCOM architecture. To interact with the WMI server, a DCOM object must first be created on the remote machine. As explained in part one, interfaces such as
IObjectExporter (IOXIDResolver) are responsible for locating and connecting to DCOM objects.
In simpler terms native Windows libraries typically use the
IObjectExporter interface by default during the initial steps of creating a DCOM object, although it is technically optional. When binding the interface, the authentication level is set to “no authentication” (level 1). Next, the libraries use the ServerAlive2 function.
When the Restrict Unauthenticated RPC Clients policy is set to “Authenticated without exceptions”, it blocks these no-auth activities. This prevents the creation of DCOM objects, so the WMIC command that creates a DCOM object fails and returns an “Access Denied” error, even if the credentials are valid.

Furthermore, since DCOM object creation is integral to many domain controller functions, blocking these activities can disrupt most operations on the domain controller. In short, setting the policy to “Authenticated without exceptions” not only breaks remote WMI access, it also impacts broader domain functionality.

To better understand this behavior, let’s examine what happens under the hood when we set the Restrict Unauthenticated RPC Clients policy to “Authenticated” or “None”. Using Wireshark, we’ll capture the traffic while running the same PowerShell command as before.

Network traffic for remote WMI

In the captured traffic, we can see that before the DCOM object is created, the
IOXIDResolver interface must be bound, and the ServerAlive2 function is called (packets 21-24).
If we inspect packet 21, which contains the bind request, we see that the native libraries bind the interface without authentication – because the authentication length is zero.

Binding without authentication

Next, let’s inspect the traffic when the Restrict Unauthenticated RPC Clients policy is set to “Authenticated without exceptions”.

Network traffic for WMI

From the captured traffic, we can see several “Access Denied” responses when attempting to call the
ServerAlive2 function with valid credentials. This happens because the policy blocks the no-authentication behavior, effectively stopping the initial binding of the IOXIDResolver interface (which binds without authentication by default). The failure to bind the interface at the beginning of the process is what causes this error, proving that it does not come from WMI itself.

The event that never occurs

As we saw earlier, preventing enumeration of domain information seems impossible, but detecting it might be another story. The first place to look for detection is Windows audit policies. I found the audit policy under event ID 5712, which should generate an event like “Audit RPC Events 5712(S): A Remote Procedure Call (RPC) was attempted.”

However, Microsoft states that this event never occurs, and after enabling this audit policy, I indeed found no related events in the event viewer for any RPC attempts.

The event that never occurs seemed like a dead end for detecting RPC activity. However, after further research, I found two additional ways to detect RPC activity.

The first method is Event Tracing for Windows, which logs RPC-related events. However, it lacks useful details such as the IP address of the RPC client and generates many events, including local RPC activity, making it difficult to parse.

The second method is to use third-party open source software called RPC-Firewall. This tool audits all remote RPC calls, allowing you to track RPC UUIDs and opnums, block specific ones, and filter by source address. It integrates with the event viewer to display logs, as shown in the screenshot below of an RPC event generated by RPC-Firewall.

RPC-Firewall RPC event

Prior to conducting this research, I had found these three ways to detect such activity that I mentioned earlier. However, due to the lack of native detection, the process remains challenging. You can rely on third-party tools or develop your own detection method. But even with these approaches, it’s difficult because you need to identify which machines in your domain are making RPC requests without authentication and track the frequency of this activity.

MS-RPC security

Now let’s explore why Windows behaves this way, why there are issues with policies, and what exceptions really mean. But before diving into all that, we need to discuss MS-RPC security – basically, how to secure your RPC server.

From this point on, I’ll be referring to a new term, the RPC server. The RPC server is where the logic of the interface is defined. A single server can have multiple interfaces.

Securing an RPC server is a complex process because of the variety of access methods, such as named pipes or TCP endpoints. In addition, security measures for RPC servers have evolved over time.

In this research, I will focus on the security methods relevant to our study, but there are several other methods, some of which are described in this post.

Registration flags

When registering an interface for an RPC server, specific flags can be set using the RpcServerRegisterIf2 function. Three flags are of particular relevance:

• RPC_IF_ALLOW_LOCAL_ONLY: Rejects calls from remote clients.
• RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH: Invokes a security callback for authentication checks.
• RPC_IF_ALLOW_SECURE_ONLY: Limits connections to clients with an authentication level higher than RPC_C_AUTHN_LEVEL_NONE.

The RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag registers a security callback (e.g.,
MySecurityCallback), as shown in the examples below, which takes over security checks from the RPC runtime.

RPCServerRegisterIf2 with security callback

If the callback returns
RPC_S_OK (mapped to 0), the client passes; otherwise, the client fails the security check.

The security callback

By default, the RPC runtime (
rpcrt4.dll library) handles client authentication using mechanisms such as NTLM or Kerberos. However, its behavior is influenced by two factors:

1. The Restrict Unauthenticated RPC Clients policy:
   

• If set to “None”, unauthenticated clients are allowed.
• If set to “Authenticated”, only authenticated clients can connect.

Securing the endpoint

As mentioned earlier, RPC servers can be accessed through various transport layers. For remote connections, TCP ports and named pipes are commonly used.

When registering an endpoint for an RPC server using the RpcServerUseProtseqEp function, you can include a security descriptor (SD) to control who can connect to the endpoint. It’s important to note that this SD only applies to named pipes, not TCP ports. Additionally, it can also be used for local connections using ALPC ports as endpoints.

Securing the interface

Microsoft has introduced a newer version of the RpcServerRegisterIf2 function, called RpcServerRegisterIf3, which allows you to add an optional SD when registering your interface. This enables you to control who can connect directly to the interface.

This security mechanism raises an important question: if an interface has registered an SD, and a client connects via TCP without authentication (authentication level = 1), how is the security check performed? Specifically, what security token is assigned to the client for the SD check?

To answer this, we need to do some reverse engineering magic against the RPC runtime library (
rpcrt4.dll).
The figure below shows the decompiled view from IDA for the function called when a client connects without authentication. As you can see, it uses the ImpersonateAnonymousToken function, which allows the thread to impersonate the system’s anonymous logon token. In other words, a client connecting via a TCP endpoint without authentication is represented as an anonymous user.

Called function for unauthenticated clients

After that, the access check is performed using the AccessCheck function:

Access check

Binding authentication

The final RPC security issue to discuss is binding authentication. As you recall, the authentication method is specified in the binding packet (the first packet in an RPC connection). But what does that mean?

An RPC server can register its preferred authentication method for clients using the RpcServerRegisterAuthInfo function. For instance, in the following example, NTLM authentication is registered as the chosen method.

After that, the client can connect using RPCBindSetAuthInfoEx and specify the correct authentication service and authentication level.

Now that we’ve covered RPC security, it’s time to answer questions about our interface (MS-NRPC): What security is applied on the server that defines this interface, and why were we able to access it without authentication?

To do this, I used two approaches:

1. Surface analysis: I examined the internal security checks of the RPC server using a flowchart from a great RPC toolkit. This chart provides valuable insight for our research, allowing us to analyze the security applied by the RPC server in more detail. I’ll go through it step by step, following the path described in the chart to conduct the investigation.
2. In-depth analysis: In this approach, I interacted directly with the RPC server using reverse engineering to gain further insight into the enabled security.

Surface analysis

I will now attempt to determine the security mechanism used by the RPC server that’s related to the MS-NRPC (Netlogon) interface. I will assume that we are the RPC client calling a function from (MS-NRPC) Netlogon to enumerate domain information without using any authentication.

Let’s start with transport protocols, as outlined in the flowchart:

In the chart above, the RPC client has two options for connecting to the RPC server: via TCP or SMB named pipes. In our research, we are using TCP, which is highlighted.

Next, we encounter the Restrict Unauthenticated RPC Client policy, which has two values: “None” or “Authenticated”. If set to “None”, we proceed to the next step. If set to “Authenticated”, a check is performed to see if the client has authenticated. If it has, the flow continues; however, if the client connects without authentication (as in our case), the RPC runtime checks for the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag and either accepts or denies the connection based on its presence.

Since the policy is set to “Authenticated” and our client does not perform authentication, we need the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag to be registered in order to proceed to the next step, thereby making an exception to the policy. The presence of this flag allows us to conclude that a security callback has also been registered.

Our path now looks like this:

Next, there is another check to see if the server has registered an authentication service. If the server hasn’t registered one and the client tries to authenticate, it will be denied with an “authentication service unknown” error. However, if the client doesn’t attempt authentication, the process continues.

If the server has registered an authentication service, the check against the endpoint (the SD registered via RpcServerUseProtseqEp) is performed. If the client passes this, another check is made against the interface SD (registered using RpcServerRegisterIf3). Failure to pass either of these checks will result in access being denied.

In our case, we know the server has already registered an authentication service because it’s a well-known Microsoft protocol. We don’t need to worry about the endpoint check either, as it’s intended for clients connecting via named pipes. As for the interface security descriptor, we either passed this check if the SD doesn’t exist at all, or the SD does exist and it allows anonymous users (representing clients without authentication).

Next, we check two flags: the first, RPC_IF_ALLOW_LOCAL_ONLY, determines if the interface can be accessed remotely, and the second checks for RPC_IF_ALLOW_SECURE_ONLY. If the latter is present, it ensures that we are using an authentication level higher than “None”, denying or allowing access based on the authentication level. Finally, we check for the presence of a security callback. If it doesn’t exist, we can access the server immediately. If it does exist, we must pass the custom checks within the security callback to access the server.

In our case, we know that RPC_IF_ALLOW_LOCAL_ONLY doesn’t exist because we can access the interface remotely. We also know that RPC_IF_ALLOW_SECURE_ONLY isn’t present because we’re using an authentication level of “None”. Finally, we conclude that a security callback is registered based on the previous use of RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, and we successfully pass the security callback check to gain access to the server.

Our final path looks like this:

Surface analysis conclusion

At this stage, we can conclude that the RPC server has the following characteristics:

1. Regarding registration flags:

• Has RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH (indicating a security callback).
• Doesn’t have RPC_IF_ALLOW_LOCAL_ONLY.
• Doesn’t have RPC_IF_ALLOW_SECURE_ONLY.

• We’re unsure if it has a security descriptor (SD) or not.

• The RPC server registers authentication.

As shown, the surface analysis couldn’t provide a complete security overview for the Netlogon (MS-NRPC) interface, so I decided to proceed with an in-depth analysis.

In-depth analysis

The goal of our in-depth analysis is to leverage reverse engineering techniques to assess the security of the RPC server under the MS-NRPC interface. As we saw before, the interface is accessible through the LSASS process, specifically via the Netlogon DLL. Here we have two approaches to analysis:

1. Use automated tools to examine the security of the interface.
2. Go directly to IDA and manually locate the interface and its associated security mechanisms.

Automated tools

Let’s begin with a tool called PE RPC Scraper. If we provide the Netlogon DLL as an argument, this tool reveals information about the RPC server, its interfaces, functions and security details.

PE RPC Scraper output

The output of the tool shows that it successfully identified the Netlogon interface (UUID) and confirmed that it contains 59 functions. It also revealed the presence of a security callback and a set of flags with a value of
0x91. After decoding this value, we can see that the following flags have been registered:

• RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH
• RPC_IF_SEC_CACHE_PER_PROC
• RPC_IF_AUTOLISTEN

The output from PE RPC Scraper also indicates that the interface has no security descriptor.

The information obtained from both the surface analysis and the automated tool provides the answer to the security bypass issue and allows me to conclude the investigation at this point. However, I personally don’t trust automated tools, and I have a good reason for that. So, for further confirmation, let’s dive into IDA.

IDA like a superhero

At this point, I’ve loaded
netlogon.dll into IDA and started my investigation.

A. Locate the interface

The first step is to determine where the interface is registered. As shown in the figure below, the UUID registered using RPCServerRegisterIf3 is related to the MS-NRPC interface.

MS-NRPC interface registration

B. Endpoint registration

At this stage, we’ll check the endpoint registration for the server. As you can see in the screenshot below, RpcServerUseProtseqEpW and RpcServerUseProtseqExW have been used to register three endpoints:

1. SMB named pipe, lsass
2. Local ALPC port, NETLOGON_LRPC
3. High dynamic TCP ports

Endpoint registration

C. Interface registration

As I mentioned earlier, RpcServerRegisterIf3 is used to register the interface.

Interface registration

The function used the
0x91 value as a set of flags, which are: RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH | RPC_IF_SEC_CACHE_PER_PROC | RPC_IF_AUTOLISTEN. RpcServerRegisterIf3 also has a security callback (sub_18002EF60), in addition to a security descriptor (hMem). This finding contradicts what was previously confirmed by an automated tool – that’s why I don’t trust them for reverse engineering.

D. Security callback

Now let’s go inside the security callback and see how the security check is performed. From the screenshot below, we can see that RpcServerInqCallAttributesW is called first with the
Flags field inside the RpcCallAttributes struct set to 96. After decoding this value, we can see that this function used two flags – RPC_QUERY_IS_CLIENT_LOCAL | RPC_QUERY_NO_AUTH_REQUIRED – to request the client information.
The security callback has a condition statement.

The security callback conditions

First, the callback verifies that the RpcServerInqCallAttributesW function was called successfully, then it checks if the opnum is less than 59. If both previous conditions are met and the client is local, access to the server is granted. If the client is remote, the callback uses an access array (a matrix) to determine if the opnum is allowed to be called by the remote client.

The access matrix is just hardcoded bytes in memory:

Access matrix

All of the previously mentioned functions in the MS-NRPC interface that can be accessed without authentication (as outlined in the table in the first part) pass the access matrix check.

Now, let’s analyze what happens when the conditions are met or not, using assembly language since the IDA decompiler tab lacks precise interpretations.

The security callback conditions in assembly

• For the security callback, as we mentioned earlier, returning 0 indicates a successful call.
• For the first condition (RpcServerInqCallAttributesW), failure results in an error value.
• For the second condition (operation number compared to 59), failure still returns 0. This only ensures that the matrix index doesn’t exceed its size and doesn’t validate implemented functions that are handled elsewhere.
• For the third condition, if both the access matrix and local client checks fail, the callback returns 5 (access denied). If either of them succeeds, execution continues.

If all of the above checks in the IF statement are passed, the security callback proceeds to check the Windows version with another IF statement that verifies the value of a DWORD in memory.

The second IF statement

This DWORD is initialized using the code shown below. The value is set based on whether or not the machine is a domain controller (DC).

Checking the machine type

• If the machine is a DC, execution continues and returns 0, indicating that the security callback check was successfully passed.
• If it is not a DC, further checks are performed.

This sequence of checks shows that passing the security callback for the remote client on a DC requires only that the access matrix check be successfully passed.

E. Interface security descriptor

As we saw before, the security descriptor is assigned through the RpcServerRegisterIf3 function. It is set up by calling another function that contains many instructions. The security descriptor definition language (SDDL) for the security descriptor is shown below.

SDDL for security descriptor

From the SDDL, we can see that the following groups of users have read access: Anonymous Logon, Everyone, Restricted Code, Built-in Administrators, Application Package, and a specific security identifier (SID).

But I ran into a problem. The function where the security descriptor is set up contained numerous operations, and I wasn’t sure if any changes had been made to the SDDL representation of the security descriptor. That’s why I decided to find an alternative method to verify that the SDDL interpretation remained the same.

To achieve this goal, I considered two approaches:

1. Memory search: I considered searching memory at runtime for the known value in the header of the relative security descriptor to intercept and extract the discretionary access control list (DACL) inside LSASS. However, since this involves interacting with the LSASS process, which is risky, I took a different approach.
2. ALPC Port Security Descriptor: The ALPC port NETLOGON_LRPC, registered during endpoint setup, shares the same security descriptor as the interface:

Endpoint and interface registration

Using the ALPC port’s name, I used the NtObjectManager PowerShell module (you can use any programming alternative) to extract the security descriptor from the ALPC port.

Extracting the SD from the ALPC port in PowerShell

After that, I obtained the DACL from the security descriptor.

Security descriptor for ALPC port

The screenshot above shows that the DACL obtained from the ALPC port’s security descriptor matches the SDDL representation we obtained earlier. As we can see in the first line of the ACL entries, anonymous login is allowed on the interface, which explains why we can pass the security descriptor access check for the interface (if there is no client token, the Anonymous LOGON token is assigned).

In-depth analysis conclusion

From the in-depth analysis, we now have the whole scenario of the MS-NRPC security mechanism, which allowed us to understand how we could successfully pass the security checks of the MS-NRPC interface and call multiple functions without authentication, even if the RPC policy is set to “Authenticated”.

To summarize, here’s how we were able to bypass the security of MS-NRPC:

1. Registration flags:We found that the interface has the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag: for this reason, we were able to get past the RPC policy.
2. Security callback:We found that this flag has a security callback, which in our case is used to check if we pass the check against the access array, and all of our functions passed the check.
3. Interface security descriptor:

The interface has a security descriptor that permits multiple user groups to connect, including anonymous users. Since we are using no authentication, the access check is performed against the anonymous user, allowing to access the interface’s functions.

Research conclusion

At the end of this part and my research, I hope I was able to provide all the details related to this research and the approaches that I used. I also hope that you are now able to understand why we have this kind of no-authentication enumeration. Furthermore, I hope you are now equipped to develop your own ways to detect this kind of activity.

Thank you for reading, and see you soon with more research projects.

securelist.com/ms-rpc-security…

Gli specialisti IT nordcoreani hanno iniziato a infiltrarsi con più frequenza nelle aziende europee fingendosi dipendenti assunti in full remote. Gli operatori nordcoreani hanno intensificato le operazioni in Germania, Portogallo, Serbia, Slovacchia e altri paesi, utilizzando falsi curriculum, passaporti contraffatti e foto generate dall’intelligenza artificiale per ottenere colloqui di lavoro.

L’obiettivo di questi lavoratori è quello di ottenere un impiego nel settore IT e di inviare i loro stipendi al bilancio di Pyongyang. A volte lanciano malware sui dispositivi aziendali, rubano informazioni riservate ed estorcono denaro. Ci sono anche casi in cui questi specialisti trovano lavoro in più aziende contemporaneamente, ricevendo più stipendi da più organizzazioni, ma contemporaneamente svolgono i loro compiti in modo scadente.

Spesso si usano tattiche per nascondere le origini “webcam rotta” Assistenza VPN e rivenditori locali. Questi ultimi accettano computer portatili aziendali, li mantengono connessi alla rete e aiutano anche a trasferire fondi guadagnati tramite criptovaluta o servizi come Payoneer e TransferWise. Questo schema è stato denominato “La fattoria dei computer portatili” . In un caso, è stato scoperto che un dispositivo aziendale destinato agli Stati Uniti era attivo a Londra, il che indica una catena di fornitura complessa.

L’indagine ha rivelato la presenza di istruzioni dettagliate in materia di impiego su siti web europei, tra cui consigli su come cambiare fuso orario e ottenere una cittadinanza fittizia. Nei documenti si parla di biografie false, con diplomi presumibilmente dell’Università di Belgrado e indirizzi in Slovacchia. Sono stati trovati anche i dettagli di accesso agli account sui siti web di reclutamento e sulle piattaforme di gestione delle risorse umane.

Gli esperti di Google sottolineano che i truffatori prendono sempre più di mira le aziende che adottano la politica BYOD (Bring Your Own Device). Questo approccio consente di lavorare da dispositivi personali non controllati dagli strumenti di sicurezza aziendale ed elimina inoltre la necessità di inviare computer portatili, riducendo così il rischio di esposizione tramite verifica tramite indirizzo.

Si nota che, con la crescente pressione internazionale e le indagini negli Stati Uniti, i dipendenti IT nordcoreani stanno sempre più spostando le loro attività in Europa, dove il livello di consapevolezza di tali schemi è inferiore. Alcuni specialisti hanno iniziato a ricorrere sempre più spesso al ricatto: dopo essere stati licenziati, minacciano di divulgare dati riservati o di passarli ai concorrenti. Le fughe di notizie riguardano codici sorgente e progetti interni.

Le agenzie federali raccomandano di prestare attenzione ai segnali di sostituzione: rifiuto di effettuare videochiamate, frequenti modifiche nei dettagli di pagamento, mancanza di foto nei profili e discrepanze negli indirizzi. Individuare tali abusi diventerà sempre più difficile man mano che i truffatori diventeranno più sofisticati e le grandi aziende tecnologiche diventeranno sempre più i loro bersagli.

L'articolo Quell’accento Nord Coreano ancora trae in inganno! I falsi lavoratori rubano dati e stipendi! proviene da il blog della sicurezza informatica.

You don’t see them as often as you used to, but it used to be common to see “electronics trainers” which were usually a collection of components and simple equipment combined with a breadboard, often in a little suitcase. We think [Pro Maker_101’s] portable electronics workstation is in the same kind of spirit, and it looks pretty nice.

The device uses a 3D printed case and a custom PC board. There are a number of components, although no breadboard. There is a breakout board for Raspberry Pi GPIO, though. So you could use the screw terminals to connect to an external breadboard. We were thinking you could almost mount one as a sort of lid so it would open up like a book with the breadboard on one side and the electronics on the other. Maybe version two?

One thing we never saw on the old units? An HDMI flat-screen display! We doubt you’d make one exactly like this, of course, but that’s part of the charm. You can mix and match exactly what you want and make the prototyping station of your dreams. Throw in a small portable soldering iron, a handheld scopemeter, and you can hack anywhere.

We’d love to see something like this that was modular. Beats what you could build in 1974.

youtube.com/embed/81NDDDT1xus?…

hackaday.com/2025/04/04/a-port…