RondoDox botnet discovered: thousands of devices at risk
A large botnet called RondoDox has been discovered that exploits 56 vulnerabilities in more than 30 different devices, including bugs first demonstrated at the Pwn2Own hacking competition.
The attackers target a wide range of Internet-exposed devices, including digital video recorders (DVRs), network video recorders (NVRs), video surveillance systems and web servers.
RondoDox uses a strategy that Trend Micro researchers call an “exploit shotgun”: the malware fires multiple exploits at once to maximize the number of infections, despite how conspicuous such activity is.
The researchers report that, among other vulnerabilities, RondoDox attacks CVE-2023-1389, a bug in the TP-Link Archer AX21 Wi-Fi router first demonstrated at Pwn2Own Toronto 2022. They stress that the botnet's developers closely track exploits demonstrated at Pwn2Own and then start using them in the wild.
Among the n-day vulnerabilities RondoDox has already added to its arsenal are:
- Digiever – CVE-2023-52163;
- Qnap – CVE-2023-47565;
- LB-LINK – CVE-2023-26801;
- TRENDnet – CVE-2023-51833;
- D-Link – CVE-2024-10914;
- TBK – CVE-2024-3721;
- Netgear – CVE-2024-12847;
- AVTECH – CVE-2024-7029;
- TOTOLINK – CVE-2024-1781;
- Tenda – CVE-2025-7414;
- TOTOLINK – CVE-2025-1829;
- Meteobridge – CVE-2025-4008;
- Edimax – CVE-2025-22905;
- Linksys – CVE-2025-34037;
- TOTOLINK – CVE-2025-5504;
- TP-Link – CVE-2023-1389.
The experts write that old vulnerabilities, especially in devices past their support period, are a serious problem, since they are less likely to receive patches. Newer issues in supported hardware are no less dangerous, since many users simply ignore firmware updates after the device's initial setup.
Trend Micro analysts report that RondoDox uses exploits for 18 command injection vulnerabilities that have not yet been assigned a CVE identifier. These vulnerabilities affect D-Link NAS devices, TVT and LILIN DVRs, Fiberhome, ASMAX and Linksys routers, Brickcom cameras and other unspecified devices.
As previously reported by FortiGuard Labs, RondoDox is capable of launching DDoS attacks using HTTP, UDP and TCP. To avoid detection, the botnet disguises its malicious traffic as traffic from popular games and platforms, including Valve titles, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite and GTA, as well as tools such as Discord, OpenVPN, WireGuard and RakNet.
To protect against RondoDox attacks, the researchers recommend installing the latest available firmware updates and promptly replacing end-of-life hardware. They also recommend segmenting the network, isolating critical data from Internet-accessible IoT devices and from guest connections, as well as changing default credentials and using strong passwords.
The article RondoDox botnet discovered: thousands of devices at risk originally appeared on il blog della sicurezza informatica.
Programming Space Game for x86 in Assembly Without an Operating System
In this video our hacker [Inkbox] shows us how to create a computer game that runs directly on computer hardware, without an operating system!
[Inkbox] briefly explains what BIOS is, then covers how UEFI replaces it. He talks about the genesis of UEFI from Intel in the late 90s. After Intel’s implementation of UEFI was made open source, it got picked up by the TianoCore community, who make tools such as the TianoCore EDK II.
[Inkbox] explains that the UEFI implementation provides boot services and runtime services. Boot services include things such as loading memory management facilities or running other UEFI applications, and runtime services include things like system clock access and system reset. In addition to these services there are many more UEFI protocols that are available.
[Inkbox] tells us that when an x64 CPU boots it jumps to memory address 0xfffffff0 that contains the initialization instructions which will enter protected mode, verify the firmware, initialize the memory, load the storage and graphics drivers, then run the UEFI Boot Manager. The UEFI Boot Manager will in turn load the appropriate EFI application, such as the firmware settings manager application (the “BIOS settings”), Windows Boot Manager, or GRUB. In this video we make our very own EFI application that the UEFI Boot Manager can be configured to load and run.
The system used for development and testing has an AMD Ryzen AI 9 HX 370 CPU and 32GB DDR5 RAM.
Having explained how everything gets started [Inkbox] goes on to explain how to write and deploy the assembly language program which will load and play the game. [Inkbox] shows how to read and write to the console and mentions that he did his testing on QEMU with an image on an external USB thumbdrive. He goes on to show how to use the system time and date facilities to get the current month. When trying to read nanoseconds from the system clock he ended up needing to refer to the UEFI Specification Release 2.10 (2.11 is latest as of this writing).
In the rest of the video [Inkbox] does some arithmetic for timing, uses LocateProtocol to load the graphics output provider, configures an appropriate video mode, writes to the screen using BLT operations, and makes the program run on multiple CPU cores (the CPU used has 24). At last, with some simple graphics programming and mouse input, [Inkbox] manages to get Space Game for x86 to run.
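The console-then-clock sequence the video goes through, as an added C example that is not [Inkbox]'s code or part of the original post. It hand-declares only the UEFI table fields it touches, in the spec's order so the offsets an assembly caller hard-codes fall out, and bundles a constructed fake firmware table so the logic runs and can be checked under an ordinary OS; the entry-point name efi_main, the banner text and the fake clock values are assumptions.

```c
/* Freestanding UEFI application: print a banner through ConOut->OutputString, then read the
 * month and nanosecond field via RuntimeServices->GetTime, the two firmware services the
 * assembly version calls.  Declarations follow the UEFI spec order so offsets match. */
#include <stdint.h>
#include <stddef.h>

#if defined(__x86_64__) && !defined(_WIN64)
#  define EFIAPI __attribute__((ms_abi))  /* x64 UEFI uses the Microsoft calling convention */
#else
#  define EFIAPI
#endif

typedef uint64_t EFI_STATUS;  /* UINTN on x64 */
typedef void    *EFI_HANDLE;
typedef uint16_t CHAR16;      /* UEFI strings are UCS-2 */
#define EFI_SUCCESS 0

typedef struct {              /* 24 bytes; every service table starts with it */
    uint64_t Signature; uint32_t Revision; uint32_t HeaderSize; uint32_t CRC32; uint32_t Reserved;
} EFI_TABLE_HEADER;

typedef struct {              /* 16 bytes; filled by GetTime */
    uint16_t Year; uint8_t Month; uint8_t Day; uint8_t Hour; uint8_t Minute; uint8_t Second;
    uint8_t Pad1; uint32_t Nanosecond; int16_t TimeZone; uint8_t Daylight; uint8_t Pad2;
} EFI_TIME;

typedef struct EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL;
struct EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL {
    void *Reset;                                                                    /* +0 */
    EFI_STATUS (EFIAPI *OutputString)(EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL *self, CHAR16 *s); /* +8 */
};                            /* TestString, QueryMode, ... follow; unused here */

typedef struct {
    EFI_TABLE_HEADER Hdr;                                   /* +0  */
    EFI_STATUS (EFIAPI *GetTime)(EFI_TIME *t, void *caps);  /* +24 */
} EFI_RUNTIME_SERVICES;       /* SetTime, GetWakeupTime, ... follow; unused here */

typedef struct {
    EFI_TABLE_HEADER Hdr;                    CHAR16 *FirmwareVendor;               /* +0, +24 */
    uint32_t FirmwareRevision;               EFI_HANDLE ConsoleInHandle;           /* +32 (padded), +40 */
    void *ConIn;                             EFI_HANDLE ConsoleOutHandle;          /* +48, +56 */
    EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL *ConOut; EFI_HANDLE StandardErrorHandle;       /* +64, +72 */
    void *StdErr;                            EFI_RUNTIME_SERVICES *RuntimeServices;/* +80, +88 */
    void *BootServices;                      /* +96; LocateProtocol lives in this table */
} EFI_SYSTEM_TABLE;

/* What one run learned from firmware; returned as a value so it can be checked. */
typedef struct { EFI_STATUS status; uint8_t month; uint32_t nanosecond; } BOOT_INFO;

/* OutputString wants UCS-2, so widen an ASCII string instead of relying on a u"" literal. */
static void ascii_to_ucs2(const char *src, CHAR16 *dst, size_t cap)
{
    size_t i = 0;
    for (; src[i] && i + 1 < cap; i++) dst[i] = (CHAR16)(unsigned char)src[i];
    dst[i] = 0;
}

/* Core logic, shared by the real entry point and the host-side harness below. */
static BOOT_INFO query_firmware(EFI_SYSTEM_TABLE *st)
{
    BOOT_INFO info = { EFI_SUCCESS, 0, 0 };
    CHAR16 banner[64];
    EFI_TIME now;
    ascii_to_ucs2("Space Game boot: reading the clock\r\n", banner, 64);  /* assumed text */
    info.status = st->ConOut->OutputString(st->ConOut, banner);
    if (info.status != EFI_SUCCESS) return info;
    info.status = st->RuntimeServices->GetTime(&now, NULL);
    if (info.status != EFI_SUCCESS) return info;
    info.month = now.Month;
    info.nanosecond = now.Nanosecond;   /* may legitimately be 0: not every firmware fills it */
    return info;
}

/* UEFI entry point (name assumed; the linker sets the real entry).  Firmware passes the image
 * handle in RCX and the system table in RDX, exactly as the assembly version reads them. */
EFI_STATUS EFIAPI efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *st)
{ (void)image; return query_firmware(st).status; }

/* ---- Host-side harness: a constructed fake firmware so the logic runs under a normal OS ---- */
static EFI_STATUS EFIAPI fake_output_string(EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL *self, CHAR16 *s)
{ (void)self; (void)s; return EFI_SUCCESS; }  /* real firmware would draw the text */

static EFI_STATUS EFIAPI fake_get_time(EFI_TIME *t, void *caps)
{
    EFI_TIME fixed = { 2025, 10, 10, 12, 0, 0, 0, 123456789u, 0, 0, 0 };  /* constructed clock */
    (void)caps; *t = fixed; return EFI_SUCCESS;
}

BOOT_INFO run_against_fake_firmware(void)
{
    EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL con = { 0, fake_output_string };
    EFI_RUNTIME_SERVICES rt = { { 0 }, fake_get_time };
    EFI_SYSTEM_TABLE st = { { 0 } };
    st.ConOut = &con;
    st.RuntimeServices = &rt;
    return query_firmware(&st);
}

/* The offsets an assembly caller hard-codes; true only if the declarations above are right. */
int layout_matches_spec(void)
{
    return offsetof(EFI_SYSTEM_TABLE, ConOut) == 64 && offsetof(EFI_SYSTEM_TABLE, RuntimeServices) == 88
        && offsetof(EFI_SYSTEM_TABLE, BootServices) == 96 && offsetof(EFI_RUNTIME_SERVICES, GetTime) == 24
        && offsetof(EFI_SIMPLE_TEXT_OUTPUT_PROTOCOL, OutputString) == 8 && sizeof(EFI_TIME) == 16;
}
```

Built for real firmware, the same file is compiled freestanding into a PE/COFF EFI image; the harness functions are simply never called there.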
If you’re interested in knowing more about UEFI a good place to start is What’s The Deal With UEFI?
Your LLM Won’t Stop Lying Any Time Soon
Researchers call it “hallucination”; you might more accurately refer to it as confabulation, hornswaggle, hogwash, or just plain BS. Anyone who has used an LLM has encountered it; some people seem to find it behind every prompt, while others dismiss it as an occasional annoyance, but nobody claims it doesn’t happen. A recent paper by researchers at OpenAI (PDF) tries to drill down a bit deeper into just why that happens, and if anything can be done.
Spoiler alert: not really. Not unless we completely re-think the way we’re training these models, anyway. The analogy used in the conclusion is to an undergraduate in an exam room. Every right answer is going to get a point, but wrong answers aren’t penalized, so why the heck not guess? You might not pass an exam that way going in blind, but if you have studied (i.e., sucked up the entire internet without permission for training data) then you might get a few extra points. For an LLM’s training, like a student’s final grade, every point scored on the exam is a good point.
The problem is that if you reward “I don’t know” in training, you may eventually produce a degenerate model that responds to every prompt with “IDK”. Technically, that’s true: the model is a stochastic mechanism; it doesn’t “know” anything. It’s also completely useless. Unlike some other studies, however, the authors do not conclude that so-called hallucinations are an inevitable result of the stochastic nature of LLMs.
While that may be true, they point out it’s only the case for “base models”, that is, pure LLMs. If you wrap the LLM with a “dumb” program able to parse information into a calculator, for example, suddenly the blasted thing can pretend to count. (That’s how undergrads do it these days, too.) You can also provide the LLM with a cheat-sheet of facts to reference instead of hallucinating; it sounds like what’s being proposed is a hybrid between an LLM and the sort of expert system you used to use Wolfram Alpha to access. (A combo we’ve covered before.)
In that case, however, some skeptics might wonder why bother with the LLM at all, if the knowledge in the expert system is “good enough.” (Having seen one AI boom before, we can say with the judgement of history that the knowledge in an expert system isn’t good enough often enough to make many viable products.)
Unfortunately, that “easy” solution runs back into the issue of grading: if you want your model to do well on the scoreboards and beat ChatGPT or DeepSeek at popular benchmarks, there’s a certain amount of “teaching to the test” involved, and a model that occasionally makes stuff up will apparently do better on the benchmarks than one that refuses to guess. The obvious solution, as the authors propose, is changing the benchmarks.
If you’re interested in AI (and who isn’t, these days?), the paper makes an interesting read. Interesting, if perhaps disheartening, if you were hoping the LLMs would graduate from their eternal internship any time soon.
Via ComputerWorld, by way of whereisyouredat.
Points of contact between the DMA and the GDPR: the joint guidelines from the EDPB and the EU Commission
On 9 October, the European Data Protection Board and the European Commission approved a document setting out the common guidance between two data regulations: the Digital Markets Act and the GDPR. All with the aim of
PLA Gears Fail To Fail In 3D Printed Bicycle Drivetrain
Anyone who has ever snapped a chain or a crank knows how much torque a bicycle’s power train has to absorb on a daily basis; it’s really more than one might naively expect. For that reason, [Well Done Tips]’s idea of 3D printing a gear chain from PLA did not seem like the most promising of hacks to us.
Contrary to expectations, though, it actually worked; at the end of the video (at about 13:25), he’s on camera going 20 km/h, which while not speedy, is faster than we thought the fixed gearing would hold up. The gears themselves, as you can see, are simple spurs, and were modeled in Fusion360 using a handy auto-magical gear tool. The idler gears are held in place by a steel bar he welded to the frame, and are rolling on good old-fashioned skateboard bearings, two each. (Steel ones, not 3D printed bearings.) The healthy width of the spur gears probably goes a long way to explaining how this contraption is able to survive the test ride.
The drive gear at the wheel is steel-reinforced by part of the donor bike’s cassette, as [Well Done Tips] recognized that the shallow splines on the freewheel hub were not exactly an ideal fit for PLA. He does complain of a squeaking noise during the test ride, and we can’t help but wonder if switching to helical gears might help with that. That or perhaps a bit of lubricant, as he’s currently riding the gears dry. (Given that he, too, expected them to break the moment his foot hit the pedal, we can hardly blame him for not wanting to bother with grease.)
We’ve seen studies suggesting PLA might not be the best choice of plastic for this application; if this wasn’t just a fun hack for a YouTube video, we’d expect nylon would be his best bet. Even then, it’d still be a hack, not a reliable form of transportation. Good thing this isn’t reliable-transportation-a-day!
GL-Como - Linux Day 2025
Reported by Linux Italia and published in the Lemmy community @GNU/Linux Italia
This year too, GL-Como is taking part in Linux Day!
The annual event organised by ILS was born in 2001 to promote the ideas of free software and open source, with a particular focus on Linux. The event is
Possibly the Newest ISA Card
Back when the IBM PC was new, laying out an ISA board was a daunting task. You probably didn’t have a very fast ‘scope, if you had one at all. Board layout was almost certainly done on a drafting table with big pieces of tape. It was hard for small companies, much less hobbyists, to make a new card. You could buy a prototype board and wire-wrap or otherwise put together something, but that was also not for the faint of heart. But with modern tools, something like that is a very doable project and [profdc9] has, in fact, done it. The card uses an ATMega328P and provides two SD cards for use as mass storage on an old computer.
The design tries to use parts that won’t be hard to get in the future. At least for a while, yet. There’s capacity for expansion, too, as there is an interface for a Wiznet 5500 Ethernet adapter.
Can you imagine if you could transport this card back to the days when the ISA bus was what you had? Just having a computer fast enough to manipulate the bus would have been sorcery in those days.
We don’t know if you need an ISA mass storage card, but if you do, [profdc9] has you covered. Then again, you do have options. Or, if you’d rather take a deep dive into the technology, we can help there, too.
Fight for press freedom as ICE attacks Chicago
Press freedom wins in Chicago court, but fight continues
Chicago journalists won a big First Amendment victory Oct. 9, when a federal court temporarily curbed federal officers’ abuses at protests. But the fight isn’t over.
The order still allows officers to potentially remove journalists along with protesters, a serious threat to press freedom that must be fixed.
We also can’t rely on courts alone. Local officials must step up, especially to protect independent journalists, who’ve been the main targets of these violations.
That’s why Freedom of the Press Foundation (FPF) led a coalition letter urging the Broadview, Illinois, Police Department and Illinois State Police to investigate attacks on independent journalists covering protests.
Read more about the order here.
Strengthen presidential library transparency
A segment on “Last Week Tonight with John Oliver” about corruption and secrecy surrounding presidential libraries cited FPF’s Lauren Harper, who has been warning about Trump’s purported library since before his inauguration.
Oliver is right. Secret donations to presidential libraries enable bribery, while public access to presidential records is at an all-time low. Use our action center tool to tell Congress to close the secrecy loopholes and increase transparency.
Army lawyer thinks journalists are stenographers
The Pentagon attempted to walk back its policy restricting reporters from publishing news the government doesn’t authorize. But the revised policy is still a nonstarter to which no journalist should agree.
Meanwhile, a nominee for general counsel for the Department of the Army, Charles L. Young III, effectively endorsed the unconstitutional restrictions during a Senate hearing this week, opining that the First Amendment authorizes the government to punish journalists for publishing information that it did not approve for public release.
That’s disqualifying. A journalist’s job isn’t to keep the government’s secrets. It’s to report news the government does not want reported.
Tell Congress to reject Young’s nomination.
State Department must stand up for journalists detained on flotillas
Israel continues to hold American journalists captured in international waters aboard aid flotillas. The latest are Jewish Currents reporter Emily Wilder and Drop Site News reporter Noa Avishag Schnall. Previously, Israel detained Drop Site News reporter Alex Colston, who has said he and other detainees were abused and denied medical care.
But the State Department is doing little if anything about these detainments, presumably because the journalists in question don’t agree with the administration’s policies. Lawmakers need to raise their voices and pressure the administration to do more.
Write to your member of Congress here.
Student journalists fight Trump’s anti-speech deportations
It’s not every day a student newspaper takes on the federal government. But that’s exactly what The Stanford Daily is doing.
The Daily sued Secretary of State Marco Rubio and Secretary of Homeland Security Kristi Noem in August over the Trump administration’s push to deport foreign students for exercising free speech, like writing op-eds and attending protests.
We spoke at the start of Stanford University’s fall term with Editor-in-Chief Greta Reich about why the Daily is fighting back. Read more here.
It’s time to end the SEC gag rule
We’ve written before about the unconstitutionality of the Securities and Exchange Commission’s “gag rule,” which bars those who settle with the SEC from talking to reporters, to protect the SEC’s reputation.
We shouldn’t need to say this, but the government doesn’t get to censor its critics to make itself look good. Last week, we filed a legal brief explaining to a federal appellate court why the ridiculous rule must be struck down. Read the brief here.
What we’re reading
ICE goes masked for a single reason (The New York Times). FPF’s Adam Rose tells the Times that immigration officers “seem to feel they can just willy-nilly shoot tear gas canisters at people and shoot them with foam rounds that can permanently maim people.”
The New York Times wins right to obtain info Musk wanted kept private (The New Republic). A court ruled that the public’s interest in knowing if Elon Musk has a security clearance and access to classified information outweighs any potential privacy interests.
Press Freedom Partnership newsletter (The Washington Post). “Journalists who are considering covering the story are going to think twice about it and stay home because they don’t want to be jailed and shot. It’s a major problem,” we told the Post about law enforcement targeting journalists covering anti-deportation protests in and around Chicago.
Journalism has become more challenging, for reporters and sources (Sentient). Sources have backed out of news stories — even seemingly uncontroversial ones — out of fear of being targeted by the Trump administration.
MAGA slams ‘fake news’ but embraces ‘The Benny Show’s’ misinformation (Straight Arrow News). “Plenty of past presidents would have loved to exclude serious journalists … and bring in the Benny Johnsons of their time. They just were under the impression that the public wouldn’t tolerate that,” we told Straight Arrow News. Now it’s up to the public to prove those past presidents right and the current one wrong.
A Function Generator From The Past
It’s always a pleasure to find a hardware hacker who you haven’t seen before, and page back through their work. [Bettina Neumryr]’s niche comes in building projects from old electronics magazines, and her latest, a function generator from the British Everyday Electronics magazine in April 1983, is a typical build.
The project uses the XR2206 function generator chip, a favourite of the time. It contains a current controlled oscillator and waveform shaper, and can easily produce square, triangle, and sine waves. It was always a puzzle back in the day why this chip existed, as surely the global market for function generators can’t have been that large; however, a little bit of background reading for this write-up reveals that its intended application was producing frequency-shift-keyed sinusoidal tones.
Yellow-stained boards for the win!
The EE project pairs the XR2206 with an op-amp current generator to control the frequency, and another op-amp as an amplifier and signal conditioner. The power supply is typical of the time too: a mains transformer, rectifier, and linear regulators. There are a pair of very period PCBs supplied as print-outs in the magazine for home etching. This she duly does, though with toner transfer, which would have been unheard of in 1983. After a few issues with faulty pots and a miswired switch, she has a working function generator which she puts in a very period project box.
It’s interesting to look at this and muse on what’s changed in electronic construction at our level in the last four decades. The PCB is single sided and has that characteristic yellow of ferric chloride etching, and it takes up several times the space achievable with the same parts on the professionally-made dual-sided board, designed using a modern PCB CAD package, that we’d use today. A modern take on the same project would probably use a microcontroller and a DAC, and a small switch-mode supply would provide the power for less money than that transformer. But we like the 1983 approach, and we commend [Bettina] for taking it on. The full video is below the break.
Microsoft Defender wrongly flags SQL Server 2019 as End of Life
We know well that the end of product support (End of Life) brings security risks and an accumulation of vulnerabilities, since vendors stop releasing corrective patches. However, starting a replatforming five years early seems a somewhat excessive choice.
Microsoft is working to fix a bug in its enterprise security platform Defender for Endpoint that caused the security software to wrongly flag SQL Server 2017 and 2019 as “obsolete”.
BleepingComputer reports that the disruption affected Defender XDR customers as early as Wednesday morning. Microsoft itself confirms that SQL Server 2019 will be supported until January 2030 and SQL Server 2017 until October 2027.
The error occurred because of a recent code update to the detection system for “end of support” (EoL) programs, i.e. programs whose support period has expired.
As a result, Defender wrongly marked current versions of SQL Server as obsolete. “Users with SQL Server 2019 and 2017 installed may see incorrect labels in the Threat and Vulnerability Management section. We have already started rolling out a fix that will revert the incorrect changes,” Microsoft reported.
The company clarified that the problem could affect all customers using SQL Server 2017 and 2019, but that it is an incident of limited scope. Microsoft promised to publish a schedule for the full rollout of the fix as soon as it is ready. This is not the first time Defender for Endpoint has responded incorrectly to updates.
A week earlier, the product had wrongly identified the BIOS of some Dell devices as outdated, demanding a non-existent update.
In early September, the company dealt with another problem: false positives from its antispam service, which prevented Exchange Online and Microsoft Teams users from opening links in e-mails and chats. It seems Microsoft’s engineers have had a particularly hot autumn.
The article Microsoft Defender wrongly flags SQL Server 2019 as End of Life originally appeared on il blog della sicurezza informatica.
Court backs Chicago reporters, but leaves door open for dispersals
A federal judge just reminded the government that the First Amendment still applies in Chicago.
On Oct. 9, Chicago journalists and protesters scored a major legal win, when Judge Sara Ellis issued a temporary restraining order reining in federal officers’ repeated First Amendment violations at protests.
It’s a big victory for press freedom. The order prohibits arrests and use of physical force against journalists and restricts the use of dangerous crowd-control munitions. It defines “journalists” broadly, in a way that includes independent, freelance, and student reporters. It also enhances transparency by requiring federal officers to wear “visible identification,” like a unique serial number.
This order and similar rulings in Los Angeles last month are powerful reminders that journalists working together can vindicate their rights in the courts. They also highlight the crucial role that independent journalists and smaller news organizations play in defending press freedom. In both Chicago and Los Angeles, it’s been freelancers, community news outlets, local press clubs, and unions who’ve taken the lead, teaming up with protesters, legal observers, and clergy to take the government to court.
Unconstitutional dispersals of press still possible
But the fight isn’t over. The Chicago order unfortunately leaves open the possibility that, at least in some instances, federal officers may order journalists to leave areas where protests are being broken up or officers are attacking protesters.
Although the order prohibits dispersal of journalists from protests as a general matter, it also states that officers can “order” journalists to “change location to avoid disrupting law enforcement,” as long as they have “an objectively reasonable time to comply and an objectively reasonable opportunity to report and observe.” (In contrast, a similar order in Los Angeles states only that federal officers may “ask” journalists to change location.)
Federal officers are likely to use this as a loophole to continue to violently remove the press from protests, on the pretext that it’s necessary to avoid disruption. The order’s requirement that press must be able to continue to report and observe is also too lax; far better would have been an order specifically requiring that press be able to continue to see and hear the protest and law enforcement response.
The weaker language around dispersals of journalists in the court’s order is a shame, especially for the public’s right to know. In recent days, Chicago journalists have been reporting about the violent tactics used by federal agents to disperse protests. If journalists can be ordered to leave alongside protesters, they can’t observe what’s happening or capture the images they need to keep the public informed.
It also makes dispersals more dangerous for protesters. As Unraveled Press noted, “Again and again, we’ve seen cops are most likely to get more violent with demonstrators when out of public view.” (Unraveled Press co-founder Raven Geary is a plaintiff in the Chicago lawsuit.) And while the court’s order prohibits dispersal orders aimed at peaceful protesters, if federal officers violate that order and also disperse the press to avoid a “disruption,” it will be much harder for the public to learn about it.
By declining to simply prohibit federal officers from dispersing the press, except when necessary to serve an essential government need such as public safety, the court also got the law wrong. Even when police can disperse protesters who break the law, the First Amendment doesn’t allow them to disperse journalists, too.
We’re not the only ones who say so. Just last year, the Department of Justice issued guidance stating as much:
“In the case of mass demonstrations, there may be situations—such as dispersal orders or curfews—where the police may reasonably limit public access. In these circumstances, to ensure that these limitations are narrowly tailored, the police may need to exempt reporters from these restrictions. …”
The DOJ also said so in a previous report, reprimanding the Minneapolis Police Department for its suppression of protesters and the press following George Floyd’s murder:
“The First Amendment requires that any restrictions on when, where, and how reporters gather information ‘leave open ample alternative channels’ for gathering the news. Blanket enforcement of dispersal orders and curfews against press violates this principle because they foreclose the press from reporting about what happens after the dispersal or curfew is issued, including how police enforce those orders.”
And in an important decision from 2020, the federal court of appeals in the 9th Circuit also disapproved of blanket dispersal orders being enforced against the press. That case arose from very similar circumstances to those today: federal authorities abusing the First Amendment while policing federal property during Black Lives Matter protests in Portland, Oregon.
In the 2020 case, the 9th Circuit affirmed a legal order that exempted journalists from general dispersal orders issued by the federal government. Journalists, it wrote, “cannot be punished for the violent acts of others.”
These authorities make it clear: Journalists cannot be ordered to move simply because it would be more convenient for officers. Journalists can only be dispersed if it’s essential to a compelling government interest, and only if they continue to have another vantage point from which they can see and hear what’s going on in order to report.
It’s frustrating that the court’s order leaves the door open for the government to evade this well-established principle. But the fight isn’t over. The court’s temporary restraining order is just a first step. When it issues a more permanent ruling, it will have another opportunity to get the prohibition on dispersing the press right.
The convenience of limiting thought
We read what we are, and we read less and less. The Italian Publishers Association (AIE) said so back in May, during the Turin Book Fair, when it noted that the publishing trend was suffering a major drop in sales,
Hackaday Podcast Episode 341: Qualcomm Owns Arduino, Steppers Still Dominate 3D Printing, and Google Controls Your Apps
The nights are drawing in for Europeans, and Elliot Williams is joined this week by Jenny List for an evening podcast looking at the past week in all things Hackaday. After reminding listeners of the upcoming Hackaday Supercon and Jawncon events, we take a moment to mark the sad passing of the prolific YouTuber, Robert Murray-Smith.
Before diving into the real hacks, there are a couple of more general news stories with an effect on our community. First, the takeover of Arduino by Qualcomm, and what its effect is likely to be. We try to speculate as to where the Arduino platform might go from here, and even whether it remains the player it once was, in 2025. Then there’s the decision by Google to restrict Android sideloading to only approved-developer APKs unless over ADB. It’s an assault on a user’s rights over their own hardware, as well as something of a blow to the open-source Android ecosystem. What will be our community’s response?
On more familiar territory we have custom LCDs, algorithmic art, and a discussion of non-stepper motors in 3D printing. Even the MakerBot Cupcake makes an appearance. Then there’s a tiny RV, new creative use of an ESP32 peripheral, and the DVD logo screensaver, in hardware. We end the show with a look at why logic circuits use the voltages they do. It’s a smorgasbord of hacks for your listening enjoyment.
Download yourself an MP3 even without a Hackaday Listeners’ License.
Episode 341 Show Notes:
News:
- 2025 Hackaday Supercon: More Wonderful Speakers
- JawnCon Returns This Weekend
- Honoring The Legacy Of Robert Murray-Smith
What’s that Sound?
- Fill in the form with your best guess to be entered to win next week.
Interesting Hacks of the Week:
- Qualcomm Introduces The Arduino Uno Q Linux-Capable SBC
- Google Confirms Non-ADB APK Installs Will Require Developer Registration
- Mesmerizing Patterns From Simple Rules
- How To Design Custom LCDs For Your Own Projects
- Why Stepper Motors Still Dominate 3D Printing
- How Your SID May Not Be As Tuneful As You’d Like
Quick Hacks:
- Elliot’s Picks:
  - A Childhood Dream, Created And Open Sourced
  - Tips For C Programming From Nic Barker
  - Finding Simpler Schlieren Imaging Systems
- Jenny’s Picks:
  - Building The DVD Logo Screensaver With LEGO
  - ESP32 Decodes S/PDIF Like A Boss (Or Any Regular Piece Of Hi-Fi Equipment)
  - Kei Truck Becomes Tiny RV
Can’t-Miss Articles:
QUIC! Jump to User Space!
Everyone knows that Weird Al lampooned computers in a famous parody song (It’s All About the Pentiums). But if you want more hardcore (including more hardcore language, so if you are offended by rap music-style explicit lyrics, maybe don’t look this up), you probably want “Kill Dash 9” by Monzy. There’s a line in that song about “You thought the seven-layer model referred to a burrito.” In fact, it refers to how networking applications operate, and it is so ingrained that you don’t even hear about it much these days. But as [Codemia] points out, QUIC aims to disrupt the model, and for good reason.
Historically, your application (at layer 7) interacts with the network through other layers like the presentation layer and session layer. At layer 4, though, there is the transport layer where two names come into play: TCP and UDP. Generally, UDP is useful where you want to send data and you don’t expect the system to do much. Data might show up at its destination. Or not. Or it might show up multiple times. It might show up in the wrong order. TCP solves all that, but you have little control over how it does that.
When things are congested, there are different strategies TCP can use, but changing them can be difficult. That’s where QUIC comes in. It is like a user-space TCP layer built over a UDP transport. There are a lot of advantages to that, and if you want to know more, or even just want a good overview of network congestion control mitigations, check the post out.
If you want to know more about congestion control, catch a wave.
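To make the "user-space TCP over UDP" idea concrete, here is an added toy example (not code from the linked post): a simulated datagram channel that drops, duplicates and reorders packets, and a sender that rebuilds in-order delivery on top of it with a swappable congestion controller. The channel, the AIMD controller and the packet format are all constructed for the illustration.

```python
"""Added example (not from the linked post): a toy user-space reliable
transport over a UDP-like channel, in the spirit of QUIC. The channel drops,
duplicates and reorders; the sender owns retransmission and congestion control."""
import random
from collections import deque

class LossyChannel:
    """Constructed datagram channel; packets are (seq, payload) tuples."""
    def __init__(self, loss=0.2, dup=0.1, seed=1, drop_first=()):
        self.loss, self.dup, self.rng = loss, dup, random.Random(seed)
        self.drop_first = set(drop_first)   # seqs lost on their first send only
        self.queue = deque()

    def send(self, pkt):
        if pkt[0] in self.drop_first:
            self.drop_first.discard(pkt[0]); return      # deterministic loss
        if self.rng.random() < self.loss:
            return                                        # random loss
        self.queue.append(pkt)
        if self.rng.random() < self.dup:
            self.queue.append(pkt)                        # duplicate
        if len(self.queue) > 1 and self.rng.random() < 0.3:
            self.queue.rotate(1)                          # reorder

    def drain(self):
        pkts, self.queue = list(self.queue), deque()
        return pkts

class AimdController:
    """Additive increase / multiplicative decrease (TCP Reno style). Swapping
    this class is a user-space change; kernel TCP needs sysctls or a module."""
    def __init__(self):
        self.cwnd = 1.0
    def on_ack(self):
        self.cwnd += 1.0 / self.cwnd          # about +1 segment per RTT
    def on_loss(self):
        self.cwnd = max(1.0, self.cwnd / 2)

def transfer(data, channel, controller, max_rounds=500):
    """Deliver `data` (list of payloads) in order over `channel`. One round
    is one RTT; ACKs are assumed lossless to keep the example short.
    Returns (delivered, rounds, retransmissions)."""
    next_seq, unacked, retrans = 0, {}, 0          # sender state
    expected, buffer, delivered = 0, {}, []        # receiver state
    for rounds in range(1, max_rounds + 1):
        # Sender: resend everything still unacknowledged, then fill cwnd.
        for seq in sorted(unacked):
            channel.send((seq, unacked[seq])); retrans += 1
        while len(unacked) < int(controller.cwnd) and next_seq < len(data):
            unacked[next_seq] = data[next_seq]
            channel.send((next_seq, data[next_seq])); next_seq += 1
        # Receiver: sequence numbers let it drop duplicates and park
        # out-of-order packets until the gap before them is filled.
        acked = []
        for seq, payload in channel.drain():
            if seq >= expected:
                buffer[seq] = payload
            acked.append(seq)
            while expected in buffer:
                delivered.append(buffer.pop(expected)); expected += 1
        # Sender: consume ACKs; anything still in flight counts as lost.
        for seq in acked:
            if unacked.pop(seq, None) is not None:
                controller.on_ack()
        if unacked:
            controller.on_loss()
        if expected == len(data):
            return delivered, rounds, retrans
    raise RuntimeError("transfer did not complete")
```

Run `transfer([f"chunk{i}" for i in range(40)], LossyChannel(), AimdController())` to watch the round count and retransmissions change as you tweak the loss rate or replace the controller.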
Wizard Bisan, today
A historic day that I still can't believe it happened, I am out of my mind.. it's so painful, heartbreaking, but yet inevitable.
This week, we discuss a ransomware gang, book bans, and infrastructure. #BehindTheBlog
The Senate unblocks 914 billion and relaunches the US defense strategy
@Notizie dall'Italia e dal mondo
After weeks of procedural stalemate, the United States Senate has approved by a large majority its own version of the National Defense Authorization Act (NDAA), bringing the defense dossier back to the center of Washington's agenda. The move unblocks the confrontation with the House and opens
DPP, lights and shadows of the Defense's new strategic document. The analysis of Gen. Camporini
@Notizie dall'Italia e dal mondo
In recent days the Chambers received the Defense's new Multi-year Planning Document (DPP) for 2025-2027. The publication of the document, produced by the Ministry of Defense, is an annual appointment of great importance for analyzing the
An exploit for Cisco FMC intercepted on the Dark Web: what are the impacts
@Informatica (Italy e non Italy 😁)
Researchers at Cyberoo have identified a potential threat that could affect thousands of IT infrastructures. It is on sale for 500,000 dollars
The article An exploit for Cisco FMC intercepted on the Dark Web: what are the impacts comes from Cyber Security 360.
agi.it/estero/news/2025-10-10/…
how can a person so lacking in humility, who demands the Nobel, deserve the Nobel? this is what happens when you appoint as president of the United States a person with the mental age of a 3-year-old...
UNaware patients - alert for the large-scale scam in progress.
@Privacy Pride
Christian Bernieri's full post is on his blog: garantepiracy.it/blog/pazienti…
I hate the applications used by lazy doctors and, because of one of them, it's red alert, DEFCON 1, global catastrophe! Anyone who has bought in one of the 112 pharmacies that have activated Medical Live -
This Week in Security: ID Breaches, Code Smell, and Poetic Flows
Discord had a data breach back on September 20th, via an outsourced support contractor. It seems it was a Zendesk instance that was accessed for 58 hours through a compromised contractor user account. There have been numbers thrown around from groups claiming to be behind the breach, like 1.6 Terabytes of data downloaded, 5.5 million users affected, and 2.1 million photos of IDs.
Discord has pushed back on those numbers, stating that it’s about 70,000 IDs that were leaked, with no comments on the other claims. To their credit, Discord has steadfastly refused to pay any ransom. There’s an interesting question here: why were Discord users’ government issued IDs on record with their accounts?
The answer is fairly simple: legal compliance. Governments around the world are beginning to require age verification from users. This often takes the form of a scan of valid ID, or even taking a picture of the user while holding the ID. There are many arguments about whether this is a good or bad development for the web, but it looks like ID age verification is going to be around for a while, and it’ll make data breaches more serious.
In similar news, Salesforce has announced that they won’t be paying any ransoms to the group behind the compromise of 39 different Salesforce customers. This campaign was performed by calling companies that use the Salesforce platform, and convincing the target to install a malicious app inside their Salesforce instance.
Unity
[RyotaK] from Flatt Security found an issue in the Unity game engine, where an intent could influence the command line arguments used to launch the Unity runtime. So what’s an intent?
On Android, an Intent is an object sent between applications indicating an intention. It’s an intra-process messaging scheme. So the problem here is that when sending an intent to a Unity application on Android, a command line option can be included as an extra option. One of those command line options allows loading a local library by name. Since a malicious library load results in arbitrary code execution, this seems like a pretty big problem.
At first it seems that this doesn’t gain an attacker much. Doesn’t a malicious app already need to be running on the device to send a malicious intent? The reality is that it’s often possible to manipulate an innocent app into sending intents, and the browser is no exception. The bigger problem is that a malicious library must first be loaded into a location from which the Unity app can execute. It’s a reasonably narrow window for practical exploitation, but it still scores an 8.4 severity. Unity has released fixes for versions all the way back to 2019.1.
Code Smell: Perl?
We have two stories from watchTowr, packed full of the sardonic wit we have come to expect from these write-ups. The first is about Dell’s UnityVSA, a Virtual Storage Appliance that recently received a whole slew of security fixes for CVEs. So watchTowr researchers took a look at the patch set from those fixes, looking for code smell, and found… Perl?
Turns out it wasn’t the presence of Perl that was considered bad code smell, though I’m sure some would argue that point. It was the $exec_cmd variable that wasn’t escaped, and Perl backticks were used to execute that string on the system. Was there a way to inject arbitrary bash commands into that string? Naturally, there is. And it’s a reasonably simple HTTP query to run a command. A security advisory and updated release was published by Dell at the end of July, fixing this issue.
Poetic Flow of Vulnerabilities
There’s an active exploitation campaign being waged against Oracle E-Business Suite instances, using a zero-day vulnerability. This exploit works over the network, without authentication, and allows Remote Code Execution (RCE). It appears that a threat group known as Graceful Spider, another great name, is behind the exploitation.
The folks at watchTowr got their hands on a Proof of Concept, and have reverse engineered it for our edification. It turns out it’s a chain of little weaknesses that add up to something significant.
It starts with a Server-Side Request Forgery (SSRF), a weakness where a remote service can be manipulated into sending an additional HTTP request on to another URL. This is made more significant by the injection of a Carriage Return/Line Feed (CRLF) attack, that allows injecting additional HTTP headers.
Another quirk of the PoC is that it uses HTTP keep-alive to send all of the malicious traffic down a single HTTP session. And the actual authentication bypass is painfully classic. A /help path doesn’t require authentication, and there is no path traversal protection. So the SSRF connection is launched using this /help/../ pattern, bypassing authentication and landing at a vulnerable .jsp endpoint.
That endpoint assembles a URL using the Host: header from the incoming connection, and fetches and parses it as an eXtensible Stylesheet Language (XSL) document. And XSL documents are unsafe to load from untrusted sources, because they can lead directly to code execution. It’s a wild ride, and a great example of how multiple small issues can stack up to be quite significant when put together.
Bits and Bytes
Caesar Creek Software did an audit on a personal medical device and found issues, but because fixes are still being reviewed by the FDA, we don’t get many details on what exactly this is. Reading between the lines, it sounds like a wearable glucose monitor. It’s based on the nRF52 platform, and the best bit of this research may be using power line fault injection to get Single Wire Debug access to the MCU. They also found what appears to be a remote leak of uninitialized memory, and a Bluetooth Low Energy Man in the Middle attack. Interesting stuff.
And finally, [LaurieWired] has a great intro to the problem of trusting trust with a bit of bonus material on how to build and obfuscate quines while at it. How do you know your compiler binary doesn’t have malware in it? And how do you establish trust again? Enjoy!
The truth about the Windows XP license key: FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8
On October 10, new revelations emerged about one of the most famous license keys in computing history: FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8, tied to Windows XP. For years this sequence of characters was synonymous with pirated software, but today a different truth emerges.
Dave W. Plummer, a veteran Microsoft engineer and creator of the Windows Product Activation (WPA) system, has confirmed that the key was not generated by a crack but was the result of a serious internal data leak.
According to Plummer, the key had been conceived as a Volume License Key (VLK) intended exclusively for companies, to allow multiple, automated installations of Windows XP. However, due to a management error and poor oversight, the code leaked outside, spreading rapidly among hackers and piracy communities. From that moment on it was shared everywhere online, allowing anyone to install unauthorized copies of the operating system.
How the activation system worked
In the first versions of WPA, the Windows XP validation process involved generating a hardware ID based on the CPU, RAM and other components of the computer. That ID, together with the product key, was sent to Microsoft's servers to verify authenticity.
If the key looked suspicious or did not match a valid profile, the system flagged the installation as non-genuine.
However, since the FCKGW key was an official corporate code, it appeared on the activation system's whitelist. That meant that, during installation, it was enough to select “Yes, I have a Product Key” and enter it to bypass the check completely, with no need for activation and no time limits.
The impact of its spread
The absence of effective checks made the key extremely attractive. In a short time, “pre-activated” Windows XP CDs and ISO images began circulating online, turning XP piracy into a mass phenomenon.
Even the first security updates were unable to identify illegitimate copies, since the system did not associate any hardware ID with the license code.
Over time, Microsoft put FCKGW on its blacklist, preventing its use in later versions. Starting with Service Pack 2 (SP2), the key and the original VLK mechanism were removed entirely, marking the end of one of the most famous data leaks in software history.
The article The truth about the Windows XP license key: FCKGW-RHQQ2-YXRKT-8TG6W-2B7Q8 comes from il blog della sicurezza informatica.
Intel and NVIDIA: from historic rivals to partners in the new artificial intelligence market
During an interview with Jim Cramer, host of the Mad Money program, NVIDIA CEO Jen-Hsun Huang recalled a key episode from the past that saw him as a protagonist alongside Intel.
The interview, reported on October 9 by Fast Technology, revealed interesting details about the evolution of the relationship between the two companies, once fierce competitors and now strategic partners.
In the early 2000s, Intel was the absolute reference point in the computing industry, with a dominant position in both consumer and professional products. At that time NVIDIA worked with Intel on chipset production, but later decided to develop its own technology in-house.
That choice led to a legal dispute over licensing rights, which ended in a victory for NVIDIA. During the interview, Huang ironically recalled that period by stating that “Intel spent 33 years trying to destroy us”, while stressing that it was a joking remark.
Today the situation is completely different: the two companies actively collaborate.
Huang explained that the key to this new alliance lies in his personal friendship with Intel's current CEO, Lip-Bu Tan.
According to NVIDIA's top executive, the cooperation between the two companies represents an important step toward a strategic synergy in the field of hardware for artificial intelligence, a sector undergoing rapid transformation.
“We are no longer rivals, but friends”, Huang concluded, highlighting how the competition of the past has turned into a collaborative relationship that aims to strengthen both sides in the new global technology landscape.
The article Intel and NVIDIA: from historic rivals to partners in the new artificial intelligence market comes from il blog della sicurezza informatica.
The PoC is online for OpenSSH! Remote Code Execution (RCE) via ProxyCommand
A new vulnerability, CVE-2025-61984, has been discovered in OpenSSH. It allows remote code execution (RCE) by manipulating the ProxyCommand parameter and the handling of shell characters.
Exploitation is possible even with protections against standard shell metacharacters, because of the use of control characters and syntax errors that do not stop command execution in some shells.
OpenSSH provides the ProxyCommand mechanism for connecting through an intermediate proxy. It is typically used like this: ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p. However, if %r is specified in the ~/.ssh/config configuration, the username may contain control characters.
Although most dangerous characters are filtered, such as ;, |, (, ), and &, previously unfiltered were “\n” (newline), $, [ and others, which in some shells can change the behavior of the command. This behavior allows an attacker to construct a fake username value containing a malicious command after the error on the first line.
If a Git repository contains a malicious submodule with a URL of the form url = “$[+]\nsource poc.sh\n@foo.example.com:foo”, and the user has the following line in ~/.ssh/config: ProxyCommand some-command %r@%h:%p, cloning with git clone --recursive will execute the second line (source poc.sh) if the shell used is Bash, Fish or csh. This is possible because the $[+] syntax error only breaks that line. Zsh, unlike other shells, automatically stops on such errors.
Teleport is one of the affected tools: it generates a ProxyCommand with %r in the tsh configuration. This lets an attacker who knows the cluster name launch an attack via git submodules.
The OpenSSH patch enables strict filtering of control characters in the valid_ruser() function: if (iscntrl((u_char)s[i])) return 0;. It is also recommended to: update to OpenSSH 10.1; change ProxyCommand to use single quotes, '%r', to avoid interpretation; disable SSH in submodules: git config --global protocol.ssh.allow user; disable URL handlers for ssh:// if they allow control characters; switch to shells with stricter behavior (for example Zsh).
Although the attack requires a specific configuration, it is a further example of the complexity and unpredictability of the interactions between git, SSH and shell interpreters. Even without direct exploitation, such vulnerabilities show the importance of strict handling of user input in command-line and automation tools.
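The following is an added example, not OpenSSH's code: a Python rendering of the two checks the article describes, the pre-patch metacharacter filter next to the patched control-character filter from valid_ruser(), plus a small scanner that flags ProxyCommand lines in an ssh_config that expand %r without the recommended single quotes. The metacharacter list is the one the article quotes and only approximates the real function; the suspicious username is constructed in the shape the article gives.

```python
"""Added example, not OpenSSH's code: a Python rendering of the checks the
article describes. The metacharacter list is the one the article quotes and
only approximates what valid_ruser() rejected before the patch."""
import re

SHELL_META = set(";|()&")      # rejected both before and after the patch

def valid_ruser_old(name):
    """Approximation of the pre-patch check: shell metacharacters only."""
    return bool(name) and not any(c in SHELL_META for c in name)

def valid_ruser_patched(name):
    """Patched behaviour: additionally refuse any control character, which is
    what `if (iscntrl((u_char)s[i])) return 0;` does in C."""
    return valid_ruser_old(name) and not any(
        ord(c) < 0x20 or ord(c) == 0x7F for c in name)

PROXY_LINE = re.compile(r"^\s*ProxyCommand\s+(.*)$", re.IGNORECASE)
BARE_USER = re.compile(r"(?<!')%r(?!')")      # %r not wrapped in single quotes

def unquoted_remote_user(config_text):
    """Return the ProxyCommand lines of an ssh_config that expand %r without
    the single quotes the article recommends ('%r'). Heuristic: it only looks
    for quotes immediately around the token."""
    flagged = []
    for line in config_text.splitlines():
        m = PROXY_LINE.match(line)
        if m and BARE_USER.search(m.group(1)):
            flagged.append(line.strip())
    return flagged

# Constructed username in the shape the article describes: a syntax error on
# the first line followed by a command on the second.
SUSPICIOUS_USER = "$[+]\nsource poc.sh\n"
```

Running `unquoted_remote_user(open(os.path.expanduser("~/.ssh/config")).read())` gives a quick inventory of lines worth quoting before the OpenSSH upgrade lands.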
The article The PoC is online for OpenSSH! Remote Code Execution (RCE) via ProxyCommand comes from il blog della sicurezza informatica.
Festival della Missione: “The face of Creation”, debate with Ronchi, Tossani and Moro. “We are part of a collective destiny” - AgenSIR
“Salvation will be for everyone or it will not be true salvation”, since we are all “missionaries called to co-responsibility”. Gianni Borsa (AgenSIR)
7-Zip vulnerable: exploit via symbolic links allows injecting malicious code
Two critical vulnerabilities in the 7-Zip archiver allowed remote code execution while processing ZIP files. The flaws concern how the program handles symbolic links inside archives, allowing directory traversal and the replacement of system files.
The issues are tracked as CVE-2025-11002 and CVE-2025-11001. In both cases, an attacker simply needs to prepare a ZIP archive with a special structure, including links that point to external directories.
When a vulnerable version of 7-Zip unpacks such an archive, the program follows the link and extracts the content outside the destination folder. This allows the replacement or injection of malicious components into critical areas of the system.
A potential attack could look like this: an archive is created containing an element that refers, for example, to a malicious library in the system32 directory. If such a file is unpacked by a process with administrator privileges, the library is placed in the system directory and can be launched automatically, via a scheduled task or when a required module is loaded. Exploitation does not require elevated privileges; user interaction with the malicious archive is enough.
According to the research teams, the threat is particularly dangerous for enterprise systems where ZIP files are processed automatically, for example during backups, file sharing or the installation of updates. In such scenarios, the injection of arbitrary code could compromise the entire infrastructure.
The 7-Zip developers fixed the vulnerabilities in version 25.00. The update implements strict path checking and blocks symbolic links that extend beyond the extraction directory. The developers were notified on May 2, 2025, with a fix published on July 5 and a public announcement on October 7.
Experts recommend installing the latest version of the program and checking systems that automatically unpack archives. Signs of a compromise can include the presence of unknown libraries or executables in protected directories and the presence of ZIP files with suspiciously long paths.
Keeping software up to date, checking transaction logs and filtering archive contents remain reliable defenses against such attacks.
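As an added example (not 7-Zip's code), the "filter archive contents" advice above can be turned into a pre-extraction audit: it refuses entry names that escape the destination and symbolic-link entries whose target resolves outside it, which are the two conditions the 7-Zip fix enforces. The sample archive is built in memory, and the system directory in the link target is a placeholder name.

```python
"""Added example (not 7-Zip's code): a pre-extraction audit for the two
conditions the fix described above enforces, entry names that escape the
destination and symbolic links whose target points outside it. The sample
archive is constructed in memory; the system directory name is a placeholder."""
import io
import os
import stat
import zipfile

def is_symlink(info):
    """ZIP keeps Unix mode bits in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)

def escapes(dest, relpath):
    """True if dest/relpath resolves outside dest (covers ../ and absolutes)."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, relpath))
    return os.path.commonpath([dest, target]) != dest

def audit_zip(zf, dest):
    """Return (entry_name, reason) pairs a strict extractor should refuse.
    An empty list means every entry and link target stays inside `dest`."""
    findings = []
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        if name.startswith("/") or escapes(dest, name):
            findings.append((info.filename, "name escapes destination"))
            continue
        if is_symlink(info):
            # A symlink entry's "content" is its target path; resolve it from
            # the link's own directory, exactly as the filesystem would.
            target = zf.read(info).decode("utf-8", "replace")
            resolved = os.path.join(os.path.dirname(name), target)
            if os.path.isabs(target) or escapes(dest, resolved):
                findings.append((info.filename, "symlink target escapes: " + target))
    return findings

def build_sample_zip():
    """Constructed archive: a harmless file, a symlink that climbs out of the
    extraction directory, and a plain ../ traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        link = zipfile.ZipInfo("plugins/helper.dll")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../placeholder-system-dir/evil.dll")
        zf.writestr("../outside.txt", "x")
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

The audit does not catch a link to a directory inside `dest` followed by a later entry written through that link; a strict extractor also has to refuse writing through any symlink it created earlier in the same run.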
The article 7-Zip vulnerable: exploit via symbolic links allows injecting malicious code comes from il blog della sicurezza informatica.
New saints: a biography of José Gregorio Hernández, “the doctor of the people”, is coming out
“The first saint of Venezuela”. That is the title of the biography that Manuela Tulli, Vatican correspondent for Ansa, is publishing with the Milan publisher Ares.
Why you should Psychedelicare: Help us promote Psychedelics in healthcare, through an European Citizens’ Initiative.
The European Pirate Party is proud to officially endorse the European Citizens’ Initiative for Psychedelic Assisted Therapy, a campaign calling on the European Commission to support research, access, and responsible regulation of psychedelic-assisted therapy.
Mental health remains one of the most pressing public health challenges of our time. Across Europe, millions of people are struggling with depression, PTSD, anxiety disorders and other mental health conditions. Traditional treatment options do not work for everyone — which is why new, evidence-based approaches are urgently needed.
Psychedelic-assisted therapy has shown strong clinical potential in recent research, but legal barriers, outdated stigma, and lack of harmonized EU policies continue to block progress. This ECI aims to change that by calling for a European strategy to support scientific research, training, and safe access to these therapies under medical supervision.
“This is an important opportunity for the EU to take mental health seriously and to base its decisions on science rather than outdated fear. Psychedelic-assisted therapy offers real hope to many people for whom existing treatments are not enough. Supporting research and responsible regulation is not just sensible policy — it’s a matter of human dignity.”
— Florian Roussel, Chair of the European Pirate Party
The European Pirates stand firmly for evidence-based policy, personal autonomy, and human rights. We believe mental health policy should be guided by scientific evidence and respect for individual choice, not by stigma or fear.
This European Citizens’ Initiative is a unique democratic tool that allows citizens to place issues directly on the EU agenda — but it needs one million signatures to succeed.
Sign the initiative today and help us push the EU toward a modern, rational, and compassionate approach to mental health care. Every signature counts.