


Microreactors and national security. The Pentagon's bet

@Notizie dall'Italia e dal mondo

American military bases on (continental) US territory powered by small modular reactors by autumn 2028. That is the goal of the Janus Program, a joint initiative of the Department of War and the Department of Energy announced by Secretary of the Army Daniel P.



The fake tech-support trap: beware, it's phishing


@Informatica (Italy e non Italy 😁)
An online scam campaign has been uncovered that uses the Microsoft logo in a fake technical-support scheme. The attack relies not so much on technical sophistication as on exploiting trust and fear to gain complete control of the device of the



There is no evidence the Instagram and Facebook account, called Montcowatch, sells anything. Lawyers from the ACLU say the move is "wild outside the scope" of DHS' authority.



DHS Tries To Unmask Ice Spotting Instagram Account by Claiming It Imports Merchandise


The Department of Homeland Security (DHS) is trying to force Meta to unmask the identity of the people behind Facebook and Instagram accounts that post about Immigration and Customs Enforcement (ICE) activity, arrests, and sightings by claiming the owners of the account are in violation of a law about the “importation of merchandise.” Lawyers fighting the case say the move is “wildly outside the scope of statutory authority,” and say that DHS has not even indicated what merchandise the accounts, called Montcowatch, are supposedly importing.

“There is no conceivable connection between the ‘MontCo Community Watch’ Facebook or Instagram accounts and the importation of any merchandise, nor is there any indicated on the face of the Summonses. DHS has no authority to issue these summonses,” lawyers with the American Civil Liberties Union (ACLU) wrote in a court filing this month. There is no indication on either the Instagram or Facebook account that the accounts are selling any type of merchandise, according to 404 Media’s review of the accounts. “The Summonses include no substantiating allegations nor any mention of a specific crime or potential customs violation that might trigger an inquiry under the cited statute,” the lawyers add.


A judge temporarily blocked DHS from unmasking the owners last week.

“The court now orders Meta [...] not to produce any documents or information in response to the summonses at issue here without further order of the Court,” the judge wrote in a filing. The move to demand data from Meta about the identities of the accounts while citing a customs statute shows the lengths to which DHS is willing to go to attempt to shut down and identify people who are posting about ICE’s activities.

Montcowatch is, as the name implies, focused on ICE activity in Montgomery County, Pennsylvania. Its Instagram posts are usually titled “Montco ICE alert” and include details such as where suspected ICE agents and vehicles were spotted, where suspected agents made arrests, or information about people who were detained. “10/20/25 Eagleville,” one post starts. “Suspected dentention [sic] near Ollies on Ridge Pike sometime before 7:50 am. 3 Agents and 3 Vehicles were observed.”

The Instagram account has been posting since June, and also posts information about peoples’ legal rights to film law enforcement. It also tells people to not intervene or block ICE. None of the posts currently available on the Instagram account could reasonably be described as doxing or harassing ICE officials.

On September 11, DHS demanded Meta provide identifying details on the owners of the Montcowatch accounts, according to court records. That includes IP addresses used to access the account, phone numbers on file, and email addresses, the court records add. DHS cited a law “focused on customs investigations relating to merchandise,” according to a filing from the ACLU that pushed to have the demands thrown out.

“The statute at issue here, 19 U.S.C. § 1509, confers limited authority to DHS in customs investigations to seek records related to the importation of merchandise, including the assessment of customs duties,” the ACLU wrote. “Identifying anonymous social media users critical of DHS is not a legitimate purpose, and it is not relevant to customs enforcement.” As the ACLU notes, a cursory look at the accounts shows they are “not engaged in commerce.” The court record points to a 2017 Office of the Inspector General report which says Customs and Border Protection (CBP) “regularly” tried much the same thing with its own legal demands, and specifically around the identity of an anonymous Twitter user.

“Movant now files this urgent motion to protect their identity from being exposed to a government agency that is apparently targeting their ‘community watch’ Facebook and Instagram accounts for doing nothing more than exercising their rights to free speech and association,” those lawyers and others wrote last week.

“Movant’s social media pages lawfully criticize and publicize DHS and the government agents who Movant views as wreaking havoc in the Montgomery County community by shining a light on that conduct to raise community members’ awareness,” they added.

The judge has not yet ruled on the ACLU’s motion to quash the demands altogether. This is a temporary blockage while that case continues.

The Montcowatch case follows other instances in which DHS has tried to compel Meta to identify the owners of similar accounts. Last month a judge temporarily blocked a subpoena that was aiming to unmask Instagram accounts that named a Border Patrol agent, The Intercept reported.

Earlier this month Meta took down a Facebook page that published ICE sightings in Chicago. The move came in direct response to pressure from the Department of Justice.

Both Apple and Google have removed apps that people use to warn others about ICE sightings. Those removals also included an app called Eyes Up that was focused more on preserving videos of ICE abuses. Apple’s moves also came after direct pressure from the Department of Justice.

Montcowatch directed a request for comment to the ACLU of Pennsylvania, which did not immediately respond.




Making WiFi Sound Like Dial-Up Internet


Dial-up modems had a distinctive sound when connecting, with the glittering, screeching song becoming a familiar melody to those jumping online in the early days of the Internet. Modern digital connections don’t really have an analog to this, by virtue of being entirely digital. And yet, [Nick Bild] decided to make WiFi audible in a pleasing tribute to the modems of yore.

The reason you could hear your dial-up modem is because it was actually communicating in audio over old-fashioned telephone lines. The initialization process happened at a low enough speed that you could hear individual sections of the handshake that sounded quite unique. Ultimately, though, once a connection was established at higher speed, particularly 33.6 k or 56 k, the sound of transmission became hard to discern from static.

Modern communication methods like Ethernet, DSL, and WiFi all occur purely digitally — and in frequencies far above the audible range. Thus, you can’t really “listen” to a Wi-Fi signal any more than you can listen to the rays of light beaming out from the sun. However, [Nick] found an anachronistic way to make a sound out of WiFi signals that sounds vaguely reminiscent of old-school modems. He used a Raspberry Pi 3 equipped with a WiFi adapter, which sniffs network traffic, homing in on data going to one computer. The packet data is then sent to an Adafruit QT Py microcontroller, which uses the data to vary the amplitude of a sound wave that’s then fed to a speaker through a digital-to-analog converter. [Nick] notes this mostly just sounds like static, so he adds some adjustments to the amplitude and frequency to make it more reminiscent of old modem sounds, but it’s all still driven by the WiFi data itself.

It’s basically WiFi driven synthesis, rather than listening to WiFi itself, but it’s a fun reference to the past. We’ve talked a lot about dial-up of late; from the advanced technology that made 56 k possible, to the downfall of AOL’s long-lived service. Video after the break.



hackaday.com/2025/10/24/making…




Open letter: civil-rights organisations insist on the independence of the Irish data protection authority


netzpolitik.org/2025/offener-b…



Obesity, Aifa president Robert Nisticò to TPI: “Prevention is a duty of the State”


@Politica interna, europea e internazionale
President Nisticò, with the approval of the Pella Law, Italy is the first and only country in the world to have a law on the prevention and treatment of obesity. What does it entail? «Obesity is a genuine disease, very



Collins Aerospace: Everest's voice on a perfect storm. Let's reconstruct the facts


@Informatica (Italy e non Italy 😁)
It is often said that truth is the first casualty of war, and in the confused landscape of cybersecurity this maxim resonates with sinister frequency. What hit Collins Aerospace in September 2025 was not a simple




Forza Italia deputy Roberto Pella to TPI: “My law against obesity? It looks to tomorrow”


@Politica interna, europea e internazionale
Hon. Pella, Italy is the first country in the world to recognise obesity as a disease, thanks to the recently approved law of which you are the first signatory. «It is a source of great satisfaction. Undoubtedly each of us is pleased



This Week in Security: Court Orders, GlassWorm, TARmageddon, and It was DNS


This week, a US federal court has ruled that NSO Group is no longer allowed to use Pegasus spyware against users of WhatsApp. And for their trouble, NSO was also fined $4 million. It’s unclear how much this ruling will actually change NSO’s behavior, as it intentionally stopped short of applying to foreign governments.

There may be an unexpected source of leverage the US courts can exert over NSO, with the news that American investors are acquiring the company. Among the requirements of the ruling is that NSO cannot reverse engineer WhatsApp code, cannot create new WhatsApp accounts, and must delete any existing WhatsApp code in their possession. Whether this actually happens remains to be seen.

Points On the Curve


Cryptography is hard. Your implementation can do everything right, and still have a weakness. This was demonstrated yet again in the Cloudflare CIRCL cryptography library. The issue here is a Diffie-Hellman scheme using the FourQ elliptic curve.

Quick review: Diffie-Hellman is a technique where Alice and Bob exchange public keys, combine the received public key with their own private key, and arrive at the same shared secret. On an elliptic curve, the private key is a scalar, and the public key is a standard generator point multiplied by that scalar. After the public points are exchanged, Alice and Bob each multiply the received point by their own secret scalar. Because scalar multiplication commutes (a·(b·G) = b·(a·G)), both arrive at the same point.

There is a catch that can cause problems. Not every value a peer sends is a valid point on the curve, and doing calculations with these invalid points can lead to unusual results. The danger here isn’t remote code execution (RCE), but leaking information about the private key when a calculation is performed on an invalid point.

The CIRCL library had a couple of instances where invalid points could be used. There’s a quirk of deserializing FourQ points: the x value can be interpreted two ways, essentially a positive or a negative x. The CIRCL logic attempts to deserialize an incoming point one way, and if that point is not actually on the curve, the value is inverted (technically “conjugated”), and the new point is accepted without testing. There were a few other similar cases where points weren’t being validated. These flaws were reported to Cloudflare and fixed earlier this year.
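To make the invalid-point danger concrete, here is an added example (this editor's code, not CIRCL's) on a tiny constructed curve over GF(103). It shows the on-curve check that must not be skipped after flipping the sign of a coordinate during decompression, and walks through the classic invalid-curve attack: a peer sends points that lie on a different curve with a small group order, an implementation that does not validate them multiplies anyway, and its private scalar leaks modulo each small order and is reassembled with the Chinese remainder theorem. FourQ is a twisted Edwards curve over GF(p^2) with its own decompression rules; the curve, the private scalar and the point search below are assumptions chosen to keep the arithmetic small, and the `decompress`, `unvalidated_dh` and `validated_dh` names are this example's own.

```python
"""Invalid-curve attack on unvalidated elliptic-curve Diffie-Hellman, and the
checks that stop it.  Added example, not Cloudflare CIRCL code: the curve is a
tiny constructed short-Weierstrass curve over GF(103), whereas FourQ is a
twisted Edwards curve over GF(p^2) with its own decompression, so this shows
the class of bug rather than FourQ arithmetic."""
from math import gcd, prod

P_MOD, A, B = 103, 2, 3   # constructed curve y^2 = x^3 + A*x + B (mod 103)
INF = None                # point at infinity
D_PRIVATE = 77            # constructed private scalar of the victim


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Group law.  The slope uses A but never B, so a point taken from some
    other curve y^2 = x^3 + A*x + b' still 'works' in this arithmetic."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, cur = INF, pt
    while k:
        if k & 1:
            acc = add(acc, cur)
        cur = add(cur, cur)
        k >>= 1
    return acc


def decompress(x, sign_bit):
    """Rebuild (x, y) from x and a parity bit.  P_MOD % 4 == 3, so the root is
    one exponentiation.  The final check is the step CIRCL skipped after
    flipping the sign: negating y never rescues an x that has no root."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if y * y % P_MOD != rhs:
        return None                       # no point on the curve has this x
    if (y & 1) != sign_bit:
        y = (-y) % P_MOD
    return (x, y)


def unvalidated_dh(peer_pub):
    """Vulnerable: multiplies whatever point the peer sent."""
    return mul(D_PRIVATE, peer_pub)


def validated_dh(peer_pub):
    """Fixed: reject the identity and anything that is not on the curve."""
    if peer_pub is INF or not on_curve(peer_pub):
        raise ValueError("peer public key is not a valid curve point")
    return mul(D_PRIVATE, peer_pub)


def order(pt, cap=20):
    """Smallest n <= cap with n*pt == INF, or None if it is larger."""
    acc, n = pt, 1
    while acc is not INF:
        if n >= cap:
            return None
        acc = add(acc, pt)
        n += 1
    return n


def small_order_points(bound):
    """Attacker: scan for off-curve points of small order on their own curve,
    keeping pairwise coprime orders until their product exceeds bound (the
    largest possible private scalar).  Only feasible at this toy size."""
    found = {}
    for x in range(P_MOD):
        for y in range(P_MOD):
            q = (x, y)
            if on_curve(q):
                continue
            n = order(q)
            if n is None or any(gcd(n, m) != 1 for m in found):
                continue
            found[n] = q
            if prod(found) > bound:
                return found
    return found


def recover_private_scalar(dh_oracle, points):
    """Attacker: learn D mod n from each small-order point, combine by CRT."""
    x, m = 0, 1
    for n, q in points.items():
        shared = dh_oracle(q)
        r = next(t for t in range(n) if mul(t, q) == shared)
        x += m * ((r - x) * pow(m, -1, n) % n)
        m *= n
    return x % m
```

The attack works because the addition formulas never touch the curve constant b, so a point from y^2 = x^3 + a·x + b' is processed without complaint and the victim's scalar multiple of it reveals the scalar modulo that point's small order. Checking `on_curve` (and the square-root check inside `decompress`) before any scalar multiplication is what closes it; the scan for small-order points over the whole field only works at this toy size, but for real curves the attacker simply precomputes such points.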

GlassWorm


We recently covered Shai Hulud, an npm worm that actively uploaded itself into other npm libraries when it found valid credentials on compromised computers. It was something of a sea change in the world of library security. Now, a month later, we have GlassWorm, a VSCode extension worm.

GlassWorm combines several very sneaky techniques. When it injects code into an extension, that code is hidden with Unicode shenanigans, rendering in VSCode as blank lines. Once this malicious VSCode extension is loaded, it reaches out to some interesting Command and Control (C2) infrastructure: the Solana blockchain is used as a sort of bulletproof DNS, hosting a C2 IP address. There’s a second, almost equally weird C2 mechanism: hosting those IP addresses in entries on a public Google Calendar.

Once this malware is running, it harvests credentials, and if it gets a chance, injects itself into the code of other extensions and tries to publish them. It also turns the compromised machine into a “Zombi”, part of a botnet, but also working as a RAT (Remote Access Trojan). All told, it’s really nasty malware, and seems to indicate a shift towards these meta-worms that are intended to infiltrate Open Source software repositories.
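As an added example (not GlassWorm's or VS Code's code), the following scanner flags source lines that carry invisible Unicode, the hiding technique described above, and reports whether a line renders as blank once those characters are removed. The set of "invisible" ranges is this editor's choice, and the sample extension source is constructed:

```python
"""Scanner for invisible Unicode in source files, the hiding trick described
for GlassWorm.  Added example, not GlassWorm or VS Code code: the code point
ranges are this editor's list of characters that render as nothing in most
editors, and the sample extension source is constructed."""
import unicodedata

# Ranges most editors draw as empty or zero width (editor's selection).
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM, RLM
    (0x2028, 0x202E),    # line/paragraph separators, bidi embeddings
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"   # any other format control


def scan_source(text):
    """Return (line_no, hidden_count, looks_blank) for each line that carries
    invisible code points; looks_blank means nothing visible remains, which
    is how a payload line shows up in the editor."""
    findings = []
    # Split on "\n" rather than splitlines(): U+2028/U+2029 are themselves
    # suspects and must not be allowed to renumber the lines.
    for no, line in enumerate(text.split("\n"), start=1):
        hidden = sum(1 for ch in line if is_invisible(ch))
        if hidden:
            visible = "".join(ch for ch in line if not is_invisible(ch)).strip()
            findings.append((no, hidden, visible == ""))
    return findings


def strip_invisible(text):
    """Normalised copy, useful for diffing against what the editor shows."""
    return "".join(ch for ch in text if not is_invisible(ch))


# Constructed sample: four bytes hidden as variation selectors on a line
# that renders blank, plus a stray zero-width space inside a string.
HIDDEN = "".join(chr(0xFE00 + (b % 16)) for b in b"evil")
SAMPLE_EXTENSION = "\n".join([
    "const vscode = require('vscode');",
    HIDDEN,
    "function activate(context) {",
    "  console.log('hello\u200b');",
    "}",
])
```

Run `scan_source` over every file an extension ships (including minified bundles) and treat any line that is visually blank but non-empty as a finding; a pre-publish hook that refuses such files is cheap and would have made this hiding trick visible.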

Speaking of npm, GitHub has begun making security enhancements in response to the Shai Hulud worm. These look like good changes: the deprecation of classic access tokens in favor of shorter-lived, granular tokens; TOTP (Time-based One-Time Password) going away as a second factor of authentication, in favor of passkeys and similar; and finally, npm encouraging publishers to do away with long-lived access tokens altogether and publish strictly from CI/CD systems.

TARmageddon


We’ve cheered on the progress of the Rust language and its security wins, particularly in the realm of memory safety. But memory management is not the only cause of security issues. The async-tar Rust package had a parsing bug that allowed a .tar file to smuggle additional contents that were not seen by the initial validation step.

That has all sorts of potential security ramifications, like smuggling malicious files, bypassing filters, and more. But what’s really interesting about this particular bug is that it’s been around since the first release of the package, and async-tar has been forked into many other published packages, some of which are in use but no longer maintained. This has turned what should have been a simple fix into a mess, and the popular tokio-tar is still unfixed.
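The following added example (this editor's Python, not async-tar's Rust) shows the shape of such a smuggling bug with a hand-built archive: two walkers that differ only in which size field they trust see different entry lists. It models the mechanism reported for the async-tar bug, a PAX extended header and the ustar header disagreeing about one entry's size, as this editor understands it; the post above does not detail the trigger, and the archive bytes are constructed here, not taken from a real exploit.

```python
"""Two tar walkers that disagree about where an entry ends, the kind of
desync behind the async-tar bug.  Added example, not async-tar code.  It
models the mechanism reported for that bug (a PAX extended header and the
ustar header giving different sizes for one entry) as this editor
understands it; the archive bytes are constructed, not from a real exploit."""
BLOCK = 512


def _pad(data):
    return data + b"\0" * (-len(data) % BLOCK)


def ustar_header(name, size, typeflag=b"0"):
    """Minimal POSIX ustar header with a valid checksum."""
    h = bytearray(BLOCK)
    h[0:100] = name.encode().ljust(100, b"\0")
    h[100:108] = b"0000644\0"                      # mode
    h[108:116] = h[116:124] = b"0000000\0"         # uid, gid
    h[124:136] = f"{size:011o}".encode() + b"\0"   # size, octal
    h[136:148] = b"00000000000\0"                  # mtime
    h[148:156] = b" " * 8                          # checksum is summed over spaces
    h[156:157] = typeflag
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[148:156] = f"{sum(h):06o}".encode() + b"\0 "
    return bytes(h)


def pax_header(size):
    """PAX 'x' header carrying one 'size' record for the entry that follows."""
    rec = f"size={size}\n"
    length = len(rec) + 3                          # "NN " prefix, widened if needed
    while len(f"{length} {rec}") != length:
        length += 1
    body = f"{length} {rec}".encode()
    return ustar_header("PaxHeaders/data.bin", len(body), b"x") + _pad(body)


def walk(archive, honor_pax):
    """List (name, data) entries.  honor_pax chooses which size field wins
    when a PAX record and the ustar header disagree."""
    entries, off, pax_size = [], 0, None
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            break
        name = hdr[0:100].split(b"\0", 1)[0].decode()
        size = int(hdr[124:136].rstrip(b"\0 ") or b"0", 8)
        typeflag = hdr[156:157]
        off += BLOCK
        if typeflag == b"x":
            body = archive[off:off + size]
            off += len(_pad(body))
            for rec in body.split(b"\n"):
                if b" " in rec and b"=" in rec:
                    key, val = rec.split(b" ", 1)[1].split(b"=", 1)
                    if key == b"size":
                        pax_size = int(val)
            continue
        if honor_pax and pax_size is not None:
            size = pax_size
        pax_size = None
        body = archive[off:off + size]
        off += len(_pad(body))
        entries.append((name, body))
    return entries


def build_smuggling_archive():
    """Constructed archive: PAX says data.bin is 1024 bytes, ustar says 0.
    A parser that trusts ustar lands on the payload's embedded header and
    'discovers' evil.sh, which the PAX-aware validator never listed."""
    script = b"#!/bin/sh\necho smuggled\n"
    smuggled = ustar_header("evil.sh", len(script)) + _pad(script)
    return (pax_header(len(smuggled))
            + ustar_header("data.bin", 0)
            + smuggled
            + b"\0" * (2 * BLOCK))


def desync_detected(archive):
    """Validator-side guard: refuse any archive on which the two readings of
    the entry boundaries disagree, rather than validating with one reading
    and extracting with the other."""
    def names(pax):
        return [n for n, _ in walk(archive, honor_pax=pax)]
    return names(True) != names(False)
```

The defence is one size resolution shared by every pass over the archive, so that whatever the validator listed is exactly what the extractor writes; `desync_detected` is the cheap fallback when the extractor is a dependency you cannot patch (which, with the unmaintained forks mentioned above, is the situation many projects are in).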

It Was DNS


You probably noticed that the Internet was sort of a dumpster fire on Monday — more than normal. Most of the world, it seems, runs on Amazon’s AWS, and when AWS goes down, it’s surprising what else fails. There were the normal sites and services down, like Reddit, Signal, Fortnite, and Prime Video. It was a bit of a surprise that some banks were down and flights delayed. And then there were IoT devices, like smart beds, litter boxes, and smart bulbs.

And the problem, naturally, was DNS. It’s always DNS. Specifically, Amazon has pinned the outage on “…a latent race condition in the DynamoDB DNS management system that resulted in an incorrect empty DNS record…”. This bad record brought down other services that relied on it, and it didn’t take long for the problem to spin out of control.

Bits and Bytes


There’s even more DNS, with [Dan Kaminsky]’s infamous cache poisoning making an unwelcome comeback. DNS has historically run over UDP, and the Kaminsky attack exploited the fact that a resolver accepts any response whose 16-bit transaction ID matches the outstanding query; nothing else authenticates the answer. The mitigation was to also randomize the port a request is sent from, requiring the matching response to arrive at that same port, which roughly doubles the number of bits an attacker has to guess. What’s new here is that the Pseudo Random Number Generator (PRNG) in BIND has a weakness that could have allowed those port values to be predicted.
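Why the quality of that PRNG matters, as an added example: the resolver below draws its source ports from a constructed weak generator (a truncated LCG, not BIND's generator, whose actual weakness the post does not describe), so an attacker who has observed two ports can brute-force the hidden state, predict every later port, and is back to racing the 16-bit transaction ID alone. The simulation is seeded only to be repeatable and the numbers are illustrative; `WeakPortSource`, `StrongPortSource` and `poisoning_race` are this example's own names.

```python
"""Why a predictable PRNG behind source-port randomisation re-opens Kaminsky
style cache poisoning.  Added example, not BIND code: the resolver below
draws ports from a constructed truncated LCG, not from BIND's generator, and
the figures are illustrative."""
import random
import secrets

# Constructed weak generator: 32-bit LCG, the port is the top 16 bits of the
# state, so an observer sees half the state and must guess the other half.
LCG_A, LCG_C, MASK32 = 1664525, 1013904223, 0xFFFFFFFF


class WeakPortSource:
    def __init__(self, seed):
        self.state = seed & MASK32

    def next_port(self):
        self.state = (LCG_A * self.state + LCG_C) & MASK32
        return self.state >> 16


class StrongPortSource:
    """What a resolver should use: each port is independent of the last."""
    def next_port(self):
        return secrets.randbelow(1 << 16)


def recover_state(p1, p2):
    """Attacker: given two consecutive observed ports, brute-force the hidden
    16 bits and return every state consistent with both observations."""
    hits = []
    for low in range(1 << 16):
        s = (p1 << 16) | low
        s_next = (LCG_A * s + LCG_C) & MASK32
        if s_next >> 16 == p2:
            hits.append(s_next)
    return hits


def poisoning_race(trials, budget, attacker_predicts, seed=1):
    """Simulate races.  Per query the resolver picks a port and a 16-bit
    txid; the attacker sends `budget` forged replies with sequential txids
    to each port it considers possible, and a reply lands only if both
    match.  The attacker first triggers two queries to a nameserver it
    controls to observe ports, recovers the generator state once and tracks
    it from then on; `seed` only makes the simulation repeatable."""
    rng = random.Random(seed)
    resolver = WeakPortSource(rng.getrandbits(32))
    p1, p2 = resolver.next_port(), resolver.next_port()
    shadows = [WeakPortSource(s) for s in recover_state(p1, p2)] if attacker_predicts else []
    wins = 0
    for _ in range(trials):
        port, txid = resolver.next_port(), rng.getrandbits(16)
        guesses = {w.next_port() for w in shadows} or {rng.getrandbits(16)}
        if port in guesses and txid < budget:
            wins += 1
    return wins
```

With the port predicted, a budget of 16384 forged replies wins roughly one race in four; without the prediction the attacker must also hit one port in 65536, and the same budget almost never lands. That ratio is the entire value of port randomisation, and it disappears the moment the generator can be run forward by an observer.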

TP-Link’s Omada gateways had a pair of vulnerabilities that allowed RCE. The more serious of the two didn’t require any authentication. No word on whether this flaw was accessible from the WAN interface by default. Patched firmware is now available.

The better-auth library patched an issue early this month that allowed the createApiKey endpoint to run without authRequired set to true, simply by providing a valid user ID. The bug had been in the library ever since API keys were added to the project. The fix landed in 1.3.26.
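The pattern, as an added Python illustration rather than better-auth's own TypeScript: a handler that lets a userId in the request body stand in for a session, beside a version that only honours a caller-chosen user ID on the trusted server-side path. The `Request` shape, the `from_server` flag (standing in for the endpoint's no-session server-side mode) and `KeyStore` are this example's assumptions.

```python
"""An API-key creation handler that can be invoked for any user by supplying
that user's ID without a session, beside the corrected version.  Added
example in Python, not better-auth code (better-auth is a TypeScript library
and its internals are not reproduced here); the request shape and the
from_server flag are assumptions."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Request:
    body: dict
    session_user: Optional[str] = None   # set by auth middleware from a valid session
    from_server: bool = False            # True only for trusted in-process calls


@dataclass
class KeyStore:
    owner_of: dict = field(default_factory=dict)   # api key -> user id


class Forbidden(Exception):
    pass


def _mint(store, user):
    key = secrets.token_urlsafe(24)
    store.owner_of[key] = user
    return key


def create_api_key_vulnerable(req, store):
    """Bug pattern: a body-supplied userId is accepted in place of a session,
    so an unauthenticated client can mint a key bound to any user."""
    user = req.session_user or req.body.get("userId")
    if not user:
        raise Forbidden("no user")
    return _mint(store, user)


def create_api_key_fixed(req, store):
    """Fix: only trusted server-side callers may name the user; every other
    request needs a session, and the key is bound to the session's user no
    matter what the body says."""
    if req.from_server:
        user = req.body.get("userId")
    else:
        user = req.session_user            # body userId deliberately ignored
    if not user:
        raise Forbidden("authentication required")
    return _mint(store, user)
```

The test worth keeping in any such code base is the second one below: an anonymous request carrying someone else's ID must be refused, and an authenticated request carrying someone else's ID must yield a key bound to the session, not to the body.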

And for bonus points, go check out the ZDI post on Pwn2Own Ireland, that just wrapped. There were lots of IoT hacks, including at least one instance of Doom running on a printer. Summoning Team took the Master of Pwn award, nearly doubling the points earned by second place. Congrats!


hackaday.com/2025/10/24/this-w…




No flesh, no bones, just code! The first AI presenter arrives on Channel 4


On Monday 20 October, Channel 4 broadcast a complete documentary hosted by a television presenter created entirely by artificial intelligence.

“I am not real. For the first time on a British television broadcast, I am in fact an AI presenter. Some of you will already have worked it out,” the presenter reveals at the end of the show.

Channel 4's AI host was produced by an AI marketing agency that used prompts to create a digital human.

The documentary Will AI Take My Job? examined precisely whether artificial intelligence could outperform professionals in fields such as medicine, law and fashion photography.

Artificial intelligence is everywhere, from social media feeds to television programmes, and increasingly in streaming video entertainment too.

For example, in its quarterly letter to shareholders, Netflix highlighted the “significant opportunity” it sees in using generative artificial intelligence.

The streaming giant gave some examples it is proud of, such as de-ageing the characters in the opening flashback scene of Happy Gilmore 2 and pre-production work to explore wardrobe and set ideas for Billionaire's Bunker. The company also wants to use artificial intelligence to test new advertising formats.

“We are giving creators a wide range of GenAI tools to help them realise their visions and deliver even more impactful titles for their subscribers,” Netflix said in the letter.

Netflix also announced that it is testing a beta version of a “conversational search experience” that will let you use natural language to explore its catalogue of films and TV programmes that might interest you.

The company kept up the cheerleading during the earnings call with analysts. “We're confident that AI will help us and our creative partners tell stories better, faster and in new ways: we're all in,” Netflix CEO Ted Sarandos told CNBC.

Sarandos added that artificial intelligence can improve content production, but “it can't automatically make you a good storyteller if you're not one”.

And meanwhile, between lawsuits and the low-quality content it produces, artificial intelligence is starting to present the programmes. As usual, we are in for quite a show.

The article No flesh, no bones, just code! The first AI presenter arrives on Channel 4 comes from Red Hot Cyber.



Robot Phone Home…Or Else


We would have enjoyed [Harishankar’s] tear down of a robot vacuum cleaner, even if it didn’t have a savage twist at the end. Turns out, the company deliberately bricked his smart vacuum.

Like many of us, [Harishankar] is suspicious of devices beaming data back to their makers. He noted that a new vacuum cleaner was pinging a few IP addresses, including one that was receiving logging or telemetry data frequently. Of course, he had the ability to block the IP address, which he did. End of story, right?

No. After a few days of working perfectly, the robot wouldn’t turn on. He returned it under warranty, but the company declared it worked fine. They returned it and, indeed, it was working. A few days later, it quit again. This started a cycle of returning the device where it would work, it would come home and work for a few days, then quit again.

You can probably guess where this is going, but to be fair, we gave you a big hint. The fact that it would work for days after blocking the IP address wouldn’t seem like a smoking gun in real time.

The turning point was when the company refused to have any further service on the unit. So it was time to pull out the screwdriver. Inside was a dual-CPU AllWinner SoC running Linux and a microcontroller to run the hardware. Of course, there were myriad sensors and motors, too. The same internals are used by several different brands of vacuum cleaners, so these internals aren’t just one brand.

Essentially, he wrote his own software to read all the sensors and drive all the motors using his own computers, bypassing the onboard CPU. But he found one thing interesting. The Android Debug Bridge was wide open on the Linux computer. Sort of.

The problem was, you could only get in a few seconds after booting up. After that, it would disconnect. A little more poking fixed that. The software stack was impressive, using Google Cartographer to map the house, for example.

But what wasn’t impressive was the reason for the repeated failures. A deliberate command was sent to kill the robot when it quit phoning home with telemetry. Of course, at the service center, it was able to report and so it worked fine.

The hardware and the software are impressive. The enforcement of unnecessary data collection is not. It does, however, make us want to buy one of these just for the development platform. [Harishankar] has already done the work to make it useful.

It isn’t just vacuums. Android phones spew a notorious amount of data. Even your smart mattress — yes, there are smart mattresses — can get into the act.


hackaday.com/2025/10/24/robot-…



DC Comics takes a stand: “no generative artificial intelligence”


DC Comics has definitively stated its position on generative artificial intelligence: no involvement of machines in storytelling or illustration.

The announcement was made by the company's president Jim Lee during a talk at New York Comic Con. He said that as long as the leadership stays the same, the focus will be exclusively on human creativity. He stressed that comics fans particularly value sincerity and intuitively recognise what is fake.

The company has long required that all images be drawn by hand by artists, but in the past there have been allegations of generative models being used on some variant covers.

Those cases triggered a furious reaction from the community, worried that automation could replace the work of writers and illustrators. In response, DC withdrew the controversial covers and, according to observers, tightened its restrictions to prevent similar incidents in future.

Representatives of the publisher also stressed that creating characters is more than a mere technical process. Lee noted that fan fiction remains part of the culture, but the real strength of heroes like Superman lies in their place in the established DC universe, with its mythology and its continuity.

This, according to the company's chief executive, is what keeps the characters recognisable across the decades and allows them to remain relevant in the future too.

In a world where algorithms are increasingly taking over the role of creators, DC Comics' position is a reminder: art is alive as long as there is human breath in it.

The article DC Comics takes a stand: “no generative artificial intelligence” comes from Red Hot Cyber.



The space economy, strategic supply chains and the role of SMEs. Interview with Jacopo Recchia (Aviorec)

@Notizie dall'Italia e dal mondo

The aerospace and defence sector is going through a rapid and complex transformation. New technologies, increasingly integrated supply chains and the central role of SMEs in the national industrial chain outline a constantly evolving landscape.