... mi sembra di tornare nella new wave dei migliori anni '80...

invidious.reallyaweso.me/watch…

After a bit too much eggnog, Elliot Williams and Al Williams got together to see what Hackaday had been up to over the holiday. Turns out, quite a bit. There was a lot to cover, but the big surprise was the “What’s that Sound” competition. Do you know who had the correct answer from the last show? No one! So they guys did the right thing and drew from all the entrants for a coveted Hackaday Podcast T-shirt.

Back to the hacks, you’ll hear about USB-C and the EU, what to do when the Kickstarter product you had your heart set on doesn’t deliver, and a very strange way to hack some power grids wirelessly.

If you are interested in physics cameras, modifying off-the-shelf gear, or a fresh approach to color 3D printing, they’ll talk about that, too. Finally, you can find out what Tom Nardi thought of Hackaday in the year past, and if your next ocean voyage will have to stop for a charge.

html5-player.libsyn.com/embed/…
Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Download the MP3 full of optimism for 2025 resolutions.

Episode 302 Show Notes:

News:

• When The EU Speaks, Everyone Charges The Same Way

What’s that Sound?

• Congrats to [Henré Botha] for winning the dice roll. We’ll have to do whale sounds someday!
  
  • 52-hertz whale – Wikipedia

  
  

Interesting Hacks of the Week:

• Beam Me Up: Simple Free-Space Optical Communication
  
  • Gigabit Ethernet Through The Air
  • Hackaday Superconference 2017 – Michael Ossmann & Dominic Spill
  • Getting Started With GNU Radio

  
  

• Doomscroll Precisely, And Wirelessly
  
  • Classical VCR Head Jog Wheel

  
  

• 38C3: Taking Down The Power Grid Over Radio
• Ball Nut Modification Charts A Middle Course Between Building And Buying
  
  • Rolling Your Own Ball Screws
  • Improving Cheap Ball Screws
  • Mechanisms: Lead Screws And Ball Screws

  
  

• Taking “Movies” Of Light In Flight
  
  • Photoresistor-based Single Pixel Camera

  
  

• Full Color 3D Printing With PolyDye And Existing Inkjet Cartridges
  
  • Sprite_TM’s Magic Paintbrush

  
  

Quick Hacks:

• Elliot’s Picks
  
  • Protect Your Site With A DOOM Captcha
  • 2024 Brought Even More Customization To Boxes.py
  • VPlayer Puts Smart Display In Palm Of Your Hand

  
  

• Al’s Picks:
  
  • Wire Rope: Never Saddle A Dead Horse
  • Circuit Secrets: Exploring A $5 Emergency Light
  • Creating A Mechanical Qubit That Lasts Longer Than Other Qubits

  
  

Can’t-Miss Articles:

• 2024: As The Hardware World Turns
• Battery-Electric Ships: Coming Soon To A Harbor Near You?

hackaday.com/2025/01/03/hackad…

Despite initial interest in the 1990s and early 2000s, palmtop computers never really took off. Realistically most consumers were probably satisfied enough with smartphones as they became more widely available, but those of us who would prefer a real keyboard on our mobile devices are still feeling the pain. Today there are still a few commercial palmtop-like machines out there, but they aren’t exactly mainstream.

Which is why this 3D printed case for the Pixel 6 Pro from [TypingCat] is so interesting. It takes a relatively popular and capable contemporary phone, pairs it with a physical keyboard, and manages to create something that looks quite practical. Thanks to Termux, you can even get a fairly usable Linux environment going on the thing.

There aren’t too many components at play here, but still, we appreciate the fact that [TypingCat] provided links for not only the specific Bluetooth keyboard used, but the fasteners required to hold the three printed parts together. A link is also provided to the Termux-Desktops project, which allows you to get a Linux X11 desktop environment running on Android. It’s not the pocket Linux computer of our dreams, but it’s pretty close.

While the Pixel 6 Pro is a solid enough choice to base this project around, we’re interested in seeing if the community will come up with variants of this case to hold other similarly sized phones. It’s interesting to note that [TypingCat] has decided to use the “No Derivatives” variant of the Creative Commons license for the bottom half of the case. But since the top half is a remix of an existing Pixel 6 Pro case from [JoshCraft3D], it carries a more permissive license and must be distributed separately. Long story short, folks can create and distribute custom versions of the phone-side of this case, but the bottom needs to remain the same.

If you’ve got filament to burn extrude and would rather have a more pure Linux experience, we saw a printable Raspberry Pi Zero palmtop a couple months back that looked quite promising.

hackaday.com/2025/01/03/3d-pri…

Il lento ma costante calo di feriti e incidenti stradali era già stato segnalato in autunno dall’ISTAT, malgrado ciò il Governo ha deciso di inasprire le pene e creare nuovi motivi per imporre pesanti sanzioni. Tra queste c’è la guida sotto effetto di sostanze stupefacenti, una misura che nei casi più gravi punisce con la sospensione della patente fino a tre anni. Per essere sanzionati basta che i test fatti nel momento del fermo, fermo da posto di blocco e non da infrazioni del codice della strada, segnalino presenze di principi psicoattivi. La scienza ci dice che, paradossalmente, i principi attivi più leggeri, come quelli della cannabis, restano nell’organismo molto più a lungo di quelli di sostanze più potenti.

A fronte dell’antiscientificità, e probabile anti-costituzionalità, della misura, il Ministro Salvini si congratula con le forze dell’ordine perché, tra le altre cose, le 27.200 pattuglie sguinzagliate in giro per l’Italia hanno fermato otto, dicasi otto, persone ritenute in guida sotto l’influenza di “stupefacenti”, una ogni 3400 nuclei della stradale.

Non è stato reso noto quali altre eventuali violazioni del codice della strada siano state imputate alle otto persone. Inoltre, sono 6287 i conducenti sottoposti a etilometri e precursori (in ulteriore approssimazione bisognerebbe capire se tutti sottoposti ad entrambi), il che farebbe lo 0,12% (peraltro di un campione selezionato a monte).

Uno dei problemi delle leggi italiane, specie quelle in materia penale, è che non esistono meccanismi che ne consentano la verifica dell’efficacia del loro impatto perché questo nuovo codice della strada sarebbe il classico esempio di come la realtà sia radicalmente distante dalle norme e chi le impone”

L'articolo Capodanno 2025, otto sanzioni per guida sotto l’effetto di stupefacenti non possono essere un successo proviene da Associazione Luca Coscioni.

Claroty’s TEAM82 has a report on a new malware strain, what they’re calling IOCONTROL. It’s a Linux malware strain aimed squarely at embedded devices. One of the first targets of this malware, surprisingly, is the Iraeli made Orpak gas station pumps. There’s a bit of history here, as IOCONTROL is believed to be used by CyberAv3ngers, a threat actor aligned with Iran. In 2023 a group aligned with Israel claimed to have compromised the majority of the gas stations in Iran. IOCONTROL seems to have been deployed as retribution.

There are a few particularly interesting aspects of this malware, and how TEAM82 went about analyzing it. The first is that they used unicorn to emulate the obscure ARM platform in question. This was quite an adventure, as they were running the malicious binary without the normal Linux OS under it, and had to re-implement system calls to make execution work. The actual configuration data was encrypted as the data section of the executable, presumably to avoid simple string matching detection and analysis.

Then to communicate with the upstream command and control infrastructure, the binary first used DNS-Over-HTTPS to resolve DNS addresses, and then used the MQTT message protocol for actual communications. Once in place, it has the normal suite of capabilities, like code execution, cleanup, lateral scanning, etc. An interesting speculation is that the level of control this malware had over these gas pumps, it was in a position to steal credit card information. This malware family isn’t limited to gas pumps, either, as it’s been spotted in IoT and SCADA devices from a whole host of vendors.

Bit-unlocker

We have another attack against TPM backed Bitlocker full disk encryption. The idea here is that by default Bitlocker uses an encryption key provided by the system’s Trusted Platform Module (TPM). Unless the user intentionally turns on Bitlocker PIN, this key from the TPM is the only credential needed to decrypt the drive, and is automatically provided at boot time. We’ve covered one attack against Bitlocker, where the key is sniffed while it’s being transferred from the external TPM. The conclusion as of that coverage was that a firmware TPM saves you from this attack, since there’s no accessible bus to sniff data from.

Well. There’s another approach, as you might have guessed. Modern memory requires constant refreshing to not lose its value, but that doesn’t mean that it’s entirely lost immediately. That’s what [Jack Crouse] discovered, and put to work here. Using the reset pins on a motherboard, the system is reset and booted off a flash drive. That drive contains a very minimal EFI application that just reads system memory and dumps it to the flash drive. Because the memory is mostly intact, if you reset the machine at the right point during boot, the memory dump includes the disk encryption key, allowing for easy drive decryption. If nothing else, this should be your queue to add a PIN to your Bitlocker setup. This was also a talk given at 38c3, which is now available!

Stars for Sale

GitHub stars are a useful way to determine the popularity of a project, and by extension how trustworthy that project is. At least, that’s the idea. Like any measure of popularity and trustworthiness, the GitHub Stars system has been gamed. Given how easy it is to create a GitHub account, and that giving out stars is a free action, it’s not surprising. The research suggested that between 3 and 4.5 million stars were fake, and GitHub has been quite responsive at removing the accounts and stars that are very likely to be inauthentic.

The Downside to a Connected Car

In a tale that gets worse the more you think about it, it’s revealed that 800,000 Volkswagen electric vehicles were leaking their precise information history via an unsecured Amazon storage instance. This wasn’t explicitly referred to as an S3 bucket, but we’ll use the “bucket” term for ease of discussion. This was discovered via an unnamed whistleblower, so it’s unclear whether the bucket name was accidentally made public. Regardless, it was accessible without any authentication. The broader question is why VW needs to keep these records on their drivers. It’s the downside to an always connected car.

How’s the Passkey Doing?

[Dan Goodin] is no stranger to the pages of this column, and he has thoughts about Passkeys. This isn’t a vulnerability — the FIDO2 specification hasn’t been broken in some new and clever way. Passkeys are still a good, secure way to use a trusted device as an authentication source. The problem is, they’re sort of a pain to use. Say you’re using Google Chrome on an Apple device. A site prompts you to create a passkey. Is that passkey managed by Apple, or Google? The answer is, by Apple, unless you explicitly ask Chrome to manage it. And then, Chrome on Mac isn’t allowed to sync Passkeys to Chrome on an iPhone.

And those are essentially the two problems with Passkeys: Every vendor wants users to use their platform to store passkeys, and once stored it’s devilishly difficult to manage and move passkeys to another device/platform. The silver lining is that many password managers can act as a Passkey store, and handle syncing between devices. But then again, there’s not much difference between passwords and passkeys, when you use a password manager to handle them.

Double-Click-Jack

And in related news, there’s a new approach to harvesting unintended clicks. Clickjacking is what happens when a site loads an advertisement at the top of the page, just as you’re trying to click on something, and your click gets hijacked to something else. Browsers have added protections to make truly malicious clickjacking harder to pull off. But Doubleclickjacking neatly sidesteps all of them. It’s simple: Launch another tab that claims to be a captcha, asking the user to double-click to prove they are human. Close the tab after a single click, and the second click goes to a different window. It’s clever and devious, and one more thing to watch out for.

youtube.com/embed/4rGvRRMrD18?…

Bits and Bytes

The US Treasury has reported that it was breached, via the ironically named BeyondTrust remote support vendor. It’s reported that this was an APT affiliated with the Chinese government, though very few details are available.

The intersection of data scraping and AI writing has led to dangerously good targeted phishing emails. Part of the danger here is that so much of the legitimate emails that spam filters are trained on are also written by LLMs, and executives are so used to that style of message, phishing emails fit right in.

[Mateusz Jurczyk] has released part five of the Windows Registry deep dive over at Google Project Zero. This installment is all about how the data is actually encoded into the registry files, as well as how those files are loaded and verified. Good stuff.

hackaday.com/2025/01/03/this-w…

Flying a first-person view (FPV) remote controlled aircraft with goggles is an immersive experience that makes you feel as if you’re really sitting in the cockpit of the plane or quadcopter. Unfortunately, while your wearing the goggles, you’re also completely blind to the world around you. That’s why you’re supposed to have a spotter nearby to keep watch on the local meatspace while you’re looping through the air.

But what if you could have the best of both worlds? What if your goggles not only allowed you to see the video stream from your craft’s FPV camera, but you could also see the world around you. That’s precisely the idea behind mixed reality goggles such as Apple Vision Pro and Meta’s Quest, you just need to put all the pieces together. In a recent video [Hoarder Sam] shows you exactly how to pull it off, and we have to say, the results look quite compelling.

[Sam]’s approach relies on the fact that there’s already cheap analog FPV receivers out there that act as a standard USB video device, with the idea being that they let you use your laptop, smartphone, or tablet as a monitor. But as the Meta Quest 3 is running a fork of Android, these devices are conveniently supported out of the box. The only thing you need to do other than plug them into the headset is head over to the software repository for the goggles and download a video player app.
The FPV receiver can literally be taped to the Meta Quest
With the receiver plugged in and the application running, you’re presented with a virtual display of your FPV feed hovering in front of you that can be moved around and resized. The trick is to get the size and placement of this virtual display down to the point where it doesn’t take up your entire field of vision, allowing you to see the FPV view and the actual aircraft at the same time. Of course, you don’t want to make it too small, or else flying might become difficult.

[Sam] says he didn’t realize just how comfortable this setup would be until he started flying around with it. Obviously being able to see your immediate surroundings is helpful, as it makes it much easier to talk to others and make sure nobody wanders into the flight area. But he says it’s also really nice when bringing your bird in for a landing, as you’ve got multiple viewpoints to work with.

Perhaps the best part of this whole thing is that anyone with a Meta Quest can do this right now. Just buy the appropriate receiver, stick it to your goggles, and go flying. If any readers give this a shot, we’d love to hear how it goes for you in the comments.

youtube.com/embed/XOmeAAlSTWM?…

hackaday.com/2025/01/03/fpv-fl…

Un quarto di secolo fa nasceva "In Your Eyes Ezine" grazie ad una passione che non immaginavo potesse rimanere viva per così tanto tempo e portarmi così lontano. Oggi, dopo 25 anni di presenza sul web, guardo indietro con un senso di gratitudine e meraviglia. Mai avrei pensato che questo progetto sarebbe diventato ciò che è oggi, ma il cammino è stato incredibile.

iyezine.com/25-anni-di-in-your…

25 anni di In Your Eyes Ezine

25 anni di In Your Eyes Ezine - In Your Eyes Ezine: 25 anni di passione e creatività. Scopri il nostro viaggio, le storie e i talenti che ci hanno ispirato lungo la strada. - 25 anni

^{admin (In Your Eyes ezine)}

È convocata l’assemblea straordinaria della cellula di Treviso per martedì 14 gennaio, alle ore 18.00, presso la Libreria Universitaria San Leonardo, in Piazza Santa Maria dei Battuti, 16, a Treviso.

Sarà possibile partecipare anche in video collegamento e, per chi ne ha diritto, votare dopo aver accertato l’identità degli intervenuti da remoto. Di seguito i link allo statuto ed al regolamento delle cellule in cui è possibile trovare le disposizioni su candidatura e votazione.

L’ordine del giorno dell’assemblea straordinaria è il seguente:

1) Dimissioni da parte di Matteo Orlando come rappresentante in Consiglio Generale e coordinatore della cellula e votazione nuova/o coordinatrice/ore e rappresentante presso il consiglio generale ALC; da oggi sono aperte le candidature che potranno essere anticipate via e-mail all’indirizzo cellulatreviso@associazionelucacoscioni.it oppure presentate direttamente il giorno dell’assemblea;

2) discussione proposta piano formativo interno alla cellula (la proposta verrà inviata per e-mail la prossima settimana assieme al verbale della riunione di dicembre 2024);

3) aggiornamento andamento sportello D.A.T. ed individuazione delle nuove date;

4) varie ed eventuali.

L'articolo Assemblea straordinaria della Cellula Coscioni di Treviso proviene da Associazione Luca Coscioni.

Un recente studio di Black Fog ha rivelato tendenze allarmanti tra i dirigenti della sicurezza informatica.

Secondo i dati, nell’ultimo anno il 45% dei professionisti ha fatto ricorso all’alcol o a sostanze illegali per alleviare lo stress lavorativo e il 69% ha evitato le attività sociali. Ciò mostra segni di esaurimento, non solo di stress.

L’Organizzazione Mondiale della Sanità (OMS) definisce il burnout come una sindrome causata da stress cronico che non è stato gestito con successo. È caratterizzato da tre sintomi principali: esaurimento, cinismo e diminuzione della produttività. La ricerca mostra che il recupero completo dal burnout può richiedere anni, mentre le condizioni stressanti, con una terapia adeguata, scompaiono in poche settimane.

Il burnout colpisce molto spesso i dipendenti responsabili e motivati ​​che ignorano i propri sentimenti in un ambiente in cui non hanno alcun controllo sulla situazione. Ciò ha conseguenze devastanti, soprattutto per le persone con caratteristiche neurodivergenti. Ad esempio, il burnout autistico è accompagnato da stanchezza cronica e perdita di capacità. Tali sintomi sono esacerbati dalla depressione e dall’ansia, che creano circoli viziosi di stati negativi.

Gli esperti sottolineano l’importanza di identificare precocemente i segni del burnout. Leader come Brian Kissinger di Trace3 suggeriscono di supportare in modo proattivo i propri dipendenti rivedendo la loro giornata lavorativa e assegnando compiti per prevenire il sovraccarico. Jill Knezek di BlackLine si concentra sulle conversazioni individuali con i dipendenti per rafforzare il loro senso di valore e dare loro l’opportunità di esprimere le loro preoccupazioni.

I dipendenti notano che i programmi di benessere aziendale sono spesso percepiti come inefficaci. Gli esperti consigliano invece di cercare un aiuto professionale. La psicoterapia aiuta a far fronte allo stress crescente, costruendo strumenti per prevenire il burnout e aumentare la resilienza alle sfide future.

Il recupero dal burnout, dicono gli esperti, può portare alla “crescita dopo il trauma”. Molti pazienti ripensano ai propri valori, dedicano più tempo ai propri cari e imparano a essere felici. Essere consapevoli dei propri bisogni e creare un ambiente di lavoro confortevole, soprattutto per le persone neurodivergenti, aiuta a evitare le ricadute.

La sicurezza informatica rimane un ambito complesso e impegnativo. Tuttavia, sostenere i dipendenti, essere consapevoli dello stress e agire tempestivamente può ridurre il rischio di burnout e rafforzare lo spirito di squadra.

L'articolo Allarme Burnout: Quando la Cybersecurity Diventa una Minaccia per la Salute Mentale proviene da il blog della sicurezza informatica.

A few months ago, Disney made headlines when, rather than settling a wrongful death lawsuit, it argued that theme park guests waived their right to take it to court when they signed up for Disney Plus trials.

But Mickey Mouse appears to have had a change of heart on paying plaintiffs. Disney is now writing a multimillion-dollar settlement check to avoid litigating a defensible defamation lawsuit by Donald Trump. The president-elect claims Disney’s ABC News defamed him by saying he was found liable for “rape” when a jury really found he had committed sexual abuse.

Freedom of the Press Foundation (FPF) Director of Advocacy Seth Stern helped successfully defend the Chicago Sun-Times in a virtually identical case over 10 years ago. A judge threw out a Northwestern professor’s suit over a headline that said he was accused of rape rather than sexual assault.

“Find me the person or company that’s eager to do business with alleged sexual assailants and abusers but draws the line at alleged rapists,” Stern wrote in the Sun-Times, questioning whether Disney prioritized the interests of its nonmedia holdings over the First Amendment.

"Back in the days when news outlets were owned by news companies, a strong First Amendment was fundamental to their economic interests. Unless they’d messed up badly, they rarely settled, even when it would be cheaper than litigating. It’s fair to question whether that equation changes when news comprises just a fraction of ownership’s holdings."

You can read the op-ed here.

freedom.press/issues/settlemen…

In risposta a un paio di punti cruciali del discorso di fine anno del Presidente della Repubblica Sergio Mattarella, che ha invitato alla partecipazione civica e denunciato le condizioni inumane della detenzione in Italia, l’Associazione Luca Coscioni rende noto il sito FreedomLeaks.

Secondo il sito l’analista indipendente Marco Della Stella, al 1 gennaio 2025, sono 61.870 le persone detenute in un sistema che prevede circa 46.000 posti letto, che ha quindi un tasso di affollamento del 132,133%.

Si tratta di una pagina web che consente la denuncia partecipativa anonima tipica di quello generalmente chiamato whistleblowing. FreedomLeaks si rivolge a chi ha o ha avuto modo di entrare in carcere in quanto parente, o per impegni di assistenza sociale, educazione, formazione professionale o difensore o parte di iniziative di volontariato oppure dipendente delle Asl.

Particolarmente puntuali e circostanziate potrebbero essere le informazioni condivise da dipendenti dell’amministrazione penitenziaria, o di quelle del personale medico e paramedico

FreedomLeaks permette di trasferire informazioni e segnalazioni relative al rispetto delle leggi che riguardano i diritti e le libertà delle persone in maniera sicura, riservata e anonima grazie alla piattaforma Globaleaks che consente di attivare un canale criptato per inviare le proprie segnalazioni.

Dal sito occorre collegarsi al corrispondente indirizzo TOR, usando la sicurezza garantita dal TOR browser e condividere quanto visto durante la propria presenza in carcere.

L’Associazione Luca Coscioni auspica che la pubblicizzazione delle possibilità offerte daFreedomLeaks possa concorrere ad arricchire la conoscenza di come le istituzioni si comportano in ossequio ai loro obblighi di legge relativi al diritto alla salute in carcere.

Le testimonianze che arriveranno al sito sicuro non verranno rese pubbliche ma messe in relazione con i resoconti delle visite effettuate negli stessi istituti dalle Asl le cui relazioni sono state richieste a dicembre alle 102 Aziende sanitarie locali con formale accesso agli atti. Ad agosto 2024 l’Associazione Luca Coscioni aveva diffidato tutte le Asl competenti per la salute in carcere ad ottemperare ai loro obblighi previsti dall’ordinamento penitenziario di fornire servizi socio-sanitari e di ispezionare le strutture con particolare attenzione all’igiene e profilassi degli stessi.

L'articolo Attraverso Freedomleaks è possibile il wistleblowing sulle condizioni inumane in carcere proviene da Associazione Luca Coscioni.