Earlier this year, I was required to move my server to a different datacenter. The tech that helped handle the logistics suggested I assign one of my public IPs to the server’s Baseboard Management Controller (BMC) port, so I could access the controls there if something went sideways. I passed on the offer, and not only because IPv4 addresses are a scarce commodity these days. No, I’ve never trusted a server’s built-in BMC. For reasons like this MegaOWN of MegaRAC, courtesy of a CVSS 10.0 CVE, under active exploitation in the wild.

This vulnerability was discovered by Eclypsium back in March It’s a pretty simple authentication bypass, exploited by setting an X-Server-Addr header to the device IP address and adding an extra colon symbol to that string. Send this along inside an HTTP request, and it’s automatically allowed without authentication. This was assigned CVE-2024-54085, and for servers with the BMC accessible from the Internet, it scores that scorching 10.0 CVSS.

We’re talking about this now, because CISA has added this CVE to the official list of vulnerabilities known to be exploited in the wild. And it’s hardly surprising, as this is a near-trivial vulnerability to exploit, and it’s not particularly challenging to find web interfaces for the MegaRAC devices using tools like Shodan and others.

There’s a particularly ugly scenario that’s likely to play out here: Embedded malware. This vulnerability could be chained with others, and the OS running on the BMC itself could be permanently modified. It would be very difficult to disinfect and then verify the integrity of one of these embedded systems, short of physically removing and replacing the flash chip. And malware running from this very advantageous position very nearly have the keys to the kingdom, particularly if the architecture connects the BMC controller over the PCIe bus, which includes Direct Memory Access.

This brings us to the really bad news. These devices are everywhere. The list of hardware that ships with the MegaRAC Redfish UI includes select units from “AMD, Ampere Computing, ASRock, ARM, Fujitsu, Gigabyte, Huawei, Nvidia, Supermicro, and Qualcomm”. Some of these vendors have released patches. But at this point, any of the vulnerable devices on the Internet, still unpatched, should probably be considered compromised.

Patching Isn’t Enough

To drive the point home, that a compromised embedded device is hard to fully disinfect, we have the report from [Max van der Horst] at Disclosing.observer, detailing backdoors discovered in verious devices, even after the patch was applied.

These tend to hide in PHP code with innocent-looking filenames, or in an Nginx config. This report covers a scan of Citrix hosts, where 2,491 backdoors were discovered, which is far more than had been previously identified. Installing the patch doesn’t always mitigate the compromise.

Many of us have found VSCode to be an outstanding IDE, and the fact that it’s Open Source and cross-platform makes it perfect for programmers around the world. Except for the telemetry, which is built into the official Microsoft builds. It’s Open Source, so the natural reaction from the community is to rebuild the source, and offer builds that don’t have telemetry included. We have fun names like VSCodium, and Cursor for these rebuilds. Kudoes to Microsoft for making VSCode Open Source so this is possible.

There is, however, a catch, in the form of the extension marketplace. Only official VSCode builds are allowed to pull extensions from the marketplace. As would be expected, the community has risen to the challenge, and one of the marketplace alternatives is Open VSX. And this week, we have the story of how a bug in the Open VSX publishing code could have been a really big problem.

When developers are happy with their work, and are ready to cut a release, how does that actually work? Basically every project uses some degree of automation to make releases happen. For highly automated projects, it’s just a single manual action, a kick-off of a Continuous Integration (CI) run, that builds and publishes the new release. Open VSX supports this sort of approach, and in fact runs a nightly GitHub Action to iterate through the list of extensions, and pull any updates that are advertised.

VS Code extensions are Node.js projects, and are built using npm. So the workflow clones the repository, and runs npm install to generate the installable packages. Running npm install does carry the danger that arbitrary code runs inside the build scripts. How bad would it be for malicious code to run inside this night update action, on the Open VSX GitHub repository?

A super-admin token was available as an environment variable inside this GitHub Action, that if exfiltrated, would allow complete takeover of the Open VSX repository and unfettered access to the software contained therein. There’s no evidence that this vulnerability was found or exploited, and OpenVSX and Koi Security worked together to mitigate it, with the patch landing about a month and a half after first disclosure.

FileFix

There’s a new social engineering attack on the web, FileFix. It’s a very simple, nearly dumb idea. By that I mean, a reader of this column would almost certainly never fall for it, because FileFix asks the user to do something really unusual. It works like this. You get an email or land on a bad website, and it appears present a document for you. To access this doc, just follow the steps. Copy this path, open your File Explorer, and paste the path. Easy! The website even gives you a button to click to launch file explorer.

That button actually launches a file upload dialog, but that’s not even the clever part. This attack takes advantage of two quirks. The first is that Javascript can inject arbitrary strings into the paste buffer, and the second is that system commands can be run from the Windows Explorer bar. So yes, copy that string, and paste it into the bar, and it can execute a command. So while it’s a dumb attack, and asks the user to do something very weird, it’s also a very clever intersection between a couple of quirky behaviors, and users will absolutely fall for this.

eMMC Data Extraction

The embedded MultiMediaCard (eMMC) is a popular option for flash storage on embedded devices. And Zero Day Initiative has a fascinating look into what it takes to pull data from an eMMC chip in-situ. An 8-leg EEPROM is pretty simple to desolder or probe, but the ball grid array of an eMMC is beyond the reach of mere mortals. If you’re soldering skills aren’t up to the task, there’s still hope to get that data off. The only connections needed are power, reference voltage, clock, a command line, and the data lines. If you can figure out connection points for all of those, you can probably power the chip and talk to it.

One challenge is how to keep the rest of the system from booting up, and getting chatty. There’s a clever idea, to look for a reset pin on the MCU, and just hold that active while you work, keeping the MCU in a reset, and quiet, state. Another fun idea is to just remove the system’s oscillator, as the MCU may depend on it to boot and do anything.

Bits and Bytes

What would you do with 40,000 alarm clocks? That’s the question unintentionally faced by [Ian Kilgore], when he discovered that the loftie wireless alarm clock works over unsecured MQTT. On the plus side, he got Home Automation integration working.

What does it look like, when an attack gets launched against a big cloud vendor? The folks at Cloud-IAM pull the curtain back just a bit, and talk about an issue that almost allowed an enumeration attack to become an effective DDoS. They found the attack and patched their code, which is when it turned into a DDoS race, that Cloud-IAM managed to win.

The Wire secure communication platform recently got a good hard look from the Almond security team. And while the platform seems to have passed with good grades, there are a few quirks around file sharing that you might want to keep in mind. For instance, when a shared file is deleted, the backing files aren’t deleted, just the encryption keys. And the UUID on those files serves as the authentication mechanism, with no additional authentication needed. None of the issues found rise to the level of vulnerabilities, but it’s good to know.

And finally, the Centos Webpanel Control Web Panel has a pair of vulnerabilities that allowed running arbitrary commands prior to authorization. The flaws have been fixed in version 0.9.8.1205, but are trivial enough that this cPanel alternative needs to get patched on systems right away.

hackaday.com/2025/06/27/this-w…

Robots can look like all sorts of things, but they’re often more fun if you make them look like some kind of charming animal. That’s precisely what [Ananya], [Laurence] and [Shao] did when they built Cucumber the Robot Dog for their final project in the ECE 4760 class.

Cucumber is controllable over WiFi, which was simple enough to implement by virtue of the fact that it’s based around the Raspberry Pi Pico W. With its custom 3D-printed dog-like body, it’s able to move around on its four wheels driven by DC gear motors, and it can flex its limbs thanks to servos in its various joints. It’s able to follow someone with some autonomy thanks to its ultrasonic sensors, while it can also be driven around manually if so desired. To give it more animal qualities, it can also be posed, or commanded to bark, howl, or growl, with commands issued remotely via a web interface.

The level of sophistication is largely on the level of the robot dogs that were so popular in the early 2000s. One suspects it could be pretty decent at playing soccer, too, with the right hands behind the controls. Video after the break.

youtube.com/embed/myNXUAshH7Q?…

hackaday.com/2025/06/27/meet-c…

La Liguria, la Regione in cui sono felice di essere nato e vivere, è una regione fortunata anche dal punto di vista dell’assistenza in Oncofertilità. Grazie all’opera di medici di altissimo livello e dalla vista lunga tra cui la Dott.ssa Paola Anserini, la Prof.ssa Lucia del Mastro, il Prof. Matteo Lambertini e i loro collaboratori, l’IRCCS Ospedale Policlinico San Martino in cui mi onoro di lavorare è diventato un centro regionale con oltre 1.000 nuovi casi l’anno presi in carico dalle Unità di Senologia e di Oncofertilità. Queste ultime garantiscono percorsi assistenziali dedicati con particolare attenzione al tema della preservazione della fertilità per le pazienti under 40. Grazie ad esse, una donna su dieci riesce ad avere un figlio dopo la diagnosi di tumore del seno. Un dato doppio rispetto alla media nazionale che colloca l’IRCCS genovese ai primi posti in Europa. Ma molte donne ancora non riescono più a procreare dopo l’uscita dal tunnel della malattia ed anche qui le opportunità di miglioramento non mancano.

A livello nazionale la situazione è variegata, come spesso accade in tema di sanità. Ogni anno in Italia circa 8.000 cittadini under 40 (5.000 donne e 3.000 uomini) sono colpiti da tumore, 30 ogni giorno, pari a circa il 3% del numero totale delle nuove diagnosi. Nel nostro Paese ci sono 319 Oncologie e sono 178 i centri di Procreazione medicalmente assistita che applicano non solo la fecondazione in vitro ma anche la crioconservazione (cioè il congelamento e la conservazione a temperature bassissime) dei gameti. Ma, come anche l’esperienza genovese suggerisce, va migliorata la comunicazione fra le due realtà.

Anche la fertilità maschile può essere compromessa dalle terapie oncologiche, in particolare chemioterapia e radioterapia, che possono ridurre la produzione di spermatozoi o danneggiarne la qualità. Ciò può portare a infertilità temporanea o permanente, con conseguenze che variano a seconda dei farmaci utilizzati, delle dosi e della localizzazione della radioterapia.

Dai pochi dati ricordati, si ricava quindi che il problema del mantenimento della fertilità interessa una varietà di pazienti oncologici, femmine e maschi, adolescenti e giovani adulti, con patologie neoplastiche diverse che richiedono protocolli terapeutici chemio e/o radioterapici spesso tossici sulle gonadi. Ma la distribuzione sul territorio nazionale di centri per l’Oncofertilità e l’accesso alle cure, la formazione del personale sanitario e l’informazione alla popolazione sul tema, come spesso accade in tema di assistenza sanitaria, sono fortemente squilibrate tra le diverse regioni e richiedono interventi .

Peraltro, il problema certamente non riguarda solo i pazienti oncologici, ma una popolazione generale del Paese che va progressivamente invecchiando, divenendo sempre meno fertile e sempre più bisognosa di assistenza medica per la procreazione. Secondo gli ultimi dati ISTAT, gli uomini italiani sono i papà “più vecchi” d’Europa: il primo figlio arriva mediamente dopo i 35 anni d’età. Con l’avanzare dell’età aumenta infatti anche la quantità di danni al DNA spermatico. Così già dai 34 anni in su, i danni accumulati possono impedire il concepimento o aumentare le probabilità di tramandare ai figli difetti genetici, legati a patologie nell’infanzia e anche in età adulta. E’ di pochi giorni fa l’appello degli specialisti della Società Italiana di Andrologia affinché la crioconservazione del seme sia resa più accessibile, all’interno del SSN, agli uomini che per diverse ragioni debbano posticipare la ricerca di paternità.

Se posso fare una considerazione personale, ritengo che tra quelle ragioni, si trovi in posizione preminente, se non al primo posto, la precarietà del posto di lavoro. Garantire ai/alle nostri/e giovani la necessaria stabilità di un lavoro equamente retribuito, per poter affrontare con sufficiente serenità il meraviglioso ma impegnativo progetto di avere un figlio, darebbe a mio avviso un forte stimolo alle nascite. In tal senso, il Centro più importante per lo studio e la cura dell’infertilità degli italiani potrebbe essere in verità il Ministero del Lavoro.

Anche misure sociali che stimolino una più rapida e vera integrazione delle popolazioni immigrate e/o dei loro figli/e con una cittadinanza ottenibile in un numero ragionevole di anni ed un aumento di unioni interetniche potrebbero contrastare il nostro declino demografico. Ricordiamo che al di là di paure irrazionali, il mescolamento di geni e culture diverse sono fattori che irrobustiscono la salute fisica e mentale delle popolazioni.

L’Associazione Luca Coscioni, ha lavorato con giuristi ed esperti ad un disegno di legge che fu depositato nella XVI legislatura per la conservazione di gameti umani e tessuto gonadico, procedure in parte invasive per le persone che vogliano ricorrervi e che vanno sostenute da parte dello Stato. Ad oggi solo la parte del tessuto gonadico è prevista e in vigore. Il nostro auspicio è che possa essere prevista la preservazione della fertilità per tutti coloro che in età fertile vogliano effettuarla a carico del SSN, nell’ambito dei provvedimenti che verranno adottati per il miglioramento del futuro demografico dell’Italia. Vorremmo evidenziarne il principio: per la sua importanza in un Paese con un tasso di natalità basso come il nostro, la preservazione della salute riproduttiva dovrebbe dipendere unicamente dalla scelta delle persone che desiderano un figlio o una figlia, da nient’altro.

L'articolo Per la Fertilità e la Vita proviene da Associazione Luca Coscioni.

We have all suffered from this; the boss wants you to compile a report on the number of paper clips and you’re crawling up the wall with boredom, so naturally your mind strays to other things. You check social media, or maybe the news, and before you know it a while has been wasted. [Neil Chen] came up with a solution, to configure a cheap smart plug with a script to block his diversions of choice.

The idea is simple enough, the plug is in an outlet that requires getting up and walking a distance to access, so to flip that switch you’ve really got to want to do it. Behind it lives a Python script that can be found in a Git Hub repository, and that’s it! We like it for its simplicity and ingenuity, though we’d implore any of you to avoid using it to block Hackaday. Some sites are simply too important to avoid!

Of course, if distraction at work is your problem, perhaps you should simply run something without it.

hackaday.com/2025/06/27/a-chea…

The next “Brandung-Live” will be on 29.06.2025 at 20.00h CEST/DST.

News from Potsdam, Brandenburg, the Pirates of Germany and international news – in German.

If you want to join the conversation, just contact info@PiratesOnAir.net.

piratesonair.net/brandung-live…

rieccomi con qualche piccola e deludente novità. Da ieri pomeriggio ho il tanto agognato contratto!
Inizialmente mi era stato "promesso" un contratto di un anno all'80% . Ero contenta, un giorno in più libero non mi fa schifo, e lo stipendio è sufficiente per me.
Poi però si è tramutato in "per il momento possiamo offrirti solo 9 mesi sempre all'80%", ma niente contratto da 10 giorni...
Infine ieri mi è stato detto che purtroppo per una serie disguidi e malfunzionamenti, il contratto me lo possono fare solo fino a dicembre 2025.

Bah, la mia prima reazione è stata quello di rifiutare.
Poi il mio superiore mi ha chiamata nel suo ufficio, si è scusato mille volte e mi ha spiegato che sta facendo di tutto per tramutare il mio contratto in uno a tempo indeterminato, perché anche se sono lì da poco, ho già dimostrato di essere una valida risorsa, e lui ci tiene a valorizzare le persone meritevoli.
Sono volubile e ho detto ok (anche se, a dire tutta la verità non ho ancora firmato nulla).

Scherzi a parte, fino a dicembre mi terrò questo lavoro, almeno posso pagare l'affitto. Intanto continuo la mia formazione e studio, così da poter seguire i miei sogni. 🙃

Ora vado, parrucchiere, medico e poi giornata in spiaggia (del fiume) con la nipotina! #proudaunt

#lavoro #contratto #delusione

Sempre per capire un po' meglio il posto in cui mi trovo...

Vedo spesso la riga "Filtered language" con vicino Il nome di una lingua e "Reveal/hide".

Se ho capito bene dovrebbe essere il sistema che mi dice "questo contenuto te l'ho nascosto perché è in una lingua che non capiresti però se proprio vuoi, clicca qui e te lo faccio vedere".

Beh... non so se succede anche a voi ma 9 volte su 10 è normalissimo italiano.

Possibile che l'algoritmo che dovrebbe riconoscere le lingue sbagli così tanto?

Earlier this week, CBS News filed a strong brief outlining why President Donald Trump’s lawsuit over the editing of its 2024 interview with Kamala Harris is completely frivolous and an affront to the First Amendment.

But just days later, The Wall Street Journal reported that a mediator had proposed CBS owner Paramount Global settle the suit for $20 million. It’s been reported that Paramount — believing the Trump administration will block its merger with Skydance Media if it doesn’t settle – had previously offered $15 million, which Trump declined, demanding at least $25 million.

A mediator’s job is to find a compromise number, so, from that perspective, it’s easy to understand why they’d propose $20 million (mediators get paid the big bucks to do that kind of math). But mediators are still under an obligation not to facilitate criminality. And, as both federal and state lawmakers have said, a settlement by Paramount may amount to illegal bribery.

The Model Standards of Conduct for Mediators — adopted by the American Bar Association, American Arbitration Association, and Association for Conflict Resolution — provide as follows: “If a mediation is being used to further criminal conduct, a mediator should take appropriate steps including, if necessary, postponing, withdrawing from or terminating the mediation.” The ethics guidelines of Judicial Arbitration and Mediation Services go a step further: “A mediator should withdraw from the process if the mediation is being used to further illegal conduct.“

The mediator’s identity hasn’t been publicly disclosed, but presumably, they’re a lawyer, also bound by the rules of professional conduct. Those rules also include obligations to uphold the integrity of the legal profession and not facilitate illegal conduct. Violations are punishable by discipline up to disbarment. That said, it should not require citation of specific rules and standards to establish that it’s improper to facilitate the abuse of the legal system to funnel bribes disguised as settlements to politicians.

Everyone knows the case is not worth $20 million, or even 20 cents, in terms of legal merit. It’s beyond frivolous — and that’s saying something given the myriad frivolous lawsuits Trump has filed. As Paramount’s own lawyers note, Trump often doesn’t even attempt to cite cases supporting his cockamamie legal theories or refuting the decades of First Amendment precedent that obviously protects CBS’ editorial judgment. Any first-year law student can see this case should be thrown out at the first opportunity. It’s a joke.

“If a mediation is being used to further criminal conduct, a mediator should take appropriate steps including, if necessary, postponing, withdrawing from or terminating the mediation.”

The Model Standards of Conduct for Mediators

Yet it’s been widely reported that Paramount directors believe they need to pay up if they want Trump’s Federal Communications Commission to approve the Skydance merger. Possibly the only thing stopping them is the fact that the directors are reportedly concerned that settling could put it at risk of liability for bribery.

They should be worried. In addition to the lawmakers that have launched probes into potential criminality, as Paramount shareholders and defenders of press freedom, we’ve threatened to bring a shareholder derivative suit against Paramount directors and officers if the company pays Trump off, and retained counsel to do so on our behalf.

Any settlement agreed to by Paramount to facilitate its merger is not only tantamount to bribery but throws its own storied news outlet under the bus and invites Trump to extort countless other news corporations as soon as the check clears.

The Wall Street Journal reported that directors at Paramount have been mulling over a number it can offer that reduces the odds of a bribery case. When a party to a mediation is calculating settlement numbers not based on the merits of the lawsuit and cost of litigation but on the maximum it can pay without officers and directors getting indicted, that’s a gigantic red flag that no ethical mediator should ignore (as if investigations from federal and state lawmakers aren’t enough of a warning).

We hope the mediator is taking their obligations seriously. And we also hope Paramount directors are reading their own lawyers’ legal briefs. Editing interviews is something news outlets across the political spectrum do every hour of every day (even Trump-aligned Fox News hosts have openly acknowledged that). As Paramount’s lawyers wrote, if this case were to go forward, it “would amount to green-lighting thousands of consumer claims brought by individuals who merely disagree with a news organization’s editorial choices.”

The same can be said for if Paramount settles. Trump sued The Des Moines Register right after ABC owner Disney shamefully settled with Trump earlier this year. If he is gifted $20 million (and no, it doesn’t help matters if the money goes to his purported library foundation) for disliking the way an interview was edited, there’s no telling how many news outlets he’ll target next.

freedom.press/issues/paramount…