If you had an array of high power addressable LEDs, how would you project them onto a wall? Perhaps you’d use a Fresnel lens, or maybe an individual lens on the top of each. [Joo] faced this problem when making a lighting effect using just such an array, and the solution they came up with used both.

The problem facing a would-be LED array projector is that should the lens be too good, it will project the individual points of light from the LEDs themselves, when a more diffuse point is required. Thus the Fresnel required the aid of a separate array of lenses, resin printed in one in clear plastic. From this we get some useful tips on how to do this for best lens quality, and while the result is not quite optically perfect, it’s certainly good enough for the job in hand.

The linked Printables page comes with all you need to make the parts, and you too can have your own projected LED effect. Now we want one, too! Perhaps we really need our own Wrencher signal instead.

hackaday.com/2025/11/07/an-led…

There’s another ransomware story this week, but this one comes with a special twist. If you’ve followed this column for long, you’re aware that ransomware has evolved beyond just encrypting files. Perhaps we owe a tiny bit of gratitude to ransomware gangs for convincing everyone that backups are important. The downside to companies getting their backups in order is that these criminals are turning to other means to extort payment from victims. Namely, exfiltrating files and releasing them to the public if the victim doesn’t pay up. And this is the situation in which the Akira ransomware actors claim to have Apache’s OpenOffice project.

There’s just one catch. Akira is threatening to release 23 GB of stolen documents, which include employee information — and the Apache Software Foundation says those documents don’t exist. OpenOffice hasn’t received a demand and can’t find any evidence of a breach. It seems likely that Akira has hit some company, but not part of the Apache Software Foundation. Possibly someone that heavily uses OpenOffice, or even provides some level of support for that application. There is one more wrinkle here.

Since Apache OpenOffice is an open source software project, none of our contributors are paid employees for the project or the foundation…

First off, there are plenty of open source projects that have employee contributors, and it’s quite odd to imply otherwise. But second, for something as important as an office suite, this is a rather startling statement: there are no paid employees working on the OpenOffice code base.

NPM Typosquat Sophistication

There’s another NPM typosquatting campaign, which is barely news at this point. This one is newsworthy because these malicious packages use multiple layers of obfuscation, and lived on NPM for over four months. They use a clever bit of social engineering during package installation, in the form of a fake CAPTCHA prompt. The idea is that it makes the user less suspicious of the package, and also gives a legitimate reason for network access. But in reality, requiring user interaction defeats any automated analysis efforts.

The first layer of obfuscation consists of an eval() call with a bunch of decoder functions and an ugly encoded string. The result from that set of functions is URL-encoded and needed decoding, followed by an XOR with a key value. And finally, the executable function that finally emerges uses switch/case statements and hard-to-read values. It’s just a web to work through.

The payload behavior is boring in comparison, looking for any credentials on the system and uploading them to a remote server. It also checks for interesting browser cookies and passwords in the password manager, and any authentication tokens it can find.

WordPress Plugin Problems

[István Márton] at Wordfence has the story on a pair of WordPress plugins with severe vulnerabilities, effecting a whopping 500,000 sites combined. Up first is AI Engine, with 100,000 installs. This plugin has an unauthenticated URL endpoint that can expose a bearer token, which then allows access to the MCP endpoint, and arbitrary control of users. The good news here is that the plugin is not vulnerable by default, and requires the “No-Auth URL” setting to be configured to be vulnerable.

The other plugin is Post SMTP, with 400,000 installs. It replaces WordPress’s PHP email handling, and one of the features is the ability to view those emails from the logs. The problem was that before 3.6.1, viewing those email logs didn’t require any permissions. At first blush, that may seem like a medium severity problem, but WordPress is often configured to allow for password resets via emailed links, which means instant account takeover. Both issues have been fixed, and releases are available.

React Native CLI and Metro

A combination of the React Native CLI package and the Metro development server exposed React Native developers to a nasty 9.8 CVSS Remote Code Execution (RCE) CVE. The first element of this vulnerability is the fact that when Metro opens ports for hosting development work, it doesn’t bind to localhost, but listens on all interfaces by default.

When a new Reactive Native project is created without using a framework, some boilerplate code is run as part of the initialization. The end result is that /open-url handler is added to the project, and this handler calls open() with an outside string from the URL. It’s not hard to imagine how this can be abused for arbitrary code injection.

KASLR

Let’s talk about address randomization. Specifically, Kernel Address Space Layout Randomization (KASLR). It’s one of the defenses against turning an arbitrary memory write into a working exploit. If an attacker can’t predict where kernel objects will be in memory, twiddling bits is more likely to crash the system than result in code execution. It’s great in theory. The problem is that it doesn’t necessarily exist in reality.

That’s the story from [Seth Jenkins] at Google’s Project Zero, who was looking for ways to crack Pixel phones. It turns out that memory hotplugging is supported by Linux on Android, and that potential hotplug memory needs a lot of room in the linear memory map. So much room that it’s impractical to also randomize that layout. So while we still technically have KASLR protecting the kernel from attacks, there’s a really big gotcha in the form of the linear memory map.

Bits and Bytes

If you want a really deep dive into how BLE works, and how to investigate an existing BLE connection with an SDR, [Clément Ballabriga] from Lexfo has the scoop. It is significantly more complicated than you might expect, particularly since BLE uses frequency hopping, and a wide enough range of frequencies that your SDR almost certainly can’t capture them all at once. That means breaking a tiny part of the signal security, in order to accurately predict the frequency hops.

Cisco’s Unified Contact Center Express (UCCX) has several vulnerabilities that allows an attacker to run code as root. One vulnerability is in handling arbitrary file uploads by the Java Remote Method Invocation system. Another is an authentication bypass that can be exploited by coercing the target system to use a malicious remote server as part of the authentication process. Fixes are available, and so far it doesn’t look like these flaws have been used in the wild.

And finally, there’s the November Android security bulletin, that fixes CVE-2025-48593, a logic error in security updates in apexd.cpp that can lead to escalation of privilege.

I’ve seen this flaw conflated with CVE-2025-38593, a Bluetooth vulnerability recently fixed in the Linux kernel. This is a medium severity race condition in the kernel that can lead to a double-free and a system crash. There doesn’t seem to be a way to turn this into an RCE, as is reflected by its CVSS of 4.7.

hackaday.com/2025/11/07/this-w…

Have you ever seen photos of retro movie sets where the cameras seem to be bedazzled with lenses? Of course you can only film via one lens at a time, but mounting multiple lenses on a turret as was done in those days has certain advantages –particularly when working with tiny M12 lenses, like our own [Jenny List] recently did with this three-lens, Pi-zero based camera.

Given that it’s [Jenny], the hardware is truly open source, with not just the Python code to drive the Pi but the OpenSCAD code used to generate the STLs for the turret and the camera body all available via GitHub under a generous CC-BY-SA-4.0 license. Even using a cheap sensor and lenses from AliExpress, [Jenny] gets good results, as you can see from the demo video embedded below. (Jump to 1:20 if you just want to see images from the camera.)

The lenses are mounted to a 3D printed ring with detents to lock each quickly in place, held in place by a self-tapping screw, proving we at Hackaday practice what we preach. (Or that [Jenny] does, at least when it comes to fasteners.) Swapping lenses becomes a moment’s twist, as opposed to fiddling with tiny lenses hoping you don’t drop one. We imagine the same convenience is what drove turret cameras to be used in the movie industry, once upon a time.

youtube.com/embed/UntZmKj_IJE?…

hackaday.com/2025/11/07/pi-pow…

Plastic recycling is something that many of us strive to accomplish, but we often get caught up in the many hurdles along the way. [Brothers Make] are experienced in the world of plastic recycling and graced us with a look into a simple and reliable way to get consistent thin sheets of durable plastic. Using a common T-shirt press and a mixture of plastic scraps, you can get the process down quickly.

Summarizing the process is pretty easy due to its simplicity. You take a T-shirt press, put some Teflon baking sheets on both sides of some plastic scraps, and then press. Repeating this a couple of times with different colored plastic will get you a nice looking sheet of usable sheets for any purpose you could dream of. Thicker pieces can have some life changing applications, or as simple as guitar picks, as shown by [Brothers Make].

Make sure to try out this technique yourself if you have access to a press! Overuse of plastic is a widely known issue, and yet it feels like almost no one attempts to solve it. If you want a different kind of application, try making your own 3D printing filament out of recycled plastic!

youtube.com/embed/xPGunwTUMSE?…

Thanks to [George Graves] for the tip!

hackaday.com/2025/11/07/artsy-…

Il CEO di Nvidia, Jensen Huang, ha avvertito che la Cina sconfiggerà gli Stati Uniti nella corsa all’intelligenza artificiale (IA).

Il FT ha riportato che Huang, al Future of AI Summit ospitato dal Financial Times (FT) quel giorno, ha affermato: “I paesi occidentali, inclusi Stati Uniti e Regno Unito, sono bloccati nel cinismo. Abbiamo bisogno di maggiore ottimismo“. Citando le nuove normative sull’IA in fase di elaborazione negli Stati Uniti, Huang ha avvertito: “Potrebbero esserci 50 nuove normative (in tutti i 50 stati)“.

Ha sostenuto che questo contesto normativo sta minando la competitività occidentale. Le sue dichiarazioni sono arrivate dopo che l’amministrazione Donald Trump ha mantenuto le restrizioni sull’esportazione dei più recenti semiconduttori per l’IA di Nvidia in Cina.

Huang ha aggiunto: “L’elettricità è (praticamente) gratuita in Cina” e che la Cina sta creando un ambiente in cui le aziende locali possono utilizzare chip di IA prodotti internamente come alternativa molto più economica ai chip di IA di Nvidia, espandendo i sussidi energetici per le aziende tecnologiche.

È noto che i chip di IA cinesi sono significativamente meno efficienti dal punto di vista energetico rispetto ai chip Nvidia. Tuttavia, i sussidi energetici del governo cinese hanno contribuito a compensare in parte questa carenza. Infatti, secondo quanto riferito, la Cina ha recentemente aumentato i sussidi energetici per importanti aziende tecnologiche come ByteDance, Alibaba e Tencent.

Il Wall Street Journal (WSJ) ha riportato il 3 che l’amministratore delegato di NVIDIA, vicino al presidente Trump, ha cercato di convincere il presidente Trump a consentire l’esportazione in Cina dell’ultimo semiconduttore per l’intelligenza artificiale di Nvidia, “Blackwell“, poco prima del vertice USA-Cina del 30 del mese scorso, ma i suoi collaboratori hanno bloccato la sua richiesta.

Huang ha sottolineato l’importanza del mercato cinese, affermando: “Circa la metà dei ricercatori mondiali nel campo dell’intelligenza artificiale si trova in Cina“. Ha inoltre sostenuto che le esportazioni verso la Cina devono essere consentite per garantire che l’ecosistema aziendale cinese dell’intelligenza artificiale continui a dipendere dai semiconduttori di Nvidia.

Alcuni ipotizzano che l’amministrazione Trump possa limitare l’uso di semiconduttori per l’intelligenza artificiale all’avanguardia, come Blackwell, solo per uso interno.

Secondo quanto riferito, alcuni funzionari chiave dell’amministrazione Trump sono preoccupati che l’esportazione di Blackwell in Cina possa rafforzare le capacità di intelligenza artificiale della Cina e indebolire la sicurezza degli Stati Uniti. In un’intervista alla CBS andata in onda il 2, alla domanda se avrebbe permesso a Nvidia di vendere semiconduttori all’avanguardia alla Cina, il presidente Trump ha risposto: “No, non lo faremo. Non lo faremo. Non permetteremo a nessun altro di avere semiconduttori all’avanguardia“

L'articolo La Cina supererà gli USA nella corsa all’AI! Il CEO di Nvidia avverte “siamo bloccati dal cinismo” proviene da Red Hot Cyber.

Dear Friend of Press Freedom,

Rümeysa Öztürk has been facing deportation for 227 days for co-writing an op-ed the government didn’t like, and the government hasn’t stopped targeting journalists for deportation. Read on for news from Illinois, our latest public records lawsuit, and how you can take action to protect journalism.

Enforce ICE restraining orders now

A federal judge in Chicago yesterday entered an order to stop federal immigration officers from targeting journalists and peaceful protesters, affirming journalists’ right to cover protests and their aftermath without being assaulted or arrested.

Judge Sara Ellis entered her ruling — which extended a similar prior order against Immigration and Customs Enforcement — in dramatic fashion, quoting everyone from Chicago journalist and poet Carl Sandburg to the Founding Fathers. But the real question is whether she’ll enforce the order when the feds violate it, as they surely will. After all, they violated the prior order repeatedly and egregiously.

Federal judges can fine and jail people who violate their orders. But they rarely use those powers, especially against the government. That needs to change when state thugs are tearing up the First Amendment on Chicago’s streets. We suspect Sandburg would agree.

Journalist Raven Geary of Unraveled Press summed it up at a press conference after the hearing: “If people think a reporter can’t be this opinionated, let them think that. I know what’s right and what’s wrong. I don’t feel an ounce of shame saying that this is wrong.”

Congratulations to Geary and the rest of the journalists and press organizations in Chicago and Los Angeles that are standing against those wrongs by taking the government to court and winning. Listen to Geary’s remarks here.

Journalists speak out about abductions from Gaza aid flotillas

We partnered with Defending Rights & Dissent to platform three U.S. journalists who were abducted from humanitarian flotillas bound for Gaza and detained by Israel.

They discussed the inaction from their own government in the aftermath of their abduction, shared their experiences while detained, and reflected on what drove them to take this risk while so many reporters are self-censoring.

We’ll have a write-up of the event soon, but it deserves to be seen in full. Watch it here.

FPF takes ICE to court over dangerous secrecy

We filed yet another Freedom of Information Act lawsuit this week — this time to uncover records on ICE’s efforts to curtail congressional access to immigration facilities.

“ICE loves to demand our papers but it seems they don’t like it as much when we demand theirs,” attorney Ginger Quintero-McCall of Free Information Group said.

If you are a FOIA lawyer who is interested in working with us pro bono or for a reduced fee on FOIA litigation, please email lauren@freedom.press.

Read more about our latest lawsuit here.

If Big Tech can’t withstand jawboning, how can individual journalists?

Last week, Sen. Ted Cruz convened yet another congressional hearing on Biden-era “jawboning” of Big Tech companies. The message: Government officials leaning on these multibillion-dollar conglomerates to influence the views they platform was akin to censorship.

Sure, the Biden administration’s conduct is worth scrutinizing and learning from. But if you accept the premise that gigantic tech companies are susceptible to soft pressure from a censorial government, doesn’t it go without saying that so are individual journalists who lack anything close to those resources?

We wrote about the numerous instances of “jawboning” of individual reporters during the current administration that Senate Republicans failed to address at their hearing. Read more here.

Tell lawmakers from both parties to oppose Tim Burke prosecution

Conservatives are outraged at Tucker Carlson for throwing softballs to neo-Nazi Nick Fuentes. But the Trump administration is continuing its predecessor’s prosecution of journalist Tim Burke for exposing Tucker Carlson whitewashing another antisemite — Ye, formerly known as Kanye West.

Lawmakers shouldn’t stand for this hypocrisy, regardless of political party. Tell them to speak up with our action center.

What we’re reading

FBI investigating recent incident involving feds in Evanston, tries to block city from releasing records (Evanston RoundTable). Apparently obstructing transparency at the federal level is no longer enough and the government now wants to meddle with municipal police departments’ responses to public records requests.

To preserve records, Homeland Security now relies on officials to take screenshots (The New York Times). The new policy “drastically increases the likelihood the agency isn’t complying with the Federal Records Act,” FPF’s Lauren Harper told the Times.

When your local reporter needs the same protection as a war correspondent (Poynter). Foreign war correspondents get “hostile environment training, security consultants, trauma counselors and legal teams. … Local newsrooms covering militarized federal operations in their own communities? Sometimes all we have is Google, group chats and each other.”

YouTube quietly erased more than 700 videos documenting Israeli human rights violations (The Intercept). “It is outrageous that YouTube is furthering the Trump administration’s agenda to remove evidence of human rights violations and war crimes from public view,” said Katherine Gallagher of the Center for Constitutional Rights.

Plea to televise Charlie Kirk trial renews Senate talk of cameras in courtrooms (Courthouse News Service). It’s past time for cameras in courtrooms nationwide. None of the studies have ever substantiated whatever harms critics have claimed transparency would cause. Hopefully, the Kirk trial will make this a bipartisan issue.

When storytelling is called ‘terrorism’: How my friend and fellow journalist was targeted by ICE (The Barbed Wire). “The government is attempting to lay a foundation for dissenting political beliefs as grounds for terrorism. And people like Ya’akub — non-white [or] non-Christian — have been made its primary examples. Both journalists; like Mario Guevara … and civilians.”

freedom.press/issues/time-to-e…

Last week, Sen. Ted Cruz convened yet another congressional hearing on Biden-era “jawboning” of Big Tech companies. The message: Government officials leaning on these multibillion-dollar conglomerates to influence the views they platform was akin to censorship. Officials may not have formally ordered the companies to self-censor, but they didn’t have to – businesspeople know it’s in their economic interests to stay on the administration’s good side.

They’re not entirely wrong. Public officials are entitled to express their opinions about private speech, but it’s a different story when they lead speakers to believe they have no choice but to appease the government. At the same time the Biden administration was making asks of social platforms, the former president and other Democrats (and Republicans) pushed for repealing Section 230 of the Communications Decency Act, the law that allows social media to exist.

It’s unlikely that the Biden administration intended its rhetoric around Section 230 to intimidate social media platforms into censorship. That said, it’s certainly possible companies made content decisions they otherwise wouldn’t have when requested by a government looking to legislate them out of existence. It’s something worth exploring and learning from.

But if you accept the premise — as I do — that gigantic tech companies with billions in the bank and armies of lawyers are susceptible to soft pressure from a censorial government, doesn’t it go without saying that so are individual journalists who lack anything close to those resources?

If it’s jawboning when Biden officials suggest Facebook take down anti-vaccine posts, isn’t it “jawboning” when a North Carolina GOP official tells ProPublica to kill a story, touting connections to the Trump administration? When the president calls for reporters to be fired for doing basic journalism, like reporting on leaks? When the White House and Pentagon condition access on helping them further official narratives? A good-faith conversation about jawboning can’t just ignore all of that.

Here are some more incidents Cruz and his colleagues have not held hearings about:

• A Department of Homeland Security official publicly accused a Chicago Tribune reporter of “interference” for the act of reporting where immigration enforcement was occurring. Journalism, in the government’s telling, constituted obstruction of justice. That certainly could lead others to tread cautiously when exercising their constitutional right to document law enforcement actions.
• Director of National Intelligence Tulsi Gabbard attacked Washington Post reporter Ellen Nakashima by name, suggesting her reporting methods — which is to say, calling government officials — were improper and reflected a media establishment “desperate to sabotage POTUS’s successful agenda.” Might that dissuade reporters from seeking comment from sources, or sources from providing such comment to reporters?
• When a journalist suggested people contact her on the encrypted messaging app Signal, an adviser to Defense Secretary Pete Hegseth said she should be banned from Pentagon coverage. The Pentagon then attempted to exclude her from Hegseth’s trip to Singapore. Putting aside the irony of Hegseth’s team taking issue with Signal usage, it’s fair to assume journalists are less likely to suggest sources lawfully contact them via secure technologies if doing so leads to government threats and retaliation.
• Bill Essayli, a U.S. attorney in California, publicly called a reporter “a joke, not a journalist” for commenting on law enforcement policies for shooting at moving vehicles. Obviously, remarks from prosecutors carry unique weight and have significant potential to chill speech, particularly when prosecutors make clear that they don’t view a journalist as worthy of the First Amendment’s protections for their profession.

Sources wanting to expose wrongdoing ... will think twice about talking to journalists who are known targets of an out-of-control administration.

There are plenty more examples — and that doesn’t even get into all the targeting of news outlets, from major broadcast networks to community radio stations. They may have more resources than individual reporters, but they’re nowhere near as well positioned to withstand a major spike in legal bills and insurance premiums as big social media firms (who this administration also jawbones to censor constitutionally protected content).

And hovering over all of this is President Donald Trump himself, whose social media feed doubles as an intimidation campaign against reporters. Our Trump Anti-Press Social Media Tracker documents hundreds of posts targeting not only news outlets but individual journalists. It’s documented over 3,500 posts. Unlike Biden-era “jawboning,” threats like these come from the very top — people in a position to actually carry them out. And unlike Biden’s administration, Trump’s track record makes the threat of government retribution real, not hypothetical.

Trump views excessive criticism of him as “probably illegal.” He has made very clear his desire for journalists to be imprisoned, sued for billions, and assaulted for reasons completely untethered to the Constitution, and has surrounded himself with bootlicking stooges eager to carry out his whims. “Chilling” is an understatement for the effect when a sitting president — particularly an authoritarian one — threatens journalists for doing their job.

It’s not only that these journalists don’t have the resources of Meta, Alphabet, and the like. They also have much more to lose. Tech companies might get some bad PR based on how they handle government takedown requests, but it’s unlikely to significantly impact their bottom line, particularly when news content comprises a small fraction of their business.

But journalists don’t just host news content, they create it. Their whole careers depend on their reputations and the willingness of sources to trust them. Sources wanting to expose wrongdoing, who often talk to journalists at great personal risk and try to keep a low profile, will think twice about talking to journalists who are known targets of an out-of-control administration.

Other news outlets might be reluctant to hire someone who has been singled out by the world’s most powerful person and his lackeys. Editors and publishers — already spooked about publishing articles that might draw a SLAPP suit or worse from Trump — will be doubly hesitant when the article is written by someone already on the administration’s public blacklist.

Unlike Biden’s antics, the Trump administration has cut out the middleman by directly targeting the speech and speakers it doesn’t like. And it wields this power against people with a fraction of the resources to fight back. If that’s not jawboning, what is?

freedom.press/issues/if-big-te…

In Piemonte anche l’accesso alle case popolari, dopo il vergognoso bonus Vesta, diventa terreno di scontro ideologico per l’Assessore regionale alla Casa Maurizio Marrone (Fratelli d’Italia).

Protagonista suo malgrado una donna migrante, a cui il giudice ha riconosciuto di essere stata discriminata da una legge regionale secondo cui, per ottenere un alloggio di edilizia popolare, l’inquilino deve essere titolare di un contratto di lavoro. Ma questo vale solo se straniero.

Di fronte a questa sentenza, Marrone non ha aperto una riflessione sull’ingiustizia della norma che viola le direttive europee sui diritti delle persone con e senza cittadinanza ed è in contrasto con la Costituzione italiana e con ogni principio di umanità, ma ha scelto di attaccare il giudice e rilanciare la retorica della “difesa degli Italiani” – sempre con la maiuscola – trasformando un bisogno sociale primario in uno strumento di propaganda.

Non si tratta di una svista o di una frase sfuggita. È una strategia politica coerente, che punta a dividere, individuare un nemico, far credere che alcuni abbiano più diritto di altri di accedere ai servizi e alle tutele sociali. Non è un incidente: è un progetto politico.

Siamo di fronte a una legge che discrimina in modo esplicito e deliberato chi vive in Piemonte ma non ha cittadinanza italiana. La legge che Marrone difende è fascista nei fatti. A questo punto non serve più chiedergli se lui e il suo partito lo siano o meno: sarebbe come chiedere a chi impone una discriminazione se si considera discriminatorio, e poi usare la sua risposta per stabilire la verità. La realtà si misura nelle scelte, nelle norme, nelle vite che colpiscono. Non nelle etichette che uno si appiccica o evita.

Le istituzioni dovrebbero garantire equità e sostegno, non alimentare divisioni né usare la povertà come terreno di scontro politico.

Come Possibile, anche grazie al lavoro della nostra consigliera regionale Giulia Marro, continueremo a lavorare perché vengano riconosciuti i diritti di tutti e tutte, senza distinzioni arbitrarie.

Piemonte Possibile

L'articolo Sulle case popolari in Piemonte l’assessore Marrone difende una norma discriminatoria proviene da Possibile.

#Ambiente #StopInceneritore #NoInceneritore #NoInceneritori #ZeroWaste #Rifiuti #Riciclo #EconomiaCircolare #NoAlCarbone #EnergiaPulita