This DIY lasertag project designed by [Nii], which he brought to Tokyo Maker Faire back in September, is a treasure trove. It’s all in Japanese and you’ll need to visit X (formerly Twitter) to see it, but the images do a fine job of getting the essentials across and your favorite translator tool will do a fair job of the rest.

There’s a whole lot to admire in this project. The swing-out transparent OLED display is super slick, the electronics are housed on a single PCB, the back half of the grip is in fact a portable USB power bank that slots directly in to provide power, and there’s a really smart use of a short RGB LED strip for effects.

The optical elements show some inspired design, as well. An infrared LED points forward, and with the help of a lens, focuses the beam tightly enough to make aiming meaningful. For detecting hits, the top of the pistol conceals a custom-made reflector that directs any IR downward into a receiver, making it omnidirectional in terms of hit sensing but only needing a single sensor.

Want to know more? Check out [Nii]’s earlier prototypes on his website. It’s clear this has been in the works for a while, so if you like seeing how a project develops, you’re in for a treat.

As for the choice of transparent OLED displays? They are certainly cool, and we remember how wild it looks to have several stacked together.

hackaday.com/2024/10/26/diy-la…

Un recente articolo China Times, un ex ingegnere di rete, un uomo di 37 anni di cognome Qiu, che ha lasciato il suo impiego per dedicarsi all’attività di scalping di biglietti per eventi di grande richiamo. Qiu, sfruttando le sue competenze informatiche, ha sviluppato un software automatizzato, noto anche come “bot”, per accaparrarsi biglietti di concerti e spettacoli con elevata richiesta, che poi rivendeva a prezzi maggiorati. Questo cambiamento di carriera gli ha permesso di ottenere guadagni significativi: solo con la vendita dei biglietti ha raggiunto un reddito di circa 300.000 yuan, spingendolo ad abbandonare il vecchio lavoro e dedicarsi completamente al nuovo business.

Qiu non si è fermato al singolo utilizzo del suo software, ma ha fondato un’organizzazione online chiamata “Scall Family”, che operava come una piattaforma per prenotazioni di biglietti per concerti e spettacoli di artisti di fama internazionale. Il software permetteva di accaparrarsi i biglietti non appena venivano resi disponibili, lasciando poche possibilità ai normali acquirenti di acquistare a prezzo di listino. Qiu si occupava poi di rivendere questi biglietti ad un prezzo notevolmente maggiorato. La sua rete è diventata popolare, attirando migliaia di clienti interessati ad accedere a eventi altrimenti sold-out.

In occasione dell’ultimo concerto di Jay Chou, Qiu ha ricevuto 36 ordini dai suoi clienti, raccogliendo un anticipo di oltre 300.000 yuan per i biglietti. Tuttavia, le sue attività non sono passate inosservate alle autorità, che avevano ricevuto segnalazioni su movimenti sospetti legati alla vendita di biglietti a prezzi elevati. La polizia di Pechino, dopo accurate indagini, ha rintracciato Qiu e ha condotto una perquisizione nella sua abitazione situata nel distretto di Xizhi. Durante il raid, le forze dell’ordine hanno trovato diverse prove delle sue attività illegali.

Tra i beni sequestrati nella sua abitazione figuravano 36 biglietti per il concerto di Jay Chou, 34 per “Ah Mei” Zhang Huimei, 4 per Jacky Cheung e numerosi biglietti per altri eventi importanti, insieme a dispositivi elettronici utilizzati per l’attività di scalping. Le autorità hanno inoltre rinvenuto documenti che indicano prenotazioni e transazioni con clienti. Tutto questo materiale è stato considerato rilevante per dimostrare la portata delle sue operazioni e l’entità del profitto generato dalle vendite scalper.

Interrogato dalla polizia, Qiu ha ammesso di aver venduto i biglietti a prezzi maggiorati, confermando che il suo reddito mensile medio era di circa 200.000 yuan. In occasione di concerti di artisti particolarmente famosi, come nel caso di Jay Chou, i guadagni potevano superare il milione di yuan (circa 130.000 euro al cambio attuale). L’uomo è stato arrestato e ora è accusato di violazione della “Legge sullo sviluppo delle industrie culturali e creative” e di falsificazione di documenti. Il caso è stato inviato in tribunale per ulteriori indagini e procedimenti giudiziari.

Cosa si intende per Scalping

Lo scalping di biglietti è una pratica che consiste nell’acquisto massiccio di biglietti per eventi molto richiesti – come concerti, spettacoli e competizioni sportive – con l’intento di rivenderli a un prezzo maggiorato. Gli scalper, o bagarini digitali, utilizzano strumenti avanzati come i bot, software automatizzati in grado di accaparrarsi biglietti in pochi secondi, bloccando spesso i normali utenti dall’acquisto. Grazie alla velocità e alla capacità di questi strumenti di simulare comportamenti umani, gli scalper riescono a esaurire i biglietti appena vengono resi disponibili, creando artificialmente una situazione di scarsità. Questo permette loro di rivendere i biglietti a prezzi gonfiati, guadagnando su ogni singola transazione.

Negli ultimi anni, lo scalping di biglietti è diventato un problema rilevante per organizzatori e spettatori. Gli spettatori pagano spesso cifre esorbitanti per assistere a eventi esauriti in pochi minuti, mentre i veri appassionati rischiano di perdere l’opportunità di partecipare. Molti paesi stanno introducendo regolamentazioni per contrastare questa pratica, come la limitazione dell’uso dei bot e il divieto di rivendere biglietti a prezzi gonfiati. Tuttavia, il fenomeno rimane difficile da controllare per via delle capacità tecnologiche sempre più sofisticate degli scalper e della domanda elevata per eventi esclusivi.

L'articolo Lascia il Lavoro per Diventare uno Scalper Milionario. La Storia di Qiu, ingegnere Cinese proviene da il blog della sicurezza informatica.

Nvidia ha rilasciato patch urgenti che risolvono almeno otto vulnerabilità nei driver GPU per Windows e Linux, nonché nel software per GPU virtuali (vGPU).

Sono state rilevate diverse vulnerabilità nei driver grafici Nvidia per Windows che consentono la lettura fuori dai limiti per un utente non privilegiato. I problemi sono stati identificati da CVE-2024-0117 a CVE-2024-0121 e potrebbero essere utilizzati per eseguire codice arbitrario, escalation di privilegi, DoS, fuga di informazioni e falsificazione di dati.

Un’altra vulnerabilità, identificata come CVE-2024-0126, ha interessato i driver GPU per Windows e Linux e ha consentito a un utente malintenzionato privilegiato di aumentare i propri privilegi, il che potrebbe portare alle stesse conseguenze sopra elencate.

Nvidia ha rilasciato aggiornamenti per GeForce, NVIDIA RTX, Quadro, NVS e Tesla e ha risolto le vulnerabilità elencate nei rami dei driver R565, R560, R555, R550 e R535 per Windows e nei rami dei driver R565, R550 e R535 per Linux.

Si noti che le vulnerabilità potrebbero interessare le versioni precedenti dei driver, pertanto si consiglia agli utenti di eseguire l’aggiornamento alla versione più recente il prima possibile.

L’azienda ha inoltre risolto due vulnerabilità nel software vGPU. È stato rilevato un bug nel driver del kernel GPU di vGPU Manager (CVE-2024-0127) che ha consentito a “un utente del sistema operativo guest di causare una convalida errata dell’input compromettendo il kernel del sistema operativo guest”. Il secondo bug è stato scoperto nello stesso vGPU Manager (CVE-2024-0128) e “permetteva all’utente del sistema operativo guest di accedere alle risorse globali”.

Sebbene entrambi i problemi possano portare all’escalation dei privilegi, alla fuga di informazioni e alla modifica dei dati, la prima vulnerabilità potrebbe essere utilizzata anche per eseguire codice arbitrario e causare un rifiuto di servizio (DoS).

È stato riferito che i bug sono stati corretti come parte delle versioni Nvidia vGPU 17.4 e 16.8 e le patch sono state incluse anche nella versione di ottobre di Nvidia Cloud Gaming.

L'articolo Nvidia Rilascia Patch Urgenti! Risolte Gravi Vulnerabilità nei Driver GPU per Windows e Linux proviene da il blog della sicurezza informatica.

It’s a staple of spy thriller movies, that the protagonist has some kind of electronic scanner with which he theatrically searches his hotel room to reveal the bad guys’ attempt to bug him. The bug of course always had a flashing LED to make it really obvious to viewers, and the scanner was made by the props department to look all cool and futuristic.

It’s not so far-fetched though, while bugs and hidden cameras in for example an Airbnb may not have flashing LEDs, they still emit RF and can be detected with a signal strength meter. That’s the premise behind [RamboRogers]’ RF hunter, the spy movie electronic scanner made real.

At the rear of the device is an ESP32, but the front end is an AD8317 RF detector chip. This is an interesting and useful component, in that it contains a logarithmic amplifier such that it produces a voltage proportional to the RF input in decibels. You’ll find it at the heart of an RF power meter, but it’s also perfect for a precision field strength meter like this one. That movie spy would have a much higher chance of finding the bug with one of these.

For the real spies of course, the instruments are much more sophisticated.

hackaday.com/2024/10/26/rf-det…

Mentre la Cina ha da tempo implementato il Great Firewall of a China e il Great Cannon (sistemi statali di censura e di “bombardamento” dei siti non coerenti alle idee del partito), e la Russia si sta dotando di un Big Scanner!

Ma che cos’è il Big Scanner?

Sebbene questi paesi abbiano ideologie diverse, c’è sempre qualcosa da imparare. Un sistema statale di scansione e monitoraggio delle vulnerabilità nei sistemi governativi potrebbe rivelarsi una scelta strategica anche per l’Italia, rafforzando la postura cyber del Paese e proteggendo le infrastrutture critiche nazionali. Questa si chiama intelligence: capire cosa fanno gli altri per migliorarsi, raccogliere informazioni strategiche e adottare misure preventive.

Ma scopriamo di cosa si tratta.

Nel 2024, il sistema “Security Scanner” Russo, operando in modalità test, ha rilevato oltre 26mila vulnerabilità critiche, come riportato da Sergei Khutortsev, direttore del Centro per il monitoraggio e la gestione della rete di comunicazioni pubbliche (CMU SSOP) di Roskomnadzor.

Al forum “Spectrum 2024”, il capo del Centro SSOP ha parlato del compito principale del sistema: pulire il segmento russo di Internet da software dannoso e dispositivi infetti. L’enfasi principale è posta sul rilevamento rapido degli errori amministrativi, dei database non protetti su Internet, delle porte e delle risorse vulnerabili, più velocemente dei partner occidentali.

Secondo le informazioni della presentazione, più di 300 organizzazioni hanno ricevuto notifiche di potenziali minacce. Il sistema genera automaticamente raccomandazioni per eliminare i problemi identificati e invia notifiche ai proprietari dei sistemi informativi, agli operatori di telecomunicazioni e ai fornitori di hosting.

Il lavoro sul progetto viene svolto in collaborazione con le autorità di regolamentazione, l’FSB e l’FSTEC della Russia.

Khutortsev ha aggiunto che una volta identificate le vulnerabilità, viene monitorata la velocità della loro eliminazione.

Se non c’è risposta da parte del proprietario agli avvisi, esistono meccanismi che consentono di bloccare le vulnerabilità a livello di mezzi tecnici per contrastare le minacce, sia temporaneamente che permanentemente. Secondo Khutortsev, tali misure avranno un impatto positivo sul livello generale di sicurezza.

L'articolo Un Vulnerability Assessment di Stato per la Sicurezza Nazionale? Anche l’Italia ne ha urgente bisogno! proviene da il blog della sicurezza informatica.

As natural as walking is to us tail-less bipedal mammals, the fact of the matter is that it took many evolutionary adaptations to make this act of controlled falling forward work (somewhat) reliably. It’s therefore little wonder that replicating bipedal walking (and running) in robotics is taking a while. Recently a Chinese humanoid robot managed to bump up the maximum running speed to 3.6 m/s (12.96 km/h), during a match between two of Robot Era’s STAR1 humanoid robots in the Gobi desert.

For comparison, the footspeed of humans during a marathon is around 20 km/h and significantly higher with a sprint. These humanoid robots did a 34 minute run, with an interesting difference being that one was equipped with running shoes, which helped it reach these faster speeds. Clearly the same reasons which has led humans to start adopting footwear since humankind’s hunter-gatherer days – including increased grip and traction – also apply to humanoid robots.

That said, it looks like the era when humans can no longer outrun humanoid robots is still a long time off.

youtube.com/embed/qw2y0kceAv0?…

hackaday.com/2024/10/26/chines…

Il CERT-AGID ha rilevato recentemente una campagna malevola volta alla diffusione del trojan XWorm RAT, distribuito tramite false email camuffate da comunicazioni ufficiali del gestore Namirial.

L’email, redatta in italiano, invita l’utente a visualizzare un documento PDF allegato e, nel caso in cui il file non si apra correttamente, suggerisce di utilizzare un link alternativo presente nel corpo del messaggio.
Email utilizzata per la campagna XWorm RAT
In realtà, il file PDF funge da esca, poiché è protetto da password. Questo porta la vittima a cliccare sull’unico link alternativo disponibile che avvia il download di un archivio ZIP, ospitato su Dropbox, contenente un file URL. Da qui ha inizio la catena di compromissione.
PDF protetto da password
Il file URL sfrutta la funzionalità TryCloudflare che consente agli attaccanti di creare tunnel temporanei verso server locali e testare il servizio senza necessità di un account Cloudflare.

Ogni tunnel genera un sottodominio casuale sul dominio trycloudflare.com, utilizzato per instradare il traffico attraverso la rete di Cloudflare verso il server locale.
File su TryCloudflare
Il file URL procede quindi al download di un file BAT, offuscato tramite lo strumento BatchShield. Questo può essere facilmente deoffuscato utilizzando un tool specifico denominato BatchShield decryptor.
BAT Offuscato BAT Deoffuscato
A questo punto, il procedimento è ben noto, essendo già stato osservato in campagne precedenti. Viene scaricato un ulteriore archivio ZIP contenente l’interprete Python, utilizzato per eseguire gli script malevoli già inclusi nell’archivio. Questo processo porta al rilascio di uno dei seguenti malware: AsyncRAT, DCRat, GuLoader, VenomRAT, Remcos RAT o, come nel caso attuale, XWorm.

Indicatori di Compromissione

Al fine di rendere pubblici i dettagli della campagna odierna si riportano di seguito gli IoC rilevati:

Link: Download IoC

L'articolo Attenzione Italia! le false email di Namirial portano più guai di una Fattura Salata! proviene da il blog della sicurezza informatica.

Le controversie legali sulla divisione dei beni degli influencer dei social media si rivelano sempre più complesse e confuse. La situazione che Kat e Mike Stickler hanno dovuto affrontare dopo il divorzio è stata un esempio calzante. Uno dei maggiori asset dell’ex coppia, l’account “MikeAndKat” su TikTok e YouTube, ha attirato quasi 4 milioni di follower e nessuno sapeva come dividere equamente il profilo tra gli ex coniugi.

Secondo Kat, il giudice nel processo di divorzio non ha capito immediatamente come valutare il valore del conto, perché “questo è un settore completamente nuovo”. Il reddito principale della coppia, come quello di milioni di altri americani, proveniva dai social network, ma le loro attività sono più complesse del classico lavoro. Le pubblicazioni per un pubblico di milioni richiedono un’attenzione costante, poiché qualsiasi cambiamento nel contenuto può comportare la perdita di abbonati e, nel caso di una coppia, anche di reddito.

Gli avvocati che cercano di valutare il valore dei conti incontrano difficoltà molto maggiori rispetto alla divisione dei beni. Il successo di un account può dipendere direttamente da chi lo gestisce. In tribunale, Kat ha sottolineato che se il conto rimane con lei, continuerà a crescere. E Kat aveva ragione: dopo il divorzio ha cambiato il nome del canale in “KatStickler” e ha aumentato il numero di abbonati a quasi 10,5 milioni. Inoltre, la presenza di Kat su Instagram, YouTube e Facebook ha raggiunto un totale di 3 milioni di abbonati e le entrate derivanti dai suoi canali le hanno permesso di acquistare un appartamento e investire in una piccola impresa.

Mike ha un canale YouTube, che ora è praticamente inattivo, e lui stesso ora lavora nelle vendite.

L’industria degli influencer sulle piattaforme social sta crescendo rapidamente. Negli Stati Uniti, 27 milioni di persone lavorano come creatori di contenuti e per il 44% questa è la loro unica fonte di reddito. Il reddito principale di queste persone proviene da accordi pubblicitari e nel 2023 i marchi americani hanno pagato 26 miliardi di dollari per promuovere prodotti tramite i blogger. Allo stesso tempo, il valore dei conti tiene conto non solo dei redditi correnti, ma anche del loro potenziale, e ciascun coniuge deve giustificare il proprio ruolo in questo.

Quando gestiscono un account insieme, è difficile per gli ex coniugi valutare chi si è impegnato di più nella creazione del contenuto, chi ha avuto più idee o chi ha dedicato più tempo alla modifica. In alcuni casi, un partner è la forza trainante dell’intero account, il che complica notevolmente la procedura di sezione del profilo.

Il contenzioso tra individui ha portato all’emergere di nuovi approcci legali. Alcune coppie, come Reza e Pooja Khan, che condividono un pubblico di cinque milioni di persone, lo vedono come un progetto comune e preferiscono assumere consulenti finanziari per gestire il loro reddito in rapida crescita. Tuttavia, l’idea di dividere il loro “impero” rimane una prospettiva lontana.

La situazione può essere complicata per coloro che hanno reso popolari le relazioni personali o la vita familiare, poiché il divorzio cambia la percezione del pubblico e può avere un impatto negativo sugli affari. In alcuni casi, gli ex partner rinominano gli account per prendere le distanze dalla loro immagine passata, ma ciò comporta anche dei rischi.

Inoltre, una delle blogger, Vivian Tu, nota per i post sull’alfabetizzazione finanziaria, è consapevole della natura a breve termine di una carriera nei social network, che ricorda lo sport: la popolarità può essere persa a causa di cambiamenti negli algoritmi o della partenza del pubblico per altre tendenze. Tu si sta preparando alla vita fuori dalle piattaforme creando ulteriori fonti di reddito: scrivendo un libro e ospitando un podcast. Tu ha anche stipulato un accordo prematrimoniale che includeva i suoi conti per proteggere i suoi beni personali da potenziali controversie.

I contenziosi sulla divisione delle risorse nello spazio digitale dimostrano che i risultati di carriera nei social network oggi non sono inferiori alle tradizionali aree di business in termini di impatto sulla vita finanziaria e personale.

L'articolo Divorzio sui Social Network! Chi ottiene la custodia dei follower? proviene da il blog della sicurezza informatica.

For fans of retro games, Pac-Man is nothing short of iconic—a game so loved it’s been ported to nearly every console imaginable. But the Atari 2600 version, released in 1982, left players scratching their heads – as laid out in a video by [Almost Something]. Atari had licensed Pac-Man to ride the wave of its arcade success, but the home version, programmed solely by [Todd Fry], missed the mark, turning an arcade icon into a surprising lesson in over-ambitious marketing.

Despite the hype, [Fry] faced an almost impossible task: translating Pac-Man’s detailed graphics and complex gameplay to the Atari’s limited 4 K cartridge with only 128 bytes of RAM. Atari’s strict limitations on black backgrounds and its choice to cut costs by sticking with a 4 K cartridge left the game barely recognizable. The famous pellet-chomping maze became simpler, colors were changed, and the iconic ghosts—reduced to single colors—flickered constantly. And then, Atari went all in, producing twelve million copies, betting on the success of universal appeal. In a twist, Pac-Man did sell in record numbers (over seven million copies) but still fell short of Atari’s expectations, leaving millions of unsold cartridges eventually dumped in a New Mexico landfill.

This debacle even kind of marked Atari’s 1983 decline. Still, Pac-Man survived the hiccup, evolving and outlasting its flawed adaptation on the 2600. If you’re interested in learning more about the ins and outs of game ports, check out the fantastic talk [Bob Hickman] gave during Supercon 2023.

youtube.com/embed/kgK22XF9FgQ?…

hackaday.com/2024/10/25/ataris…

From the earliest days of warfare, it’s never been enough to be able to build a deadlier weapon than your enemy can. Making a sharper spear, an arrow that flies farther and straighter, or a more accurate rifle are all important, but if you can’t make a lot of those spears, arrows, or guns, their quality doesn’t matter. As the saying goes, quantity has a quality of its own.

That was the problem faced by Britain in the run-up to World War II. In the 1930s, Rolls-Royce had developed one of the finest pieces of engineering ever conceived: the Merlin engine. Planners knew they had something special in the supercharged V-12 engine, which would go on to power fighters such as the Supermarine Spitfire, and bombers like the Avro Lancaster and Hawker Hurricane. But, the engine would be needed in such numbers that an entire system would need to be built to produce enough of them to make a difference.

“Contribution to Victory,” a film that appears to date from the early 1950s, documents the expansive efforts of the Rolls-Royce corporation to ramp up Merlin engine production for World War II. Compiled from footage shot during the mid to late 1930s, the film details not just the exquisite mechanical engineering of the Merlin but how a web of enterprises was brought together under one vast, vertically integrated umbrella. Designing the engine and the infrastructure to produce it in massive numbers took place in parallel, which must have represented a huge gamble for Rolls-Royce and the Air Ministry. To manage that risk, Rolls-Royce designers made wooden scale models on the Merlin, to test fitment and look for potential interference problems before any castings were made or metal was cut. They also set up an experimental shop dedicated to looking at the processes of making each part, and how human factors could be streamlined to make it easier to manufacture the engines.

With prototype engines and processes in hand, Rolls-Royce embarked on a massive scale-up to production levels. They built huge plants in Crewe and Glasgow, hopefully as far from the Luftwaffe’s reach as possible. They also undertook a massive social engineering effort, building a network of training institutions tasked with churning out the millions of skilled workers needed. Entire towns were constructed to house the workers, and each factory had its own support services, including fire brigade and medical departments.

As fascinating as the engineering behind the engineering is, the film is still a love letter to the engine itself, of which almost 150,000 copies would eventually be manufactured. The casting processes are perhaps the most interesting, but there’s eye candy aplenty for Merlin fans at every stage of production. We were also surprised to learn that Rolls-Royce took the added step of mounting finished Merlins in the cowlings needed for the various planes they were destined for, to ensure that the engine would be properly integrated with the airframe. This must have been a huge boon to groundcrews out in the field; being able to bolt a new nose on a Spitfire and get it back in the fight with a spanking new Merlin was probably key to victory in the Battle of Britain.

youtube.com/embed/-fo7SmNuUU4?…

hackaday.com/2024/10/25/retrot…

Are you ready to elevate your interactive possibilities without breaking the bank? If so, explore [Caio Bassetti]’s tutorial on creating a full 3D hand controller using only a webcam, MediaPipe Hands, and Three.js. This hack lets you transform a 2D screen into a fully interactive 3D scene—all with your hand movements. If you’re passionate about low-cost, accessible tech, try this yourself – not much else is needed but a webcam and a browser!

The magic of the project lies in using MediaPipe Hands to track key points on your hand, such as the middle finger and wrist, to calculate depth and positioning. Using clever Three.js tricks, the elements can be controlled on a 3D axis. This setup creates a responsive virtual controller, interpreting hand gestures for intuitive movement in the 3D space. The hack also implements a closed-fist gesture to grab and drag objects and detects collisions to add interactivity. It’s a simple, practical build and it performs reliably in most browsers.

For more on this innovation or other exciting DIY hand-tracking projects, browse our archive on gesture control projects, or check out the full article on Codrops. With tools such as MediaPipe and Three.js, turning ideas into reality gets more accessible than ever.

hackaday.com/2024/10/25/diy-3d…

Sei individui sono stati arrestati dai Carabinieri del Nucleo Investigativo di Varese, accusati di aver sottratto dati e informazioni classificate da diverse “Banche Dati Strategiche Nazionali“.

Tra queste informazioni sensibili di Sdi, Serpico, e Inps, esfiltrare per scopi economici e personali. A quattro di loro è stato imposto l’arresto domiciliare, mentre altri due sono stati soggetti a misure interdittive.

L’inchiesta è condotta dai magistrati Francesco De Tommasi e Gianluca Prisco della Direzione Distrettuale Antimafia di Milano, sotto la supervisione del procuratore Marcello Viola, come confermato da un comunicato della Procura.

Si ipotizza che le informazioni siano state trafugate su commissione e poi vendute, includendo dati riservati riguardanti anche esponenti politici.

Gli indagati, destinatari delle misure cautelari, comprenderebbero ex membri delle forze dell’ordine, hacker e consulenti informatici.

Sembrerebbe che tutte le attività che venivano svolte dal gruppo erano fatte su commissione e tra queste c’erano anche degli esponenti politici Non ancora precisare.

Per sabato 26 ottobre è convocata una conferenza stampa alla quale parteciperà anche il procuratore nazionale antimafia e antiterrorismo, Giovanni Melillo.

L'articolo Ex membri delle Forze Dell’ordine Italiane Sottraggono Dati Strategici Nazionali proviene da il blog della sicurezza informatica.

Unless you spend all your time lounging on the sofa, you probably own at least one pair of shoes. But have you ever thought to make your own to improve some aspect of your life? YouTube channel Answer in Progress set out to do precisely that, but it didn’t quite work out.

When you (well, other people) get into running, it’s tempting to believe a lot of the shoe company hype and just drop hundreds of dollars on the latest ‘super shoe’ and hope that will help you break your target time. But do you actually need to buy into all this, or can you make something yourself? The project aimed to get the 5k time down significantly, at any cost, but primarily by cheating with technology. The team set out to look at the design process, given that there is indeed a fair amount of science to shoe design. Firstly, after a quick run, the main issues with some existing shoes were identified, specifically that there are a lot of pain points; feet hurt from all the impacts, and knees take a real pounding, too. That meant they needed to increase the sole cushioning. They felt that too much energy was wasted with the shoes not promoting forward motion as much as possible; feet tended to bounce upwards so that a rocker sole shape would help. Finally, laces and other upper sole features cause distraction and some comfort issues, so those can be deleted.
A thicker mid-sole allows for a rolled shape
The plan was to make a ‘sock’ shoe style, with an upper in one piece and stretchy enough to slip on without laces. The process started by wrapping the foot in cling film and then a few layers of duct tape to fix the shape. This was split down the top to extract the foot, open out the pattern, and transfer it to some nylon fabric. The outer profile was transferred and cut out with simple hand tools in a fashion that would allow the shape to be reconstructed as it was glued to a sole. It sounds simple, but it’s pretty fiddly work.

The latest running shoes use specialised rubber materials for the midsole. The solid foam wedge between the outer rubber and the inner sole cushions the foot. Those materials are only a few per cent ‘better’ than much more accessible foams that can be 3D printed. After sculpting a sole shape by hand using Blender, a friend 3D printed it. After that, the upper part was glued and ready for a test run. Which didn’t last long. It turned out that the lack of a stable heel counter (the bit around the back) that helps lock the heel in place meant the foot was too loose in the shoe, causing potential issues such as an ankle roll. That would be not good. A follow-up session with a sports-focused chiropodist demonstrated that all this was rather pointless before the fundamental issues of strength and fitness were addressed. So, whilst it was fun to see an attempt to beat the big boys at their own game, it sure isn’t easy to pull it off, especially if you can’t get off the sofa.

The invention of flexible 3D printing filaments spurred the development of a wide range of 3D-printed footwear, like these low-poly beauties. While we’re 3D printing shoes, we also need some lace locks. Finally, with winter approaching for us Northerners, perhaps it’s time to run off a pair of 3D-printed strap-on cleats.

youtube.com/embed/AiG_yD0Jf8Y?…

Thanks to [fluffy] for the tip!

hackaday.com/2024/10/25/can-yo…

Whilst microwave plasmas are nothing new around here, we were curious to see what happens at 20x the power, and since YouTuber [Styropyro] had put out a new video, we couldn’t resist seeing where this was going. Clearly, as your bog standard microwave oven can only handle at most one kilowatt; the ‘oven’ needed a bit of an upgrade.
A 16 kW water-cooled magnetron. Why not over-drive it to 20 kW for fun?
Getting hold of bigger magnetrons is tricky, but as luck — or perhaps fate — would have it, a 16 kW, water-cooled beast became available on eBay thanks to a tip from a Discord user. It was odd but perhaps not surprising that this Hitatch H0915 magnetron was being sold as a ‘heat exchanger.’

[Styropyro] doesn’t go into much detail on how to supply the anode with its specified 16 kW at 9.5 kVDC, but the usual sketchy (well down-right terrifying) transformers in the background indicate that he had just what was needed kicking around the ‘shop. Obviously, since this is a [Styropyro] video, these sorts of practical things have been discussed before, so there is no need to waste precious time and get right on to blowing stuff up!

Some classic microwave tricks are shown, like boiling water in five seconds, cooking pickles (they really do scream at 20 kW) and the grape-induced plasma-in-a-jar. It was quite clear that at this power level, containing that angry-looking plasma was quite a challenge. If it was permitted to leak out for only a few seconds, it destroyed the mica waveguide cover and risked coupling into the magnetron and frying it. Many experiments followed, a lot of which seemed to involve the production of toxic brown-colored nitrogen dioxide fumes. It was definitely good to see him wearing a respirator for this reason alone!
Is it purple or is it indigo? Beauty is in the eye of the beholder!
The main star of the demonstration was the plasma-induced emissions of various metal elements, with the rare indigo and violet colors making an appearance once the right blend of materials was introduced into the glassware. Talking of glassware, we reckon he got through a whole kitchen’s worth. We lost count of the number of exploded beakers and smashed plates. Anyway, plasma science is fun science, but obviously, please don’t try any of this at home!

For those who didn’t take an ‘electron devices’ course at college, here’s a quick guide to how magnetrons work. Plasma physics is weird; here’s how the plasma grape experiment works. Finally, this old hack is a truly terrible idea. Really don’t do this.

youtube.com/embed/mg79n_ndR68?…

hackaday.com/2024/10/25/upgrad…

Even if you are relatively young, you can probably think back on what TV was like when you were a kid and then realize that TV today is completely different. Most people watch on-demand. Saturday morning cartoons are gone, and high-definition digital signals are the norm. Many of those changes are a direct result of the Internet, which, of course, changed just about everything. Ham radio is no different. The ham radio of today has only a hazy resemblance to the ham radio of the past. I should know. I’ve been a ham for 47 years.

You know the meme about “what people think I do?” You could easily do that for ham radio operators. (Oh wait, of course, someone has done it.) The perception that hams are using antique equipment and talking about their health problems all day is a stereotype. There are many hams, and while some of them use old gear and some of them might be a little obsessed with their doctor visits, that’s true for any group. It turns out there is no “typical” ham, but modern tech, globalization, and the Internet have all changed the hobby no matter what part of it you enjoy.

Radios

One of the biggest changes in the hobby has been in the radio end. Hams tend to use two kinds of gear: HF and VHF/UHF (that’s high frequency, very high frequency, and ultra-high frequency). HF gear is made to talk over long distances, while VHF/UHF gear is for talking around town. It used to be that a new radio was a luxury that many hams couldn’t afford. You made do with surplus gear or used equipment.

Globalization has made radios much less expensive, while technological advances have made them vastly more capable. It wasn’t long ago that a handy-talkie (what normal folks would call a walkie-talkie) would be a large purchase and not have many features. Import radios are now sophisticated, often using SDR technology, and so cheap that they are practically disposable. They are so cheap now that many hams have multiples that they issue to other hams during public service events.

Because these cheap ($20-$40) radios often use SDR, they can even be hacked. These radios aren’t typically the highest quality if you are used to repurposed commercial gear, but when you can replace the radio for $20, it hardly matters.

HF radios are a different story. Thanks to software-defined radio, superpowerful computers, and FPGAs, even relatively inexpensive HF radios have features that would have seemed like magic when I first got my license.
The ICOM IC-7300 is considered a “starter” radio!
While some hams like to build gear or use simple or older gear, modern transceivers, like the IC-7300 from Icom shown here, have incredible RF filtering done in software, spectrum analyzers, and scopes built in. The 7300, by the way, isn’t considered a “top of the line” radio by any means. But it has features that would have been a dream on a state of the art unit before the advent of DSP.

Having these kind of tools changes how you operate. In the old days, you’d tune around to see if you could hear anyone. Now, glancing at the screen will show you all the signals on a band and how strong they are. Touch one, and you tune it in immediately. Digital noise reduction is very helpful these days with so much interference, and, of course, you can control the whole thing from a PC if you want to.

The receivers are exceptional compared to what even a high-end radio would offer a few decades ago. Specialized filters used to be expensive and limited in options. Now, you can design any filter you want on the fly and it will be nearly perfect.

Granted, these radios aren’t in the impulse buy category like the handheld radios. Still, you can find them new for around $1,000 and used for less. There are also other similar radios for much less. Just as you can buy imported handheld VHF and UHF radios, there are imported HF radios that put out a lower wattage (20 watts vs 100 watts is typical). These still have plenty of features, and you can get them for about half the cost of the name-brand 100W rigs. [K4OGO] has a video (see below) about several popular radios in that price range and you’ll notice that many of them have similar displays.

youtube.com/embed/1lVU1eN1X_g?…

Digital Modes

Paradoxically, you might not need as hot a receiver, or as big of an antenna, or as much power as you might think. Hams have long known that voice communication is inefficient. Morse code could be the earliest form of digital radio communication, allowing a proficient operator to copy signals that would never make a voice contact. However, hams have also long used other digital modes, including TeleType, which is more convenient but less reliable than a good Morse code operator.

That changed with computer soundcards. Your computer can pull signals out of a hash that you would swear was nothing but noise. Modern protocols incorporate error detection and correction, retries, and sophisticated digital signal processing techniques to pull information from what appears to be nowhere.

What kind of sound card do you need? Almost any modern card will do it, but if you have the Icom IC-7300 pictured above, you don’t need one. It turns out, it is a sound card itself. When you plug it into a PC, it offers audio in and out for ham radio programs. It can even send IQ signals directly to the PC for common SDR programs to work with.

Some digital modes are conversational. You can use them like you might a radio-based chat room to talk to people you know or people you’ve just met. However, some modes are more specialized and optimized to make and confirm contact.

Computer Logging

There was a time when every ham had a log book — a notebook to write down contacts — and a stack of QSL cards. Operators would exchange cards in the mail to confirm contact with each other. Many of the cards were interesting, and collecting enough cards could earn an award (for example, working all 50 US states or over 100 foreign countries).

Things are different now. Many people use a computer to track their contacts. While you could just use a spreadsheet, there are many ways to log and — more importantly — share logs online.

The advantage is that when you make a contact and enter into the system, it can match your entry up with your partner’s entry and immediately confirm the contact. This isn’t perfect, because there are several systems people use, but it is possible to interoperate between them. No more waiting for the mail.

DX and Propagation

I mentioned that having a display of the entire ham band changes how you operate. But there is even more help out there. Many people enjoy working rare foreign stations or special event stations held at parks or historical locations. These days, if you hear a station like that on the air, you can report it on the Internet so other people can find them. In some cases, the operator will report themselves, even.
A real-time view of beacon reception across the globe.
Suppose you want to make contact with someone in Kenya because you haven’t done it, and you are working towards an award that counts how many countries you’ve contacted. Instead of searching endlessly, you can simply watch the Internet for when a station from that country appears. Then turn on your radio, use the digital tuning to go exactly to their frequency, and try your luck.

Of course, radio propagation isn’t foolproof. But you can use beacons to determine how propagation is near you. There are many tools to manipulate the beacon data to better understand radio conditions. In fact, if you use digital modes or Morse code, you can find out who’s hearing you on the Internet, which can be very useful.

Why Not You?

Some old hams say the Internet is ruining ham radio. I say it is changing ham radio just like it has changed virtually everything else. Some of those changes aren’t that drastic anyway. For years, people chasing awards, trying to work long distances, or participating in contests have very short contacts. You typically would exchange your name, location, and how strong your signal is and then make way for the next person to make contact. The digital mode FT8 automates all that. It is true that it isn’t very personal, but those kinds of contacts were never personal to start with.

What’s more is that you don’t have to use any of this if you don’t want to. I operate a lot of Morse code with no mechanical assistance. If I hear a big pileup, I might go look at the computer to see who has been spotted on that frequency. But I don’t have to. I could figure it out the old-fashioned way.

Hams work with advanced signal processing software, satellites, moon bounce, support communities, design antennas, foster school education, work during disasters, and push the envelope on microwave communication. No matter what your interests, there’s something you’ll enjoy doing. For many years now, you don’t even have to pass a test for Morse code, so if you didn’t want to learn the code, you don’t have to.

In many ways, hams were the original hackers, and you might be surprised by how many hackers you know who are hams already. I don’t know what ham radio will look like in the year 2100, but I know it will be pushing the limits of technology, somehow.

hackaday.com/2024/10/25/ham-ra…

With the 2024 Hackaday Supercon looming large on the horizon, Editors Elliot Williams and Tom Nardi start this episode off by talking about this year’s badge and its focus on modular add-ons. From there they’ll go over the results of a particularly challenging installment of What’s that Sound?, discuss a promising DIY lathe that utilizes 3D printed parts filled with concrete, and ponder what the implosion of Redbox means for all of their disc-dispensing machines that are still out in the wild.

You’ll also hear about custom macropads, lifting SMD pins, and how one hacker is making music with vintage electronics learning kits. Finally, they’ll reassure listeners that the shifting geopolitical landscape probably won’t mean the end of Hackaday.io anytime soon, and how some strategically placed pin headers can completely change how you approach designing your own PCBs.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download in DRM-free MP3.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 294 Show Notes:

News:

• The 2024 Hackaday Supercon SAO Badge Reveal

What’s that Sound?

• Congrats to [I can see the sounds] for guessing the HAARP.

Interesting Hacks of the Week:

• A 3D Printed, Open Source Lathe?
  
  • Precision CNC With Epoxy Granite
  • Experiments In Creating The Best Epoxy Granite

  
  

• Redbox Is Dead, But The Machines Are Kind Of Hanging On
  
  • Redbox hack reveals customer info. from 2K rentals – Ars Technica
  • Foone: “the unit I’ve got an image for has records going …” – digipres.club

  
  

• Libre Space Foundation Aims To Improve Satellite Tech
  
  • Flying The First Open Source Satellite
  • 32C3: So You Want To Build A Satellite?
  • Open Source CubeSats Ease The Pain Of Building Your Own
  • How To Build A CubeSat
  • SatNOGS – Global Network of Ground Stations

  
  

• Keeping Tabs On An Undergraduate Projects Lab’s Door Status
• DIY Air Bearings, No Machining Required
  
  • Learn 40 Years Of Mech Prototyping At Lightspeed
  • High-Precision Air Bearing CNC Lathe And Grinder

  
  

• I2C The Hard Way

Quick Hacks:

• Elliot’s Picks:
  
  • 3D Printed Tires, By The Numbers
  • Zero To Custom MacroPad In 37 Easy Steps
  • Make Your Own Remy The Rat This Halloween

  
  

• Tom’s Picks:
  
  • Give Your SMD Components A Lift
  • 75-In-One Music
  • Figuring Out The Most Efficient Way To Reuse Bags Of Desiccant

  
  

Can’t-Miss Articles:

• Will .IO Domain Names Survive A Geopolitical Rearrangement?
• Hacker Tactic: Building Blocks
  
  • Power Supply PCB Redesign

  
  

hackaday.com/2024/10/25/hackad…

Un gruppo di scienziati ha sviluppato un metodo per registrare informazioni digitali sulle molecole di DNA che è 350 volte più veloce della tecnologia esistente. Lo studio dimostra un nuovo modo di archiviare i dati utilizzando la modifica epigenetica del DNA. Gli esperti sono fiduciosi che questa tecnologia possa aprire la strada alla creazione di sistemi biomolecolari per l’archiviazione reale delle informazioni.

Sulla base della ricerca, gli scienziati affermano che una molecola di DNA umano può potenzialmente immagazzinare fino a 215.000 terabyte di informazioni, il che ha da tempo attirato l’attenzione della comunità scientifica sul DNA come promettente vettore di dati digitali.
a , Illustrazione del meccanismo di memorizzazione delle informazioni epigenetiche. b , Schema per la programmazione di tipi mobili di DNA. c , Composizione tipografica programmabile di autoassemblaggio di DNA. Le informazioni di modifica vengono composte programmando tipi mobili di DNA che trasportano specifici epi-bit. d , La stampa parallela viene eseguita dalla catalisi DNMT1 guidata dall’autoassemblaggio di DNA per scrivere selettivamente epi-bit sui modelli di DNA. e , Sequenziamento di nanopori di modelli modificati e chiamata di metilazione collettiva. (Fonte Archiviazione parallela di dati molecolari mediante stampa di bit epigenetici sul DNA)
Rimangono due ostacoli principali sulla strada verso il pieno utilizzo del DNA per immagazzinare informazioni. Innanzitutto il costo di produzione. Oggi l’unico modo possibile per registrare i dati è la sintesi del DNA nelle fabbriche, ma questo approccio è troppo costoso per un uso di massa. La seconda difficoltà è la bassa velocità dei processi di codifica delle informazioni nelle molecole.

L’approccio proposto ci consente di risolvere entrambi i problemi utilizzando meccanismi naturali che accelerano notevolmente il processo. Il metodo si basa sulla metilazione delle basi azotate su uno stampo di DNA già esistente. Ciò elimina la necessità di sintesi e consente la registrazione dei dati ad alta velocità, che i ricercatori chiamano epi-bit, un analogo dei bit nei computer digitali convenzionali.

La metilazione, o la sua mancanza, consente di rappresentare le unità di dati come 1 e 0. I test hanno dimostrato che il nuovo metodo è in grado di registrare dati a una velocità di 350 bit per reazione, un miglioramento significativo rispetto agli approcci precedenti che fornivano solo un bit. per reazione.

Oltre ad aumentare la produttività, gli scienziati hanno anche migliorato l’usabilità delle unità DNA creando la piattaforma iDNAdrive. Circa 60 volontari provenienti da diversi campi scientifici hanno codificato con successo circa 5.000 bit di informazioni di testo sulla piattaforma.

Tuttavia, la tecnologia è ancora inferiore ai metodi di archiviazione tradizionali. Anche con l’uso di epi-bit e di una piattaforma automatizzata di elaborazione liquida, la velocità di scrittura dei dati raggiunge solo 40 bit al secondo (le unità SSD possono leggere e scrivere dati a velocità di 200-550 MB/s).

I ricercatori sollevano anche domande sulla durabilità delle etichette metiliche create dalla nuova tecnologia. Inoltre, c’è il problema di implementare un accesso casuale ai dati simile alla RAM: l’accesso selettivo ai file nel sistema epi-bit richiede la lettura dell’intero database, il che è inefficiente con il sequenziamento dei nanopori.

Il costo della tecnologia epi-bit supera finora il costo dei tradizionali sistemi di archiviazione basati sul DNA. Tuttavia, gli scienziati sperano che un’ulteriore automazione e ottimizzazione contribuiranno a ridurre i costi e ad avvicinare la commercializzazione.

L'articolo Il DNA Come Un Hard Disk! 215.000 Terabyte Possono Essere Archiviati In Una Sola Molecola proviene da il blog della sicurezza informatica.

[Neil] from The Cave, a computer and console gaming museum in the UK, has a treat for vintage computing and computer gaming enthusiasts. They received an important piece of game dev history from [Richard Costello], who coded ports of Gauntlet 2, Mortal Kombat, and Primal Rage for Atari ST and Amiga home computers in the 80s. [Richard] brought them his non-functional Atari Mega ST in the hopes that they could get it working again, and demonstrate to visitors how game development was done back in the 80s — but sadly the hardware is not in the best shape.
The Atari ST flagged deleted files for overwriting but didn’t actively wipe them, allowing an undelete utility to work.
That doesn’t stop [Neil], however. The real goal is seeing if it’s possible to re-create the development environment and access the game assets on the SCSI hard drive, and it’s not necessary to revive every part of the hardware to do that. The solution is to back up the drive using a BlueSCSI board which can act as a host, scan the SCSI bus, and dump any device it finds to an SD card. The drive didn’t spin up originally, but some light percussive maintenance solved that.

With the files pulled off the drive, it was time to boot it up using an emulator (which begins at the 16:12 mark). There are multiple partitions, but not a lot of files. There was one more trick up [Neil]’s sleeve. Suspecting that deleting everything was the last thing [Richard] did before turning the machine off decades ago, he fired up a file recovery utility. The Atari ST “deleted” files by marking them to be overwritten by replacing the first letter of the filename with a ‘bomb’ character but otherwise leaving contents intact. Lo and behold, directories and files were available to be undeleted!

[Neil] found some fascinating stuff such as mixed game and concept assets as well as what appears to be a copy of Ramrod, a never-released game. It’s an ongoing process, but with any luck, the tools and environment a game developer used in the 80s will be made available for visitors to experience.

Of course, modern retro gaming enthusiasts don’t need to create games the classic way; tools like GB Studio make development much easier. And speaking of hidden cleverness in old games, did you know the original DOOM actually had multi-monitor support hidden under the hood?

youtube.com/embed/kEYqpvXdpec?…

hackaday.com/2024/10/25/donate…

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers, that this was due to US sanctions against certain Russian businesses, and that the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

I can only conclude from this that the US Treasury has in fact made this threat, that code would need to be removed. Now this is genuinely surprising, given the legal precedent that code is 1st Amendment protected speech. That precedent was established when dealing with encryption code that was being export restricted in the 90s. It seems particularly problematic that the US government believes it can specify what code does and does not belong in the Linux kernel.

SELinux

Since we’re in Kernel land, let’s talk SELinux. Many modern Linux systems, and Android in particular, use SELinux to provide an extra security layer. It’s not an uncommon troubleshooting step, to turn off SELinux to see if that helps with mysterious issues. What we have here in the klecko Blog is an intro to bypassing SELinux. The setup is that an exploit has achieved root, but is in a unprivileged context. What options does an attacker have to try to bypass SELinux?

The first, most obvious solution is to just disable SELinux altogether. If you can write to memory, the SELinux enabled bit can just be set to false. But that might not work, if you can’t write to memory, or have a hypervisor to wrestle with, like some Android systems. Another option is the set of permissive flags that can be overwritten, or the AVC cache that can be poisoned, both approaches resulting in every SELinux request being approved. It’s an interesting overview.

Printer Root

Xerox printers with the “Network Troubleshooting” feature have some unintended hidden functionality. The troubleshooting is done by calling tcpdump as root, and the configuration allows setting the IP address to use for the troubleshooting process. And as you might expect, that IP address was used to create a command line string, and it isn’t properly escaped. You can sneak a $(bash ...) in as part of the address, allowing code execution. The good news is that access to this troubleshooting function is locked behind the web admin account. Xerox has made fixed firmware available for this issue.

Fix Your Roundcube

The Roundcube email web client has a Cross-Site Scripting (XSS) vulnerability that is actively being exploited. The flaw is the processing of SVGs, and the addition of an extra space in an href tag, that the browser ignores. Sneaking this inside an SVG allows for arbitrary Javascript to run when opening this malicious email.

Roundcube has released 1.5.7 and 1.6.7 that address the issue. This is under active exploitation, currently being used against the Russian aligned CIS countries. It’s a simple exploit, so expect to see it more widely used soon.

The Archive

The Internet Archive continues to be under siege. The Distributed Denial of Service (DDoS) attacks were apparently done by SN-Blackmeta. But the hacker behind the data breach is still a mystery. But the news this week is that there is still someone with access to Internet Archive API keys. Specifically Zendesk, illustrated by the fact that when Mashable reached out via email, the hacker answered, “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.”

It’s obviously been a terrible, horrible, no good, and very bad month for the Internet Archive. As it’s such an important resource, we’re hoping for some additional support, and getting the service back to 100%.

Quantum Errata

You may remember last week, that we talked about a Quantum Annealing machine making progress on solving RSA cryptography. In the comments, it was pointed out that some coverage on this talks about RSA, and some talks about AES, a cryptography thought to be quantum-resistant. At least one source is claiming that this confusion is because there were actually two papers from the same team, one discussing RSA, and the other techniques that could be used against AES. This isn’t confirmed yet, and there are outstanding questions about both papers.

Bits and Bytes

SQL injection attacks are old hat by this point. [NastyStereo] has an interesting idea: Polyglot SQL injection attacks. The idea is simple. A SQL query might be escapable with a single quote or a double quote. To test it, just include both: OR 1#"OR"'OR''='"="'OR''='. There are more examples and some analysis at the link.

Kaspersky researchers found a Chrome exploit, that was being delivered in the form of an online tank battle game. In reality, the game was stolen from its original developers, and the web site was a crypto stealing scam, making use of the browser 0-day. This campaign has been pinned on Lazarus, the APT from North Korea.

And yet another example of fake software, researchers at kandji discovered a fake Cloudflare Authenticator campaign. This one is a MacOS malware dropper that does a reasonably good job of looking like it’s an official Cloudflare app. It’s malware, and places itself in the system crontab, to get launched on every boot. Follow the link for Indicators of Compromise if you need them.

hackaday.com/2024/10/25/this-w…

Questa settimana, la Cina ha ospitato il sesto World Media Summit a Urumqi, capitale dello Xinjiang, con oltre 500 partecipanti da 208 importanti organizzazioni mediatiche. L’evento, organizzato in collaborazione con l’agenzia di stampa statale Xinhua e il governo locale, ha avuto come tema centrale “Intelligenza Artificiale e Trasformazione dei Media“. Tuttavia, la scelta dello Xinjiang come sede ha suscitato ampie critiche a causa delle preoccupazioni internazionali per le presunte violazioni dei diritti umani nella regione.

Adrian Zenz, direttore degli studi sulla Cina presso la Victims of Communism Memorial Foundation, ha messo in discussione le vere intenzioni del vertice, suggerendo che l’evento potrebbe servire a distrarre l’attenzione globale dalle questioni legate ai diritti umani nello Xinjiang. Ha evidenziato come la Cina stia cercando di normalizzare la situazione nella regione, presentandola come un centro per la discussione su tecnologia e sviluppo.

Le accuse di violazioni dei diritti umani nello Xinjiang continuano a essere gravi, con oltre 1 milione di uiguri e altre minoranze turche detenuti in campi di rieducazione. Gli Stati Uniti hanno descritto queste azioni come un “genocidio”, imponendo sanzioni a funzionari e aziende coinvolte. La Cina ha negato tali accuse, definendo i campi come centri di formazione professionale.

All’evento, alcuni partecipanti hanno difeso la Cina, rifiutando le accuse di violazioni dei diritti umani come “fake news”. Waref Komaiha, del Silk Road Research Institute, ha descritto lo sviluppo nello Xinjiang come sorprendente e contraddittorio rispetto alle notizie false diffuse sui media. Ling Sze Gan di Reuters ha enfatizzato il potenziale dell’intelligenza artificiale generativa per migliorare il lavoro dei giornalisti.

Gli attivisti uiguri hanno condannato il vertice, vedendolo come un tentativo di legittimare le politiche cinesi nella regione. Mamtimin Ala, presidente del governo del Turkestan orientale a Washington, ha espresso delusione per la partecipazione di organizzazioni mediatiche rispettate, ritenendola una legittimazione delle politiche coloniali cinesi.

In sintesi, il World Media Summit ha sollevato interrogativi sulla reale intenzione della Cina di affrontare le questioni legate ai diritti umani, mentre le accuse di violazioni rimangono al centro dell’attenzione internazionale. La legittimazione delle politiche cinesi attraverso la partecipazione di media internazionali ha generato forti reazioni da parte degli attivisti uiguri e preoccupazioni per la manipolazione dell’informazione.

La situazione nello Xinjiang continua a essere un tema delicato e controverso, con tensioni crescenti tra la narrativa cinese e le accuse di violazioni sistematiche dei diritti umani.

L'articolo Il World Media Summit Si è Concluso in Cina: Il Vertice dei Media, Tra AI, Ombre e Diritti Umani proviene da il blog della sicurezza informatica.