You might wonder why [Kevin] wanted to build digital calipers when you can buy them for very little these days. But, then again, you are reading Hackaday, so we probably don’t need to explain it.

The motivation, in this case, was to learn to build the same mechanism the commercial ones use for use in precise positioning systems. We were especially happy to see that [Kevin’s] exploration took him to a Hackaday.io project which led to collaboration between him and [Mitko].

The theory behind the mechanism is simple but does get into some ugly-looking trigonometry. Electrically, you feed eight sine waves with different phases into the assembly and measure the phase of the signal you receive.

Pulse density modulation is sufficient for the driving signals. The math is a bit more complex, but nothing you can’t do with a modern CPU. To set the correct parameters, a PC-based test setup allowed different runs to determine the best parameters for the final implementation.

Of course, the whole thing still needs some packaging to use as either a practical pair of calipers or for unrelated positioning duty. But it does work and it should be straightforward to adapt it for any purpose.

We’ve looked inside calipers before. If you are only making measurements with calipers one way, you may be missing out.

hackaday.com/2024/11/08/diy-di…

While advances in modern technology have allowed average people access to tremendous computing power as well as novel tools like 3D printers and laser cutters for a bare minimum cost, around here we tend to overlook some of the areas that have taken advantage of these trends as well. Specifically in the area of chemistry, the accessibility of these things have opened up a wide range of possibilities for those immersed in this world, and [Marb’s Lab] shows us how to build a glucose-detection lab in an incredibly small form factor.

The key to the build is a set of three laser-cut acrylic sheets, which when sandwiched together provide a path for the fluid to flow as well as a chamber that will be monitored by electronic optical sensors. The fluid is pumped through the circuit by a custom-built syringe pump driven by a linear actuator, and when the chamber is filled the reaction can begin. In this case, if the fluid contains glucose it will turn blue, which is detected by the microcontroller’s sensors. The color value is then displayed on a small screen mounted to the PCB, allowing the experimenter to take quick readings.

Chemistry labs like this aren’t limited to one specific reaction, though. The acrylic plates are straightforward to laser cut, so other forms can be made quickly. [Marb’s Lab] also made the syringe pump a standalone system, so it can be quickly moved or duplicated for use in other experiments as well. If you want to take your chemistry lab to the extreme, you can even build your own mass spectrometer.

youtube.com/embed/mPBcsChEdZM?…

hackaday.com/2024/11/08/a-tiny…

While rulers and tape measures are ubiquitous, they always seem to disappear when you need them. We know you’d never forget your safety glasses (safety first!), so what if they were also a measuring tool?

Starting by snapping pieces from a folding yardstick, [Simone Giertz] and [Laura Kampf] worked out a rough prototype before letting [Giertz] complete the project in brass. Some initial issues with the weight of the frames were alleviated by switching to a lighter weight plate material and using thinner frames and weight-saving holes near the ear pieces.

Beauty is in the eye of the beholder, so we’ll let somebody else decide whether or not these will be the newest fashion craze. But it’s hard to argue with the timelessness of brass unless you have a copper allergy. We could definitely see a less expensive plastic version catching on in makerspaces for the PPE bin.

Want some other cool wearable gear? How about [Giertz]’s grocery bag hat, an evening gown with servo-driven flowers, or a shirt that reflects heat out the atmospheric window?

youtube.com/embed/3EoARmGYyVc?…

hackaday.com/2024/11/08/combin…

The chances are if you know someone who is a former Apple employee, you’ll have heard their Steve Jobs anecdote, and that it was rather unflattering to the Apple co-founder. I’ve certainly heard a few myself, and quick web search will reveal plenty more. There are enough of them that it’s very easy to conclude the guy was not a very pleasant person at all.

At the same time, he was a person whose public persona transcended reality, and his fan base treated him with an almost Messianic awe. For them everything he touched turned to gold, every new feature on an Apple product was his personal invention, every one of his actions even the not-so-clever ones were evidence of his genius, and anyone who hadn’t drunk the Apple Kool-Aid was anathema. You’ll still see echoes of this today in Apple fanboys, even though the shine on the company is perhaps now a little tarnished.

It’s easy to spot parallels to this story in some of today’s tech moguls who have gathered similar devotion, but it’s a phenomenon by no means limited to tech founders. Anywhere there is an organisation or group that is centred around an individual, from the smallest organisation upwards, it’s possible for it to enter an almost cult-like state in which the leader both accumulates too much power, and loses track of some of the responsibilities which go with it. If it’s a tech company or a bowls club we can shrug our shoulders and move to something else, but when it occurs in an open source project and a benevolent dictator figure goes rogue it has landed directly on our own doorstep as the open-source community. It’s happened several times that I can immediately think of and there are doubtless more cases I am unaware of, and every time I am left feeling that our community lacks an adequate mechanism to come through it unscathed.

In theory, the advantage of open-source software is that it provides choice. If something offends you about a project you can switch to an alternative, or if you are a software developer you can simply fork it or write your own competitor. Both of those points you’ll still see trotted out by open source developers when they face criticism, yet both of them are increasingly fantastical. The scale of many large pieces of software means that there is an inevitable progression towards a single dominant project, and the days when all users of open source software were capable of writing it are long gone if they ever existed at all. In many cases the reality of large open source projects is one of lock-in just as much as in the proprietary world; if you’ve put a lot of effort into adopting something then you’re along for the ride as the cost of changing your path are too significant to ignore.

So how can we as the open source community deal with a rogue emperor in a project we rely on? In some cases the momentum can eventually gather enough to generate an alternative path, you will probably come up with the same examples I’m thinking of as I write this. But all too often either a loyal Praetorian Guard of developers protect their leader, or a firm grip on the non-open-source IP surrounding the ecosystem keeps the problematic figure in place despite all attempts to move forward. Perhaps it’s time not to consider the problem after it happens, but before.

A central plank of the open source community lies in the licence. It sets down the framework under which the software can be used and shared, and there are a huge number of choices to reflect the varying ideals of software developers. It’s a great system in what it sets out to do, but I feel there’s an aspect of open source software it fails to address. Perhaps as well as considering how the IP is regulated, a licence should also commit the project to a system of governance, much in the manner that a country will have a constitution. If this constitution is written to maintain good governance and combat the threat of a rogue emperor it could only make for more stability, and since any code contributions would be made under its terms it would be very difficult for someone intent on breaking that governance structure to remove.

One thing is for sure, it’s becoming wearisome to find afresh every few months that a piece of software you use every day is associated with problematic people or behaviours. Something needs to be done, even if it’s not quite my suggestion here. What do you think? Tell us in the comments.

hackaday.com/2024/11/08/the-ro…

With Superconference 2024 in the books, Dan joined Elliot, fresh off his flight back from Pasadena, to look through the week (or two) in hacks. It was a pretty good crop, too, despite all the distractions and diversions. We checked out the cutest little quadruped, a wireless antenna for wireless communications, a price-tag stand-in for paper calendars, and a neat way to test hardware and software together.

We take the closest look yet at why Arecibo collapsed, talk about Voyager’s recent channel-switching glitch, and find out how to put old Android phones back in action. There’s smear-free solder paste application, a Mims-worthy lap counter, and a PCB engraver that you’ve just got to see. We wrap things up with a look at Gentoo and pay homage to the TV tubes of years gone by — the ones in the camera, for the TV sets.

html5-player.libsyn.com/embed/…
Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Download the zero-calorie MP3.

Episode 295 Show Notes:

News:

• Voyager 1 Fault Forces Switch To S-Band

What’s that Sound?

• Fill in this form for your chance to win. Be specific!

Interesting Hacks of the Week:

• Rapid Prototyping PCBs With The Circuit Graver
• Zinc Creep And Electroplasticity: Why Arecibo Collapsed
• Little Quadruped Has PCB Spine And No Wiring
• Hardware-in-the-Loop Continuous Integration
• Reusing An Old Android Phone For GPIO With External USB Devices
• Portable Solder Paste Station Prevents Smears With Suction

Quick Hacks:

• Elliot’s Picks
  
  • Random Wire Antenna Uses No Wire
  • PicoROM, A DIP-32 8-Bit ROM Emulator
  • Split-Flap Clock Flutters Its Way To Displaying Time Without Numbers

  
  

• Dan’s Picks:
  
  • Word Of The Day Calendar Is Great Use Of E-Paper
  • Use PicoGlitcher For Voltage Glitching Attacks
  • Clever Circuit Makes Exercise Slightly Less Boring

  
  

Can’t-Miss Articles:

• I Installed Gentoo So You Don’t Havtoo
  
  • Handbook:Main Page – Gentoo wiki

  
  

• Capturing Light In A Vacuum: The Magic Of Tube Video Cameras

hackaday.com/2024/11/08/hackad…

[TenTech]’s Fuzzyficator brings fuzzy skin — a textured finish normally limited to sides of 3D prints — to the top layer with the help of some non-planar printing, no hardware modifications required. You can watch it in action in the video below, which also includes details on how to integrate this functionality into your favorite slicer software.
Little z-axis hops while laying down the top layer creates a fuzzy skin texture.
Fuzzyficator essentially works by moving the print nozzle up and down while laying down a top layer, resulting in a textured finish that does a decent job of matching the fuzzy skin texture one can put on sides of a print. Instead of making small lateral movements while printing outside perimeters, the nozzle does little z-axis hops while printing the top.

Handily, Fuzzyficator works by being called as a post-processing script by the slicer (at this writing, PrusaSlicer, Orca Slicer, and Bambu Studio are tested) which also very conveniently reads the current slicer settings for fuzzy skin, in order to match them.

Non-planar 3D printing opens new doors but we haven’t seen it work like this before. There are a variety of ways to experiment with non-planar printing for those who like to tinker with their printers. But there’s work to be done that doesn’t involve hardware, too. Non-planar printing also requires new ways of thinking about slicing.

youtube.com/embed/85FJl5P0AoU?…

hackaday.com/2024/11/08/fuzzy-…

Un’ombra inquietante si aggira nei sistemi aziendali: la campagna di attacco VEILDrive sta violando l’infrastruttura cloud di Microsoft, sfruttando i suoi stessi servizi legittimi per sfuggire a qualsiasi tentativo di rilevamento. Microsoft Teams, SharePoint, Quick Assist e persino OneDrive sono finiti nelle mani dei cybercriminali, trasformati in potenti strumenti per diffondere malware senza destare sospetti.

L’azienda di cybersecurity israeliana Hunters, che ha scoperto l’operazione a settembre 2024, ha lanciato l’allarme: VEILDrive rappresenta una minaccia strategica per infrastrutture critiche, come dimostrato dall’attacco che ha colpito una grande organizzazione americana, identificata come “Org C”. Senza svelare il nome dell’azienda vittima, Hunters ha descritto un attacco sofisticato, iniziato già ad agosto, culminato con l’installazione di un malware basato su Java, progettato per connettersi ai server Command and Control dei cybercriminali tramite OneDrive.

L’arma segreta di VEILDrive: Un’infrastruttura fidata

Come può un attacco così sofisticato passare inosservato? La risposta è tanto geniale quanto spaventosa: VEILDrive sfrutta la fiducia che i servizi Microsoft SaaS godono nei sistemi aziendali. Questi attaccanti non hanno creato nuovi strumenti, non hanno installato software non riconosciuti: hanno usato i servizi stessi di Microsoft per stabilire un livello di accesso continuativo, discreto e pericolosamente letale.

In una manovra di inganno senza precedenti, VEILDrive ha inviato messaggi tramite Teams a quattro dipendenti di “Org C”, impersonando membri dell’IT e richiedendo accesso remoto con Quick Assist. Ma la vera genialità dell’attacco sta nell’uso di un account già compromesso di un’altra azienda, “Org A”. Così, invece di generare sospetti con account falsi, hanno usato quello di una vittima precedente per insinuarsi nella nuova rete.

Microsoft Teams come porta d’ingresso per i Cybercriminali

Il tallone d’Achille sfruttato in questo attacco è una funzionalità di Microsoft Teams che consente la comunicazione diretta tra utenti di diverse organizzazioni tramite “Accesso Esterno”. Una funzione apparentemente innocua, ma che ha fornito un varco per i malintenzionati. Usare un servizio aziendale per lanciare un attacco contro un’altra azienda: un meccanismo di compromissione subdolo, che evidenzia come le politiche di fiducia tra piattaforme possano essere un’arma a doppio taglio.

Conclusione

Mentre il silenzio di Microsoft su questo fronte lascia spazio a preoccupazioni sempre più angoscianti, la campagna VEILDrive apre gli occhi su una realtà che non possiamo più ignorare. Nessuna infrastruttura, nessun servizio Cloud, per quanto fidato, può considerarsi immune. La domanda non è più “se” si verrà colpiti, ma “quando” e con quale sofisticazione.

VEILDrive ci lancia un segnale forte e chiaro: l’era della sicurezza garantita è finita. Le aziende devono abbandonare ogni illusione di protezione assoluta e riconoscere che oggi anche i servizi più fidati possono essere usati contro di loro.

L'articolo Microsoft Teams e OneDrive nelle Mani degli Hacker: La Minaccia Invisibile di VEILDrive proviene da il blog della sicurezza informatica.

L’FBI ha lanciato un avvertimento alle aziende statunitensi riguardo a un nuovo sistema di truffatori che utilizzano le richieste di dati di emergenza per rubare informazioni personali.

Utilizzando indirizzi e-mail hackerati di agenzie governative, i truffatori chiedono alle aziende private di fornire urgentemente dati riservati presumibilmente necessari per le indagini. Le aziende, temendo per l’incolumità delle persone, spesso forniscono i dati senza controllare attentamente le richieste. Di conseguenza, i criminali ottengono l’accesso alle informazioni personali degli utenti: telefoni, indirizzi ed e-mail, che vengono poi utilizzati per estorsioni o phishing.

Secondo l’FBI, negli ultimi mesi si è registrato un aumento delle vendite di conti governativi compromessi sui forum underground. Ad esempio, nell’agosto del 2024, un criminale informatico ha messo in vendita l’accesso agli indirizzi .gov a scopo di spionaggio ed estorsione. Il venditore ha affermato di essere in grado di aiutare i clienti a inviare richieste di dati di emergenza e ha anche fornito documenti falsi per mascherarsi da agenti delle forze dell’ordine.

Tali casi non sono isolati. Nel marzo 2024, un altro criminale ha affermato di avere accesso alle e-mail governative di più di 25 paesi e di essere disposto a fornire assistenza per richiedere dati, inclusi indirizzi e-mail e numeri di telefono. Nel dicembre 2023 sono stati registrati tentativi di ottenere dati attraverso false richieste con minacce che la mancata osservanza avrebbe potuto portare addirittura alla morte.

Per migliorare la protezione aziendale, l’FBI raccomanda di valutare criticamente tutte le richieste di dati di emergenza ricevute esaminando i documenti per individuare falsificazioni e incoerenze nei codici legali. È anche importante verificare accuratamente il mittente al minimo sospetto.

Le misure proposte per migliorare la sicurezza includono:

• utilizzo dell’autenticazione a due fattori;
• implementare rigide politiche di gestione delle password;
• creazione di password di almeno 16 caratteri di lunghezza e con combinazioni complesse di lettere, numeri e caratteri speciali;
• limitare l’accesso alle reti aziendali;
• impostare la segmentazione della rete per prevenire la diffusione di malware;
• utilizzando strumenti per monitorare attività sospette.

A causa dell’aumento della minaccia, l’FBI consiglia vivamente alle organizzazioni di rivedere i propri piani di risposta agli incidenti e di aggiornare le proprie politiche di sicurezza.

È inoltre importante mantenere stretti contatti con gli uffici regionali dell’FBI per il rapido scambio di informazioni e il coordinamento delle azioni. Per segnalare incidenti sospetti e attività criminali, l’FBI consiglia di segnalare tramite ic3.gov o l’ufficio sul campo più vicino.

L'articolo Phishing Estremo: i Cyber Criminali Sfruttano Email Governative Per Richiedere Dati Personali proviene da il blog della sicurezza informatica.

Steve Ballmer famously called Linux “viral”, with some not-entirely coherent complaints about the OS. In a hilarious instance of life imitating art, Windows machines are now getting attacked through malicious Linux VM images distributed through phishing emails.

This approach seems to be intended to fool any anti-malware software that may be running. The VM includes the chisel tool, described as “a fast TCP/UDP tunnel, transported over HTTP, secured via SSH”. Now that’s an interesting protocol stack. It’s an obvious advantage for an attacker to have a Linux VM right on a target network. As this sort of virtualization does require hardware virtualization, it might be worth disabling the virtualization extensions in BIOS if they aren’t needed on a particular machine.

AI Finds Real CVE

We’ve talked about some rather unfortunate use of AI, where aspiring security researchers asked an LLM to find vulnerabilities in a project like curl, and then completely wasted a maintainer’s time on those bogus reports. We happened to interview Daniel Stenberg on FLOSS Weekly this week, and after he recounted this story, we mused that there might be a real opportunity to use LLMs to find vulnerabilities, when used as a way to direct fuzzing, and when combined with a good test suite.

And now, we have Google Project Zero bringing news of their Big Sleep LLM project finding a real-world vulnerability in SQLite. This tool was previously called Project Naptime, and while it’s not strictly a fuzzer, it does share some similarities. The main one being that both tools take their educated guesses and run that data through the real program code, to positively verify that there is a problem. With this proof of concept demonstrated, it’s sure to be replicated. It seems inevitable that someone will next try to get an LLM to not only find the vulnerability, but also find an appropriate fix.

Slipping Between Parsers

Something else interesting from our conversation with Daniel was the trurl tool, that makes the curl url parser available as a standalone tool. The point being that there are often security problems that arise from handling URLs and other user-provided data with different parsers. And that’s the story [Andrea Menin] has to tell, taking a look at how file parsers handle file uploads a bit differently.

More specifically, Web Application Firewalls (WAFs) check a handful of metrics on file uploads, like the file extension, MIME Type, the “magic” first few bytes of the file, file size, filename sanitization, and more. This gets complicated when an application uses multipart/form-data. Files and parameters get chunked, separated by boundary delimiter strings.

So one trick is to hide strings that the WAF would normally block, by sneaking them inside a multipart upload. Another trick is to use the same name field multiple times. The WAF may ignore the repeated names, and the application itself may not ignore the repetition in the same way. There are many more, from inconsistent quotes, to omitting an expected carriage return in the upload, to failing to mention that your filename contains UTF characters.

Backscatter TOR DoS

[delroth] got a nasty surprise. He got an abuse@ email, letting him know that one of his server VMs was sending SSH probes around the Internet. Unless you’re SSH scanning on purpose, that’s not a good surprise. That’s bad for two reasons. First off, it really implies that your server has been compromised. And second, it’s going to put your IP on multiple spam and abuse blacklists.

The natural response was to start looking for malware. The likely culprits were a Syncthing relay, a Mastodon instance, a Tor relay, and a Matrix server. The odd thing was that none of those services showed signs of compromise. The breakthrough came when [delroth] started looking close at port 22 traffic captured by a running tcpdump. No outgoing packets were getting captured, but TCP reset packets were coming in.

And really, that’s the whole trick: Send bogus SSH packets from a spoofed IP address, to a bunch of servers around the Internet, and some of them will generate complaints. Anyone can generate raw packets with spoofed IP addresses. The catch is that not everyone can successfully send that traffic, since many ISPs do BCP38 scrubbing, where “impossible” traffic gets dropped. This traffic was impossible, since those source IPs were coming from the wrong network.

The only real question is “why?” The answer seems to be TOR. While [delroth] does run a TOR node, it’s not an exit node, which is usually enough to keep the IP out of trouble. While TOR does make some guarantees about traffic anonymity, it doesn’t make any guarantees about hiding the IPs of network nodes. And it seems that it’s recently become someone’s hobby to trigger exactly these attacks on TOR nodes.

Bits and Bytes

A pair of developers have started working on hardening for the PHP language and server components. That means adding back safe-unlink, doing memory isolation to make heap spraying harder, and removing trivial ways to trivially get powerful primitives. PHP may not be the cool kid on the block any more, but it’s still very widely used, and making exploitation just a bit harder is a clear win.

Cisco’s Unified Industrial Wireless Software had a trivial command injection attack allowing for arbitrary command execution as root. This was limited to devices running with Ultra-Reliable Wireless Backhaul mode turned on. So far this flaw hasn’t been found in real attacks, but such a flaw in industrial equipment isn’t great.

And finally, Electronic Arts had an improperly secured web API endpoint, and [Sean Kahler] found it and started looking around. It turns out that API included a swagger json, which documents the entire API. Score! In the end, the API allowed for moving a “persona” from one account to another, and that eventually allows for full account takeover. Yikes.

hackaday.com/2024/11/08/this-w…

ENISA ha avviato la consultazione pubblica della sua guida pratica per la cyber sicurezza delle organizzazioni europee secondo la direttiva NIS2. Un documento importante su cui le stesse organizzazioni potranno implementare il loro piano di conformità normativa. Ecco i punti cardine

L'articolo NIS2, le linee guida ENISA per l’implementazione in azienda: i punti essenziali proviene da Cyber Security 360.

Più un'organizzazione è trasparente, nei processi come nella cultura, e più le probabilità che sia rigorosa nei suoi processi produttivi aumentano. La trasparenza è un elemento fondamentale, poiché contribuisce a creare fiducia tra produttori, clienti e partner. E questo è ancora più vero in relazione alla cyber security

L'articolo La fiducia nella cyber security passa dalla trasparenza: il ruolo dei fornitori proviene da Cyber Security 360.

I settori più critici dal punto di vista degli attacchi nel 2023 si sono registrati in ambito finanziario/assicurativo e manifatturiero. Ma anche la sanità è sempre più bersagliata, con attacchi in crescita di oltre l'80% in Italia. Come prepararsi al futuro, dopo l’entrata in vigore di DORA e delle altre normative

L'articolo Rapporto Clusit 2024, cyber attacchi in Italia: manifatturiero e sanità i settori più colpiti proviene da Cyber Security 360.

Il Regolamento DORA rappresenta un passo significativo verso il rafforzamento della resilienza operativa nel settore finanziario. In questo senso, l’AI generativa emerge come un potente alleato in questo processo, offrendo strumenti e soluzioni innovative per affrontare le sfide poste dalla resilienza digitale

L'articolo Rafforzare la resilienza digitale: l’AI generativa al servizio del regolamento DORA proviene da Cyber Security 360.

Eletto il 47° presidente degli Stati Uniti d’America: torna Donald Trump a governare una delle maggiori potenze del mondo, ma dal punto di vista della sicurezza e dell’informazione come siamo arrivati all’Election Day? Cosa sappiamo e la posizione della Cina nella campagna di disinformazione

L'articolo Tra fake news e intercettazioni telefoniche: l’ombra della Cina sulle elezioni USA proviene da Cyber Security 360.

L’European Data Protection Board ha pubblicato il primo rapporto di revisione sul Data Privacy Framework (DPF): secondo l’EDPB, le misure implementate dal DPF, sebbene migliorative, lasciano aperte questioni rilevanti sulla reale equivalenza delle garanzie offerte rispetto a quelle europee. Ecco quali

L'articolo I dubbi dell’EDPB sul Data Privacy Framework: ancora tante le questioni aperte proviene da Cyber Security 360.

I vip si ritrovano sempre più spesso inconsapevolmente volani di truffe. La loro immagine viene sfruttata per irretire gli utenti e Meta cerca di calare l’asso con il riconoscimento facciale. L’idea può essere buona, ma non è esente da limiti

L'articolo Meta e il riconoscimento facciale dei vip per contrastare le truffe proviene da Cyber Security 360.

Il Garante privacy ha assegnato 20 giorni ad Intesa San Paolo per informare i clienti che hanno subito il data breach per l’acceso indebito di un proprio dipendente. La banca minimizza, ma dietro c'è un problema enorme, ecco perché

L'articolo “Intesa San Paolo avvisi subito i correntisti spiati”, che ci insegna la mossa del Garante Privacy proviene da Cyber Security 360.

È stata identificata una sofisticata campagna di phishing in cui i truffatori sfruttano la fiducia riposta nella legittimità del servizio di firma elettronica DocuSign per aggirare i filtri antispam e ingannare le vittime con l’obiettivo di ottenere pagamenti fraudolenti. Ecco tutti i dettagli e come difendersi

L'articolo False fatture di phishing: così i criminali sfruttano la firma elettronica di DocuSign proviene da Cyber Security 360.

L'obiettivo principale di ToxicPanda è quello di avviare trasferimenti di denaro da dispositivi Android compromessi tramite l'acquisizione di account (ATO) sfruttando la tecnica dellafrode sul dispositivo (ODF). Ecco come mitigare il rischio

L'articolo ToxicPanda truffa gli utenti Android con trasferimenti di denaro fraudolenti: come proteggersi proviene da Cyber Security 360.

On the bench where this is being written, there’s a Mitutoyo vernier caliper. It’s the base model with a proper vernier scale, but it’s beautifully made, and it’s enjoyable to see younger hardware hackers puzzle over how to use it. It cost about thirty British pounds a few years ago, but when it comes to quality metrology instruments that’s really cheap. The sky really is the limit for those in search of ultimate accuracy and precision. We can see then why this Redditor was upset when the $400 Mitutoyo they ordered from Amazon turned out to be nothing of the sort. We can’t even call it a fake, it’s just a very cheap instrument stuffed oddly, into a genuine Mitutoyo box.

Naturally we hope they received a refund, but it does raise the question when buying from large online retailers; how much are we prepared to risk? We buy plenty of stuff from AliExpress in out community, but in that case the slight element of chance which comes with random Chinese manufacture is offset by the low prices. Meanwhile the likes of Amazon have worked hard to establish themselves as trusted brands, but is that misplaced? They are after all simply clearing houses for third party products, and evidently have little care for what’s in the box. The £30 base model caliper mentioned above is an acceptable punt, but at what point should we go to a specialist and pay more for some confidence in the product?

It’s a question worth pondering as we hit the “Buy now” button without thinking. What’s your view? Let us know in the comments. Meanwhile, we can all be caught with our online purchases.

Thanks [JohnU] for the tip.

hackaday.com/2024/11/08/ask-ha…