Trovate qui sotto la traduzione di un articolo di Louis Derrac, il testo è distribuito con licenza Creative Commons BY-SA

Nota: con web "progressista" sto deliberatamente usando un termine vago (che va oltre la divisione destra/sinistra) per includere la parte del web che non si riconosce nella deriva ultraconservatrice e di estrema destra di parte della tecnologia americana, incarnata da Elon Musk e X, tra gli altri.

Con l'elezione di Trump/Musk(1)Il social network X (ex Twitter) sta vivendo un altro episodio di "esodo" di massa. O, per essere più precisi, i social network concorrenti stanno assistendo a un nuovo episodio di arrivo di massa. Che non è proprio la stessa cosa. E non è esattamente una novità, visto che episodi del genere si verificano regolarmente da quando Elon Musk ha acquistato X.

Mentre un gran numero di utenti cerca un luogo meno tossico per esprimersi, molti lasciano (per alcuni⋅e⋅ in modo permanente) X per motivi morali.(2). E così, il social network che si sta gonfiando in questo momento è Bluesky.

Così la settimana scorsa ho creato un account Bluesky, giusto per vedere. Ho letto diversi articoli su questo social network, alcuni dei quali entusiasti, altri molto più sfumati e altri ancora molto negativi.(3). Oggi ho deciso: il web progressista farebbe bene a migrare direttamente su Mastodon, non su Bluesky. E perché no? Perché, a meno di un miracolo, Bluesky è il prossimo TwitterX.

Bluesky è stato creato da Jack Dorsey, lo stesso uomo che ha creato Twitter. Da allora ha lasciato il progetto, ma le idee sono sempre le stesse, le stesse ideologie (libertaria, tecno-utopica), le stesse persone. Riuscite a vedere l'inizio del problema? Bluesky è finanziato da grandi venture capitalist della Silicon Valley, non da persone che si accontentano di creare una rete sociale decentralizzata per il bene comune. Avevamo il diritto di essere ingenui a metà degli anni 2000, quando il social web ci veniva venduto come un'utopia. Oggi non è più così. Tra gli investitori, i primi sostenitori e i primi dipendenti di Bluesky c'è la galassia delle criptovalute. Quella che ha fatto attivamente campagna elettorale... per Donald Trump(4).

In termini morali, quindi, Bluesky sarà anche un social network molto giovane, ma non è già molto convincente. Ma ormai sappiamo che i progetti ideologici e politici giocano un ruolo decisivo nella tecnologia statunitense. In termini economici, Bluesky è nelle mani della classica big tech della Silicon Valley. Sperare che faccia qualcosa di diverso da quello che hanno fatto tutte le altre Big Tech (massimizzazione dei profitti, chiusura progressiva, economia dell'attenzione, cattura dei dati personali, pubblicità sempre più invasiva, diffusione virale dei contenuti tossici, ecc. Sarebbe addirittura come credere ai miracoli. Bisognerebbe credere che una società capitalista, finanziata da cripto-addetti e da Venture capitalist americani tecno-soluzionisti, si prenda davvero la briga di progettare un'infrastruttura tecnica che sia veramente open-source e interoperabile. Per il bene comune e l'interesse generale. A (molto) lungo termine(5). Yuhuu! Vi ricordate di OpenAI (la società dietro ChatGPT), che in origine era un'organizzazione no-profit il cui scopo era produrre scienza aperta sull'IA?

In breve, i progressisti del web, soprattutto quelli più militanti, non hanno tempo ed energia illimitati. Penso che sarebbe nel loro interesse risparmiare un po' di tempo saltando la fase Bluesky e migrando direttamente a un'istanza Mastodon. O, più in generale, a scoprire il Fediverso.(6). Non è perfetto, ovviamente, e ci sono ancora diversi problemi: i finanziamenti, perché nulla è gratuito, la moderazione, l'ergonomia, ecc... Naturalmente, come ogni nuovo strumento, ci vuole un po' di tempo per abituarsi e per costruire nuovi punti di riferimento. Ma esiste, funziona e fa progressi ogni giorno!

Vi aspettiamo, utenti progressisti del web alla ricerca di nuovi punti di riferimento. Venite ad aiutarci a costruire il social web alternativo di cui abbiamo disperatamente bisogno.
Nota: sto continuando le mie riflessioni in un altro articolo. Et si le problème des réseaux sociaux, c’étaient les phares ?

Note a piè di pagina
1. E quello che scopriamo gradualmente sul modo in cui Musk ha usato X per aiutare Trump a vincere, o sulla crescente influenza della tecnologia di destra negli Stati Uniti.
2. Meglio tardi che mai, personalmente già nel dicembre 2022 ritenevo che Twitter fosse (già) diventato il nuovo Truth Social e che abbandonarlo fosse diventata una scelta morale.
3. Li trovate nella mia raccolta di articoli da segnalare
4. The crypto industry plowed tens of millions into the election. Now, it’s looking for a return on that investment
5. A questo proposito dobbiamo tenere presente l'eccellente concetto di Cory Doctorow sulla "enshittification (merdificazione) " dei servizi digitali. In un suo articolo analizza in dettaglio il caso Bluesky.
6. Più che Mastodon, con molte altre piattaforme sociali che possono comunicare tra loro

#Mastodon
#Bluesky
#fediverso
@informapirata ⁂ :privacypride:

If you’ve ever worked with guitar pedals or analog audio gear, you’ve probably realized the value of a resistor decade box. They substitute for a resistor in a circuit and let you quickly flick through a few different values at the twist of a knob. You can still buy them if you know where to look, but [M Caldeira] decided to build his own.

At its core, the decade box relies on a number of 11-position rotary switches. Seven are used in this case—covering each “decade” of resistances, from 1 ohm to 10 ohm and all the way up to 1 megaohm. The 11 positions on each switch allows the selection of a given resistance. For example, position 7 on the 100 ohm switch selects 700 ohms, and adds it to the total resistance of the box.

[M Caldeira] did a good job of building the basic circuit, as well as assembling it in an attractive, easy-to-use way. It should serve him well on his future audio projects and many others besides. It’s a simple thing, but sometimes there’s nothing more satisfying than building your own tools.

We’ve seen other neat designs like this in the past, including an SMD version and this neat digital decade box. Video after the break.

youtube.com/embed/Wq_XsgqvS1k?…

hackaday.com/2024/11/22/build-…

There was a time when no self-respecting electronics engineer would build a big project without at least one panel meter. They may be a rare part here in 2024, but we find ourselves reminded of them by [24Eng]’s project. It’s a 3D printed housing for one of those common small OLED displays, designed to be mounted on a panel with just a single round hole. Having had exactly this problem in the past trying to create a rectangular hole, we can immediately see the value in this.

It solves the problem by encasing the display in a printed shell, and passing a coarsely threaded hollow cylinder behind it for attachment to the panel and routing wires. This is where we are reminded of panel meters, many of which would have a similar sized protrusion on their rear housing their mechanism.

The result is a neatly made OLED display mounting, with a hole that’s ease itself to create. Perhaps now you’ll not be afraid to make your own panels.

hackaday.com/2024/11/22/oled-s…

La sala d'aspetto[b][/b]

Chi non ha casa e non ha letto
si rifugia in sala d'aspetto.

Di una panca si contenta,
tra due fagotti s'addormenta.

Il controllore pensa: "Chissà
quel viaggiatore dove anderà?"

Ma lui viaggia solo di giorno,
sempre a piedi se ne va attorno:

cammina, cammina, eh, sono guai,
la sua stazione non la trova mai!

Non trova lavoro, non ha tetto,
di sera torna in sala d'aspetto:

e aspetta, aspetta, ma sono guai,
il suo treno non parte mai.

Se un fischio echeggia di prima mattina,
lui sogna d'essere all'officina.

Controllore non lo svegliare:
un poco ancora lascialo sognare.

(Gianni Rodari)

Ever get home, tired after work, sit down on a couch, and spend an hour or two sitting down without even managing to change into your home clothes? It’s a seriously unpleasant in-between state – almost comfortable, but you know you’re not really at rest, likely hungry, and even your phone battery is likely about to die. This kind of tiredness can get self-reinforcing real quick – especially if you’re too tired to cook food, or you’re stuck in an uncomfortable position. It’s like the inverse of the marshmallow test – instead of a desire, you’re dealing with lack thereof.

I’ve been dealing with this problem a lot within the last two years’ time. Day to day, I could lose hours to this kind of tiredness. It gets worse when I’m sick, and, it’s gotten worse on average after a few bouts of COVID. It’s not just tiredness, either – distractability and tiredness go hand in hand, and they play into each other, too.

My conclusion, so far, was pretty simple. When I’m tired, delayed but proper rest is way better than “resting” in a half-alert state, even if that takes effort I might not have yet. So, it’s important that I can get up, even if I’m already in a “crashed” position. Sure, I could use tricks like “do not sit down until I’m ready to rest”, but that only works sometimes – other times, the tiredness is too much to handle.

Audio files and sound playback library in hand, negative reinforcement methods fresh in my mind, I went and cooked together a very simple solution.

Anti-Crash Script

When I noticed myself being tired and in a “crash” state, I would think “oh, no worries, I’m going to get up any minute now”. Of course, it was never just a minute, and I decided to hook into that realization, subsurface but close enough that I could justify some intervention to myself.

Would you be surprised if I told you the solution was to ring a siren into my headphones? The algorithm is simple – every time I’m “crashed” and planning to get up “real soon”, I press a button that starts a five-minute timer, programmed to ring a siren into my headphones. When the seconds stop ticking and the siren triggers, I have a choice – get up and then re-trigger the alarm for five more minutes. There is no second choice, really – I don’t give myself one. The part where I get up before turning the siren off is crucial, of course – though, in case of missing willpower, an accelerometer measuring activity could do as well.

Not that much of my willpower would be required – turned out, it typically would be enough of a shock to realize just how quickly five minutes have passed. Consistently, every time I got tired, time would pass much quicker than I could feel it, and the “oh damn it’s been five minutes already” thought made for a surprisingly powerful reality check.

Initially, the script was a tiny local webserver – I had some Flask examples fresh in my mental toolbox, so I took those and wrote two tiny HTML pages, crash and uncrash. The crash page received a seconds argument, indicating how many seconds to wait before ringing the alarm, and the uncrash page stopped the alarm. Keep the two webpages open, and hit Ctrl+R on the page I need – simple enough.

Resistance Is Counterproductive

Later on, I beautified the pages a little – adding background colours, so that it’d be easy for me to find the pages in my laptop’s window switcher and not get confused between them. That was my first attempt to make the crash/uncrash “hooks” more accessible – since, unsurprisingly, having to Alt-Tab a couple times before finding the right page required some mental energy, so I would often forget about them altogether, and developing a habit of using these pages was significantly harder. Thinking back to the very first article and principles I outlined in it – reducing resistance to use was a must.

So, the “crash” webpages got turned into keybinds accessible on my laptop globally. Surprisingly, despite the crash endpoint’s arbitrary integer delay, I didn’t need much granularity. Right now, I only use three buttons , “uncrash”, “crash in 300 seconds” (5 minutes), and “crash in 1 second” (immediate). The “immediate crash” button was a surprisingly helpful one, too. See, the “oh, five minutes truly can pass quicker than expected” lesson has stuck with me – so, when I’d notice myself crashing, I knew better than to waste time trusting in the “just a few minutes” notice.

The keybinds got me to use the script more often – which has helped me find more usecases, and use it even when I’m not sick or super tired. Really, most of the trouble nowadays is noticing when I need to press the button – which, generally, is in the mornings, when I am still groggy and a scheduled appointment might not feel as important as it actually is.

One important aspect turned out to be retriggering the alarm instead of turning it off after five minutes. I get up either way, but usually, the crash doesn’t – I might “crash” immediately afterwards, or a minute-two later. Stopping the alarm ended up being a very intentional “crash is over” decision – so, the “stop” button never got into my muscle memory. I’ve indeed had muscle-memory cycle restarts, giving myself five more minutes without realizing – but I’ve never had muscle-memory stops, which is nice, because stopping the script without even realizing it would be a critical failure condition.

Retrospective: It’s Great, Somehow

Anything missing? Definitely! For one, there are some good keybinds I could add, even if maybe they wouldn’t fundamentally impact how the script is functioning. Say I’ve woken up, and I have to get somewhere early – so I use the “crash” script to get up and get with the gravity of my current situation. As I run around the house doing morning chores, five minutes pass and the alarm rings again, even though I’m currently actively doing something around the house.

Now, running back to the laptop and pressing a keybind isn’t a problem. The problem is that I could be pressing the “reset alarm” button in two different states – either I’m doing well, or I’m not, but it’s the same button. Making two different buttons, one “doing good” and one “still crashed”, would help me collect metadata I could use for a good purpose – and, quite likely, add a trigger for some sort of positive reinforcement.

Other than that? This script has eliminated yet another common failure mode from my life – and, once again, helped improve focus. It’s as simple as simple goes, and, it’s gotten me to a more comfortable point – often, making a difference between an evening lost to tiredness, and an evening of recuperation.

One thing you might notice – to actually work properly, this script requires always-on, wireless headphones. In the next article, I’ll talk about the wireless headphone device I’ve built, why I had to build one instead of buying one, and how that device has helped me solved a bunch of other problems I didn’t realize I had.

hackaday.com/2024/11/22/hack-o…

Many of us check the weather before heading out for the day — we want to know if we’re dressed (or equipped) properly to handle what Mother Nature has planned for us. This is even more important if you’re going out hiking, because you’re going to be out in a more rugged environment. To aid in this regard, [Mukesh Sankhla] built a tool called Enhiker.

The concept is simple; it’s intended to tell you everything you need to know about current and pending conditions before heading out on a hike. It’s based around Unihiker, a single-board computer which also conveniently features a 2.8-inch touch screen. It’s a quad-core ARM device that runs Debian and has WiFi and Bluetooth built in, too. The device is able to query its GPS/GNSS receiver for location information, and then uses this to get accurate weather data online from OpenWeatherMap. It makes some basic analysis, too. For example, it can tell you if it’s a good time to go out, or if there’s a storm likely rolling in, or if the conditions are hot enough to make heat stroke a concern.

It’s a nifty little gadget, and it’s neat to have all the relevant information displayed on one compact device. We’d love to see it upgraded further with cellular connectivity in addition to WiFi; this would make it more capable when out and about.

We’ve seen some other neat hiking hacks before, too, like this antenna built with a hiking pole. Meanwhile, if you’ve got your own neat hacks for when you’re out on the trail, don’t hesitate to let us know!

hackaday.com/2024/11/22/enhike…

La Lamborghini Huracan del giocatore di baseball Kris Bryant è stata rubata mentre veniva trasportata a Las Vegas. Gli aggressori sono riusciti a modificare il percorso di consegna, ma l’auto è stata recuperata in meno di una settimana, il che ha aiutato a rintracciare diversi sospettati e altre auto rubate.

Il giocatore dei Colorado Rockies ha incaricato una compagnia di trasporti di trasportare una Lamborghini Huracan dal Colorado a Las Vegas, Nevada, dove l’atleta ha giocato in bassa stagione. L’auto però non è mai arrivata a destinazione. La polizia ne ha registrato la scomparsa il 2 ottobre e ha avviato un’indagine.

Si è scoperto che la compagnia di trasporti è stata vittima di un attacco BEC, che ha permesso ai criminali di organizzare il trasporto non autorizzato di automobili in tutto il paese. Grazie all’analisi dei dati provenienti dalle telecamere di riconoscimento targhe, è stato possibile ricostruire il percorso di movimento del camion e del rimorchio che hanno consegnato la Lamborghini.

La Lamborghini Huracan del 2023 presentava modifiche uniche che hanno contribuito a identificare l’auto quando un agente di polizia di Las Vegas l’ha avvistata. L’auto è stata ritrovata il 7 ottobre nella zona di Las Vegas e le persone coinvolte nel rapimento sono state arrestate.

Il conducente della Lamborghini ha affermato di possedere un’autofficina e di aver ricevuto una richiesta da uno sconosciuto in Texas per riparare il sistema elettronico dell’auto. Un altro sospettato è stato arrestato all’aeroporto di Las Vegas, dove avrebbe dovuto ritirare la Lamborghini. Durante la perquisizione dell’auto, la polizia ha rinvenuto strumenti atti a scassinare l’auto.

La scoperta dell’auto è stata un anello chiave per scoprire una rete criminale più ampia. Nel corso di ulteriori indagini, la polizia ha ricevuto informazioni su altri membri del gruppo criminale, che hanno portato alla scoperta di altre due auto rubate, serie di numeri VIN falsi, documenti di immatricolazione falsi, chiavi elettroniche e strumenti per cambiare targa. Inoltre, nell’ambito del caso, è stato possibile restituire un’altra auto rubata in precedenza in California.

Sebbene Bryant non sia stato nominato nella dichiarazione ufficiale della polizia, il Denver Post ha collegato l’incidente a lui.

L'articolo Caccia alla Lamborghini Huracan Rubata a Kris Bryant! Dietro l’Attacco una Rete Criminale proviene da il blog della sicurezza informatica.

La polizia sudcoreana ha confermato il coinvolgimento di hacker legati all’intelligence nordcoreana in un grave furto della criptovaluta Ethereum nel 2019. L’importo dei beni rubati in quel momento era stimato a 41,5 milioni di dollari.

Più della metà dei fondi rubati sono stati riciclati attraverso 3 scambi di criptovalute creati dagli stessi hacker. I fondi rimanenti sono stati distribuiti su 51 piattaforme. I criminali si sono infiltrati nell’exchange di criptovalute in cui era archiviato Ethereum e hanno prelevato 342.000 ETH. Oggi il loro valore supera il miliardo di dollari.

Il nome dell’exchange non è stato specificato nella dichiarazione, ma nel 2019 l’exchange sudcoreano Upbit ha segnalato un trasferimento non autorizzato di 342.000 ETH su un wallet sconosciuto. Non è specificato se questi due incidenti siano collegati.

Dall’inchiesta è emerso che l’attacco è stato effettuato dai gruppi Lazarus e Andariel, legati all’intelligence nordcoreana. I risultati si basano sull’analisi degli indirizzi IP e sul tracciamento delle risorse. Ciò ha segnato la prima volta che la Corea del Nord ha colpito un exchange di criptovalute sudcoreano.

Le forze dell’ordine sono riuscite a rintracciare 4,8 BTC trasferiti su uno scambio di criptovalute svizzero. Nel mese di ottobre gli asset sono stati restituiti alla piattaforma sudcoreana. Oggi il loro valore è di circa 427.800 dollari. La Corea del Nord nega il coinvolgimento in attacchi informatici e furti di criptovalute.

Secondo l’ONU, dal 2017 al 2024, gli hacker nordcoreani hanno effettuato 97 attacchi informatici contro società di criptovalute, causando danni per circa 3,6 miliardi di dollari. Tra gli attacchi c’era un attacco allo scambio di criptovalute HTX: nel novembre 2023 gli hacker hanno rubato 147,5 milioni di dollari e ha riciclato il bottino a marzo del 2024.

L'articolo Gli Hacker Nordcoreani Rubano 1 Miliardo di Dollari ad un Exchange della Corea del Sud proviene da il blog della sicurezza informatica.

The world of security research is no stranger to the phenomenon of not-a-vulnerability. That’s where a security researcher finds something interesting, reports it to the project, and it turns out that it’s something other than a real security vulnerability. There are times that this just means a researcher got over-zealous on reporting, and didn’t really understand what was found. There is at least one other case, the footgun.

A footgun is a feature in a language, library, or tool that too easily leads to catastrophic mistake — shooting ones self in the foot. The main difference between a footgun and a vulnerability is that a footgun is intentional, and a vulnerability is not. That line is sometimes blurred, so an undocumented footgun could also be a vulnerability, and one possible solution is to properly document the quirk. But sometimes the footgun should really just be eliminated. And that’s what the article linked above is about. [Alex Leahu] takes a look at a handful of examples, which are not only educational, but also a good exercise in thinking through how to improve them.

The first example is Tesla from the Elixer language. Tesla is an HTTP/HTTPS client, not unlike libcurl, and the basic usage pattern is to initialize an instance with a base_url defined. So we could create an instance, and set the URL base to [url=https://hackaday.com/feed/]https://hackaday.com/feed/[/url]. Then, to access a page or endpoint on that base URL, you just call a Tesla.get(), and supply the client instance and path. The whole thing might look like:

client = build_client(config, "https://hackaday.com", headers)
response = Tesla.get(client, "/floss")

All is well, as this code snippet does exactly what you expect. The footgun comes when your path isn’t just /floss. If that path starts with a scheme, like http:// or https://, the base URL is ignored, and path is used as the entire URL instead. Is that a vulnerability? It’s clearly documented, so no, definitely not. Is this a footgun, that is probably responsible for vulnerabilities in other code? Yes, very likely. And here’s the interesting question: What is the ideal resolution? How do you get rid of the footgun?

There are two related approaches that come to mind. The first would be to add a function to the library’s API, a Tesla.get_safe() that will never replace the base URL, and update the documentation and examples to use the safe version. The related solution is to then take the extra step of deprecating the unsafe version of the function.

The other example we’ll look at is Psychopg, a PostSQL driver library for Python. The example of correctly using the driver is cur.execute("INSERT INTO numbers VALUES (%s, %s)", (10, 20)), while the incorrect example is cur.execute("INSERT INTO numbers VALUES (%s, %s)" % (10, 20)). The difference may not seem huge, but the first example is sending the values of 10 and 20 as arguments to the library. The second example is doing an printf-like Python string formatting with the % operator. That means it bypasses all the protections this library has to prevent SQL injection. And it’s trivially easy because the library uses % notation. The ideal solution here is pretty straightforward. Deprecate the % SQL notation, and use a different character that isn’t overloaded with a particularly dangerous language functino.

Wormable Bing

[pedbap] went looking for a Cross-Site Scripting (XSS) flaw on Microsoft’s services. The interesting thing here is that Bing is part of that crowd of Microsoft websites, that users automatically get logged in to with their Microsft accounts. An XSS flaw there could have interesting repercussions for the entire system. And since we’re talking about it, there was obviously something there.

The flaw in question was found on Bing maps, where a specific URL can load a map with custom features, though the use of json file specified in the URL. That json file can also include a Keyhole Markup Language file, a KML. These files have a lot of flexibility, like including raw HTML. There is some checking to prevent running arbitrary JavaScript, but that was defeated with a simple mixed case string: jAvAsCriPt:(confirm)(1337). Now the example does require a click to launch the JS, so it’s unclear if this is actually wormable in the 0-click sort of way. Regardless, it’s a fun find, and netted [pedbap] a bounty.

youtube.com/embed/_brKdFmYGdI?…

Right There in Plain Text

[Ian] from Shells.Systems was inside a Palo Alto Global Protect installation, a VPN server running on a Windows machine. And there was something unusual in the system logs. The log contained redacted passwords. This is an odd thing to come across, particularly for a VPN server like this, because the server shouldn’t ever have the passwords after creation.

So, to prove the point, [Ian] wrote an extractor program, that grabs the plaintext passwords from system memory. As far as we can tell, this doesn’t have a CVE or a fix, as it’s a program weakness rather than a vulnerability.

Your Gogs Need to Go

Speaking of issues that haven’t been patched, if you’re running gogs, it’s probably time to retire it. The latest release has a Remote Code Execution vulnerability, where an authenticated user can create a symlink to a real file on the gogs server, and edit the contents. This is a very quick route to arbitrary code execution.

The real problem here isn’t this specific vulnerability, or that it hasn’t been patched yet, or even that gogs hasn’t seen a release since 2023. The real problem is that the project seems to have been almost completely abandoned. The last change was only 2 weeks ago, but looking through the change log, almost all of the recent changes appear to be automated changes. The vulnerability was reported back in August, the 90 day disclosure deadline came and went, and there was never a word from the project. That’s concerning. It’s reminiscent of the sci-fi trope, when some system keeps running itself even after all the humans have left.

Bits and bytes

The NPM account takeover hack now has an Open Source checking tool. This is the issue of expired domains still listed on the developer email addresses on NPM packages. If an attacker can register the dangling domain, it’s possible to take over the package as well. The team at Laburity are on it, with the release of this tool.

Lutra Security researchers have an interesting trick up their sleeves, when it comes to encrypted emails. What if the same encrypted text encrypted to different readable messages for each different reader? With some clever use of both encryption and the multipart/alternative MIME type, that;s what Salamander/MIME pulls off.

And finally, it’s time to dive in to DOMPurify bypasses again. That’s the JavaScript library for HTML sanitizing using the browser’s own logic to guarantee there aren’t any inconsistent parsing issues. And [Mizu] has the lowdown on how to pull off an inconsistent parsing attack. The key here is mutations. When DOMPurify runs an HTML document through the browser’s parsing engine, that HTML is often modified — hence the Purify in the title. What’s not obvious is that a change made during this first iteration through the document can have unexpected consequences for the next iteration through the document. It’s a fun read, and only part one, so keep your eyes peeled for the rest of it!

hackaday.com/2024/11/22/this-w…

Old-school technology can spark surprising innovations. By combining the vintage zoetrope concept with digital displays, [Mike Ando] created the Andotrope, a surprisingly simple omnidirectional display.

Unlike other 3D displays, the Andotrope lets you view a normal 2D video or images that appear identical irrespective of your viewing angle. The prototype demonstrated in the video below consists of a single smart phone and a black cylinder spinning at 1,800 RPM. A narrow slit in front of each display creates a “scanning” view that our brain interprets as a complete image, thanks to persistence of vision. [Mike] has also created larger version with a higher frame rate, by mounting two tablets back-to-back.

Surprisingly, the Andotrope appears to be an original implementation, and neither [Mike] nor we can find any similar devices with a digital display. We did cover one that used a paper printout in a a similar fashion. [Mike] is currently patenting his design, seeing the potential for smaller displays that need multi-angle visibility. The high rotational speed creates significant centrifugal force, which might limit the size of installations. Critically, display selection matters — any screen flicker becomes glaringly obvious at speed.

This device might be the first of its kind, but we’ve seen plenty of zoetropes over the years, including ones with digital displays or ingenious time-stretching tricks.

youtube.com/embed/YxkUCFis668?…

hackaday.com/2024/11/22/a-surp…

Sono venuto a conoscenza di questa tecnica circa 9 mesi fa e ora sto analizzando un attacco condotto da Qilin Ransomware Gang, quindi è giunto il momento di parlarne per far conoscere questa nuova tecnica.

Una delle cose più importanti per la sicurezza negli EDR è la possibilità di intercettare le chiamate al kernel. A questo scopo, i venditori di EDR utilizzano i driver MiniFilter che si caricano all’avvio. Ma cosa succede quando questi driver vengono forzati a essere disabilitati dall’attaccante? L’attaccante può tranquillamente effettuare chiamate al kernel senza essere intercettato dagli EDR.

Quando Windows carica un driver MiniFilter, c’è un ordine per caricarlo; questo ordine è specificato con un parametro che Microsoft fornisce ai driver MiniFilter, chiamato Altitudine. Questa tecnica è semplice e altamente efficace.

Ora vediamo come funziona questo attacco e come fermarlo.

In questa schermata possiamo vedere che abbiamo diversi driver MiniFilter caricati nel nostro sistema e uno di questi è quello dell’EDR. La terza colonna è l’Altitudine del driver.

Cosa succede se modifichiamo l’Altitudine di questi driver, come FileInfo in quella dell’EDR?
Per fare questo possiamo modificare una chiave di registro REG_MULTI_SZ.

Andiamo a modificare questa chiave specifica con Altitude dal MultiFilter Driver di EDR.

Per rendere effettiva la modifica dobbiamo riavviare l’endpoint. Ora possiamo verificare che la nostra modifica sia effettiva.

Possiamo vedere che ora FileInfo contiene l’altitudine del driver MiniFilter dell’EDR.

Possiamo vedere anche il MiniFilter dell’EDR che prima era caricato ora non lo è più a causa della nostra modifica. Con questa modifica del registro possiamo interagire con i Kernel Callbacks ad esempio senza essere segnalati dagli EDR.

Ho fatto questo test con 6 EDR negli ultimi mesi e NESSUNO di loro ha segnalato la modifica del registro come malevola. Ora, come possiamo monitorarlo? È semplice, possiamo monitorare la modifica di qualsiasi MiniFilter Altitude nel registro e segnalarla come malevola. Con questa tecnica, il Threat Actor
(Qilin Ransomware) che ho visto in un recente attacco in natura, esegue LaZagne senza essere segnalato da EDR.

Spero che i fornitori di EDR possano aggiungere questa telemetria ai loro prodotti, in modo che la tecnica diventi inutile.

L'articolo Come i Threat Actors Bypassano gli EDR con un semplice e banale Reboot proviene da il blog della sicurezza informatica.

Whether you’re a kid or a kid at heart, learning about science and engineering can be a lot more fun if it’s practical. You could sit around learning about motors and control theory, or you could build a robot arm and play with it. If the latter sounds like your bag of hammers, you might like Pedro 2.0.

Pedro 2.0 is a simple 3D-printable robot arm intended for STEAM education. If you’re new to that acronym, it basically refers to the combination of artistic skills with education around science, technology, engineering and mathematics.

The build relies on components that are readily available pretty much around the world—SG90 servo motors, ball bearings, and an Arduino running the show. There’s also an NRF24L01 module for wireless remote control. All the rest of the major mechanical parts can be whipped up on a 3D printer, and you don’t need a particularly special one, either. Any old FDM machine should do the job just fine if it’s calibrated properly.

If you fancy dipping your toes in the world of robot arms, this is a really easy starting point that will teach you a lot along the way. From there, you can delve into more advanced designs, or even consider constructing your own tentacles. The world really is your octopus oyster.

hackaday.com/2024/11/22/learn-…

La neve non era ancora caduta sull’Île-de-France, ma un’ondata di gelo digitale aveva già attraversato la Camera. Secondo Politico, negli ultimi giorni diversi account Telegram di parlamentari francesi sono stati violati. Mercoledì 20 novembre, i rappresentanti eletti dell’Assemblea nazionale hanno ricevuto un’e-mail dai servizi informatici del Palazzo Borbone che li avvertiva della compromissione degli account sulla popolare piattaforma di messaggistica russa. Gli attacchi, secondo quanto riportato da BFMTV, avrebbero colpito deputati di diversi schieramenti politici, un ex ministro del governo Macron, giornalisti politici e dipendenti dell’Assemblea.

Gli hacker avrebbero sfruttato un “attacco di phishing poco sofisticato”, spiega Baptiste Robert, esperto di sicurezza informatica e fondatore di Predicta Lab, in un’intervista a RTL. Le vittime ricevevano messaggi su Telegram con inviti apparentemente innocui: “Ho trovato una tua foto da bambino” o “Una foto del tuo maestro delle elementari”, oppure frasi come “Devo assolutamente mostrarti una cosa”. I messaggi contenevano link fraudolenti che, una volta cliccati, reindirizzavano a una finestra di login falsa. Questo permetteva agli hacker di prendere il controllo degli account in modo invisibile e remoto.

“L’attacco si presenta come un messaggio standard con un link fraudolento che richiede di inserire il proprio numero di telefono”, si legge nella mail inviata ai deputati dal delegato alla protezione dei dati dell’Assemblea nazionale. “Una volta fornito il numero, l’account Telegram viene compromesso immediatamente, consentendo all’aggressore di usarlo per diffondere contenuti dannosi.”

La vicenda mette in luce l’urgenza di rafforzare la sicurezza informatica, anche di fronte a minacce apparentemente banali.

L'articolo Parlamentari Francesi Hackerati! Un attacco Banalissimo di Phishing Li Colpisce in Massa proviene da il blog della sicurezza informatica.

Nella giornata di ieri, arriva in redazione una segnalazione da parte del Dott. Ilario Capurso, Responsabile Servizio Sistemi Informativi del Comune di Calenzano risultata interessante e allo stesso tempo allarmante. I siti delle Pubbliche Amministrazioni italiane stanno letteralmente scomparendo da Google, il motore più utilizzato da tutti gli “essere digitali”. Perché accade questo?

A partire dall’inizio di Novembre su forum.italia.it (gestito da AgID e Dipartimento per la Trasformazione Digitale) si sono moltiplicate le segnalazioni di malfunzionamento di indicizzazione dei siti web ufficiali di molte pubbliche amministrazioni locali italiane da parte di Google Search.

In alcuni casi si è assistito ad una repentina deindicizzazione delle pagine, in altri casi sono scomparsi interi domini di terzo livello riconducibili alla PA (nel formato comune.nomecomune.provincia.it).

Il problema riscontrato

Nel dibattito conseguente non è stata trovata una “causa comune” che potrebbe aver portato a questa deindicizzazione massiva (almeno da parte dei tecnici o incaricati della PA). Dapprima l’ipotesi più quotata pareva essere quella relativa all’implementazione del template “Design Italia”(designers.italia.it/) a cui gli enti pubblici sono obbligati ad allinearsi e che ha come scopo la standardizzazione dei contenuti ed una corretta accessibilità (e condizione necessaria per l’accesso ai finanziamenti PNRR in particolare la misura 1.4.1 “Esperienza del cittadino nei servizi pubblici”).

Questo uno screenshot relativo al mio Ente (Comune di Calenzano) che ci è stato inviato in redazione dal Comune stesso, con un confronto con il mese scorso sulle visite in arrivo da Google:

Effettuando ulteriori verifiche attraverso la Google Search Console si è scoperta una continua deindicizzazione delle pagine senza che venga segnalato un problema specifico.

Ancora nessuna risposta da Google

Sono state cercate incongruenze rispetto a piattaforme di hosting diverse, diversi provider, diversi template del sito, file robots.txt, file di sitemap.xml e diversi fornitori esterni ma non sembra esserci un fattor comune. Fatto da non tralasciare è che i siti incriminati sono normalmente raggiungibili e ricercabili da altri motori di ricerca.

Google è a conoscenza del problema (anche se non c’è una dichiarazione ufficiale) e “non è possibile fare altro che aspettare” riportano i comuni della Pubblica Amministrazione. Probabilmente qualche modifica nell’algoritmo di ranking ha generato il problema (qualcuno suppone l’introduzione dell’AI che è “scappata di mano”). Fatto sta che dopo 3 settimane il problema non è stato risolto.

Questo ha sollevato anche una discussione più ad ampio raggio su quanto i servizi messi a disposizione dei cittadini siano in verità dipendenti da Google che può far “sparire” una PA dall’oggi al domani (tant’è che si è registrato un forte calo nelle visite attraverso i vari analytics).

L'articolo I Siti delle Pubbliche Amministrazioni stanno scomparendo Google! Cosa sta succedendo? proviene da il blog della sicurezza informatica.

Il 19 novembre 2024, Apple ha distribuito una serie di aggiornamenti cruciali per migliorare la sicurezza e la stabilità dei dispositivi che utilizzano macOS, iOS, iPadOS e visionOS.

Questi aggiornamenti risolvono vulnerabilità critiche e ottimizzano le prestazioni di sistema, proteggendo i dati e l’esperienza utente su una vasta gamma di dispositivi Apple. Di seguito, un’analisi dettagliata delle principali novità.L’azienda ha reso prioritaria la protezione dei propri utenti, affrontando falle legate a WebKit e JavaScriptCore, il cuore del rendering delle pagine web sui dispositivi Apple.

Dettagli sulle vulnerabilità risolte

1. JavaScriptCore (CVE-2024-44308)

• Impatto: Un exploit permetteva di eseguire codice arbitrario utilizzando contenuti web dannosi. Secondo Apple, questa vulnerabilità potrebbe essere stata sfruttata attivamente, soprattutto su sistemi Mac con processori Intel.
• Soluzione: L’azienda ha introdotto controlli migliorati per prevenire ulteriori abusi.

1. WebKit (CVE-2024-44309)

• Impatto: La gestione errata dei cookie poteva portare ad attacchi di tipo cross-site scripting (XSS), mettendo a rischio la sicurezza delle sessioni utente. Anche in questo caso, Apple ha confermato il rischio di sfruttamento attivo della vulnerabilità.
• Soluzione: Apple ha risolto il problema migliorando la gestione dello stato dei cookie.

Entrambe le vulnerabilità sono state identificate dai ricercatori Clément Lecigne e Benoît Sevens del Google Threat Analysis Group, noti per il loro lavoro nel contrastare minacce informatiche avanzate.

L’importanza dell’aggiornamento

Le vulnerabilità risolte in iOS 18.1.1 dimostrano la continua necessità di mantenere aggiornati i dispositivi. Le falle di sicurezza possono essere sfruttate per compromettere dati personali o controllo remoto dei dispositivi. Con questa patch, Apple garantisce una maggiore protezione contro minacce emergenti.

Come aggiornare

Per installare iOS 18.1.1:

1. Vai su Impostazioni > Generali > Aggiornamento Software.
2. Assicurati che il dispositivo sia connesso a una rete Wi-Fi e abbia almeno il 50% di batteria.

Per maggiori informazioni sul contenuto di sicurezza degli aggiornamenti, Apple invita a consultare la pagina ufficiale degli aggiornamenti di sicurezza.

Conclusione

Questo aggiornamento conferma l’impegno costante di Apple nel proteggere la privacy e la sicurezza degli utenti, agendo rapidamente per mitigare rischi e garantire la massima affidabilità dei propri dispositivi.

L'articolo Apple rilascia iOS 18.1.1: aggiornamento cruciale per la sicurezza dei dispositivi proviene da il blog della sicurezza informatica.

When electronics release the Magic Smoke, more often than not it’s a fairly sedate event. Something overheats, the packaging gets hot enough to emit that characteristic and unmistakable odor, and wisps of smoke begin to waft up from the defunct component. Then again, sometimes the Magic Smoke is more like the Magic Plasma, as was the case in this absolutely smoked Omron programmable logic controller.

Normally, one tasked with repairing such a thing would just write the unit off and order a replacement. But [Defpom] needed to get the pump controlled by this PLC back online immediately, leading to the somewhat unorthodox repair in the video below. Whatever happened to this poor device happened rapidly and energetically, taking out two of the four relay-controlled outputs. [Defpom]’s initial inspection revealed that the screw terminals for one of the relays no longer existed, one relay enclosure was melted open, its neighbor was partially melted, and a large chunk of the PCB was missing. Cleaning up the damaged relays revealed what the “FR” in “FR4” stands for, as the fiberglass weave of the board was visible after the epoxy partly burned away before self-extinguishing.

With the damaged components removed and the dangerously conductive carbonized sections cut away, [Defpom] looked for ways to make a temporary repair. The PLC’s program was locked, making it impossible to reprogram it to use the unaffected outputs. Instead, he redirected the driver transistor for the missing relay two to the previously unused and still intact relay one, while adding an outboard DIN-mount relay to replace relay three. In theory, that should allow the system to work with its existing program and get the system back online.

Did it work? Sadly, we don’t know, as the video stops before we see the results. But we can’t see a reason for it not to work, at least temporarily while a new PLC is ordered. Of course, the other solution here could have been to replace the PLC with an Arduino, but this seems like the path of least resistance. Which, come to think of it, is probably what caused the damage in the first place.

youtube.com/embed/yZbEM-Sy79Q?…

hackaday.com/2024/11/21/quick-…

Visualization of magnetic skyrmions. (Credit: KRISS)
Magnetic skyrmions are an interesting example of solitons that occurs in ferromagnetic materials with conceivable solutions in electronics, assuming they can be created and moved at will. The creation and moving of such skyrmions has now been demonstrated by [Yubin Ji] et al. with a research article in Advanced Materials. This first ever achievement by these researchers of the Korea Research Institute of Standards and Science (KRISS) was more power efficient than previously demonstrated manipulation of magnetic skyrmions in thicker (3D) materials.

Magnetic skyrmions are sometimes described as ‘magnetic vortices’, forming statically stable solitons. In a broader sense skyrmions are a topologically stable field configuration in particle physics where they form a crucial part of the emerging field of spintronics. For magnetic skyrmions their stability comes from the topological stability, as changing the atomic spin of the atoms inside the skyrmion would require overcoming a significant energy barrier.

In the case of the KRISS researchers, electrical pulses together with a magnetic field were used to create magnetic skyrmions in the ferromagnetic (Fe₃GaTe₂, or FGaT) film, after which a brief (50 µs) electric current pulse was applied. This demonstrated that the magnetic skyrmions can be moved this way, with the solitons moving parallel to the electron flow injection, making them quite steerable.

While practical applications of magnetic skyrmions are likely to be many years off, it is this kind of fundamental research that will enable future magnetic storage and spintronics-related devices.

hackaday.com/2024/11/21/creati…

If you’re into CNC machining, mechanical tinkering, or just love a good engineering rabbit hole, you’re in for a treat. Substack’s [lcamtuf] has written a quick yet insightful 15-minute introduction to involute gears that’s as informative as it is accessible. You can find the full article here. Compared to Hackaday’s more in-depth exploration in their Mechanisms series over the years, this piece is a beginner-friendly gateway into the fascinating world of gear design.

Involute gears aren’t just pretty spirals. Their unique geometry minimizes friction and vibration, keeps rotational speeds steady, and ensures smooth torque transfer—no snags, no skips. As [lcamtuf] points out, the secret sauce lies in their design, which can’t be eyeballed. By simulating the meshing process between a gear and a rack (think infinite gear), you can create the smooth, rolling movement we take for granted in everything from cars to coffee grinders.

From pressure angles to undercutting woes, [lcamtuf] explores why small design tweaks matter. The pièce de résistance? Profile-shifted gears—a genius hack for stronger teeth in low-tooth-count designs.

Whether you’re into the theory behind gear ratios, or in need of a nifty tool to cut them at home, Hackaday has got you covered. Inspired? Read the full article by [lcamtuf] here.

hackaday.com/2024/11/21/gear-u…

A mouse is just two buttons, and a two-dimensional motion tracking system, right? Oh, and a scroll wheel. And a third button. And…now you’re realizing that mice can be pretty complicated. [DIY Yarik] proves that in spades with his impressive—and complex—mouse build. The only thing is, you might argue it isn’t really a mouse.

The inspiration for the mouse was simple. [Yarik] wanted something that was comfortable to use. He also wanted a mouse that wouldn’t break so often—apparently, he’s had a lot of reliability issues with mice in recent years. Thus, he went with a custom 3D-printed design with a wrist rest at the base. This allows his hand to naturally rest in a position where he can access multiple buttons and a central thumbstick for pointing. In fact, there’s a secondary scroll control and a rotary dial as well. It’s a pretty juicy control surface.

The use of a thumbstick is controversial—some might exclaim “this is not a mouse!” To them, I say, “Fine, call it a pointing device.” It’s still cool, and it look like a comfortable way to interface with a computer.

We’ve seen some other neat custom mice over the years, too, like this hilarious force-feedback mouse. Video after the break.

youtube.com/embed/GpYnQJRw7pw?…

hackaday.com/2024/11/21/custom…

With few exceptions, electronic event badges are often all but forgotten as soon as the attendee gets back home. They’re a fun novelty for the two or three days they’re expected to be worn, but after that, they end up getting tossed in a drawer (or worse.) As you might imagine, this can be a somewhat depressing thought thought for the folks who design and build these badges.

But thanks to a new firmware released by the FREE-WILi project, at least one badge is going to get a shot at having a second life. When loaded onto the RP2350-powered DEF CON 32 badge, the device is turned into a handy hardware hacking multi-tool. By navigating through a graphical interface, users will be able to control the badge’s GPIO pins, communicate over I2C, receive and transmit via infrared, and more. We’re particularly interested in the project’s claims that the combination of their firmware and the DC32 badge create an ideal platform for testing and debugging Simple Add-Ons (SAOs).

Don’t know what the FREE-WILi project is? Neither did we until today, which is actually kind of surprising now that we’re getting a good look at it. Basically, it’s a handheld gadget with a dozen programmable GPIO pins and a pair of CC1101 sub-GHz radios that’s designed to talk to…whatever you could possibly want to interface with.

It’s a bit like an even more capable Bus Pirate 5, which considering how many tricks that particular device can pull off, is saying something. As an added bonus, apparently you can even wear the FREE-WILi on your wrist for mobile hardware hacking action!

Anyway, while the hardware in the FREE-WILi is clearly more capable than what’s under the hood of the DC32 badge, there’s enough commonality between them that the developers were able to port a few of the key features over. It’s a clever idea — there’s something like 30,000 of these badges out there in the hands of nerds all over the world, and by installing this firmware, they’ll get a taste of what the project is capable of and potentially spring for the full kit.

If you give your DC32 badge the FREE-WILi treatment, be sure to let us know in the comments.

hackaday.com/2024/11/21/free-w…

Your project needs a cable, and since USB-C cables are omnipresent now, it’s only natural to want to reuse them for your evil schemes. Ever seen USB 3.0 cables used for PCIe link carrying duty? It’s because USB 3.0 cables are built to a reasonably high standard, both sockets and cables are easy to find, and they’re cheap. Well, USB-C cables beat USB 3.0 cables by all possible metrics.

Let’s go through USB-C cable reuse in great detail, and see just what exactly you get when you buy either a gas station C-C USB 2.0 cable, or, the fanciest all-features-supported 240 W Thunderbolt cable that money can buy. Looking for a cable to cut, or something to pass a seriously high-speed link? You’re reading the right article.

The Omnipresent Cables

USB-A to USB-C cables are the least interesting. They’re equivalent to a microUSB to USB-A cable, except there’s a resistor on the USB-C plug, connected from VBUS to one of the CC pins. That’s it. The cable contains four conductors, there’s really not much new. Save these cables for all the devices still built without the 5.1 kΩ resistors.

Now, a USB-C to USB-C cable – let’s say, 60 W max, the default USB-C cable capability. If your cable says anything less than 60 W, say, “2 A” or “15 W”, that’s a lie – it can handle 60 W no problem, all USB-C to C cables can do 60 W. This cable is also cool – for one, it has five conductors; GND, VBUS, D+, D-, and CC. Two of them (GND and VBUS) are guaranteed to be thick enough to carry 3 A without much voltage drop if any, too!

five conductors, two of them thicker – yep, you know where to find a replacement!
What does this mean? If you need a five-wire cable to fix your headphones, and you want something solid, a USB-C cable is probably your best bet ever – and you have a ton of choice here. You will inevitably end up with a heap of broken USB-C cables, which means you’ll never be short of 5-conductor cables – the kind of cable that has always been kind of a rarity, unless you’re pilfering headphone cables for your projects.

What about 100 W to 240 W cables? There’s good news and bad news. Good news is, the cable is likely to contain six wires. One extra wire is for VCONN – power for the emarker chip inside the cable plug, a memory chip you can read over the CC line, letting the PSU know whether the cable is indeed capable of carrying over 5 A – required for the 61 W to 240 W range.

Bad news is – there could still be five wires, if the cable is built using the alternative scheme with two emarkers, one per plug. The VCONN wire won’t be present then, and there’s no way to know until you cut the wire apart, so if you’re looking for a six-wire cable, you might have to try a few different cables. Also, the VCONN wire doesn’t connect the two plugs together – it’s isolated at one end, so don’t expect it to help if you use USB-C sockets instead of cutting the cable.

Now, you don’t always want to cut the cable – you can use USB-C sockets and apply your custom five-wire scheme to them. An idea I hear often is using USB-C cables for 3D printer hotends. It makes sense – such cables can handle 60 W of power without breaking a sweat, and you could likely do a fair bit more. Put extruder power onto the VBUS and GND pins, and use the three wires left for a thermistor and a limit switch. But the cable and socket mechanicals might be a dealbreaker. If your extruder-powering cable vibrates out of the socket, you might end up with a high-resistance-contact high-current connection on your hands – a recipe for melted plastic and possibly flames. Try it at your own risk!

You also won’t be able to make such cable reuse standard-compliant, and such port won’t be safe for any USB-C devices someone might plug into it, so label it accordingly, please.

What About Voltages?

What about putting arbitrary voltages onto VBUS, without PD negotiation? Again, it won’t be standards-compliant unless you really put some effort in – mark your jury-rigged sockets and cables accordingly, or they will eat your devices for breakfast. Also, SPR (100 W) cables contain 30 V 10 nF capacitors at each plug end, and EPR cables contain 63 V ones – reach these limits at your own risk, those capacitors are known to fail short-circuit.

Another factor is if you decide to go for the 48 V / 5 A target while bypassing the USB-C standard, because 48 V support is not as simple as putting 48 V on VBUS. If you just put 48 V on the VBUS pins, you’ll really want to figure out spark management, so that suddenly unplugging the cable won’t burn either the plug or the socket or both – PD has ways to deal with that, but they do require you to actually implement PD, specifically, EPR, which brings a heap of safety guarantees due to exceeding the 20 V limit.

That’s about it when it comes to reusing the cheapest kinds of USB-C cables – you get an extra wire compared to previous USB standards, it can handle a fair bit more power, and you can even use USB-C sockets. However, it will kill your devices if you’re not careful, and you need to take extra care if you go over 25 V or so. What about if you want to get more wires and pull some differential pairs instead?

Up The Speed

Fully-featured USB-C cables and sockets are genuinely wonderful for pulling high-speed communications over them. They are built to a solid standard, with proper impedance controls, shielding, and a modern-day understanding of digital transmission standards. Now, what exactly do you get from a fully-featured USB-C cable?
HDMI over USB C – as in, passing HDMI signals through USB-C cables. I guess, that’s one way to circumvent connector royalties!
Short answer is, you get six differential pairs, and one single-ended wire (CC), in addition to VBUS and GND. You might want to keep GND at a stable level here, and perhaps don’t mess too much with VBUS. There’s a ton you can do with these six diffpairs – two USB3 ports, or a PCIe x2 link, or two SATA, or HDMI, or CSI/DSI. You can even do Ethernet if you really want to – just don’t expect galvanic isolation to work.

There are nuances, of course! Ever see a teardown or an X-ray of a fancy fully-featured cable? There’s typically all sorts of ICs inside each plug. The first one is the emarker chip, and it’s a fun one to keep in mind. For a start, it will result in some ESD diodes between GND and CC – watch out, don’t bring CC below 0 V or above 5 V.

A second kind of IC is the signal re-driver, used in active cables. You have to provide power to these redrivers through either VBUS or VCONN, just like emarkers. If you don’t do it, your high-speed lines might just be unresponsive to any high-speed signal you apply to the pins.

What about rotation? That’s a tough one – unless your signal is very much like USB3/DisplayPort/Thunderbolt, you might not be able to find a suitable mux chip to rotate your signals. As such, you will likely want to stick to a single rotation and wire your signals directly. Then, if you plug in the cable in an unexpected way, it won’t work, so you should probably consider using the CC pin or the two SBU pins for lighting up LEDs. showing you whether you’re good, or whether you should unplug the cable, rotate it, and plug it back in, like in the good old days.

There’s one last thing you might care about. USB-C cables connect TX on one end to RX on another end, and vice-versa. This is nice for PCIe purposes, since it, too, flips pair naming at the connector. For any other signal, you’ll want to keep it in mind – RX1 won’t go to RX1 on the other end, it will go to TX1, and you’ll have to re-layout accordingly. Unfortunately, I’m not intimately familar with active cable inner workings – so, it’s hard for me to tell whether any active cable redriver chips would reject certain sorts of signaling, perhaps, signals that don’t match USB3, DisplayPort or Thunderbolt signaling types.

And One Last Hack

These are the basics of what you should know before you try and reuse a USB-C cable, no matter its complexity. That said, here’s an extra hack before we conclude!

Only one USB2 pair is actually connected at the USB-C cable end – the pair on the same side as the CC pin. My guess is, this was initially done to avoid stubs and cable plug PCB routing complications, as well as to accomodate standards like VirtualLink. Regretfully, we never got VirtualLink cables, which would allow us to use seven differential pairs at a time, but there is another hack we still get out of this!

What does this mean for you? If you use two USB2-grade 2:1 muxes, you can get two extra differential signals out of a fully-compliant USB socket, and they won’t even interfere with standard-compliant cables. Use this for SWD, JTAG, or whatever else, with your signals broken out through a custom plug – just make sure you dutifully switch the muxes depending on cable orientation, then you can keep your USB2 cake and eat it, too.

hackaday.com/2024/11/21/usb-c-…

Il Centro nazionale giapponese per gli affari dei consumatori ha raccomandato la pianificazione dell’eredità digitale per rendere più semplice per i propri cari la gestione degli account e degli abbonamenti dei cittadini dopo la loro morte. Questa iniziativa è nata a causa di numerosi casi in cui i parenti hanno incontrato difficoltà nel cancellare gli abbonamenti a causa della mancanza di accesso ai conti del defunto.

Il Centro suggerisce quattro passaggi per ridurre al minimo tali difficoltà:

1. nominare una persona di fiducia per la gestione dei dati digitali (nei servizi che supportano questo)
2. assicurati che i tuoi cari abbiano accesso ai tuoi dispositivi annotando login, password e codici PIN chiave;
3. creare una lista con l’intero elenco degli abbonamenti completati;
4. inserire tutte le informazioni di cui sopra nel testamento.

Con la crescente popolarità degli smartphone e dei servizi online, la necessità di tale pianificazione diventa sempre più urgente. I parenti affrontano problemi nel chiudere conti o annullare abbonamenti, il che porta a spese indesiderate.

Una soluzione potrebbe essere rappresentata da applicazioni che funzionano in modalità “interruttore a uomo morto”. Questi servizi inviano dati agli individui selezionati se l’utente non ha effettuato l’accesso all’account per un lungo periodo.

Inoltre, Meta offre la possibilità di nominare un cosiddetto “custode” (Legacy Contact) – l’erede dei poteri dell’utente, che sarà in grado di gestire l’account dopo la conferma ufficiale della morte del proprietario. Tali funzioni facilitano notevolmente molti processi per i parenti che stanno già vivendo un forte stress. Gli esperti sottolineano che disporre di dati preparati in anticipo aiuta a evitare difficoltà finanziarie ed emotive.

L’idea della pianificazione digitale non solo aiuta a organizzare la propria eredità, ma apre anche nuove opportunità per gli imprenditori che creano tali servizi. Prima o poi, la maggior parte dei siti e dei servizi sarà in grado di fornire tale funzionalità, e l’unica domanda che resta è se il nostro patrimonio digitale si trasformerà in un archivio ordinato o rimarrà un’eco caotica del passato che giace da qualche parte su Internet.

L'articolo Eredità digitale: chi gestirà i tuoi abbonamenti Netflix quando sarai nell’aldilà? proviene da il blog della sicurezza informatica.