By default, bash is the most popular command language simply because it’s included in most *nix operating systems. Additionally, people don’t tend to spend a lot of time thinking about whatever their computer uses for scripting as they might for other pieces of software like a word processor or browser. If you are so inclined to take a closer look at this tool that’s often taken for granted, there are a number of alternatives to bash and [monzool] wanted to investigate them closely.

Unlike other similar documentation that [monzool] has come across where the writers didn’t actually use the scripting languages being investigated, [monzool] is planning to use each of these and accomplish specific objectives. This will allow them to get a feel for the languages and whether or not they are acceptable alternatives for bash. Moving through directories, passing commands back and forth, manipulating strings, searching for files, and manipulating the terminal display settings are all included in this task list. A few languages are tossed out before initial testing even begins for not meeting certain specific requirements. One example is not being particularly useful in [monzool]’s preferred embedded environments, but even so there are enough bash alternatives to test out ten separate languages.

Unfortunately, at the end of the day none of the ten selected would make a true replacement for bash, at least for [monzool]’s use case, but there were a few standouts nonetheless. Nutshell was interesting for being a more modern, advanced system and [monzool] found Janet to be a fun and interesting project but had limitations with cross-compiling. All in all though this seemed to be an enjoyable experience that we’d recommend if you actually want to get into the weeds on what scripting languages are actually capable of. Another interesting one we featured a while back attempts to perform as a shell and a programming language simultaneously.

hackaday.com/2024/11/26/altern…

Eurojust, Europol e le autorità di 10 paesi hanno scovato un gruppo criminale che gestiva un intricato schema di traffico di sigarette.
Le autorità hanno scoperto un gruppo polacco attivo nel traffico di sigarette e le indagini hanno collegato una fabbrica di sigarette contraffatte in Francia a un altro gruppo criminale internazionale coinvolto nell'operazione.
Quindici sospettati sono stati arrestati in un'operazione congiunta che ha coinvolto cinque paesi.

Il gruppo è stato scoperto dopo essere stato sorpreso a importare grandi quantità di tabacco nel paese senza avvisare le autorità doganali. Il tabacco importato dal gruppo criminale era nascosto come tabacco di scarto. Dopo essere entrato nell'Unione Europea, è stato trasportato in magazzini doganali in Belgio, Spagna e Italia, da dove è stato portato in Germania, Francia, Belgio e Paesi Bassi per essere prodotto e venduto come sigarette. Le autorità francesi hanno scoperto che il tabacco illegale entrava nel paese nascosto in riviste.

Le autorità hanno presto scoperto che gli impianti di produzione di sigarette sparsi in Europa erano collegati. Le indagini hanno rivelato che la stessa organizzazione criminale era responsabile dell'istituzione di queste fabbriche. Il gruppo ha gestito un'operazione sofisticata attraverso più entità. Una in Bulgaria era responsabile del trasporto di materiali diversi dal tabacco come filtri, cartine e adesivi in ​​Grecia e Italia. Un'altra entità in Polonia era specializzata nella logistica e nel trasporto di tabacco e sigarette contraffatte. Il gruppo ha reclutato individui in tutta Europa, tra cui pregiudicati.

Per smantellare l'organizzazione, è stata istituita una squadra investigativa congiunta (#JIT #SIC) che ha coinvolto autorità francesi, italiane e polacche presso #Eurojust. Durante l'indagine, le autorità sono state in grado di intercettare diverse spedizioni di tabacco tagliato illegalmente, per un totale di oltre 50.000 kg. Nel frattempo, sono state chiuse diverse linee di produzione e sono state sequestrate milioni di sigarette contraffatte. Il valore dei beni sequestrati durante l'operazione è stimato in 13 milioni di euro.

Lo smantellamento della rete del traffico di sigarette è culminato in un'operazione congiunta in sei paesi il 19 novembre, ed è proseguito in Francia il 20 novembre. Sono stati arrestati 15 sospettati, 2 in Bulgaria, 4 in Francia, 1 in Germania, 4 in Grecia e 4 in Polonia. Le perquisizioni in Italia hanno portato al sequestro di 46.000 euro, telefoni cellulari, documentazione e tabacco.

Il coordinamento tra le autorità tramite Eurojust ed #Europol è stato fondamentale per il successo dell'operazione. Il team investigativo congiunto istituito presso Eurojust ha garantito lo scambio di prove e informazioni e lo svolgimento di operazioni congiunte.

Per l'Italia sono stati coinvolti Procura della Repubblica di Bergamo; Reparto operativo dei Carabinieri di Bergamo; Unità economico-finanziaria della Guardia di Finanza di Bergamo.

Life was simpler when everything your computer did was text-based. It is easy enough to shove data into one end of a pipe and take it out of the other. Sure, if the pipe extends across the network, you might have to call it a socket and take some special care. But how do you pipe all the data we care about these days? In particular, I found I wanted to transport audio from the output of one program to the input of another. Like most things in Linux, there are many ways you can get this done and — like most things in Linux — only some of those ways will work depending on your setup.

Why?

There are many reasons you might want to take an audio output and process it through a program that expects audio input. In my case, it was ham radio software. I’ve been working on making it possible to operate my station remotely. If all you want to do is talk, it is easy to find software that will connect you over the network.

However, if you want to do digital modes like PSK31, RTTY, or FT8, you may have a problem. The software to handle those modes all expect audio from a soundcard. They also want to send audio to a soundcard. But, in this case, the data is coming from a program.

Of course, one answer is to remote desktop into the computer directly connected to the radio. However, most remote desktop solutions aren’t made for high-fidelity and low-latency audio. Plus, it is nice to have apps running directly on your computer.

I’ll talk about how I’ve remoted my station in a future post, but for right now, just assume we want to get a program’s audio output into another program’s audio input.

Sound System Overview

Someone once said, “The nice thing about standards is there are so many of them.” This is true for Linux sound, too. The most common way to access a soundcard is via ALSA, also known as Advanced Linux Sound Architecture. There are other methods, but this is somewhat the lowest common denominator on most modern systems.

However, most modern systems add one or more layers so you can do things like easily redirect sound from a speaker to a headphone, for example. Or ship audio over the network.

The most common layer over ALSA is PulseAudio, and for many years, it was the most common standard. These days, you see many distros moving to PipeWire.

PipeWire is newer and has a lot of features but perhaps the best one is that it is easy to set it up to look like PulseAudio. So software that understands PipeWire can use it. Programs that don’t understand it can pretend it is PulseAudio.

There are other systems, too, and they all interoperate in some way. While OSS is not as common as it once was, JACK is still found in certain applications. Many choices!

One Way

There are many ways you can accomplish what I was after. Since I am running PipeWire, I elected to use qpwgraph, which is a GUI that shows you all the sound devices on the system and lets you drag lines between them.

It is super powerful but also super cranky. As things change, it tends to want to redraw the “graph,” and it often does it in a strange and ugly way. If you name a block to help you remember what it is and then disconnect it, the name usually goes back to the default. But these are small problems, and you can work around them.

In theory, you should be able to just grab the output and “wire” it to the other program’s input. In fact, that works, but there is one small problem. Both PipeWire and PulseAudio will show when a program is making sound, and then, when it stops, the source vanishes.

This makes it very hard to set up what I wanted. I wound up using a loopback device so there was something for the receiver to connect to and the transient sending device.

Here’s the graph I wound up with:
A partial display of the PipeWire configuration
I omitted some of the devices and streams that didn’t matter, so it looks pretty simple. The box near the bottom right represents my main speakers. Note that the radio speaker device (far left) has outputs to the speaker and to the JTDX in box.

This lets me hear the audio from the radio and allows JTDX to decode the FT8 traffic. Sending is a little more complicated.

The radio-in boxes are the loopback device. You can see it hooked to the JTDX out box because when I took the screenshot, I was transmitting. If I were not transmitting, the out box would vanish, and only the pipe would be there.

Everything that goes to the pipe’s input also shows up as the pipe’s output and that’s connected directly to the radio input. I left that box marked with the default name instead of renaming it so you can see why it is worth renaming these boxes! If you hover over the box, you’ll see the full name which does have the application name in it.

That means JTDX has to be set to listen and send to the streams in question. The radio also has to be set to the correct input and output. Usually, setting them to Pulse will work, although you might have better luck with the actual pipe or sink/source name.

In order to make this work, though, I had to create the loopback device:
pw-loopback -n radio-in -m '[FL FR]' --capture-props='[media.class=Audio/Sink]' --playback-props='[media.class=Audio/Source]' &
This creates the device as a sink with stereo channels that connect to nothing by default. Sometimes, I only connect the left channels since that’s all I need, but you may need something different.

Other Ways

There are many ways to accomplish this, including using the pw-link utility or setting up special configurations. The PipeWire documentation has a page that covers at least most of the scenarios.

You can also create this kind of virtual device and wiring with PulseAudio. If you need to do that, investigate the pactl command and use it to load the module-loopback module.

It is even possible to use the snd-aloop module to create loopback devices. However, PipeWire seems to be the future, so unless you are on an older system, it is probably better to stick to that method.

Sound Off!

What’s your favorite way to route audio? Why do you do it? What will you do with it? I’ll have a post detailing how this works to allow remote access to a ham transceiver, although this is just a part of the equation. It would be easy enough to use something like this and socat to stream audio around the network in fun ways.

We’ve talked about PipeWire for audio and video before. Of course, connecting blocks for audio processing makes us want to do more GNU Radio.

hackaday.com/2024/11/26/linux-…

Gli specialisti di Trellix hanno rilevato una nuova campagna dannosa che sfrutta il vecchio e vulnerabile driver anti-rootkit di Avast (Avast Anti-Rootkit). Gli aggressori utilizzano le tattiche BYOVD (Bring Your Own Vulnerable Driver) per eludere il rilevamento e disabilitare i componenti di sicurezza.

Il malware, che installa il driver vulnerabile sui sistemi delle vittime, è una variante del malware AV Killer. Viene fornito con un elenco codificato contenente i nomi di 142 processi di sicurezza associati a soluzioni di vari produttori.

Poiché il vecchio driver Avast può essere eseguito a livello di kernel, fornisce agli aggressori l’accesso a parti critiche del sistema operativo e consente inoltre al malware di interrompere i processi.

Secondo gli esperti di Trellix, parte del malware (vale a dire il file kill-floor.exe) colloca il driver vulnerabile ntfs.bin nella cartella utente predefinita di Windows. Il malware crea quindi il servizio aswArPot.sys utilizzando Service Control (sc.exe) e registra il driver.

Il malware controlla quindi un elenco di 142 processi associati a vari strumenti di sicurezza e cerca corrispondenze in diverse istantanee dei processi attivi sul sistema. Se viene trovata una corrispondenza, il malware crea un handle per collegarsi al driver Avast installato e utilizza l’API DeviceIoControl per emettere i comandi IOCTL necessari e interrompere il processo.

Il malware attacca i processi di molte soluzioni di sicurezza, inclusi i prodotti di McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET e BlackBerry. Disabilitandoli, il malware è in grado di eseguire liberamente azioni dannose senza generare avvisi o temere il blocco.

Vale la pena notare che questo particolare driver Avast è stato precedentemente sfruttato dagli aggressori. Ad esempio, all’inizio del 2022, i ricercatori sulla sicurezza informatica hanno riportato che AvosLocker utilizzava tattiche simili. E nel 2021, il driver anti-rootkit Avast ha sfruttato il ransomware Cuba.

Più o meno nello stesso periodo, gli esperti di SentinelLabs hanno scoperto due vulnerabilità (CVE-2022-26522 e CVE-2022-26523) che esistevano dal 2016. Questi bug hanno permesso agli aggressori di aumentare i propri privilegi sul sistema di destinazione e di sfuggire alla sandbox. Di conseguenza, gli sviluppatori Avast sono stati informati di questi problemi e la società ha risolto i bug nel dicembre 2021.

L'articolo Il BYOVD sempre più utilizzato per disabilitare gli AV/EDR. Avast, McAfee, Sophos nel mirino proviene da il blog della sicurezza informatica.

Quest'estate ho disattivato l'account Instagram. Era qualcosa che volevo fare da molto tempo, ma a lungo mi sono detto che questo avrebbe compromesso in qualche modo la mia attività. In realtà si trattava di una scusa. Era la dipendenza da dopamina che mi teneva legato a quel social, niente di più. Non so esattamente quando sia scattato il clic che mi ha fatto dire basta. So che è arrivato. Ho chiuso, e non mi è mai più passata per la testa la tentazione di riattivare l'account.

Lo stesso giorno ho disattivato l'account Facebook. Lì però la storia è stata diversa. A differenza di Instagram ci sono state un paio di occasioni in cui ho deciso di riattivarlo. La prima, in concomitanza dell'alluvione che ha colpito la Polonia a settembre, in cui è diventato da una parte un modo per assicurarmi che alcune persone che conoscevo stessero bene, e dall'altra strumento per diffondere i post di un'associazione che coordinava gli aiuti. In un secondo momento l'ho riattivato per una questione lavorativa. Se Instagram lo faccio rientrare senza difficoltà nella categoria dell'inutile, Facebook un minimo di servizio riesce ancora svolgerlo. Il problema è che a fronte di quel boh, 5% di utilità, c'è un 95% di niente, un meccanismo perverso che soverchia e irretisce. Riuscire a utilizzare cum grano salis questo strumento mi risulta complicato. E quindi, alla fine della fiera, meglio farne a meno.

Dal traffico di droga agli omicidi su commissione, il dark web è il regno oscuro del possibile. Perché le indagini sono così difficili.

The post Dark web, la grande piazza dei traffici illegali appeared first on InsideOver.

Imagine you own a weather station. Then imagine that after some years have passed, you’ve had to replace one of the sensors multiple times. Your new problem is that the sensor is no longer available. What does a hacker like [Luca] do? Build a custom solution, of course!

[Luca]’s work concerns the La Crosse WS-9257F-IT weather station, and the repeat failures of the TX44DTH-IT external sensor. Thankfully, [Luca] found that the weather station’s communication protocol had been thoroughly reverse-engineered by [Fred], among others. He then set about creating a bridge to take humidity and temperature data from Zigbee sensors hooked up to his Home Assistant hub, and send it to the La Crosse weather station. This was achieved with the aid of a SX1276 LoRa module on a TTGO LoRa board. Details are on GitHub for the curious.

Luca didn’t just work on the Home Assistant integration, though. A standalone sensor was also developed, based on the Xiao SAMD21 microcontroller board and a BME280 temperature, pressure, and humidity sensor. It too can integrate with the Lacrosse weather station, and proved useful for one of [Luca’s] friends who was in the same boat.

Ultimately, it sucks when a manufacturer no longer supports hardware that you love and use every day. However, the hacking community has a way of working around such trifling limitations. It’s something to be proud of—as the corporate world leaves hardware behind, the hackers pick up the slack!

hackaday.com/2024/11/26/recrea…

Most of us associate echolocation with bats. These amazing creatures are able to chirp at frequencies beyond the limit of our hearing, and they use the reflected sound to map the world around them. It’s the perfect technology for navigating pitch-dark cave systems, so it’s understandable why evolution drove down this innovative path.

Humans, on the other hand, have far more limited hearing, and we’re not great chirpers, either. And yet, it turns out we can learn this remarkable skill, too. In fact, research suggests it’s far more achievable than you might think—for the sighted and vision impaired alike!

Bounce That Sound

Bats are the most famous biologcal users of echolocation. Credit: Petteri Aimonen
Before we talk about humans using echolocation, let’s examine how the pros do it. Bats are nature’s acoustic engineers, emitting rapid-fire ultrasonic pulses from their larynx that can range from 11 kHz to over 200 kHz. Much of that range is far beyond human hearing, which tops out at under 20 kHz. As these sound waves bounce off objects in their environment, the bat’s specialized ultrasonic-capable ears capture the returning echoes. Their brain then processes these echoes in real-time, comparing the outgoing and incoming signals to construct a detailed 3D map of their surroundings. The differences in echo timing tell them how far away objects are, while variations in frequency and amplitude reveal information about size, texture, and even movement. Bats will vary between constant-frequency chirps and frequency-modulated tones depending on where they’re flying and what they’re trying to achieve, such as navigating a dark cavern or chasing prey. This biological sonar is so precise that bats can use it to track tiny insects while flying at speed.

Humans can’t naturally produce sounds in the ultrasonic frequency range. Nor could we hear them if we did. That doesn’t mean we can’t echolocate, though—it just means we don’t have quite the same level of equipment as the average bat. Instead, humans can achieve relatively basic echolocation using simple tongue clicks. In fact, a research paper from 2021 outlined that skills in this area can be developed with as little as a 10-week training program. Over this period, researchers successfully taught echolocation to both sighted and blind participants using a combination of practical exercises and virtual training. A group of 14 sighted and 12 blind participants took part, with the former using blindfolds to negate their vision.

The aim of the research was to investigate click-based echolocation in humans. When a person makes a sharp click with their tongue, they’re essentially launching a sonic probe into their environment. As these sound waves radiate outward, they reflect off surfaces and return to the ears with subtle changes. A flat wall creates a different echo signature than a rounded pole, while soft materials absorb more sound than hard surfaces. The timing between click and echo precisely encodes distance, while differences between the echoes reaching each ear allows for direction finding.
The orientation task involved asking participants to use mouth clicks to determine the way a rectangular object was oriented in front of them. Credit: research paperThe size discrimination task asked participants to determine which disc was bigger solely using echolocation. Credit: research paper
The training regime consisted of a variety of simple tasks. The researchers aimed to train participants on size discrimination, with participants facing two foam board disks mounted on metal poles. They had to effectively determine which foam disc was larger using only their mouth clicks and their hearing. The program also included an orientation challenge, which used a single rectangular board that could be rotated to different angles. The participants had to again use clicks and their hearing to determine the orientation of the board. These basic tools allowed participants to develop increasingly refined echo-sensing abilities in a controlled environment.

Perhaps the most intriguing part of the training involved a navigation task in a virtually simulated maze. Researchers first created special binaural recordings of a mannikin moving through a real-world maze, making clicks as it went. They then created virtual mazes that participants could navigate using keyboard controls. As they navigated through the virtual maze, without vision, the participants would hear the relevant echo signature recorded in the real maze. The idea was to allow participants to build mental maps of virtual spaces using only acoustic information. This provided a safe, controlled environment for developing advanced navigation skills before applying them in the real world. Participants also attempted using echolocation to navigate in the real world, navigating freely with experimenters on hand to guide them if needed.
Participants were trained to navigate a virtual maze using audio cues only. Credit: research paper
The most surprising finding wasn’t that people could learn echolocation – it was how accessible the skill proved to be. Previous assumptions about age and visual status being major factors in learning echolocation turned out to be largely unfounded. While younger participants showed some advantages in the computer-based exercises, the core skill of practical echolocation was accessible to all participants. After 10 weeks of training, participants were able to correctly answer the size discrimination task over 75% of the time, and at increased range compared to when they began. Orientation discrimination also improved greatly over the test period to a success rate over 60% for the cohort. Virtual maze completion times also dropped by over 50%.
Over time, participants improved in all tasks—particularly the size discrimination task, as seen in the results on this graph. The difficulty level of tasks were also scaled over time, presenting greater challenge as participants improved their echolocation skills. Credit: research paper
The study also involved a follow-up three months later with the blind members of the cohort. Participants credited the training with improving their spatial awareness, and some noted they had begun to use the technique to find doors or exits, or to make their way through strange places.

What’s particularly fascinating is how this challenges our understanding of basic human sensory capabilities. Echolocation doesn’t involve adding new sensors or augmenting existing ones—it’s just about training the brain to extract more information from signals it already receives. It’s a reminder that human perception is far more plastic than we often assume.

The researchers suggest that echolocation training should be integrated into standard mobility training for visually impaired individuals. Given the relatively short training period needed to develop functional echo-sensing abilities, it’s hard to argue against its inclusion. We might be standing at the threshold of a broader acceptance of human echolocation, not as an exotic capability, but as a practical skill that anyone can learn.

hackaday.com/2024/11/26/humans…

Aggiornare a una nuova versione di sistema operativo dovrebbe significare miglioramenti e nuove funzionalità. Tuttavia, l’update di Windows 11 24H2 sta portando con sé non pochi grattacapi, tra dispositivi USB non riconosciuti e giochi Ubisoft che si bloccano senza pietà. Ecco tutto quello che sta succedendo.

Dispositivi USB non rilevati

Dopo l’installazione di Windows 11 24H2, alcuni utenti si sono ritrovati con dispositivi USB che non vengono più riconosciuti. Il problema colpisce in particolare scanner e stampanti multifunzione che supportano il protocollo eSCL (eScanner Communication Language). Questo protocollo consente la scansione via USB o rete (Ethernet e Wi-Fi) senza bisogno di driver, ma un bug impedisce al dispositivo di passare correttamente dalla modalità eSCL a quella USB.

Non solo scanner e stampanti: anche fax, modem e dispositivi di rete con supporto eSCL sono coinvolti. Per evitare problemi, Microsoft ha deciso di bloccare l’installazione dell’aggiornamento sui PC con tali dispositivi collegati.

Per proteggere gli utenti, Microsoft ha bloccato l’installazione dell’aggiornamento sui PC che hanno questi dispositivi collegati. Gli utenti possono scegliere di attendere un fix ufficiale o scollegare temporaneamente i dispositivi per procedere con l’aggiornamento.

Impossibile giocare ad Assassin’s Creed e altri titoli Ubisoft

Gli appassionati di videogiochi non sono esenti dai problemi. Titoli come Assassin’s Creed Valhalla, Origins, Odyssey, Star Wars Outlaws e Avatar: Frontiers of Pandora stanno riscontrando incompatibilità gravi con Windows 11 24H2. I giochi spesso non si caricano o si bloccano con schermate nere, rendendo impossibile giocare.

Nonostante Ubisoft abbia rilasciato un fix temporaneo per Star Wars Outlaws (incluso in un aggiornamento da 8,83 GB), Microsoft segnala che i problemi di prestazioni persistono. Di conseguenza, anche in questo caso è stato applicato un blocco dell’aggiornamento per i dispositivi con questi giochi installati.

Blocchi mirati: la strategia di Microsoft

Per gestire queste problematiche, Microsoft ha applicato un compatibility hold, bloccando l’installazione di Windows 11 24H2 sui dispositivi potenzialmente interessati. Questa misura si applica sia ai PC con giochi Ubisoft problematici, sia a quelli con dispositivi USB eSCL collegati.

Conclusione

Gli aggiornamenti di sistema possono essere una lama a doppio taglio, come dimostra questo caos. Da una parte, Microsoft e Ubisoft stanno lavorando per risolvere i problemi; dall’altra, gli utenti devono convivere con bug che rendono frustrante l’esperienza. Il consiglio? Non forzare l’installazione e aspettare che le aziende rilascino soluzioni definitive.

Nel frattempo, chi gioca o usa dispositivi USB critici dovrebbe mantenere una versione stabile di Windows 11 e restare alla larga da aggiornamenti avventati. Perché, in fondo, nessuno vuole trovarsi con uno scanner muto e un gioco che non risponde.

L'articolo Windows 11 24H2: Dispositivi USB non rilevati e giochi Ubisoft bloccati proviene da il blog della sicurezza informatica.

Deno Land, sviluppatore del runtime Deno per JavaScript, TypeScript e WebAssembly, ha presentato una petizione per cancellare il marchio di Oracle per il termine “JavaScript” presso l’Ufficio brevetti e marchi degli Stati Uniti (USPTO). La petizione sostiene che Oracle si stia mantenendo illegalmente i diritti sul termine travisando la sua applicazione.

Gli argomenti principali di Deno sono che “JavaScript” è un termine comune, Oracle non lo utilizza a fini commerciali e la domanda di marchio è stata depositata utilizzando prove fraudolente. In particolare, Oracle ha fornito screenshot del sito web Nodejs.org come prova dell’uso commerciale del termine.

Ryan Dahl, fondatore di Deno e creatore di Node.js, ha osservato che l’azienda ha ripetutamente cercato di risolvere questo problema in modo pacifico. Nel 2022, Dahl ha inviato una lettera aperta a Oracle chiedendole di abbandonare il marchio, ma non ha mai ricevuto risposta. Nel settembre 2024 ci riprovò, raccogliendo le firme di più di 14mila sviluppatori, ma Oracle ancora una volta ignorò l’appello.

Dahl ha spiegato che l’obiettivo di Deno è rimuovere le barriere legali all’uso del termine “JavaScript” in prodotti, eventi e nomi di organizzazioni. Ha affermato che il marchio esistente crea confusione e porta a restrizioni inutili, inclusi avvisi di violazione.

È interessante notare che gli organizzatori della conferenza JSConf hanno scelto questo nome per evitare conseguenze legali associate all’utilizzo del termine completo “The JavaScript Conference”. Incidenti simili, comprese le richieste di smettere di usare il termine, si sono verificati in precedenza con altri progetti.

La petizione sostiene inoltre che Oracle in realtà non utilizza il termine “JavaScript” nei suoi prodotti, il che potrebbe costituire motivo di cancellazione del marchio. Se Oracle non rispondesse alla richiesta dell’USPTO entro il 4 gennaio 2025, Deno potrebbe prevalere per impostazione predefinita.

Dahl spera che Oracle riconosca che “JavaScript” appartiene a una comunità globale di sviluppatori, non a una sola azienda. Ha però anche precisato che in caso di controversia Deno è pronto a presentare prove per dimostrare che il marchio non è stato utilizzato in conformità alla legge.

L'articolo Deno sfida Oracle: La battaglia legale per il termine JavaScript si intensifica proviene da il blog della sicurezza informatica.

[ClownVamp]’s art project The Junk Machine is an interactive and eye-catching machine that, on demand, prints out an equally eye-catching and unique yet completely meaningless (one may even say corrupted) AI-generated advertisement for nothing in particular.

The machine is an artistic statement on how powerful software tools that have genuine promise and usefulness to creative types are finding their way into marketer’s hands, and resulting in a deluge of, well, junk. This machine simplifies and magnifies that in a physical way.

We can’t help but think that The Junk Machine is in a way highlighting Sturgeon’s Law (paraphrased as ‘ninety percent of everything is crud’) which happens to be particularly applicable to the current AI landscape. In short, the ease of use of these tools means that crud is also being effortlessly generated at an unprecedented scale, swamping any positive elements.

As for the hardware and software, we’re very interested in what’s inside. Unfortunately there’s no deep technical details, but the broad strokes are that The Junk Machine uses an embedded NVIDIA Jetson loaded up with Stable Diffusion’s SDXL Turbo, an open source AI image generator that can be installed and run locally. When and if a user mashes a large red button, the machine generates a piece of AI junk mail in real time without any need for a network connection of any kind, and prints it from an embedded printer.

Watch it in action in the video embedded below, just under the page break. There are a few more different photos on [ClownVamp]’s X account.

cdn.transientlabs.xyz/tlx/junk…

hackaday.com/2024/11/26/the-ju…

Introduction

In a recent incident response case, we dealt with a variant of the Mimic ransomware with some interesting customization features. The attackers were able to connect via RDP to the victim’s server after a successful brute force attack and then launch the ransomware. After that, the adversary was able to elevate their privileges by exploiting the CVE-2020-1472 vulnerability (Zerologon).

The identified variant abuses the Everything library and provides an easy-to-use GUI for the attacker to customize the operations performed by the malware. It also has features for disabling security mechanisms and running system commands.

This ransomware variant is named “Elpaco” and contains files with extensions under the same name. In this post, we provide details about Elpaco, besides already shared, as well the tactics, techniques and procedures (TTPs) employed by the attackers.

Analysis

First look at the sample

Our analysis started with a basic inspection of the sample. First, we verified its properties, such as the file type, strings and capabilities, as shown in the images below.

File type analysis

Interestingly enough, the malware used a 7-Zip installer mechanism, so it was classified as packed by most malware analysis tools and raised suspicions with detection tools.

File properties analysis

Entropy analysis

We inspected the file as a ZIP and found that the sample abused the Everything library, a legitimate filename search engine that provides fast searching and real-time updates by indexing files in Windows systems.

Malware archive contents

The artifact abused this library in similar ways to the Mimic ransomware discovered earlier by TrendMicro: it contained legitimate Everything applications (
Everything32.dll and Everything.exe) and a password-protected archive with malicious payloads, named Everything64.dll. The remaining file inside the archive was a legitimate 7-Zip utility for extracting the malicious archive contents. The Mimic ransomware searches for specific files using Everything APIs, encrypts user data, demands ransom payments, and exhibits sophisticated features like multi-threaded encryption to speed up the attack. Mimic also avoids detection by obfuscating its code, which makes it harder for security tools to detect and block the attack.
By analyzing Elpaco strings, we were able to identify the command used to extract the
Everything64.dll file, including its password.2e434 RunProgram="hidcon:7za.exe x -y -p7183204373585782 Everything64.dll"

7-Zip extraction command

When executed, the malware unpacked the archive and dropped the necessary files into the
%AppData%\Local directory, inside a separate directory with a randomly generated UUID as the name.C:\Users\user\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-C8DF72D8F78A\
Destination directory

Sample contents

The archive contents are required for encrypting files and performing additional tasks in the operating system.

Elpaco structure

For example, the
DC.exe binary is the Defender Control tool for enabling and disabling Windows Defender. It is triggered by the sample once unpacked.

Defender Control (DC.exe) software

The sample also drops a file called
session.tmp into the same destination directory. This is a session key for resuming encryption if the malicious process is interrupted, as by a process kill.

session.tmp file

However, the most interesting artifact is
svhostss.exe, which is the main console used by the malware. It is worth mentioning that this name closely mimics svchost.exe, a legitimate Windows process. This naming pattern is often used by threat actors to confuse less experienced individuals during memory analysis. The svhostss.exe file is indeed the binary that performs malicious instructions. The malware comes with a GUI under the name gui40.exe, located in the same directory. It interacts with the console and facilitates operations like customizing ransomware properties, such as a ransom note or allowed directories/files, and performing actions in the target system.

DC.exe is called during runtime by svhostss.exe, with the /D available command for disabling

In the GUI, the operator can select entire drives for encryption, perform a process injection to hide malicious processes, customize the ransom note, change the encryption extension, set the order of encryption based on the original file format, and exclude specific directories, files or formats from encryption.

Ransomware GUI

Ransom note customization

It is also possible to kill certain processes specified by the operator and execute system commands, all of which makes this threat highly customizable.

Ransomware parameters

Data import and export

The sample allows for the import and export of malware configuration files according to the parameters set by the operator. There are several built-in templates within the malware for the operator to choose from. The image below shows an exported configuration file; note that each configuration is preceded by a number that represents its ID.

Custom configuration file

The console interface, running alongside the GUI, gathers detailed information about the system, including drives and file shares.

Information gathering by svhostss.exe

The malware creates the following registry keys — note that all files with the default
.ELPACO-team extension are classified as “mimicfiles” and configured to open the ransom note (Decryption_INFO.txt).HKLM\SOFTWARE\Classes\.ELPACO-team\: "mimicfile"

HKLM\SOFTWARE\Classes\mimicfile\shell\open\command\: "notepad.exe
"C:\Users\user\AppData\Local\Decryption_INFO.txt""
Also, the artifact configures the
Run registry key to execute svhostss.exe and display the ransom note at startup.HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhostss:
""C:\Users\user\AppData\Local\BD3FDDDF-6CAF-3EBC-D9CF-
C8DF72D8F78A\svhostss.exe""

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhostss.exe: "notepad.exe
"C:\Users\user\AppData\Local\Decryption_INFO.txt""
It is noteworthy that the main binary,
svhostss.exe, lacks significant protection from analysis, so we were able to easily see certain command executions performed by the malware.

Runtime strings

We were also able to find suspicious imports of the functions
FindFirstFileW, WriteFile, FindNextFileW and ShellExecuteW. These are typically used in ransomware samples for file manipulation, while the latter is often used for calling an external program, such as PowerShell, cmd.exe or a third-party component, for deleting the malware.

Function imports

In the case of the Elpaco and Mimic variants, it uses the
SetSearchW function exported from the legitimate Everything DLL to search the victim’s files, as shown in the images below. Interestingly enough, we detected no functions for data exfiltration.

SetSearchW function

Detection and analysis evasion

The artifact encrypts the victim’s files with the stream cipher ChaCha20. The key for this cipher is encrypted by the asymmetric encryption algorithm RSA-4096 — without the key we were unable to decrypt the files.

ChaCha20 call

As shown in the image below, all procedures performed by the ransomware during execution are logged to
C:\temp\MIMIC_LOG.txt. The artifact also drops a copy of the session.tmp key file into the same C:\temp directory.

MIMIC_LOG.txt file

The last step in malware execution is calling the
Del command to delete all executables, configuration files, DLLs, batch files and database-related files in the ransomware directory. Interestingly enough, before deleting, the sample uses the fsutil LOLBin, as shown in the image above, to securely erase svhostss.exe file, without the possibility of its recovery.

YARA rules

Based on our analysis of the sample, we developed the following YARA rules for detecting both the dropper and the console interface used by the GUI. The rules take into account the file type, relevant strings and library imports.

Elpaco dropper:
import "pe"

rule elpaco_dropper
{
meta:
author = "Kaspersky - GERT"
description = "Yara rule for detecting the Elpaco dropper."
target_entity = "file"

strings:
$s1 = "-p7183204373585782" wide ascii nocase
$s2 = "Everything64.dll" wide ascii nocase
$s3 = "ELPACO-team.exe" wide ascii nocase
condition:
(2 of ($s*)) and pe.imports("SHELL32.dll", "ShellExecuteW") and pe.imports("KERNEL32.dll",
"LoadLibraryA")
}
svhostss.exe (console interface):
import "pe"

rule elpaco_console
{
meta:
author = "Kaspersky - GERT"
description = "Yara rule for detecting the Elpaco/Mimic main console."
target_entity = "file"

strings:
$s1 = "powershell.exe -ExecutionPolicy Bypass" wide ascii nocase
$s2 = "Software\\Classes\\mimicfile\\shell\\open\\command" wide ascii nocase
$s3 = "cmd.exe /c DC.exe /D" wide ascii nocase
$s4 = "MIMIC_LOG.txt" wide ascii nocase
$s5 = "mimicfile" wide ascii nocase
$s6 = "Everything Setup..." wide ascii nocase
$s7 = "

Victims

We used these YARA rules on public sources to detect threat actors who had recently used the Elpaco sample and other Mimic variants, mainly in the United States, Russia, the Netherlands, Germany and France. However, their presence was not limited to those countries, with further cases detected in Canada, Romania, South Korea, the United Kingdom and so on.

Top 5 countries targeted by Mimic (download)

The following chart shows the evolution of Mimic appearances per month.

Mimic appearances per month, 2024 (download)

The collected data shows that Mimic variants, including Elpaco, have been used by attackers at least since August 2023.

Conclusion

In this incident, we observed that the Elpaco ransomware is a Mimic variant that abused the Everything DLL, which is used for file discovery. The artifact presented an interesting user interface for customizing its attributes, while allowing the operator to export the parameters to a configuration file. Unfortunately, the encryption algorithm makes it impossible to decrypt the files on an infected machine without the private key, which makes this threat hard to deal with. Another feature of Elpaco is that it deletes itself after encrypting files to evade detection and analysis. We have observed attacks with Elpaco and other Mimic samples on a massive scale, targeting a wide range of countries worldwide, and we’ll continue monitoring this threat.

Kaspersky products detect the threat described in this article with the following verdicts:

• HEUR:Trojan-Ransom.Win32.Generic (dropper).
• HEUR:Trojan-Ransom.Win32.Mimic.gen (svhostss.exe).

Tactics, techniques and procedures

Below are the TTPs identified from our malware analysis.

Indicators of Compromise

• 61f73e692e9549ad8bc9b965e25d2da683d56dc1 (dropper)
• 8af05099986d0b105d8e38f305efe9098a9fbda6 (svhostss.exe)

securelist.com/elpaco-ransomwa…

For a lot of electrical and mechanical machines, there are nominal and peak ratings for energy output or input. If you’re in marketing or advertising, you’ll typically look at the peak rating and move on with your day. But engineers need to know that most things can only operate long term at a fraction of this peak rating, whether it’s a power supply in a computer, a controller on an ebike, or the converter on a wind turbine. But this electric motor system has a unique cooling setup allowing it to function at nearly full peak rating for an unlimited amount of time.

The motor, called the Super Continuous Torque motor built by German automotive manufacturer Mahle is capable of 92% of its peak output power thanks to a unique oil cooling system which is able to remove heat and a rapid rate. Heat is the major limiter for machines like this; typically when operating at a peak rating a motor would need to reduce power output to cool down so that major components don’t start melting or otherwise failing. Given that the largest of these motors have output power ratings of around 700 horsepower, that’s quite an impressive benchmark.

The motor is meant for use in passenger vehicles but also tractor-trailer style trucks, where a motor able to operate at its peak rating would mean a smaller size motor or less weight or both, making them easier to fit into the space available as well as being more economically viable. Mahle is reporting that these motors are ready for production so we should be seeing them help ease the transportation industry into electrification. If you’re more concerned about range than output power, though, there’s a solution there as well so you don’t have to be stuck behind the times with fossil fuels forever.

Thanks to [john] for the tip!

hackaday.com/2024/11/26/electr…