Working from home can be pretty cool, but if you’re not the only one in the house trying to do it, the whole situation can feel like you’re right back in the office with all those walking, talking distractions. Except they’re in pajamas instead of business casual.

So, what’s the answer? Many times it’s not practical to stop what you’re doing, especially just to communicate that you’re busy. We suppose you could glare at them, put up your hand, or even give a dismissive wave, but a better solution might be this mood signal built by [gokux].

Through a simple web app, you can be red to indicate that you’re super busy, yellow to mean busy-ish, and green for let’s gossip about the cats.

This mood indicator is built on the Seeed Xiao ESP32-C3 and shows the given mood indicator on a small matrix of sixteen WS2812B LEDs. It’s powered by a 600 mAh, 3.7 V battery and a small push button switch. As usual, [gokux] has grade-A instructions for building your own version of this slick solution.

Would you like something more tactile and low-tech? Check out our own [Bob Baddeley]’s free/busy indicator from the lockdown days.

hackaday.com/2024/12/14/person…

Sebbene la grafite non faccia parte dei 17 elementi chimici chiamati “terre rare” in cui la Cina è leader assoluta nella produzione, il silicio, insieme alla grafite ultrapura, si conferma una delle risorse più preziose al mondo per il comparto tecnologico e ad alta innovazione.

La State Electronic Technology Corporation of China (CETC) ha raggiunto una precisione inimmaginabile nella produzione di grafite. Utilizzando sofisticate tecniche di lavorazione dei materiali, gli scienziati hanno sviluppato un metodo che consente loro di produrre in serie grafite con un’incredibile purezza del carbonio, oltre il 99,99995%.

Una rivoluzione nel mondo della tecnologia

Il direttore generale del CETC, Xie Yongqiang, ha sottolineato che la nuova attrezzatura è in grado di convertire la polvere di grafite con una purezza iniziale del 99,93% in un materiale quasi ideale. Il processo è così preciso che ogni molecola è sottoposta a un controllo multilivello e il livello raggiunto è così vicino al limite teorico che la quantità di impurità diventa quasi invisibile.

La cosa più interessante è che con questo approccio il costo di produzione viene notevolmente ridotto. Gli ingegneri sono riusciti a ridurre i costi fino al 40% rispetto ai processi tradizionali. Ora l’equilibrio di potere nel mercato globale dei materiali ad alta tecnologia potrebbe cambiare radicalmente.

Poco prima dell’avvento della tecnologia CETC, China Minmetals Co ha anche introdotto il proprio sviluppo di grafite ultrapura. Tuttavia, il loro risultato era principalmente di natura sperimentale e non era adatto alla produzione di massa. Inoltre, la loro tecnologia richiedeva miglioramenti, quindi era impossibile introdurla nell’industria nel prossimo futuro.

Le applicazioni della grafite ultra-pura

La grafite con questo livello di purezza apre nuove prospettive per le industrie ad alta tecnologia. Nel settore dei veicoli elettrici, il materiale migliorerà le prestazioni delle batterie: aumentando la velocità di ricarica, la capacità e la durata complessiva. Ogni frazione percentuale di purezza influisce in modo critico sull’intensità energetica dei dispositivi di accumulo elettrico.

Anche la produzione di semiconduttori riceverà un impulso allo sviluppo. I crogioli di grafite possono ora essere prodotti con estrema precisione. I moderni metodi di lavorazione consentono di creare pareti con una superficie perfettamente liscia, che elimina difetti microscopici che possono contaminare il silicio fuso. Grazie all’eccezionale purezza del materiale utilizzato, il rischio di ingresso di elementi estranei è ridotto al minimo. Questo è fondamentale per la produzione di microchip, dove anche le impurità microscopiche possono interrompere la conduttività o causare il malfunzionamento dei componenti.

L’industria aeronautica è interessata al materiale per la sua stabilità termica unica. La grafite di elevata purezza può resistere a temperature estreme, rendendola indispensabile nella creazione di componenti speciali per la tecnologia aerospaziale. Viene utilizzato, ad esempio, per realizzare scudi termici ed elementi di motori a razzo, che devono mantenere le loro proprietà a temperature superiori a 2000 °C. Il materiale viene anche utilizzato attivamente per creare stampi per parti fuse, poiché non si deforma in caso di sbalzi di temperatura.

La grafite svolge un ruolo speciale nell’energia nucleare. Nei reattori nucleari agisce come moderatore di neutroni, contribuendo a controllare la reazione a catena e garantire la stabilità dell’impianto. L’elevata purezza riduce al minimo il rischio di reazioni chimiche indesiderate nel nocciolo del reattore, che è fondamentale per la sicurezza a lungo termine.

Sanzioni, geopolitica economia e tecnologia

Naturalmente, lo sviluppo della CETC ha anche un significato geopolitico. La Cina ha già inserito la grafite ad elevata purezza nella sua lista di controllo delle esportazioni, trasformando di fatto il materiale in una risorsa strategica paragonabile per importanza ai metalli delle terre rare.

Il presidente della China Carbon Industry Association, Sun Qing, ha sottolineato in precedenza: la grafite è una risorsa naturale insostituibile che non può essere venduta a prezzi di dumping dopo una semplice lavorazione. Ciò significa che il controllo sulla sua produzione rappresenterà un serio vantaggio per la Cina di fronte alle restrizioni commerciali da parte degli Stati Uniti e dell’Unione Europea.

L'articolo L’Equilibrio Globale e il Potere Delle terre Rare. La Cina rende la grafite pura al 99,99995%! proviene da il blog della sicurezza informatica.

Krispy Kreme è stata colpita da un incidente informatico che ha mandato in tilt i sistemi di ordinazione online negli Stati Uniti. L’attacco ha generato problemi nelle consegne digitali in tutto il paese, causando frustrazione tra i clienti. Nonostante il caos online, le operazioni nei negozi fisici non sono state toccate e continuano a offrire ai clienti le loro celebri delizie.

L’incidente è stato ufficialmente comunicato tramite una comunicazione ufficiale presso la Securities and Exchange Commission (SEC). Nel documento, l’azienda ha rivelato di essere stata oggetto di “attività non autorizzate su una porzione dei propri sistemi informativi.”

“L’azienda, insieme ai propri esperti esterni di cybersecurity, continua a lavorare duramente per rispondere e mitigare l’impatto derivante dall’incidente, inclusa la ripresa dei servizi di ordinazione online, e ha informato le autorità federali competenti,” spiega il comunicato.

Nonostante l’incidente sia ancora sotto indagine, la società ha ammesso che questo potrebbe avere un “impatto significativo” sulle attività aziendali finché i sistemi non torneranno operativi.

Oltre l’impatto operativo: il rischio per i dati dei clienti

Sebbene le conseguenze immediate si siano manifestate principalmente attraverso problemi con le ordinazioni online, persistono preoccupazioni riguardo a un’eventuale esposizione dei dati dei clienti. Secondo esperti del settore, la natura di questi attacchi spesso non si limita solo a interrompere i sistemi ma anche a sottrarre dati sensibili. Le indagini sulle implicazioni di queste violazioni potrebbero durare mesi.

Una risposta rapida per limitare i danni

Nonostante la violazione, l’azienda è riuscita a rispondere in maniera relativamente efficace. Esperti di sicurezza hanno sottolineato come l’azione tempestiva da parte del team informatico abbia mitigato conseguenze più gravi: la rilevazione rapida dell’intrusione e l’attuazione del piano di risposta agli incidenti hanno consentito di contenere l’impatto operativo e continuare a mantenere gli impegni con partner retail e ristoranti.

Conclusione

Questo attacco dimostra come anche realtà con una natura apparentemente “leggera” possano rivelarsi vulnerabili in un contesto sempre più digitalizzato. La risposta tempestiva è stata fondamentale, ma resta chiaro che la cybersecurity non riguarda solo la protezione dei dati, ma anche la capacità di mantenere operativa l’intera infrastruttura durante momenti critici.

Con le festività alle porte e l’incidente ancora sotto indagine, l’azienda deve ricostruire la propria resilienza, proteggere i clienti e assicurarsi che situazioni simili possano essere affrontate con maggiore prontezza in futuro.

Come si suol dire, non tutte le ciambelle riescono col buco.

L'articolo Niente Ciambelle Oggi! Un attacco informatico blocca Krispy Kreme proviene da il blog della sicurezza informatica.

Researchers recently shared details on creating foldable, self-locking structures by using multi-material 3D printing. These origami-inspired designs can transition between flat and three-dimensional forms, locking into place without needing external support or fasteners.

The 3D structure of origami-inspired designs comes from mountain and valley fold lines in a flat material. Origami designs classically assume a material of zero thickness. Paper is fine, but as the material gets thicker things get less cooperative. This technique helps avoid such problems.
An example of a load-bearing thick-film structure.
The research focuses on creating so-called “thick-panel origami” that wraps rigid panels in a softer, flexible material like TPU. This creates a soft hinge point between panels that has some compliance and elasticity, shifting the mechanics of the folds away from the panels themselves. These hinge areas can also be biased in different ways, depending on how they are made. For example, putting the material further to one side or the other will mechanically bias that hinge to fold into either a mountain, or a valley.

Thick-panel origami made in this way paves the way towards self-locking structures. The research paper describes several different load-bearing designs made by folding sheets and adding small rigid pieces (which are themselves 3D printed) to act as latches or stoppers. There are plenty of examples, so give them a peek and see if you get any ideas.

We recently saw a breakdown of what does (and doesn’t) stick to what when it comes to 3D printing, which seems worth keeping in mind if one wishes to do some of their own thick-panel experiments. Being able to produce a multi-material object as a single piece highlights the potential for 3D printing to create complex and functional structures that don’t need separate assembly. Especially since printing a flat structure that can transform into a 3D shape is significantly more efficient than printing the finished 3D shape.

hackaday.com/2024/12/13/origam…

La falla in WPForms, un plugin per WordPress, permette il rimborso di Stripe su milioni di siti realizzati con il Cms. Si tratta di un vettore di attacco privilegiato per campagne massive. Come mitigare il rischio

L'articolo WPForms, una falla compromette la sicurezza del plug-in per WordPress: come proteggersi proviene da Cyber Security 360.

Le forze dell’ordine di 15 paesi hanno smantellato 27 piattaforme di DDoS a pagamento, note come “booters” o “stressers”, arrestando gli amministratori e identificando un ingente numero di clienti utilizzatori

L'articolo Operazione PowerOFF, smantellate 27 piattaforme DDoS: un duro colpo per il cybercrime proviene da Cyber Security 360.

Dati i cambiamenti fondamentali del panorama delle minacce degli ultimi anni, è necessario adattare approcci, modelli e framework tradizionali di cyber security. Quasi giunti alla fine del 2024 possiamo analizzare come si è evoluto il panorama delle minacce per anticipare le attività dei criinali informatici

L'articolo Evoluzione del panorama delle cyber minacce: cosa abbiamo imparato nel 2024 proviene da Cyber Security 360.

La Cina risponde a Starlink con il lancio del terzo lotto di satelliti Qianfan. Una corsa alle mega-costellazioni che va oltre l’innovazione tecnica: si tratta di una competizione per il controllo delle comunicazioni globali, con implicazioni profonde per l’economia, la sicurezza e la politica internazionale. Quali scenari

L'articolo Qianfan, la Cina risponde a Starlink: nuovi equilibri nel controllo delle infrastrutture spaziali proviene da Cyber Security 360.

La difesa contro le minacce AI-driven è una necessità imprescindibile per garantire la continuità operativa e la reputazione del brand. Le aziende devono agire con decisione e rapidità adottando soluzioni basate sull'AI. Allo stesso tempo, la formazione dei dipendenti rappresenta un ulteriore livello di protezione. Perché essere preparati significa sopravvivere

L'articolo Cyber threat e intelligenza artificiale: le aziende italiane sono pronte alla sfida? proviene da Cyber Security 360.

Microsoft ha rilasciato il consueto Patch Tuesday del mese di dicembre 2024 contenente gli aggiornamenti per 71 vulnerabilità identificate nel sistema operativo e nelle applicazioni correlate. Tra queste, anche una zero-day già attivamente sfruttata. Ecco come mettere in sicurezza i nostri sistemi

L'articolo Aggiornamenti Microsoft dicembre 2024, corretta una zero-day: aggiorniamo i sistemi proviene da Cyber Security 360.

Budget, competitività, reputazione: gli impatti economici della cybersecurity rappresentano una leva per il business di imprese di ogni dimensione e PA: vediamo come

L'articolo Cybersecurity, gli impatti economici: perché è leva di crescita proviene da Cyber Security 360.

L’FBI ha diramato un comunicato per sensibilizzare cittadini, imprese e organizzazioni contro le truffe ordite facendo ricorso alle Intelligenze artificiali (IA). Ma è davvero possibile resistere ad attacchi così ben congeniati e potenzialmente infiniti? Il parere dell’esperto

L'articolo L’FBI invita ad alzare la guardia contro le frodi fatte con le IA: ecco come difendersi proviene da Cyber Security 360.

Senza innovazione non esiste crescita esattamente come senza ricerca non esiste sviluppo. Per farlo servono competenze specialistiche e metodologiche in campi diversi. Perché senza adattamento e cambiamento il rischio è una progressiva estinzione del nostro modello sociale. Parola di Mario Draghi.

L'articolo La formazione come motore di crescita. È una sfida per esistere proviene da Cyber Security 360.

Eseguendo il browser in un ambiente sandbox separato ospitato nel cloud, in una macchina virtuale locale o in sede, le comunicazioni C2 segrete sono più difficili. Invece i codici QR aggirano l'isolamento del browser per effettuare comunicazione C2 malevola. Ecco come proteggersi

L'articolo I codici QR aggirano l’isolamento del browser: come mitigare il rischio proviene da Cyber Security 360.

Playing Star Wars Outlaws sparked an idea with [3DSage]: why not recreate the game’s wrist communicator as a functioning gadget? Inspired by the relatively simplistic design, he and his friend Ben set out to build their own device to take to Galaxy’s Edge in Disneyland. Armed with an arsenal of tools—3D printers, CNC machines, and soldering irons—he aimed to turn imagination into reality.

After ordering multiple walkie-talkies, they meticulously tested each one for audio quality, circuit board size, and compatibility with custom components. The ‘world’s tiniest walkie-talkie’ had potential but demanded creative modifications, including disassembling and resoldering components. They crafted their own circuit board and designed a 3D printed housing to fit both electronics and style. For the finishing touch, they weathered the device with paints and even glow-in-the-dark accents, making it authentic to the Star Wars universe. Even Chewbacca himself gave one a thumbs-up!

Weathering goes a long way towards creating a convincing prop — it can turn a bundle of pipes and some foam blocks into a movie-ready WWII machine gun.

youtube.com/embed/Jv44pDHvL1Y?…

hackaday.com/2024/12/13/walkie…

‘Tis the season for holiday hacks, and [Ben Emmett] is here to remind us that we don’t necessarily need a fancy microcontroller in order to make flashy fun things happen.
Smoothing down the copper traces with a guitar pick.
Take this Christmas tree for example, which uses a 555 timer and a CB4017 decade counter in order to drive some blinking LEDs. The ICs are through-hole, making the circuit fairly accessible to new players, but there are a few SMD components that need soldering as well. (More on that later.)

Here, the 555 acts like a clock and drives a square wave. Using the clock as input, the decade counter toggles the output pins one after the other, driving the LEDs to blink in turn. Since there are only eight lights, there is a pause in the light-up pattern, but that could be fixed by wiring decade counter output #9 to the reset pin.

Although function was the main focus circuit-wise, [Ben] managed to lay the traces in the shape of a Christmas tree, which looks great. Having done a similar project in the past, he discovered that the craft cutting machine prefers thick traces and wider spaces between them. This is largely why [Ben] chose to use through-hole ICs.

After laying everything out in KiCad, [Ben] exported the copper layer image for use on the cutting machine. Once it was all cut out, he put it on transfer tape to weed out the extra copper, and get the traces onto cardstock, the final substrate.

This is such a fun project, and we love that the CR2032 that powers it also acts as the stand in its vertical holder. Hit up GitHub if you want to make one for yourself. Want something even more 3D? Check out this hollow tree we saw a few years ago.

hackaday.com/2024/12/13/flashy…

We all carry touch screen computers around in our pockets these days, but before the smartphone revolution, there was the personal digital assistant (PDA). While it wasn’t a commercial success, one of the first devices in this category was the Apple Newton. Today they’re sought after by collectors, although most of the ones surviving to this day need a bit of rework to the battery pack. Luckily, as [Robert’s Retro] shows, it’s possible to rebuild the pack with modern cells.

By modern standards, the most surprising thing about these battery packs is both that they’re removable and that they’re a standard size, matching that of AA batteries. The Newton battery pack uses four cells, so replacing them with modern rechargeable AA batteries should be pretty straightforward, provided they can be accessed. This isn’t as easy, though. In true Apple fashion the case is glued shut, and prying it apart can damage it badly enough so it won’t fit back in the tablet after repair is complete. The current solution is to cut a hatch into the top instead and then slowly work on replacing the cells while being careful to preserve the electronics inside.

[Robert’s Retro] also demonstrates how to spot weld these new AA batteries together to prepare them for their new home in the Newton case. With the two rows fastened together with nickel strips they can be quickly attached to the existing electrical leads in the battery pack, and from there it’s just a matter of snapping the batteries into the case and sliding it back into the tablet. If you’re looking for something a bit more modern, though, we’d recommend this Apple tablet-laptop combo, but it’s not particularly easy on the wallet.

youtube.com/embed/wfXbp1AO4tk?…

hackaday.com/2024/12/13/apple-…

This week on the big 300th episode, Hackaday’s Elliot Williams and Kristina Panos teamed up to bring you the latest news, mystery sound, and of course, a big bunch of hacks from the previous week. So basically, business as usual.

First up in the news: it’s time for the Hackaday Europe 2025 call for proposals! Do you have a tale of hardware, firmware, or software that must be shared with the Hackaday crowd? Then this is your chance to regale us with a 20- or 40-minute talk. You know we love to hear new voices, so be sure to consider proposing a talk.

On What’s That Sound, it’s a results show week. Congratulations to [Kelvin] who was one of many that correctly identified it as the Wii startup sound. Kristina will just be over here with her Pikachu64 with the light-up cheeks.

Then it’s on to the hacks and such beginning with a rather nice reverse-engineering of the PS1, which surprisingly did it with a two-sided board. Then it’s on to a smartphone home server, magic eye images in a spreadsheet, and the math behind the music of 80s. Finally, we talk about disc cameras, the hovercraft revolution, and a whole mess of keyboards.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download in DRM-free MP3 and savor at your leisure.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 300 Show Notes:

News:

• 2025 Hackaday Europe CFP: We Want You!

What’s that Sound?

• Congratulations to [Kelvin]! It was the Wii menu background music.

Interesting Hacks of the Week:

• PlayStation Motherboard Sanded And Scanned, But There’s More To Do
  
  • Deconstructing PCBs
  • Remoticon Video: How To Reverse Engineer A PCB

  
  

• The Audiophile Carrot
  
  • Reddit – Dive into anything

  
  

• Smartphone Runs Home Server
  
  • I “Solved” Samsungs Swelling Battery Problem! (Batteryless Phone) – YouTube
  • Want Octoprint But Lack A Raspberry Pi? Use An Old Android Phone

  
  

• Magic Eye Images In Your Spreadsheet
• Amateur Radio Operators Detect Signals From Voyager 1
  
  • Moon Bouncing And Radar Imaging With LoRa
  • Decoding JS1YMG: First Ham Radio Station On The Moon After SLIM Mission
  • Voyager-1 single dish detection at Allen Telescope Array – Daniel Estévez
  • Detecting Voyager 1 with the ATA

  
  

• Do 3D Printers Dream Of LEGO Sheep?
  
  • Watch The OpenScan DIY 3D Scanner In Action
  • Get Great 3D Scans With Open Photogrammetry
  • What To Expect From 3D Scanning, And How To Work With It

  
  

Quick Hacks:

• Elliot’s Picks:
  
  • The Math Behind The Music Of The 80s
  • Chaotic System Cooks Meat Evenly
  • Raspberry Pi 500 And The Case Of The Missing M.2 Slot

  
  

• Kristina’s Picks:
  
  • Updated Mouse Ring Does It With A Joystick
  • An Engineer’s Perspective On Baking Gingerbread Houses
  • Unexpectedly Interesting Payphone Gives Up Its Secrets

  
  

Can’t-Miss Articles:

• Disc Film,When Kodak Pushed Convenience Too Far
• The Hovercraft Revolution And Finding The Right Niche For A Technology
  
  • Lenses: From Fire Starters To Smart Phones And VR

  
  

• Keebin’ With Kristina: The One With The Funny Keyboard

hackaday.com/2024/12/13/hackad…

Two guys — Stern and Gerlach — did an experiment in 1922. They wanted to measure magnetism caused by electron orbits. At the time, they didn’t know about particles having angular momentum due to spin. So — as explained by [The Science Asylum] in the video below — they clearly showed quantum spin, they just didn’t know it and Physics didn’t catch on for many years.

The experiment was fairly simple. They heated a piece of silver foil to cause atoms to stream out through a tiny pinhole. The choice of silver was because it was a simple material that had a single electron in its outer shell. An external magnet then pulls silver atoms into a different position before it hits some film and that position depends on its magnetic field.

If electrons randomly flew around the nucleus like a cloud, you’d expect a cloudy line on the film. If the electrons had a fixed number of possible electron orbits, the film would show a series of points. In the end, the result was a big surprise — it was neither of the expected patterns. Instead, they got something shaped like the outline of some lips.

They realized that the horizontal deflection occurred even without the magnet, so what looked like two lines were really two points, and that implies that the electrons must be in one of two positions. However, the truth is more complicated.

In fact, Schrödinger’s equations appeared later and shed more light on how the electrons could orbit. It also seemed to imply that the earlier experiment should have been a single spot on the film. The answer turned out to be quantum spin.

According to the video, this was a lucky mistake. The experiment was perfect for measuring quantum spin, but it was unlikely that anyone would have thought to perform it for that purpose. By trying to prove one thing, they had actually proved another thing that no one understood yet. Science is strange and wonderful.

Spin is a big deal in many quantum computers. If you need a refresher on electron orbitals, it is a topic we cover periodically.

youtube.com/embed/vRI1fCOQ0GA?…

hackaday.com/2024/12/13/the-st…

Humans are well overdue for a technological revolution – not a profit-driven one like we’re having now, a human-centric one. Sci-fi is wonderful for having your brain run wild. Over the last century, we’ve had writers try and imagine what world would’ve had looked like if a new technology were to address different aspects of human condition, or, work to undercut us all in yet unseen ways, for a change.

Quite a few leading HaD projects have clear sci-fi inspiration, too, and same goes for a large number of Hackaday Prize entries. Over here, we live for fantasy made reality through skill, wit, and insights.

Ever got a sci-fi-esque dream that you’ve tried to implement with modern-day tech, only to fail because something fundamental was missing about how your phone/laptop/smartwatch functions? You’re not alone here, for sure – this describes a large chunk of my tech journey. In real life, you work with audience-tailored devices, the few fun usecases pre-cooked into the hardware-firmware blob.

Still, how much can you build on top of a consumer device? Alternative OSes that liberate you from the trend of enshittification, for instance, that one’s brilliant and a lifeline for preserving one’s sanity. Alternative platforms that bring a reprieve from a modern combative and ad-filled social media environment, sure. Still, feels limited

How about diary keeping? Personal diaries are really rad, aren’t they? Surely, that one’s a low-hanging fruit?

Betteridge’s Law Breaking

The first “hack on self”-like app I’ve ever built, was a parser/UI for our local public transport company schedules – letting me know when to run for a bus stop. I wanted to reduce resistance, and eventually, even integrate it into a portable device of some sort. I did bring that to a phone of mine, with help of Python SDK for Symbian S60, a wonderful if a little limited framework.

The next app of mine was a diary, encrypted with Blowfish, because that’s what I found a pure Python implementation of. I always tried keeping a diary, in a number of different paper forms, and I always failed in the end. The app though, it was fun, just secure enough to avoid relying on obscurity, and it worked great – for two weeks! It was pretty easy for me to forget about its existence, and every time I wanted to log something, I’d need to log in. Sounds easy? Yeah. In retrospect, I would’ve added a diary entry function before the decryption prompt, because even that small of a delay has backfired.

There’s a somberly fun saying, that with ADHD, a TODO list or a project can last at most two weeks. The diary is where I’ve really felt that one. Here I was, just having touched base with the dream of keeping a diary, and now it’s gone? How does that even work? How is it that I’m out of juice for it, somehow, why is it that opening the diary to make notes was fun two weeks ago, but is a chore today?

No worries, though, the sadness didn’t last long, I avoided learning too much in the moment, and immediately found something else to hack on. Every time I heard about journaling, keeping a diary, an archive, it felt fun, but also a fair bit more unreachable than before. I still wanted it, and, I’ve had my share of sadness to process through.

Or Did I?

Of course, if you’ve failed at building something, one way of processing the resulting sadness is to get distracted by other projects until you’re interested in the goal again, try and remember your mistakes, wait for the perfect conditions, and then build a new system that avoids those mistakes as you remember them.

Now, memories are fuzzy and malleable, so the “lessons from years ago” could be outright false, attention is hard to predict so it could take years to resume a project, and you’d want to reach for some actual insights, but whoops, you’d want some sort of diary to look back at, the whole thing is a chicken-and-egg problem yet again.

We don’t let that get in the way – we just build new stuff, and on average, it magically turns out to be better, because we’re building it differently this time. Really, just how many times can you try the same thing and fail? This time, it will be different! Seriously, it’s been days/months/years, how could it be the same? Keep pulling the lever of one-armed bandit that is project enthusiasm, see if you win the lottery and transform an aspect of your life for the better.

By that point, I had a few points of change filed away. I wanted some sort of daily notifications that’d motivate me to stick with it longer than two weeks, for sure. I also wanted to reduce resistance towards making entries – no more passphrase entry before logging, no more need for decryption. At the time, I spent 24/7 with my laptop on me, so that’s a low-resistance platform’s sorted out. I make it an Alt-Tab away, add regular notifications, should be easy this time.

Tale Of Two Scripts

I recalled one thing – the diary logs were accessible as long as I could remember the password, sure, and at the same time, I was rarely interested in re-reading them. Things changed, because I got a new question, trying to piece together a narrative about myself. How’d my days actually go? Could I draw trends of happiness, productivity, energy, excitement?

This time, I wrote a couple commandline apps with very simple text interfaces. The very first one, poc_1.py for proof-of-concept 1, used a non-dismissable notification service to poke me once every 24 hours, every morning, asking a very simple question – “how do you feel?”. Wake up, alt-tab into the commandline window, write in how I’m feeling as a baseline, then get up and go about my day.

Really, I wanted my computer to care about me, because it felt like the only entity that possibly would and really could, even, had the energy to. It can be hard to untangle a brain’s inner workings, even though stars know we all try, and my country isn’t known for having quality therapists that are easy to find. So, my computer it is – non-judgmental by nature, giving me space to talk, space of the kind I lacked everywhere else.

The next two poc_N.py scripts were about logging achievements and problems respectively, into the same logfile used by the poc_1.py. 10 minutes after I wrote both of them, I realized that they were a carbon copy of each other, and united them into poc_4.py – a script tailored for me to quickly log any sort of event into a commandline window at a whim.

The aim was very simple – let a stream of thoughts flow as quickly as possible. Type up your thoughts or an event, enter, type another, enter. One letter in the beginning to indicate event type, for rudimentary categorization – the script will remind you if you forget to input it, too. Primarily, I wanted to use it to log my day-to-day achievements and problems alike, but also general thoughts and feelings I wanted to let out.

"day_reflection": "it's been productive. Currently, I feel indifferent, to be honest. [...]"}

What Happened?

Two scripts, one asks me every morning how I’m feeling, and another is a place I can put any sorts of thoughts at any point. I wanted to – how my day went, and how I feel about the previous day. It was also pretty easy to read through the logs, or parse them – my “linebreak-separated json” strategy remains undefeated.

Every morning, I would wake up, look at my laptop, see a notification, and alt-tab the console window to talk about how I feel first thing in the morning. While writing my feedback, I could look to the side and see the achievements/problems/thoughts of the previous day. It was nice – and it’s still nice to use, even though I’ve definitely had gaps in its use. It wasn’t the nicest part about it!

I realized that my feelings about the previous day had nothing to do with the previous day. Instead, it was defined by how I feel in the morning. My feelings were about how well I slept, what I ate, my dreams in the night, the first thought that came into my mind when I woke up, the last open window on my laptop. My feelings about yesterday were defined by anything except what I actually did yesterday.

It was sobering to be reminded how much my assessments and decisions are influenced by my feelings and state in the moment, rather than a recollection of facts and a weighted assessment of them. A year or two later, I saw this fact in a Twitter thread, described as a piece of common knowledge about life logging as a practice. I don’t think I’ve ever bookmarked it, and, I’m yet to track that thread down again.

Before, I used to put a lot of stock into the feeling of “how my last few days went”. Now, I keep it firmly in mind that I need strong references to make such conclusions. I still have big, months-long gaps in using the diary script, but I have not given up on it, or the idea – it’s not the only insight I’ve gotten from it.

Self: Hacked

So, that was a quick and fruitful finding – we take those. Collecting more data has proven to be helpful yet again, and so has building low-interaction-resistance context-aware systems. What else… a system that taps into feelings, might give you insights you couldn’t even hope for – it’s not like most of us get a solid toolkit to navigate or analyze our feelings day-by-day. Still a few problems left to solve and tricks to try out, and it’s all pretty exciting.

How can I make my diary keeping more consistent? Voice logging option for the days when text’s not as accessible? Building the diary system into multiple places at once, always having new aspects to switch to when one gets boring? Dynamic reminders that catch me exactly when I have some free time to write? More helpful event logging? Those are just a few of the directions I’m pursuing at once.

In the meantime, hacking continues. You’ll see more concepts, new findings, and even some lovely hardware – especially given that a couple other hackers have joined the fight.

hackaday.com/2024/12/13/hack-o…

Who wouldn’t want to have a scanning electron microscope (SEM)? If you’re the person behind the ProjectsInFlight channel on YouTube, you certainly do. In a recent video it’s explained how he got his mittens on a late 1980s, early 1990s era JEOL JSM-5200 SEM that was going to be scrapped. This absolute unit of a system comes with everything that’s needed to do the imaging, processing and displaying on the small CRT. The only problem with it was that it was defective, deemed irreparable and hence the reason why it was headed to the scrap. Could it still be revived against all odds?
The JEOL JSM-5200 SEM after being revived and happily scanning away. (Credit: ProjectsInFlight, YouTube)
The good news was that the unit came with the manual and schematics, and it turns out there’s an online SEM community of enthusiasts who are more than happy to help each other out. One of these even had his own JSM-5200 which helped with comparing the two units when something wasn’t working. Being an SEM, the sample has to be placed in a high vacuum, which takes a diffusion vacuum pump, which itself requires a second vacuum pump, all of which requires voltages and electronics before even getting to the amplification circuitry.

Since the first problem was that this salvaged unit wasn’t turning on, it started with the power supply and a blown fuse. This led to a shorted transformer, bad DC-DC converters, a broken vacuum pump, expired rubber hoses and seals, and so on, much of which can be attributed simply to the age of the machine. Finding direct replacements was often simply impossible to very expensive, necessitating creative solutions along with significant TLC.

Although there are still some small issues with for example the CRT due to possibly bad capacitors, overall the SEM seems to be in working condition now, which is amazing for a unit that was going to be trashed.

Thanks to [Hans] for the tip.

youtube.com/embed/Kqx9blbYDB0?…

hackaday.com/2024/12/13/saving…

Sono state scoperte vulnerabilità nei sistemi multimediali delle auto Skoda che consentono il controllo remoto delle funzioni dell’auto e il monitoraggio della loro posizione in tempo reale. PCAutomotive lo ha annunciato alla conferenza Black Hat Europe.

La ricerca ha identificato 12 nuovi bug che interessano la Skoda Superb III (3V3) – 2.0 TDI rilasciata nel 2022. Skoda è un marchio di proprietà del colosso automobilistico tedesco Volkswagen.

PCAutomotive ha spiegato che le vulnerabilità potrebbero essere utilizzate in combinazione per introdurre malware nel sistema di un veicolo. Per fare ciò, gli hacker criminali devono connettersi al sistema multimediale Skoda Superb III tramite Bluetooth. L’aggressore dovrà essere nelle vicinanze del veicolo, fino ad un massimo di 10 metri dall’auto.

Le vulnerabilità che colpiscono il sistema MIB3 potrebbero consentire l’esecuzione di codice arbitrario ogni volta che il dispositivo viene avviato. Ciò apre la possibilità di ottenere dati sulla posizione del veicolo tramite GPS, velocità di guida, registrare conversazioni tramite il microfono integrato, acquisire schermate dallo schermo del sistema multimediale e anche riprodurre eventuali suoni nell’abitacolo.

Anche i dati di contatto sincronizzati del proprietario dell’auto potrebbero essere rubati. A differenza dei database telefonici sicuri, le informazioni di contatto nel sistema di archiviazione MIB3 sono archiviate in testo non crittografato, rendendone più facile il furto. Tuttavia, nonostante la gravità della minaccia, i ricercatori non hanno trovato vulnerabilità che consentissero l’accesso ai sistemi critici di controllo del veicolo come sterzo, freni e acceleratore.

Secondo PCAutomotive, le unità MIB3 vulnerabili vengono utilizzate in vari modelli Volkswagen e Skoda e la società stima che potrebbero esserci più di 1,4 milioni di veicoli di questo tipo nel mondo. Allo stesso tempo, gli esperti osservano che il numero effettivo di auto a rischio potrebbe essere molto più elevato se si tiene conto del mercato secondario. Quindi, su piattaforme come eBay puoi trovare sistemi multimediali con contatti già sincronizzati, se il precedente proprietario non li ha cancellati.

PCAutomotive ha segnalato il risultato a Volkswagen e la società ha rilasciato aggiornamenti di sicurezza per risolvere i difetti. Un rappresentante Skoda ha osservato che durante l’intero periodo di utilizzo dei veicoli non sono stati registrati rischi per la sicurezza dei clienti o dei loro veicoli.

L'articolo Bug nel Sistema Multimediale di Skoda: Rischi per 1,4 Milioni di Veicoli! proviene da il blog della sicurezza informatica.

Microsoft’s Recall feature is back. You may remember our coverage of the new AI feature back in June, but for the uninitiated, it was a creepy security trainwreck. The idea is that Windows will take screenshots of whatever is on the screen every few seconds, and use AI to index the screenshots for easier searching. The only real security win at the time was that Microsoft managed to do all the processing on the local machine, instead of uploading them to the cloud. All the images and index data was available unencrypted on the hard drive, and there weren’t any protections for sensitive data.

Things are admittedly better now, but not perfect. The recall screenshots and database is no longer trivially opened by any user on the machine, and Windows prompts the user to set up and authenticate with Windows Hello before using Recall. [Avram] from Tom’s Hardware did some interesting testing on the sensitive information filter, and found that it worked… sometimes.

So, with the public preview of Recall, is it still creepy? Yes. Is it still a security trainwreck? It appears that the security issues are much improved. Time will tell if a researcher discovers a way to decrypt the Recall data outside of the Recall app.

Patch Tuesday

Since we’re talking about Microsoft, this week was Patch Tuesday, and we had seventy-one separate vulnerabilities fixed, with one of those being a zero-day that was used in real-world attacks. CVE-2024-49138 doesn’t seem to have a lot of information published yet. We know it’s a Heap-based Buffer Overflow in the Common Log File driver, and allows an escalation of privilege to SYSTEM on Windows machines.

BadRAM

One of the most interesting frontiers in computing right now is trying to give cloud computing actual security. AMD has approached this problem with SEV-SNP, Secure Encrypted Virtualization/Secure Nested Paging, among other approaches. But today we have a very clever hardware attack that can defeat SEV-SNP: BadRAM.

The key here is the DIMM memory specification’s SPD, Serial Presence Detect. That’s a simple protocol that uses SMBus, an I2C protocol, to pull information from a memory module. How does your desktop know that those are 4 GB modules? And how does it know the right timings to actually boot successfully? SPD provides that data. BadRAM asks the rather simple question, what happens if you overwrite a module’s SPD chip?

When you convince SPD to lie, and report a memory module that’s larger than it really is, you get a sort of shadow memory. Put simply, multiple memory addresses refer to the same physical bits. That should set your security alarm bells to sounding. This defeats most memory protection schemes, and allows overriding SEV-SNP, by just over-writing the security hashes after they’ve been calculated. AMD has released updated firmware that actively checks for aliasing addresses, defeating the attack.

When rnd is Hard

Getting good random bits is hard. There is the obvious problem, that computers are deterministic, and can’t actually generate randomness without dedicated hardware for the purpose. Beyond that, different languages and platforms have different quirks. Many of those languages have a pseudorandom function, that can produce a good approximation of random numbers. The catch is that those numbers are entirely deterministic, and to be anything close to usable as a safe source of randomness, the pseudorandom function must be seeded with a truly non-deterministic number.

Which is why it’s particularly bad to accidentally hard-code the seed into a platform. And yes, that’s exactly what the Web assembly platform for Dart did until surprisingly recently. This did result in an easy-to-guess websocket port/key/password combination that could result in the takeover of a Dart application from another visited website. And that’s not all, follow the link above to find two other similar stories in the Dart/Flutter world.

OpenWRT and sha256 collisions

The OpenWRT project had a bit of a security scare late last week. It turns out that the attended sysupgrade service actually triggers custom firmware builds on the OpenWRT servers. And it’s possible to run arbitrary code insode that build process. That’s not as bad as it sounds, as the project works very hard to isolate each of those builds inside podman containers. There was another problem, where build artifacts were tracked using a partial SHA256 hash. The full 64 characters of a SHA256 hash is enough to be secure, particularly in this case — but reducing that to twelve characters is not.

[RyotaK] actually did the work, using hashcat to find a hash collision, resulting in the server serving a tampered firmware image in place of the correct one. The find was reported, and the sysupgrade build server was temporarily taken offline, and a fix rolled out. The OpenWRT project put out a statement, acknowledging the issue, and pointing out that there are insufficient logs to determine whether this vulnerability chain has ever actually been used. And so out of an abundance of caution, users of the sysupgrade server should trigger an in place upgrade to completely rule out the possibility of running a compromised image.

Bits and Bytes

Facebook Messenger on iOS had an issue, where a member of group calls could crash the app for all members of the call, simply by sending an invalid emote to the group. Sure puts the angry face in context. It’s fixed now, appears to be strictly limited to the denial of service crash, and there’s a decent walkthrough of the problem at the link.

Maxwell Dulin, AKA [Striꓘeout], has now worked on both sides of the security coin. He’s both been the security researcher, and now is on the security team at a company. This puts him in a particularly good position to comment on why it takes so long to fix a given bug. And not to give it away, but some of the reasons are better than others.

And finally, how not to fall for a crypto scam. In this case, it was a Telegram group, that was hawking a fake new token. The scam was rather impressive, with faked reviews from Certik and TechRate, and legitimate looking smart contracts. But like most deals that seem to good to be true, this was a rugpull, where criminal con artists convinced a few investors to put money into the scheme, only to take the money and run. Stay frosty out there!

hackaday.com/2024/12/13/this-w…

Gli analisti di Lookout hanno scoperto uno spyware precedentemente sconosciuto per Android chiamato EagleMsgSpy. Si ritiene che venga utilizzato dalle forze dell’ordine cinesi e dalle agenzie governative per monitorare i dispositivi mobili.

I ricercatori ritengono che lo spyware sia stato sviluppato da una società cinese, Wuhan Chinasoft Token Information Technology Co., Ltd. (noto anche come uhan Zhongruan Tongzheng Information Technology Co., Ltd e Wuhan ZRTZ Information Technology Co, Ltd.) ed è in uso almeno dal 2017.

Inoltre, i primi artefatti associati a EagleMsgSpy sono stati caricati su VirusTotal solo il 25 settembre 2024.

EagleMsgSpy: Non solo la NSO Group

Come sempre abbiamo detto, la NSO Group, leader nella produzione di spyware di controllo remoto, non è l’unica a sviluppare malware avanzati di spionaggio.

Nel loro rapporto, gli investigatori forniscono numerose prove che collegano EagleMsgSpy ai suoi sviluppatori e operatori, inclusi indirizzi IP associati a server di controllo, domini, collegamenti diretti nella documentazione interna, nonché contratti pubblici e dati OSINT raccolti.

Ad esempio, il dominio utilizzato da Wuhan Chinasoft Token Information Technology per ospitare materiale pubblicitario (tzsafe[.]com) appare anche nel codice EagleMsgSpy e la documentazione del malware menziona direttamente il nome dell’azienda stessa.

Inoltre, gli screenshot esaminati dei dispositivi di prova dal pannello amministrativo di EagleMsgSpy corrispondono all’ubicazione dell’ufficio dell’azienda a Wuhan. È da notare che nella documentazione interna e nell’infrastruttura degli sviluppatori di spyware sono stati trovati indizi dell’esistenza di una versione iOS di EagleMsgSpy, ma i ricercatori non hanno ancora a disposizione un campione per i dispositivi Apple.

Gli stessi sviluppatori descrivono EagleMsgSpy come un “prodotto completo per il monitoraggio legale dei dispositivi mobili” in grado di raccogliere “informazioni dai telefoni cellulari dei sospettati in tempo reale, attraverso il monitoraggio della rete all’insaputa del sospettato, tracciando tutte le azioni del criminale con i telefoni cellulari e riassumendoli”.

Lookout ritiene che le forze dell’ordine installino manualmente EagleMsgSpy sui dispositivi mirati quando hanno accesso fisico ai dispositivi sbloccati. È probabile che ciò accada durante la confisca dei dispositivi, ad esempio durante gli arresti.
Programma di installazione di EagleMsgSpy

Spionaggio a 360 gradi

Poiché non è stato possibile trovare l’installer APK nel Google Play Store o negli app store di terzi, si ritiene che lo spyware sia distribuito da un numero molto limitato di operatori.

Uno studio su diversi campioni di spyware ha mostrato che gli sviluppatori stanno attivamente migliorando l’offuscamento e la crittografia del codice (ad esempio, utilizzando l’apkToolPlus open source), ovvero EagleMsgSpy è chiaramente in fase di sviluppo attivo.

Una volta installato sul dispositivo di destinazione, EagleMsgSpy mostra la seguente attività:

• ruba messaggi dai servizi di messaggistica istantanea (inclusi QQ, Telegram, Viber, WhatsApp, WeChat e così via);
• registra ciò che accade sullo schermo utilizzando l’API Media Projection, acquisisce screenshot e registra l’audio;
• recupera i registri delle chiamate, l’elenco dei contatti e i messaggi SMS;
• riceve dati sulla posizione (GPS), attività di rete, applicazioni installate;
• ruba segnalibri dai browser e file da dispositivi di archiviazione esterni.

Tutti i dati raccolti vengono temporaneamente archiviati in una directory nascosta, crittografati, compressi e quindi trasferiti ai server di controllo.

Un Pannello di amministrazione completo

Il pannello di amministrazione del malware si chiama “Stability Maintenance Judgment System”. Consente agli operatori remoti di avviare azioni in tempo reale come la registrazione dell’audio, la visualizzazione della distribuzione geografica dei contatti di una vittima e il monitoraggio dei messaggi.

Per quanto riguarda gli operatori di spyware, Lookout afferma che i server di controllo di EagleMsgSpy sono associati ai domini dell’Ufficio di pubblica sicurezza, come le filiali di Yantai e Zhifu.

Il rapporto rileva inoltre che gli specialisti di Lookout sono stati in grado di identificare due indirizzi IP associati ai certificati SSL dei server di controllo EagleMsgSpy (202.107.80[.]34 e 119.36.193[.]210). Questi indirizzi sono stati precedentemente utilizzati da altri strumenti di spionaggio provenienti dalla Cina, tra cui PluginPhantom e CarbonSteal.

L'articolo Cina Leader Nei Malware! EagleMsgSpy: lo Spyware che compete con Pegasus proviene da il blog della sicurezza informatica.

Autori: Luca Stivali e Francesco De Marcus del gruppo DarkLab

Le nostre fonti di Threat Inteligence purtroppo sono confermate. Alle ore 7:10 di oggi, nei canali underground da noi monitorati, è apparso un messaggio che annunciava un’altra ondata di attacchi DDoS ai danni di target italiani.

Il gruppo di attivisti filorussi NoName057 sta conducendo, per il secondo giorno consecutivo, attacchi di Distributed Denial Of Of Service (DDoS) contro istituzioni pubbliche e private italiane.

Dopo gli attacchi di ieri che hanno colpito i siti dei principali porti italiani (Trieste e Taranto), il sito della Guardia di Finanza e molti altri; oggi nel mirino risultano fra gli altri: Aereonautica Militare, Marina Militare, Banca BPER, Corte costituzionale, Ministero del Lavoro, Consiglio Superiore della Magistratura, Ministero delle Infrastrutture e molti altri.

Ecco la lista dei target:

• concorsi.gdf.gov.it
• openpnrr.it
• www.acqualatina.it
• acamir.regione.campania.it
• www.agenziatplbergamo.it
• www.mimit.gov.it
• www.mediobanca.com
• www.uni.com
• www.aeronautica.difesa.it
• www.bper.it
• sso.csm.it
• www.cortecostituzionale.it
• www.lavoro.gov.it
• www.mit.gov.it
• www.csm.it
• www.popso.it
• www.fingenia.it
• www.marina.difesa.it
• www.ctmcagliari.it

Al momento della stesura dell’articolo (13 dicembre ore 9:39) i target risultano effettivamente non raggiungibili.

Attacchi DDoS e NIS2

Come già ampiamente discusso nei nostri precedenti articoli un attacco DDos (Distributed Denial of Service) è una tipologia di attacco mirato a sovraccaricare un sito web, un server o una rete con una quantità eccessiva di traffico che arriva da una rete di computer compromessi (noti anche come reti zombie) che rendono difficilmente individuabile il traffico malevolo da quello genuino.

Nell’ultimo rapporto CLUSIT del 2024 si evidenzia che i criminali prediligono due tipologie di attacchi, i Malware e i DDos i quali rappresentano rispettivamente il 32,6 e il 30,3 degli incidenti segnalati. Pertanto, come soleva dire Antonio Lubrano, “la domanda ci sorge spontanea”.

Vista la caratura delle realtà colpite in questi giorni, che peraltro avrebbero dovuto già implementare la NIS1, quanto manca ancora al sistema Italia per essere compliance con la nuova NIS2?

La domanda che ci poniamo vuole essere assolutamente provocatoria, stuzzicante e riflessiva. Le scadenze purtroppo hanno spesso valore per il mero adeguamento formale ma, in questo caso, sono strumentali e funzionali alla sicurezza paese e quindi di necessaria implementazione.

L'articolo Secondo giorno di attacchi DDoS da parte di NoName057 ai danni di istituzioni e banche proviene da il blog della sicurezza informatica.

In our high school chemistry classes we all learn about chirality, the property of organic molecules in which two chemically identical molecules can have different structures that are mirror images of each other. This can lead to their exhibiting different properties, and one aspect of chirality is causing significant concerns in the field of synthetic biology. The prospect of so-called mirror organisms is leading to calls from a group of prominent scientists for research in the field to be curtailed due to the risks they would present.

Chirality is baked into all life; our DNA is formed of right-handed molecules while our proteins are left handed. The “mirror” organisms would reverse either or both of these, and could in theory be used to improve biochemical production processes. The concern is that these organisms would evade both the immune systems of all natural life forms, and any human defences such as antibiotics, thus posing an existential risk to life. It’s estimated that the capacity to produce such a life form lies more than a decade away, and the scientists wish to forestall that by starting the conversation early. They are calling for a halt to research likely to result in these organisms, and a commitment from funding bodies not to support such research.

Warnings of the dangers from scientific advances are as old as science itself, and it’s safe to say that many such prophecies have come from dubious sources and proved not to have a basis in fact. But this one, given the body of opinion behind it, is perhaps one that should be heeded.

Header: Original: Unknown Vector: — πϵρήλιο, Public domain.

hackaday.com/2024/12/13/chiral…