Il 10 dicembre 2024, Microsoft ha divulgato una vulnerabilità critica nel protocollo Windows Lightweight Directory Access Protocol (LDAP), identificata come CVE-2024-49113. Questa falla consente a un attaccante remoto non autenticato di causare un’interruzione del servizio (Denial of Service, DoS) sui server Windows non aggiornati, compromettendo la stabilità e la sicurezza delle reti aziendali.

Il protocollo LDAP è fondamentale per l’accesso e la gestione delle informazioni nei servizi di directory, in particolare all’interno di ambienti Active Directory di Microsoft. Una vulnerabilità in questo componente può avere ripercussioni significative sulla sicurezza delle infrastrutture IT aziendali.

Il 1º gennaio 2025, SafeBreach Labs ha pubblicato un exploit proof-of-concept (PoC) denominato “LDAPNightmare”, che dimostra come sfruttare CVE-2024-49113 per causare il crash di server Windows non aggiornati. Questo exploit, disponibile pubblicamente, evidenzia la gravità della vulnerabilità e l’urgenza di applicare le patch di sicurezza rilasciate da Microsoft.

Il PoC sviluppato da SafeBreach Labs interagisce con il protocollo Netlogon Remote Protocol (NRPC) e il client LDAP di Windows per sfruttare la vulnerabilità, causando un’interruzione del servizio sul server target. Questo tipo di attacco può essere eseguito da remoto senza necessità di autenticazione, aumentando il rischio per le organizzazioni che non hanno ancora applicato gli aggiornamenti di sicurezza.

Microsoft ha assegnato a CVE-2024-49113 un punteggio di gravità CVSS di 4.0, indicando un livello di rischio moderato. Tuttavia, la disponibilità di un exploit pubblico aumenta la probabilità che la vulnerabilità venga sfruttata in attacchi reali, rendendo fondamentale l’implementazione tempestiva delle patch di sicurezza.

Per proteggere le infrastrutture IT da potenziali attacchi che sfruttano CVE-2024-49113, è essenziale che le organizzazioni applichino immediatamente gli aggiornamenti di sicurezza forniti da Microsoft. Inoltre, è consigliabile monitorare attentamente i sistemi per rilevare eventuali attività sospette e adottare misure proattive per rafforzare la sicurezza delle reti aziendali.

L'articolo LDAPNightmare: L’Exploit è in rete per la vulnerabilità critica di Microsoft Windows proviene da il blog della sicurezza informatica.

The miniature Christmas village is a tradition in many families — a tiny idyllic world filled happy people, shops, and of course, snow. It’s common to see various miniature buildings for sale around the holidays just for this purpose, and since LEDs are small and cheap, they’ll almost always have some switch on the bottom to light up the windows.

This year, [Braden Sunwold] and his wife started their own village with an eye towards making it a family tradition. But to his surprise, the scale lamp posts they bought to dot along their snowy main street were hollow and didn’t actually light up. Seeing it was up to him to save Christmas, [Braden] got to work adding LEDs to the otherwise inert lamps.

Now in a pinch, this project could have been done with nothing more than some coin cells and a suitably sized LED. But seeing as the lamp posts were clearly designed in the Victorian style, [Braden] felt they should softly flicker to mimic a burning gas flame. Blinking would be way too harsh, and in his own words, look more like a Halloween decoration.

This could have been an excuse to drag out a microcontroller. But instead, [Braden] did as any good little Hackaday reader should do, and called on Old Saint 555 to save Christmas. After doing some research, he determined that a trio of 555s rigged as relaxation oscillators could be used to produce quasi-random triangle waves. When fed into a transistor controlling the LED, the result would be a random flickering instead of a more aggressive strobe effect. It took a little tweaking of values, but eventually he got it locked down and sent away to have custom PCBs made of the circuit.

With the flicker driver done, the rest of the project was pretty simple. Since the lamp posts were already hollow, feeding the LEDs up into them was easy enough. The electronics went into a 3D printed base, and we particularly liked the magnetic connectors [Braden] used so that the lamps could easily be taken off the base when it was time to pack the village away.

We can’t wait to see what new tricks [Braden] uses to bring the village alive for Christmas 2025. Perhaps the building lighting could do with a bit of automation?

youtube.com/embed/SH6hXkraL7c?…

hackaday.com/2025/01/02/555-ti…

The art of writing has become a cluttered one to follow, typically these days through a graphical word processor. There may be a virtual page in front of you, but it’s encumbered by much UI annoyance. To combat this a variety of distraction free software and appliances have been created over the years.

But it’s perhaps [Liam Proven]’s one we like the most — it’s a bootable 16-bit DOS environment with a selection of simple text and office packages on board. No worries about being distracted by social media when you don’t even have networking.

The zip file, in the releases section of the repository, is based upon SvarDOS, and comes with some software we well remember from back in the day. There’s MS Word 5.5 for DOS, in the public domain since it was released as a Y2K fix, Arnor Protext, and the venerable AsEasyAs spreadsheet alongside a few we’re less familiar with. He makes the point that a machine with a BIOS is required, but those of you unwilling to enable BIOS emulation on a newer machine should be able to run it in a VM or an emulator. Perhaps it’s one to take on the road with us, and bang away in DOS alongside all the high-powered executives on the train with their fancy business projections.

We recently talked about SvarDOS, and it shouldn’t come as a surprise that our article linked to a piece [Liam] wrote for The Register.

hackaday.com/2025/01/02/the-ul…

Aside from their ability to operate fairly well in extreme temperatures, lead-acid batteries don’t have many benefits compared to more modern battery technology. They’re heavy, not particularly energy dense, have limited charge cycles, and often can’t be fully discharged without damage or greatly increased wear. With that in mind, one can imagine that a laptop that uses a battery like this would be not only extremely old but also limited by this technology. Of course, in the modern day we can do a lot to bring these retro machines up to modern standards like adding in some lithium batteries to this HP laptop.

Simply swapping the batteries in this computer won’t get the job done though, as lead-acid and lithium batteries need different circuitry in order to be safe while also getting the maximum amount of energy out. [CYUL] is using a cheap UPS module from AliExpress which comes with two 18650 cells to perform this conversion, although with a high likelihood of counterfeiting in this market, the 18650s were swapped out with two that were known to be from Samsung. The USB module also needs to be modified a bit to change the voltage output to match the needs of the HP-110Plus, and of course a modernized rebuild like this wouldn’t be complete without a USB-C port to function as the new power jack.

[CYUL] notes at the end of the build log that even without every hardware upgrade made to this computer (and ignoring its limited usefulness in the modern world) it has a limited shelf life as the BIOS won’t work past 2035. Hopefully with computers like this we’ll start seeing some firmware modifications as well that’ll let them work indefinitely into the future. For modern computers we’ll hope to avoid the similar 2038 problem by switching everything over to 64 bit systems and making other software updates as well.

hackaday.com/2025/01/02/a-mode…

Especially within the world of multi-threaded programming does atomic access become a crucial topic, as multiple execution contexts may seek to access the same memory locations at the same time. Yet the exact meaning of the word ‘atomic’ is also essential here, as there is in fact not just a single meaning of the word within the world of computer science. One type of atomic access refers merely to whether a single value can be written or read atomically (e.g. reading or writing a 32-bit integer on a 32-bit system versus a 16-bit system), whereas atomic operations are a whole other kettle of atomic fish.

Until quite recently very few programming languages offered direct support for the latter, whereas the former has been generally something that either Just Worked if you know the platform you are on, or could often be checked fairly trivially using the programming language’s platform support headers. For C and C++ atomic operations didn’t become supported by the language itself until C11 and C++11 respectively, previously requiring built-in functions provided by the toolchain (e.g. GCC intrinsics).

In the case of Ada there has been a reluctance among the language designers to add support for atomic operations to the language, with the (GNU) toolchain offering the same intrinsics as a fallback. With the Ada 2022 standard there is now direct support in the System.Atomic_Operations library, however.

Defining Atomic Operations

As mentioned earlier, the basic act of reading or writing can be atomic based on the underlying architecture. For example, if you are reading a 32-bit value on a fully 32-bit system (i.e. 32-bit registers and data bus), then this should complete in a single operation. In this case the 32-bit value read cannot suddenly have 8 or 16-bits on the end that were written during said reading action. Ergo it’s guaranteed to be atomic on this particular hardware platform. For Ada you can use the Atomic pragma to enforce this type of access. E.g.:
A : Unsigned_32 with Atomic;
A := 0;

A := A + 1;
-- This generates:
804969f: a1 04 95 05 08 mov 0x8059504,%eax
80496a4: 40 inc %eax
80496a5: a3 04 95 05 08 mov %eax,0x8059504
Now imagine performing a more complex operation, such as incrementing the value (a counter) even as another thread tries to use this value in a comparison. Although the first thread’s act of reading is atomic and writing the modified value back is atomic, this set of operations is not, resulting in a data race. There’s now a chance that the second thread will read the value before it is updated by the first, possibly causing the second thread to miss the update and requiring repeated polling. What if you could guarantee that this set of atomic operations was itself atomic?

The traditional way to accomplish this is through mutual exclusion mechanisms such as the common concept of mutexes. These do however come with a fair amount of overhead when contended due to the management of the (implementation-defined) mutex structures, the management of which uses the same atomic operations which we could directly use as well. As an example there are LOCK XADD (atomic fetch and add) and LOCK CMPXCHG (atomic compare and exchange) in the x86 ISA which a mutex implementation is likely to use, but which we’d like to use for a counter and comparison function in our own code too.

Reasons To Avoid

Obviously, having two or more threads compete for the same resources is generally speaking not a great idea and could indicate a flaw in the application’s architecture, especially in how it may break modularity. Within Ada an advocated approach has been to use protected objects and barriers within entries, which provides language-level synchronization between tasks. A barrier is defined using the when keyword, followed by the condition that has to evaluate to true before execution can continue.

From a more low-level programming perspective as inspired by C code and kin, the use of directly shared resources makes more sense, and can be argued to have performance benefits. This contrasts with the philosophy behind Ada, which argues that neither safety nor ease of maintenance should ever be sacrificed in the name of performance. Even so, if one can prove that it is in fact safe and does not invite a maintenance nightmare, it could be worth supporting.

One might even argue that since people are going to use this feature anyway – with toolchain intrinsics if they have to – one may as well provide a standard library version. This is something that could be immensely helpful to newcomers as well, as evidenced by my recent attempt to port a lock-free ring buffer (LFRB) from C++ to Ada and running into the atomic operations details head-first.

Fixing A Lock-Free Ring Buffer

In my original Ada port of the LFRB I had naively taken the variables that were adorned with the std::atomic STL feature and replaced that with the with Atomic; pragma, blissfully unaware of this being actually an improvement over the ‘everything is implementation dependent and/or undefined behavior’ elements in C++ (and C). Since I insisted on making it a straight port without a major redesign, it would seem that here I need to use this new Ada 2022 library.

Since the code uses both atomic operations on Boolean and Integer types we need the following two packages:
with System.Atomic_Operations.Integer_Arithmetic;
with System.Atomic_Operations.Exchange;
These generic packages of course also need to have a specific package defined for our use:
type Atomic_Integer is new Integer with Atomic;
package IAO is new System.Atomic_Operations.Integer_Arithmetic(Atomic_Integer);

type Atomic_Boolean is new Boolean with Atomic;
package BAO is new System.Atomic_Operations.Exchange(Atomic_Boolean);
These new types are defined as being capable of atomic read and write operations, which is a prerequisite for more complex atomic operations and thus featured in the package instantiation. Using these types is required to perform atomic operations on our target variables, which are declared as follows:
dataRequestPending : aliased Atomic_Boolean;
unread : aliased Atomic_Integer;
The [url=https://en.wikibooks.org/wiki/Ada_Programming/Keywords/aliased]aliased[/url] keyword here means that the variable has to be in memory (i.e. have a memory address) and not just in a register, allowing it to be the target of an access (pointer) type.

When we want to perform an atomic operation on our variables, we use the package which we instantiated previously, e.g.:
IAO.Atomic_Subtract(unread, len);
IAO.Atomic_Add(free, len);
The first of which will subtract the value of len from unread followed by the second line which will add the same value to free. We can see that we are now getting memory barriers in the generated assembly, e.g.:
lock add DWORD PTR [rsp+4], eax #,, _10
Which is the atomic addition operation for the x86 ISA, confirming that we are now indeed performing proper atomic operations. Similarly, for booleans we can perform atomic operations such as assigning a new value and returning the previous value:
while BAO.Atomic_Exchange(dataRequestPending, false) loop
null;
end loop;

Atomic Differences

I must express my gratitude to the commentators to the previous LFRB Ada article who pointed out these differences between atomic in C++ (and C) and Ada. Along with their feedback there are also tools such as the Godbolt Compiler Explorer site where it’s quite easy to drop in some C++ and Ada code for comparison between the generated assembly, even across a range of ISAs. Since I did not consult any of these previously consider this article my mea culpa for getting things so terribly wrong earlier.

Correspondingly, before passing off the above explanation as the absolute truth, I will preface it by saying that it is my best interpretation of The Correct Way in the absence of significant amounts of example code or discussions. Currently I’m adapting the LFRB code as described as above and will update the corresponding GitHub project once I feel relatively confident that I can dodge writing a second apology article.

For corrections and feedback, feel free to sound off in the comments.

hackaday.com/2025/01/02/progra…

What do you get when you cross cardboard, deodorant rollers, and a love for retro gaming? A marvel of DIY engineering that brings the arcade classic Puzzle Bobble to life—once again! Do you remember the original Puzzle Bobble aiming mechanism we featured 12 years ago? Now, creator [TomTilly] has returned with a revamped version, blending ingenuity with a touch of nostalgia. [Tom] truly is a Puzzle Bobble enthusiast. And who could argue that? The game’s simplicty makes for innocent yet addictive gameplay.

[Tom]’s new setup recreates Puzzle Bobble’s signature aiming mechanic using surprising materials: deodorant roller balls filled with hot glue (to diffuse LED colours), bamboo skewers, and rubber bands. At its heart is an Arduino UNO, which syncs the RGB LED ‘bubbles’ and a servo-driven aiming arm to the game’s real-time data. A Lua script monitors MAME’s memory locations to match the bubble colours and aimer position.

But this isn’t just a static display. [Tom] hints at a version 2.0: a fully functional controller complete with a handle. Imagine steering this tactile masterpiece through Puzzle Bobble’s frantic levels!

Need more inspiration? Check out other quirky hacks like [Tom]’s deodorant roller controller we featured in 2023. Whether you’re into cardboard mechanics or retro gaming, there’s no end to what clever hands can create.

youtube.com/embed/uzLQa7_EQDE?…

hackaday.com/2025/01/02/crafti…

Venerdì scorso, l’azienda Cyberhaven specializzata nella prevenzione del furto di dati ha confermato di essere stata vittima di un attacco informatico lanciato la sera del 24 dicembre, che ha portato alla pubblicazione di una versione corrotta della sua estensione sul Chrome Web Store il 25 mattina. I team di sicurezza hanno impiegato quasi un giorno in più per rilevare l’attacco e altri 60 minuti per sostituire il plug-in dannoso (v24.10.4) con una versione sana (v24.10.5). All’alba del 26 tutto era tornato alla normalità, o quasi.

Estensioni Chrome hackerate: cosa hanno sfruttato i malintenzionati

Se Cyberhaven si è preso il tempo necessario prima di comunicare ufficialmente i dettagli di questo attacco, ora sappiamo cosa è successo. In modo del tutto classico, un dipendente sarebbe caduto vittima di un attacco di phishing particolarmente ben congegnato. Gli hacker sono poi riusciti a rubare le sue credenziali di connessione al Chrome Web Store per pubblicare una versione dannosa del plugin ufficiale. Secondo l’azienda, solo i browser Chromium configurati per aggiornare automaticamente le estensioni sarebbero a rischio.

Ma le conseguenze non sono meno importanti per la sicurezza dei dati. Secondo John Tuckner, ricercatore di Secure Annex, l’estensione corrotta, che conta più di 400.000 installazioni, conteneva codice in grado di esfiltrare sessioni autenticate e cookie su un server remoto. Tuttavia, tra i clienti di Cyberhaven che probabilmente utilizzeranno il suo plugin, troviamo grandi nomi come Snowflake, Motorola, Canon e persino Reddit.

Non un caso isolato

In seguito a questa scoperta, Jaime Blasco, un altro ricercatore, questa volta della Nudge Security, ha preso l’iniziativa di continuare l’indagine sulla base degli indirizzi IP e dei domini registrati sul server pirata. È emerso che l’attacco a Cyberhaven non è stato un caso isolato, ma parte di una serie di hack coordinati.

Blasco è stato infatti in grado di identificare che lo stesso codice dannoso era stato iniettato anche in altre quattro estensioni popolari, vale a dire Internxt VPN (10.000 installazioni, patchata il 29 dicembre), VPNCity (50.000, rimossa dallo store), Uvoice (40.000, patchata dicembre 31) e ParrotTalks (40.000, rimossi dallo store).

Come ciliegina sulla torta, Blasco ha scoperto anche altri domini che puntano a potenziali vittime, mentre Tuckner hanno confermato di aver identificato diverse altre estensioni contenenti lo stesso codice dannoso, ancora attive al 31 dicembre, tra cui Bookmark Favicon Changer, Castorus, Search Copilot AI Assistant per Chrome , VidHelper o assistente YesCaptcha. In totale, il set aggiuntivo di questi moduli compromessi ha accumulato fino ad oggi più di 540.000 installazioni.

Migliora la tua postura cyber per evitare di rimanere vittima

Se utilizzi una o più di queste estensioni compromesse, controlla innanzitutto che siano state aggiornate dopo il 31 dicembre. Altrimenti disinstallale immediatamente. Inoltre, reimposta le impostazioni del browser, elimina i cookie, modifica tutte le password, configura la 2FA e opta per le passkey quando possibile. Per aiutarti, considera l’utilizzo di un gestore di password sicuro.

In generale, limita il più possibile il numero di estensioni installate sul tuo browser e privilegia quelle di sviluppatori affidabili e reattivi. Controlla regolarmente le autorizzazioni concesse a ciascuno di essi: un controllo captcha non ha bisogno di accedere al tuo microfono, alla tua fotocamera o alla tua posizione GPS, ad esempio. Infine, monitora gli avvisi di sicurezza e valuta la possibilità di installare un antivirus affidabile per agire rapidamente in caso di un nuovo problema.

L'articolo Estensioni Chrome hackerate! 540.000 installazioni minacciano i tuoi dati proviene da il blog della sicurezza informatica.

I servizi segreti americani hanno ammesso di non aver verificato se le persone fossero d’accordo con l’utilizzo dei loro dati geografici in uno speciale programma di tracciamento. Sebbene l’agenzia abbia dichiarato che i dati sono stati raccolti con il permesso, non è stata effettuata alcuna verifica effettiva del consenso. I geodati sono stati ottenuti tramite applicazioni meteorologiche e navigatori, che hanno trasmesso le informazioni a Venntel.

La Federal Trade Commission (FTC) ha vietato a Venntel di vendere dati sulla posizione dopo aver constatato che il consenso non veniva sempre richiesto. Venntel si è rivelato un fornitore chiave di dati per gli strumenti di sorveglianza utilizzati dalle agenzie governative. Ad esempio, il programma Locate X di Babel Street consente di tracciare attraverso gli smartphone gli spostamenti delle persone, fino alle visite alle cliniche e ai luoghi di residenza.

Nel 2022, l’ufficio del senatore Ron Wyden ha chiesto ai servizi segreti quali misure fossero state adottate per verificare che i dati sulla posizione fossero stati ottenuti con il consenso degli utenti. La risposta si è rivelata inequivocabile: “nessuno“. Ha anche rivelato che l’agenzia ha utilizzato lo strumento senza mandato, ma afferma che i dati sono stati utilizzati solo per trovare informazioni e non in cause legali.

I giornalisti avevano precedentemente pubblicato fughe di notizie sul lavoro di Locate X. Uno dei video mostrava come utilizzando il programma fosse possibile selezionare una zona sulla mappa e monitorare i dispositivi che la visitavano. Le e-mail dei servizi segreti interni discutevano se fosse necessario un mandato per tale utilizzo di dati. Alcuni hanno sostenuto che il consenso è implicito quando si installano le app. Tuttavia, la FTC ha dimostrato che il consenso non è stato ottenuto o non era chiaro.

La FTC ha inoltre riscontrato che gli avvisi sulla raccolta dati in-app non erano sufficientemente trasparenti. Anche la società madre di Venntel, Gravy Analytics, è accusata di violazione della privacy. Il senatore Wyden ha definito questa pratica inaccettabile e scandalosa.

Secondo la FTC, Gravy e Venntel elaborano ogni giorno oltre 17 miliardi di segnali provenienti da circa un miliardo di dispositivi. La FTC ha affermato che le azioni delle aziende mettono a repentaglio le libertà civili e la sicurezza di molti gruppi, come il personale militare, le minoranze religiose e gli attivisti sindacali.

L'articolo Tracciamento Senza Consenso: Lo Scandalo Dei Servizi Segreti Americani proviene da il blog della sicurezza informatica.

With 2024 now officially in the history books, it’s time to take our traditional look back and reflect on some of the top trends and stories from the past twelve months as viewed from the unique perspective Hackaday affords us. Thanks to the constant stream of tips and updates we receive from the community, we’ve got a better than average view of what’s on the mind of hardware hackers, engineers, and hobbyists.

This symbiotic relationship is something we take great pride in, which is why we also use this time of year to remind the readers just how much we appreciate them. We know it sounds line a line, but we really couldn’t do it without you. So whether you’ve just started reading in 2024 or been with us for years, everyone here at Hackaday thanks you for being part of something special. We’re keenly aware of how fortunate we are to still be running a successful blog in the era of YouTube and TikTok, and that’s all because people like you keep coming back. If you keep reading it, we’ll keep writing it.

So let’s take a trip down memory lane and go over just a handful of the stories that kept us talking in 2024. Did we miss your favorite? Feel free to share with the class in the comments.

Boeing’s Bungles

We’ll start off with what was undoubtedly one of the biggest stories in the tech and engineering world, although you’ll find little mention of it on the pages of Hackaday up until now. We’re talking, of course, of the dramatic and repeated failures of the once unassailable Boeing.

As a general rule, we don’t really like running negative stories. It’s just not the vibe we try and cultivate. Unless we can bring something new to the discussion, we’d rather leave other outlets peddle in doom and gloom. So that’s why, after considerable internal debate at HQ, we ultimately never wrote a story about the now infamous Alaska Airlines door plug incident at the beginning of the year.

Nor did we cover the repeated delays of Boeing’s Starliner capsule, a crewed spacecraft that the company was paid $4.2 billion to build under NASA’s Commercial Crew Program — nearly double the sum SpaceX received for the development of their Crew Dragon.

Things only got worse once the capsule finally left the launch pad in June. With human lives in the balance, it seemed in poor taste for us to cover Starliner’s disastrous first crewed flight to the International Space Station. The mission was so fraught with technical issues that NASA made the unprecedented decision to send the capsule back to Earth without its crew onboard. Those two astronauts, Barry E. Wilmore and Sunita Williams, still remain on the ISS; their planned eight-day jaunt to the Station has now been extended until March of 2025, at which point they’ll be riding home on SpaceX’s capsule.

We won’t speculate on what exactly is happening at Boeing, although we’ve heard some absolutely hair-raising stories from sources who wish to remain anonymous. Suffice to say, as disheartening as it might be for us on the outside to see such a storied company repeatedly fumble, it’s even worse for the those on the inside.

Desktop 3D Printing Reshuffling

While the tectonic shifts in the desktop 3D printer market didn’t start last year, 2024 really seemed to be the point where it boiled over. For years the market had been at a standstill, with consumers essentially having two paths forward depending on what they were willing to spend.

Had $200 or $300 to play with? You’d buy something like an Ender 3, a capable enough machine if you were willing to put in the time and effort. Or if you could stand to part with $800, you brought a Prusa i3, and didn’t worry about the little details like bed leveling or missed steps because it was automated enough to just work most of the time.

But then, Bambu Labs showed up. Founded by an ex-DJI engineer, the Chinese company introduced a line of printers that might as well have come from the future. Their speed, ease of use, and features were beyond even what Prusa was offering, and yet they cost nearly half as much. Seemingly overnight, the the market leaders at both ends of the spectrum were beat at their own game, and the paradigm shifted. The cheap printers now seemed archaic in comparison, and Prusa’s machines overpriced.

But while Bambu’s printers have dazzled consumers, they bring along some unfortunate baggage. Suddenly 3D printing involves cloud connectivity, proprietary components, and hardware that was designed for production rather than repairability. In short, desktop 3D printing seems on the verge of breaking into the legitimate mainstream, with all the downsides that comes with it these days.

It’s wasn’t all bad news though. When the community started experimenting with running alternate firmware on their hardware, Bambu’s response was better than we’d feared: users would be allowed to modify their firmware, but would have to waive their warranty. It’s not a perfect solution, but considering Prusa did more or less the same thing in 2019 when they released the Mini, the community had already shown they would accept the compromise.

Speaking of Prusa, feelings on how they’ve decided to respond to this newfound competition have been mixed, to put it mildly. In developing their new Core ONE printer it looks like they’ve engineered a worthy opponent for Bambu’s X1, but unfortunately, it appears the company has all but abandoned their open source hardware roots in the process.

RP2350 Has a Rocky Start

The release of the Pi Pico development board made our list of highlights for 2021, and in the intervening years, the RP2040 microcontroller at its heart has become a favorite of makers and hackers. We’ve even used it for the last two Supercon badges at this point. So the fact that its successor made this year’s list should come as no surprise.

But while the release of the Pi Pico 2 over the summer was noteworthy in its own way, it wasn’t really the big story. It’s what happened after that triggered debate in the community. You see, the RP2350 microcontroller that powered the Pico 2 launched with a known bug affecting the internal pull-down resistors. A bug that Hackaday alumn Ian Lesnet started documenting while incorporating the chip into a new version of the Bus Pirate. It turned out the scope of said bug was actually a lot worse than the documentation indicated, a fact that the folks at Raspberry Pi didn’t seem keen to acknowledge at first.

Ultimately, the erratum for the RP2350 was amended to better describe the nature of the issue. But as for an actual hardware fix, well that’s a different story. The WiFi-enabled version of the Pico 2 was released just last month, and it’s still susceptible to the same bug. Given that the hardware workaround for the issue — adding external pull-downs — isn’t expensive or complicated to implement, and that most users probably wouldn’t run into the problem in the first place, it seems like there’s no rush to produce a new version of the silicon.

Voyager 1 Shows its Age

Admittedly, any piece of hardware that’s been flying through deep space for nearly 50 years is bound to run into some problems, especially one that was built with 1970s era technology. But even still, 2024 was a rough year for humanity’s most distant explorer, Voyager 1.

The far-flung probe was already in trouble when the year started, as it was still transmitting gibberish due to being hit with a flipped-bit error in December of 2023. Things looked pretty grim for awhile, but by mid-March engineers had started making progress on the issue, and normal communication was restored before the end of April.

In celebration Dan Maloney took a deep-dive into the computers of Voyager, a task made surprisingly difficult by the fact that some of the key documentation he was after apparently never got never digitized. Things were still going well by June, and in September ground controllers were able to pull off a tricky reconfiguration of the spacecraft’s thrusters.

But just a month later, Voyager suffered another major glitch. After receiving a command to turn on one of its heaters, Voyager went into a fault protection mode that hadn’t been triggered since 1981. In this mode only the spacecraft’s low power S-band radio was operational, and there was initially concern that NASA wouldn’t be able to detect the signal. Luckily they were able to pick out Voyager’s faint cries for help, and on November 26th, the space agency announced they had established communications with the probe and returned it to normal operations.

While Voyager 1 ended 2024 on a high note, there’s no beating the clock. Even if nothing else goes wrong with the aging hardware, the spacecraft’s plutonium power source is producing less and less energy each year. Various systems can be switched off to save power, something NASA elected to do with Voyager 2 back in October, but eventually even that won’t be enough and the storied spacecraft will go silent for good.

CH32 Gains Momentum

We first got word of the CH32 family of low-cost RISC-V microcontrollers back in early 2023, but they were hard to come by and the available documentation and software toolchains left something to be desired. A 10¢ MCU sounds great, but what good is it if you can’t buy the thing or program it?

The situation was very different in 2024. We ran nearly three times the number of posts featuring some variant of the CH32 in 2024 than we did in the previous year, and something tells us the numbers for 2025 will be through the roof. The fact that the chips got official support in the Arduino IDE back in January certainly helped increase its popularity with hobbyists, and by March you could boot Linux on the thing, assuming you had time to spare.

In May bitluni had clustered 256 of them together, another hacker had gotten speech recognition running on it, and there was even a project that aimed to turn the SOIC-8 variant of the chip into the world’s cheapest RISC-V computer.

We even put our own official stamp of approval on the CH32 by giving each and every attendee of Supercon 2024 one to experiment with. Not only did attendees get a Simple-Add On (SAO) protoboard with an onboard CH32, but the badge itself doubled as a programmer for the chip, thanks in no small part to help from [CNLohr].

Evolution of the SAO

But the CH32 isn’t the only thing that got a boost during Supercon 2024. After years of seeing SAOs that were little more than a handful of (admittedly artistically arranged) LEDs, we challenged hackers to come up with functional badge add-ons using the six-pin interface and show them off in Pasadena by way of an event badge that served as a power and communications hub for them.

The response was phenomenal. Compared to the more complex interfaces used in previous Supercon badges, focusing on the SAO standard greatly reduced the barrier of entry for those who wanted to produce their own modular add-ons in time for the November event. Instead of only a handful of ambitious attendees having the time and experience necessary to produce a modular PCB compatible with the badge, a good chunk of the ticket holders were able bring along SAOs to show off and trade, adding a whole new dimension to the event.

While it’s unlikely we’ll ever make another Supercon badge that’s quite as SAO-centric as we did in 2024, we hope that the experience of designing, building, and sharing these small add-ons will inspire them to keep the momentum going in 2025 and beyond.

Share Your 2024 Memories

Even if this post was four times as long, there’s no way we’d be able to hit on everyone’s favorite story or event from 2024. What would you have included? Let us know in the comments, and don’t be afraid to speculate wildly about what might be in store for the hacking and making world in 2025.

hackaday.com/2025/01/02/2024-a…

If you’re looking to get into flying first-person view (FPV) remote controlled aircraft, there’s an incredible amount of information available online. Seriously, it’s ridiculous. In fact, between the different forums and the countless YouTube videos out there, it can be difficult to sort through the noise and actually find the information you need.

What if there was one location where FPV folks could look up hardware, compare notes, and maybe even meet up for the occasional flight? That’s the idea behind the recently launched DIYFPV. In its current state the website is a cross between a social media platform, a hardware database, and a tech support forum.

Being able to look up parts to see who has them in stock and for what price is certainly handy, and is likely to become a very valuable resource, especially as users start filling the database with first-hand reviews. There’s no shortage of social media platforms where you can post and chat about FPV, but pairing that with a dedicated tech support section has promise. Especially if the solutions it produces start getting scrapped by show up in search engines.

But the part of DIYFPV that has us the most interested is the interactive builder tool. As explained in the announcement video below, once this feature goes live, it will allow users to pick parts from the database and virtually wire them together. Parts are represented by high-quality illustrations that accurately represent connectors and solder pads, so you won’t be left guessing where you’re supposed to connect what. Schematics can be shared with others to help with troubleshooting or if you want to get feedback.

The potential here is immense. Imagine a function to estimate the mass of the currently selected electronics, or a simulation of how much current it will draw during flight. It’s not clear how far DIYFPV plans on taking this feature, but we’re eager to find out.

youtube.com/embed/0iD4j3tdXxA?…

hackaday.com/2025/01/02/diyfpv…

Quando guardiamo nell’abisso dell’Intelligenza Artificiale, cosa vediamo? E cosa vede l’IA quando guarda noi? Sam Altman, soprannominato il “padre dell’IA” e CEO di OpenAI, si è fatto portatore di una rivoluzione tecnologica epocale, paragonata a invenzioni come la ruota e l’elettricità. Ma chi è davvero quest’uomo che promette di plasmare il futuro dell’umanità?

Nato nel 1985, Altman ha incontrato il suo destino all’età di 8 anni, quando ricevette in dono un Macintosh LC II. Da allora, la sua vita è stata un’inarrestabile ascesa nel mondo digitale. Tra gli oggetti più cari ad Altman c’è la mezuzah, un simbolo di fede e tradizione, una pergamena contenente due passaggi della Torah, custodita in un astuccio, a testimonianza delle sue radici culturali e del suo legame con l’eredità ebraica.

Dopo aver fondato Loopt e guidato Y Combinator, Altman ha co-fondato OpenAI, un’organizzazione che si propone di creare un’intelligenza artificiale “a beneficio dell’umanità”. Una missione nobile, ma che solleva interrogativi sul potenziale uso di una tecnologia così potente. Chi controllerà questa tecnologia e come verrà utilizzata?
Foto Carlo Denza

Come Worldcoin punta a cambiare l’economia globale

Come Worldcoin punta a cambiare l’economia globale? In che modo Sam Altman e Alex Blania, cofondatore di Tools for Humanity, immaginano di raggiungere l’obiettivo di un’economia più equa? Il 17 ottobre 2024 in diretta da San Francisco, Altman e Blania hanno tenuto un evento live intitolato “A New World” (tenete a mente questo titolo), durante il quale hanno illustrato gli ultimi sviluppi del progetto. Il progetto Worldcoin, sviluppato dall’azienda Tools for Humanity fondata da Altman e Blania, si basa su un sistema che combina innovazioni tecnologiche con modelli economici inclusivi.

Sfruttando la potenza delle criptovalute e dell’intelligenza artificiale, mira a creare nuove opportunità di distribuzione delle risorse, affrontando problemi come la disuguaglianza economica e la mancanza di accesso ai servizi finanziari per molte persone. Uno degli elementi distintivi di Worldcoin è il World ID, un sistema di identificazione biometrica univoco basato sulla scansione dell’iride. Questo sistema è progettato per distinguere gli esseri umani dai bot, un’operazione sempre più cruciale nell’era dell’intelligenza artificiale, garantendo un accesso equo ai benefici della piattaforma.

Criptovalute: un sistema decentralizzato

Le criptovalute, come il famoso Bitcoin, sono nate con la promessa di essere un sistema finanziario decentralizzato, libero dal controllo di banche e governi. Sfruttando la tecnologia peer-to-peer, i computer di tutto il mondo si connettono tra loro, creando una rete in cui ogni nodo funziona sia come client che come server. Nessuno controlla la rete; solo algoritmi complessi garantiscono l’emissione e la validità delle monete digitali. A differenza di Bitcoin che si basa su un algoritmo di consenso di tipo Proof of Work, Ethereum, la blockchain su cui si basa Worldcoin, utilizza il protocollo Proof of Stake. Worldcoin, con la sua promessa di un “sistema economico più giusto”, si inserisce in questo contesto. Utilizza la tecnologia blockchain di Ethereum, che la differenzia per una distribuzione più equa e il focus sull’identità digitale. Ma quali sono le sue caratteristiche principali? E in cosa si distingue dalle altre criptovalute?

Progetto Worldcoin: come funziona?

Il sogno di Altman e del suo team è sviluppare tecnologie, come l’IA, così potenti da trasformare non solo la società ma anche il sistema economico globale. Queste tecnologie mirano ad aiutare le persone a fare ciò che prima non era possibile o a farlo in modo radicalmente diverso. L’intelligenza artificiale, ad esempio, viene utilizzata per l’analisi delle immagini dell’iride da parte dell’Orb e potrebbe avere un ruolo futuro nella gestione della rete. Per realizzare questa visione, è stato necessario immaginare nuove infrastrutture: “luoghi” virtuali in cui esseri umani e agenti di intelligenza artificiale possano scambiarsi risorse. La missione di questa rete finanziaria è duplice: creare un’identità digitale globale e una rete economica inclusiva. Worldcoin si basa su un sistema globale di identità digitale supportato dal protocollo Layer 2 di Ethereum, Optimism, scelto per la sua capacità di migliorare la scalabilità e ridurre le commissioni di transazione.

World ID, WorldApp, Worldcoin

Per accedere al network World, gli utenti devono ottenere un’identità digitale univoca. Allo scopo di prevenire la falsificazione di profili, questa identità viene creata esclusivamente tramite un dispositivo biometrico dedicato. Lo strumento, sviluppato da Tools for Humanity, è denominato Orb ed è basato su tecnologia open source. Questo dispositivo, a forma di sfera, utilizza lenti specializzate per scansionare l’iride, generando un World ID unico per ogni utente. L’immagine dell’iride viene trasformata in un codice hash, una sorta di “impronta digitale” univoca che non può essere ricondotta all’immagine originale, garantendone così l’anonimato. Una volta completata la registrazione, tramite l’applicazione WorldApp – un portafoglio digitale che gestisce sia le credenziali di accesso che la criptovaluta – gli utenti possono ricevere e utilizzare la moneta digitale WLD (Worldcoin). Inizialmente, gli utenti ricevono dei token WLD gratuiti come incentivo per registrarsi, un aspetto importante del modello di distribuzione di Worldcoin.

È importante sottolineare che possedere un World ID non implica la condivisione di dati personali come nome, numero di telefono, indirizzo e-mail o domicilio. I dati raccolti dall’Orb vengono trasformati in un codice hash univoco, progettato per garantire l’anonimato e proteggere la privacy degli utenti. World ID, inoltre, potrebbe essere usato in futuro per accedere ad altri servizi online, oltre a Worldcoin, come i social network o le piattaforme di e-commerce.

I Paesi che hanno aderito a Worldcoin

I Paesi in cui è possibile registrarsi al progetto Worldcoin tramite scansione dell’iride effettuata con un Orb sono: Argentina, Austria, Brasile, Cile, Colombia, Corea del Sud, Germania, Giappone, Guatemala, Ecuador, Messico, Malesia, Panama, Perù, Polonia, Portogallo, Singapore. La lista è in continuo aggiornamento. Questi paesi hanno aderito al progetto perché vedono in Worldcoin un’opportunità per l’inclusione finanziaria o per l’innovazione tecnologica. Per il momento il progetto non è ancora stato introdotto in Italia.

Il caso Italia

Il GPDP analizzando il caso specifico ha avvertito che il progetto violerebbe il Regolamento Ue. Il provvedimento del Garante Per La Protezione Dei Dati Personali si è espresso in maniera chiara: “il trattamento dei dati biometrici basato sul consenso degli aderenti al progetto, rilasciato sulla base di una informativa insufficiente, non può essere considerato una base giuridica valida secondo i requisiti richiesti dal Regolamento europeo.” E Oltretutto, “la promessa di ricevere WLD token (moneta digitale) gratuiti da parte di Wordcoin incide negativamente sulla possibilità di esprimere un consenso libero e non condizionato al trattamento dei dati biometrici effettuato attraverso gli Orb. Infine, i rischi del trattamento risultano ulteriormente amplificati dall’assenza di filtri per impedire l’accesso agli Orb e alla World App ai minori di 18 anni.”

Worldcoin: Critiche e Controversie

Worldcoin, pur rappresentando una visione ambiziosa per il futuro dell’economia e dell’identità digitale, ha sollevato numerose critiche. Nel 2023, il progetto è stato sospeso in Kenya a causa di preoccupazioni relative alla privacy e alla raccolta dei dati biometrici. La Spagna è stata il primo paese europeo a bloccare l’iniziativa, evidenziando gli elevati rischi per la tutela dei dati personali. Anche l’ex analista della NSA Edward Snowden ha criticato apertamente il modello di privacy di Worldcoin. Ha sottolineato che, anche se le scansioni biometriche venissero cancellate per motivi di privacy – come dichiarato dall’azienda – l’identificatore univoco generato potrebbe essere utilizzato per collegare future analisi biometriche agli stessi individui.

Nel suo tweet del 24 ottobre 2021, Snowden ha affermato: “Non utilizzare la biometria per l’antifrode. In realtà, non usare la biometria per nulla.” Le preoccupazioni etiche e le questioni legate alla privacy rimangono centrali nel dibattito su Worldcoin. Il progetto sarà in grado di mantenere le sue promesse senza compromettere i diritti fondamentali degli individui? Curiosamente, l’evento del 17 ottobre 2024, intitolato “A New World”, ricorda il titolo del romanzo di fantascienza distopica, Il mondo nuovo (Brave New World) di Aldous Huxley. Opera nella quale Huxley immagina una società futura in cui il controllo sociale e la perdita di libertà individuali sono ottenuti attraverso la tecnologia e la standardizzazione. Coincidenze!

L'articolo Worldcoin: Il Futuro dell’Economia è Scritto nell’Iride? proviene da il blog della sicurezza informatica.

Generally, the projects featured on Hackaday actually do something. We won’t go as far as to say they are practical creations, but they usually have some kind of function other than to sit there and blink. But what if just sitting still and blinking away randomly is precisely what you want a piece of hardware to do?

That was exactly the goal when [createscifi] set out to dress a Lite Brite up as a futuristic prop. On a technical level, this project is pretty much as simple as it gets. But we appreciated seeing some of the techniques brought to bear on this project, and perhaps more importantly, really like the channel’s overall goal of creating affordable sci-fi props using common components. We don’t plan on filming our own space epic anytime soon…but we like to know the option is there.

A diode laser makes adding surface details easy.
The process starts off with creating some 2D imagery to represent various components on the final “control panel”, such as sliders, knobs, and a logo. These details, plus the big opening for the Lite Brite itself, are then cut out of thin wood using a diode laser.

After gluing the parts together, [createscifi] sprays the whole thing black and then rubs graphite powder into the surface to give it a unique metallic texture. Finally, small discs are glued onto the surface to represent knobs and buttons — a process known as “greebling” in the model and prop making world.

The very last step of the process is to glue the Lite Brite into the back of the console, and set it off randomly blinking. Personally, we’d have liked to have seen some attempt made to cover the Lite Brite. It seems like putting the thing behind a piece of scuffed up acrylic to act as a diffuser would have made for a more mysterious visual, but as [createscifi] points out, he considers the fact that its still recognizably a child’s toy to be something of a visual gag.

We love prop builds; from ray guns to historical recreations, they’re multi-disciplinary projects that really allow the creator to stretch their creativity without getting bogged down by the tyranny of practicality. It’s been a couple years since the last Sci-Fi Contest, perhaps it’s time for another?

youtube.com/embed/sSPEUNTuqXU?…

hackaday.com/2025/01/02/light-…