We love electronic conference badges here at Hackaday, but it’s undeniable that many of them end up gathering dust after the event. Most of them are usable as development boards though, so it’s nice to see them appear in projects from time to time. [Benjamin Blundell] has a good one, he’s using an EMF Camp 2014 badge to power a set of load cells in a bee scale.

Not being skilled in the art of apiary here at Hackaday we’re thankful for his explanation. Beekeepers weigh their hives as a means of gauging their occupancy, and the scale for this purpose has a few application specific features. The EMF 2014 badge (known as the TiLDA MKe) meanwhile is an Arduino Due compatible ARM Cortex M0 board with an LCD display, making it perfect for the job. He devotes quite some time to describing the load cells, mounting them on extrusion, and calibration, all of which should be of use to anyone making a scale.

The software for the badge is an odd mix of Arduino and FreeRTOS, and he takes one of the stock apps and modifies it for the scale. It’s very much a badge of its era, being programmable but not with a built-in interpreter for MicroPython or similar. You can see the whole project at work in the video below the break.

If you’ve not seen a TiLDA MKe before, we wrote about it when it was released.

youtube.com/embed/KWlVOn8AhTU?…

hackaday.com/2025/01/04/a-new-…

MISP ha annunciato il rilascio di un nuovo standard di sicurezza informatica, Threat Actor Naming (RFC), che mira a risolvere uno dei problemi chiave dello scambio di informazioni nel campo delle minacce informatiche: l’identificazione unificata e affidabile dei gruppi di criminalità informatica.

La mancanza di standard nella denominazione degli autori delle minacce spesso porta a confusione, doppi sforzi e ridotta efficienza dell’analisi. L’obiettivo principale dello standard è utilizzare attivamente i database esistenti, inclusi gli identificatori univoci (UUID), per migliorare l’accuratezza e la coerenza nello scambio di dati. Questo approccio supporta una maggiore collaborazione e semplifica il confronto delle informazioni sulle minacce informatiche tra le piattaforme.

Va notato che la mancanza di standard uniformi porta al fatto che lo stesso autore della minaccia può avere molti nomi, il che complica il lavoro degli analisti.

Ad esempio, gli stessi gruppi possono essere chiamati sia APT-1 che TA-505 e l’uso di parole del dizionario come “ZooPark” crea confusione a causa del loro significato comune.

Si consiglia di controllare attentamente i nomi esistenti nei database prima di creare un nuovo nome. È importante evitare di utilizzare parole del dizionario, nomi di strumenti e tecniche per evitare di creare nomi duplicati o fuorvianti. Il documento proponeva anche un formato standard, favorendo titoli di una sola parola o frasi contenenti trattini. La codifica dovrebbe essere basata su ASCII a 7 bit per evitare barriere linguistiche e incoerenze.

Inoltre, si propone di creare un registro centralizzato per archiviare i nomi delle minacce. Tale registro ci consentirà di tracciare la storia dei nomi e di garantirne l’unicità. Ad esempio, i nomi “APT-1” o “TA-505” sono considerati buoni esempi, mentre “ShadyRAT” o “GIF89a” causano confusione a causa della sovrapposizione con altri termini.

Le raccomandazioni includono anche misure di sicurezza: prima di pubblicare un nuovo nome, è necessario verificare la presenza di informazioni riservate che potrebbero rivelare dettagli dell’incidente.

Il documento evidenzia la necessità di standard comuni che facilitino la collaborazione tra analisti e piattaforme come MISP, oltre a migliorare la comprensione generale delle minacce informatiche.

L'articolo Stop Alla Confusione! MISP Vuole Che I Threat Actors Abbiano Un Solo Nome proviene da il blog della sicurezza informatica.

Alla conferenza annuale Chaos Communication Congress (CCC), organizzata dalla più grande comunità di hacker d’Europa, il ricercatore Thomas Lambertz ha presentato il rapporto “Windows BitLocker: Screwed without a Screwdriver”.

Nel suo discorso, ha dimostrato come aggirare la protezione crittografica BitLocker e ottenere l’accesso ai dati. Sebbene il CVE-2023-21563 sia stato ufficialmente aggiornato con la patch nel novembre 2022, può ancora essere sfruttato nelle versioni attuali di Windows. Per fare ciò, è sufficiente l’accesso fisico una tantum al dispositivo e la connessione alla rete.

L’attacco rientra nella categoria “bitpixie” e non richiede manipolazioni complesse, come l’apertura del case del computer. La tecnica prevede l’utilizzo del boot loader legacy di Windows tramite Secure Boot per estrarre la chiave di crittografia nella RAM, dopodiché la chiave viene estratta utilizzando Linux. Ciò dimostra che gli aggiornamenti volti a correggere la vulnerabilità non erano abbastanza efficaci.

Il problema è legato alle restrizioni su dove sono archiviati i certificati in UEFI. Si prevede che i nuovi certificati Secure Boot non verranno visualizzati prima del 2026. Come soluzione temporanea, Lambertz consiglia agli utenti di creare i propri PIN per BitLocker o disabilitare l’accesso alla rete nel BIOS. Inoltre anche un semplice dispositivo di rete USB può essere utilizzato per sferrare un attacco.

Per gli utenti comuni, la minaccia rimane improbabile. Tuttavia, negli ambienti aziendali, governativi e in altri ambienti mission-critical, la capacità di decrittografare completamente un disco tramite l’accesso fisico rappresenta una seria preoccupazione.

Per uno studio più approfondito dell’argomento, la registrazione integrale della presentazione di Lambertz è a disposizione degli interessati sul sito web del CCC Media Center. Dura 56 minuti e contiene dettagli tecnici che spiegano perché risolvere la vulnerabilità è così impegnativo.

L'articolo BitLocker Sotto Attacco! La Dimostrazione Shock al Chaos Communication Congress proviene da il blog della sicurezza informatica.

È stato pubblicato ieri il consueto rapporto annuale della Polizia Postale e delle Comunicazioni relativo al 2024. Il documento evidenzia come l’istituzione abbia affrontato sfide sempre più complesse nel cyberspazio, rafforzando il suo ruolo di pilastro nella lotta contro i crimini informatici.

Il report offre una panoramica dettagliata delle attività svolte, mettendo in luce risultati significativi in molteplici ambiti, tra cui la protezione delle infrastrutture critiche, il contrasto alla criminalità digitale e la tutela dei minori online.

Un focus centrale del rapporto riguarda il contrasto alla pedopornografia online. Il Centro Nazionale per il Contrasto alla Pedopornografia Online (CNCPO) ha intensificato il monitoraggio della rete, inserendone 2.775 in una blacklist. Le operazioni investigative hanno portato all’arresto di 144 individui, segnando un aumento rispetto all’anno precedente. Questo risultato sottolinea l’efficacia di una strategia che combina tecnologie avanzate e cooperazione internazionale.

La tutela dei minori ha incluso anche campagne educative come “Una Vita da Social” e “Cuori Connessi,” che hanno raggiunto migliaia di giovani in tutta Italia. Queste iniziative, volte a promuovere un uso consapevole della rete, si sono affiancate a interventi diretti contro fenomeni quali sextortion, revenge porn e adescamento online. La crescente diffusione di queste minacce ha spinto la Polizia Postale a rafforzare i propri programmi di sensibilizzazione nelle scuole.

Parallelamente, il Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche (CNAIPIC) ha incrementato le attività di prevenzione contro attacchi ransomware e DDoS. In un contesto geopolitico instabile, gli attacchi sponsorizzati da stati o gruppi ideologici rappresentano una minaccia crescente. L’impegno della Polizia Postale è stato essenziale per garantire la sicurezza di eventi di rilievo come il Vertice G7 e il Giubileo della Speranza 2025.

Il Centro nazionale anticrimine informatico per la protezione delle infrastrutture critiche (Cnaipic) ha gestito circa 12.000 attacchi informatici e diramato 59.000 alert, concentrandosi su eventi critici come il Vertice G7 in Puglia. In un contesto caratterizzato da attacchi ransomware e DDoS, sono state identificate 180 persone coinvolte in attività cybercriminali, spesso legate a gruppi sponsorizzati da Stati.

Nel contrasto al cyberterrorismo, sono stati monitorati oltre 290.000 siti web e oscurati 2.364 per prevenire radicalizzazioni e minacce terroristiche.

Per quanto riguarda il contrasto al crimine finanziario online, l’analisi dei dati ha evidenziato un aumento costante di truffe nel tempo, che, nel quadro del generale rinnovamento della struttura organizzativa del Servizio Polizia Postale, ha portato all’istituzione di una Divisione operativa dedicata. I principali crimini riguardano il phishing, il vishing e lo smishing, frodi basate sul social engineering (come la BEC fraud) e truffe tramite investimenti online (falso trading). In crescita anche l’uso delle criptovalute, le cui transazioni sono più difficili da tracciare, richiedendo competenze specializzate.

Infine, il Commissariato di P.S. online, sito ufficiale della Polizia Postale e strumento di diretto contatto con i cittadini, ha ricevuto 3 milioni di visite e gestito oltre 82.000 segnalazioni e 23.000 richieste di assistenza. Attraverso iniziative come “Una vita da social” e “Cuori Connessi”, ha sensibilizzato studenti e cittadini sui rischi della rete, promuovendo comportamenti sicuri online con materiali informativi distribuiti in collaborazione con enti e aziende locali.

L'articolo Polizia Postale 2024: 144 Arrestati Per Pedopornografia e 2.300 siti oscurati per cyberterrorismo proviene da il blog della sicurezza informatica.

From the Institute of Computing Technology division of the Chinese Academy of Sciences and Peng Cheng Laboratory comes a high-performance and well-documented RISC-V core called XiangShan.

In the Git repository, you’ll find several branches including at least two stable branches: Yanqihu and Nanhu. The currently developed architecture, Kunminghu, is impressive, with a sophisticated instruction fetch unit, a reorder buffer, and a register renaming scheme.

The point of these types of circuits in a CPU is to allow multiple instructions to process at once. This also implies that instructions can be executed out of order. A cursory glance didn’t show any branch prediction logic, but that may be a limitation of the documentation. If there isn’t one, that would be an interesting thing to add in a fork if you are looking for a project.

On the computing side, the processor contains an integer block, a floating point unit, and a vector processor. Clearly, this isn’t a toy processor and has the capability to compete with serious modern CPUs.

There is a separate GitHub for documentation. It looks like they try to keep documentation in both Mandarin and English. You can also find some of the academic papers about the architecture there, too.

We love CPU design, and this is an interesting chance to contribute to an open CPU while there are still interesting things to do. If you need to start with something easier, plenty of small CPUs exist for educational purposes.

hackaday.com/2025/01/03/high-p…

The word “algorithm” can sometimes seem like a word designed to scare people away from math classes, much like the words “calculus”, “Fourier transform”, or “engineering exam”. But in reality it’s just a method for solving a specific problem, and we use them all the time whether or not we realize it. Taking a deep dive into some of the ways we solve problems, especially math problems, often leads to some surprising consequences as well like this set of algorithms for performing various calculations using nothing but a checkerboard.

This is actually a demonstration of a method called location arithmetic first described by [John Napier] in 1617. It breaks numbers into their binary equivalent and then uses those representations to perform multiplication, division, or to take the square root. Each operation is performed by sliding markers around the board to form certain shapes as required by the algorithms; with the shapes created the result can be viewed directly. This method solves a number of problems with other methods of performing math by hand, eliminating other methods like trial-and-error. The video’s creator [Wrath of Math] demonstrates all of these capabilities and the proper method of performing the algorithms in the video linked below as well.

While not a “hack” in the traditional sense, it’s important to be aware of algorithms like this as they can inform a lot of the way the world works on a fundamental level. Taking that knowledge into another arena like computer programming can often yield some interesting results. One famous example is the magic number found in the code for the video game Quake, but we’ve also seen algorithms like this used to create art as well.

youtube.com/embed/_Qe_0aj4eEM?…

hackaday.com/2025/01/03/math-o…

Although ham radio can be an engaging, rewarding hobby, it does have a certain reputation for being popular among those who would fit in well at gated Florida communities where the preferred mode of transportation is the golf cart. For radio manufacturers this can be a boon, as this group tends to have a lot of money and not demand many new features in their technology. But for those of us who skew a bit younger, there are a few radios with custom firmware available that can add a lot of extra capabilities.

The new firmware is developed by [NicSure] for the Tidradio TD-H3 and TD-H8 models and also includes a browser-based utility for flashing it to the radio without having to install any other utilities. Once installed, users of these handheld radios will get extras like an improved S-meter and detection and display of CTCSS tones for repeater usage. There’s also a programmer available that allows the radio’s memory channels to be programmed easily from a computer and a remote terminal of sorts that allows the radio to be operated from the computer.

One of the latest firmware upgrades also includes a feature called Ultra Graph which is a live display of the activity on a selected frequency viewable on a computer screen. With a radio like this and its upgraded firmware, a lot of the capabilities of radios that sell for hundreds of dollars more can be used on a much more inexpensive handheld. All of this is possible thanks to an on-board USB-C interface which is another feature surprisingly resisted by other manufacturers even just for charging the batteries.

youtube.com/embed/2QbwW1Sgy5o?…

hackaday.com/2025/01/03/custom…

All wiring is beautiful, except when it isn’t. But is there anything more lovely to behold than circuit sculpture? Once again, [Mohit Bhoite] has made this process look easy like Sunday morning. This time, he’s created a weather display in the form of a lander.

This lander runs on the Particle Photon 2, which connects over Wi-Fi and retrieves the weather forecast for the day, along with sunrise and sunset times and wind conditions. Everything is beautifully displayed on a vertically-oriented Adafruit 170×320 TFT screen.

There’s also a pulse-density microphone (PDM) breakout board and a buzzer, and the build is capped off with a red 0805 LED. We’re not sure what the feet are made of, but they sure make this lander cute (and accurate).

All the project logs are picture-rich, which is really the most we could ask for when trying to imitate this level of greatness. This is apparently an ongoing project, and we’re excited for the end result, although it looks fairly complete from here.

Do you want to bend it like Bhoite? Then be sure to check out his Hackaday Supercon talk on the subject.

hackaday.com/2025/01/03/landin…

There’s an old joke: What do you get someone who has everything? A place to put it. For hackers like [Christian], everything is a hoard of priceless electronic components. His solution is using small zipper bags, either regular plastic or anti-static. These attach using hook and loop fastener to plastic binder sheets which then live in a binder. Combined with some custom printed labels and a few other tricks, it makes for a nice system, as you can see in the video below.

Honestly, we’ve done something similar before, using a binder with little pockets, but the bag and custom labels beat our system. He even has QR codes on some of them to locate data sheets easily. Seems like a barcode for inventory management might have been good, too.

Some advice from us. If you are just starting out, this might seem like overkill. But if you start out doing something — this or something else — then ten years from now, you won’t have to be like us and think, “I’d get everything organized, but it is going to take months to work through what I already have…” That usually makes it a project you never really get started with. Develop good habits early!

Even if you don’t want to store your components this way, his binder hacks probably work for lots of other things, too. It isn’t as flashy as some systems we’ve seen, but it is very practical. If only you didn’t have to turn the pages in the binder yourself.

youtube.com/embed/N9kQCDN8lkk?…

hackaday.com/2025/01/03/organi…

Dear Friend of Press Freedom,

If you enjoy reading this newsletter, please support our work. Our impact in 2024 was made possible by supporters like you. If someone has forwarded you this newsletter, please subscribe here.

Democrats surrender on press freedom

Democrats spent election season fundraising by warning America that a second Trump term would kickstart America’s descent into fascism. It’d be logical to assume, then, that after Trump won, they’d do everything in their power to restrain his anti-democratic impulses. You’d think that even before he won, the mere prospect would spur some urgency to check his potential powers.

But they either didn’t really believe Trump posed the threats they campaigned on, or they don’t care. That’s evident because, despite Trump escalating his threats to retaliate against the media to unprecedented levels in the closing weeks of 2024, Senate leadership gave up on the PRESS Act — the bipartisan “shield” bill to protect journalist-source confidentiality.

There are no excuses for their failure. The bill passed the House unanimously and had bipartisan support in the Senate, which Democrats controlled. Sure, it didn’t help that Trump called on Republicans to kill the bill, or that Sen. Tom Cotton gave an irrational floor speech opposing it.

But those obstacles only arose because Senate Democrats waited 11 months to act, after the House passed the bill last January. And there were still opportunities in the closing days of the session, even if Sen. Schumer would’ve had to shorten senators’ holiday break. Bottom line, if leadership saw the bill as a higher priority, it would be the law of the land today.

The bill’s lead sponsors — Jamie Raskin and Kevin Kiley in the House and Ron Wyden and Mike Lee in the Senate — deserve credit for their diligent efforts. So do the newspapers that endorsed the bill, even though they should’ve done so sooner. But others — particularly those in leadership positions who could’ve done more — should be ashamed. If Trump follows through on his threats against the press they will share a significant portion of the blame.

Mohawk journalist speaks out about being arrested for reporting

Isaac White is a Mohawk journalist from the territory of Akwesasne in northern New York. He was arrested back in May for attempting to cover a demonstration in opposition to a land claim settlement.

White’s story about his arrest, which we published in December, discusses his shock at being arrested in violation of the Constitution his ancestors inspired and his suspicion that the charges against him and others were intended to silence critics of the settlement. These charges were dropped several months later, after Freedom of the Press Foundation (FPF) and other organizations wrote to local prosecutors.

If White’s suspicions are correct, those efforts failed. “While the thought of spending a year in county jail wasn’t appealing,” he writes, “there was no way I would bend to the state’s bullying.” Read White’s detailed and inspiring reflection on his ordeal here.

News outlets shouldn’t settle defensible cases

FPF Director of Advocacy Seth Stern argued in the Chicago Sun-Times that ABC could’ve defended Trump’s lawsuit alleging George Stephanopoulos defamed him by stating that he’d been found liable for rape, as opposed to sexual abuse. Instead, it settled for $15 million.

Stern would know — he helped defend the Sun-Times in a virtually identical case over 10 years ago. “Find me the person or company that’s eager to do business with alleged sexual assailants and abusers but draws the line at alleged rapists,” he writes, questioning whether Disney-owned ABC prioritized the interests of its nonmedia holdings over the First Amendment. You can read the op-ed here.

The 2025 journalist’s digital security checklist

In tumultuous times, we believe in being prepared, not scared. Sound digital security practice often involves forming and relying on good habits. Building these reflexes now will help keep journalists better protected against future threats.

This is why our digital security team distilled advice our trainers have shared with thousands of journalists over the years into actionable, concrete steps. Read more here.

What we’re reading

Federal lawsuit: Asheville journalists sue city, police over alleged illegal arrests (Asheville Citizen Times). Park curfews don’t mean police can evade scrutiny at night. The Asheville Blade had every right to cover a controversial Christmas night encampment sweep three years ago. Asheville officials must be held accountable for retaliating against journalists.

Indigenous journalism legacy ends in Akwesasne with Indian Time closing (Canadian Broadcasting Corporation). Sadly, Indigenous-owned news outlets face the same challenges as other local news outlets. Case in point, Indian Time, the newspaper White was reporting for when he was arrested, was recently forced to shutter. It covered Akwesasne, located at the U.S.-Canada border.

LA city officials use disappearing Google Chats. The city attorney is investigating (Los Angeles Times). When they’re not trying to sue or prosecute journalists for reporting on public records, Los Angeles officials use disappearing chats to avoid creating them in the first place. LA’s dismal track record on press freedom is a reminder for anyone who thinks it’s solely a Trump or Republican issue.

He leaked Trump’s tax returns. Will Biden protect him? (The Intercept). Charles Littlejohn didn’t leak tax evaders’ returns for personal gain, but because he saw no other path to accountability. We wrote last year that “even murder defendants are entitled to consideration of their motives at sentencing. Whistleblowers certainly should be as well.”

Meta’s WhatsApp wins ruling holding spyware maker NSO liable for hacking (The Washington Post). NSO Group, the maker of the notorious Pegasus spyware, cannot escape accountability in U.S. courts for its unlawful attacks on journalists and human rights activists in dozens of countries around the world.

Spyware is spreading — and it’s cheaper than ever (Columbia Journalism Review). Trevor Timm, FPF’s executive director, helped journalists Joel Simon and Ronan Farrow alongside Ela Stapley of the Committee to Protect Journalists come up with five tips for reporters worried about spyware attacks.

Check out our other newsletters

If you haven’t yet, subscribe to FPF’s other newsletters, including The Classifieds, our new newsletter on overclassification and more from Lauren Harper, our Daniel Ellsberg Chair on Government Secrecy.

freedom.press/issues/dems-fail…