The Bluesky and ATmosphere reports are back after I was occupied last week with the Ahoy! conference about ATProto in Hamburg. It was amazing to meet so many cool people in real life, and share the excitement of working on this network together. There were some great talks, and just being around people who you can talk in-depth about Bluesky and ATProto with is just great. Hoping to see many more ATProto conferences pop up and meet more of you in real life.
A practical note: if you missed the ATmosphere report last week, a reminder that I’m also sending out the reports via email every Friday. This comes with an extra analysis article that’s not on the website, so don’t forget to subscribe!
Bluesky launches a blue check verification system
Bluesky has launched a new verification system for their platform, with blue checkmarks. With the checkmark system, Bluesky selects a few Trusted Verifiers, who can hand out checkmarks. Bluesky PBC will also hand out checkmarks to “authentic and notable accounts”. The main reason for this system’s existence is that the other verification system, using domain names as handles, did not perform well enough. Bluesky PBC says that 270k accounts have set their own domain name as a handle, but not enough high-profile accounts have done so. The other problem with domain names as verification is that many well-known public figures do not have a well-known website. The first organisations that are Trusted Verifiers in the Bluesky app are the New York Times and Wired Magazine.
Bluesky PBC advertises the new checkmark verification system with its Trusted Verifiers as “a healthy digital society should distribute power”. However, it is unclear with the current implementation to what extend power is actually distributed. Bluesky PBC is the one who selects the Trusted Verifiers that can be displayed in their app. In their blog post, they also write: “Bluesky will review these verifications as well to ensure authenticity.” To me, it seems far from distributing power, and can at best be seen as distributing operational work. With Bluesky PBC holding full control of who gets to be a Trusted Verifier, as well as reviewing their output, how much power has Bluesky PBC actually distributed?
The new checkmark verification system is not exclusive to the Bluesky app however, and it is build on an open system. Anyone can create verifications or become a Verifier, as all the data for verification is openly accessible to anyone. The only difference is that verifications that are not made by Bluesky PBC or one of their Trusted Verifiers will not be visible in the official Bluesky clients. Other systems have already sprung up, a new verifier tool by cred.blue allows anyone to easily hand out verifications. The Deer client, which is a fork of the Bluesky client, already allows for anyone to set their own Verifiers as well. I’ll talk more about this in an upcoming article, as what is happening with Deer and verification has some interesting implications on how the network will likely develop.
For now, Bluesky PBC has build a technologically cool system, which also solves a meaningful problem that their app has in the short term. While the way it is currently implemented falls short of the advertised distribution of power regarding verification, the team is clear that this is an early implementation and that the system will evolve later.
Streamplace funding
Some news from streaming software Streamplace:
Streamplace has raised 100k Livepeer tokens, worth around 500k USD, from the Livepeer Treasury to further expand the Streamplace platform. The money will be used to expand the team, enhance infrastructure and build a deeper integration with ATProto, as well as building content moderation infrastructure.
A short explanation of Livepeer, and how it relates to Streamplace. Livepeer is a decentralised network for video transcoding and processing. Transcoding (in this context) processes the video stream to make it accessible in various formats and qualities, so a stream can be viewed both by someone on a slow internet connection in 360p, as well as someone with fast internet in 4K definition. Livepeer is a DAO, with an attached crypto token. Streamplace uses Livepeer for the video transcoding, and because of this integration, which allows the Livepeer network to grow as well, the Livepeer DAO has awarded Streamplace 100k tokens, currently worth around 500k USD. It is unclear to me how the Livepeer token works, with its corresponding tokenomics, and where the value of the tokens is coming from.
Streamplace creator Eli Mellon gave an interview on the devtools-fm podcast where Eli goes into more detail on the background of Streamplace and how the software works.
Two other ATProto apps are working on integration Streamplace. Skylight already announced earlier to be working with Streamplace. At the ATProto conference Ahoy in Hamburg last week Joe Basser, co-founder of the ATProto video platform, announced to be working on livestreaming with Streamplace as well.
Streamplace is hiring a Decentralized Video Protocol Engineer and a Lead Front-End Engineer
An OBS overlay to display Streamplace chat on-stream.
An update on relays and independent infra
Bluesky PBC made some changes to how their relays work, with an update with the unassuming name of ‘Sync 1.1′. The update made it much cheaper to run relays, as they do not have to store data of the entire network anymore. This has made a drastic impact on running relays. Last month, independent developer @futurset up a relay on his own Raspberry Pi. Now Phil, another independent developer, has set up multiple relays and made them publicly accessible. This means that there are now multiple other full-network relays that index the entire network, that are outside of US jurisdiction. Just as importantly, running these full-network relays is cheap, with costs getting as low as 18 USD per month. Feed builder Graze is also creating their own implementation of a relay: Turbostream includes a large amount of extra information in the stream. For example, where Jetstream (a simplified version of a relay) broadcasts a reply, Turbostream broadcasts a reply together with the post that is being replied to, as well as a range of other information. This in turn makes it easier to other parties to build on, as most information needed is already included in Turbostream.
These developments leads to some interested new questions. When it comes to running a relay, technology and costs are clearly not barriers anymore. But what about moderation and uptime guarantees? Is having a relay that many other parties depend on even the right model of the network?
It also calls the model that the Free Our Feeds campaign had in mind, which aligned more with a perspective of expensive and large relays. Today, Free Our Feeds announced that they will donate a 50k USD grant to a new IndieSky Working Group. The IndieSky came out of the second day of the conference, organised by Boris Mann and Ted Han. Mann and Han are behind the ATProtocol Developer Community Group, and also organised the first ATProto conference in Seattle last month. The goal of IndieSky is to “work together on R&D, code, and infrastructure on how and why to run different parts of the ATProto stack”, with more details in the announcement. The first meeting for the working group is on May 8th.
In Other News
The Ahoy! conference for the European Social Web was last week, and as an extremely biased person who helped organise the conference I think it was a great success! Massive shout-out to Sebastian Korfmann who has done an incredible amount of work getting the conference to such a great place, super impressive. During the conference I did some longer video interviews with some of the people in the community, those videos will be released in the coming weeks. The main takeaway for me from the conference was to see the amount of positive energy and enthusiasm in the community. People are aware that they are contributing to a space that has massive potential and is undergoing rapid changes. I’m excited to see more conferences for ATProto, and meet more people from the community in real life, as it has been super great to meet the people at Ahoy!.
Turtleisland.social is a Mastodon server for the North American Native/Indigenous community. They have set up their own PDS server for community members to join Bluesky as well. Community-centered data hosting is one of the possibilities with the PDS system of Bluesky that is mentioned regularly as an option, but has not been borne out much yet. Two other communities are in the process of building out a similar structure: Blacksky is creating their own PDS software for the Black community, and Northsky is building out systems that allow people to easily migrate their ATProto account to a Northsky PDS. It’s worth pointing out here that the early adopters of new technology on social networking are all minority communities. For people building social networks this provides a pragmatic argument (besides the much more important ethical argument) for creating safe digital spaces: the people for whom safety is the most crucial are also the most likely to be early adopters of new technologies.
Not all early adoption is by minority communities: Gander.social is a newly announced social network on ATProto, focusing on the Canadian community. Gander has a lot of plans for features that make it stand out from the Bluesky app. The project is still in development, and it seems once the project gets closer to launch it will become clearer what the ATProto integration will actually entail.
Bluesky has made some changes to their PDS, allowing people to sign up directly for an ATProto account on a PDS without going through the Bluesky app. Link aggregator platform Frontpage is one of the first to take advantage of this, allowing account creation on the Frontpage platform now.
Bluesky PBC is joining Lexicon Community Technical Steering Committee. Bluesky Engineer Bryan Newbold will be the representative. It signals a growing maturity of the ecosystem, that an effort run by the ATProto developer community can come to a place where Bluesky joins the initiative on an equal footing.
Openvibe is a multi-network client that combines someones Mastodon, Bluesky, Nostr and Threads accounts into a single app. Their latest update is an customisable For You algorithmic timeline, which combines posts from multiple networks into a unified algorithmic timeline.
Newsletter publishing platform Ghost now has a simple setting to share posts on Bluesky, via the ActivityPub bridge. This was already possible with Bridgy Fed, but that required some manual steps, where it is now a simple toggle setting.
The Links
For the protocol-minded people:
A proposal for private images (not posts!) on ATProto.
Proposal: A Simple XRPC Method for Signing Payloads in ATProtocol
News from Bluesky takes the most popular links on the network and displays them in an interface more like Hacker News.
Bluesky video client Skylight is working on a dislike feature so people can further fine tune their algorithm.
An example of how inauthentic accounts use Starter Packs to quickly build a following and integrate themselves into the network.
That’s all for this week, thanks for reading! If you want more analysis, you can subscribe to my newsletter. Every week you get an update with all this week’s articles, as well as extra analysis not published anywhere else. You can subscribe below, and follow this blog @fediversereport.com and my personal account @laurenshof.online on Bluesky.
bsky.app login screen at the top right showing account creation changed to turtleis.land Our Bluesky Personal Data Server joins our Mastodon server for a more complete Native/Indigenous social media experience The Bluesky Native community is much lar…
si parla di "metalli rari" e "terre rare" come se fosse la stessa cosa. sono basita. spero che zelensky abbia scritto terre rare, così sarà vincolato a non dare un bel niente a trump. forse trump dovrebbe leggere la tabella periodica degli elementi... e tanti italiani anche.
Uovo è più di un coworking convenzionale: è lo spazio ideale per la presentazione di libri, lezioni, workshop, incontri, servizi fotografici e molto altro.
L'immagine presenta un'atmosfera misteriosa e urbana, con un focus su oggetti che suggeriscono un gioco di ruolo o un'esperienza di gioco. Al centro, in caratteri rossi e bianchi, si legge "SODOMA 2" con la sottotitolo "URBAN GAME" in rosso. Sotto il titolo, si intravede una mano guantata di nero, posata su un foglio di carta beige, con un bastone di legno e un oggetto bianco curvo accanto. In alto a destra, un bicchiere con cubetti di ghiaccio aggiunge un tocco di eleganza. Lo sfondo è scuro e grigio, con un effetto di texture che contribuisce all'atmosfera enigmatica.
Fornito da @altbot, generato localmente e privatamente utilizzando Ovis2-8B
Brain-to-speech interfaces have been promising to help paralyzed individuals communicate for years. Unfortunately, many systems have had significant latency that has left them lacking somewhat in the practicality stakes.
A team of researchers across UC Berkeley and UC San Francisco has been working on the problem and made significant strides forward in capability. A new system developed by the team offers near-real-time speech—capturing brain signals and synthesizing intelligible audio faster than ever before.
New Capability
The aim of the work was to create more naturalistic speech using a brain implant and voice synthesizer. While this technology has been pursued previously, it faced serious issues around latency, with delays of around eight seconds to decode signals and produce an audible sentence. New techniques had to be developed to try and speed up the process to slash the delay between a user trying to “speak” and the hardware outputting the synthesized voice.
The implant developed by researchers is used to sample data from the speech sensorimotor cortex of the brain—the area that controls the mechanical hardware that makes speech: the face, vocal chords, and all the other associated body parts that help us vocalize. The implant captures signals via an electrode array surgically implanted into the brain itself. The data captured by the implant is then passed to an AI model which figures out how to turn that signal into the right audio output to create speech. “We are essentially intercepting signals where the thought is translated into articulation and in the middle of that motor control,” said Cheol Jun Cho, a Ph.D student at UC Berkeley. “So what we’re decoding is after a thought has happened, after we’ve decided what to say, after we’ve decided what words to use, and how to move our vocal-tract muscles.”
The AI model had to be trained to perform this role. This was achieved by having a subject, Ann, look at prompts and attempting to “speak ” the phrases. Ann has suffered from paralysis after a stroke which left her unable to speak. However, when she attempts to speak, relevant regions in her brain still lit up with activity, and sampling this enabled the AI to correlate certain brain activity to intended speech. Unfortunately, since Ann could no longer vocalize herself, there was no target audio for the AI to correlate the brain data with. Instead, researchers used a text-to-speech system to generate simulated target audio for the AI to match with the brain data during training. “We also used Ann’s pre-injury voice, so when we decode the output, it sounds more like her,” explains Cho. A recording of Ann speaking at her wedding provided source material to help personalize the speech synthesis to sound more like her original speaking voice.
To measure performance of the new system, the team compared the time it took the system to generate speech to the first indications of speech intent in Ann’s brain signals. “We can see relative to that intent signal, within one second, we are getting the first sound out,” said Gopala Anumanchipalli, one of the researchers involved in the study. “And the device can continuously decode speech, so Ann can keep speaking without interruption.” Crucially, too, this speedier method didn’t compromise accuracy—in this regard, it decoded just as well as previous slower systems. Pictured is Ann using the system to speak in near-real-time. The system also features a video avatar. Credit: UC Berkeley The decoding system works in a continuous fashion—rather than waiting for a whole sentence, it processes in small 80-millisecond chunks and synthesizes on the fly. The algorithms used to decode the signals were not dissimilar from those used by smart assistants like Siri and Alexa, Anumanchipalli explains. “Using a similar type of algorithm, we found that we could decode neural data and, for the first time, enable near-synchronous voice streaming,” he says. “The result is more naturalistic, fluent speech synthesis.”
It was also key to determine whether the AI model
was genuinely communicating what Ann was trying to say. To investigate this, Ann was qsked to try and vocalize words outside the original training data set—things like the NATO phonetic alphabet, for example. “We wanted to see if we could generalize to the unseen words and really decode Ann’s patterns of speaking,” said Anumanchipalli. “We found that our model does this well, which shows that it is indeed learning the building blocks of sound or voice.”
For now, this is still groundbreaking research—it’s at the cutting edge of machine learning and brain-computer interfaces. Indeed, it’s the former that seems to be making a huge difference to the latter, with neural networks seemingly the perfect solution for decoding the minute details of what’s happening with our brainwaves. Still, it shows us just what could be possible down the line as the distance between us and our computers continues to get ever smaller.
Featured image: A researcher connects the brain implant to the supporting hardware of the voice synthesis system. Credit: UC Berkeley
Chatbot Arena is the most popular AI benchmarking tool, but new research says its scores are misleading and benefit a handful of the biggest companies.#News
The image features a cartoon character standing on a sidewalk in front of a red brick wall. The character has a bald head with a few strands of brown hair on the sides, wears black-rimmed glasses, and a blue and black striped shirt. He is holding a microphone in his right hand and giving a thumbs-up with his left hand. His facial expression is cheerful, with a wide smile showing his teeth. To the right of the character, there is a black spider hanging from a web. The background includes green grass on either side of the sidewalk. The overall style of the image is simple and cartoonish, with bold outlines and flat colors.
Provided by @altbot, generated privately and locally using Ovis2-8B
Rear-view mirrors are important safety tools, but [Mike Kelly] observed that cyclists (himself included) faced hurdles to using them effectively. His solution? A helmet-mounted dual-mirror system he’s calling the Mantis Mirror that looks eminently DIY-able to any motivated hacker who enjoys cycling. One mirror for upright body positions, the other for lower positions. Carefully placed mirrors eliminate blind spots, but a cyclist’s position changes depending on how they are riding and this means mirrors aren’t a simple solution. Mirrors that are aligned just right when one is upright become useless once a cyclist bends down. On top of that, road vibrations have a habit of knocking even the most tightly-cinched mirror out of alignment.
[Mike]’s solution was to attach two small mirrors on a short extension, anchored to a cyclist’s helmet. The bottom mirror provides a solid rear view from an upright position, and the top mirror lets one see backward when in low positions.
[Mike] was delighted with his results, and got enough interest from others that he’s considering a crowdfunding campaign to turn it into a product. In the meantime, we’d love to hear about it if you decide to tinker up your own version.
You can learn all about the Mantis Mirror in the video below, and if you want to see the device itself a bit clearer, you can see that in some local news coverage.
"Medvedev, Trump ha finalmente costretto Kiev a pagare aiuti" non sia giammai che un paese aggredito venga aiutato semplicemente perché la vittima... i russi soni proprio degli "idealisti".
fra l'altro per certi versi la storia ucraina ricorda molto quella italiana. con popoli stranieri che hanno sempre cercato di soggiogarci. chissà se in caso di successo gli ucraini chiameranno questa una "guerra di indipendenza"
a chi non ha dubbi sulla reale alleanza della russia durante la seconda guerra mondiale, basta ricordare che quella che noi la chiamiamo "guerra di liberazione", viene chiamata invece da chi non sa che farsene della libertà come "guerra patriottica"...
Il Regno Unito ha inaugurato a Southampton il primo impianto europeo per la produzione di semiconduttori su scala industriale basati su fotonica del silicio. La notizia arriva nel pieno del riavvicinamento tra Londra e Bruxelles (che dovrebbe essere
Dal #MIM un augurio speciale di buon #1maggio a tutto il personale della scuola, a chi ogni giorno sostiene la crescita e la formazione di studentesse e studenti con passione e impegno.
Dal #MIM un augurio speciale di buon #1maggio a tutto il personale della scuola, a chi ogni giorno sostiene la crescita e la formazione di studentesse e studenti con passione e impegno.
One might be tempted to think that re-creating a film robot from the 1950s would be easy given all the tools and technology available to the modern hobbyist, but as [Mike Ogrinz]’s quest to re-create Robby the Robot shows us, there is a lot moving around inside that domed head, and requires careful and clever work. The “dome gyros” are just one of the complex assemblies, improved over the original design with the addition of things like bearings. Just as one example, topping Robby’s head is a mechanical assembly known as the dome gyros. It looks simple, but as the video (embedded below) shows, re-creating it involves a load of moving parts and looks like a fantastic amount of work has gone into it. At least bearings are inexpensive and common nowadays, and not having to meet film deadlines also means one can afford to design things in a way that allows for easier disassembly and maintenance.
Robby the Robot first appeared in the 1956 film Forbidden Planet and went on to appear in other movies and television programs. Robby went up for auction in 2017 and luckily [Mike] was able to take tons of reference photos. Combined with other enthusiasts’ efforts, his replica is shaping up nicely.
We’ve seen [Mike]’s work before when he shared his radioactive Night Blossoms which will glow for decades to come. His work on Robby looks amazing, and we can’t wait to see how it progresses.
@Informatica (Italy e non Italy 😁) È stata identificata un’astuta campagna di phishing che sta prendendo di mira gli utenti di WooCommerce, il popolare plugin di e-commerce per WordPress. L’esca si presenta come un avviso ufficiale di sicurezza, ma nasconde una backdoor
Quinto appuntamento dell’edizione 2025 della Scuola di Liberalismo di Messina, promossa dalla Fondazione Luigi Einaudi ed organizzata in collaborazione con l’Università degli Studi di Messina e la Fondazione
La società di sicurezza informatica SentinelOne ha pubblicato un rapporto sui tentativi degli aggressori di accedere ai suoi sistemi. Una violazione di un’organizzazione del genere aprirebbe le porte agli hacker, che potrebbero accedere a migliaia di infrastrutture riservate di tutto il mondo.
“Non ci limitiamo a studiare gli attacchi: li affrontiamo faccia a faccia. I nostri esperti affrontano le stesse minacce che dicono agli altri di contrastare. È questa esperienza plasma il nostro pensiero e il nostro approccio al lavoro”, si legge nel documento.
Sebbene per i fornitori di sicurezza informatica sia tabù discutere degli attacchi informatici contro di loro, una pressione costante sui sistemi di sicurezza aiuta a migliorare i meccanismi di difesa. Negli ultimi mesi gli esperti dell’azienda hanno respinto un’ampia gamma di attacchi: dalle azioni di gruppi criminali finalizzate al guadagno economico a complesse operazioni pianificate dai servizi segreti di vari Paesi.
La campagna più vasta e sofisticata è stata organizzata da specialisti nordcoreani. I ricercatori hanno scoperto una rete di specialisti informatici nordcoreani che operano sotto copertura. Gli aggressori hanno creato circa 360 identità virtuali accuratamente realizzate, ciascuna dotata di una storia professionale, un portfolio e referenze convincenti. Sono state presentate oltre mille candidature per diverse posizioni tecniche in azienda da parte di specialisti inesistenti. In un caso, gli agenti hanno addirittura cercato di ottenere un impiego nel dipartimento di intelligence informatica, la stessa unità che all’epoca si occupava di identificare e analizzare le loro attività. Un’altra grave minaccia proviene dagli hacker che agiscono per conto del governo cinese. Il gruppo ShadowPad ha attaccato la catena di fornitura compromettendo un partner logistico responsabile della gestione dell’hardware. Da luglio 2024 a marzo 2025, i criminali informatici che hanno utilizzato il malwareScatterBrain si sono infiltrati nei sistemi di oltre 70 organizzazioni in tutto il mondo. Tra le persone colpite figurano aziende industriali, agenzie governative, istituti finanziari, società di telecomunicazioni e centri di ricerca.
La terza grande minaccia è, come sempre, il ransomware. I membri della banda Nitrogen utilizzano un trucco interessante: trovano aziende rivenditori con una procedura di verifica dei clienti semplificata e, utilizzando metodi di ingegneria sociale, acquistano da loro licenze ufficiali. L’obiettivo finale è penetrare nelle piattaforme di sicurezza informatica, tra cui il sistema EDR di SentinelOne. Una volta ottenuto l’accesso, studiano sistematicamente i meccanismi di sicurezza, cercano modi per disattivarli e sviluppano metodi per aggirare i sistemi di rilevamento delle intrusioni.
Parallelamente a Nitrogen, è diventato attivo il gruppo di hacker Black Basta, che ha scelto una tattica diversa. I suoi membri testano metodicamente l’efficacia dei loro strumenti dannosi rispetto alle principali soluzioni di sicurezza. Gli aggressori hanno preso di mira i sistemi di diversi importanti sviluppatori: CrowdStrike, Carbon Black, Palo Alto Networks e SentinelOne. Documentano attentamente i risultati di ogni attacco con prove, perfezionando le loro tecniche di penetrazione.
Sui forum degli hacker compaiono regolarmente annunci pubblicitari per la vendita di accessi temporanei o permanenti alle console di gestione dei sistemi di sicurezza.
Si potrebbe dire che la recente serie di attacchi ha costretto il team SentinelOne a riconsiderare la propria strategia di difesa. Gli ingegneri hanno implementato meccanismi di sicurezza aggiuntivi e creato meccanismi più sofisticati per monitorare l’intera infrastruttura. Particolare attenzione viene ora rivolta non solo al rafforzamento delle loro risorse, ma anche al controllo approfondito di tutte le organizzazioni partner che hanno accesso a dati critici.
Vintage hi-fi gear has a look and feel all its own. [ThunderOwl] happened to be playing in this space, turning a heavily-modified Technics stereo stack into an awesome neo-retro PC case. Meet the “TechnicsPC!” This is good. We like this. You have to hunt across BlueSky for the goodies, but it’s well worth it. The main build concerned throwing a PC into an old Technics receiver, along with a pair of LCD displays and a bunch of buttons for control. If the big screens weren’t enough of a tell that you’re looking at an anachronism, the USB ports just below the power switch will tip you off. A later addition saw a former Technics tuner module stripped out and refitted with card readers and a DVD/CD drive. Perhaps the most era-appropriate addition, though, is the scrolling LED display on top. Stuffed inside another tuner module, it’s a super 90s touch that somehow just works.
These days, off-the-shelf computers are so fancy and glowy that DIY casemodding has fallen away from the public consciousness. And yet, every so often, we see a magnificent build like this one that reminds us just how creative modders can really be. Video after the break.
“Live test”. All more or less as planned, as “cons” – it does not interrupt ongoing scroll cycle with new stuff, it puts new content info with next cycle, so, kinda “info delays”:
Negli ultimi anni, la nostra quotidianità è stata invasa da piccoli quadrati pixelati capaci di portarci in un lampo su siti web, attivare applicazioni, aprire contenuti multimediali o avviare pagamenti digitali. I QR-code, acronimo di “Quick Response”, sono diventati il ponte tra il mondo fisico e quello digitale. Tuttavia, questo ponte – spesso considerato innocuo – può trasformarsi in un cavallo di Troia perfettamente mimetizzato, se sfruttato con competenza da un attaccante.
Un messaggio divulgato di recente nel canale Telegram “Social Engineering – Делаем уникальные знания доступными” (tradotto: “Social Engineering – Rendiamo le conoscenze uniche accessibili”) ci offre un’interessante retrospettiva su casi storici e reali in cui proprio il QR-code è stato impiegato come vettore di attacco. Analizziamoli con spirito critico e rigore tecnico.
L’attacco alle Google Glass (2013): l’occhio digitale diventa un bersaglio
Nel maggio 2013, i ricercatori di Lookout Mobile Security scoprirono una vulnerabilità sorprendente: le Google Glass (all’epoca un prodotto innovativo in fase sperimentale) erano progettate per “osservare” automaticamente le immagini potenzialmente utili all’utente. Questa funzione, sfruttata attraverso un QR-code appositamente craftato, consentiva di prendere controllo remoto del dispositivo.
La vulnerabilità fu corretta da Google in poche settimane, ma resta un campanello d’allarme: anche le interfacce “non convenzionali”, come gli smartglass, possono diventare preda di exploit visivi. Se la patch non fosse arrivata in tempo, un attacco in-the-wild avrebbe potuto compromettere dati sensibili, audio, video e localizzazioni dell’utente — tutto a sua insaputa.
ZXing Barcode Scanner (2014): quando un’espressione regolare non basta
Il secondo caso riguarda ZXing Barcode Scanner, un’app open source molto diffusa tra il 2013 e il 2015. Questa applicazione, pur tentando di filtrare contenuti sospetti tramite regex, non discriminava efficacemente i contenuti URI malformati o pericolosi, lasciando passare exploit veicolati via JavaScript.
Un esempio riportato nel messaggio mostra come un codice del tipo:
javascript;alert(“You have won 1000 dollars! Just Click The Open Browser Button”);
venisse bloccato dal filtro. Tuttavia, con lievi modifiche sintattiche, il payload riusciva comunque a superare il controllo, venendo riconosciuto come URI “valido” e aprendo il browser con esecuzione implicita del codice.
Questo scenario rientra pienamente nella categoria dei code injection visuali, in cui l’utente è indotto ad attivare personalmente un codice malevolo, con un click che sembra innocuo ma innesca un comportamento pericoloso.
L’attacco USSD ai Samsung (2012): QR e factory reset in un solo colpo
Nel 2012, il ricercatore Ravishankar Borgaonkar dimostrò come un semplice QR-code potesse contenere un comando USSD nascosto, capace di eseguire un factory reset su alcuni dispositivi Samsung.
Il codice tel:*2767*3855#, se interpretato come un link telefonico, causava un reset totale del dispositivo, cancellando dati, configurazioni e applicazioni. A oggi, questo rappresenta uno dei più eclatanti esempi di come un codice apparentemente inerte possa contenere una bomba logica, sfruttando meccanismi legittimi del sistema operativo.
L’utente curioso: l’anello debole della catena
Infine, il messaggio chiude con un’osservazione tanto banale quanto cruciale: la vera vulnerabilità è l’essere umano. L’utente medio, di fronte a un QR-code sconosciuto, tende a scansionarlo per pura curiosità, dimenticando ogni principio basilare di sicurezza informatica. Studi citati nel testo confermano che, in ambienti controllati, la maggior parte dei soggetti ignari esegue la scansione senza porsi domande.
Questa dinamica rientra nel classico campo del social engineering visivo, dove l’attaccante non forza il sistema, ma manipola il comportamento dell’utente per ottenere un’esecuzione volontaria del codice.
Conclusioni: educazione digitale e threat modeling anche per i QR-code
I casi riportati nel canale Telegram non sono frutto di fantascienza o ipotesi teoriche. Sono incidenti reali, documentati, verificati e – in alcuni casi – ancora oggi possibili, seppur mitigati da patch successive.
Ci ricordano che ogni tecnologia, anche la più banale, può essere arma a doppio taglio, soprattutto quando coinvolge l’interazione tra mondo fisico e digitale.
E allora cosa possiamo fare?
Formare gli utenti a non scansionare QR-code da fonti sconosciute o non verificate.
Utilizzare app di lettura QR con sandboxing, logging e avvisi su contenuti potenzialmente pericolosi.
Integrare l’analisi dei QR-code nei processi di threat intelligence aziendale, soprattutto nei contesti BYOD.
Valutare il QR-code come vettore di attacco nel proprio threat model, specialmente in ambiti pubblici (es. aeroporti, eventi, marketing).
Il QR-code, oggi, è diventato uno strumento trasversale e pervasivo. E proprio per questo, va trattato come ogni altro componente della superficie di attacco: con attenzione, consapevolezza e competenze tecniche.
1° Maggio, un giorno per onorare chi lavora, chi lotta per farlo in modo dignitoso e chi, troppo spesso, perde la vita mentre svolge la propria mansione.
Nel 2025, l’Italia continua a piangere ogni anno centinaia di morti sul lavoro. Una ferita profonda che ci ricorda quanto la sicurezza debba essere al centro di ogni politica, di ogni impresa, di ogni processo produttivo.
Difendere il lavoro e i lavoratori nel 2025 significa proteggerli ovunque: sul campo e nel digitale. È per questo che Il 1° Maggio deve essere anche un’occasione per riflettere sulla sicurezza informatica. Oggi il lavoro non è più solo fisico, è anche e sempre più digitale.
Accanto alla sicurezza nei cantieri, nelle fabbriche, sui mezzi e negli ospedali, dobbiamo iniziare a parlare anche di sicurezza nei sistemi, nei dati, nei processi connessi.
Il lavoro è cambiato. Le minacce anche.
Smart working, cloud, strumenti di collaborazione online, home banking, piattaforme SaaS, la digitalizzazione ha migliorato la produttività, ma ha anche aperto nuove porte a minacce invisibili.
Un attacco informatico oggi può:
bloccare un ospedale, rallentando cure salvavita
paralizzare un comune, impedendo servizi ai cittadini
sabotare un’azienda, lasciando fermi lavoratori e commesse
rubare dati, identità, brevetti: il frutto del lavoro di interi team
e spesso, tutto questo, accade in silenzio, senza clamore. Ma con danni enormi.
La sicurezza è una sola e, fisica o digitale, va garantita ovunque. Sbaglieremmo a contrapporre i due mondi. La sicurezza deve essere una cultura trasversale, concreta, quotidiana.
Così come si lavora (ancora troppo poco) per diminuire le morti e gli incidenti nei luoghi fisici di lavoro bisogna impegnarsi per:
formare lavoratori e dirigenti sui rischi informatici
investire in sistemi sicuri, aggiornati, resilienti
adottare comportamenti consapevoli, dal clic all’allegato alla password al Wi-Fi.
Ogni errore digitale può compromettere un’intera filiera produttiva. Ogni attacco può essere l’inizio di una crisi, economica e umana. Quando un attacco informatico colpisce, il lavoro si ferma
Un ransomware può bloccare la produzione di un’azienda, costringendo interi reparti a fermarsi
Una violazione dei dati può compromettere la fiducia dei clienti e mettere a rischio mesi di lavoro commerciale
Un attacco ai sistemi comunali può sospendere servizi essenziali come l’anagrafe, i pagamenti elettronici o l’assistenza sociale
Oggi un attacco informatico può danneggiare il lavoro come e più di un sabotaggio fisico.
Celebrare il 1° Maggio significa mettere al centro il diritto a un lavoro sicuro e dignitoso. Davvero. Dignità significa non morire mentre si lavora ma significa anche non essere esposti a rischi evitabili, solo perché nessuno ha formato, insegnato, protetto e/o vigilato.
Il futuro del lavoro sarà sempre più digitale e non possiamo permettere che sia un futuro fragile. È tempo che imprese, istituzioni e lavoratori affrontino questi temi non come un obbligo ma come un’opportunità per garantire un futuro professionale più stabile, resiliente e consapevole.
Radiation-induced volumetric expansion (RIVE) is a concern for any concrete structures that are exposed to neutron flux and other types of radiation that affect crystalline structures within the aggregate. For research facilities and (commercial) nuclear reactors, RIVE is generally considered to be one of the factors that sets a limit on the lifespan of these structures through the cracking that occurs as for example quartz within the concrete undergoes temporary amorphization with a corresponding volume increase. The significance of RIVE within the context of a nuclear power plant is however still poorly studied.
A recent study by [Ippei Maruyama] et al. as published in the Journal of Nuclear Materials placed material samples in the LVR-15 research reactor in the Czech Republic to expose them to an equivalent neutron flux. What their results show is that at the neutron flux levels that are expected at the biological shield of a nuclear power plant, the healing effect from recrystallization is highly likely to outweigh the damaging effects of amorphization, ergo preventing RIVE damage.
This study follows earlier research on the topic at the University of Tokyo by [Kenta Murakami] et al., as well as by Chinese researchers, as in e.g. [Weiping Zhang] et al. in Nuclear Engineering and Technology. [Murayama] et al. recommend that for validation of these findings concrete samples from decommissioned nuclear plants are to be examined for signs of RIVE.
Heading image: SEM-EDS images of the pristine (left) and the irradiated (right) MC sample. (Credit: I. Murayama et al, 2022)
Typewriters aren’t really made anymore in any major quantity, since the computer kind of rained all over its inky parade. That’s not to say you can’t build one yourself though, as [Toast] did in a very creative fashion.
After being inspired by so many typewriters on YouTube, [Toast] decided they simply had to 3D print one of their own design. They decided to go in a unique direction, eschewing ink ribbons for carbon paper as the source of ink. To create a functional typewriter, they had to develop a typebar mechanism to imprint the paper, as well as a mechanism to move the paper along during typing. The weird thing is the letter selection—the typewriter doesn’t have a traditional keyboard at all. Instead, you select the letter of your choice from a rotary wheel, and then press the key vertically down into the paper. The reasoning isn’t obvious from the outset, but [Toast] explains why this came about after originally hitting a brick wall with a more traditional design.
If you’ve ever wanted to build a typewriter of your own, [Toast]’s example shows that you can have a lot of fun just by having a go and seeing where you end up. We’ve seen some other neat typewriter hacks over the years, too. Video after the break.
Most of us learned to design circuits with schematics. But if you get to a certain level of complexity, schematics are a pain. Modern designers — especially for digital circuits — prefer to use some kind of hardware description language.
There are a few options to do similar things with PCB layout, including tscircuit. There’s a walk-through for using it to create an LED matrix and you can even try it out online, if you like. If you’re more of a visual learner, there’s also an introductory video you can watch below.
The example project imports a Pico microcontroller and some smart LEDs. They do appear graphically, but you don’t have to deal with them graphically. You write “code” to manage the connections. For example: <trace from={".LED1 .GND"} to="net.GND" />
If that looks like HTML to you, you aren’t wrong. Once you have the schematic, you can do the same kind of thing to lay out the PCB using footprints. If you want to play with the actual design, you can load it in your browser and make changes. You’ll note that at the top right, there are buttons that let you view the schematic, the board, a 3D render of the board, a BOM, an assembly drawing, and several other types of output.
Will we use this? We don’t know. Years ago, designers resisted using HDLs for FPGAs, but the bigger FPGAs get, the fewer people want to deal with page after page of schematics. Maybe a better question is: Will you use this? Let us know in the comments.
This isn’t a new idea, of course. Time will tell which HDLs will survive and which will whither.
This week, Jonathan Bennett and Dan Lynch chat with Peter van Dijk about PowerDNS! Is the problem always DNS? How did PowerDNS start? And just how big can PowerDNS scale? Watch to find out!
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
Altbot
in reply to 𝓘𝓰𝓸𝓻 🏴☠️ 🏳️🌈 🇮🇹 • • •L'immagine presenta un'atmosfera misteriosa e urbana, con un focus su oggetti che suggeriscono un gioco di ruolo o un'esperienza di gioco. Al centro, in caratteri rossi e bianchi, si legge "SODOMA 2" con la sottotitolo "URBAN GAME" in rosso. Sotto il titolo, si intravede una mano guantata di nero, posata su un foglio di carta beige, con un bastone di legno e un oggetto bianco curvo accanto. In alto a destra, un bicchiere con cubetti di ghiaccio aggiunge un tocco di eleganza. Lo sfondo è scuro e grigio, con un effetto di texture che contribuisce all'atmosfera enigmatica.
Fornito da @altbot, generato localmente e privatamente utilizzando Ovis2-8B
🌱 Energia utilizzata: 0.238 Wh