Who else remembers Spirograph? When making elaborate spiral doodles, did you ever wish for a much, much bigger version? [Fortress Fine Woodworks] had that thought, and “slapped a router onto it” to create a gorgeous walnut table.
This printed sanding block was a nice touch.
The video covers not only 3D printing the giant Spirograph, which is the part most of us can easily relate to, but all the woodworking magic that goes into creating a large hardwood table. Assembling the table out of choice lumber from the “rustic” pile is an obvious money-saving move, but there were a lot of other trips and tricks in this video that we were happy to learn from a pro. The 3D printed sanding block he designed was a particularly nice detail; it’s hard to imagine getting all those grooves smoothed out without it.

Certainly this pattern could have been carved with a CNC machine, but there is a certain old school charm in seeing it done (more or less) by hand with the Spirograph jig. [Fortress Fine Woodworks] would have missed out on quite the workout if he’d been using a CNC machine, too, which may or may not be a plus to this method depending on your perspective. Regardless, the finished product is a work of art and worth checking out in the video below.

Oddly enough, this isn’t the first time we’ve seen someone use a Spirograph to mill things. It’s not the first giant-scale Spirograph we’ve highlighted, either. To our knowledge, it’s the first time someone has combined them with an artful walnut table.

youtube.com/embed/zW5nZ0Hp95k?…

hackaday.com/2025/05/02/3d-pri…

Most of us have some dream project or three that we’d love to make a reality. We bring it up all the time with friends, muse on it at work, and research it during our downtime. But that’s just talk—and it doesn’t actually get the project done!

At the 2024 Hackaday Supercon, Sarah Vollmer made it clear—her presentation is about turning talk into action. It’s about how to overcome all the hurdles that get in the way of achieving your grand project, so you can actually make it a reality. It might sound like a self-help book—and it kind of is—but it’s rooted in the experience of a bonafide maker who’s been there and done that a few times over.

youtube.com/embed/lOWqkVV9P1M?…

At the outset, Sarah advises us on the value of friends when you’re pursuing a project. At once, they might be your greatest cheerleaders, or full of good ideas. In her case, she also cites several of her contacts in the broader community that have helped her along the way—with a particular shoutout to Randy Glenn, who also gave us a great Supercon talk last year on the value of the CAN bus. At the same time, your friends might—with good intentions—lead you in the wrong direction, with help or suggestions that could derail your project. Her advice is to take what’s useful, and politely sidestep or decline what won’t help your project.

Next, Sarah highlights the importance of watching out for foes. “Every dream has your dream crushers,” says Sarah. “It could be you, it could be the things that are being told to you.” Excessive criticism can be crushing, sapping you of the momentum you need to get started. She also relates it to her own experience, where her project faced a major hurdle—the tedious procurement process of a larger organization, and the skepticism around whether she could overcome it. Whatever threatens the progress of your project could be seen as a foe—but the key is knowing what is threatening your project.
Sarah’s talk is rooted in her personal experiences across her haptics work and other projects.
The third step Sarah recommends? Finding a way to set goals amidst the chaos. Your initial goals might be messy or vague, but often the end gets clearer as you start moving. “Be clear about what you’re doing so you can keep your eye on the prize,” says Sarah. “No matter what gets in your way, as long as you’re clear about what you’re doing, you can get there.” She talks about how she started with a simple haptics project some years ago. Over the years, she kept iterating and building on what she was trying to do with it, with a clear goal, and made great progress in turn.

Once you’re project is in motion, too, it’s important not to let it get killed by criticism. Cries of “Impossible!” might be hard to ignore, but often, Sarah notes, these brick walls are really problems you create actions items to solve. She also notes the value of using whatever you can to progress towards your goals. She talks about how she was able to parlay a Hackaday article on her work (and her previous 2019 Supercon talk) to help her gain access to an accelerator program to help her start her nascent lab supply business.

youtube.com/embed/aRkfiQZNx3I?…

Sarah’s previous Hackaday Supercon appearance helped open doors for her work in haptics.

Anyone who has ever worked in a corporate environment will also appreciate Sarah’s advice to avoid the lure of endless planning, which can derail even the best planned project. “Once upon a time I went to meetings, those meetings became meetings about meetings,” she says. “Those meetings about meetings became about planning, they went on for four hours on a Friday, [and] I just stopped going,” Her ultimate dot point? “We don’t talk, talk is cheap, but too much talk is bankrupting.”

“When all else fails, laugh and keep going,” Sarah advises. She provides an example of a 24/7 art installation she worked on that was running across multiple physical spaces spread across the globe. “During the exhibit, China got in a fight with Google,” she says. This derailed plans to use certain cloud buckets to run things, but with good humor and the right attitude, the team were able to persevere and work around what could have been a disaster.

Overall, this talk is a rapid fire crash course in how she pushed her projects on through challenges and hurdles and came out on top. Just beware—if you’re offended by the use of AI art, this one might not be for you. Sarah talks fast and covers a lot of ground in her talk, but if you can keep up and follow along there’s a few kernels of wisdom in there that you might like to take forward.

hackaday.com/2025/05/02/superc…

It’s the podcast so nice we recorded it twice! Despite some technical difficulties (note to self: press the record button significantly before recording the outro), Elliot and Dan were able to soldier through our rundown of the week’s top hacks. We kicked things off with a roundup of virtual keyboards for the alternate reality crowd, which begged the question of why you’d even need such a thing. We also looked at a couple of cool demoscene-adjacent projects, such as the ultimate in oscilloscope music and a hybrid knob/jack for eurorack synth modules. We also dialed the Wayback Machine into antiquity to take a look at Clickspring’s take on the origins of precision machining; spoiler alert — you can make gas-tight concentric brass tubing using a bow-driven lathe. There’s a squishy pneumatic robot gripper, an MQTT-enabled random number generator, a feline-friendly digital stethoscope, and a typewriter that’ll make you Dymo label maker jealous. We’ll also mourn the demise of electronics magazines and ponder how your favorite website fills that gap, and learn why it’s really hard to keep open-source software lean and clean. Short answer: because it’s made by people.

html5-player.libsyn.com/embed/…
Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Download the zero-calorie MP3.

Episode 319 Show Notes:

News:

• There’s A Venusian Spacecraft Coming Our Way
• You Wouldn’t Steal A Font…
• Sigrok Website Down After Hosting Data Loss

What’s that Sound?

• Fill out this form for your chance to win!

Interesting Hacks of the Week:

• Weird And Wonderful VR/MR Text Entry Methods, All In One Place
  
  • Just a moment…

  
  

• Clickspring’s Experimental Archaeology: Concentric Thin-Walled Tubing
• Amazing Oscilloscope Demo Scores The Win At Revision 2025
  
  • osci-render
  • Tripping On Oscilloshrooms With An Analog Scope
  • Crossing Commodore Signal Cables On Purpose

  
  

• Look! It’s A Knob! It’s A Jack! It’s Euroknob!
• Robot Gets A DIY Pneumatic Gripper Upgrade
  
  • Vastly Improved Servo Control, Now Without Motor Surgery

  
  

• Remembering Heathkit

Quick Hacks:

• Elliot’s Picks
  
  • A New And Weird Kind Of Typewriter
  • Terminal DAW Does It In Style
  • Comparing ‘AI’ For Basic Plant Care With Human Brown Thumbs

  
  

• Dan’s Picks:
  
  • Quantum Random Number Generator Squirts Out Numbers Via MQTT
  • Onkyo Receiver Saved With An ESP32
  • Quick And Easy Digital Stethoscope Keeps Tabs On Cat

  
  

Can’t-Miss Articles:

• Libogc Allegations Rock Wii Homebrew Community
• The DIY 1982 Picture Phone

hackaday.com/2025/05/02/hackad…

While the COVID-19 pandemic wasn’t an experience anyone wants to repeat, infections disease experts like [Dr. Pardis Sabeti] are looking at what we can do to prepare for the next one.

While the next pandemic could potentially be anything, there are a few high profile candidates, and bird flu (H5N1) is at the top of the list. With birds all over the world carrying the infection and the prevalence in poultry and now dairy agriculture operations, the possibility for cross-species infection is higher than for most other diseases out there, particularly anything with an up to 60% fatality rate. Only one of the 70 people in the US who have contracted H5N1 recently have died, and exposures have been mostly in dairy and poultry workers. Scientists have yet to determine why cases in the US have been less severe.

To prevent an H5N1 pandemic before it reaches the level of COVID and ensure its reach is limited like earlier bird and swine flu variants, contact tracing of humans and cattle as well as offering existing H5N1 vaccines to vulnerable populations like those poultry and dairy workers would be a good first line of defense. So far, it doesn’t seem transmissible human-to-human, but more and more cases increase the likelihood it could gain this mutation. Keeping current cases from increasing, improving our science outreach, and continuing to fund scientists working on this disease are our best bets to keep it from taking off like a meme stock.

Whatever the next pandemic turns out to be, smartwatches could help flatten the curve and surely hackers will rise to the occasion to fill in the gaps where traditional infrastructure fails again.

youtube.com/embed/5CyVi4UzKxE?…

hackaday.com/2025/05/02/prepar…

Renata Morresi:
Dunque, con calma, vagliando ogni sintagma: ieri notte, in acque internazionali, dei #droni da guerra, forse mandati dal governo di #israele , hanno attaccato una nave con #aiutiumanitari diretta verso un luogo dove non c'è più cibo, acqua, elettricità, medicine, ecc., #Gaza . Ripeto: AIUTI UMANITARI - PER GAZA - BOMBARDATI - DA DRONI - IN ACQUE INTERNAZIONALI. Quando apriremo gli occhi su quello che stanno facendo il criminale #Netanyahu & i suoi complici? Per quanto tempo ancora potremo assecondare questo scempio? Potremo dire che non sapevamo? Che non arrivavano immagini o notizie? Che non conoscevamo i #genocidi ? Né i #criminidiguerra ? Come faremo a parlare di umanesimo? Di studiare la storia per non ripeterla? Come faremo a credere ai 'valori cristiani' o 'occidentali'? All'uguaglianza e all'equità? Al progresso e alla civiltà europea? Come faremo a guardarci allo specchio?

#genocidio

This week, Oligo has announced the AirBorne series of vulnerabilities in the Apple Airdrop protocol and SDK. This is a particularly serious set of issues, and notably affects MacOS desktops and laptops, the iOS and iPadOS mobile devices, and many IoT devices that use the Apple SDK to provide AirPlay support. It’s a group of 16 CVEs based on 23 total reported issues, with the ramifications ranging from an authentication bypass, to local file reads, all the way to Remote Code Execution (RCE).

AirPlay is a WiFi based peer-to-peer protocol, used to share or stream media between devices. It uses port 7000, and a custom protocol that has elements of both HTTP and RTSP. This scheme makes heavy use of property lists (“plists”) for transferring serialized information. And as we well know, serialization and data parsing interfaces are great places to look for vulnerabilities. Oligo provides an example, where a plist is expected to contain a dictionary object, but was actually constructed with a simple string. De-serializing that plist results in a malformed dictionary, and attempting to access it will crash the process.

Another demo is using AirPlay to achieve an arbitrary memory write against a MacOS device. Because it’s such a powerful primative, this can be used for zero-click exploitation, though the actual demo uses the music app, and launches with a user click. Prior to the patch, this affected any MacOS device with AirPlay enabled, and set to either “Anyone on the same network” or “Everyone”. Because of the zero-click nature, this could be made into a wormable exploit.

youtube.com/embed/ZmOvRLBL3Ys?…

Apple has released updates for their products for all of the CVEs, but what’s going to really take a long time to clean up is the IoT devices that were build with the vulnerable SDK. It’s likely that many of those devices will never receive updates.

EvilNotify

It’s apparently the week for Apple exploits, because here’s another one, this time from [Guilherme Rambo]. Apple has built multiple systems for doing Inter Process Communications (IPC), but the simplest is the Darwin Notification API. It’s part of the shared code that runs on all of Apple’s OSs, and this IPC has some quirks. Namely, there’s no verification system, and no restrictions on which processes can send or receive messages.

That led our researcher to ask what you may be asking: does this lack of authentication allow for any security violations? Among many novel notifications this technique can spoof, there’s one that’s particularly problematic: The device “restore in progress”. This locks the device, leaving only a reboot option. Annoying, but not a permanent problem.

The really nasty version of this trick is to put the code triggering a “restore in progress” message inside an app’s widget extension. iOS loads those automatically at boot, making for an infuriating bootloop. [Guilherme] reported the problem to Apple, made a very nice $17,500 in the progress. The fix from Apple is a welcome surprise, in that they added an authorization mechanism for sensitive notification endpoints. It’s very likely that there are other ways that this technique could have been abused, so the more comprehensive fix was the way to go.

Jenkins

Continuous Integration is one of the most powerful tools a software project can use to stay on top of code quality. Unfortunately as those CI toolchains get more complicated, they are more likely to be vulnerable, as [John Stawinski] from Praetorian has discovered. This attack chain would target the Node.js repository at Github via an outside pull request, and ends with code execution on the Jenkins host machines.

The trick to pulling this off is to spoof the timestamp on a Pull Request. The Node.js CI uses PR labels to control what CI will do with the incoming request. Tooling automatically adds the “needs-ci” label depending on what files are modified. A maintainer reviews the PR, and approves the CI run. A Jenkins runner will pick up the job, compare that the Git timestamp predated the maintainer’s approval, and then runs the CI job. Git timestamps are trivial to spoof, so it’s possible to load an additional commit to the target PR with a commit timestamp in the past. The runner doesn’t catch the deception, and runs the now-malicious code.

[John] reported the findings, and Node.js maintainers jumped into action right away. The primary fix was to do SHA sum comparisons to validate Jenkins runs, rather than just relying on timestamp. Out of an abundance of caution, the Jenkins runners were re-imaged, and then [John] was invited to try to recreate the exploit. The Node.js blog post has some additional thoughts on this exploit, like pointing out that it’s a Time-of-Check-Time-of-Use (TOCTOU) exploit. We don’t normally think of TOCTOU bugs where a human is the “check” part of the equation.

2024 in 0-days

Google has published an overview of the 75 zero-day vulnerabilities that were exploited in 2024. That’s down from the 98 vulnerabilities exploited in 2023, but the Threat Intelligence Group behind this report are of the opinion that we’re still on an upward trend for zero-day exploitation. Some platforms like mobile and web browsers have seen drastic improvements in zero-day prevention, while enterprise targets are on the rise. The real stand-out is the targeting of security appliances and other network devices, at more than 60% of the vulnerabilities tracked.

When it comes to the attackers behind exploitation, it’s a mix between state-sponsored attacks, legal commercial surveillance, and financially motivated attacks. It will be interesting to see how 2025 stacks up in comparison. But one thing is for certain: Zero-days aren’t going away any time soon.

Perplexing Passwords for RDP

The world of computer security just got an interesting surprise, as Microsoft declared it not-a-bug that Windows machines will continue to accept revoked credentials for Remote Desktop Protocol (RDP) logins. [Daniel Wade] discovered the issue and reported it to Microsoft, and then after being told it wasn’t a security vulnerability, shared his report with Ars Technica.

So what exactly is happening here? It’s the case of a Windows machine login via Azure or a Microsoft account. That account is used to enable RDP, and the machine caches the username and password so logins work even when the computer is “offline”. The problem really comes in how those cached passwords get evicted from the cache. When it comes to RDP logins, it seems they are simply never removed.

There is a stark disconnect between what [Wade] has observed, and what Microsoft has to say about it. It’s long been known that Windows machines will cache passwords, but that cache will get updated the next time the machine logs in to the domain controller. This is what Microsoft’s responses seem to be referencing. The actual report is that in the case of RDP, the cached passwords will never expire, regardless of changing that password in the cloud and logging on to the machine repeatedly.

Bits and Bytes

Samsung makes a digital signage line, powered by the MagicINFO server application. That server has an unauthenticated endpoint, accepting file uploads with insufficient filename sanitization. That combination leads to arbitrary pre-auth code execution. While that’s not great, what makes this a real problem is that the report was first sent to Samsung in January, no response was ever received, and it seems that no fixes have officially been published.

A series of Viasat modems have a buffer overflow in their SNORE web interface. This leads to unauthenticated, arbitrary code execution on the system, from either the LAN or OTA interface, but thankfully not from the public Internet itself. This one is interesting in that it was found via static code analysis.

IPv6 is the answer to all of our IPv4 induced woes, right? It has Stateless Address Autoconfiguration (SLAAC) to handle IP addressing without DHCP, and Router Advertisement (RA) to discover how to route packets. And now, taking advantage of that great functionality is Spellbinder, a malicious tool to pull off SLACC attacks and do DNS poisoning. It’s not entirely new, as we’ve seen Man in the Middle attacks on IPv4 networks for years. IPv6 just makes it so much easier.

hackaday.com/2025/05/02/this-w…

Una nuova campagna di phishing sta circolando in queste ore con un obiettivo ben preciso: spaventare le vittime con la minaccia di una multa stradale imminente e gonfiata, apparentemente proveniente da PagoPA. L’obiettivo è convincere l’utente a cliccare su un link fraudolento e inserire i propri dati di pagamento, con la scusa di saldare una sanzione.

In questo articolo analizziamo cosa è importante non fare quando si riceve un’email di questo tipo, per capire come molte truffe online sfruttino l’urgenza e la credibilità di marchi noti al fine di ottenere un vantaggio economico.
Email fake di PagoPA arrivata alla redazione di Red Hot Cyber

“Evita la maggiorazione: paga adesso”. Scopriamo perché è una truffa

L’email in questione arriva da un mittente apparentemente legittimo, ma con un dominio sospetto: [strong]jeyhun.ashurov@tu-dortmund.de[/strong]. Intanto un dominio di origine tedesca dovrebbe far subito pensare che si tratti di una truffa. Le email ufficiali solitamente pervengono dal dominio gov.it Il contenuto della comunicazione cerca di replicare lo stile formale delle notifiche ufficiali, con messaggi intimidatori come:

“La preghiamo di prendere nota che, in caso di mancato pagamento entro la fine della giornata odierna, l’importo totale sarà automaticamente aggiornato a 500 €.”

Un’altra tecnica psicologica è l’urgenza: la scadenza è fissata per il giorno stesso della ricezione, inducendo panico e reazioni impulsive. Pertanto:

• Email sospetta: le comunicazioni sono avvenute dall’email [strong]jeyhun.ashurov@tu-dortmund.de[/strong]. PagoPA avvengono da domini istituzionali come @pagopa.gov.it.
• Assenza di destinatario specifico: si usa “Gentile proprietario/a del veicolo”, un modo generico per colpire più vittime.
• Minacce e urgenze: è una tecnica comune nel phishing per spingere l’utente all’azione.
• Link truffaldini: il link “Accedi al Pagamento Online” porta quasi certamente a una pagina clone creata per rubare i dati della carta.

Cosa fare se ricevi questa email?

1. Per prima cosa aumenta l’attenzione
2. Non cliccare sul link.
3. Segnala l’email come phishing nel tuo client di posta.
4. Verifica eventuali multe reali solo tramite i portali ufficiali (come il sito del Comune o il portale ufficiale di PagoPA).
5. Avvisa amici e parenti, in particolare quelli meno esperti di tecnologia.

L’analisi tecnica di Red Hot Cyber: cosa si cela dietro il link

Il team di Red Hot Cyber ha analizzato l’email sospetta all’interno di un ambiente sicuro, utilizzando una sandbox, ovvero una macchina virtuale isolata dal sistema reale, che consente di analizzare contenuti potenzialmente pericolosi senza rischi per il computer o la rete.

Al primo tentativo, cliccando sul link presente nell’email, abbiamo osservato una serie di redirect automatici: sorprendentemente, il collegamento sembrava concludersi sul sito ufficiale di PagoPA, un’astuzia probabilmente pensata per aumentare la fiducia della vittima e ridurre i sospetti.

Abbiamo quindi analizzato l’URL tramite VirusTotal, una piattaforma che verifica la reputazione dei link attraverso decine di motori antivirus. Il risultato? Tre antivirus lo identificavano chiaramente come malevolo.
schermata che etichetta il link presente nell’email come malevolo www.virustotal.com
Effettuando ulteriori test — e questa volta utilizzando Tor per anonimizzare la navigazione e accedere eventualmente a contenuti geolocalizzati o camuffati — siamo riusciti ad accedere al vero sito fraudolento.

Come funziona la truffa

Una volta atterrati sul sito clone, ci è stato chiesto di compilare un modulo con i nostri dati anagrafici, dopodiché il sito richiede di inserire:

• Numero della carta di credito
• Data di scadenza
• Codice CVV

Non è finita. Dopo l’inserimento dei dati della carta, il sito richiede anche:

• Codice SMS (OTP) ricevuto via banca
• PIN della carta

In questo modo, il criminale informatico ottiene tutti i codici necessari per svuotare la carta di credito: dati personali, dati bancari, codice di sicurezza e persino il secondo fattore di autenticazione.

Una volta in possesso di queste informazioni, il truffatore può effettuare prelievi e transazioni fino al totale prosciugamento del plafond disponibile sulla carta.

Mai in

L'articolo Attenti italiani! Una Finta Multa da pagare tramite PagoPA vuole svuotarti il conto proviene da il blog della sicurezza informatica.

Una nuova vulnerabilità di sicurezza in macOS consente a malintenzionati di eludere la protezione di App Sandbox manipolando i segnalibri con ambito di sicurezza. La vulnerabilità è incentrata sul sistema di segnalibri, una funzionalità progettata per consentire alle applicazioni sandbox un accesso persistente ai file selezionati dall’utente.

I segnalibri funzionano generando token firmati crittograficamente che codificano l’accesso persistente concesso dall’utente ai file esterni al contenitore di un’applicazione. Secondo l’analisi dettagliata di Microsoft, gli aggressori possono sfruttare questa falla critica, il CVE-2025-31191. Tale bug consente di eliminare e sostituire una voce fondamentale per l’autenticazione dell’accesso ai file, violando di fatto uno dei principali limiti di sicurezza di macOS.

“Un processo dannoso in esecuzione nel contesto di un’app sandbox potrebbe eliminare il legittimo segreto di firma utilizzato da ScopedBookmarkAgent”, spiegano gli analisti relativamente alla vulnerabilità. Questi segnalibri sono normalmente protetti dall’autenticazione HMAC-SHA256, con chiavi derivate in modo univoco per ciascuna applicazione come HMAC-SHA256(secret, [bundle-id]). L’exploit sfrutta una sottile debolezza nel meccanismo di protezione di questi “portachiavi”.

Sebbene Apple abbia correttamente limitato l’accesso in lettura all’elemento com.apple.scopedbookmarksagent.xpc tramite ACL, i ricercatori hanno scoperto che la protezione non impediva l’eliminazione o la sostituzione dell’elemento. Dopo l’eliminazione, gli aggressori potevano inserire un nuovo segreto con un valore noto e allegare un ACL permissivo che consentiva loro un accesso più ampio. A questo punto, grazie alla chiave di firma compromessa, gli aggressori possono:

• Calcola la chiave di firma crittografica per qualsiasi applicazione utilizzando il suo ID bundle.
• Creare segnalibri dannosi per file arbitrari.
• Inserire questi segnalibri falsi nel file securebookmarks.plist.

uando l’applicazione tenta di accedere ai file utilizzando questi segnalibri, ScopedBookmarkAgent convalida le credenziali contraffatte e concede l’accesso senza ulteriore consenso dell’utente. In questo modo si aggirano di fatto i limiti della sandbox, consentendo l’accesso a file di sistema sensibili e il potenziale per ulteriori sfruttamenti. La proof-of-concept dimostrata da Microsoft mostra come una macro di Office dannosa potrebbe implementare questa catena di attacchi, sebbene la vulnerabilità riguardi qualsiasi app sandbox che utilizzi segnalibri con ambito di sicurezza.

Questa vulnerabilità interessa diversi sistemi operativi Apple, tra cui macOS Ventura, macOS Sequoia, macOS Sonoma, tvOS, iOS e iPadOS.

L’exploit consente l’accesso non autorizzato ai dati sensibili degli utenti e potenzialmente consente l’esecuzione di codice arbitrario con privilegi elevati.

L'articolo Sandbox a Rischio: Una Macro Office Può Prendere il Controllo del Tuo Mac proviene da il blog della sicurezza informatica.

Imagine a bare-bones electric pickup: it’s the size of an old Hilux, it seats two, and the bed fits a full sheet of plywood. Too good to be true? Wait until you hear that the Slate Pickup is being designed for DIY repairability and modification, and will sell for only $20,000 USD, after American federal tax incentives.
Using the cellphone for infotainment makes for a less expensive product and a very clean dash. (Image: Slate Motors)
There are a few things missing: no infotainment system, for one. Why bother, when almost everyone has a phone and Bluetooth speakers are so cheap? No touch screen in the middle of the dash also means the return of physical controls for the heat and air conditioning.

There is no choice in colors, either. To paraphrase Henry Ford, the Slate comes in any color you want, as long as it’s grey. It’s not something we’d given much though to previously, but apparently painting is a huge added expense for automakers. Instead, the truck’s bodywork is going to be injection molded plastic panels, like an old Saturn coupe. We remember how resilient those body panels were, and think that sounds like a great idea. Injection molding is also a less capital-intensive process to set up than traditional automotive sheet metal stamping, reducing costs further.

That being said, customization is still a big part of the Slate. The company intends to sell DIY vinyl wrap kits, as well as a bolt-on SUV conversion kit which customers could install themselves. The plan is to have a “Slate University” app that would walk owners through maintaining their own automobile, a delightfully novel choice for a modern carmaker.

With a color wrap and an SUV add-on, it looks like a different beast. (Image: Slate Motors)
Of course, it’s all just talk unless Slate can make good on their promises. With rumors that Jeff Bezos is interested in investing, maybe they can pull it off and produce what could be a Volkswagen for 21st century America.

Interested readers can check out the Slate Motors website, and preorder for only $50 USD. For now, Slate is only interested in doing business within the United States, but we can hope they inspire copycats elsewhere. There’s no reason similar vehicles couldn’t be made anywhere from Alberta to Zeeland, if the will was there.

What do you think? Is this the perfect hackermobile, or have Slate fallen short? Let us know in the comments.

We’ve covered electric trucks before, but they were just a bit bigger, and some of them didn’t use batteries.

hackaday.com/2025/05/02/is-thi…

Il crimine informatico continua a rappresentare una minaccia significativa per la sicurezza globale e le economie. La Rete europea per la criminalità informatica giudiziaria (EJCN) ha tenuto la sua 18a riunione plenaria dal 28 al 29 aprile presso la sede di Eurojust a L'Aia. L'evento di due giorni ha riunito 60 partecipanti provenienti da 32 paesi.
Istituito nel 2016, l'EJCN svolge un ruolo vitale nel promuovere la cooperazione e la condivisione delle conoscenze tra i professionisti specializzati nella lotta al crimine informatico, con l'obiettivo di aumentare l'efficienza delle indagini e dei procedimenti giudiziari. Con il sostegno del partner chiave #Eurojust, l' #EJCN lavora per rafforzare la cooperazione tra le autorità nazionali, affrontando la natura senza confini del crimine informatico e le sfide che pone.
I progressi tecnologici creano nuove opportunità per i criminali di sfruttare la velocità, la convenienza e l'anonimato di Internet. Le conseguenti minacce informatiche non conoscono confini, causando danni e ponendo minacce reali alle vittime di tutto il mondo. Le autorità nazionali stanno adottando misure per combattere questa minaccia in crescita, ma spesso affrontano sfide al passo con l'ambiente tecnico in rapido cambiamento.

I pubblici ministeri e i giudici in tutta l' #UE sono alle prese con nuovi problemi legali e aree grigie, come cooperare con i fornitori di servizi che detengono prove elettroniche cruciali, sequestrare criptovalute sotto il controllo dei fornitori di servizi di cripto-attività o affrontare i complessi fenomeni del terrorismo abilitato al cyber. La 18a riunione plenaria dell'EJCN ha affrontato queste sfide frontalmente, presentando discussioni su argomenti chiave come l'intelligenza artificiale, criptovalute, il pacchetto E-evidence e le reti terroristiche che operano online. L'incontro ha incluso presentazioni su casi studio, incluso l'uso criminale di modelli linguistici di grandi dimensioni, evidenziando la natura in evoluzione delle minacce informatiche.
Una sessione ristretta del secondo giorno ha permesso ai partecipanti di condividere aggiornamenti su legislazioni, sentenze e casi nazionali. Le sessioni di approfondimento hanno riguardato argomenti come l'intelligenza artificiale, criptovalute, le prove elettroniche e la formazione per la magistratura su argomenti relativi al #cybercrime, fornendo una piattaforma per i partecipanti per condividere esperienze e anticipare le sfide future. L'incontro è stato un importante raduno di esperti e parti interessate, offrendo preziose informazioni e discussioni sulle principali sfide che l'industria della criminalità informatica deve affrontare e dimostrando l'impegno dell'EJCN a sostenere i suoi membri nei loro sforzi per combattere la criminalità informatica.

@Informatica (Italy e non Italy 😁)

Siamo in grado di dire che la storia del database con numeri di alte cariche istituzionali è priva di fondamento. Non c’è stato alcun attacco cyber per il furto dei dati. Il solo attacco pericoloso per l’Italia è quello con cui stanno cercando di delegittimare l’Agenzia della cybersecurity nazionale

Numeri rubati a Mattarella e Meloni? Fake news pericolosa, ecco perché

agendadigitale.eu/sicurezza/pr…

dicorinto.it/temi/privacy/nume…

We all appreciate clear easy-to-read reference materials. In that pursuit [Andreas] over at Splitbrain sent in his latest project, Pinoutleaf. This useful web app simplifies the creation of clean, professional board pinout reference images.

The app uses YAML or JSON configuration files to define the board, including photos for the front and back, the number and spacing of pins, and their names and attributes.For example, you can designate pin 3 as GPIO3 or A3, and the app will color-code these layers accordingly. The tool is designed to align with the standard 0.1″ pin spacing commonly used in breadboards. One clever feature is the automatic mirroring of labels for the rear photo, a lifesaver when you need to reverse-mount a board. Once your board is configured, Pinoutleaf generates an SVG image that you can download or print to slide over or under the pin headers, keeping your reference key easily accessible.

Visit the GitHub page to explore the tool’s features, including its Command-Line Interface for batch-generating pinouts for multiple boards. Creating clear documentation is challenging, so we love seeing projects like Pinoutleaf that make it easier to do it well.

hackaday.com/2025/05/02/pinout…

Secondo quanto riportato da Security Insider, il 30 aprile alla conferenza RSA di San Francisco, un’assenza ha colpito l’attenzione di molti: quella dei dirigenti delle principali agenzie federali statunitensi dedicate alla sicurezza informatica, come la NSA e la CISA. Queste figure istituzionali, da anni protagoniste della conferenza, quest’anno non si sono presentate. Una mancanza che ha sollevato interrogativi sull’attuale stato della leadership americana nel campo della cybersecurity. Alcuni analisti legano questa assenza ai tagli al bilancio federale, ai licenziamenti e al clima politico teso causato dalle indagini promosse da Donald Trump sugli ex dirigenti della CISA.

Un esempio eclatante è stata la cancellazione dell’evento “State of Hacking” organizzato tradizionalmente dalla NSA, da sempre uno dei momenti più attesi della conferenza RSA. L’evento, che solitamente vedeva lunghe file di partecipanti e sale gremite, è stato annullato improvvisamente. Poco dopo, un portavoce della NSA ha confermato che anche l’intervista prevista con il direttore Dave Luber era stata cancellata, dichiarando che, secondo le nuove linee guida di leadership, Luber non parteciperà ad eventi pubblici al momento. L’assenza è stata interpretata come un segnale di chiusura e riservatezza, non in linea con la tradizionale apertura dell’agenzia verso il settore.

Anche la CISA ha brillato per la sua assenza. Negli anni precedenti, i direttori Chris Krebs e Jen Easterly non solo hanno partecipato attivamente, ma hanno anche contribuito alla firma di impegni chiave come la lettera “Secure by Design”. Quest’anno, invece, solo il vicedirettore Michael Garcia ha preso parte a un dibattito sulla protezione delle infrastrutture critiche, unica apparizione significativa dell’agenzia. Nessuna intervista, nessuna tavola rotonda con i media, e ancora nessun nuovo direttore ufficialmente nominato, mentre il blocco del senatore Ron Wyden sulla nomina di Sean Plankey resta un ostacolo politico che pesa sul futuro dell’agenzia.

A peggiorare la situazione, la scorsa settimana due alti funzionari della CISA coinvolti proprio nell’iniziativa “Secure by Design” hanno rassegnato le dimissioni. Questo ha alimentato preoccupazioni sulla continuità operativa dell’agenzia in un momento in cui la sicurezza informatica nazionale è più cruciale che mai. Alcuni osservatori suggeriscono che la priorità dell’agenzia dovrebbe essere il rafforzamento delle competenze interne e il reclutamento di nuovi talenti, piuttosto che le attività pubbliche e mediatiche.

Anche l’ex direttore della NSA Paul Nakasone e Rob Joyce hanno partecipato a dibattiti sul futuro della tecnologia e delle cyber-minacce, in un panel che ha incluso persino il produttore della serie Netflix “Zero Day”, portando una dimensione più pop alla conferenza. Tuttavia, la mancanza dei vertici attuali delle agenzie ha lasciato un vuoto tangibile.

Durante una tavola rotonda dal titolo “Come i principali attori delle minacce stanno usando il potere informatico per sovvertire la democrazia”, un giornalista ha chiesto spiegazioni sull’assenza dei funzionari. Il contrammiraglio in pensione Mark Montgomery ha attribuito la situazione ai drastici tagli federali, alla ristrutturazione dei dipartimenti e al clima di incertezza tra il personale militare. A suo dire, la paura di esporsi pubblicamente in un momento delicato potrebbe aver scoraggiato molte presenze, riflettendo un cambiamento profondo nel modo in cui le istituzioni statunitensi si interfacciano con il settore pubblico della cybersecurity.

L'articolo RSA 2025: Scomparsi NSA e CISA, silenzio preoccupante dagli alti vertici della cyber USA proviene da il blog della sicurezza informatica.