As the Industrial Age took the world by storm, city centers became burgeoning hubs of commerce and activity. New offices and apartments were built higher and higher as density increased and skylines grew ever upwards. One could live and work at height, but this created a simple inconvenience—if you wanted to send any mail, you had to go all the way down to ground level.

In true American fashion, this minor inconvenience would not be allowed to stand. A simple invention would solve the problem, only to later fall out of vogue as technology and safety standards moved on. Today, we explore the rise and fall of the humble mail chute.

Going Down

Born in 1848 in Albany, New York, James Goold Cutler would come to build his life in the state. He lived and worked in the growing state, and as an architect, he soon came to identify an obvious problem. For those occupying higher floors in taller buildings, the simple act of sending a piece of mail could quickly become a tedious exercise. One would have to make their way all the way to a street level post box, which grew increasingly tiresome as buildings grew ever taller.
Cutler’s original patent for the mail chute. Note element G – a hand guard that prevented people from reaching into the chute to grab mail falling from above. Security of the mail was a key part of the design. Credit: US Patent, public domain
Cutler saw that there was an obvious solution—install a vertical chute running through the building’s core, add mail slots on each floor, and let gravity do the work. It then became as simple as dropping a letter in, and down it would go to a collection box at the bottom, where postal workers could retrieve it during their regular rounds. Cutler filed a patent for this simple design in 1883. He was sure to include a critical security feature—a hand guard behind each floor’s mail chute. This was intended to stop those on lower levels reaching into the chute to steal the mail passing by from above. Installations in taller buildings were also to be fitted with an “elastic cushion” in the bottom to “prevent injury to the mail” from higher drop heights.
A Cutler Receiving Box that was built in 1920. This box would have lived at the bottom of a long mail chute, with the large door for access by postal workers. The brass design is typical of the era. Credit: National Postal Museum, CC0
One year later, the first installation went live in the Elwood Building, built in Rochester, New York to Cutler’s own design. The chute proved fit for purpose in the seven-story building, but there was a problem. The collection box at the bottom of Cutler’s chute was seen by the postal authorities as a mailbox. Federal mail laws were taken quite seriously, then as now, and they stated that mailboxes could only be installed in public buildings such as hotels, railway stations, or government facilities. The Elwood was a private building, and thus postal carriers refused to service the collection box.

It consists of a chute running down through each story to a mail box on the ground floor, where the postman can come and take up the entire mail of the tenants of the building. A patent was easily secured, for nobody else had before thought of nailing four boards together and calling it a great thing.

Letters could be dropped in the apertures on the fourth and fifth floors and they always fell down to the ground floor all right, but there they stated. The postman would not touch them. The trouble with the mail chute was the law which says that mail boxes shall be put only in Government and public buildings.

–The Sun, New York, 20 Dec 1886

Cutler’s brilliantly simple invention seemed dashed at the first hurdle. However, rationality soon prevailed. Postal laws were revised in 1893, and mail chutes were placed under the authority of the US Post Office Department. This had important security implications. Only post-office approved technicians would be allowed to clear mail clogs and repair and maintain the chutes, to ensure the safety and integrity of the mail.
The Cutler Mail chutes are easy to spot at the Empire State Building. Credit: Teknorat, CC BY-SA 2.0
With the legal issues solved, the mail chute soared in popularity. As skyscrapers became ever more popular at the dawn of the 20th century, so did the mail chute, with over 1,600 installed by 1905. The Cutler Manufacturing Company had been the sole manufacturer reaping the benefits of this boom up until 1904, when the US Post Office looked to permit competition in the market. However, Cutler’s patent held fast, with his company merging with some rivals and suing others to dominate the market. The company also began selling around the world, with London’s famous Savoy Hotel installing a Cutler chute in 1904. By 1961, the company held 70 percent of the mail chute market, despite Cutler’s passing and the expiry of the patent many years prior.

The value of the mail chute was obvious, but its success was not to last. Many companies began implementing dedicated mail rooms, which provided both delivery and pickup services across the floors of larger buildings. This required more manual handling, but avoided issues with clogs and lost mail and better suited bigger operations. As postal volumes increased, the chutes became seen as a liability more than a convenience when it came to important correspondence. Larger oversized envelopes proved a particular problem, with most chutes only designed to handle smaller envelopes. A particularly famous event in 1986 saw 40,000 pieces of mail stuck in a monster jam at the McGraw-Hill building, which took 23 mailbags to clear. It wasn’t unusual for a piece of mail to get lost in a chute, only to turn up many decades later, undelivered.
An active mail chute in the Law Building in Akron, Ohio. The chute is still regularly visited by postal workers for pickup. Credit: Cards84664, CC BY SA 4.0Mail chutes were often given fine, detailed designs befitting the building they were installed in. This example is from the Fitzsimons Army Medical Center in Colorado. Credit: Mikepascoe, CC BY SA 4.0
The final death knell for the mail chute, though, was a safety matter. Come 1997, the National Fire Protection Association outright banned the installation of new mail chutes in new and existing buildings. The reasoning was simple. A mail chute was a single continuous cavity between many floors of a building, which could easily spread smoke and even flames, just like a chimney.

Despite falling out of favor, however, some functional mail chutes do persist to this day. Real examples can still be spotted in places like the Empire State Building and New York’s Grand Central station. Whether in use or deactivated, many still remain in older buildings as a visible piece of mail history.

Better building design standards and the unstoppable rise of email mean that the mail chute is ultimately a piece of history rather than a convenience of our modern age. Still, it’s neat to think that once upon a time, you could climb to the very highest floors of an office building and drop your important letters all the way to the bottom without having to use the elevator or stairs.

Collage of mail chutes from Wikimedia Commons, Mark Turnauckas, and Britta Gustafson.

hackaday.com/2025/06/25/the-ri…

Kumiko is a form of Japanese woodworking that uses small cuts of wood (probably offcuts) to produce artful designs. It’s the kind of thing that takes zen-like patience to assemble, and years to master– and who has time for that? [Paper View] likes the style of kumiko, but when all you have is a 3D printer, everything is extruded plastic.

His video, embedded below, focuses mostly on the large tiled piece and the clever design required to avoid more than the unavoidable unsightly seems without excessive post processing. (Who has time for that?) The key is a series of top pieces to hide the edges where the seams come together. The link above, however, gives something more interesting, even if it is on Makerworld.

[Paper View] has created a kumiko-style (out of respect for the craftspeople who make the real thing, we won’t call this “kumiko”) panel generator, that allows one to create custom-sized frames to print either in one piece, or to assemble as in the video. We haven’t looked at MakerWorld’s Parametric Model Maker before, but this tool seems to make full use of its capabilities (to the point of occasionally timing out). It looks like this is a wrapper for OpenScad (just like Thingiverse used to do with Customizer) so there might be a chance if enough of us comment on the video [Paper View] can be convinced to release the scad files on a more open platform.

We’ve featured kumiko before, like this wood-epoxy guitar, but for ultimate irony points, you need to see this metal kumiko pattern made out of nails. (True kumiko cannot use nails, you see.)

Thanks to [Hari Wiguna] for the tip, and please keep them coming!

youtube.com/embed/w5P7E7muk9o?…

hackaday.com/2025/06/25/carefu…

Cyberattackers often view small and medium-sized businesses (SMBs) as easier targets, assuming their security measures are less robust than those of larger enterprises. In fact, attacks through contractors, also known as trusted relationship attacks, remain one of the top three methods used to breach corporate networks. With SMBs generally being less protected than large enterprises, this makes them especially attractive to both opportunistic cybercriminals and sophisticated threat actors.

At the same time, AI-driven attacks are becoming increasingly common, making phishing and malware campaigns easier to prepare and quickly adapt, thus increasing their scale. Meanwhile, cybersecurity regulations are tightening, adding more compliance pressure on SMBs.

Improving your security posture has never been more critical. Kaspersky highlights key attack vectors every SMB should be aware of to stay protected.

How malware and potentially unwanted applications (PUAs) are disguised as popular services

Kaspersky analysts have used data from the Kaspersky Security Network (KSN) to explore how frequently malicious and unwanted files and programs are disguised as legitimate applications commonly used by SMBs. The KSN is a system for processing anonymized cyberthreat-related data shared voluntarily by opted-in Kaspersky users. For this research, only data received from the users of Kaspersky solutions for SMBs were analyzed. The research focused on the following applications:

• ChatGPT
• Cisco AnyConnect
• Google Drive
• Google Meet
• DeepSeek
• Microsoft Excel
• Microsoft Outlook
• Microsoft PowerPoint
• Microsoft Teams
• Microsoft Word
• Salesforce
• Zoom

Between January and April 2025 alone, nearly 8,500 SMB users encountered cyberattacks in which malware or PUAs were disguised as these popular tools.

Among the detected threats, the highest number (1652) of unique malicious and potentially unwanted files mimicked Zoom, the widely used video conferencing platform. This accounted for nearly 41% of all unique files detected, a 14-percentage point increase compared to 2024. Microsoft Office applications remained frequent targets for impersonation: Outlook and PowerPoint each accounted for 16%, Excel for nearly 12%, while Word and Teams made up 9% and 5%, respectively.

Share of unique files with names mimicking the nine most popular legitimate applications in 2024 and 2025 (download)

A comparison of the threat landscape in 2024 and 2025 reveals a clear shift: with the growing popularity of AI services, cyberattackers are increasingly disguising malware as various AI tools. According to our analysis, the number of unique malicious files mimicking ChatGPT grew by 115%, reaching 177 in the first four months of 2025. This contributed to a three-percentage-point increase in the tool’s share among the most mimicked applications. DeepSeek, a large language model launched only in 2025, has immediately appeared on the list of impersonated tools.

Another cybercriminal tactic to watch for in 2025 is the growing use of collaboration platform brands to trick users into downloading or launching malware and PUAs. As mentioned above, the share of threats disguised as Zoom increased by 14 percentage points, reaching 1652 unique files, while Microsoft Teams and Google Drive saw increases of over three and one percentage points, respectively, with 206 and 132 cases. This pattern likely reflects the normalization of remote work and geographically distributed teams, which has made these platforms integral to business operations across industries.

Attackers are clearly leveraging the popularity and credibility of these services to increase the success rate of their campaigns.

The total number of unique malicious and unwanted files imitating legitimate applications slightly declined year-over-year, from 5,587 in 2024 to 4,043 in 2025.

Main types of threats affecting the SMB Sector, 2025 (download)

The top threats targeting SMBs in 2025 included downloaders, Trojans, and adware.

Leading the list are downloaders, potentially unwanted applications designed to install additional content from the internet, often without clearly informing the user of what’s being downloaded. While not inherently malicious, these tools are frequently exploited by attackers to deliver harmful payloads to victims’ devices.

Trojans ranked next. These are malicious programs that carry out unauthorized actions such as deleting, blocking, modifying, or copying data, or disrupting the normal operation of computers and networks. Trojans are among the most prevalent forms of malware, and cyberattackers continue to use them in a wide range of malicious campaigns.

Adware also made the top three list. These programs are designed to display advertisements on infected computers or substitute a promotional website for the default search engine in a browser. Adware often comes bundled with freeware or shareware, effectively serving as the price for using the free software. In some cases, Trojans silently download and install adware onto the victim’s machine.

Among other common types of threats were DangerousObject, Trojan-Dropper, Backdoor, Trojan-Downloader, HackTool, Trojan-PSW, and PSW-Tool. For instance, we recently identified a campaign involving a Trojan-Downloader called “TookPS“, which was distributed through fake websites imitating legitimate remote access and 3D modeling software.

How scammers and phishers trick victims into giving up accounts and money

We continue to observe a wide range of phishing campaigns and scams targeting SMBs. Attackers aim to steal login credentials for various services, from delivery platforms to banking systems, or manipulate victims into sending them money.

To do this, cyberattackers use a variety of lures, often imitating landing pages from brands commonly used by SMBs. One example is a phishing attempt targeting Google business accounts. The bait lures victims with the promise of promoting their company on X. It requires them to first log in to a dedicated platform using their Google account with credentials that will end up in cyberattackers’ hands.

Another fake landing page impersonated a bank that offered business loans: a “Global Trust Bank”. Since legitimate organizations with that name exist in multiple countries, this phishing attempt may have seemed believable. The attackers tried to lure users with favorable business loan terms – but only after victims submitted their online banking credentials, giving the criminals access to their accounts.

We also saw a range of phishing emails targeting SMBs. In one recent case detected by our systems, the attacker sent a fake notification allegedly from DocuSign, an electronic document-signing service.

SMBs can even find themselves targeted by classic Nigerian scams. In one recent example, the sender claimed to represent a wealthy client from Turkey who wanted to move $33 million abroad to allegedly avoid sanctions, and invited the recipient to handle the funds. In Nigerian scams, fraudsters typically cajole money. They may later request a relatively small payment to a manager or lawyer compared to the amount originally promised.

Beyond these threats, SMBs are bombarded daily with hundreds of spam emails. Some promise attractive deals on email marketing or loans; others offer services like reputation management, content creation, or lead generation. In general, these offers are crafted to reflect the typical needs of small businesses. Not surprisingly, AI has also made its way into the spam folder – with offers to automate various business processes.

We have also seen spammers offering dubious deals like purchasing a database of over 400,000 businesses for $100, supposedly to be used for selling the company’s B2B products, or manipulating reviews on a review platform.

Security tips

SMBs can reduce risks and ensure business continuity by investing in comprehensive cybersecurity solutions and increasing employee awareness. It is essential to implement robust measures such as spam filters, email authentication protocols, and strict verification procedures for financial transactions and the handling of sensitive information.

Another key step toward cyber resilience is promoting awareness about the importance of comprehensive security procedures and ensuring they are regularly updated. Regular security training sessions, strong password practices, and multi-factor authentication can significantly reduce the risk of phishing and fraud.

It is also worth noting that searching for software through search engines is an insecure practice, and should be prohibited in the organization. If you need to implement new tools or replace existing ones, make sure they are downloaded from official sources and installed on a centralized basis by your IT team.

Cybersecurity Action Plan for SMBs

1. Define access rules for corporate resources such as email accounts, shared folders, and online documents. Monitor and limit the number of individuals with access to critical company data. Keep access lists up to date and revoke access promptly when employees leave the company. Use cloud access security brokers to monitor and control employee activities within cloud services and enforce security policies.
2. Regularly back up important data to ensure the preservation of corporate information in case of emergencies or cyberincidents.
3. Establish clear guidelines for using external services and resources. Create well-defined procedures for coordinating specific tasks, such as implementing new software, with the IT department and other responsible managers. Develop short, easy-to-understand cybersecurity guidelines for employees, with a special focus on account and password management, email protection, and safe web browsing. A well-rounded training program will equip employees with the knowledge they need and the ability to apply it in practice.
4. Implement specialized cybersecurity solutions that provide visibility and control over cloud services, such as Kaspersky Next.

securelist.com/smb-threat-repo…

Can a 3D Minecraft implementation be done entirely in CSS and HTML, without a single line of JavaScript in sight? The answer is yes!

True, this small clone is limited to playing with blocks in a world that measures only 9x9x9, but the fact that [Benjamin Aster] managed it at all using only CSS and pure HTML is a fantastic achievement. As far as proofs of concept go, it’s a pretty clever one.

The project consists of roughly 40,000 lines of HTML radio buttons and labels, combined with fewer than 500 lines of CSS where the real work is done. In a short thread on X [Benjamin] explains that each block in the 9x9x9 world is defined with the help of tens of thousands of <label> and <input type="radio"> elements to track block types and faces, and CSS uses that as a type of display filter. Clicking a block is clicking a label, and changing a block type (“air” or no block is considered a type of block) switches which labels are visible to the user.

Viewing in 3D is implemented via CSS animations which apply transforms to what is displayed. Clicking a control starts and stops the animation, resulting in a view change. It’s a lot of atypical functionality for plain HTML and CSS, showing what is possible with a bit of out-of-the-box thinking.

[Simon Willison] has a more in-depth analysis of CSS-Minecraft and how it works, and the code is on GitHub if you want a closer look.

Once you’re done checking that out and hungry for more cleverness, don’t miss Minecraft in COBOL and Minecraft Running in… Minecraft.

hackaday.com/2025/06/25/minecr…

Un grave attacco informatico ha colpito l’Alto Adige nella giornata di martedì 24 giugno, provocando un blackout diffuso che ha interessato diversi servizi telematici, sia pubblici che privati.

Lo riporta il notiziario l’Adige.it, che Le prime interruzioni sono state registrate già nelle prime ore del mattino del 24 giugno e hanno coinvolto aziende, media locali, infrastrutture strategiche e cittadini comuni, impedendo l’accesso a numerosi portali e reti operative.

Nel corso del pomeriggio, il presidente della Provincia autonoma di Bolzano, Arno Kompatscher, ha confermato che il malfunzionamento è stato causato da un attacco informatico. L’intrusione ha compromesso alcuni sistemi della pubblica amministrazione e ha reso temporaneamente inaccessibili vari servizi digitali, scatenando immediatamente l’allerta nelle istituzioni locali.

Tra i settori più colpiti figurano i sistemi telefonici, o parti di essi, del Centro provinciale per le informazioni sul traffico, della Centrale unica di emergenza, della centrale del Corpo permanente dei vigili del fuoco e del Servizio radio provinciale sono attualmente soggetti a disfunzioni tecniche.

È stata avviata un’indagine per chiarire le dinamiche dell’attacco informatico che ha colpito la provincia. Le prime ricostruzioni fanno pensare a un’azione a scopo estorsivo: la stessa amministrazione ha confermato che è stata avanzata una richiesta economica alle strutture coinvolte, specificando però che non verrà intrapresa alcuna trattativa con gli autori dell’attacco.

Durante un incontro con i referenti dei settori colpiti dal blocco digitale, le autorità locali hanno comunicato che l’origine del problema è stata identificata e contenuta tempestivamente, limitando così danni più gravi. È stato inoltre precisato che non vi è stata alcuna compromissione dei dati personali dei cittadini e che i numeri per le emergenze restano pienamente funzionanti.

Al momento dal monitoraggio delle underground criminali, ancora non emergono segnali di compromissione da parte di cyber gang ransomware.

L'articolo Cyberattacco in Alto Adige: blackout informatico paralizza servizi pubblici e privati proviene da il blog della sicurezza informatica.

Gli aggressori stanno sfruttando una vulnerabilità critica nell’escalation dei privilegi nel tema WordPress Motors, che consente loro di hackerare gli account degli amministratori e assumere il controllo completo del sito di destinazione.

L’attività dannosa è stata scoperta da Wordfence, che il mese scorso ha segnalato una grave vulnerabilità, la CVE-2025-4322, che colpisce tutte le versioni del tema Motors fino alla 5.6.67. Questo tema, sviluppato da StylemixThemes, ha totalizzato 22.460 vendite su Envato Market ed è molto popolare tra i proprietari di siti web dedicati al settore automobilistico.

Il problema è legato al widget Registro di accesso e alla convalida errata dell’identità dell’utente durante l’aggiornamento di una password, che consente ad aggressori non autenticati di modificare le password dell’amministratore. Pertanto, per sfruttare il bug, un aggressore deve prima trovare l’URL in cui si trova il widget controllando /login-register, /account, /reset-password, /signin, ecc. utilizzando richieste POST speciali. Tali richieste contengono caratteri UTF-8 non validi nel valore hash_check, il che porta a confronti hash errati durante la reimpostazione di una password.

Il corpo del POST contiene il valore stm_new_password, che reimposta la password dell’utente in base agli ID che in genere appartengono agli amministratori del sito.

A maggio, gli sviluppatori di StylemixThemes hanno rilasciato la versione 5.6.68, che corregge CVE-2025-4322, ma molti utenti non hanno ancora installato gli aggiornamenti e potrebbero ora essere vulnerabili agli attacchi.

Gli analisti di Wordfence hanno segnalato che gli attacchi alla nuova vulnerabilità sono iniziati già il 20 maggio, appena un giorno dopo la divulgazione del problema. Attacchi più estesi sono iniziati dopo il 7 giugno 2025 e Wordfence afferma di aver già bloccato oltre 23.100 tentativi di hacking contro i suoi clienti.

Secondo gli esperti, le password utilizzate dagli aggressori negli attacchi includono:

• Prova prova123!@#;
• rzkkd$SP3znjrn;
• Curdo@Kurd12123;
• owm9cpXHAZTk;

Una volta ottenuto l’accesso, gli aggressori accedono alla dashboard di WordPress come amministratori e creano account amministrativi aggiuntivi per mettere piede sulla risorsa hackerata. Gli esperti scrivono che la comparsa improvvisa di tali account, unita al blocco degli account amministratore esistenti (le password non funzionano più), è un segno sicuro dello sfruttamento di CVE-2025-4322. Si consiglia agli utenti di Motors di aggiornare il tema il prima possibile.

L'articolo 22.000 siti a rischio: nuova vulnerabilità Motors WordPress consente l’hacking totale proviene da il blog della sicurezza informatica.