Lego’s Technic line features all kinds of mechanical devices, from cogs to gears to chains and even pneumatic components. However, the vast majority of these components are made out of plastic and are only capable of toy-like levels of performance. In the competitive world of Lego YouTube, builders often push these parts to their limits, breaking them more often than you might think. To that end, [Brick Experiment Channel] has been investigating stouter Lego-compatible universal joints from a variety of third-party manufacturers.

The video starts with a simple demonstration, showing that a Lego universal joint pops apart at just 0.4 Nm of torque. It’s no surprise, given it relies on tiny plastic pins in snap-fit joints. However, this means that it’s not that hard to build a stronger universal joint to outperform the stock parts.

The video steps through a range of other options available on the market. For example, CaDA builds a universal joint using aluminium sleeves, a copper center, and steel pins to join everything together. It’s so strong that the plastic Lego axles fail long before the joint does. Tested with third-party aluminum axles, it eventually fails at 2.3 Nm of torque when the aluminum sleeve snaps. An all-steel joint from MTP goes even harder, eventually stripping out its axle mount at 4 Nm. The rest of the video goes on to explore angular performance, size, and other design features.

It’s fair to say that if you’re swapping out universal joints and axles for aluminum steel parts, you’re not really playing with Lego anymore. At the same time, it’s neat that there exists a sort of defacto standard kit for mechanical experimentation that is now being expanded upon with stronger components. Video after the break.

youtube.com/embed/g52QzQCOGbI?…

hackaday.com/2025/07/01/there-…

Well, here’s an interesting idea: the service loop. Ever heard of it? We haven’t!

In the video, the presenter explains the service loop serves two purposes: on the one hand it may provide strain relief, but chiefly these loops are installed so there will be extra available slack in the cable if you need to rewire it some day to change the configuration of your pinout.

One major problem with the service loop may be that the single turn is enough to create an inductor which will then induce noise and cross-talk all over the place. Our rule of thumb is always to completely unroll wires and cables before using them. Do you have a theory about the benefits or problems with service loops? If you do, we’d love to hear what you think in the comments!

If you’re interested in strain relief, we’ve covered that before, and you don’t need a service loop to do it! Check out Cheap Strain Relief By Casting Hot Glue In A 3D Print and Arduino Uno Strain Relief.

youtube.com/embed/x5sw5BqUT8I?…

Thanks to [Oliver] for writing in to let us know about this intriguing and somewhat controversial idea.

hackaday.com/2025/07/01/are-se…

Le persone tendono a essere più comprensive nei confronti dei chatbot se li considerano interlocutori reali. Questa è la conclusione a cui sono giunti gli scienziati dell’Università Ebraica di Gerusalemme dopo una serie di studi su larga scala pubblicati sulla rivista Nature Human Behaviour.

In nove esperimenti, i ricercatori hanno reclutato più di 6.200 partecipanti. Tutti hanno interagito con chatbot basati su modelli linguistici di grandi dimensioni (LLM), ma alcuni partecipanti credevano di parlare con un essere umano. Questo è stato un fattore chiave nel modo in cui percepivano il supporto e l’empatia del loro interlocutore.

Come osservato nell’articolo, i modelli linguistici moderni dimostrano una notevole capacità di comprendere i contesti sociali ed emotivi. Non solo sono in grado di analizzare lo stato emotivo dell’interlocutore, ma anche di imitare abilmente espressioni di cura, compassione e sostegno.

Gli autori dello studio sottolineano che, nonostante le capacità empatiche oggettive dell’IA, le persone sono molto più propense a rifiutare il supporto emotivo se sanno di comunicare con una macchina. I soggetti a cui è stato detto che le loro risposte erano state scritte da un essere umano, anche se ciò non era vero, hanno valutato i messaggi come più empatici e di supporto. Erano anche disposti ad aspettare più a lungo per una risposta, credendo che fosse stata preparata da una persona reale.

Allo stesso tempo, i dati hanno mostrato che la convinzione che l’IA fosse coinvolta nella preparazione delle risposte presumibilmente umane riduceva la percezione dell’empatia. Questo effetto persisteva indipendentemente dalla lunghezza delle risposte, dalla velocità con cui venivano ricevute e dallo specifico modello di IA utilizzato nell’esperimento.

Inoltre, lo studio ha scoperto che le persone scelgono sistematicamente l’interazione umana rispetto all’intelligenza artificiale quando hanno bisogno di supporto emotivo, dimostrando quanto sia radicata la necessità di un elemento umano quando si discutono argomenti personali e delicati.

Il rapporto evidenzia anche un interessante paradosso: in termini di accuratezza formale e velocità di elaborazione delle informazioni, l’IA è in grado di comprendere meglio lo stato emotivo di una persona. A differenza degli esseri umani, che potrebbero trovare noiosa l’empatia, l’IA riconosce istantaneamente i segnali emotivi e non sperimenta affaticamento o esaurimento.

Tuttavia, gli esseri umani hanno ancora difficoltà a percepire tale “empatia” da parte delle macchine. Barriere psicologiche e pregiudizi giocano un ruolo chiave, anche quando l’IA dimostra oggettivamente un alto livello di empatia.

È interessante notare che un altro studio ha precedentemente osservato che l’intelligenza artificiale può mostrare segnali di ansia. Nello specifico, il modello GPT-4 ha mostrato un aumento dei punteggi di ansia , misurati mediante test psicologici standard, dopo aver lavorato con scenari traumatici.

Questi risultati sollevano seri interrogativi sulla natura dell’intelligenza artificiale, sui suoi limiti e sul futuro delle interazioni uomo-macchina in situazioni emotivamente intense. Nonostante gli evidenti progressi tecnologici, la percezione pubblica rimane più conservatrice e la fiducia nell’IA è limitata.

L'articolo Mi Ami, Non mi Ami? A scusa, sei un Chatbot! proviene da il blog della sicurezza informatica.

There comes a time in any software developer’s life when they look at their achievements, the lines of code written and the programming languages they have relied on, before wondering whether there may be more out there. A programming language and its associated toolchains begin to feel like familiar, well-used tools after you use them for years, but that is no excuse to remain rusted in place.

While some developers like to zigzag from one language and toolset to another, others are more conservative. My own journey took me from a childhood with QuickBasic and VisualBasic to C++ with a bit of Java, PHP, JavaScript, D and others along the way. Although I have now for years focused on C++, I’m currently getting the hang of Ada in particular, both of which tickle my inner developer in different ways.

Although Java and D never quite reached their lofty promises, there are always new languages to investigate, with both Rust and Zig in particular getting a lot of attention these days. Might they be the salvation that was promised to us C-afflicted developers, and do they make you want to zigzag or ferrously oxidize?

Solving Problems

As hilarious it is to make new programming languages for the fun of it, there has to be some purpose to them if they want to be more than a gag. That’s why Whitespace and Brainf*ck are great for having some (educational) fun with, while Forth is a serious and very much commercially successful language. Meanwhile there’s still an ongoing debate about whether Python may or may not be an esoteric language, mostly on account of it granting whitespace so much relevance that would make the Whitespace developers proud.

This contrasts heavily with languages like C and consequently C++ where whitespace is not relevant and you can write everything on a single line if that’s your kink. Meanwhile in Ada, COBOL and others case sensitivity doesn’t exist, because their developers failed to see the point of adding this ‘feature’. This leads us to another distinguishing feature of languages: weakly- versus strongly-typed and super-strongly typed languages.

If one accepts that a type system is there to prevent errors, then logically the stronger the type system is, the better. This is one reason why I personally prefer TypeScript over JavaScript, why Java reflection and Objective-C messaging drove me up various walls, why my favorite scripting language is AngelScript, why I love the type system in Ada and also why I loathe whoever approved using the auto keyword in C++ outside of templates.

With those lines marked, let’s see what problems Rust and Zig will solve for me.

Getting Ziggy

The Zig language is pretty new, having only been released in early 2016. This makes it four years younger than Rust, while also claiming to be a ‘better C’. Much of this is supposed to come from ‘improved memory safety’, which is a topic that I have addressed previously, both in the context of another ‘improved C’ language called TrapC, as well as from a security red herring point of view. Here again having a very strong type system is crucial, as this allows for the compiler as well as static and dynamic analysis tools to pick up any issues.

There is also the wrinkle that C++ is already an improved C, and the C11 standard in particular addresses a lot of undefined behavior, which makes it a pretty tall order to do better than either. Fortunately Zig claims to be a practically drop-in solution for existing C and C++ code, so it should be pretty gentle to get started with.

Unfortunately, this is the part where things rapidly fell apart for me. I had the idea to quickly put together a crude port of my ncurses-based UE1 emulator project, but the first surprise came after installing the toolchain. My default development environment on Windows is the Linux-like MSYS2 environment, with the Zig toolchain available via pacman.

A feeling of dread began to set in while glancing at the Getting Started page, but I figured that I’d throw together a quick ncurses project based on some two-year old code that someone said had worked for them:
const std = @import("std");
const c = @cImport({
@cInclude("curses.h");
});

pub fn main() !void {
var e = c.initscr();
e = c.printw("Hello World !!!");
e = c.refresh();
e = c.getch();
e = c.endwin();
}
Despite the symbol soup and chronic fear of fully writing out English words, it’s not too hard to understand what this code is supposed to do. The @cImport() block allows you to include C headers, which in this case allows us to import the standard ncurses header, requiring us to only link against the system ncurses library later on. What’s not inspiring much confidence is that it’s clear at this point already that Zig is a weakly-typed language, bringing back highly unwanted embedded JavaScript flashbacks.

While prodding at writing a standard Makefile to compile this code, the reality of the Zig build system began to hit. You can only use the zig command, which requires a special build file written in Zig, so you have to compile Zig to compile Zig, instead of using Make, CMake, Ninja, meson, etc. as is typical. Worse is that Zig’s API is being changed constantly, so that the sample build.zig code that I had copied no longer worked and had to be updated to get the following:
const std = @import("std");

pub fn build(b: *std.Build) void {
const target = b.standardTargetOptions(.{});
const optimize = b.standardOptimizeOption(.{});
const exe = b.addExecutable(.{
.name = "ncurses",
.root_source_file = b.path("main.zig"),
.target = target,
.optimize = optimize,
});

exe.linkSystemLibrary("c");
exe.linkSystemLibrary("ncurses");
b.installArtifact(exe);
}
With this change in place, I no longer got compile errors for the build file, but even after deleting the .zig-cache folder that the toolchain creates I kept getting the same linker errors:

While I’m sure that all of this is solvable, I was looking for a solution to my problems, not to get new problems. Instead I got a lack of strong typing, an oddly verbose syntax, ever-shifting APIs, being strong-armed into giving up the build tools of one’s choosing and finally some weird linker errors that probably require constant nuking of caches as one has to already suffer through with CMake and Gradle.

It is time to zigzag out of dodge to the next language.

Rusted Expectations

As mentioned earlier, Rust is a few years older than Zig, and in addition it has seen a lot more support from developers and companies. Its vibrant community is sure to remind you of these facts at any opportunity they get, along with how Rust cures all ills. Ignoring the obvious memory safety red herring, what problems can Rust solve for us?

Following the same pattern as with Zig, we first have to set up a development environment with the Rust toolchain and the ability to use ncurses. Unlike with Zig, we apparently cannot use C (or C++) code directly, so the recommendation is to use a wrapper. From its code we can worryingly tell that it is also a weakly-typed language by the use of type inference, and the fact that the unsafe keyword is required to cooperate with C interfaces gives even great cause for concern. Ideally you’d not do the equivalent of hammering in raw assembly when writing C either, as this bypasses so many checks.

Regardless, the task is to figure out how to use this ncurses-rs wrapper, despite it already being EOL-ed. Rather than dealing with this ‘cargo’ remote repository utility and reliving traumatic memories of remote artefact repositories with NodeJS, Java, etc., we’ll just copy the .rs files of the wrapper directly into the source folder of the project. It’s generally preferred to have dependencies in the source tree for security reasons unless you have some level of guarantee that the remote source will be available and always trustworthy.

Although you can use the rustc compiler directly, it provides an extremely limited interface compared to e.g. Clang and GCC. After trying to understand and massage dependency paths for the included files (modules) for a while, the sad result is always another fresh series of errors, like:
The frustrating end to trying out Rust.
At this point any enthusiasm for doing more with Rust has already rapidly oxidized and decayed into sad shards of ferrous oxide.

Workflow Expectations

Most of my exposure to Rust and Zig prior to this experience had been from a theoretical and highly academical perspective, but actually trying to use a language is when you really begin to develop feelings that tell you whether the language is something you’re interested in. In my case these feelings were for both languages primarily frustration, mixed with an urge to get away from the whole thing as soon as possible.

This contrasts heavily with my recent experiences with COBOL, which saw me working for days on code and figuring out the language, but with a feeling of almost giddy joy at grasping yet another concept or mechanism. What helped a lot here is that the COBOL toolchains are just typical GCC compilers with the whole feature set, which means that you can use them with any build system of your choice.

Even with the Ada toolchain and its multi-step process of module dependency resolving, compiling and linking you can use these tools any way you like. It’s this kind of freedom that is at least in my view an essential part of a good development environment, as it gives the developer the choice of how to integrate these into their workflow.

The workflow with Zig and Rust reminds me mostly of the harrowing struggle with Android development and its Gradle-based environment. You get similar struggles with just getting the basic thing off the ground, are always dealing with baffling errors that may or may not be related to a component that’s a few versions too old or new, and basically it’s just a gigantic waste of time.

Even ignoring whether Zig and Rust are or can become good languages, it is this complete disregard for individual workflow preferences that’s probably the most off-putting to me, and reason to avoid these ecosystems at all cost. Something which I wish I could do with Gradle as well, but I digress.

In the end I think I’ll be sticking with C++, with a bit of C and an increasing amount of Ada and Fortran on the side. Unless you’re being paid big bucks, there is no reason to put yourself through the suffering of a workflow you loathe.

hackaday.com/2025/07/01/c-enco…

People have been coming up with clever ways to bring light to the darkness since we lived in caves, so it’s no surprise we still love finding interesting ways to illuminate our world. [Michael] designed a simple, but beautiful, book lamp that’s easy to assemble yourself.

This build really outshines its origins as an assembly of conductive tape, paper, resistors, LEDs, button cells, and a binder clip. With a printable template for the circuit, this project seems perfect for a makerspace workshop or school science project kids could take home with them. [Michael] walks us through assembling the project in a quick video and even has additional information available for working with conductive tape which makes it super approachable for the beginner.

The slider switch is particularly interesting as it allows you to only turn on the light when the book is open using just conductive tape and paper. We can think of a few other ways you could control this, but they quickly start increasing the part count which makes this particularly elegant. By changing the paper used for the shade or the cover material for the book, you can put a fun spin on the project to match any aesthetic.

If you want to build something a little more complex to light your world, how about a 3D printed Shoji lamp, a color-accurate therapy lamp, or a lamp that can tell you to get back to work.

youtube.com/embed/ggw1bmISklU?…

hackaday.com/2025/07/01/diy-bo…

Gli esperti hanno scoperto una nuova campagna malware chiamata Silver Fox (nota anche come Void Arachne) che utilizza falsi siti web. Le risorse presumibilmente distribuiscono software popolari (WPS Office, Sogou e DeepSeek), ma in realtà vengono utilizzate per diffondere il RAT Sainbox e il rootkit open source Hidden.

Secondo Netskope Threat Labs, i siti di phishing (come wpsice[.]com) distribuiscono programmi di installazione MSI dannosi in cinese, il che significa che questa campagna è rivolta a utenti di lingua cinese. “Il payload del malware include Sainbox RAT, una variante di Gh0st RAT e una variante del rootkit open source Hidden”, hanno affermato i ricercatori.

Non è la prima volta che Silver Fox usa questa tattica. Ad esempio, nell’estate del 2024, eSentire ha descritto una campagna rivolta agli utenti cinesi di Windows tramite siti che presumibilmente erano progettati per scaricare Google Chrome e distribuire il RAT Gh0st. Inoltre, nel febbraio 2025, gli analisti di Morphisec scoprirono un’altra campagna su un sito web falso che distribuiva ValleyRAT (noto anche come Winos 4.0) e un’altra versione di Gh0st RAT.

Come riportato da Netskope, questa volta gli installer MSI dannosi scaricati da siti falsi sono progettati per avviare un file eseguibile legittimo shine.exe, che carica la DLL dannosa libcef.dll utilizzando una tecnica di caricamento laterale. Il compito principale di questa DLL è estrarre ed eseguire lo shellcode dal file di testo 1.txt presente nel programma di installazione, che alla fine porta all’esecuzione di un altro payload DLL: il trojan di accesso remoto Sainbox.

“La sezione .data del payload studiato contiene un altro binario PE che può essere eseguito a seconda della configurazione del malware”, osservano gli esperti. “Il file incorporato è un driver rootkit basato sul progetto open source Hidden“

Il suddetto Trojan Sainbox ha la capacità di scaricare payload aggiuntivi e rubare dati, mentre Hidden fornisce agli aggressori una serie di funzionalità per nascondere processi e chiavi correlati al malware nel registro di Windows sugli host compromessi.

L’obiettivo principale del rootkit è nascondere processi, file, chiavi e valori di registro. Come spiegano i ricercatori, utilizza un mini-filtro e callback del kernel per raggiungere questo obiettivo. Hidden può anche proteggere se stesso e processi specifici e contiene un’interfaccia utente accessibile tramite IOCTL.

“L’utilizzo di varianti di RAT commerciali (come Gh0st RAT) e rootkit open source (come Hidden) offre agli aggressori controllo e furtività senza richiedere molto sviluppo personalizzato”, afferma Netskope.

L'articolo Nuova campagna malware Silver Fox: diffonde RAT e rootkit tramite falsi siti web proviene da il blog della sicurezza informatica.

There are all manner of musical myths, covering tones and melodies that have effects ranging from the profound to the supernatural. The Pied Piper, for example, or the infamous “brown note.”

But what about a song that could crash your laptop just by playing it? Even better, a song that could crash nearby laptops in the vicinity, too? It’s not magic, and it’s not a trick—it was just a punchy pop song that Janet Jackson wrote back in 1989.

Rhythm Nation

As told by Microsoft’s Raymond Chen, the story begins in the early 2000s during the Windows XP era. Engineers at a certain OEM laptop manufacturer noticed something peculiar. Playing Janet Jackson’s song Rhythm Nation through laptop speakers would cause the machines to crash. Even more bizarrely, the song could crash nearby laptops that weren’t even playing the track themselves, and the effect was noted across laptops of multiple manufacturers.

youtube.com/embed/OAwaNWGLM0c?…

Rhythm Nation was a popular song from Jackson’s catalog, but nothing about it immediately stands out as a laptop killer.

After extensive testing and process of elimination, the culprit was identified as the audio frequencies within the song itself. It came down to the hardware of the early 2000s laptops in question. These machines relied on good old mechanical hard drives. Specifically, they used 2.5-inch 5,400 RPM drives with spinning platters, magnetic heads, and actuator arms.
The story revolves around 5,400 RPM laptop hard drives, but the manufacturer and model are not public knowledge. No reports have been made of desktop PCs or hard disks suffering the same issue. Credit: Raimond Spekking, CC BY-SA 4.0
Unlike today’s solid-state drives, these components were particularly susceptible to physical vibration. Investigation determined that something in Rhythm Nation was hitting a resonant frequency of some component of the drive. When this occurred, the drive would be disturbed enough that read errors would stack up to the point where it would trigger a crash in the operating system. The problem wasn’t bad enough to crash the actual hard drive head into the platters themselves, which would have created major data loss. It was just bad enough to disrupt the hard drive’s ability to read properly, to the point where it could trigger a crash in the operating system.
A research paper published in 2018 investigated the vibrational characteristics of a certain model of 2.5-inch laptop hard drive. It’s not conclusive evidence, and has nothing to do with the Janet Jackson case, but it provides some potentially interesting insights as to why similar hard drives failed to read when the song was played. Credit: Research paper
There was a simple workaround for this problem, that was either ingenious or egregious depending on your point of view. Allegedly, the OEM simply whipped up a notch filter for the audio subsystem to remove the offending frequencies. The filter apparently remained in place from the then-contemporary Windows XP up until at least Windows 7. At this point, Microsoft created a new rule for “Audio Processing Objects” (APO) which included things like the special notch filter. The rule stated that all of these filters must be able to be switched off if so desired by the user. However, the story goes that the manufacturer gained a special exception for some time to leave their filter APO on at all times, to prevent users disabling it and then despairing when their laptops suddenly started crashing unexpectedly during Janet Jackson playlists.

As for what made Rhythm Nation special? YouTuber Adam Neely investigated, and came up with a compelling theory. Having read a research paper on the vibrational behavior of a 2.5-inch 5,400 RPM laptop hard disk, he found that it reported the drive to have its largest vibrational peak at approximately 87.5 Hz. Meanwhile, he also found that Rhythm Nation had a great deal of energy at 84.2 Hz. Apparently, the recording had been sped up a touch after the recording process, pushing the usual low E at 82 Hz up slightly higher. The theory being that the mild uptuning in Rhythm Nation pushed parts of the song close enough to the resonant frequency of some of the hard drive’s components to give them a good old shaking, causing the read errors and eventual crashes.

It’s an interesting confluence of unintended consequences. A singular pop song from 1989 ended up crashing laptops over a decade later, leading to the implementation of an obscure and little-known audio filter. The story still has holes—nobody has ever come forward to state officially which OEM was involved, and which precise laptops and hard drives suffered this problem. That stymies hopes for further research and recreation of this peculiarity. Nevertheless, it’s a fun tech tale from the days when computers were ever so slightly more mechanical than they are today.

hackaday.com/2025/07/01/one-la…

It’s been awhile since we checked in with Canada’s Edison Motors, so let’s visit [DeBoss Garage] for an update video. To recap, Edison Motors is a Canadian company building diesel-electric hybrid semi-trucks and more.
The last interesting thing to happen in Donald, BC was when it burned down in the 1910s.
Well, they’ve thankfully moved out of the tent in their parents’ back yard where the prototype was built. They’ve bought themselves a company town: Donald, British Columbia, complete with a totally-not-controversial slogan “Make Donald Great Again”.

More interesting is that their commercial-off-the-shelf (COTS), right-to-repair centered approach isn’t just for semi-trucks: they’re now a certified OEM manufacturer of a rolling heavy truck chassis you can put your truck cab or RV body on, and they have partnered with three coach-builders for RVs and a goodly number of manufacturing partners for truck conversion kits. The kits were always in the plan, but selling the rolling chassis is new.

One amazingly honest take-away from the video is the lack of numbers for the pickups: top speed, shaft horsepower, torque? They know what all that should be, but unlike the typical vaporware startup, Edison won’t tell you the engineering numbers on the pickup truck kits until it has hit the race track and proved itself in the real world. These guys are gear-heads first and engineers second, so for once in a long time the adage “engineers hate mechanics” might not apply to a new vehicle.

The dirt track is the first thing under construction in Donald, so hopefully the next update we hear from Edison Motors will include those hard numbers, including pesky little things like MSRP and delivery dates. Stay tuned.

In our last post about an electric truck, a lot of you in the comments wanted something bigger, heavier duty, not pure battery, and made outside the USA. Well, here it is.

youtube.com/embed/DnmCvAZIW38?…

Thanks to [Keith Olson] for the tip. Remember, the lines are always open!

hackaday.com/2025/07/01/move-o…

Cisco ha segnalato due vulnerabilità RCE critiche che non richiedono autenticazione e interessano Cisco Identity Services Engine (ISE) e Passive Identity Connector (ISE-PIC). Alle vulnerabilità sono stati assegnati gli identificatori CVE-2025-20281 e CVE-2025-20282 e hanno ottenuto il punteggio massimo di 9,8 punti su 10 sulla scala CVSS. Il primo problema riguarda le versioni 3.4 e 3.3 di ISE e ISE-PIC, mentre il secondo riguarda solo la versione 3.4.

La causa principale dell’errore CVE-2025-20281 era l’insufficiente convalida dell’input utente in un’API esposta. Ciò consentiva a un aggressore remoto e non autenticato di inviare richieste API contraffatte per eseguire comandi arbitrari come utente root. Il secondo problema, CVE-2025-20282, era causato da una convalida dei file insufficiente nell’API interna, che consentiva la scrittura di file in directory privilegiate. Questo bug consentiva ad aggressori remoti non autenticati di caricare file arbitrari sul sistema di destinazione ed eseguirli con privilegi di root.

La piattaforma Cisco Identity Services Engine (ISE) è progettata per gestire le policy di sicurezza di rete e il controllo degli accessi e in genere funge da motore di controllo degli accessi alla rete (NAC), gestione delle identità e applicazione delle policy. Questo prodotto è un elemento chiave della rete aziendale ed è spesso utilizzato da grandi aziende, enti governativi, università e fornitori di servizi.

Gli esperti Cisco segnalano che finora non si sono verificati casi di sfruttamento attivo di nuove vulnerabilità (né exploit resi pubblici), ma si consiglia a tutti gli utenti di installare gli aggiornamenti il prima possibile. Gli utenti dovrebbero aggiornare alla versione 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4) e alla versione 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1) o successive. Non esistono soluzioni alternative per risolvere i problemi senza applicare patch.

E’ ovvio che con vulnerabilità di tale entità, sia necessario procedere con urgenza all’aggiornamento delle patch, al fine di prevenire possibili tentativi di violazione. Il fornitore raccomanda pertanto di effettuare tempestivamente gli aggiornamenti necessari.

L'articolo Cisco centra il bersaglio: 9,8 su 10 per due RCE su Identity Services Engine e Passive Identity Connector proviene da il blog della sicurezza informatica.

Le sentenze Meta e Anthropic stabiliscono (per ora) che risucchiare l'intera Internet per "addestrare" le loro fottute IA non costituisce violazione del copyright. E poi arriva CreativeCommons che vuole "segnalare" come i detentori dei diritti preferiscono essere spolpati.

spreaker.com/episode/dk-9x35-t…

pixelfed.uno/nobollo
Shorts

peertube.uno/c/moments_of_life…
Video

mastodon.uno/@nobollo
Spizzichi...

Ci metto la faccia.
...quel che c'è dietro in fondo, conta quasi esclusivamente per me.

Qualche domanda adesso.

Come ti chiami?
- Silvio Domenico.
...ma qualcuno mi chiama anche stronzo...dipende.

Sei credente?
- Si...aspetta!
...a cosa ti riferisci esattamente?

In cosa sei veramente competente?
- Dipende chi ho di fronte.

Cosa ti piace in una donna?
- Che sia una donna, innazitutto.
...con dentro una persona preferibilmente a me compatibile.
Parliamo...di cosa piace a me, ovviamente!

Hai fatto il Militare?
- Si, in Marina...perchè...altrimenti non vengo assunto?

Quale genere musicale preferisci?
- La musica in genere, più quella di una volta...sembra qualunquista, ma non è così.

Cosa o chi vorresti con te su un'isola deserta?
- Un cellulare...appena mi rompo le palle chiamo qualcuno disponibile a venirmi a prendere.

Fatti una domanda e poi risponditi.
- E adesso?
Adesso, passo alla prossima domanda.

Che sorpresa vorresti ricevere?
- La prossima.

Il gusto di gelato che preferisci?
- Pistacchio.

Se tu fossi?
- Altro...non sarei questo.

Il tuo soprannome abituale?
- Nessuno abituale.

Hai mai tradito qualcuno?
- Se esiste un patto...no. Aspettative, si ne ho tradito. Ma, alle volte, quasi sempre...non sai cosa si aspettino gli altri da te...e poi, comunque, quello non lo considero un tradimento.

Sei mai stato tradito da qualcuno?
_ Non pienamente...e comunque, non c'erano patti di sorta..

La parolaccia che ripeti continuamente?
- Alcune in egual misura...forse, cazzo in misura superiore.

La posizione preferita in amore?
- Oggi sono un pò stanco...prego si accomodi...domani, magari si cambia.

Hai mai fatto l'amore con più di una donna contemporaneamente?
- Si...ma era in un sogno.

E con più uomini?
- Salta!!

Qualche aggettivo per descriverti?
- 181 cm,brizzolato,piede 43......in questo modo sono certo di non dire cazzate pseudocerebrali.

Sai essere competitivo?
- Si...se posso.

La tua trasmissione televisiva preferita?
- Serie TV, non tutte le serie, ovviamente.

Centrodestra o centrosinistra?
- Centrosinistra, quando ho voglia di votare...turandomi il naso...come ormai da tempo.

Maradona o Platinì?
- Van Basten.

Seno naturale o rifatto?
- Naturale...certo, se non è alle ginocchia sarebbe meglio...ma naturale indubbiamente.

Hai mai visto un film pornografico?
- Da adulto, mai sino alla fine.
Da ragazzi,al cinema, si arrivava alla fine, ma con un pò di lamentele ai paesi bassi...

Meglio i Beatles oppure i Rolling Stones?
- Eagles.

Il sesso...dove è meglio farlo?
- Dove si riesce.

Ti vedi bello?
- Non mi vedo...sono miope, presbite e lievemente astigmatico...

Più giovane o più vecchio?
- Nel mezzo del cammin...insomma, anche a tre quarti ormai.

Qualcosa di cui ti vergogni?
- Cos'è una terapia di gruppo?

E di cui vai fiero?
- Nonostante il necessario rapporto conflittuale...mio figlio.

Qualche persona che stimi
- Mi sforzo di partire da me...poi altre, in ordine sparso.

La tua macchina?
- Un sedile che mi porta il culo da una parte all'altra.

Cosa avresti voluto saper fare?
- Tra le tante...cantare.

Uno o due ricordi dei primi dieci anni?
- Immensamente,l e notti della vigilia natale.
Quando col mio fratellino...ci si svegliava nel cuore della notte per vedere se era già passato Gesù Bambino, Babbo natale...insomma bastava che passasse qualcuno a lasciare qualcosa di gradito.
E la meraviglia quando i doni erano già sotto l'albero....

Dei secondi?
- Versione romantica...il primo bacio.
Versione erotica...la prima...insomma quella. Questo, in positivo...
...e in negativo...la morte del mio fratellino di cui sopra.

Dei terzi?
- Il matrimonio, ma non la cerimonia o il ricevimento...
Piuttosto,la sensazione del giorno dopo...

Dei quarti?
- La nascita di mio figlio...e per antitesi...la scomparsa di mio Padre.

Dei quinti?
-...un altra immensa e dolorosissima perdita...il Fratellone.

Ricordo importante del Sesto decennio?
Nè parlerò se arriverò a terminarli...e se nè avrò voglia.

With immunotherapy increasingly making it out of the lab and into hospitals as a viable way to treat serious conditions like cancer, there’s a lot of pressure to optimize these therapies. This is especially true for therapies involving chimeric antigen receptor (CAR) T cells, which so far required a cumbersome process of extracting the patient’s T cells, modifying them ex vivo and returning the now CAR T cells to the patient’s body. After a recently published study, it seems that we may see in vivo CAR T cell therapy become reality, with all the ease of getting a vaccine shot.

We covered CAR T cells previously in the context of a way to prevent T cell exhaustion and making them more effective against certain tumors. This new study (paywalled) by [Theresa L. Hunter] et al. as published in Science demonstrates performing the CAR manipulation in vivo using CD8+ T cell targeting lipid nanoparticles containing mRNA to reprogram these T cells directly.

In rodent and non-human primate studies a clear effect on tumor control was demonstrated, with for auto-immune diseases the related B cells becoming effectively depleted. Although it’s still a long way off from human trials and market approval, this research builds upon the knowledge gained from existing mRNA vaccines, raising hopes that one day auto-immune or cancer therapy could be as simple as getting a cheap, standardized shot.

hackaday.com/2025/07/01/in-viv…

Una falla critica nella sicurezza dell’utility Linux Sudo è stata individuata, tale falla permette a qualunque utente locale privo di autorizzazioni di ampliare i propri diritti fino ad arrivare all’accesso come root. Le versioni del software Sudo dalla 1.9.14 alla 1.9.17 sono state riconosciute come vulnerabili, codificate come CVE-2025-32463, e rappresentano un pericolo considerevole per i sistemi operativi Linux che adottano le impostazioni di default.

Pertanto si consiglia vivamente agli amministratori di sistema di aggiornare immediatamente i propri pacchetti Sudo, poiché non esiste una soluzione alternativa per questa vulnerabilità critica.

Il bug di sicurezza è stato individuato da Rich Mirch della Stratascale Cyber Research Unit (CRU) e interessa la funzionalità chroot (-R o -chroot) poco comune in Sudo. Questa falla risulta essere estremamente pericolosa poiché non necessita dell’impostazione di regole Sudo specifiche per l’utente malintenzionato, permettendo quindi lo sfruttamento da parte di utenti sprovvisti di autorizzazioni amministrative.

La falla è stata introdotta in Sudo v1.9.14 a giugno 2023 con aggiornamenti al codice di gestione della corrispondenza dei comandi quando viene utilizzata la funzionalità chroot. La vulnerabilità consente agli utenti non privilegiati di richiamare chroot() su percorsi scrivibili e non attendibili sotto il loro controllo, che Sudo esegue con autorità di root.

La tecnica di sfruttamento implica l’inserimento di un file /etc/nsswitch.conf dannoso all’interno di un ambiente chroot controllato, manipolando il sistema Name Service Switch (NSS). Questo permette agli aggressori di specificare fonti NSS personalizzate, corrispondenti a librerie di oggetti condivisi (come ad esempio libnss_/woot1337.so.2), che vengono successivamente caricate da Sudo con privilegi di root. Di conseguenza, si verifica una violazione della sicurezza quando le operazioni NSS sono attivate e il sistema procede al caricamento della configurazione /etc/nsswitch.conf da un ambiente che non è attendibile.

L’exploit proof-of-concept lo dimostra creando un oggetto condiviso dannoso con una funzione che chiama setreuid(0,0) e setregid(0,0) per ottenere privilegi di root , quindi esegue /bin/bash per fornire una shell di root. Il codice exploit mostra come un semplice comando gcc -shared -fPIC può compilare la libreria dannosa che viene caricata durante le operazioni NSS di Sudo.

I ricercatori di sicurezza hanno verificato la vulnerabilità su Ubuntu 24.04.1 con Sudo 1.9.15p5 e 1.9.16p2, nonché su Fedora 41 Server con Sudo 1.9.15p5. La vulnerabilità colpisce la configurazione predefinita di Sudo, rendendola una minaccia diffusa che richiede attenzione immediata. La correzione è disponibile in Sudo 1.9.17p1 o versioni successive, in cui l’opzione chroot è stata deprecata e le funzioni vulnerabili pivot_root() e unpivot_root() sono state rimosse.

L'articolo Vulnerabilità critica in Sudo: escalation dei privilegi a root su Linux proviene da il blog della sicurezza informatica.