I sistemi di controllo industriale (ICS), fondamentali per il funzionamento di infrastrutture critiche come reti elettriche, idriche e di trasporto, sono sempre più vulnerabili agli attacchi informatici. In questo contesto, l’articoloHoneyPLC: un honeypot di nuova generazione per i sistemi di controllo industriale propone un honeypot avanzato e scalabile progettato per simulare PLC reali (controllori logici programmabili) e raccogliere in maniera automatica malware, in particolare codice dannoso scritto in ladder logic, migliorando sensibilmente lo stato dell’arte nella protezione degli ICS.

A differenza degli honeypot tradizionali, HoneyPLC si distingue per tre aspetti fondamentali: elevata interattività, ampia scalabilità e capacità di inganno. È in grado di emulare fedelmente protocolli di rete industriali come TCP/IP, S7comm, SNMP e HTTP, offrendo un’interazione simile a quella di un vero PLC.

Può inoltre simulare più modelli di PLC provenienti da marchi diversi, rendendolo molto più adattabile rispetto agli honeypot precedenti, che di solito supportano solo uno o due modelli. La sua struttura modulare consente anche di creare profili personalizzati per diversi dispositivi industriali.

Uno degli aspetti più innovativi è la capacità di occultamento: HoneyPLC riesce a ingannare gli strumenti di ricognizione più comuni, come Nmap, fornendo risposte verosimili grazie alla generazione automatica di fingerprint e all’emulazione accurata dei protocolli. Inoltre, ogni interazione dell’attaccante viene tracciata e conservata nei log, con la possibilità di raccogliere in tempo reale i programmi in logica ladder iniettati nei blocchi di memoria, funzione che mancava nei precedenti honeypot ICS.

La valutazione sperimentale ha coinvolto cinque modelli di PLC reali (tra cui Siemens, Allen-Bradley e ABB) e ha dimostrato che HoneyPLC è in grado di replicare fedelmente il comportamento di ciascuno di essi. È riuscito anche a resistere alle scansioni di strumenti di ricognizione, simulando stack di rete coerenti con i dispositivi target. Inoltre, ha catturato efficacemente malware scritto in ladder logic, confermando la sua utilità come strumento di raccolta e analisi dei codici malevoli.

In conclusione, HoneyPLC rappresenta un importante passo avanti nella protezione dei sistemi industriali. Grazie alla sua capacità di scalare su più modelli di PLC, di simulare interazioni realistiche e di raccogliere malware in maniera automatizzata, costituisce un potente strumento per la ricerca sulla sicurezza degli ICS e per la creazione di contromisure sempre più efficaci contro le minacce informatiche rivolte al settore industriale.

L'articolo HoneyPLC: il nuovo honeypot che rivoluziona la difesa degli impianti industriali proviene da il blog della sicurezza informatica.

By now most floppy disks have been relegated to the dustbin of history, with a few exceptions for obscure industrial applications using legacy hardware and, of course, much of the world’s nuclear weapons arsenals. In fact, they’re so rare to see in the world anymore that many below a certain age don’t recognize the “save” symbol commonly used in application user interfaces. Without a use case, and with plenty of old floppies still laying around, [Rob] took a pile of them and built this Whack-a-Mole-style game.

The game has a number of floppy-disk-specific features compared to the arcade classic, though. First, there’s no mallet, so the player must push the floppy disks into the drive manually. Second, [Rob] went to somewhat exceptional lengths to customize the drives to that sometimes the disks jump out of the drive, forcing the player to grab them and put them back in to score points in the game. He did this without needing to install high-powered solenoids in the drives too. As for the game software itself, it all runs on an Amiga 600 and even includes a custom-made soundtrack for the 30-second game.

Getting the drives just right did take a number of prototypes, but after a few versions [Rob] has a working game that looks fun to play and is a clever use of aging hardware, not to mention the fact that it runs on a retro computer as well. Of course, for the true retro feel, you’ll want to make sure you find a CRT for the display somewhere, even though they’re getting harder to find now than old floppy disk drives.

youtube.com/embed/I2HWena_eXs?…

hackaday.com/2025/07/01/whack-…

Your design task, should you decide to accept it: given an input voltage, square it. Ok, that’s too hard since squaring 8 volts would give you 64 volts, so let’s say the output should be 10% of the square, so 8 volts in would result in 6.4V. How do you do it? [Engineering Prof.] knows how and will show you what you can do in the video below.

The circuit uses two op amps and some transistors. However, the transistors are used in a way that depends on the temperature, so it is important to use a transistor array so they are matched and will all be at the same temperature.

The math depends on the fact that the transistor response has a natural log term in it, and the property that the sum of two logs is the same as the log of the product of the numbers.

Because of the matching transistors, many of the terms in the equation cancel out. Because the transistors are current devices, the transistor circuit’s output current is the input current squared divided by the output transistor’s collector current. Then it is just a matter of converting the voltage to a current and back again using the right scaling.

There’s more to it, of course, but that’s the gist of it. You can dig into the math by watching the video. If the KCL references are fuzzy for you, here’s a refresher. Squaring a voltage would be pretty important for an analog computer.

youtube.com/embed/NBVIN0S5o_g?…

hackaday.com/2025/07/01/challe…

As it stands, cryptocurrency largely seems to be a fad of the previous decade, at least as far as technology goes. During that time, many PC users couldn’t get reasonably priced graphics cards since most of them were going into these miners. In contrast, nowadays any shortages are because they’re being used to turn the Internet into an AI-fueled wasteland. But nonetheless, there is a lot of leftover mining hardware from the previous decade and unlike the modern AI tools getting crammed into everything we own, this dated hardware is actually still useful. [Zendrael] demonstrates this by turning an old mining rig into a media server.

The mining rig is essentially nothing more than a motherboard with a large number of PCI slots, each designed for a GPU. PCI slots can do many other things, though, so [Zendrael] puts a terabyte solid state drive in each but one of the PCI cards using NVMe to PCI adapters. The final slot still hosts a GPU since the computer is being converted to a media server, and this allows it to do various encodings server-side. Even with only 4 GB of memory, the machine in its new configuration is more than capable of running Debian and spinning up all of the necessary software needed for a modern media server like Jellyfin, Nextcloud, and Transmission.

With many people abandoning miners as the value of them declines over time, it’s possible to find a lot of hardware like this that’s ready to be put to work on something new and useful. Hopefully all of the GPUs and other hardware being put to use today in AI will find a similar useful future, but until then we’ll note that you don’t need super powerful hardware to run some of those models on your own.

youtube.com/embed/hWcVDUmKp5A?…

hackaday.com/2025/07/01/a-cryp…

ICYMI

This Friday, the Fourth of July, the United States Pirate Party will be hosting our annual Pirate National Conference. It will be hybrid, hosting jointly in-person and online, with the Conference taking place in San Francisco, California. This year, the theme is “Run for Something!”.

For more information about our 2025 Conference, you may visit the official Conference page.

This past Sunday, we had another series of meetings and joint appearances between ourselves and the US Transhumanist Party. The purpose of these meetings have been to further advance the coalition plans between our two parties.

Not only did Captain Drew Bingaman serve as the guest on the latest Virtual Enlightenment Salon by the USTP, but members of the USTP joined us for our Sunday meeting.

We are pleased to announce that the coalition between our two parties is all but official. Both parties will be ratifying the bylaws of the coalition in the coming days and will officially kick off a new era in US minor party politics.

This coalition, slated to officially be named “All Hands for a Free Future Coalition”, which can be shortened to “All Hands”, “AllHandsFuture” and, if you have a sense of humor, “the Handies”, will begin with our two parties and will be expected to expand membership to fellow parties down the line.

We here in the United States Pirate Party would like to express our gratitude to our friends in the United States Transhumanist Party.

Free Men. Free Labor. Free Soil. Free Future.

Don’t forget to tune into our conference, streamed live to our YouTube channel this Friday. Not only will we be electing a new board, but also we shall inaugurate the first ever Captain of Young Pirates USA.

uspirates.org/icymi-2025-pirat…

Lego’s Technic line features all kinds of mechanical devices, from cogs to gears to chains and even pneumatic components. However, the vast majority of these components are made out of plastic and are only capable of toy-like levels of performance. In the competitive world of Lego YouTube, builders often push these parts to their limits, breaking them more often than you might think. To that end, [Brick Experiment Channel] has been investigating stouter Lego-compatible universal joints from a variety of third-party manufacturers.

The video starts with a simple demonstration, showing that a Lego universal joint pops apart at just 0.4 Nm of torque. It’s no surprise, given it relies on tiny plastic pins in snap-fit joints. However, this means that it’s not that hard to build a stronger universal joint to outperform the stock parts.

The video steps through a range of other options available on the market. For example, CaDA builds a universal joint using aluminium sleeves, a copper center, and steel pins to join everything together. It’s so strong that the plastic Lego axles fail long before the joint does. Tested with third-party aluminum axles, it eventually fails at 2.3 Nm of torque when the aluminum sleeve snaps. An all-steel joint from MTP goes even harder, eventually stripping out its axle mount at 4 Nm. The rest of the video goes on to explore angular performance, size, and other design features.

It’s fair to say that if you’re swapping out universal joints and axles for aluminum steel parts, you’re not really playing with Lego anymore. At the same time, it’s neat that there exists a sort of defacto standard kit for mechanical experimentation that is now being expanded upon with stronger components. Video after the break.

youtube.com/embed/g52QzQCOGbI?…

hackaday.com/2025/07/01/there-…

Long before he was the Freedom of Information Act director at The Washington Post, Nate Jones was a curious college student with a penchant for Able Archer 83.

Looking to learn more about the 1983 NATO war game, he ventured to the Ronald Reagan Presidential Library and sifted through a box inscribed “military exercises.” The folders inside were empty and classified.

“You can do FOIA, but good luck,” an archivist told him. “So instead of giving up, I kind of got a little angry,” he recalled.

Jones funneled that FOIA frustration into fanaticism. Years later, he acquired the documents his college self had yearned for and eventually wrote a book about the war scenario based on them.

But the lesson he learned transcended Able Archer 83. Access to even one unclassified document from the jump is all it would have taken to start a chain reaction of declassification for Jones much sooner.

“If the dang Reagan Library had just given me the records right away, it would have helped me file tens of thousands of more public records requests,” he explained.

To understand how FOIA requests and public records like those ultimately obtained by Jones can be used to fight government secrecy and improve our communities, Freedom of the Press Foundation (FPF) hosted an online webinar June 24 with Jones, MuckRock CEO Michael Morisy, and investigative journalist and author Miranda Spivack.

youtube.com/embed/AHGmEfZEMV8?…

Morisy, whose organization has helped file over 156,000 records requests and led to the release of over 11 million pages, said the key to a successful FOIA lies in its preparation. As a starting point, he advises requesters to “step inside the mindset of a bureaucrat” and envision the request from their perspective.

“Where are the records that you care about? How would you describe them? How would they work? Who would have access to them? And then use that to guide that public records officer to exactly what you want,” he said.

Spivack — who recently authored “Backroom Deals in Our Backyards: How Government Secrecy Harms Our Communities and the Local Heroes Fighting Back” — said it’s also important to consider the system of records requests as a whole, beyond the individuals working within them.

Unlike at the federal level, she said, there isn’t a constituency for transparency at the state and local levels “until somebody bumps into a problem.” That can stifle requesters.

“There are a lot of groups at the state and local level that are pro transparency, but I think they really have to get into communities and have to translate for people why it matters,” added Spivack. “Not even when you need it, but before you need it, why it should matter that your government should be more transparent.”

Still, there are cases where a local or state government records office can provide more information than a federal one, which is why Spivack recommends filing requests with both parties when it’s appropriate to do so.

Jones concurred. “It’s a great strategy to always file with as many agencies as you can.”

Another helpful strategy is to replicate prior successful records requests, he said.

“Don’t reinvent the wheel. Have an agency release more of what they already have released,” Jones said. Many reporters, including those at the Post, use MuckRock to find examples of past successful requests and duplicate them to save time and increase their odds of a successful request, he added.

As the Trump administration slashes FOIA offices and prunes the National Archives and Records Administration’s budget, one audience question, from open government advocate Alex Howard, addressed the possibility of insulating FOIA offices from political influence and firings.

Jones suggests modeling FOIA offices more closely on the Inspector General’s Office, which could add pressure on people in the agency “to release the things to the public in a timely manner.”

“So if you want to call it insulation, that would be fine, but I would rather call it empowerment,” he added.

Looking ahead, Morisy said that the encroachment of corporate interests in records requests is contributing to the “hollowing out” of government competence and could be clogging up the system. Instead of fighting together, transparency constituencies are picking individual battles, he said, which waters down their ability to enact change within the system.

“I think they’re losing, which I think is a big, big problem,” Morisy said.

Still, Jones is optimistic about the system, even if it’s far from perfect. He encourages requesters to file weekly, if not daily, to open the tap on a consistent flow of releases. Following that ethos could yield “one or two or three good documents a week,” he said.

“Be a proactive requester, not a reactive requester,” Jones said. “If you plant your acorns, the trees will grow.”

freedom.press/issues/use-publi…

Well, here’s an interesting idea: the service loop. Ever heard of it? We haven’t!

In the video, the presenter explains the service loop serves two purposes: on the one hand it may provide strain relief, but chiefly these loops are installed so there will be extra available slack in the cable if you need to rewire it some day to change the configuration of your pinout.

One major problem with the service loop may be that the single turn is enough to create an inductor which will then induce noise and cross-talk all over the place. Our rule of thumb is always to completely unroll wires and cables before using them. Do you have a theory about the benefits or problems with service loops? If you do, we’d love to hear what you think in the comments!

If you’re interested in strain relief, we’ve covered that before, and you don’t need a service loop to do it! Check out Cheap Strain Relief By Casting Hot Glue In A 3D Print and Arduino Uno Strain Relief.

youtube.com/embed/x5sw5BqUT8I?…

Thanks to [Oliver] for writing in to let us know about this intriguing and somewhat controversial idea.

hackaday.com/2025/07/01/are-se…

Le persone tendono a essere più comprensive nei confronti dei chatbot se li considerano interlocutori reali. Questa è la conclusione a cui sono giunti gli scienziati dell’Università Ebraica di Gerusalemme dopo una serie di studi su larga scala pubblicati sulla rivista Nature Human Behaviour.

In nove esperimenti, i ricercatori hanno reclutato più di 6.200 partecipanti. Tutti hanno interagito con chatbot basati su modelli linguistici di grandi dimensioni (LLM), ma alcuni partecipanti credevano di parlare con un essere umano. Questo è stato un fattore chiave nel modo in cui percepivano il supporto e l’empatia del loro interlocutore.

Come osservato nell’articolo, i modelli linguistici moderni dimostrano una notevole capacità di comprendere i contesti sociali ed emotivi. Non solo sono in grado di analizzare lo stato emotivo dell’interlocutore, ma anche di imitare abilmente espressioni di cura, compassione e sostegno.

Gli autori dello studio sottolineano che, nonostante le capacità empatiche oggettive dell’IA, le persone sono molto più propense a rifiutare il supporto emotivo se sanno di comunicare con una macchina. I soggetti a cui è stato detto che le loro risposte erano state scritte da un essere umano, anche se ciò non era vero, hanno valutato i messaggi come più empatici e di supporto. Erano anche disposti ad aspettare più a lungo per una risposta, credendo che fosse stata preparata da una persona reale.

Allo stesso tempo, i dati hanno mostrato che la convinzione che l’IA fosse coinvolta nella preparazione delle risposte presumibilmente umane riduceva la percezione dell’empatia. Questo effetto persisteva indipendentemente dalla lunghezza delle risposte, dalla velocità con cui venivano ricevute e dallo specifico modello di IA utilizzato nell’esperimento.

Inoltre, lo studio ha scoperto che le persone scelgono sistematicamente l’interazione umana rispetto all’intelligenza artificiale quando hanno bisogno di supporto emotivo, dimostrando quanto sia radicata la necessità di un elemento umano quando si discutono argomenti personali e delicati.

Il rapporto evidenzia anche un interessante paradosso: in termini di accuratezza formale e velocità di elaborazione delle informazioni, l’IA è in grado di comprendere meglio lo stato emotivo di una persona. A differenza degli esseri umani, che potrebbero trovare noiosa l’empatia, l’IA riconosce istantaneamente i segnali emotivi e non sperimenta affaticamento o esaurimento.

Tuttavia, gli esseri umani hanno ancora difficoltà a percepire tale “empatia” da parte delle macchine. Barriere psicologiche e pregiudizi giocano un ruolo chiave, anche quando l’IA dimostra oggettivamente un alto livello di empatia.

È interessante notare che un altro studio ha precedentemente osservato che l’intelligenza artificiale può mostrare segnali di ansia. Nello specifico, il modello GPT-4 ha mostrato un aumento dei punteggi di ansia , misurati mediante test psicologici standard, dopo aver lavorato con scenari traumatici.

Questi risultati sollevano seri interrogativi sulla natura dell’intelligenza artificiale, sui suoi limiti e sul futuro delle interazioni uomo-macchina in situazioni emotivamente intense. Nonostante gli evidenti progressi tecnologici, la percezione pubblica rimane più conservatrice e la fiducia nell’IA è limitata.

L'articolo Mi Ami, Non mi Ami? A scusa, sei un Chatbot! proviene da il blog della sicurezza informatica.

There comes a time in any software developer’s life when they look at their achievements, the lines of code written and the programming languages they have relied on, before wondering whether there may be more out there. A programming language and its associated toolchains begin to feel like familiar, well-used tools after you use them for years, but that is no excuse to remain rusted in place.

While some developers like to zigzag from one language and toolset to another, others are more conservative. My own journey took me from a childhood with QuickBasic and VisualBasic to C++ with a bit of Java, PHP, JavaScript, D and others along the way. Although I have now for years focused on C++, I’m currently getting the hang of Ada in particular, both of which tickle my inner developer in different ways.

Although Java and D never quite reached their lofty promises, there are always new languages to investigate, with both Rust and Zig in particular getting a lot of attention these days. Might they be the salvation that was promised to us C-afflicted developers, and do they make you want to zigzag or ferrously oxidize?

Solving Problems

As hilarious it is to make new programming languages for the fun of it, there has to be some purpose to them if they want to be more than a gag. That’s why Whitespace and Brainf*ck are great for having some (educational) fun with, while Forth is a serious and very much commercially successful language. Meanwhile there’s still an ongoing debate about whether Python may or may not be an esoteric language, mostly on account of it granting whitespace so much relevance that would make the Whitespace developers proud.

This contrasts heavily with languages like C and consequently C++ where whitespace is not relevant and you can write everything on a single line if that’s your kink. Meanwhile in Ada, COBOL and others case sensitivity doesn’t exist, because their developers failed to see the point of adding this ‘feature’. This leads us to another distinguishing feature of languages: weakly- versus strongly-typed and super-strongly typed languages.

If one accepts that a type system is there to prevent errors, then logically the stronger the type system is, the better. This is one reason why I personally prefer TypeScript over JavaScript, why Java reflection and Objective-C messaging drove me up various walls, why my favorite scripting language is AngelScript, why I love the type system in Ada and also why I loathe whoever approved using the auto keyword in C++ outside of templates.

With those lines marked, let’s see what problems Rust and Zig will solve for me.

Getting Ziggy

The Zig language is pretty new, having only been released in early 2016. This makes it four years younger than Rust, while also claiming to be a ‘better C’. Much of this is supposed to come from ‘improved memory safety’, which is a topic that I have addressed previously, both in the context of another ‘improved C’ language called TrapC, as well as from a security red herring point of view. Here again having a very strong type system is crucial, as this allows for the compiler as well as static and dynamic analysis tools to pick up any issues.

There is also the wrinkle that C++ is already an improved C, and the C11 standard in particular addresses a lot of undefined behavior, which makes it a pretty tall order to do better than either. Fortunately Zig claims to be a practically drop-in solution for existing C and C++ code, so it should be pretty gentle to get started with.

Unfortunately, this is the part where things rapidly fell apart for me. I had the idea to quickly put together a crude port of my ncurses-based UE1 emulator project, but the first surprise came after installing the toolchain. My default development environment on Windows is the Linux-like MSYS2 environment, with the Zig toolchain available via pacman.

A feeling of dread began to set in while glancing at the Getting Started page, but I figured that I’d throw together a quick ncurses project based on some two-year old code that someone said had worked for them:
const std = @import("std");
const c = @cImport({
@cInclude("curses.h");
});

pub fn main() !void {
var e = c.initscr();
e = c.printw("Hello World !!!");
e = c.refresh();
e = c.getch();
e = c.endwin();
}
Despite the symbol soup and chronic fear of fully writing out English words, it’s not too hard to understand what this code is supposed to do. The @cImport() block allows you to include C headers, which in this case allows us to import the standard ncurses header, requiring us to only link against the system ncurses library later on. What’s not inspiring much confidence is that it’s clear at this point already that Zig is a weakly-typed language, bringing back highly unwanted embedded JavaScript flashbacks.

While prodding at writing a standard Makefile to compile this code, the reality of the Zig build system began to hit. You can only use the zig command, which requires a special build file written in Zig, so you have to compile Zig to compile Zig, instead of using Make, CMake, Ninja, meson, etc. as is typical. Worse is that Zig’s API is being changed constantly, so that the sample build.zig code that I had copied no longer worked and had to be updated to get the following:
const std = @import("std");

pub fn build(b: *std.Build) void {
const target = b.standardTargetOptions(.{});
const optimize = b.standardOptimizeOption(.{});
const exe = b.addExecutable(.{
.name = "ncurses",
.root_source_file = b.path("main.zig"),
.target = target,
.optimize = optimize,
});

exe.linkSystemLibrary("c");
exe.linkSystemLibrary("ncurses");
b.installArtifact(exe);
}
With this change in place, I no longer got compile errors for the build file, but even after deleting the .zig-cache folder that the toolchain creates I kept getting the same linker errors:

While I’m sure that all of this is solvable, I was looking for a solution to my problems, not to get new problems. Instead I got a lack of strong typing, an oddly verbose syntax, ever-shifting APIs, being strong-armed into giving up the build tools of one’s choosing and finally some weird linker errors that probably require constant nuking of caches as one has to already suffer through with CMake and Gradle.

It is time to zigzag out of dodge to the next language.

Rusted Expectations

As mentioned earlier, Rust is a few years older than Zig, and in addition it has seen a lot more support from developers and companies. Its vibrant community is sure to remind you of these facts at any opportunity they get, along with how Rust cures all ills. Ignoring the obvious memory safety red herring, what problems can Rust solve for us?

Following the same pattern as with Zig, we first have to set up a development environment with the Rust toolchain and the ability to use ncurses. Unlike with Zig, we apparently cannot use C (or C++) code directly, so the recommendation is to use a wrapper. From its code we can worryingly tell that it is also a weakly-typed language by the use of type inference, and the fact that the unsafe keyword is required to cooperate with C interfaces gives even great cause for concern. Ideally you’d not do the equivalent of hammering in raw assembly when writing C either, as this bypasses so many checks.

Regardless, the task is to figure out how to use this ncurses-rs wrapper, despite it already being EOL-ed. Rather than dealing with this ‘cargo’ remote repository utility and reliving traumatic memories of remote artefact repositories with NodeJS, Java, etc., we’ll just copy the .rs files of the wrapper directly into the source folder of the project. It’s generally preferred to have dependencies in the source tree for security reasons unless you have some level of guarantee that the remote source will be available and always trustworthy.

Although you can use the rustc compiler directly, it provides an extremely limited interface compared to e.g. Clang and GCC. After trying to understand and massage dependency paths for the included files (modules) for a while, the sad result is always another fresh series of errors, like:
The frustrating end to trying out Rust.
At this point any enthusiasm for doing more with Rust has already rapidly oxidized and decayed into sad shards of ferrous oxide.

Workflow Expectations

Most of my exposure to Rust and Zig prior to this experience had been from a theoretical and highly academical perspective, but actually trying to use a language is when you really begin to develop feelings that tell you whether the language is something you’re interested in. In my case these feelings were for both languages primarily frustration, mixed with an urge to get away from the whole thing as soon as possible.

This contrasts heavily with my recent experiences with COBOL, which saw me working for days on code and figuring out the language, but with a feeling of almost giddy joy at grasping yet another concept or mechanism. What helped a lot here is that the COBOL toolchains are just typical GCC compilers with the whole feature set, which means that you can use them with any build system of your choice.

Even with the Ada toolchain and its multi-step process of module dependency resolving, compiling and linking you can use these tools any way you like. It’s this kind of freedom that is at least in my view an essential part of a good development environment, as it gives the developer the choice of how to integrate these into their workflow.

The workflow with Zig and Rust reminds me mostly of the harrowing struggle with Android development and its Gradle-based environment. You get similar struggles with just getting the basic thing off the ground, are always dealing with baffling errors that may or may not be related to a component that’s a few versions too old or new, and basically it’s just a gigantic waste of time.

Even ignoring whether Zig and Rust are or can become good languages, it is this complete disregard for individual workflow preferences that’s probably the most off-putting to me, and reason to avoid these ecosystems at all cost. Something which I wish I could do with Gradle as well, but I digress.

In the end I think I’ll be sticking with C++, with a bit of C and an increasing amount of Ada and Fortran on the side. Unless you’re being paid big bucks, there is no reason to put yourself through the suffering of a workflow you loathe.

hackaday.com/2025/07/01/c-enco…

People have been coming up with clever ways to bring light to the darkness since we lived in caves, so it’s no surprise we still love finding interesting ways to illuminate our world. [Michael] designed a simple, but beautiful, book lamp that’s easy to assemble yourself.

This build really outshines its origins as an assembly of conductive tape, paper, resistors, LEDs, button cells, and a binder clip. With a printable template for the circuit, this project seems perfect for a makerspace workshop or school science project kids could take home with them. [Michael] walks us through assembling the project in a quick video and even has additional information available for working with conductive tape which makes it super approachable for the beginner.

The slider switch is particularly interesting as it allows you to only turn on the light when the book is open using just conductive tape and paper. We can think of a few other ways you could control this, but they quickly start increasing the part count which makes this particularly elegant. By changing the paper used for the shade or the cover material for the book, you can put a fun spin on the project to match any aesthetic.

If you want to build something a little more complex to light your world, how about a 3D printed Shoji lamp, a color-accurate therapy lamp, or a lamp that can tell you to get back to work.

youtube.com/embed/ggw1bmISklU?…

hackaday.com/2025/07/01/diy-bo…

The Hack The Promise Festival in Basel has firmly established itself as a pivotal platform where international experts, activists, and engaged communities come together for interdisciplinary discussions on the social, political, and technical challenges of digital transformation. The 2024 festival revolved around the theme “fact/fake/fiction,” exploring how truth, fiction, and manipulation increasingly intertwine in digital spaces and what this means for democratic societies.

At last year’s event, Schoresch Davoodi delivered his lecture in German, titled „Fakten und Fiktionen – Wie die Gesellschaft durch Unsicherheit gestresst wird“ (“Facts and Fictions – How Society is Stressed by Uncertainty”). His presentation moved beyond a mere description of digital phenomena, analyzing how overlapping global crises—such as pandemics, wars, and economic challenges—create a collective societal stress that heightens vulnerability to misinformation and manipulation.

Davoodi critically assessed current political responses as often symptomatic, addressing surface issues rather than the underlying causes like diffuse social anxieties and psychological strain. His approach combines technical perspectives with socio-psychological insights, offering a holistic analysis that remains relatively uncommon in the programmatic discussions of many Pirate Parties.

He also reflected critically on the role of NGOs in political discourse, cautioning against the risk that NGO-affiliated structures might act more as instruments of control than as independent actors, potentially limiting democratic pluralism and open debate. This perspective encourages important discussions regarding the influence of civil society organizations in net politics and democratic participation.

Philosophically, Davoodi’s lecture drew on Immanuel Kant’s Enlightenment theory and critiques of dogmatic thinking, emphasizing the necessity of independent thought and the rejection of authoritarian mentalities. This normative framing adds depth, extending beyond purely technical or political considerations.

The Hack The Promise Festival is widely recognized for fostering critical and interdisciplinary dialogue. Within this context, Davoodi’s lecture provides valuable programmatic impulses for Pirate Parties internationally. It signals a strategic shift away from solely activist-driven approaches towards a more reflective and mature political stance that emphasizes education, resilience, and a pluralistic discourse culture.

By addressing current challenges in digital society and highlighting the necessary evolution in net politics, this contribution holds significant relevance for Pirate Parties worldwide. The festival thus plays an important role in advancing the international debate on democracy and digital freedom, helping to strengthen it for the future.

Looking Ahead: Hack The Promise Festival 2025

The next Hack The Promise Festival is scheduled for October 3–5, 2025, and will take place at the Padelhalle Klybeck in Basel. The upcoming edition will explore hacking as a socio-technical practice. This goes beyond computer specialists, focusing on opening up systems to challenge and change societal structures—be they technological, political, epistemic, or social. The aim is to disrupt power dynamics and envision new futures beyond imposed limitations.

Author: Schoresch Davoodi

pp-international.net/2025/07/h…

Gli esperti hanno scoperto una nuova campagna malware chiamata Silver Fox (nota anche come Void Arachne) che utilizza falsi siti web. Le risorse presumibilmente distribuiscono software popolari (WPS Office, Sogou e DeepSeek), ma in realtà vengono utilizzate per diffondere il RAT Sainbox e il rootkit open source Hidden.

Secondo Netskope Threat Labs, i siti di phishing (come wpsice[.]com) distribuiscono programmi di installazione MSI dannosi in cinese, il che significa che questa campagna è rivolta a utenti di lingua cinese. “Il payload del malware include Sainbox RAT, una variante di Gh0st RAT e una variante del rootkit open source Hidden”, hanno affermato i ricercatori.

Non è la prima volta che Silver Fox usa questa tattica. Ad esempio, nell’estate del 2024, eSentire ha descritto una campagna rivolta agli utenti cinesi di Windows tramite siti che presumibilmente erano progettati per scaricare Google Chrome e distribuire il RAT Gh0st. Inoltre, nel febbraio 2025, gli analisti di Morphisec scoprirono un’altra campagna su un sito web falso che distribuiva ValleyRAT (noto anche come Winos 4.0) e un’altra versione di Gh0st RAT.

Come riportato da Netskope, questa volta gli installer MSI dannosi scaricati da siti falsi sono progettati per avviare un file eseguibile legittimo shine.exe, che carica la DLL dannosa libcef.dll utilizzando una tecnica di caricamento laterale. Il compito principale di questa DLL è estrarre ed eseguire lo shellcode dal file di testo 1.txt presente nel programma di installazione, che alla fine porta all’esecuzione di un altro payload DLL: il trojan di accesso remoto Sainbox.

“La sezione .data del payload studiato contiene un altro binario PE che può essere eseguito a seconda della configurazione del malware”, osservano gli esperti. “Il file incorporato è un driver rootkit basato sul progetto open source Hidden“

Il suddetto Trojan Sainbox ha la capacità di scaricare payload aggiuntivi e rubare dati, mentre Hidden fornisce agli aggressori una serie di funzionalità per nascondere processi e chiavi correlati al malware nel registro di Windows sugli host compromessi.

L’obiettivo principale del rootkit è nascondere processi, file, chiavi e valori di registro. Come spiegano i ricercatori, utilizza un mini-filtro e callback del kernel per raggiungere questo obiettivo. Hidden può anche proteggere se stesso e processi specifici e contiene un’interfaccia utente accessibile tramite IOCTL.

“L’utilizzo di varianti di RAT commerciali (come Gh0st RAT) e rootkit open source (come Hidden) offre agli aggressori controllo e furtività senza richiedere molto sviluppo personalizzato”, afferma Netskope.

L'articolo Nuova campagna malware Silver Fox: diffonde RAT e rootkit tramite falsi siti web proviene da il blog della sicurezza informatica.

There are all manner of musical myths, covering tones and melodies that have effects ranging from the profound to the supernatural. The Pied Piper, for example, or the infamous “brown note.”

But what about a song that could crash your laptop just by playing it? Even better, a song that could crash nearby laptops in the vicinity, too? It’s not magic, and it’s not a trick—it was just a punchy pop song that Janet Jackson wrote back in 1989.

Rhythm Nation

As told by Microsoft’s Raymond Chen, the story begins in the early 2000s during the Windows XP era. Engineers at a certain OEM laptop manufacturer noticed something peculiar. Playing Janet Jackson’s song Rhythm Nation through laptop speakers would cause the machines to crash. Even more bizarrely, the song could crash nearby laptops that weren’t even playing the track themselves, and the effect was noted across laptops of multiple manufacturers.

youtube.com/embed/OAwaNWGLM0c?…

Rhythm Nation was a popular song from Jackson’s catalog, but nothing about it immediately stands out as a laptop killer.

After extensive testing and process of elimination, the culprit was identified as the audio frequencies within the song itself. It came down to the hardware of the early 2000s laptops in question. These machines relied on good old mechanical hard drives. Specifically, they used 2.5-inch 5,400 RPM drives with spinning platters, magnetic heads, and actuator arms.
The story revolves around 5,400 RPM laptop hard drives, but the manufacturer and model are not public knowledge. No reports have been made of desktop PCs or hard disks suffering the same issue. Credit: Raimond Spekking, CC BY-SA 4.0
Unlike today’s solid-state drives, these components were particularly susceptible to physical vibration. Investigation determined that something in Rhythm Nation was hitting a resonant frequency of some component of the drive. When this occurred, the drive would be disturbed enough that read errors would stack up to the point where it would trigger a crash in the operating system. The problem wasn’t bad enough to crash the actual hard drive head into the platters themselves, which would have created major data loss. It was just bad enough to disrupt the hard drive’s ability to read properly, to the point where it could trigger a crash in the operating system.
A research paper published in 2018 investigated the vibrational characteristics of a certain model of 2.5-inch laptop hard drive. It’s not conclusive evidence, and has nothing to do with the Janet Jackson case, but it provides some potentially interesting insights as to why similar hard drives failed to read when the song was played. Credit: Research paper
There was a simple workaround for this problem, that was either ingenious or egregious depending on your point of view. Allegedly, the OEM simply whipped up a notch filter for the audio subsystem to remove the offending frequencies. The filter apparently remained in place from the then-contemporary Windows XP up until at least Windows 7. At this point, Microsoft created a new rule for “Audio Processing Objects” (APO) which included things like the special notch filter. The rule stated that all of these filters must be able to be switched off if so desired by the user. However, the story goes that the manufacturer gained a special exception for some time to leave their filter APO on at all times, to prevent users disabling it and then despairing when their laptops suddenly started crashing unexpectedly during Janet Jackson playlists.

As for what made Rhythm Nation special? YouTuber Adam Neely investigated, and came up with a compelling theory. Having read a research paper on the vibrational behavior of a 2.5-inch 5,400 RPM laptop hard disk, he found that it reported the drive to have its largest vibrational peak at approximately 87.5 Hz. Meanwhile, he also found that Rhythm Nation had a great deal of energy at 84.2 Hz. Apparently, the recording had been sped up a touch after the recording process, pushing the usual low E at 82 Hz up slightly higher. The theory being that the mild uptuning in Rhythm Nation pushed parts of the song close enough to the resonant frequency of some of the hard drive’s components to give them a good old shaking, causing the read errors and eventual crashes.

It’s an interesting confluence of unintended consequences. A singular pop song from 1989 ended up crashing laptops over a decade later, leading to the implementation of an obscure and little-known audio filter. The story still has holes—nobody has ever come forward to state officially which OEM was involved, and which precise laptops and hard drives suffered this problem. That stymies hopes for further research and recreation of this peculiarity. Nevertheless, it’s a fun tech tale from the days when computers were ever so slightly more mechanical than they are today.

hackaday.com/2025/07/01/one-la…

It’s been awhile since we checked in with Canada’s Edison Motors, so let’s visit [DeBoss Garage] for an update video. To recap, Edison Motors is a Canadian company building diesel-electric hybrid semi-trucks and more.
The last interesting thing to happen in Donald, BC was when it burned down in the 1910s.
Well, they’ve thankfully moved out of the tent in their parents’ back yard where the prototype was built. They’ve bought themselves a company town: Donald, British Columbia, complete with a totally-not-controversial slogan “Make Donald Great Again”.

More interesting is that their commercial-off-the-shelf (COTS), right-to-repair centered approach isn’t just for semi-trucks: they’re now a certified OEM manufacturer of a rolling heavy truck chassis you can put your truck cab or RV body on, and they have partnered with three coach-builders for RVs and a goodly number of manufacturing partners for truck conversion kits. The kits were always in the plan, but selling the rolling chassis is new.

One amazingly honest take-away from the video is the lack of numbers for the pickups: top speed, shaft horsepower, torque? They know what all that should be, but unlike the typical vaporware startup, Edison won’t tell you the engineering numbers on the pickup truck kits until it has hit the race track and proved itself in the real world. These guys are gear-heads first and engineers second, so for once in a long time the adage “engineers hate mechanics” might not apply to a new vehicle.

The dirt track is the first thing under construction in Donald, so hopefully the next update we hear from Edison Motors will include those hard numbers, including pesky little things like MSRP and delivery dates. Stay tuned.

In our last post about an electric truck, a lot of you in the comments wanted something bigger, heavier duty, not pure battery, and made outside the USA. Well, here it is.

youtube.com/embed/DnmCvAZIW38?…

Thanks to [Keith Olson] for the tip. Remember, the lines are always open!

hackaday.com/2025/07/01/move-o…