Sono state identificate diverse vulnerabilità nei prodotti Cisco Identity Services Engine (ISE) e Cisco ISE Passive Identity Connector (ISE-PIC) che potrebbero consentire a un utente malintenzionato remoto di eseguire comandi arbitrari sul sistema operativo sottostante con privilegi di amministratore.

Cisco ha già rilasciato aggiornamenti software per correggere queste vulnerabilità e, al momento, non risultano disponibili soluzioni alternative per mitigarle. Un attaccante remoto potrebbe sfruttare tali vulnerabilità per ottenere accesso con privilegi di root ed eseguire comandi sul sistema.

Le vulnerabilità sono indipendenti tra loro: ciò significa che lo sfruttamento di una non è condizione necessaria per sfruttare le altre. Inoltre, una determinata versione software vulnerabile a una di queste problematiche potrebbe non essere interessata dalle restanti.

CVE-2025-20281 e CVE-2025-20337: vulnerabilità di esecuzione di codice remoto non autenticato dell’API Cisco ISE

Diverse vulnerabilità in una specifica API di Cisco ISE e Cisco ISE-PIC potrebbero consentire a un aggressore remoto non autenticato di eseguire codice arbitrario sul sistema operativo sottostante come utente root . L’aggressore non necessita di credenziali valide per sfruttare queste vulnerabilità.

Queste vulnerabilità sono dovute a una convalida insufficiente dell’input fornito dall’utente. Un aggressore potrebbe sfruttarle inviando una richiesta API contraffatta. Un exploit riuscito potrebbe consentire all’aggressore di ottenere privilegi di root su un dispositivo interessato.

CVE-2025-20282: Vulnerabilità di esecuzione di codice remoto non autenticato nell’API Cisco ISE

Una vulnerabilità in un’API interna di Cisco ISE e Cisco ISE-PIC potrebbe consentire a un aggressore remoto non autenticato di caricare file arbitrari su un dispositivo interessato e quindi eseguire tali file sul sistema operativo sottostante come root .

Questa vulnerabilità è dovuta alla mancanza di controlli di convalida dei file che impedirebbero il posizionamento dei file caricati in directory privilegiate su un sistema interessato. Un aggressore potrebbe sfruttare questa vulnerabilità caricando un file contraffatto sul dispositivo interessato. Un exploit riuscito potrebbe consentire all’aggressore di memorizzare file dannosi sul sistema interessato e quindi eseguire codice arbitrario o ottenere privilegi di root sul sistema.

L'articolo 3 bug da score 10 sono stati rilevati in Cisco ISE e ISE-PIC: aggiornamenti urgenti proviene da il blog della sicurezza informatica.

Sophos ha annunciato di aver risolto tre distinte vulnerabilità di sicurezza in Sophos Intercept X per Windows e nel relativo programma di installazione. Queste problematiche, identificate con i codici CVE-2024-13972, CVE-2025-7433 e CVE-2025-7472, sono state classificate con un livello di gravità “Alto”. Il bollettino di sicurezza, con ID pubblicazione sophos-sa-20250717-cix-lpe, è stato aggiornato e pubblicato il 17 luglio 2025 e non prevede soluzioni alternative temporanee. I prodotti interessati sono Sophos Intercept X Endpoint e Intercept X per il server.

La prima vulnerabilità, CVE-2024-13972, riguarda un problema di permessi nel registro durante l’aggiornamento di Intercept X per Windows. Questa falla avrebbe potuto consentire a un utente locale di ottenere privilegi a livello di sistema durante il processo di aggiornamento del prodotto. Sophos ha ringraziato Filip Dragovic di MDSec per aver segnalato responsabilmente questa vulnerabilità.

La seconda criticità, CVE-2025-7433, è una vulnerabilità di escalation dei privilegi locali nel componente Device Encryption di Sophos Intercept X per Windows. Questa falla avrebbe potuto permettere l’esecuzione di codice arbitrario. Sophos ha espresso gratitudine a Sina Kheirkhah (@SinSinology) di watchTowr per la sua segnalazione responsabile.

Infine, la CVE-2025-7472 è una vulnerabilità di escalation dei privilegi locali scoperta nel programma di installazione di Intercept X per Windows. Se il programma di installazione fosse stato eseguito con privilegi di sistema (SYSTEM), un utente locale avrebbe potuto ottenere privilegi a livello di sistema.

Questa vulnerabilità è stata scoperta e segnalata a Sophos tramite il suo programma bug bounty, con un ringraziamento particolare a Sandro Poppi per la sua segnalazione responsabile. Per i clienti che utilizzano versioni precedenti del programma di installazione per distribuire attivamente endpoint e server, è fondamentale scaricare la versione più recente del programma di installazione da Sophos Central.

Per la maggior parte dei clienti, non è richiesta alcuna azione manuale. Ciò è dovuto al fatto che, per impostazione predefinita, i clienti che utilizzano la politica di aggiornamento predefinita ricevono automaticamente gli aggiornamenti per i pacchetti raccomandati. Questo assicura che le correzioni per queste vulnerabilità vengano installate senza intervento dell’utente.

Tuttavia, i clienti che utilizzano pacchetti di Supporto a Termine Fisso (FTS) o Supporto a Lungo Termine (LTS) devono intraprendere un’azione per ricevere queste correzioni. È necessario che questi utenti eseguano un aggiornamento per assicurarsi che le patch di sicurezza siano applicate ai loro sistemi.

L'articolo Sophos risolve vulnerabilità in Intercept X per Windows proviene da il blog della sicurezza informatica.

Over on his YouTube channel [Pat Deegan] from Psychogenic Technologies shows us two KiCad tips to save a million clicks.

In the same way that it makes sense for you to learn to touch type if you’re going to be using a computer a lot, it makes sense for you to put some thought and effort into your KiCad keyboard shortcuts keys, too.

In this video [Pat] introduces the keymap that he has come up with for the KiCad programs (schematic capture and PCB layout) and explains the rules of thumb that he used to generate his recommended shortcut keys, being:

• one handed operation; you should try to make sure that you can operate the keyboard with one hand so your other hand can stay on your mouse
• proximity follows frequency; if you use it a lot it should be close to hand
• same purpose, same place; across programs similar functions should share the same key
• birds of a feather flock together; similar and related functionality kept in proximate clusters
• typing trounces topography; if you have to use both hands for typing you have to take your hand off the mouse anyway so then it doesn’t really matter where on the keyboard the shortcut key is

You can find importable KiCad keymaps and customizable SVG cheatsheets in the downloads section of his notes.

[Pat]’s video includes some other tips and commentary (he gives you free access to a KiCad course he has put together) but for us the big takeaway was the keymaps. Also, if you haven’t been keeping abreast of developments, KiCad is now at version 9, as of February this year.

youtube.com/embed/T-voZId8eyw?…

hackaday.com/2025/07/17/improv…

What has 8 ARM cores, 8 GB of RAM, fits in a pocket, and runs NixOS? It’s no pi-clone SBC, but [MWLabs]’s smartphone– a OnePlus 6, to be precise.

The video embedded below, and the git link above, are [MWLabs]’s walk-through for loading the mobile version of Nix onto the cell phone, turning it into a tiny-screened Linux computer. He’s using the same flake on the phone as on his desktop, which means he gets all the same applications set up in the same way– talk about convergence. That’s an advantage to Nix in this application, compared to the usual Alpine-based PostMarketOS.

Of course some of the phone-like features of this pocket-computer are lacking: the SIM is detected, and he can text, but 4G is nonfunctional. The rear camera is also not there yet, but given that Mobile-NixOS builds on the work done by well-established PostMarketOS, and PostMarketOS’ testing version can run the camera, it’s only a matter of time before support comes downstream. Depending what you need a tiny Linux device for, the camera functionality may or may not be of particular interest. If you’re like us, the idea of a mobile device running Nix might just intrigue you,

Smartphones can be powerful SBC alternatives, after all. You can even turn them into SBCs. As long as you don’t need a lot of GPIO, like for a server,a phone in hand might be worth two birds in the raspberry bush.

youtube.com/embed/yxfDNqZ9WTM?…

hackaday.com/2025/07/17/8-core…

In today’s high-speed information overload environment, we often find ourselves with too much data to take in at once, causing us to occasionally miss out on opportunities otherwise drowned out in noise. None of this is more evident in the realm of high-speed trading, whether it’s for stocks, commodities, or even crypto. Most of us won’t be able to build dedicated high speed connections directly to stock exchanges for that extra bit of edge over the other traders, but what we can do is build a system that keys us in to our cryptocurrency price of choice so we know exactly when to pull the trigger on a purchase or sale.

[rishab]’s project for doing this is based on an ESP32 paired with a 10″ touchscreen display. It gathers live data from Binance, a large cryptocurrency exchange that maintains various pieces of information about many digital currencies. [rishab]’s tool offers a quick, in-depth look at a custom array of coins, with data such as percentage change over a certain time and high and low values for that coin as well. The chart updates in real time, and [rishab] also built a feature in which scales coins up if they have been seeing large movements in price over short timeframes.

Although it’s not a direct fiber link into an exchange, it certainly has its advantages over keeping this information in a browser window on a computer where it could get missed, and since it’s dedicated hardware running custom firmware it can show you exactly what you need to see if you’re day trading crypto. Certainly projects like this are in the DIY spirit that crypto enthusiasts tout as ideals of the currency, and as people move away from mining and more into speculative trading we’d expect to see more projects like this.

youtube.com/embed/U1MZoj3MJso?…

hackaday.com/2025/07/17/esp32-…

Over on his YouTube channel [Tom Stanton] shows us how to build a Stirling Engine for a bike.

A Stirling Engine is a heat engine, powered by the expansion and contraction of a working fluid (such as air) which is heated and cooled in a cycle. In the video [Tom] begins by demonstrating the Stirling Engine with some model engines and explains the role of the displacer piston. His target power output for his bike engine is 150 watts (about 0.2 horsepower) which is enough power to cycle at about 15 mph (about 24 km/h). After considering a CPU heatsink as the cooling system he decided on water cooling instead.

[Tom] goes on to 3D print and machine various parts for his bike engine. He uses myriad materials including aluminum and Teflon. He isn’t yet comfortable machining steel, so he had the steel part he needed for handling the hot end of the engine manufactured by a third party.

[Tom] explains that when he started the project he had intended to make a steam engine. But after some preliminary research he discovered that a Stirling Engine was a better choice, particularly they are quieter, more efficient, and safer. After a number of false starts and various adjustments he manages to get his engine to run, which is pretty awesome. Standby for part two to see the bike in action!

We have covered the Stirling Engine here on Hackaday many times before. You might like to read about how to create one with minimal parts or how to make one from expedient materials.

youtube.com/embed/zB3lrLjqIh4?…

hackaday.com/2025/07/17/buildi…

On Thursday, Demand Progress and Freedom of the Press Foundation (FPF) filed an ethics complaint against Edward L. Artau, a Florida judge who was nominated by President Donald Trump to a federal district court after delivering a favorable ruling for Trump in his defamation lawsuit against the Pulitzer Board. The ethics complaint asks the D.C. Court of Appeals and the Florida Judicial Qualifications Commission to investigate Artau for potentially breaking rules requiring judges to recuse themselves to avoid conflicts of interest, remain impartial, avoid impropriety, and avoid giving false statements.

Politico reported that Artau, who sought for Trump to nominate him shortly after the president won the 2024 presidential election, later ruled in Trump’s favor as part of a panel of state appellate judges deciding whether to allow the president’s lawsuit against the Pulitzer Prize Board to move forward. After joining a favorable panel ruling for Trump, and after going out of his way to write a gratuitous solo concurrence praising the lawsuit’s claims on the merits, Artau was nominated to be a judge on South Florida’s U.S. trial court. Artau later gave an incomplete and misleading testimony about these events to the Senate Judiciary Committee while under oath.

“A federal judge’s goal should be upholding the law and the American people’s confidence in the judiciary, not delivering whatever the president wants so that they can get a job,” said Emily Peterson-Cassin, director of corporate power at Demand Progress. “Judge Ed Artau’s behind-closed-doors jockeying for his nomination, his failure to recuse himself from the Pulitzer lawsuit and his misleading testimony to the Senate all raise bright red flags that need to be investigated.”

Seth Stern, director of advocacy at Freedom of the Press Foundation, said: “Judges should be safeguarding us against President Trump’s frivolous attacks on the free press, the First Amendment and the rule of law. Instead, Judge Artau seems eager to facilitate Trump’s unconstitutional antics in exchange for a job. That’s far from the level of integrity that the Rules of Professional Conduct demand. Attorney disciplinary commissions need to rise to this moment and not tolerate ethical violations that impact not only individuals before the court but our entire democracy.”

Read the Complaint here or below.

freedom.press/static/pdf.js/we…

freedom.press/issues/fpf-deman…

Our next PPI board meeting will take place on 05.08.2025 at 14:00 UTC / 16:00 CEST.

All official PPI proceedings, Board meetings included, are open to the public. Feel free to stop by. We’ll be happy to have you.

Where:jitsi.pirati.cz/PPI-Board

The prior meeting was unfortunately delayed.

Prior to that meeting a SCENE meeting is scheduled on July 22 at 7 pm/ UTC 9 pm CEST.

All of our meetings are posted to our calendar: pp-international.net/calendar/

We look forward to seeing visitors.

Thank you for your support,

The Board of PPI

pp-international.net/2025/07/n…

Do you feel nostalgia for a childhood novelty toy that had potential but ultimately fell short of its promise? Do you now have the skills to go make a better version of that toy to satisfy your long-held craving? [ExpensivePlasticCrap] does and has set off on a mission to make a better jumping bean.

Jumping beans, the phenomenon on which the novelty of [ExpensivePlasticCrap]’s childhood is based, are technically not beans, and their movement is arguably not a jump — a small hop at best. The trick is that the each not-a-bean has become the home to moth larvae that twitches and rolls on the ground as the larvae thrash about, trying to move their protective shells out of the hot sun.

The novelty bean was a small plastic pill-like capsule with a ball bearing inside what would cause the “bean” to move in unexpected ways as it rolled around. [ExpensivePlasticCrap]’s goal is to make a jumping bean that lives up to its name.

Various solenoids and motors were considered for the motion component of this new and improved bean. Ultimately, it was a small sealed vibrating motor that would be selected to move the bean without getting tangled in what was to become a compact bundle of components.

An ATtiny microcontroller won out over discrete components for the job of switching the motor on and off (once per second), for ease of implementation. Add this along with a MOSFET, battery and charging board for power into a plastic capsule, and the 1 Hz jumping bean was complete.

[ExpensivePlasticCrap] offers some thoughts on how to get more jump out of the design by reducing the weight of the build and giving it a more powerful source of motion.

If insect-inspired motion gets you jumping, check out this jumping robot roach and these tiny RoboBees.

hackaday.com/2025/07/17/2025-o…

On this date in 1975, a Soviet and an American shook hands. Even for the time period, this wouldn’t have been a big deal if it wasn’t for the fact that it happened approximately 220 kilometers (136 miles) over the surface of the Earth.
Crew of the Apollo–Soyuz Test Project
Although their spacecraft actually launched a few days earlier on the 15th, today marks 50 years since American astronauts Thomas Stafford, Vance Brand, and Donald “Deke” Slayton docked their Apollo spacecraft to a specifically modified Soyuz crewed by Cosmonauts Alexei Leonov and Valery Kubasov. The two craft were connected for nearly two days, during which time the combined crew was able to freely move between them. The conducted scientific experiments, exchanged flags, and ate shared meals together.

Politically, this very public display of goodwill between the Soviet Union and the United States helped ease geopolitical tensions. On a technical level, it not only demonstrated a number of firsts, but marked a new era of international cooperation in space. While the Space Race saw the two counties approach spaceflight as a competition, from this point on, it would largely be treated as a collaborative endeavour.

The Apollo–Soyuz Test Project lead directly to the Shuttle–Mir missions of the 1990s, which in turn was a stepping stone towards the International Space Station. Not just because that handshake back in 1975 helped establish a spirit of cooperation between the two space-fairing nations, but because it introduced a piece of equipment that’s still being used five decades later — the Androgynous Peripheral Attach System (APAS) docking system.

Meeting in the Middle

While the Apollo–Soyuz Test Project was the first time spacecraft from two different countries linked up, it was far from the first docking in space. The Apollo program relied heavily on the concept, as the Command Module and Lunar Module would dock and undock multiple times on each lunar mission. For their part, the Soviets had also docked a pair of Soyuz capsules together as early as 1967. By the early 1970s, both nations had also docked spacecraft to their respective space stations.

The problem was, the docking systems used by both countries weren’t compatible with each other. In fact, things were changing so fast that even vehicles from the same country couldn’t necessarily dock with each other. For example, an American Gemini capsule wouldn’t be able to dock with Skylab. Of course, this isn’t terribly surprising. At this point, most of the hardware was mission-specific, and only flew once.

What was the Apollo–Soyuz Test Project needed was a standardized docking interface that took into account the lessons learned by both countries so far. By 1970, Soviet and US engineers had started meeting and exchanging information to decide what such a docking standard would look like. It was decided early on that this new docking standard should be androgynous — rather than having distinct “male” and “female” variants as was the norm with earlier docking ports. In this way, the same docking port could be used to support two spacecraft docking together as was planned for the Apollo–Soyuz Test Project, while at the same time allowing a vehicle to dock to a space station.

This capability was so key to the design that the docking standard ultimately came to be known as the Androgynous Peripheral Attach System. While the US and Soviet versions did differ slightly, they were mechanically compatible with each other. Some elements of the design were the result of a compromise, such as the overall diameter of the port being limited to the size of the existing Apollo and Soyuz capsules, but otherwise it was hoped the concept would prove useful for future missions and spacecraft from both nations.

Built to Last

The Apollo–Soyuz Test Project was the only time an Apollo and Soyuz spacecraft docked in space. In fact, it was the last time an Apollo spacecraft flew — after the conclusion of this mission, there wouldn’t be anther crewed American mission until the Space Shuttle came online nearly six years later.

But once the Americans started flying the Shuttle, and the Soviets had established their Mir space station, it wasn’t long before the two would meet. The Soviets had already designed a modified version of APAS that they called APAS-89, which was intended to allow the Buran spacecraft to dock with Mir. Buran never made it past the testing phase, but the work on the docking port ended up being adapted once more for the Shuttle. This final version of the standard became known as APAS-95, and was used until the final Shuttle-Mir mission in June of 1998.
The International Space Station
APAS-95 performed so well during the Mir missions that it was decided the Shuttle would continue to use it for the International Space Station. In addition, APAS-95 (as well as a modified “hybrid” version) would also be used to hold together the core US and Russian modules of the Station.

It was the defacto docking standard used until the introduction of the International Docking Adapter in 2015, which converted the exposed APAS-95 ports used for visiting American spacecraft to a newer design to be used by modern vehicles such as the SpaceX Dragon and Boeing Starliner.

While it has now been retired for the International Docking System Standard (IDSS), the ISS is still being held together by APAS-95, and will remain that way until the space laboratory is eventually de-orbited. Not a bad legacy for a technology initially developed for a simple handshake.

hackaday.com/2025/07/17/the-ap…

Feeling nostalgic? Weren’t around in the 90s but wonder what it was like? ProtoWeb has you covered! Over on his YouTube channel [RetroTech Chris] shows you how to browse the web like it’s 1995.

The service that [RetroTech Chris] introduces is on the web over here: protoweb.org. The way it works is that you configure your browser to use the service’s proxy server, then the service will be able to intercept your browsing activity and serve you old content from its cache. Also, for some supported sites, you will see present-day content but presented in the format you would have seen in the 90s. Once you have configured your browser to use the ProtoWeb proxy you can navigate to inode.com/ where you will find a directory listing of sites which have been archived or emulated within the service.

In his video [RetroTech Chris] actually demos some of the old web browsers running on old hardware, which is a very good recreation of what things were like. If you want the most realistic experience you can even configure ProtoWeb to slow down your network connection to the speed of a 56k dial-up modem. There are some things from the 90s that we miss, but waiting for websites to load isn’t one of them!

We had a look in our own archive to see how far back we here at Hackaday could go, and we found our first post, from September 2004: Radioshack Phone Dialer – Red Box. A red box! Spicy.

youtube.com/embed/-Qs3LVPmLgk?…

Thanks to [Teejay] for writing in about this one.

hackaday.com/2025/07/17/protow…

Пиратская партия Германии на сайте Пиратского Интернационала обратила внимание на важную проблему: корпорации преследуют людей за создание мемов, не имеющих коммерческой цели.

Мемы, пародии и интернет-фольклор — важная часть современной культуры. Они рождаются в сетевых сообществах, переосмысливают медиа и становятся новым языком общения. Но так называемые правообладатели пытаются приватизировать даже те образы, которые давно стали частью общественного достояния.

В России, как и во всём мире, люди сталкиваются с аналогичными проблемами. Правообладатели активно подают в суд за использование мемов, даже если они созданы для развлечения. Например, «Си Ди Лэнд Контакт», приватизировавший Ждуна, несколько раз судился за его использование, Москвариум заявил о намерении зарегистрировать товарный знак «Рыбов показываем», петербургский предприниматель пытался, впрочем, безуспешно, зарегистрировать товарный знак «Как тебе такое, Илон».

Эта мировая практика показывает, как устаревшие законы о так называемом авторском праве, которое в первую очередь защищает не автора, а правообладателя, то есть, того, кто первым подберёт плохо лежащее, подавляют творчество и свободное выражение.

Пиратская партия России всецело поддерживает позицию ПП Германии.

Публикуем перевод их заявления:

Культура мемов — это здорово! Пираты обожают мемы. Мемы помогают людям делиться идеями и шутками. Но некоторые жадные создатели корпоративного контента нападают на тех, кто их создаёт. Они подают в суд на тех, кто создаёт мемы без какой-либо коммерческой цели. Мы должны дать этому отпор!

Один явный случай произошел в Германии. Фанаты создали мемы о героине детской книги Конни. Издатель разослал письма с требованием прекратить противоправные действия. Они угрожали аккаунту в <запрещённой в РФ соцсети с фотографиями>. И им это удалось. Они закрыли аккаунт. Они ограничили свободу слова. Они уничтожили собственное творение. Мемы позволили бы Конни выжить. Конни умрёт. Спасите Конни!

Хотя в Германии особенно строго относятся к «нарушению авторских прав», эта проблема носит глобальный характер и не ограничивается только мемами.

Такие случаи случаются в мире искусства. Disney разослал официальные уведомления о фан-арте.

Такие случаи происходят в игровой индустрии. Nintendo закрывает игры, созданные на основе их контента.

В музыкальной индустрии такое случается. Музыканты подают в суд на других музыкантов за ремиксы своих треков.

Они происходят в социальных сетях. Поклонников событий в Южной Корее предостерегли по поводу мемов о военном положении.

Мемы — это здорово! Переделки игр — это здорово! Ремиксы — это здорово! Протесты в социальных сетях — это здорово! Так общество развивается и создаёт новые формы самовыражения. Знания — производны. Мы учимся на истории и создаём новые версии, которые немного отличаются, но лучше.

Давайте потребуем защиты мемов! Ни один материал не должен быть заморожен авторским правом!

Вся история искусства — это цепочка заимствований, переосмыслений и новых интерпретаций. Шекспир перерабатывал старые сюжеты, музыканты делали каверы, а кинорежиссёры снимали ремейки. Сегодня цифровые технологии позволяют людям создавать новые формы искусства на основе существующих произведений, но корпорации хотят запретить это, превратив культуру в «закрытый клуб».

Наша цель — культура, которая принадлежит людям и авторам, а не так называемым правообладателям!

Вступайте в Пиратскую партию России и присоединяйтесь к борьбе за свободные мемы, открытые лицензии и право на ремиксы. Вместе мы сможем остановить цензуру и сохранить интернет как пространство творчества.

Сообщение Пираты любят мемы появились сначала на Пиратская партия России | PPRU.

Hanno cominciato ad ammazzare cattolici, stai a vedere che adesso comincia a importarcene qualcosa...

La presidente del Consiglio Giorgia Meloni ha condannato l’attacco contro la chiesa e in generale contro la popolazione civile con toni particolarmente duri: in un comunicato ha detto che «sono inaccettabili gli attacchi contro la popolazione civile che Israele sta dimostrando da mesi. Nessuna azione militare può giustificarla.

ilpost.it/2025/07/17/chiesa-sa…

Israele ha attaccato l’unica chiesa cattolica nella Striscia di Gaza

Quella della Sacra Famiglia: tre persone sono state uccise e nove ferite, fra cui il parroco

^{Il Post}

So far in the “Field Guide” series, we’ve mainly looked at critical infrastructure systems that, while often blending into the scenery, are easily observable once you know where to look. From the substations, transmission lines, and local distribution systems that make up the electrical grid to cell towers and even weigh stations, most of what we’ve covered so far are mega-scale engineering projects that are critical to modern life, each of which you can get a good look at while you’re tooling down the road in a car.

This time around, though, we’re going to switch things up a bit and discuss a less-obvious but vitally important infrastructure system: the cold chain. While you might never have heard the term, you’ve certainly seen most of the major components at one time or another, and if you’ve ever enjoyed fresh fruit in the dead of winter or microwaved a frozen burrito for dinner, you’ve taken advantage of a globe-spanning system that makes sure environmentally sensitive products can be safely stored and transported.

What’s A Cold Chain?

Simply put, the cold chain is a supply chain that’s capable of handling items that are likely to be damaged or destroyed unless they’re kept within a specific temperature range. The bulk of the cold chain is devoted to products intended for human consumption, mainly food but also pharmaceuticals and vaccines. Certain non-consumables also fall under the cold chain umbrella, including cosmetics, personal care products, and even things like cut flowers and vegetable seedlings. We’ll be mainly looking at the food cold chain for this article, though, since it uses most of the major components of a cold chain.

As the name implies, the cold chain is designed to maintain a fixed temperature over the entire life of a product. “Farm to fork” is a term often used to describe the cold chain, since the moment produce is harvested or prepared foods are manufactured, the clock starts ticking. The exact temperature required varies by food type. Many fruits and vegetables that ripen in the summer or early autumn can stand pretty high temperatures, at least for a while after harvesting, but some produce, like lettuces and fresh greens, will start wilting very quickly after harvest.

For extremely sensitive crops, the cold chain might start almost the second the crop is harvested. Highly perishable crops such as sweet corn, greens, asparagus, and peas require rapid cooling to remove field heat and to slow the biological processes that were still occurring within the plant tissues at the time of harvest. This is often accomplished right in the field with a hydrocooler, which uses showers or flumes of chilled water. Extremely perishable crops such as broccoli might even be placed directly into flaked ice in the field. Other, less-sensitive crops that can wait an hour or two will enter the cold chain only when they’re trucked a short distance to an initial processing plant.

Many foods, including different kinds of produce, fresh meat and fish, and lots of prepared meals, benefit from flash freezing. Flash freezing aims to reduce damage to the food by controlling the size and number of ice crystals that form within the cells of the plant or animal tissue. Simply putting a food item in a freezer and waiting for the heat to passively transfer out of it tends to form few but large ice crystals, which are far more damaging than the many tiny ice crystals that form when the heat is rapidly removed. Flash freezing methods include cryogenic baths using liquid nitrogen or liquid carbon dioxide, blast cooling with high-velocity jets of chilled air, fluidized bed cooling, where pressurized chilled air is directed upward through a bed of produce while it’s being agitated, and plate cooling, where chilled metal plates lightly contact flat, thin foods such as pizza or sliced fish.

youtube.com/embed/i0f-ychdTdE?…

Big and Cold

A very large public refrigerated warehouse. Note the high-bay storage area to the left, which houses a fully automated AS/RS freezer section. Source: Lineage Logistics.
Once food is chilled to the proper temperature, it needs to be kept at that temperature until it can be sold. This is where cold warehousing comes in, an important part of the cold chain that provides controlled-temperature storage space that individual producers simply can’t afford to maintain. The problem for farmers is that many crops are determinate, meaning that all the fruits or vegetables are ready for harvest more or less at the same time. Outsourcing their cold warehousing to companies that specialize in that part of the cold chain allows them to concentrate on growing and harvesting their crop instead of having to maintain a huge amount of storage space, which would sit unused for the entire growing season.

Cold warehouses, or public refrigerated warehouses (PRWs) as they’re known in the trade, benefit greatly from economies of scale, and since they accept produce from hundreds or even thousands of producers, their physical footprints can be staggering. The average PRW in the United States has grown in size dramatically since the post-pandemic e-commerce boom and now covers almost 185,000 square feet, or more than 4 acres. Most PRWs have four temperature zones: deep freeze (-20°F to -10°F) for items such as ice cream and frozen vegetables; freezer (0°F to 10°F) for meats and prepared foods; refrigerated (35°F to 45°F), for fresh fruits and vegetables; and cool storage, which is basically just consistent room-temperature storage for shelf-stable food items. What’s more, each zone can have sub-zones tailored specifically for foods that prefer a specific temperature; bananas, for example, do best around 46°F, making the fridge section too cold and the cool section too warm. Sub-zones allow goods to be stored just right.
A map of some of the key public refrigerated warehouses in the United States. Notice how there are practically none in the areas that raise primarily cereal grains. Source: map via ArcGIS, data from Global Cold Chain Alliance (public use).
Due to the nature of their business, location is critical to PRWs. They have to be close to where the food is produced as well as handy to transportation hubs, which means you’ve probably seen one of these behemoth buildings from a highway and not even known it. The map above highlights the main agricultural regions of the United States, such as the fruit and vegetable producers in the Central Valley of California and the Willamette Valley in Oregon, meat packing plants in the Upper Midwest, the hog and chicken producers in the South, and seafood producers along both coasts. It also shows a couple of areas with no PRWs, which are areas where agriculture is limited to cereal grains, which don’t require refrigeration after harvest, and livestock, which are usually shipped for slaughter somewhere other than where they were raised.

Thanks to the complicated logistics of managing multiple shippers and receivers, most cold warehouses have a level of automation that rivals that of an Amazon distribution center. A lot of the automation is found in the high-bay freezer, a space often three or four stories tall that has rack after rack of space for storing palletized products. Automated storage and retrieval systems (AS/RS) store and fetch pallets using large X-Y gantry systems running between the racks. Algorithms determine the best storage location for pallets based on their contents, the temperature regime they require, and the predicted length of stay within the warehouse.

While AS/RS reduces the number of workers needed to run a cold warehouse, and there are some fully automated PRWs, most cold warehouses maintain a large workforce to run forklifts, pick pallets, and assemble orders for shipping. These workers face significant health and safety challenges, risking everything from slips and falls on icy patches to trench foot and chill-induced arthritis and dermatitis. Cold-stress injuries, such as hypothermia and frostbite, are possible too. Warehouses often have to limit the number of hours their employees work in the cold zones, and they have to provide thermal wear along with the standard complement of PPE.

youtube.com/embed/mW11jmZUHoE?…

Reefer Madness

Once an order is assembled and ready to ship from the cold warehouse, food enters perhaps the most visible — and riskiest — link in the cold chain: refrigerated trucks and shipping containers. Known as reefers, these are specialized vehicles that have the difficult task of keeping their contents at a constant temperature no matter what the outside conditions might be. A reefer might have to deliver a load of table grapes from a PRW in California to a supermarket distribution center in Massachusetts, continue to Maine to pick up a load of live lobsters, and drop that off at a PRW in Florida before running a load of oranges to Washington.
Reefer trailers are one of the last links in the “farm to fork” cold chain. The diesel tank, which fuels the reefer and allows it to run with no tractor attached, can barely be seen between the legs of the trailer. Source: Felix Mizioznikov – stock.adobe.com
Meeting the challenge of all these conditions is the job of the refrigeration unit. Typically mounted in an aerodynamic fairing on the front of a semi-trailer unit, the refrigeration unit is essentially a heat pump on steroids. For over-the-road (OTR) reefers, as opposed to railcar reefers or shipping container reefers, the refrigeration unit is powered by a small but powerful diesel engine. Typically either three- or four-cylinder engines making 20 to 30 horsepower, these engines run the compressor that pumps the refrigerant through the condenser and evaporator, as well as the powerful fan that circulates air inside the trailer. Fuel for the engine is stored in a tank mounted under the trailer, allowing the reefer to run even when the trailer is parked with no tractor attached. The refrigeration unit is completely automatic, with a computer taking input from temperature sensors inside the trailer to make sure the interior remains at the setpoint. The computer also logs everything going on in the reefer, making the data available via a USB drive or to a central dispatcher via a telematics link.

The trailer body itself is carefully engineered, with thick insulation to minimize heat transfer to and from the outside environment while maximizing heat transfer between the produce and the air inside the trailer. For maximum cooling — or heating; if a load of bananas has to be kept at their happy place of 46°F while being trucked across eastern Wyoming in January, the refrigeration unit will probably have to run its cycle in reverse to add heat to the trailer — the air must reach the back of the unit. Reefer units use flexible ducts in the ceiling to direct the air 48 to 53 feet to the very back of the trailer, where it bounces off the rear doors and returns to the front of the trailer with the help of channels built into the floor. Shippers need to be careful when loading a reefer to obey load height limits and to correctly orient pallets so as not to block air circulation inside the trailer.

In addition to the data logging provided by the refrigeration unit, shippers will often include temperature loggers inside their shipments. Known generically to produce truckers as a “Ryan” for a popular brand, these analog strip chart recorders use a battery-powered motor to move a strip of paper past a bimetallic arm. Placed in a tamper-evident container, the recorder is placed within a pallet and records the temperature over a 10- to 40-day period. The receiver can break the seal open and see a complete temperature history of the shipment, detecting any accidental (or intentional; drivers sometimes find it hard to sleep with the reefer motor roaring right behind the sleeper cab) interruptions in the operation of the reefer.

Featured image: “Close Up of Frozen Vegetables” by Tohid Hashemkhani

hackaday.com/2025/07/17/a-fiel…

3D printing is arguably over-used in the maker community. It’s just so easy to run off a quick prototype and then… well, it’s good enough, right? Choosing the right plastic can go a long way to making sure your “good enough” prototype really is good enough for long term use. If you’re producing anything with gearing, you might want to cast your eyes to a study by [Mert Safak Tunalioglu] and [Bekir Volkan Agca] titled: Wear and Service Life of 3-D Printed Polymeric Gears.
No spin doctoring here, spinning gears.
The authors printed simple test gears in ABS, PLA, and PETG, and built a test rig to run them at 900 rpm with a load of 1.5 Nm against a steel drive gear. The gears were pulled off and weighed every 10,000 rotations, and allowed to run to destruction, which occurred in the hundreds-of-thousands of rotations in each case. The verdict? Well, as you can tell from the image, it’s to use PETG.

The authors think that this is down to PETG’s ductility, so we would have liked to see a hard TPU added to the mix, to say nothing of the engineering filaments. On the other hand, this study was aimed at the most common plastics in the 3D printing world and also verified a theoretical model that can be applied to other polymers.

This tip was sent in by [Benjamin], who came across it as part of the research to build his first telescope, which we look forward to seeing. As he points out, it’s quite lucky for the rest of us that the U.S. government provides funding to make such basic research available, in a way his nation of France does not. All politics aside, we’re grateful both to receive your tips and for the generosity of the US taxpayer.

We’ve seen similar tests done by the community — like this one using worm gears — but it’s also neat to see how institutional science approaches the same problem. If you need oodles of cycles but not a lot of torque, maybe skip the spurs and print a magnetic gearbox. Alternatively you break out the grog and the sea shanties and print yourself a capstan.

hackaday.com/2025/07/17/this-s…

Nel 2021, durante una delle mie esplorazioni sul confine sempre più sfumato tra hardware e cybersecurity, scrivevo un articolo dal titolo che oggi suona quasi profetico: “Anche un cavo prende vita”.
Allora si parlava degli albori del progetto OMG Cable: un innocuo cavo USB che, nascosto dietro l’aspetto di un semplice accessorio di ricarica, celava un cuore digitale capace di compiere operazioni di compromissione da far impallidire molti malware tradizionali.

E proprio in questi giorni, a distanza di quattro anni, mi è capitato di averne uno tra le mani, reale, fisico, pronto all’uso, inserito in un’attività di penetration test commissionata a un team che supporto.
Questa volta non si trattava di teoria, né di un test da laboratorio, ma di un vero scenario aziendale in cui l’obiettivo era colpire e far riflettere.

Il risultato è stato sorprendente. L’innocuo cavetto lasciato su una scrivania ha fatto il suo sporco lavoro in pochi secondi, dimostrando ancora una volta come la sicurezza fisica sia la porta d’ingresso più sottovalutata e più pericolosa di molte infrastrutture digitali.
E così, mentre riprendevo in mano quel cavo camuffato, non ho potuto fare a meno di tornare con la mente a quell’articolo del 2021. Ma questa volta con una consapevolezza in più: l’OMG Cable non è più una curiosità tecnologica. È una realtà operativa. E lo è oggi, qui, nel 2025.

Cos’è davvero l’OMGCable?

Immagina di avere tra le mani un cavo USB. Niente di strano: può essere USB-A, USB-C, Lightning, o magari un ibrido. Ha l’aspetto perfetto, identico all’originale Apple o Samsung. Funziona come un vero cavo: ricarica, trasferisce dati, collega dispositivi. Ma quello che non si vede è tutto il resto.
Dentro quel guscio di plastica, apparentemente innocuo, si nasconde un microcontrollore Wi-Fi programmabile. Non un giocattolo da maker, ma un modulo studiato con maniacale attenzione all’invisibilità.
Attraverso un’interfaccia accessibile da browser – o direttamente da uno smartphone – è possibile connettersi al cavo, caricare script, inviare comandi, aprire shell, trasferire file. E il tutto può essere fatto da remoto, senza che l’utente finale si accorga di nulla.
Una volta collegato a un computer, l’OMG Cable si comporta come una tastiera umana. Inietta comandi. Simula input. Può aprire terminali, eseguire codice, scaricare payload. E se questo non bastasse, può anche rilevare la geolocalizzazione, attivarsi solo in determinate aree, registrare sequenze di tasti, o cancellare la sua memoria con un comando di autodistruzione.

L’utilizzo legittimo: uno strumento da red team

In mano a un professionista del settore, questo strumento è semplicemente straordinario. Chi lavora in ambito red team lo sa bene: le simulazioni di attacco devono essere realistiche, efficaci e soprattutto imprevedibili.
Inserire un OMG Cable in uno scenario controllato permette di testare la sicurezza fisica, la consapevolezza del personale, l’efficacia delle policy aziendali.
Durante una simulazione di attacco mirato, il cavo può essere lasciato strategicamente in un’area comune, o usato da un operatore per valutare la risposta dei sistemi di difesa in caso di intrusione fisica.
In ambito formativo, poi, è uno strumento didattico eccezionale. Niente sensibilizza più di un attacco riuscito: far vedere a un dipendente che bastano due secondi per compromettere un sistema con un semplice cavo può cambiare radicalmente il suo approccio alla sicurezza.

Ma il confine è pericolosamente sottile

Tutto questo però ha un rovescio inquietante. Perché la stessa potenza che lo rende uno strumento utile e legittimo in ambito professionale, lo rende anche pericolosamente facile da abusare.
L’OMG Cable non richiede conoscenze avanzate per essere usato. Bastano pochi clic e una connessione Wi-Fi. Non serve scrivere malware, aggirare antivirus, bypassare protezioni. È sufficiente collegarlo.
E qui si apre un abisso. Perché chiunque, e dico chiunque, può acquistarlo online. Non ci sono controlli, né registrazioni. Nessun limite. Nessun avviso legale che accompagni l’acquisto.
Immagina una sala riunioni. Un collaboratore lascia un cavo attaccato a una presa. Un altro collega, ignaro, lo utilizza per collegare il proprio laptop. In quel momento, l’attaccante, che può essere seduto al bar a cento metri di distanza, apre una shell, esegue comandi, esfiltra dati. Tutto in silenzio. Nessuna finestra. Nessun allarme.
E immagina ora uno scenario domestico. O peggio, relazionale. Un cavo “dimenticato” in casa di qualcuno. Una tastiera invisibile che registra tutto. Che invia tutto. Che controlla tutto.
Non siamo lontani dalla fantascienza. Siamo esattamente lì.

Le implicazioni legali sono gravi. Ma chi le conosce?

In molti Paesi – Italia inclusa – strumenti come questo, se utilizzati per registrare comunicazioni senza consenso, possono rientrare nel reato di intercettazione illecita.
La legge italiana, ad esempio, punisce severamente l’uso di dispositivi atti a captare comunicazioni o informazioni private.
Eppure, l’OMG Cable non è soggetto ad alcun tipo di regolamentazione. Non esistono avvisi legali, licenze, autorizzazioni. Lo compri come un caricabatterie da viaggio.
Il problema, quindi, è duplice: da un lato la tecnologia corre veloce e propone soluzioni sempre più potenti. Dall’altro, la cultura e la consapevolezza di chi la utilizza restano pericolosamente indietro.

Serve una nuova etica. E serve ora.

Nel nostro mondo ci piace categorizzare: white hat, grey hat, black hat. Ma la realtà è molto più complessa. Uno strumento come l’OMG Cable mette in crisi queste categorie. Perché il confine tra uso etico e abuso criminale si gioca tutto sul contesto.
Ed è proprio questo contesto che manca. Le scuole, le aziende, i responsabili della sicurezza devono iniziare a includere l’etica hacker tra i temi fondamentali.
Non basta più insegnare a difendersi da un attacco. Bisogna anche insegnare perché certi attacchi non devono essere condotti.
Perché oggi, chiunque può essere un attaccante. E se non gli spieghi il confine, non è detto che lo riconosca da solo.

Ma allora come ci si difende?

Non esiste una risposta semplice. Non basta installare un antivirus o blindare i firewall. Il pericolo, in questo caso, entra dalla porta principale, con il consenso implicito dell’utente.
Bisogna rivedere le policy. Bisogna formare le persone. Bisogna controllare i dispositivi fisici con lo stesso rigore con cui si analizza un pacchetto di rete.
Il concetto di sicurezza fisica, da sempre sottovalutato nel digitale, oggi torna prepotentemente d’attualità.
Serve un cambio di paradigma. Una cultura nuova. Una consapevolezza che metta l’essere umano, con i suoi errori, le sue abitudini, le sue ingenuità, al centro della strategia difensiva.

Una conclusione che non conclude

L’OMG Cable non è il male. Non è il colpevole. È uno specchio. Riflette chi lo usa e per cosa lo usa.
È uno strumento potentissimo, che può fare bene o può fare male. Dipende da noi.
Ma una cosa è certa: chi lavora in cybersecurity non può permettersi di ignorarlo.
Perché la prossima compromissione potrebbe arrivare non da un allegato di phishing, non da una vulnerabilità CVE, ma da un semplice cavo lasciato sulla scrivania.

Nel 2021 scrivevo che anche il cavo ha una vita.
Oggi aggiungo: sta a noi decidere che direzione prenderà quella vita.

L'articolo OMGCable: la sottile linea rossa tra penetration testing e sorveglianza occulta proviene da il blog della sicurezza informatica.

HackerHood, il team di hacker etici di Red Hot Cyber, ha realizzato qualcosa che raramente si vede fuori dalle conferenze più esclusive: un workshop live in cui viene mostrato, passo dopo passo, un attacco ransomware completo.

Non si tratta di una simulazione teorica, ma di un vero e proprio viaggio all’interno del lato oscuro della rete, dove da una semplice email di phishingsi arriva in pochi minuti a compromettere completamente un sistema informatico. Tutto questo è stato possibile grazie alla collaborazione con OMNIA e Whit Secure, due realtà che puntano da sempre sulla cultura della sicurezza.

Infatti questo workshop esclusivo presentato da Antonio Montillo e Alessandro Moccia di Framework Security è stato mostrato all’interno di un evento a porte chiuse organizzato da Omnia e WithSecure, il 2 luglio 2025 presso il moderno datacenter Tier IV a Siziano (PV).

L’obiettivo? vedere, comprendere e proteggersi per tempo!

I due professionisti hanno saputo raccontare in modo semplice e dettagliato la complessità tecnica che si cela dietro un attacco informatico. Quello che normalmente leggiamo nei report, tra sigle e diagrammi, qui prende vita davanti ai nostri occhi: dall’esca iniziale che induce la vittima a cliccare, all’esecuzione del malware, fino alla crittografia dei dati e alla classica schermata di riscatto. Un percorso che non è spettacolare con un attacco informatico visto all’interno di un film primo in classifica, ma è reale e profondamente educativo.

youtube.com/embed/wAa7zT-ithI?…

Il bello di questo workshop è che non si è limitato solo a mostrare “cosa” fa un ransomware, ma spiega anche “come” e “perché” funziona. Si vede chiaramente quanto sia importante la preparazione tecnica di chi lavora nella difesa: conoscere le tattiche, le tecniche e le procedure usate dai criminali è l’unico modo per costruire barriere efficaci.

Spesso si pensa che basti un buon antivirus o qualche aggiornamento per stare tranquilli, ma la realtà è ben diversa: la cybersecurity è un lavoro continuo, condiviso, fatto di studio, test, simulazioni e aggiornamento costante.

L’infrastruttura predisposta è stata composta dalle seguenti componenti software:

• Postazioni client
• Controller di dominio Windows
• Server di posta Microsoft Echange
• Server SQL Server

Fase di sfruttamento degli exploit e pivoting all’interno dell’infrastruttura
Proprio per questo motivo abbiamo deciso di non tenere questo contenuto solo per chi era presente all’evento, ma di condividerlo con tutti.

Sul nostro canale YouTube è disponibile il video di una parte del workshop: sì, dura un po’, ma credeteci, vale ogni secondo. Guardandolo capirete non solo la potenza distruttiva di un ransomware, ma anche quanto possa essere sottile e convincente l’attacco iniziale. È un modo concreto per sensibilizzare aziende, professionisti e semplici curiosi su una minaccia che colpisce ogni giorno organizzazioni grandi e piccole.

In un mondo dove la tecnologia corre sempre più veloce, iniziative come questa realizzata da Omnia e With Secure servono a fermarsi un attimo e osservare davvero i rischi che corriamo.

HackerHood e Red Hot Cyber vogliono portare la cultura della sicurezza fuori dagli ambienti tecnici e renderla accessibile a tutti, perché solo capendo come funziona un attacco possiamo davvero imparare a difenderci. E ora tocca a voi: guardate il workshop, condividetelo e diventate anche voi parte di questa battaglia quotidiana contro le minacce informatiche.

Perché il ransomware non si ferma. E neanche noi dobbiamo farlo!

L'articolo Il Video di un Attacco Ransomware in Diretta! Il workshop di HackerHood per Omnia e WithSecure proviene da il blog della sicurezza informatica.

Google ha rilasciato un aggiornamento di emergenza per il browser Chrome, eliminando sei vulnerabilità contemporaneamente, una delle quali è già attivamente sfruttata in attacchi reali. Il problema riguarda componenti critici associati al motore grafico del browser e può portare all’uscita dalla sandbox, un meccanismo di protezione che isola i processi di Chrome dal resto del sistema.

La vulnerabilità più grave tra quelle risolte è stata il CVE-2025-6558, con un punteggio CVSS di 8,8. Riguarda la gestione non corretta di dati non attendibili nei componenti ANGLE e GPU. ANGLE, o Almost Native Graphics Layer Engine, che fungono da livello tra il browser e i driver dell’hardware grafico. È attraverso di esso che una pagina web dannosa può avviare una cosiddetta “sandbox escape” e interagire con il resto del sistema a un livello inferiore.

Questo metodo è particolarmente pericoloso in caso di attacchi mirati: è sufficiente aprire una pagina per ricevere un’infezione impercettibile, senza clic o download di file. Gli sviluppatori di Google hanno osservato che l’exploit per questa vulnerabilità è già utilizzato in attacchi reali, sebbene i dettagli e gli obiettivi specifici non siano stati divulgati. La scoperta del problema è attribuita agli specialisti del Threat Analysis Group, Clement Lesin e Vlad Stolyarov, che hanno segnalato la vulnerabilità il 23 giugno 2025.

Il fatto che la vulnerabilità venga sfruttata in attacchi reali ed è stata scoperta da un team di esperti in minacce di uno Stato nazionale indica il possibile coinvolgimento di attori informatici di livello nazionale. L’aggiornamento di Chrome risolve altre cinque vulnerabilità, tra cui il CVE-2025-6554, scoperto anch’esso da Lesin il 25 giugno. Questa è la quinta volta quest’anno che Google corregge vulnerabilità proof-of-concept attivamente sfruttate. L’elenco include anche CVE-2025-2783 , CVE-2025-4664 e CVE-2025-5419 .

Per proteggere gli utenti, si consiglia di aggiornare Chrome alla versione 138.0.7204.157 o 138.0.7204.158 per Windows e macOS, e alla 138.0.7204.157 per Linux. La versione più recente può essere installata tramite la sezione “Informazioni” nelle impostazioni. Anche i possessori di browser basati su Chromium come Edge, Brave, Opera e Vivaldi dovrebbero tenere d’occhio il rilascio degli aggiornamenti.

Le vulnerabilità relative ai componenti grafici e ai meccanismi di isolamento dei processi non sempre fanno notizia, ma vengono spesso sfruttate nelle catene di attacco. Particolarmente degni di nota sono i bypass dei limiti di privilegio, i bug di GPU e WebGL e la corruzione della memoria durante il rendering: queste sono le aree che spesso diventano la base per successive vulnerabilità critiche.

L'articolo Google Chrome, fix in emergenza per un bug critico che porta ad una sandbox escape proviene da il blog della sicurezza informatica.