JavaScript is everywhere these days, even outside the browser. Everyone knows that this is because JavaScript is the best programming language, which was carefully assembled by computer experts and absolutely not monkeyed together in five days by some bloke at Netscape in the 90s. Nowhere becomes this more apparent than in aspects like JavaScript’s brilliantly designed Date class, which astounds people to this day with its elegant handling of JavaScript’s powerful type system. This is proudly demonstrated by the JS Date quiz by [Samwho].

Recently [Brodie Robertson] decided to bask in the absolute glory that is this aspect of JavaScript, working his way through the quiz’s 28 questions as his mind gradually began to crumble at the sheer majesty of this class’ elegance and subtle genius. Every answer made both logical and intuitive sense, and left [Brodie] gobsmacked at the sheer realization that such a language was designed by mere humans.

After such a humbling experience, it would only seem right to introduce the new JS convert to the book JavaScript: The Good Parts, to fully prepare them for their new career as a full-stack JS developer.

youtube.com/embed/IRX5TuggMxg?…

hackaday.com/2025/07/21/testin…

Having a robot that can quickly and unsupervised pick any lock with the skills of a professional human lockpicker has been a dream for many years. A major issue with lockpicking robots is however the lack of any sensing of the pins – or equivalent – as the pick works its magic inside. One approach to try and solve this was attempted by the [Sparks and Code] channel on YouTube, who built a robot that uses thin wires in a hollow key, load cells and servos to imitate the experience of a human lockpicker working their way through a pin-tumbler style lock.

Although the experience was mostly a frustrating series of setbacks and failures, it does show an interesting approach to sensing the resistance from the pin stack in each channel. The goal with picking a pin-tumbler lock is to determine when the pin is bound where it can rotate, and to sense any false gates from security pins that may also be in the pin stack. This is not an easy puzzle to solve, and is probably why most lockpicking robots end up just brute-forcing all possible combinations.

Perhaps that using a more traditional turner and pick style approach here – with one or more loadcells on the pick and turner- or a design inspired by the very effective Lishi decoding tools would be more effective here. Regardless, the idea of making lockpicking robots more sensitive is a good one, albeit a tough nut to crack. The jobs of YouTube-based lockpicking enthusiasts are still safe from the robots, for now.

Thanks to [Numbnuts] for the tip.

youtube.com/embed/-EqSJTBMepA?…

hackaday.com/2025/07/21/a-lock…

[danjovic] came up with a nifty entry for our 2025 One-Hertz Challenge that lands somewhere between the categories of Ridiculous and Clockwork. It’s a clock that few hackers, if any, could read on sight—just the way we like them around here!

The clock is called Hexa U.T.C, which might give you an idea why this one is a little tricky to parse. It displays the current Unix time in hexadecimal format. If you’re unfamiliar, Unix time is represented as the number of non-leap seconds that have ticked by since 1 January 1970 at 00:00:00 UTC. Even if you can turn the long hex number into decimal in your head, you’re still going to have to then convert the seconds into years, days, hours, minutes, and seconds before you can figure out the actual time.

The build relies on an ESP32-S2 module, paired with a 7-segment display module driven by the TM1638 I/O expander. The ESP32 syncs itself up with an NTP time server, and then spits out the relevant signals to display the current Unix time in hex on the 7-segment displays.

It’s a fun build that your programmer friends might actually figure out at a glance. As a bonus it makes an easy kicking-off point for explaining the Year 2038 problem. We’ve featured other similar Unix clocks before, too. Video after the break.

youtube.com/embed/git1te5nhhI?…

hackaday.com/2025/07/21/2025-o…

[Scott Baker] wrote in to let us know about his freezer monitor.

After a regrettable incident where the ice cream melted because the freezer failed [Scott] decided that what was called for was a monitoring and alerting system. We enjoyed reading about this hack, and we’ll give you the details in just a tick, but before we do, we wanted to mention [Scott]’s justifications for why he decided to roll his own solution for this, rather than just using the bundled proprietary service from the white goods manufacturer.

We’re always looking for good excuses for rolling our own systems, and [Scott]’s list is comprehensive: no closed-source, no-api cloud service required, can log with high fidelity, unlimited data retention, correlation with other data possible, control over alerting criteria, choice of alerting channels. Sounds fair enough to us!

The single-board computer of choice is the Raspberry Pi Zero 2 W. As [Scott] says, it’s nice to be able to SSH into your temperature monitoring system. The sensor itself is the DS18B20. [Scott] 3D printed a simple case to hold the electronics. The other materials required are a 4.7k resistor and a power cable. The instructions for enabling the 1-wire protocol in Raspbian are documented in INSTALL.md.

When it comes time for programming, [Scott’s] weapon of choice is GoLang. He uses Go to process the file system exported by the 1-wire drivers under /sys/bus/w1/devices. He sets the Pi Zero up as an HTTP endpoint for Prometheus to scrape. He uses a library from Sergey Yarmonov to daemonize his monitoring service.

Then he configures his ancient version of Prometheus with the requisite YAML. The Prometheus configuration includes specifications of the conditions that should result in alerts being sent. Once that’s done, [Scott] configures a dashboard in Grafana. He is able to show two charts using the same timescale to correlate garage energy usage with freezer temperatures. Mission accomplished!

Now that you know how to make a freezer monitor, maybe it’s time to make yourself a freezer.

hackaday.com/2025/07/21/freeze…

By and large, the human body is designed to breathe from birth, and keep breathing continuously until death. Indeed, if breathing stops, lifespan trends relatively rapidly towards zero. There’s a whole chunk of the brain and nervous system dedicated towards ensuring oxygen keeps flowing in and carbon dioxide keeps flowing out.

Unfortunately, the best laid plans of our body often go awry. Obstructive sleep apnea is a condition in which a person’s airways become blocked by the movement of soft tissues in the throat, preventing the individual from breathing. It’s a mechanical problem that also has a mechanical solution—the CPAP machine.

Under Pressure

Obstructive sleep apnea occurs when the airway is blocked when muscle tone relaxes during sleep. Credit: public domain
The underlying mechanism of obstructive sleep apnea (OSA) is quite straightforward. During sleep, as the throat, neck, and skeletal muscles all relax, the tongue and/or soft palette can come to block the airway. When this happens, fresh air cannot pass to the lungs, nor can the individual exhale. Breathing is effectively halted, sometimes for minutes at a time. As the individual’s oxygen saturation drops and carbon dioxide levels build up, the brain and nervous system typically trigger an arousal in which the person enters a lighter stage of sleep or wakes up to some degree. The arousal may simply involve a change of position to restore normal breathing, or the individual may wake more fully while gasping for air. Having cleared the airway and resumed normal respiration, the individual generally returns to deeper sleep. As they do, and the muscles relax again, a further obstructive apnea may occur with similar results.

For those suffering from sleep apnea, these arousals can occur many hundreds of times a night. Each disrupts the normal cycles of sleep, generally leading to symptoms of serious sleep deprivation. These arousals often occur without the individual having any awareness they occurred. Sleep apnea can thus easily go undiagnosed, as individuals do not know the cause of their fatigue. In many cases, reports of heavy snoring from sleeping partners are what leads to a sleep apnea diagnosis, as breathing typically becomes louder as the airway slowly closes due to the muscles relaxing during sleep.

Ultimately, the solution to sleep apnea is to stop the airway becoming blocked in the first place, allowing normal breathing to continue all the way through sleep. The problem is that it’s difficult to access the tissues deep in the airway. One might imagine placing some kind of mechanical device into the throat to keep the airway open, but this would be highly invasive. It would also likely pose a choking risk if disrupted during sleep.
The ResMed AirSense 10 Elite, a modern CPAP machine. Note the humidifier attached on the side. This helps reduce instances of dry mouth or similar issues during use. Credit: VSchagow, CC BY-SA 4.0
Enter the CPAP machine—short for “continuous positive airway pressure.” Invented by Australian doctor Colin Sullivan in 1980, the idea behind it is simple—pressurize the individual’s airway in order to hold it open and prevent the tongue and soft tissues from causing a blockage. Air pressures used are relatively low. Machines typically deliver in the range of 4 to 20 cm H₂O, which has been found sufficient to keep an airway open during sleep. The CPAP machine doesn’t breathe for the user—it just provides air to the airway at greater than atmospheric pressure.
A Lowenstein Prisma SMART CPAP machine, with hose and mask attached. Credit: Mnalis, CC0
Key to the use of CPAP is how to get the pressurized air inside the airway. Early machines pressurized a large helmet, with an air seal around the neck. Today, modern CPAP machines deliver carefully-controlled pressurized air via a mask. Nasal masks are the least-invasive option, which pressurize the whole airway via the nostrils alone. These masks require that the mouth remain closed during sleep, else the pressurized air is free to leave the airway. Full-face masks, which are similar to those used for other medical procedures, can be used for individuals who need to breathe through their mouth while sleeping.

Overall, a CPAP machine is relatively simple to understand. It consists of a pump to provide pressurized air to the mask, and a user interface for configuring the pressure and other settings. CPAP machines often also feature humidification to stop the supplied air from drying out the user’s mouth and/or nose. This can be paired with heated tubing to warm the air, which avoids condensation from forming in the tube or mask during use. This is called “rainout” and can be unpleasant for the user. Modern machines can also carefully monitor pressure levels and airflow, logging breathing events and other data for later analysis.
A full face mask for use with a CPAP machine. Nasal-only masks are also popular. Credit: public domain
CPAP treatment is not without its issues, however. Users must grow accustomed to wearing a mask while sleeping, as well as adjust to the feeling of breathing in and exhaling out against the continuous incoming pressure from the machine. It’s also important for users to get a suitable mask fit, to avoid issues like skin redness or pressure leaking from the mask. In the latter case, a CPAP machine will be ineffective at keeping an airway open if pressure is lost via leaks. These problems lead to relatively low compliance with CPAP use among those with obstructive sleep apnea. Studies suggest 8% to 15% abandon CPAP use after a single night, while 50% stop using CPAP within their first year. Regardless, the benefits of CPAP machines are well-supported by the available scientific literature. Studies have shown that use of CPAP treatment can reduce sleepiness, blood pressure, and the prevalence of motor vehicle crashes in those with obstructive sleep apnea.

Nobody likes the idea of being semi-woken tens or hundreds of times a night, but for sleep apnea sufferers, that’s precisely what can happen. The CPAP machine is the mechanical solution that provides a good night’s rest, all thanks to a little pressurized air.

Featured image: “wide variety of masks at cpap centra” by [Rachel Tayse]. (Gotta love that title!)

hackaday.com/2025/07/21/fixing…

Gli sviluppatori di CrushFTP segnalano una vulnerabilità zero-day (CVE-2025-54309) che gli hacker stanno già sfruttando. La vulnerabilità consente l’accesso amministrativo ai server vulnerabili tramite l’interfaccia web. Secondo gli sviluppatori, i primi attacchi sono stati scoperti il 18 luglio 2025, anche se è probabile che lo sfruttamento della vulnerabilità sia iniziato il giorno prima.

Secondo Ben Spink, CEO di CrushFTP, poco prima era stata aggiunta una patch al prodotto che aveva bloccato accidentalmente anche questa vulnerabilità 0-day. Sebbene la patch fosse originariamente mirata a un problema diverso e avesse disabilitato di default la funzionalità AS2 su HTTP(S), raramente utilizzata, l’azienda ritiene che gli hacker abbiano eseguito il reverse engineering del codice di CrushFTP, scoperto il nuovo bug e iniziato a sfruttarlo sui dispositivi su cui la “patch accidentale” non era ancora stata installata.

“Riteniamo che questo bug fosse presente nelle build fino al 1° luglio 2025 circa. Il problema è stato risolto nelle versioni attuali di CrushFTP”, ha dichiarato l’azienda. “Il vettore di attacco utilizzava HTTP(S). Stavamo risolvendo un altro problema relativo ad AS2 su HTTP(S) e non ci siamo resi conto che il bug potesse essere utilizzato in modo diverso. Sembra che gli hacker abbiano notato questa modifica nel codice e abbiano trovato un modo per sfruttare la vulnerabilità precedente.”

L’attacco sarebbe stato effettuato tramite l’interfaccia web del programma nelle versioni fino a CrushFTP 10.8.5 e CrushFTP 11.3.4_23. Non è chiaro quando siano state rilasciate esattamente queste versioni, ma gli sviluppatori scrivono che l’attacco si è verificato intorno al 1° luglio. Gli amministratori che ritengono che i loro sistemi siano stati compromessi sono ora invitati a ripristinare la configurazione utente predefinita da un backup creato prima del 16 luglio. I segnali di compromissione includono:

• modifiche sospette in MainUsers/default/user.XML, in particolare modifiche recenti e presenza del campo last_logins;
• nuovi nomi utente di livello amministratore che sembrano caratteri casuali (ad esempio 7a0d26089ac528941bf8cb998d97f408m).

Gli sviluppatori sottolineano che le modifiche che più spesso osservano riguardano l’utente predefinito e questo è il principale indicatore di compromissione. “In generale, abbiamo osservato che l’utente predefinito veniva modificato più spesso. E lo modificavano in modo tale che la configurazione diventasse formalmente non valida, ma allo stesso tempo continuasse a funzionare per l’aggressore e per nessun altro”.

Al momento non è noto se gli attacchi a CrushFTP siano stati utilizzati per rubare dati o distribuire malware. Tuttavia, le soluzioni di trasferimento file sicuro sono da tempo un obiettivo prioritario per gli aggressori e risultano particolarmente appetibili per gli operatori di ransomware. Ad esempio, il ransomware Clop è noto per la sua frequente diffusione attraverso vulnerabilità presenti in altri popolari prodotti aziendali, tra cui MOVEit Transfer , GoAnywhere MFT e Accellion FTA .

L'articolo CrushFTP vulnerabilità zero-day sfruttata attivamente e aziende a rischio proviene da il blog della sicurezza informatica.

“Il tetto di sei mesi per i licenziamenti è incostituzionale”. La Consulta dá ragione alla Cgil. Per la Corte “il criterio fisso non garantisce adeguatezza e congruità del risarcimento”. La sua cancellazione faceva parte dei quesiti al referendum

Nonostante il menefreghismo dei lavoratori Italiani il sindacato è riuscito lo stesso a far sparire una norma ingiusta.

Peccato che ne beneficieranno anche quelli a cui non importa nulla dei loro diritti. Gente che magari si convincerà anche che in fondo hanno fatto bene a starsene a casa tanto poi il risultato lo raggiunge qualcuno altro per loro.

cgiltoscana.it/2025/07/21/il-t…

When you first get your hands on an old piece of equipment, regardless of whether it’s an old PC or some lab equipment, there is often the temptation to stick a power lead into it and see what the happy electrons make it do. Although often this will work out fine, there are many reasons why this is a terrible idea. As many people have found out by now, you can be met by the wonderful smell of a Rifa capacitor blowing smoke in the power supply, or by fascinatingly dangly damaged power wires, as the [Retro Hack Shack] on YouTube found recently in an old Gateway PC.

Fortunately, this video is a public service announcement and a demonstration of why you should always follow the sage advice of “Don’t turn it on, take it apart”. Inside this Gateway 2000 PC from 1999 lurked a cut audio cable, which wasn’t terribly concerning. The problem was also a Molex connector that had at some point been violently ripped off, leaving exposed wiring inside the case. The connector and the rest of the wiring were still found in the HDD.

Other wires were also damaged, making it clear that the previous owner had tried and failed to remove some connectors, including the front panel I/O wiring. Thankfully, this PC was first torn apart so that the damage could be repaired, but it shows just how easily a ‘quick power-on check’ can turn into something very unpleasant and smelly.

youtube.com/embed/mHWUtvGMhH4?…

hackaday.com/2025/07/21/dont-t…

L’ultima ricerca Trend Micro rivela come i cybercriminali utilizzino piattaforme e strumenti basati sull’intelligenza artificiale per lanciare attacchi pronti all’uso

Milano, 15 luglio 2025 – Gli strumenti di intelligenza artificiale generativa sono sempre più potenti, convenienti e accessibili e i cybercriminali li utilizzano ormai in ogni tipologia di attacco, dalle frodi aziendali alle estorsioni e furti di identità.Lo rivela “Deepfake it ‘til You Make It: A Comprehensive View of the New AI Criminal Toolset“, l’ultima ricercaTrend Micro, leader globale di cybersecurity.

Lo studio illustra la portata e la maturità che hanno raggiunto i deepfake in ambito cybercriminale. Questa minaccia, dopo l’iniziale momento di hype, è diventata una tattica comune per gli attaccanti, che sono riusciti a mettere in dubbio la fiducia nel mondo digitale, esponendo le aziende a nuovi rischi e accelerando i modelli di business criminali.

“L’utilizzo dell’intelligenza artificiale nella creazione di asset media non è più un rischio futuro, ma una minaccia reale alle imprese. Abbiamo rilevato molti casi di manager impersonati da malintenzionati, processi di selezione del personale compromessi e difese in ambito finanziario aggirate con sorprendente facilità. Questa ricerca vuole anche essere un avvertimento: le aziende devono essere preparate per la nuova era dei deepfake, il rischio è rimanere inesorabilmente indietro. Viviamo in un mondo dove non tutto ciò che vediamo può essere vero e la fiducia digitale deve essere ricostruita dalle fondamenta”. Afferma Salvatore Marcis, Country Manager di Trend Micro Italia.

Lo studio rivela che i cybercriminali non hanno bisogno di competenze tecniche per lanciare un attacco, ma utilizzano piattaforme che generano video, audio e immagini pronti all’uso. Questi strumenti sono pensati appositamente per crearedeepfake realistici in grado di ingannare aziende e organizzazioni: sono economici, facili da utilizzare e incredibilmente capaci di oltrepassare i sistemi per la verifica delle identità e i controlli di sicurezza.

La ricerca sottolinea come l’ecosistema cybercriminale sia in continua crescita e gli attaccanti, grazie a queste piattaforme, siano in grado di eseguire truffe convincenti:

• La truffa del CEO è sempre più difficile da individuare, poiché i malintenzionati utilizzano finti audio o video per impersonare i responsabili aziendali durante meeting in tempo reale
• I processi di selezione del personale vengono compromessi da falsi candidati che utilizzano l’AI per superare i colloqui, con l’obiettivo di ottenere accesso ai sistemi aziendali
• Le organizzazioni nel settore dei servizi finanziari registrano una crescita di deepfake che provano a oltrepassare la verifica KYC (Know Your Customer), al fine di riciclare denaro attraverso credenziali falsificate e in modalità anonima

Nell’underground cybercriminale si possono trovare tutorial, toolkit e servizi che aiutano a semplificare queste operazioni, ad esempio manuali che illustrano come aggirare le procedure di onboarding passo dopo passo, o strumenti plug-and-play per lo scambio e la modifica di volti. La barriera all’ingresso dovuta alle competenze tecniche è ormai molto bassa.

Le truffe alimentate dai deepfake sono sempre più frequenti e complesse, le aziende hanno il dovere di organizzarsi proattivamente per ridurre al minimo l’esposizione al rischio e proteggere persone e processi. Una corretta strategia aziendale include percorsi formativi sui rischi di social engineering, la revisione dei processi di autenticazione e soluzioni per il rilevamento di media sintetici.

Ulteriori informazioni sono disponibili a questo link

L'articolo I deepfake sono ormai lo standard per frodi, furti di identità e truffe alle aziende proviene da il blog della sicurezza informatica.