Smartphones boggle my mind a whole lot – they’re pocket computers, with heaps of power to spare, and yet they feel like the furthest from it. As far as personal computers go, smartphones are surprisingly user-hostile.

In the last year’s time, even my YouTube recommendations are full of people, mostly millennials, talking about technology these days being uninspiring. In many of those videos, people will talk about phones and the ecosystems that they create, and even if they mostly talk about the symptoms rather than root causes, the overall mood is pretty clear – tech got bland, even the kinds of pocket tech you’d consider marvellous in abstract. It goes deeper than cell phones all looking alike, though. They all behave alike, to our detriment.

A thought-provoking exercise is to try to compare smartphone development timelines to those of home PCs, and see just in which ways the timelines diverged, which forces acted upon which aspect of the tech at what points, and how that impacted the alienation people feel when interacting with either of these devices long-term. You’ll see some major trends – lack of standardization through proprietary technology calling the shots, stifling of innovation both knowingly and unknowingly, and finance-first development as opposed to long-term investments.

Let’s start with a fun aspect, and that is hackability. It’s not perceived to be a significant driver of change, but I do believe it to be severely decreasing chances of regular people tinkering with their phones to any amount of success. In other words, if you can’t hack it in small ways, you can’t really make it yours.

Can’t Tinker, Don’t Own

In order to tinker with your personal computer, you need just that, the computer itself. Generally, you need a whole another computer to hack on your smartphone; sometimes you even need a custom cable, and it’s not rare you can’t do it at all. Phone tinkering is a path you explicitly set out to do, whereas computer-based hacking is something you can do idly.
A Nokia N900 in hands of a user (by Victorgrigas, CC BY-SA 3.0)
There’s good reasons for this, of course – first, a phone was generally always a “subservient” device not meant or able to be used as a development bench unto itself. Then – phones started really growing in an age and an environment where proprietary technology reigned supreme, with NDAs and utter secrecy (particularly for GSM modems with their inordinate amount of IP) being an especially prominent fixture in the industries surrounding phones. Even Android’s open-source technology was mostly for manufacturers’ benefit rather than a design advantage for users, as demonstrated by the ever-worsening non-open-source driver situation.

Only a few phones ever bucked these trends, and those that did, developed pretty devoted followings if the hardware was worthwhile. Just look at the Nokia N900 with its hardware capability and alt OS support combo, Pixel phones with their mainline kernel support letting alternative OSes flourish, or old keypad Motorolas with leaked baseband+OS source code. They’re remembered pretty fondly, and it’s because they facilitated hacking, on-device or even off-device.

Hacking starts by probing at a device’s inner workings, deducing how things work, and testing the boundaries, but it doesn’t happen when boundaries are well-protected and hidden away from your eyes. A typical app, even on Android, is surprisingly non-explorable, and unlike with PCs, again, if you want to explore it, you need a whole another device. Does it benefit app developers? For sure. I also have a strong hunch it doesn’t benefit users that we could otherwise see become developers.

Part of it is the need to provide a polished user experience, a respectable standard to have, especially so for producing pocket computers to be used by millions of people at once. However, I’d argue that modern phones are suffocating, and that the lack of transparency is more akin to encasing an already reliable device in epoxy for no reason. A device designed to never ever challenge you, is a device that can’t help you grow, and it’s not really a device you can grow attached to, either.

Of course, complaints are one thing, and actionable suggestions is another.

What Do?

If I were asked how to fix this, I wouldn’t limit myself to opening filesystems back up to a user’s exploration habits, beyond the way they were open even in early Android days. I think modern phones could use a pre-installed Python interpreter, with a healthy amount of graphics libraries, a decent amount of control over the system, snappy well-configured autocomplete, and a library of example scripts you could edit in place; essentially, an Arduino IDE-like environment.

In other words, let people easily program phones to flash the screen every time an SMS from a specific person is received, or start audio recording when the user taps the touchscreen three times as the phone’s locked, or send accelerometer movements into a network socket as fast as the OS can receive them. Then, let them wrap those programs into apps, share apps easily with each other, and, since the trend of fast obsolescence requires regular collectie infusions of cash, transfer them from phone to phone quickly.

By the way, if days of Bluetooth and IrDA transfers evaded you, you missed out. We used to stand next to each other and transfer things from one phone to another, a field previously handled, but nowadays these things are somehow relegated to proprietary technologies like Airdrop. This isn’t a problem for personal computers, in fact, they somehow keep getting better and better at it; just recently, I transferred some movies between two laptops using a Thunderbolt cable during a flight, and somehow, this was one of the few “wow” moments that I’ve had recently with consumer-grade tech.

The idea is pretty simple on its own – if phones are to be personal computers, they should be very easy to program.

The Doohickey Port

What about a bonus suggestion, for hardware customization? USB-C ports are really cool and powerful, but they’re relatively bespoke, and you only ever get one, to be unplugged every time you need to charge or sync. Plus, even if you have OTG, all that 5V step-up action isn’t great for the battery, and neither are USB hardware/firmware stacks.

I like I2C. Do you like I2C? I know most of you do. I enjoy I2C a lot, and I like how it’s decently well standardized, to the point things tend to just work. It’s not as great at as many things as USB can be, but it’s also comparably low-frills, you don’t need a software stack or a hefty bespoke board. For the most part, with I2C, you can just send bytes back and forth. It’s a low-bandwidth yet high-impact bus, with a healthy amount of devices you can attach to it. Also, CPUs tend to have plenty of I2C ports to go around, often leaving a good few to spare.

What else? Keeping up with the times, these days, you can manufacture flex PCBs decently quickly, with stiffener at no extra cost, and for dirt cheap, too. On a physical level, phones tend to come with cases, overwhelmingly so. In a way, there’s suddenly plenty of free space on the back of a phone, for those with the eyes to see, and that’s after accounting for the ever-increasing camera bump, too.

My bonus idea to make phones more customizable at low entry level, would be an I2C accessory port. In effect, a latch-less FFC socket with exposed I2C, and some 3.3V at non-negligible power. Of course, protect all lines electrically, current-limit the 3.3V and make its power switchable. With modern tech, you don’t need to compromise waterproofing, either, and you can add a whole bunch of protection to such a port.

From there, you can get GPIOs, you can get PWM, and so much more. You could have a reasonably simple GPIO expansion, but also a fully-fledged board with DACs and ADCs bolted on, or a servo control board, or an extra display of the kind phone designers like to add once in a generation, only to find it never be used by third-party apps as sales numbers never really reach the point of wider adoption. Experimental chording keyboards, touch surfaces, thermal pixel sensors,

Does it feel like you’ve seen that implemented? Of course, this resembles the PinePhone addon scheme, with FPCs wedged between the back cover and a set of pogo pins. Notably though, this kind of standard is about having compatibility between models and even manufacturers. You also shed a lot of Bluetooth cruft generally required when developing accessories for modern phones. It requires a flex PCB, sure, but so do pogopin schemes, and there’s barely any mechanics compared to a pogopin array. Is it more fragile than a pogopin array? Yes, but it’s fragile addon-side, not as much phone-side, whereas pogopin arrays tend to be the opposite.

A Sketch And A Dream

Of course, this also relies on the aforementioned Python interpreter, and a decent exposed I2C API. If the only way to tinker with yours and others’ accessories is through bespoke intransparent apps you need a whole different device to make (or modify, if you’re lucky), the hackability aspect wanes quick. In essence, what I’m proposing is a phone-contained sandbox, not in a security sense, but in an educational sense. Personal computers have been serving as sandboxes for decades now, and yet, phones could never really fulfill such a niche.

I think one of the big problems with modern phones is that a phone is barely ever a sandbox, all for mostly historic reasons. Now, if that’s the case, we should make it one. If it’s a sandbox, then it can be molded to your needs through hacking and tinkering. If it can be molded to your needs, then it belongs to you in a whole different way. Will this happen? Quite unlikely, though, I do feel like making some prototypes. Instead, it’s about highlighting a significant aspect that contributes to tech alienation, and imagining how we could solve it given enough market buy-in.

hackaday.com/2025/08/11/smartp…

Una falla di sicurezza recentemente individuata nel noto software per la compressione di file 7-Zip ha destato considerevoli timori all’interno della comunità dedicata alla sicurezza informatica. Tutte le versioni di 7-Zip antecedenti alla 25.01 sono interessate da tale vulnerabilità, la quale scaturisce da una gestione non appropriata dei collegamenti simbolici nel corso dell’estrazione dei file.

Si trattaCVE-2025-55188, scoperto e segnalato dal ricercatore di sicurezza Landon il 9 agosto 2025, consente agli aggressori di eseguire scritture arbitrarie di file durante l’estrazione dell’archivio, portando potenzialmente all’esecuzione di codice su sistemi vulnerabili. Quando gli utenti estraggono un archivio creato in modo dannoso contenente link simbolici non sicuri, 7-Zip segue questi link durante l’estrazione, consentendo agli aggressori di scrivere file in posizioni esterne alla directory di estrazione prevista.

La vulnerabilità sfrutta il meccanismo di elaborazione dei link simbolici di 7-Zip. Secondo l’avviso di sicurezza, l’attacco richiede condizioni specifiche per avere successo. Una volta soddisfatte queste condizioni, gli aggressori possono creare archivi dannosi contenenti link simbolici che puntano a file di sistema sensibili. Una volta estratti, 7-Zip segue questi link simbolici, consentendo agli aggressori di sovrascrivere file critici come chiavi SSH, file .bashrc o altre configurazioni di sistema.

Per i sistemi Linux, gli aggressori necessitano che l’obiettivo utilizzi una versione vulnerabile di 7-Zip durante l’estrazione di un formato di archivio che supporti i link simbolici, come file ZIP, TAR, 7Z o RAR. Il processo di sfruttamento è più semplice negli ambienti Linux. Sui sistemi Windows, è necessario soddisfare requisiti aggiuntivi per uno sfruttamento efficace. Il processo di estrazione 7-Zip deve disporre di privilegi elevati o operare in modalità sviluppatore Windows per creare collegamenti simbolici. Questo rende i sistemi Windows meno vulnerabili, ma non immuni all’attacco.

Nonostante abbia ricevuto un punteggio CVSS di 2,7, che lo classifica come di bassa gravità, gli esperti di sicurezza avvertono che l’impatto pratico potrebbe essere molto più significativo. La vulnerabilità consente agli aggressori di ottenere accessi non autorizzati ed eseguire codice prendendo di mira file sensibili che controllano il comportamento del sistema. La vulnerabilità è particolarmente preoccupante perché 7-Zip visualizza i percorsi dei file prima della risoluzione del collegamento simbolico, consentendo agli aggressori di nascondere la vera destinazione delle loro scritture dannose.

La versione 25.01 di 7-Zip, rilasciata il 3 agosto 2025, risolve questa vulnerabilità con una gestione avanzata dei link simbolici. L’aggiornamento include significativi miglioramenti alla sicurezza per impedire la creazione di link simbolici non sicuri durante l’estrazione degli archivi.

L'articolo Nuova falla in 7-Zip: link simbolici trasformano un’estrazione in un hack proviene da il blog della sicurezza informatica.

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and I'm having some serious FOMO about missing out on the Oasis reunion concerts touring the United Kingdom. In honor of that, I give you this banger.

— Everything you need to know about the upcoming AI Impact Summit to be hosted by India early next year.

— Ahead of Donald Trump's meeting with Vladimir Putin on Aug. 15, Russia's state-based media is in a full-court propaganda press.

— Who's who in the recent shake-up in the European Commission's Directorate-General for Communications Networks, Content and Technology.

Let's get started:

digitalpolitics.co/newsletter0…

Sometimes, you build a thing because you need a thing. Sometimes, you do it just to see if you can. This project is in category two: [polymatt] didn’t need to create a floppy disk from scratch-– plenty of old disks still exist– but we’re glad he made the attempt because it makes for a fascinating video that’s embedded below.

Some of you are going to quibble with the terminology [polymatt] uses in this video: first of all, he didn’t begin by creating the universe, so is he really starting “from scratch”? Secondly, the “floppy” format he’s attempting to copy is a 3½” diskette, which does not flop at all. Alas, the vernacular has decided that “stiffy” means something totally different that you ought not to hand a co-worker, and “floppy” is the word in use now.

Choosing newer stiff-walled medium does allow him to practice his CNC skills and make the coolest-looking floppy enclosure we’ve ever seen. (It turns out brushed aluminum is even cooler-looking than the translucent neon ones.) On the other hand, we can’t help but wonder if a lower-density format 5¼” disk might have been an easier hurdle to jump. The diskette that was built does magnetize, but it can’t read or write actual files. We wonder if the older format might have been more forgiving of grain size and composition of his ferrite coating. Even more forgiving still would be to use these techniques to make magnetic tape which is a perfectly viable way to store data.

Instead of storing data, you could make your own cleaning floppy. It’s not like data storage was really the point here, anyway– its not the destination, but the journey. So whatever you call this DIY diskette, please don’t call it a flop.

Thanks to [Anonymous] for the stiff tip! If you want to slip us your tip, rest assured we will grab on and milk it for all it is worth to our readers.

youtube.com/embed/TBiFGhnXsh8?…

hackaday.com/2025/08/11/dont-s…

Running out of filament mid-print is a surefire way to ruin your parts and waste a lot of time. [LayerLab] was sick of having this problem, and so sought to find a proper solution. Unfortunately, between off-the-shelf solutions and homebrew attempts, he was unable to solve the problem to his satisfaction.

[LayerLab] had a simple desire. He wanted his printer to swap to a second spool of filament when the first one runs out, without ruining or otherwise marring the print. It sounds simple, but the reality is more complicated. As an Australian, he couldn’t access anything from InfinityFlow, so he first attempted to use the “auto refill” features included on the Bambu Labs AMS 2. However, it would routinely make filament changes in outside wall areas of a print, leaving unsightly marks and producing poorer quality parts.

His next effort was to use the Wisepro Auto Refill Filament Buffer. It’s a feeder device that takes filament from two spools, and starts feeding the backup spool in to your printer when the primary spool runs out. Unfortunately, [LayerLab] had a cavalcade of issues with the device. It would routinely feed from the secondary spool when there was still primary filament available, jamming the device, and it didn’t come with a proper mounting solution to work with consumer printers. It also had bearings popping out the top of the housing. Attempts to rework the device into a larger twin-spool rig helped somewhat, but ultimately the unreliability of the Wisepro when changing from one spool to another meant it wasn’t fit for purpose. Its feeder motors were also to trigger the filament snag cutters that [LayerLab] had included in his design.

Ultimately, the problem remains unsolved for [LayerLab]. They learned a lot along the way, mostly about what not to do, but they’re still hunting for a viable automatic filament changer solution that suits their needs. Filament sensors help, but can only do so much. If you reckon you know the answer, or a good way forward, share your thoughts in the comments. Video after the break.

youtube.com/embed/zvCZANVXaKw?…

hackaday.com/2025/08/11/the-tr…

Affidarsi ciecamente a ChatGPT per consigli di fitness o piani alimentari può essere rischioso. Anche le raccomandazioni sulla salute fornite dall’intelligenza artificiale, infatti, possono mettere in pericolo la vita. Un caso recente lo dimostra: un uomo di 60 anni di New York è finito in ospedale dopo aver seguito alla lettera il suggerimento di ChatGPT di ridurre drasticamente il consumo di sale.

Secondo i medici, l’uomo ha quasi azzerato l’apporto di sodio nella dieta per diverse settimane, provocando un calo pericoloso dei livelli di sodio nel sangue, una condizione nota come iponatriemia. La famiglia ha dichiarato che l’uomo si era affidato al piano alimentare elaborato dall’IA senza consultare prima un medico.

Qualche giorno fa, gli esperti avevano affermato che non si dovrebbero seguire consigli medici forniti dall’IA, poiché non è ancora sufficientemente sviluppata per sostituire un medico. È possibile che in futuro l’IA sostituisca i medici, ma per ora si dovrebbe evitare di seguire consigli relativi a malattie. Tuttavia, l’uomo è stato dimesso dall’ospedale ed è tornato a casa dopo aver ricevuto le cure necessarie.

Secondo un articolo del Times of India, che ha riportato la notizia, in passato veniva utilizzato in medicina nel XX secolo, ma ora è considerato velenoso in grandi quantità. Seguendo questo consiglio, l’uomo ha acquistato il bromuro di sodio online. Lo ha usato al posto del sale nei suoi alimenti per tre mesi. Durante questo periodo non ha consultato un medico. Questo errore gli è costato la salute e ha dovuto essere ricoverato in ospedale.

L’uomo non soffriva di alcuna malattia mentale o fisica in precedenza. Ma dopo aver assunto bromuro di sodio, sono iniziati molti gravi problemi. Ha iniziato a provare una paura estrema, ha iniziato ad avere deliri, ha iniziato ad avere molta sete e ha anche iniziato ad avere confusione mentale. Quando è stato ricoverato in ospedale, era così spaventato che si è persino rifiutato di bere acqua. In realtà, aveva la sensazione che qualcosa si fosse mescolato all’acqua. Le indagini hanno rivelato che l’uomo era affetto da “intossicazione da bromuro”.

In ospedale, i medici hanno ripristinato l’equilibrio idrico ed elettrolitico nel corpo del sessantenne. Dopo tre settimane di trattamento, le sue condizioni sono migliorate. È stato dimesso dall’ospedale quando i livelli di sodio e cloruro nel suo corpo sono tornati alla normalità.

L'articolo Un uomo di 60 anni finito in ospedale per tre settimane per i consigli medici di ChatGPT proviene da il blog della sicurezza informatica.

Il Cyberpandino non è solo una Panda trasformata in laboratorio hi-tech, ma un simbolo di resistenza e avventura senza confini. Dopo aver attraversato canyon, deserti e steppe, ora si trova sulle vette eteree dell’Himalaya, a ben 5000 metri di altezza: un traguardo che pochi veicoli possono immaginare. La sfida non si ferma, e il motore ronza tra aria rarefatta e cieli immensi, alimentato dall’entusiasmo instancabile del suo equipaggio .

In quel silenzio ovattato sulle strade senza tempo del Pamir, il Cyberpandino assomiglia a un essere vivente che sfida la gravità e l’oblio. Tra curve mozzafiato e valli sospese sopra il mondo, ogni colpo di gas diventa una dichiarazione: “Non si molla, non si ferma”. Il team affronta la fatica, la mancanza d’ossigeno e le condizioni più estreme con saldatori in una mano e script in un’altra, mantenendo viva la scintilla di creatività hacker e innovazione maker .

Lungo il percorso del Mongol Rally, questa Panda del 2003 ha già dimostrato di sapersi reinventare: fari LED stampati in 3D, interfaccia touchscreen “Panda OS”, sensori OBD2, GPS, IMU, persino misuratori di qualità dell’aria. Ora, mentre si arrampica verso le cime dell’Himalaya, questi strumenti diventano ancora più preziosi, pronti a raccontare ogni respiro, ogni tremito del motore, ogni sublime vertigine del viaggio .

In questa metà dell’avventura, immersi tra nuvole e vette, il Cyberpandino diventa metafora: un mix perfetto di incoscienza visionaria e resilienza pura. È la cultura hacker che prende forma su quattro ruote, sfidando la logica del comfort e della praticità per abbracciare il caos, l’imprevisto e il fascino dell’ignoto. Ed è proprio lì, in mezzo al nulla cosmico, che si sente più vivo che mai .

La vetta non è mai un punto d’arrivo, ma un invito a continuare. Anche a 5000 metri, tra rocce cromate dal gelo e strade che sembrano sospese tra passato e futuro, il Cyberpandino non arretra. In quel “tetto del mondo”, tra l’Himalaya e il cuore pulsante dell’Asia centrale, il viaggio continua — tra freddo penetrante, panorami surreali e la promessa che, anche dove tutto sembra fermo, l’avventura non si ferma mai.

L'articolo Verso la Meta! Pamir Highway: il Cyberpandino a 5000 metri sul tetto del mondo proviene da il blog della sicurezza informatica.

I ricercatori di Eclypsium hanno identificato pericolose vulnerabilità nelle webcam Lenovo 510 FHD e Lenovo Performance FHD che possono essere trasformate in dispositivi di attacco di tipo BadUSB. Il problema, denominato BadCam, è stato presentato al DEF CON 33. Gli esperti sottolineano che questo è il primo caso documentato in cui un dispositivo Linux già connesso a un computer può essere riprogrammato da remoto e utilizzato come dispositivo un USB dannoso.

Gli attacchi BadUSB sono noti dal 2014, quando Karsten Nohl e Jakob Lell dimostrarono la capacità di modificare il firmware dei dispositivi USB per eseguire silenziosamente comandi e lanciare codice dannoso. A differenza dei malware tradizionali memorizzati nel file system, tali attacchi operano a livello di firmware, rendendoli praticamente invisibili ai software antivirus. Questi dispositivi possono emulare una tastiera, intercettare l’input, installare backdoor, reindirizzare il traffico e rubare dati.

Nello scenario descritto dai ricercatori, un aggressore può inviare una webcam compromessa alla vittima o collegarla fisicamente a un computer, per poi assumerne il controllo da remoto. Il dispositivo inizia quindi a fungere da emulatore HID o da dispositivo USB aggiuntivo, immettendo comandi, inviando payload e inserendosi nel sistema, mantenendo al contempo le funzionalità di una normale telecamera. Inoltre, una telecamera modificata in questo modo può reinfettare un computer anche dopo aver reinstallato il sistema operativo.

La vulnerabilità è causata dalla mancanza di autenticazione del firmware e dalla presenza del supporto USB Gadget in Linux. Ciò consente di compromettere completamente la parte software del dispositivo. Dopo la scoperta del problema nell’aprile 2025, Lenovo ha rilasciato un aggiornamento firmware alla versione 4.8.0 e, in collaborazione con SigmaStar, ha preparato uno strumento per correggere il difetto.

Gli esperti sottolineano che questo attacco dimostra una pericolosa lacuna nel modello di fiducia: sia i sistemi aziendali che quelli domestici spesso si fidano automaticamente delle periferiche in grado di eseguire codice e accettare istruzioni remote. I dispositivi vulnerabili possono rappresentare una minaccia non solo per il computer in uso, ma anche per qualsiasi altro a cui vengano successivamente connessi.

L'articolo BadUSB. Uno Spyware nella webcam: il bug Lenovo che minaccia milioni di PC proviene da il blog della sicurezza informatica.

Durante la conferenza DEF CON33 incentrata sulla sicurezza, un team di specialisti del settore, Yair e Shahak Morag, provenienti da SafeBreach Labs, hanno illustrato una categoria innovativa di attacchi di tipo denial-of-service (DoS), a cui hanno dato il nome di \”Win-DoS Epidemic\”. La ricerca dimostra come gli aggressori possano bloccare qualsiasi endpoint o server Windows, compresi i controller di dominio (DC) critici, e persino utilizzare i DC pubblici come armi per creare una botnet DDoS di grandi dimensioni.

Le loro scoperte, che comprendono quattro vulnerabilità DoS di Windows a una falla Distributed Denial-of-Service (DDoS) attivabile senza clic, sono state presentate dai due ricercatori. I difetti scoperti, tutti classificati come “consumo incontrollato di risorse”, includono:

• CVE-2025-26673 (CVSS 7.5): una vulnerabilità DoS di elevata gravità in Windows LDAP.
• CVE-2025-32724 (CVSS 7.5): una vulnerabilità DoS di elevata gravità in Windows LSASS.
• CVE-2025-49716 (CVSS 7.5): una vulnerabilità DoS di gravità elevata in Windows Netlogon.
• CVE-2025-49722 (CVSS 5.7): una vulnerabilità DoS di media gravità nello spooler di stampa di Windows, che richiede un aggressore autenticato su una rete adiacente.

Un attacco DoS riuscito contro un DC può paralizzare un’intera organizzazione, rendendo impossibile agli utenti effettuare l’accesso, accedere alle risorse o eseguire le operazioni quotidiane. “Presentiamo “Win-DoS Epidemic”: strumenti DoS che sfruttano quattro nuove vulnerabilità zero-click Win-DoS e una Win-DDoS! Bloccano qualsiasi endpoint/server Windows, inclusi i DC, o lanciano una botnet utilizzando DC pubblici per attacchi DDoS. L’epidemia è iniziata”, hanno affermato i ricercatori.

I controller di dominio costituiscono la spina dorsale della maggior parte delle reti aziendali, gestendo l’autenticazione e centralizzando la gestione degli utenti e delle risorse. Il lavoro dei ricercatori si basa sulla loro precedente scoperta, la vulnerabilità LdapNightmare (CVE-2024-49113), che è stata il primo exploit DoS pubblico per un controller di dominio Windows. Le nuove scoperte ampliano significativamente questa minaccia, andando oltre il solo LDAP per abusare di altri servizi Windows principali.

youtube.com/embed/Itqhjh-5XmY?…

Questo comportamento consente a un aggressore di sfruttare l’immensa potenza di decine di migliaia di DC pubblici in tutto il mondo, trasformandoli in una botnet DDoS enorme, gratuita e non rintracciabile. L’attacco non richiede infrastrutture speciali e non lascia tracce forensi, poiché l’attività dannosa ha origine dai DC compromessi e non dal computer dell’aggressore.

La scoperta più allarmante è la nuova tecnica DDoS, che i ricercatori hanno chiamato Win-DDoS. Questo attacco sfrutta una falla nel processo di referral del client LDAP di Windows. In un’operazione normale, un referral LDAP indirizza un client a un server diverso per soddisfare una richiesta. Yair e Morag hanno scoperto che, manipolando questo processo, potevano reindirizzare i DC a un server vittima e, cosa fondamentale, hanno trovato un modo per far sì che i DC ripetessero incessantemente questo reindirizzamento.

Questa tecnica rappresenta un cambiamento significativo negli attacchi DDoS, poiché consente attacchi ad alta larghezza di banda e ad alto volume senza i costi o i rischi tipici associati alla configurazione e alla manutenzione di una botnet.

L'articolo Win-DoS Epidemic: I nuovi attacchi DoS e DDoS partono da Microsoft Windows proviene da il blog della sicurezza informatica.

ElectroSim Industrial è una macchina virtuale educativa che simula la piattaforma operativa di una tipica azienda elettrica, mettendo insieme controllo dei consumi, monitoraggio industriale e nozioni essenziali di cybersecurity. L’ambiente è pensato per studenti, insegnanti e professionisti in formazione, offrendo un laboratorio reale dove praticare in maniera concreta con tecnologie e protocolli utilizzati nei sistemi OT/ICS.

Il cuore della simulazione si basa su componenti noti e affidabili nell’ambito industriale: OpenPLC per la logica di controllo, Node-RED per i flussi dati dei sensori, InfluxDB per la memorizzazione delle serie temporali, Grafana per dashboard dinamiche, Mosquitto per le comunicazioni IoT, e MariaDB per gestire dati di clienti e servizi elettrici. L’aspetto difensivo include strumenti come Suricata per il monitoraggio della rete e UFW/Fail2Ban per la sicurezza perimetrale

L’ambiente è disponibile in due versioni: una versione leggera senza interfaccia grafica, da usare in modalità terminale, e una GUI basata su XFCE per chi preferisce un’esperienza visuale completa. Entrambe le versioni sono distribuite tramite file .ova, pronti per essere importati in VirtualBox. Con pochi click si avvia la VM, si accede con credenziali predefinite e si è subito pronti a sperimentare interfacce come Grafana, Node-RED e InfluxDB tramite browser.

Il progetto è volutamente “pulito”: non contiene flussi, dashboard o dati preconfigurati. Questo design stimola la creazione autonoma di flussi in Node-RED, la definizione di dashboard in Grafana, l’inserimento e l’interrogazione di dati su InfluxDB, e la sperimentazione di configurazioni di automazione e difesa personalizzate. È un ottimo punto di partenza per chi vuole mettersi alla prova con scenari OT reali, acquisire competenze pratiche e comprendere le dinamiche di un ecosistema elettrico simile a quelli industriali.

ElectroSim Industrial è un progetto significativo per chi vuole esplorare la sicurezza informatica del mondo OT/ICS usando uno strumento concreto e accessibile. L’autrice, Ivanka Fernández Leivas, ha reso l’ambiente disponibile sotto licenza Creative Commons CC BY-ND 4.0, consentendo la condivisione e uso a fini educativi (ma non modifiche o distribuzioni alterate). Nel complesso, è una risorsa preziosa per formazione, didattica e autopratica in scenari industriali simulati

L'articolo ElectroSim: L’ambiente virtuale per hacker etici per studiare le falle di sicurezza dei sistemi OT/ICS proviene da il blog della sicurezza informatica.

Having owned an Amiga microcomputer is apparently a little bit like having shaken hands with Shoggoth: no one can escape unchanged from the experience. Thirty-two years on, [Neil] at The Retro Collective remains haunted by the memories — specifically, the memory of BlitzBasic 2, an Amiga-specific programming language he never found the time to use. What better time to make a game for the Amiga than the year 2025 of the common era?

[Neil] takes us on a long journey, with more than a little reminiscing along the way. BlitzBasic may not have been the main programming language for the Amiga, but it was by no means the least, with a good pedigree that included the best-selling 1993 game Skidmarks. Obviously BlitzBasic was not a slow, interpreted language as one might think hearing “BASIC”. Not only is it a compiled language, it was fast enough to be billed as the next best thing to C for the Amiga, according to [Neil].

[Neil] wasn’t the only one whose dreams have been haunted by the rugose touch of the Amiga and its scquomose BlitzBasic language– you’ll find a version on GitHub called AmiBlitz3 that is maintained by [Sven] aka [honitas] to this day, complete with an improved IDE. The video includes a history lesson on the open-source AmiBlitz, and enough information to get you started.

For the vibe-coders amongst you, [Neil] has an excellent tip that you can use LLMs like ChatGPT to help you learn niche languages like this not by asking for code (which isn’t likely to give you anything useful, unless you’ve given it special training) but by requesting techniques and psudocode you can then implement to make your game. The LLM also proved a useful assistent for [Neil]’s excel-based pixel art workflow.

If you’re wondering why bother, well, why not? As [Neil] says, writing Amiga games is his version of a crossword puzzle. It may also be the only way to keep the dreams at bay. Others have taken to writing new operating systems or reproducing PCBs to keep vintage Amiga hardware alive. If some gather under the light of the full moon to chant “Ia! Ia! Commodore f’thagan”– well, perhaps we can thank them for Commodore for rising from the sunless depths of bankruptcy once again.

youtube.com/embed/DES1oyCOSYs?…

hackaday.com/2025/08/10/amiga-…

In questo episodio ci dedichiamo sempre alla creatività, ma con particolare attenzione ai video e alle immagini.

zerodays.podbean.com/e/io-e-ch…

We lost a true legend this week with the passing of NASA astronaut Jim Lovell at the ripe old age of 97. Lovell commanded the ill-fated Apollo 13 mission back in 1970, and along with crewmates Jack Swigert and Fred Haise — along with just about every person working at or for NASA — he managed to guide the mortally wounded Odyssey command module safely back home. While he’s rightly remembered for the heroics on 13, it was far from his first space rodeo. Lovell already had two Gemini missions under his belt before Apollo came along, including the grueling Gemini 7, where he and Frank Borman undertook the first long-duration space mission, proving that two men stuffed into a Volkswagen-sized cockpit could avoid killing each other for at least two weeks.

Lovell also served as Command Module Pilot on Apollo 8, the first crewed mission to lunar orbit. Apollo 8 was notable for its many technical and scientific accomplishments, but it’s perhaps best known as the mission where Lunar Module Pilot Bill Anders, who died only last year in a plane crash, proved his photography chops by capturing the iconic Earthrise image, as well as (probably) the first full-disk image of Earth from space. Along with Gemini 12, Lovell racked up four flights, making him the first person to reach that number, and spent nearly a solid month in space. He was also the only person to make it to lunar orbit twice without having landed on the surface, which we’d have found int½olerable, but which he always seemed to take in stride.

youtube.com/embed/7EP0qaBo-tc?…

We harp on about the Apollo era all the time not only because we’re rapidly losing its alumni — with the passing of Jim Lovell, only five astronauts from the program are left, and every one of them is in their 90s — but because the achievements from that program were so definitional and formative to many of us who went into STEM. Magazines such as Popular Mechanics played a similar role, too, which is why we were excited to find out about this massive online trove of PM issues stretching all the way back to 1902. The digitized volumes are maintained by a variety of archives, including The Internet Archive and Google Books, and it looks like every issue through the end of 2005 is included and free of charge to browse. We were charmed to learn that the classic “Written so that you can understand it” tagline made its first appearance on the masthead way back on issue 6. In a lot of ways, Hackaday is the spiritual successor to PM and other magazines like it, but with 123 years of publication under its belt, we’ve got a ways to go to catch up.

It looks like the speaker schedule for HOPE_16 is filling up fast, as you’d expect since the conference is next weekend. The lineup looks fantastic; our early unofficial award for best talk title goes to Kody Kinzie’s Meshtastic talk “Spooky Action at a Discount.” If you’re planning to attend the conference, we’d love to get a heads-up on talks we should cover once the videos are published, so hit us up at tips@hackaday.com.

And finally, we’d have sworn the era of building dams was long gone in the United States, but it seems we were mistaken. A massive dam project, the Chimney Hollow Reservoir Project, is nearing completion in Colorado, and Aaron Witt got to take a second look at the project after first checking it out in 2023. The earthen dam, which will be 350 feet tall and over 1,000 feet wide at completion, is somewhat unique in that it doesn’t impound an existing stream, but rather will collect water from the Colorado River via a tunnel through the mountain that abuts the dam. Also unique is the asphalt core of the dam. Most earthen dams use a layer of packed clay to prevent the flow of water, but since clay was hard to come by locally, they used an extra gooey wall of asphalt two feet thick. As is typical for Aaron, he geeks out on the heavy equipment, which we can’t complain about at all, but it’s the civil engineering that really caught our fancy. Enjoy!

youtube.com/embed/0eFTrOpueYE?…

hackaday.com/2025/08/10/hackad…

These days, if you want to flash some LEDs, you’d probably grab a microcontroller. Maybe you’d go a little more old-school, and grab a 555. However, [Jacob] is even more hardcore than that, as evidenced by this chunky electromechanical flasher build.

[Jacob] goes into great detail on his ancillary write-up, describing how the simple building blocks used by industrial control engineers can be used to make a flasher circuit that cycles once per second. Basically, two relays are paired with two 0.5-second delay timers. The two relays tag each other on and off on delay as their timers start and expire, with the lamp turned on and off in turn.

We’ve had lots of other great entries to our One Hertz Challenge, too — from clocks to not-clocks. There’s still time to get an entry in — the deadline for submission is Tuesday, August 19 at 9:00AM Pacific time. Good luck out there!

hackaday.com/2025/08/10/2025-o…