


CDN: does Agcom's move revive the specter of fair share?

This article comes from #StartMag and is reshared on the Lemmy community @Informatica (Italy e non Italy 😁)
On CDNs, the Authority reiterates that it will not introduce network fees or intervene in the interconnection market. The legal framework startmag.it/innovazione/cdn-la…



GPT-5: leak of some significant system messages of the new AI engine


@Informatica (Italy e non Italy 😁)
By using these systems one can certainly discover the policies and rules chosen by their developers, but something always slips through. Recently the new GPT-5 was hit by a leak of the secret prompts used to govern the engine. The




RomCom exploits a zero-day vulnerability in WinRAR


@Informatica (Italy e non Italy 😁)
In recent days, the APT group RomCom (also known as Storm-0978 or Tropical Scorpius) has returned to the spotlight for exploiting a zero-day vulnerability in WinRAR, a widely used file compression tool. The vulnerability, identified as CVE-2025-8088, is a path traversal that




Microsoft accused in California over the end of Windows 10 support


A lawsuit has been filed in California against Microsoft, accusing it of prematurely ending support for Windows 10 and forcing users to buy new devices. The plaintiff, Lawrence Klein, a San Diego resident, argues that the decision to stop security updates on October 14, 2025 will affect about 240 million computers worldwide, half of which will be unable to upgrade to Windows 11 because of its strict hardware requirements.

According to him, this will force millions of people to pay for “extended support” (from $30 per year for consumers to $244 per year for businesses in the third year) or to replace working devices, creating mountains of electronic waste and exposing data to cyberattacks.

The lawsuit claims that Microsoft is exploiting its dominant position in the operating system market to promote a new line of devices with Windows 11 and a built-in AI assistant called Copilot, which requires advanced neural processing units (NPUs).

This, according to Klein, gives the company a competitive advantage in the fast-growing generative AI market, while limiting user choice and reducing incentives for competitors.

It also notes that the Windows 10 support cycle is almost half that of previous versions of the operating system, and that users did not receive clear information about the end of support and its consequences when they bought their devices.

Beyond financial losses and compatibility problems, Klein highlights the security risks, including for organizations that handle sensitive data. He asks the court to order Microsoft to extend free support for Windows 10 until the user base falls below a reasonable threshold, or else to relax the requirements for Windows 11 and require mandatory disclosure of support periods and associated risks when devices are sold.

The article “Microsoft accused in California over the end of Windows 10 support” comes from il blog della sicurezza informatica.



How monkeys with tablets reveal the secrets of our obsession with smartphones


Why can't we tear ourselves away from screens, even after we have found what we were looking for? Why do we keep scrolling feeds mindlessly while time flies? Scientists are looking for answers to these questions, and perhaps monkeys with iPads can help.

In an experiment conducted at the Japanese Central Institute of Experimental Medicine and Life Sciences, 14 monkeys were placed in a cage with tablets for 10 minutes. Nine short silent videos of different primate species were shown on the screen at the same time. If the animal touched one of the videos, it expanded to fill the whole screen and the speakers played the characteristic monkey call.

These “training sessions” were held two or three times a week for two months. The goal of the experiment was not to compare humans and monkeys using screens, but to test whether these animals could be used as a model for studying learning and the effects of visual and auditory stimuli on behavior. In other words, whether they would perceive sounds and images as rewards, as happens with a piece of fruit.

The results were promising. According to the authors, the experiment showed that the monkeys' behavior in front of the touchscreen could be shaped and maintained using audiovisual stimuli. By the end of the two months, eight of the ten animals included in the final analysis were touching the screen consistently, indicating an established association with the “reward”.

But what was particularly interesting was the next phase, the “extinction” test.

The researchers turned off the reward: when touched, the screen stayed dark and the audio did not play. The four monkeys did not reduce their activity and kept touching the screen. This could mean that a mere change in the image, even a minimal one, can keep interest alive, which in some way explains why we can scroll TikTok for hours without feeling that we have received anything of value.

The researchers stress that this model could help to better understand how people's dependence on screens forms and persists, and what influences the development of dependence on audiovisual stimuli.

The work was published in the International Journal of Comparative Psychology.

The article “How monkeys with tablets reveal the secrets of our obsession with smartphones” comes from il blog della sicurezza informatica.





Physical Aimbot Shoots For Success In Valorant


Modern competitive games have a great deal of anti-cheat software working to make sure you can’t hack the games to get a competitive advantage. [Kamal Carter] decided to work around this by building a physical aimbot for popular FPS Valorant.

The concept is straightforward enough. [Kamal] decided to hardmount an optical mouse to a frame, while moving a mousepad around beneath it with an off-the-shelf Cartesian CNC platform, but modified to be driven by DC motors for quick response. This gave him direct control over the cursor position which is largely indistinguishable from a human being moving the mouse. Clicking the mouse is achieved with a relay. As for detecting enemies and aiming at them, [Kamal] used an object detection system called YOLO. He manually trained the classifier to detect typical Valorant enemies and determine their position on the screen. The motors are then driven to guide the aim point towards the enemy, and the fire command is then given.

The system has some limitations—it’s really only capable of completing the shooting range challenges in Valorant. The vision model isn’t trained on the full range of player characters in Valorant, and it would prove difficult to use such a system in a competitive match. Still, it’s a neat way to demonstrate how games can be roboticized and beaten outside of just the software realm. Video after the break.

youtube.com/embed/fr02fxc-5jo?…


hackaday.com/2025/08/11/physic…



Malware hidden in SVG images on adult sites: the new scheme for hiding Trojans


A new scheme for distributing malicious code disguised as .svg images has been discovered on dozens of foreign adult-content sites. As Malwarebytes experts found, the attackers embed obfuscated JavaScript code in these files which, when clicked, starts a hidden chain of scripts that ends with the download of Trojan.JS.Likejack.

This malware silently clicks the “Like” button on a predefined Facebook post if the victim has an account open on the social network at that moment. In this way, pages with explicit content gain greater visibility thanks to the compromised browsers.

SVG (Scalable Vector Graphics) differs from the usual .jpg and .png in that it stores data as XML text. This allows the image to be scaled without losing quality, but it also allows HTML and JavaScript to be embedded inside it. This capability has long attracted attackers, since it opens the way to XSS attacks, HTML injection and DoS attacks. In this case, the authors of the malicious files used a modified JSFuck technique, which encodes JavaScript in a set of characters, making analysis difficult.

After the initial decoding, the script loads new code fragments, which are also hidden from analysis. The final stage of the attack is forced interaction with Facebook elements, which violates the platform's rules. Facebook blocks such accounts, but the authors of the scheme quickly return with new profiles.

Similar techniques have been observed before. In 2023, hackers used the .svg tag to exploit an XSS vulnerability in the Roundcube web client and, in June 2025, researchers recorded phishing attacks with a fake Microsoft login window, also opened by an SVG file.

Malwarebytes now links the identified cases to dozens of WordPress sites that distribute malicious content in a similar way.

The article “Malware hidden in SVG images on adult sites: the new scheme for hiding Trojans” comes from il blog della sicurezza informatica.
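
A defender-side check for the SVG features described above, as an added example (not code from Malwarebytes or from the original article): it parses an SVG as XML and flags script elements, event-handler attributes, active-scheme links, embedded HTML containers, and script text dominated by the six classic JSFuck characters. The function names, thresholds and both sample files are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# The six characters of classic JSFuck; the "modified" variant may use others.
JSFUCK_CHARS = set("[]()!+")
JSFUCK_MIN_LEN = 40      # assumption: skip scripts too short to judge
JSFUCK_MIN_RATIO = 0.6   # assumption: heuristic threshold, tune on your own corpus
ACTIVE_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def local(name):
    """'{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def jsfuck_ratio(code):
    """Share of non-whitespace characters drawn from the JSFuck alphabet."""
    chars = [c for c in code if not c.isspace()]
    if not chars:
        return 0.0
    return sum(c in JSFUCK_CHARS for c in chars) / len(chars)


def scan_svg(svg_text):
    """Return a list of (kind, detail) findings for one SVG document."""
    # Refuse DTDs up front: the stdlib parser is not hardened against entity tricks.
    if re.search(r"<!(DOCTYPE|ENTITY)", svg_text, re.IGNORECASE):
        return [("doctype", "DTD or entity declaration present, not parsed")]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("malformed", str(exc))]

    findings = []
    for el in root.iter():
        tag = local(el.tag)
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):            # onload, onclick, ...
                findings.append(("event-handler", f"<{tag}> {attr}"))
            elif attr == "href":                 # href and xlink:href
                target = re.sub(r"\s+", "", value).lower()
                if target.startswith(ACTIVE_SCHEMES):
                    findings.append(("active-href", f"<{tag}> {target[:30]}"))
        if tag == "foreignobject":
            findings.append(("foreign-object", "embedded HTML container"))
        elif tag == "script":
            code = "".join(el.itertext())        # includes CDATA content
            size = len(code.strip())
            findings.append(("script", f"{size} chars inline"))
            ratio = jsfuck_ratio(code)
            if size >= JSFUCK_MIN_LEN and ratio >= JSFUCK_MIN_RATIO:
                findings.append(("jsfuck-like", f"ratio {ratio:.2f}"))
    return findings


# Constructed samples. The JSFuck-style text is a harmless fragment
# that evaluates to the string "ffffffff".
JSFUCK_SAMPLE = "(![]+[])[+[]]+" * 8 + "[]"
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)
SUSPICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<a xlink:href="javascript:void(0)"><rect width="10" height="10"/></a>'
    "<script><![CDATA[ " + JSFUCK_SAMPLE + " ]]></script></svg>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(doc))
```

Any finding is a reason to treat an uploaded or downloaded SVG as active content and not as a plain image; serving it with a restrictive Content-Security-Policy or re-rendering it to a raster format removes the script surface entirely.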



China bets on humanoid robots! A package of measures on the way for 10,000 units by 2027


Beijing announced a package of support measures for humanoid robots at the World Robot Conference (WRC) 2025, with the goal of reaching an annual production capacity of 10,000 units by 2027. The new policy includes initiatives aimed at expanding real-world scenarios for robots and broad subsidies that will cover the entire value chain of humanoid robot production.

As part of the initiative, attention has gone to the Robomall, described as a 4S robot store, and the Robot Restaurant opened in Beijing. The venues are designed to create sales channels for robots and, at the same time, give the public the opportunity to interact with the technology.

Morgan Stanley said in a note: “We believe that continued government support will be key to accelerating adoption in China and establishing China's leadership in intelligent robots on a global scale.”

The capital's initiatives represent a significant step in China's efforts to become a world leader in humanoid robot technology and production.

The measures announced in Beijing mark a strategic acceleration in the race for global leadership in humanoid robots. With ambitious production targets, extensive subsidies and concrete initiatives, the Chinese capital is creating an ecosystem in which industry, research and consumers can interact directly, narrowing the distance between technological development and practical application.

If these policies succeed, China will not only be able to consolidate its competitive advantage, but could also redefine the global landscape of intelligent robotics.

Government support, combined with faster adoption in real-world scenarios, could turn humanoid robots from technological curiosities into central components of daily life and the global economy.

The article “China bets on humanoid robots! A package of measures on the way for 10,000 units by 2027” comes from il blog della sicurezza informatica.



Calipers: Do You Get What You Pay For?


Generally, you think that if you pay more for something, it must be better, right? But that’s not always true. Even if it is true at the lower end, sometimes premium brands are just barely better than the midrange. [Project Farm] looks at a bunch of different calipers — a constant fixture around the shop if you do any machining, 3D printing, or PCB layout. The price range spans from less than $10 for some Harbor Freight specials to brands like Mitutoyo, which cost well over $100. Where’s the sweet spot? See the video below to find out.

The first part of the video covers how much the units weigh, how smooth the action is, and how much force it takes to push it down. However, those are not what you probably care most about. The real questions are how accurate and repeatable they are.

If you just want a summary of the first part of the video, skip to the ten minute mark. The table there shows that the three instruments that have the most consistent force on the slide range in price from $27 to $72. The $454 pair (which, to be fair, included a micrometer) was number six by that measure. The smoothness factor, which is somewhat subjective, came in favor of the most expensive pair, but there was a $25 caliper that was nearly as good in the number two slot.

Using a calibration block and some special techniques, he attempts to see how accurate they all are. We wish he’d used millimeters instead of inches, but in the inch range, none of them are bad. Only one set had a real problem of not making consistent readings.

If you want to jump right to the tables again, jump to the 17:20 mark. With two exceptions, they were all mostly accurate and fell into three groups. We wondered if there are three different chipsets involved. The cheapest caliper in the first group cost $27 and was as good as the expensive Mitutoyo. The second group ranged from $18 to as much as $40 and were only 0.000675 inches (only 0.017145 mm) off from the higher group.

Which was the best? That table is at about the 18:00 minute mark. In all fairness, the best, by his estimation, did cost $144, so it was the second most expensive set in the review. But that’s still cheaper than the Mitutoyo, which placed third. The fourth-place set was good, too, and came in at $27. For a few bucks less, the sixth-place caliper was also good.

Do you know how to do all the measurements your calipers are capable of? Ever wonder what’s inside those things? We did too.

youtube.com/embed/z5KtKAee0jw?…


hackaday.com/2025/08/11/calipe…




Watertight and Wireless in One Go: The DIY Sea Scooter



To every gadget, tool, or toy, you can reasonably think: ‘Sure I could buy this… but can I make it myself?’ And that’s where [Ben] decided he could, and got to work. On a sea scooter, to be exact.

This sea scooter was to be a fully waterproof, hermetically sealed 3D-printed underwater personal propulsion device, with the extreme constraint that the entire hull and mechanical interfaces are printed in one go. No post-printing holes for shafts, connectors, or seals. It also meant [Ben] needed to embed all electronics, motor, magnetic gearbox, custom battery pack, wireless charging, and non-contact magnetic control system inside the print during the actual print process.

As [Ben] explains, both Bluetooth and WiFi ranges are laughable once underwater. He elegantly solves this with a reed-switch-based magnetic control system. The non-contact magnetic drive avoids shaft penetrations entirely. Power comes from a custom 8S LiFePO₄ pack, charged wirelessly through the hull. Lastly, everything’s wrapped in epoxy to make it as watertight as a real submarine.

The whole trick of ‘print-in-place’ is that [Ben] pauses the builder mid-print, and drops in each subsystem like a secret ingredient. Continuing, he tweaks the printer’s Z-offset, and onwards it goes. It’s tense, high-stakes work; a 14-hour print where one nozzle crash means binning hundreds of dollars’ worth of embedded components.

Still, [Ben] took the chance, and delivered a cool, fully packed and fully working sea scooter. Comment below to discuss the possibilities of building one yourself.

youtube.com/embed/6IO8PidCOrc?…


hackaday.com/2025/08/11/watert…



A ‘massive failure’ in Kansas: Two years since the Marion County Record raid


The police raid of the Marion County Record’s newsroom on Aug. 11, 2023, shocked the country but proved to be just one of a series of alarming attacks on local journalism that year. It was also a preview of how lawless and incompetent governments can use strained constructions of the law as pretext to retaliate against journalists they dislike, as we now see not only in small-town America but at the federal level. As the death of Record co-owner Joan Meyer the next day tragically proved, by the time justice takes its course — if it ever does — the damage has often already been done.

We asked investigative journalist Jessica McMaster to reflect on her award-winning coverage of the raid for KSHB-TV in Kansas City, Missouri. The interview is below. You can also read about or watch our discussion with Record publisher Eric Meyer earlier this year.

On a Friday afternoon in 2023, news broke of a police raid of the Marion County Record newsroom and its publisher Eric Meyer’s home. Did you realize right away that this needed to be not just a statewide story but a national one?

I realized right away this was a big story. Once the news broke that Joan Meyer died, I knew we had to go to Marion — the backlash was immediate and the responses were coming in from across the country.

Over the course of many months, it became clear that the raid wasn’t a random instance of police overresponding to a citizen complaint. Details began to emerge about local officials, including the police chief, Gideon Cody, and their conduct before, during, and after the raid — even before coming to Marion. Plenty of great local journalists did amazing work covering the story, but you seemed to get a large share of the big scoops. Without divulging any confidences, how were you able to pull it off, especially being based in Kansas City, not particularly close to Marion?

I worked a lot of hours. In the beginning, we stayed overnight in Marion. After that, it was a lot of driving back and forth, while taking calls from sources at all hours of the night. I’d been a journalist long enough to know that a story this big doesn’t die down for a few weeks. We made the commitment to drive the five-hour round trip daily. I didn’t always know what our angle would be, but I knew I’d find it.

“If journalists are not willing to report on the ongoing attacks against the free press, who will?”


Jessica McMaster

Talk about the level of transparency — or lack thereof — that you encountered from government officials, both in Marion and statewide, during your reporting on the raid. What were some of the challenges you needed to overcome, in terms of secrecy and accessing information that was of public interest?

Gideon Cody wasn’t talking. The county attorney wasn’t talking. The Kansas Bureau of Investigation was saying very little. Almost immediately, it had the appearance that everyone involved in this was covering their own tail — and of course they were. This was a huge mess. We leaned on the gift of open records laws to get most of our information. Getting emails and text messages helped piece the parts of the story together that those in power wanted to remain a secret. We knew they’d try and block us — we were prepared to fight back. There were times when we had to get our attorneys involved when information was being withheld. On a story like this, the details don’t reveal the truth all at once. It trickles out over time. It’s always fun to look back and see how it all comes together — one information request, or leak, at a time.

At Freedom of the Press Foundation (FPF), we were glued to your X feed for real-time updates. We probably weren’t the only ones. Can you talk about the challenge of breaking news on social media while also investigating the bigger stories?

This is one of my favorite parts about covering a big story — connecting with people in real time. I had people from other countries sending me emails and tweeting to me that they were following me for updates. I was not asked to use social media in real time by my employer — it’s just something I’d become accustomed to doing since early on in my career. With Marion, we were getting updates constantly — social media made it easy to get that information out quickly. I don’t see using social media as a challenge — I think it’s a tool to connect with our followers more authentically and bring them along on the journey with us. Of course, if I have to get my broadcast script in urgently, or I have to be on camera within the next few minutes, I’ll take a break from providing live updates and come back to it once I’m done.

Were there any stories you were able to break while covering the raid that you felt were particularly important to the public’s understanding of what went on?

We broke so many stories over the first couple of months. I remember driving to Marion during that first week of coverage. I didn’t know what the story would be on this particular day. It was our plan to find the story once we got there. About an hour into our trip, while driving past a cornfield, my cellphone rings and it’s the attorney for Marion County Record. He tips me off that the county attorney has revoked the search warrants. He gave me a two-minute head start before he planned to tell all the other reporters. This was arguably the biggest break in the case — it’s the first time officials publicly admitted the raids shouldn’t have happened. This squashed any doubts of wrongdoing on behalf of the newspaper — and people, especially in Marion — did have their doubts. So, of course, I’m scrambling to get this information out there. Minutes after I broke the news on X, the county attorney sent a press release to all newsrooms with his statement on revoking the warrants.

“It’s hard for a lot of us to grasp that so many people, in positions of power, failed in such spectacular fashion to do their jobs.”


Jessica McMaster

What insights did you come away with about the state of press freedom in Kansas and in the United States?

This was a massive failure by several people within the justice system. I think that’s what’s so shocking about this entire thing — most of us assume a police chief would understand press freedom laws. If a police chief doesn’t, we’d assume a county attorney would. If a county attorney doesn’t, we’d assume a district judge would. If no one understands these laws — surely someone will look it up. The amount of layers Gideon Cody’s attack on the newspaper survived is astonishing. What did all these people, who are supposed to understand the law, think the response would be? I think it’s hard for a lot of us to grasp that so many people, in positions of power, failed in such spectacular fashion to do their jobs.

Do you think the raid had an ongoing chilling effect on journalism?

I think the chilling effect comes from a culmination of attacks that have been launched against the free press over the past several years. We’ve seen this play out in other instances, during protests for example, where police assault or arrest journalists for doing their jobs. I think Marion was another example of that.

Despite your award-winning work on the raid and all the other great work you’ve done, less than two years after the raid, your position at KSHB-TV, Kansas City’s NBC affiliate, was eliminated. What does that say about the state of the news industry and whether local investigative reporting is valued these days?

The company I worked for always valued investigative journalism — it’s why I stayed in my position for a decade. I think what we’re seeing is that many local newsrooms are becoming more and more risk averse. I personally felt this shift over the past few years. When newsrooms operate from a place of fear, it’s very difficult for reporters to do their job, especially investigative reporters who, by nature, do more high-risk, accountability-focused stories.

What’s next for you? I saw that your X post about the layoff said your time as an investigative journalist was coming to an end. Are you done with journalism or are you going to look for a way back in? And why?

I love journalism. I believe in its purpose. I believe in its power. We need solid journalists who aren’t afraid to hold the powerful accountable. That said, I don’t see myself stepping back into a newsroom. At least not anytime soon. I took the summer off to focus on my kids and reflect on what I want to do next, which has been such a gift. I plan to keep writing and creating content for something I believe in.

Journalists often feel like covering press freedom stories is difficult, because they’re making themselves the story or because their objectivity will be questioned, for example. What do you say to that, and what’s your advice to journalists and editors wondering whether it’s a good idea to report on press freedom violations?

Stick to the facts. That’s my advice. While I didn’t initially know why police raided the newspaper, I knew this was fundamentally wrong. I knew police should’ve served a subpoena, as opposed to busting down the doors. I knew the free press has protections, both locally and federally. All of that gave me grounds to cover this story. It can be uncomfortable reporting on something so closely tied to our personal lives — but if journalists are not willing to report on the ongoing attacks against the free press, who will?


freedom.press/issues/a-massive…




Drug trafficker Federico Starnone arrested in Colombia, thanks in part to Interpol's anti-'Ndrangheta network I-CAN


He is a 44-year-old fugitive, wanted by the Italian authorities for criminal association aimed at international drug trafficking, with aggravating circumstances connected to two separate attempts to import large quantities of cocaine from South America.

He is believed to be linked to the 'Ndrangheta. He was captured in an apartment in the residential district of Cali.

A sentence of five and a half years for drug offenses has already been issued against Starnone. The man was captured by the Colombian police while he was in an apartment in the residential district in the capital of the Valle del Cauca department.

The contribution of the INTERPOL Cooperation Against ‘Ndrangheta (I-CAN) project was essential.

This is an initiative launched by Italy and INTERPOL in January 2020 to counter the global threat posed by the ‘Ndrangheta, known to be a highly organized and powerful transnational criminal organization.

Funded by the Italian Department of Public Security, the project aims to strengthen international police cooperation by leveraging INTERPOL's capabilities for sharing intelligence, expertise and best practices, thereby turning information into arrests and dismantling criminal networks.

Launched in Reggio Calabria, the project's main objective has been, from the outset, to establish a global early-warning system against this "invisible enemy". I-CAN operates through a network of pilot countries, which initially included Australia, Argentina, Brazil, Canada, Colombia, France, Germany, Italy, Switzerland, the United States and Uruguay, and which has expanded to 13, including Austria, Belgium and Spain.

The project facilitates coordinated cross-border operations, as shown by the 2020 global operation that led to the arrest of six fugitives linked to the 'Ndrangheta in Albania, Argentina and Costa Rica, with the resulting seizure of 400 kg of cocaine and the dismantling of the Bellocco clan. Subsequent operations have continued to produce results, including the 2023 arrest in France of a fugitive of 16 years, Edgardo Greco, with I-CAN's support.

The project has evolved beyond its initial phase, with ongoing initiatives including the 2022 I-CAN Conference in Rome, which brought together law enforcement from 14 countries to define a unified strategy against the 'Ndrangheta, now regarded as a "silent and pervasive" criminal entity that infiltrates legitimate economies through corruption and money laundering.

The project's success rests on a combination of intelligence sharing, international coordination and the use of advanced analytical tools to explore data from different sources, enabling transnational investigations. Its framework continues to support ongoing efforts, including the I-FORCE project, focused on regional cooperation in Eastern and South-Eastern Europe.


#ndrangheta #ican #interpol #iforce

@Attualità e Geopolitica - Gruppo di discussione




Compliant Contacts: Hacking Door Locks with Pen Springs



As you may have guessed given our name, we do love hacks around here, and this one is a great example of making some common, everyday things work in uncommon ways. [Nathan] sent in his hack to detect the door lock position in his basement.

Having a house that dates back to the 1890s, much of it was not very conducive to using off-the-shelf home automation devices. [Nathan] wanted a way to check the status of the basement deadbolt. He went about putting together a custom sensor using some spare parts, including a spare BeagleBone Black, and some springs from a ballpoint pen. Going full MacGyver, [Nathan] used springs from a ballpoint pen to craft a compliant contact for his sensor.

The pair of springs sat in the door frame and came in contact with the deadbolt; given they are springs, the exact position of the sensor was not very sensitive, as if too close it would just compress the springs slightly more. The springs were wired to the BeagleBone Black’s GPIO, acting as a switch to sense when there was conductivity between the springs through the deadbolt.

This wasn’t just a plug-it-in-and-it-works type of project, mind you; the BeagleBone Black was over 15 ft away from the sensors, lending plenty of opportunity for noise to be introduced into the lines. To combat this, [Nathan] created an RC filter to filter out all the high-frequency noise picked up by his sensor. Following the RC filter, he added in some code to handle the debounce of the sensor, as the springs have some inherent noise in them. Thanks [Nathan] for sending in your resourceful hack; we love seeing the resourcefulness of reusing things already on hand for other purposes. Be sure to check out some of the other repurposed components we’ve featured.


hackaday.com/2025/08/11/compli…



Building A Trash Can Reverb


These days, if you want a reverb effect, you just dial up whatever software plugin most appeals to you and turn the dials to taste. However, [Something Physical] specialises in… physical things… and thus built a reverb the old fashioned way. Using a trashcan, of course.

The concept is simple enough—the method of operation is exactly the same as any old plate reverb. Audio is played through a speaker connected to the plate (or trashcan), causing it to vibrate. The sound is then picked up at another point on the plate (or trashcan) with some kind of microphonic pickups, amplified, and there you have your reverb signal.

Given it’s built around a piece of street furniture, [Something Physical] has dubbed this the Street-Verb. It uses a class D amp to drive a speaker with a bolt stuck to it. The bolt is then put in contact with the trashcan itself to transfer the vibration. A pair of piezo elements are used as the pickups, run through preamps built with a humble BC109C transistor. Since there are two pickups, the Street-Verb is effectively a stereo reverb unit, though the input is only mono. [Something Physical] set up the speaker driver and pickups to be easily movable, and was able to test the device with all kinds of street furniture, like gates and street signs, but the trashcan ‘verb setup is by far the most compelling.

We’ve featured other plate reverb builds before, too, albeit less garbage-themed. Video after the break.

youtube.com/embed/J2e8JIxW1g4?…


hackaday.com/2025/08/11/buildi…



Neon Bulbs? They’re a Gas!


When you think of neon, you might think of neon signs or the tenth element, a noble gas. But there was a time when neon bulbs like the venerable NE-2 were the 555 of their day, with a seemingly endless number of clever circuits. What made this little device so versatile? And why do we see so few of them today?

Neon’s brilliant glow was noted when William Ramsay and Morris Travers discovered it in 1898. It would be 1910 before a practical lighting device using neon appeared. It was 1915 when the developer, Georges Claude, of Air Liquide fame, received a patent on the unique electrodes suitable for lighting and, thus, had a monopoly on the technology he sold through his company Claude Neon Lights.

However, Daniel Moore in 1917 developed a different kind of neon bulb while working for General Electric. These bulbs used coronal discharge to produce a red glow or, with argon, a blue glow. This was different enough to earn another patent, and neon bulbs found use primarily as indicator lamps before the advent of the LED. However, it would also find many other uses.

How It Worked


An NE-2 with AC power applied (public domain by [junkyardsparkle]).

Despite the name, a neon bulb typically has only 99.5% neon, and the rest is usually argon, which tunes the voltage where the gas breaks down. This breakdown voltage is the key to the bulb’s properties. The gas is at a very low pressure. Other gases and impurities can also change the color of the bulb, but the most common ones were neon and argon.

There are two electrodes within, an anode and a cathode. When a DC voltage excites the bulb sufficiently, a glow forms around one electrode. AC makes both electrodes glow alternately. The striking voltage changes based on ambient light or radioactive exposure, as well as the bulb’s gas mix and pressure.

Until the strike voltage occurs, the bulb is effectively an open circuit. When it does strike, however, the resistance goes down and will sustain even at a lower voltage. Like an LED, current limiting is essential, or the bulb will burn out. The NE-2, arguably the most common neon bulb, triggers at 90 V, nominally, and will conduct until the voltage drops to about 60 V.

So It Lights Up?


The lighting up is good, but you do need a lot of voltage to get it going. The bulb will easily light up from 120 V line voltage, for example. But the really interesting property is that the bulbs, when glowing, exhibit negative resistance. That is, as current increases, voltage decreases.

You can also make the bulbs operate in a bistable mode, where they can work in logic circuits. They weren’t common, but some bulbs had special features for logic use. These bulbs were not made to glow necessarily, and sometimes had a third wire used as a control electrode.

Since the gas inside the tube can ionize, neon bulbs can also detect things like light, microwaves, or heavy electrostatic fields. They can even pick up audio.

What Could You Do?


Of course, the normal application was to use the devices as a lamp, like you’d use an LED today. Power pilot lights were common. Special neon lights looking like digits form the basis of nixie tubes.

Another neat display trick was the “blown fuse” indicator. Fuse holders often had neon bulbs in them that connected across the fuse terminals. In normal operation, the voltage across the fuse was practically zero, so the bulb stayed dark. But if the fuse blew, you’d have 120 V across the bulb, which would then light up. A high-value resistor prevented any significant current from flowing.

By far the most common non-lighting use was as a part of a relaxation oscillator. Consider a circuit with a resistor and a capacitor, but the capacitor has a neon bulb across it. The capacitor will charge until it hits the neon bulb’s trigger voltage. The bulb will light and discharge the capacitor until it drops below the holding voltage for the bulb. Then the process starts over. You could use neons to make a clock.

Long History

The NE-2 could create high-voltage regulator circuits (from Elementary Electronics, 1965)
[E. Norbert Smith] wrote about the “1001” uses for the NE-2 — probably not an exaggeration, but [Smith] didn’t get that many in the article — in a 1965 Elementary Electronics magazine article.

The circuits he shows include a 50 V regulated power supply. (Regulators weren’t held to the same standard in those days as we would expect now.) Need 150 V? Use three of them. Or put them in parallel to improve regulation performance.

Some of the circuits are probably not useful if you aren’t building with tubes. And, of course, if you aren’t building with tubes, you are less likely to have the high voltages you need, so there is that.

He also covers the classic self-indicating fuse and the relaxation oscillator. Of course, if you can make one neon bulb blink, you can also make two blink alternately. Blink it fast enough and you can make a code practice oscillator with just a few parts and a 90 V battery.
A 100 kHz oscillator gets the divide by 10 treatment with a simple neon bulb circuit (from Elementary Electronics, 1965)
If you wondered how neon bulbs could handle logic, that same article will answer that question, too. Just be aware that a logic 1 is 10 V — not a problem — but a logic 0 is -10 V. The nice thing about demonstrating logic circuits with neon bulbs is that you don’t need a logic probe or scope to see the state of the machine.

There were many other ways to use these bulbs. Since the trigger voltage was stable, you could use it as a voltage indicator if you coupled it with a voltage divider. In fact, many cheap AC socket testers still work this way. A typical circuit for a capacitor checker could be found in “36 Time Tested Circuits,” a book from Popular Electronics.
This capacitor tester required a keen eye and sense of timing. From a collection of circuits from Popular Electronics, 1992.
The capacitor is hooked up to the AC line via some 470 kΩ resistors. If you connect a capacitor to it, the neon bulb should light up. If not, it is open. When you push the button, you switch to DC, and you should be able to see one side of the neon bulb dim. If it doesn’t dim or doesn’t go all the way off, the capacitor is shorted or leaky. Supposedly, you could get a feel for the value of the capacitor by how long it took half of the bulb to go out. Makes you appreciate your digital capacitance meter, right?

Why Gone?


Why do you so rarely see neon bulbs today? They are still around, but the number of circuits you have where you have the requisite 100 V or so to drive them is not what it used to be. On top of that, as an indicator, an LED is usually a far better choice.

If you want negative resistance, your choices are less obvious. Some special diodes present a negative resistance in certain operating regimes, and you can coax the behavior from some transistors. However, as a matter of practicality, today, you’d probably just use an active switch and be done with it, especially for an oscillator circuit. Then again, if you really want an oscillator, as we are always reminded, you can do it with a 555, among other methods.

We have no doubt that [Smith] was right. There are probably at least 1,001 different uses, but you get the idea. Did you use an NE-2 for something interesting? Let us know about it in the comments. Still want more neon bulb circuits? We’ve seen plenty.


hackaday.com/2025/08/11/neon-b…



End Of The Eternal September, As AOL Discontinues Dial-Up


If you used the internet at home a couple of decades or more ago, you’ll know the characteristic sound of a modem connecting to its dial-up server. That noise is a thing of the past, as we long ago moved to fibre, DSL, or wireless providers that are always on. It’s a surprise then to read that AOL are discontinuing their dial-up service at the end of September this year, in part for the reminder that AOL are still a thing, and for the surprise that in 2025 they still operate a dial-up service.

There was a brief period in which instead of going online via the internet itself, the masses were offered online services through walled gardens of corporate content. Companies such as AOL and Compuserve bombarded consumers with floppies and CD-ROMs containing their software, and even Microsoft dipped a toe in the market with the original MSN service before famously pivoting the whole organisation in favour of the internet in mid 1995. Compuserve was absorbed by AOL, which morphed into the most popular consumer dial-up ISP over the rest of that decade. The dotcom boom saw them snapped up for an exorbitant price by Time Warner, only for the expected bonanza to never arrive, and by 2023 the AOL name was dropped from the parent company’s letterhead. Over the next decade it dwindled into something of an irrelevance, and is now owned by Yahoo! as a content and email portal. This dial-up service seems to have been the last gasp of its role as an ISP.

So the eternal September, so-called because the arrival of AOL users on Usenet felt like an everlasting version of the moment a fresh cadre of undergrads arrived in September, may, at least in an AOL sense, finally be over. If you’re one of the estimated 0.2% of Americans still using a dial-up connection, don’t despair, because there are a few other ISPs still (just) serving your needs.


hackaday.com/2025/08/11/end-of…



Siri sends data to Apple without warning: AppleStorm reveals the truth


Experts at Lumia have published a technical investigation called AppleStorm, which claims that the Siri voice assistant transmits more user data to Apple's servers than is needed to complete its tasks. In particular, attention focused on messages dictated through Siri in the WhatsApp and iMessage messaging apps: apparently, they are sent to the company's servers even when the task can be processed locally, without accessing cloud systems.

Apple claims high privacy standards and uses a hybrid artificial intelligence model that combines local processing with the Private Cloud Compute (PCC) cloud service. However, it emerged that Siri also contacts other servers that are not part of the PCC architecture. These include the dictation servers, the search infrastructure (subdomain smoot.apple.com) and separate Apple Intelligence extension servers, through which, for example, interaction with ChatGPT takes place.

During the experiments, the researchers used the mitmproxy and Frida tools on macOS Sequoia with Apple Intelligence enabled. Simple queries such as “Hello” or “What time is it?” were processed locally. However, when asking about the weather, two external connections were recorded: one to the speech recognition server, the second to the search service. Analysis of the transmitted data showed that Siri automatically collects information about the applications installed on the device, even if they are running in a virtual environment. Thus, when asking about the weather, calls were recorded both to the built-in Apple Weather application and to the Windows application in the Parallels environment.

In addition, the data sent contained the exact coordinates of the user's location. Even with location sharing formally enabled, such details would be redundant for a weather request. Packet analysis also revealed the transmission of metadata about other applications, down to the names of files and processes open at the time of the Siri request.

The transmission of message content raises particularly sharp questions. When Siri was used to send a phrase via WhatsApp, it was found that the text, the recipient's number and other message attributes were sent to Apple servers and not to the PCC infrastructure. However, the functionality does not depend on the server side: even when the connections are blocked, the message is sent correctly. This indicates that the upload to the cloud happens without technical necessity.

In an attempt to clarify whether this is related to the specifics of WhatsApp's integration via SiriKit, the researcher created a test application of their own based on Apple's documentation and found identical behavior: messages sent via Siri from the test application were also routed to Apple servers. A similar picture is observed with iMessage.

The complexity of the privacy policies adds to the confusion. Siri and Apple Intelligence are governed by different documents. As a result, two nearly identical commands, for example “What's the weather today?” and “Ask ChatGPT what the weather is?”, are processed by different systems with different levels of protection and different data collection conditions. The user has no way of knowing which subsystem will be used.

Apple acknowledged the data transfer but did not consider it an Apple Intelligence issue. Instead, it attributed part of the blame to third-party developers using SiriKit. However, Siri itself is clearly sending more data than necessary, and doing so without the user's knowledge. Transparency is one of Apple's main slogans when it comes to artificial intelligence, but in practice it is implemented selectively.

The article Siri sends data to Apple without warning: AppleStorm reveals the truth comes from il blog della sicurezza informatica.





Linus Torvalds: “This is Garbage”! Critical of the RISC-V patch for Linux 6.17


Linus Torvalds harshly criticized the first batch of RISC-V patches proposed for inclusion in Linux 6.17, saying that the changes arrived too late and contained what he called “garbage” unrelated to RISC-V that affected the kernel's common headers.

He was particularly annoyed by the new helper macro make_u32_from_two_u16(), which according to Torvalds made the code less clear and made things worse. He noted that simply writing out the form (a showed immediately what was going on, while using the “helper” obscured the word order and introduced ambiguity.
No, this is garbage and it came in too late. I asked for early pull requests because I'm traveling, and if you can't follow that rule, at least make the pull requests *good*. This adds various unwanted things that are not RISC-V specific to generic header files. And by “garbage” I really mean it. This is stuff that nobody should send me, let alone late in a merge window. Like this crazy and pointless make_u32_from_two_u16() “helper”. That thing makes the world a worse place to live. It's useless garbage that makes any user incomprehensible, and actively *WORSE* than not using that stupid “helper”.
Torvalds stressed that such changes should not appear in generic headers, much less be made at the end of the merge window. He warned that he will no longer accept late pull requests or allow “garbage” to be created outside the RISC-V architecture tree.

According to him, the authors will be able to retry these changes only in version 6.18 and only at the beginning of the merge window, without controversial and unnecessary changes.

The episode shows that, even in an open and collaborative ecosystem like Linux, inclusiveness does not mean accepting any contribution without a filter. Open source was created to be accessible, but it requires discipline, consistency and technical quality. As Torvalds has shown, integration and review rules serve to preserve the stability and clarity of the code, avoiding the introduction of unnecessary or harmful changes.
But wasn't open source supposed to be inclusive? Yes, but inclusive does not mean indulgent toward “garbage”: it means ensuring that every contribution is valid, useful and well integrated, in the interest of the whole community.

The article Linus Torvalds: “This is Garbage”! Critical of the RISC-V patch for Linux 6.17 comes from il blog della sicurezza informatica.



Stampa Romana: the slaughter of Palestinian journalists continues, mobilization needed


It is only thanks to the work of these reporters that the tragedy of Gaza is before the eyes of the world, since the Israeli army has always denied access to independent journalists, leaving room for embedded reporters under its control. In the very hours when Anas Al-Sharif and his colleagues were being killed, Netanyahu's press conference was broadcast unfiltered on public television (RaiNews 24). These are episodes that should make the profession reflect on the role of information in conflicts, on the need to report and bear witness to the facts, to put statements in context, and to resist the pressure of propaganda. A broad mobilization is needed more than ever to defend free and independent information, and the right and duty to be witnesses to the facts on the ground.

The ASR Secretariat


dicorinto.it/associazionismo/s…



“Let us follow the example of Chiara, who faces evil unarmed and disarming.” This is the hope of Card. Matteo Maria Zuppi, archbishop of Bologna and president of the CEI, who today, Monday 11 August, presided over the celebration in the basilica of Santa Ch…


#Trump and #Putin by the fireside


altrenotizie.org/primo-piano/1…




Anduril accelerates in the Indo-Pacific. New agreements with Taiwan and South Korea

@Notizie dall'Italia e dal mondo

After America and Europe, Anduril has set its sights on the Indo-Pacific as well. The US emerging tech company, a leader in AI applied to defense, has recently concluded two agreements that lay the groundwork for its future expansion in the Far East. On the one hand



The human voiceover artists behind AI voices are grappling with the choice to embrace the gigs and earn a living, or pass on potentially life-changing opportunities from Big Tech. #AI #voiceovers


Voiceover Artists Weigh the 'Faustian Bargain' of Lending Their Talents to AI


Acting is an industry of feast and famine, where performers’ income can swing widely by role, by month, and by year. It’s a field where people often face the choice between passion, creativity, and taking a commercial gig for a check. As with so much else, this delicate personal calculation is now being disrupted by AI.

Last month, online actors’ jobs boards were flooded with a very specific, very well-paid role. Nestled between student short film gigs and callouts for background dancers, was the ambiguously-named opportunity “Technology Company AI Project.” According to the job listing on cast and crew job board Mandy, it would pay up to $80,000, for only 19 total hours of work. This is unusually high for an industry where a national-level ad campaign for a big brand might pay $6,000.

The post was from voice acting talent agency Voice123, casting on behalf of a project by Microsoft. According to the listing, the company was looking for voice actors across 19 languages, with specific regional dialects and accents including “French from France native” and “Arabic as spoken by Palestinian/Israeli Arab communities.”

“I get instant notifications, and I was getting so many of them,” said Katie Clark Gray, a podcaster and voice actor. The rate stood out to her. “The jobs that I tend to see are, like, £250 [about $339 USD]... it was, like, a lot of posts. The money seemed like a lot.” She said that it’s rare to get that many notifications for a recognizable brand.

The role would include recording “conversations, character voices, and natural speech to help train AI systems,” Crispin Alfario, a recruiter for the role on the Voice123 platform, told 404 Media. Alfario could not comment further due to privacy terms, but said there was “a positive response during the castings for these projects.” Clark Gray said that advertised AI roles like this are increasing in scope and in scale, and that she now sees far fewer roles available for employee training video work or industrial roles like phone menu voices — the area she got her start in over a decade ago.

She sees accepting AI training voiceover roles as something of a Faustian bargain: They might seem like a lot of money, but they reduce the amount of work available in the future. “You're still taking away tomorrow's meal because they're offering you a little bit more,” she said. “Those 19 hours… will scale to hundreds and thousands of hours of AI output. They would otherwise have to pay for it.”



Katie Clark Gray practicing takes for a voiceover script.

I called Microsoft’s PR to ask if I could chat to someone involved in casting for the roles that Clark Gray had spotted, on the same day that Microsoft CEO Satya Nadella published a note about the “recent job eliminations” of four percent of staff and pledged to “reimagine every layer of the tech stack for AI.” The next day, less than two weeks after Clark Gray spotted the Microsoft ads, the company announced a new virtual character for Copilot, the trial version of which is currently only available in English. After that announcement, a Microsoft spokesperson confirmed to me that the voiceover roles I asked about were for Copilot Voice, and that they will “continue to look for more talent as [they] expand these capabilities.” I hadn’t been sure that the audition posts were linked to Copilot, but the confirmation from Microsoft confirmed that the posts that Clark Gray had spotted had been in advance of the product announcement.


Hunter Saling, an actor and comic based in LA, said he’s seeing more and more roles which have an AI component or require signing an AI waiver. He auditioned for a “Siri-type AI assistant,” in May. The role would have paid an amount of money where he “wouldn’t need a job” for a long time.

“You'd be providing a whole bunch of stuff up front,” he said, “and then be paid as a performer, as a voiceover artist, to come back on a yearly basis to do more stuff.”



Hunter Saling practicing takes for a voiceover script.

I wondered if this was another situation where an audition was the first public hint of a product launch in the space, but Saling couldn’t tell me the company he’d auditioned for, due to confidentiality. I kept an eye out for new Siri-type AI agents that might be able to pay life-changing money and, while I was writing this story, on July 17, OpenAI launched their ChatGPT agent—a Siri-type AI assistant. OpenAI is also known to use Mercor, an AI-enabled recruitment platform, which was recently posting about voice casting for a “top AI Lab.”

The AI-assistant voice audition process was very different from usual, Saling said. He described the voice he did as “the performance of no performance;” a voice that was “not personality free, but, like, neutral, but friendly and helpful.” He describes the work he did on the audition as “not children's host, but also not robotic either… I read a story, some recipe directions, and some just general sentences.”

On August 7, OpenAI announced ChatGPT 5 which would have several new personalities, but the company said that those personalities would not apply to voice mode.

Being selected for this kind of windfall could alter the course of an actor’s life.

One part of the audition script stood out to Saling: He was asked to “affirm” someone. “That did start to send me on a bit of a mental spiral of, oh, my God, someone needs affirmation from their home assistant.”

Auditioning for this role also posed an ethical question. “I will say I was surprised in myself that I was OK doing this,” he said. “More and more I'm seeing AI disclaimers that, by auditioning for this, you agree to have your voice and likeness used and replicated. I hate that.”

The last couple of years have seen the entertainment industry in turmoil over the use of AI in screen and voiceover work. Both the four-month SAG-AFTRA actors’ strike in 2023 and their almost year-long video games strike, which ended last month, focused on the use of AI. The agreements which ended the strikes describe different industry categories of AI use, differentiating between the kind of AI which digitally alters or replicates the work of a particular actor, and generative AI which is trained using actors’ work or creates a “synthetic performer.”
Saling does agree with this technical difference, between delivering an artistic or creative performance that can be altered, perfected, or smoothed out later, and providing a voice to be re-created for industrial use, like in an AI assistant. Creating the neutral voice of an AI assistant, to be generatively replicated, is industrial, rather than artistic; “this is something that... it's not a performance, it's not a character. It's a tool,” he said.

Clark Gray is not financially dependent on her voice acting career, and her calculus in auditioning is different. She didn’t submit for the Microsoft role, but “wouldn't fault anybody for going out for that job,” she said. “That’s a year’s salary for a lot of people.” But she also feels a difference in applying for creative voiceover roles vs industrial ones; “​I think the cartoon voices are much more fun. I don't know anybody who doesn't,” she said. “You do bring a sort of artistic, like, extra sauce to it. Creating a character really does take something different than reading something in a neutral voice.”

Saling said that he thinks the adoption of AI taps into the entertainment industry’s commercially-driven but counterproductive desire to create mass appeal via synthetic perfection. “Sometimes I feel like Lear yelling at a storm on the fucking cliff,” he added — with a theatricality ChatGPT could only dream of.




The OverDrive is made to let ground vehicles navigate tough terrain with minimal input from humans. #military #AIbots


The U.S. Army Is Testing AI Controlled Ground Drones Near a Border with Russia


The U.S. Army tested a fully AI controlled ground vehicle in Vaziani, Georgia—about 100 miles from the Russian border—last month as part of a training exercise. In military-published footage, an all wheel, off-road vehicle about the size of a car called ULTRA navigated the European terrain with ease. The training exercise had the ULTRA resupplying soldiers, but both the military and the machine’s creator think it could do much more.
The Pentagon has invested in drones and AI for decades, long claiming that both are the future of war. The appearance of the ULTRA signals a time when AI controlled robots will populate the battlefields of the near future.

“ULTRA was built to be modular and mission-adaptable from the start,” Chris Merz, an employee of Overland AI, the company behind ULTRA, said according to an Army press release. “We are actively developing variants that support casualty evacuation, counter-unmanned aircraft systems, and terrain shaping operations.”
youtube.com/embed/OwxPodELAQA?…
ULTRA runs on Overland AI’s proprietary OverDrive software, a system that’s designed to give AI full control over ground vehicles on the battlefield. Overland AI did not return 404 Media’s request for comment, but its website claims it can retrofit OverDrive onto traditional vehicles and its YouTube page has a video claiming to show the AI piloting a Ripsaw M5 tank.
youtube.com/embed/H8D7AtW1Lqo?…
Overland AI is a Seattle based company that started in 2022. It’s gained a lot of buzz in the last few years as a pioneer of AI software meant to control unmanned ground vehicles (UGVs). Jon Fink, Overland AI’s CTO, explained how its software worked during a presentation at a defense tech showcase earlier this year.

During the demo, Fink showed footage of a field test where an ATV navigated hazardous terrain with minimal input from a human. Fink said the company’s OverDrive software is “purpose built for the warfighter. It’s built in order to enable the operator so it can remotely task a system so it can autonomously move through an environment without reliance on detailed maps or communication back with that operator.”

The big challenge of AI systems like this is that they need to be able to navigate the terrain on their own without looking at a map. GPS is often jammed or unavailable on the battlefield. So a robot will need to use cameras and other sensors to make decisions about how to move through a warzone in real time. In the video, the operator drops a few waypoints on a map of the area and clicks a button to launch the ATV. “Note while we’re specifying all these tasks, I’m not like zooming in, looking very close at detailed information that I might have from a satellite, because I can’t necessarily trust that,” Fink said. Satellite imagery can become outdated quickly on a chaotic battlefield. “I’m really giving the system just a coarse idea of what I need it to do to accomplish my mission.”
youtube.com/embed/8TFoDcG1Z0U?…
The U.S. Army’s test last month has been a long time coming. “This isn’t new,” Samuel Bendett, a drone expert at the Center for Strategic and International Studies, told 404 Media. “This has been in development for many, many years […] this is at least a decade’s worth of research, development, testing, and evaluation of different levels of autonomy with different technologies.”

Russia, China, and the United States are all working on AI controlled ground vehicles. Drones require an operator which means a human being needs to maintain contact with a device over vast distances. That’s easier to do when the machine is a robot flying through the sky, but ground vehicles have to contend with signal-blocking debris and are easier targets for ground troops.

“Communication between the UGV operator and the operator can be jammed if it’s radio, the communication can be severed if it’s done via cable, communication may be endangered if it’s an aerial drone that’s trying to provide signal strength and overwatch capabilities,” Bendett said. “Operators have to be in relative proximity to their UGVs, and that, of course, somewhat negates the point of using UGVs instead of people. If people are close to their UGV, they can be discovered and killed.”

AI answers a lot of these problems. If an operator can give a set of simple instructions to a machine and let it operate independently, then it need not be in constant contact. In his presentation earlier this year, Fink noted that the AI controlled ATV adjusted its speed as it navigated terrain, all on its own. “We haven’t set any sort of speed limits or specifications to the system when we tasked it, we basically just told it: ‘Go to these general locations’ and it’s taking care of all of the decisions as it needs to,” he said.

There are major concerns about warfighter machines making decisions by themselves. UN Secretary-General António Guterres has called for a ban on autonomous weapon systems, calling them “morally repugnant.” In Gaza, Israel is using AI models from OpenAI and Microsoft to make targeting decisions and Israeli intelligence officers have told reporters that information provided by the AIs were treated “as if it were a human decision.”

Right now, Overland AI’s OverDrive AI stack is just for helping a ground vehicle navigate, and Bendett said it’s ahead of the pack. “The Holy Grail of autonomy is translating that intuitive human experience into a UGV that will be able to navigate, on its own, through rough terrain, mixed terrain, uncertain terrain, which is what we’re seeing with Overland UGVs,” he said.

What could this thing be used for? “The number one goal for these kinds of UGVs is logistics and supplies,” Bendett said. “Medical evacuation is becoming a growing concern and UGVs are also used for that.”

It, of course, won’t stop there. “UGVs used in combat can be mounted with all manners of weapons,” Bendett said.

The U.S. Army did not respond to 404 Media’s request for comment.




WHEN ARTIFICIAL INTELLIGENCE STARTS PLAYING WITH CYBERSECURITY…

@Informatica (Italy e non Italy 😁)

Ever heard of RunSybil? It is a startup founded by the person who was OpenAI's first security researcher...
The article WHEN ARTIFICIAL INTELLIGENCE STARTS PLAYING WITH CYBERSECURITY… comes from GIANO NEWS.
#TECNOLOGIA



Smartphone Hackability, or, A Pocket Computer That Isn’t


Smartphones boggle my mind a whole lot – they’re pocket computers, with heaps of power to spare, and yet they feel like the furthest from it. As far as personal computers go, smartphones are surprisingly user-hostile.

In the last year’s time, even my YouTube recommendations are full of people, mostly millennials, talking about technology these days being uninspiring. In many of those videos, people will talk about phones and the ecosystems that they create, and even if they mostly talk about the symptoms rather than root causes, the overall mood is pretty clear – tech got bland, even the kinds of pocket tech you’d consider marvellous in abstract. It goes deeper than cell phones all looking alike, though. They all behave alike, to our detriment.

A thought-provoking exercise is to try to compare smartphone development timelines to those of home PCs, and see just in which ways the timelines diverged, which forces acted upon which aspect of the tech at what points, and how that impacted the alienation people feel when interacting with either of these devices long-term. You’ll see some major trends – lack of standardization through proprietary technology calling the shots, stifling of innovation both knowingly and unknowingly, and finance-first development as opposed to long-term investments.

Let’s start with a fun aspect, and that is hackability. It’s not perceived to be a significant driver of change, but I do believe it to be severely decreasing chances of regular people tinkering with their phones to any amount of success. In other words, if you can’t hack it in small ways, you can’t really make it yours.

Can’t Tinker, Don’t Own


In order to tinker with your personal computer, you need just that, the computer itself. Generally, you need a whole other computer to hack on your smartphone; sometimes you even need a custom cable, and it’s not rare that you can’t do it at all. Phone tinkering is a path you explicitly set out to do, whereas computer-based hacking is something you can do idly.
A Nokia N900 in hands of a user (by Victorgrigas, CC BY-SA 3.0)
There’s good reasons for this, of course – first, a phone was generally always a “subservient” device not meant or able to be used as a development bench unto itself. Then – phones started really growing in an age and an environment where proprietary technology reigned supreme, with NDAs and utter secrecy (particularly for GSM modems with their inordinate amount of IP) being an especially prominent fixture in the industries surrounding phones. Even Android’s open-source technology was mostly for manufacturers’ benefit rather than a design advantage for users, as demonstrated by the ever-worsening non-open-source driver situation.

Only a few phones ever bucked these trends, and those that did, developed pretty devoted followings if the hardware was worthwhile. Just look at the Nokia N900 with its hardware capability and alt OS support combo, Pixel phones with their mainline kernel support letting alternative OSes flourish, or old keypad Motorolas with leaked baseband+OS source code. They’re remembered pretty fondly, and it’s because they facilitated hacking, on-device or even off-device.

Hacking starts by probing at a device’s inner workings, deducing how things work, and testing the boundaries, but it doesn’t happen when boundaries are well-protected and hidden away from your eyes. A typical app, even on Android, is surprisingly non-explorable, and unlike with PCs, again, if you want to explore it, you need a whole other device. Does it benefit app developers? For sure. I also have a strong hunch it doesn’t benefit users that we could otherwise see become developers.

Part of it is the need to provide a polished user experience, a respectable standard to have, especially so for producing pocket computers to be used by millions of people at once. However, I’d argue that modern phones are suffocating, and that the lack of transparency is more akin to encasing an already reliable device in epoxy for no reason. A device designed to never ever challenge you, is a device that can’t help you grow, and it’s not really a device you can grow attached to, either.

Of course, complaints are one thing, and actionable suggestions are another.

What Do?


If I were asked how to fix this, I wouldn’t limit myself to opening filesystems back up to a user’s exploration habits, beyond the way they were open even in early Android days. I think modern phones could use a pre-installed Python interpreter, with a healthy amount of graphics libraries, a decent amount of control over the system, snappy well-configured autocomplete, and a library of example scripts you could edit in place; essentially, an Arduino IDE-like environment.

In other words, let people easily program phones to flash the screen every time an SMS from a specific person is received, or start audio recording when the user taps the touchscreen three times as the phone’s locked, or send accelerometer movements into a network socket as fast as the OS can receive them. Then, let them wrap those programs into apps, share apps easily with each other, and, since the trend of fast obsolescence requires regular collective infusions of cash, transfer them from phone to phone quickly.

By the way, if days of Bluetooth and IrDA transfers evaded you, you missed out. We used to stand next to each other and transfer things from one phone to another, a field previously handled, but nowadays these things are somehow relegated to proprietary technologies like AirDrop. This isn’t a problem for personal computers, in fact, they somehow keep getting better and better at it; just recently, I transferred some movies between two laptops using a Thunderbolt cable during a flight, and somehow, this was one of the few “wow” moments that I’ve had recently with consumer-grade tech.

The idea is pretty simple on its own – if phones are to be personal computers, they should be very easy to program.

The Doohickey Port


What about a bonus suggestion, for hardware customization? USB-C ports are really cool and powerful, but they’re relatively bespoke, and you only ever get one, to be unplugged every time you need to charge or sync. Plus, even if you have OTG, all that 5V step-up action isn’t great for the battery, and neither are USB hardware/firmware stacks.

I like I2C. Do you like I2C? I know most of you do. I enjoy I2C a lot, and I like how it’s decently well standardized, to the point things tend to just work. It’s not as great at as many things as USB can be, but it’s also comparably low-frills, you don’t need a software stack or a hefty bespoke board. For the most part, with I2C, you can just send bytes back and forth. It’s a low-bandwidth yet high-impact bus, with a healthy amount of devices you can attach to it. Also, CPUs tend to have plenty of I2C ports to go around, often leaving a good few to spare.

What else? Keeping up with the times, these days, you can manufacture flex PCBs decently quickly, with stiffener at no extra cost, and for dirt cheap, too. On a physical level, phones tend to come with cases, overwhelmingly so. In a way, there’s suddenly plenty of free space on the back of a phone, for those with the eyes to see, and that’s after accounting for the ever-increasing camera bump, too.

My bonus idea to make phones more customizable at low entry level, would be an I2C accessory port. In effect, a latch-less FFC socket with exposed I2C, and some 3.3V at non-negligible power. Of course, protect all lines electrically, current-limit the 3.3V and make its power switchable. With modern tech, you don’t need to compromise waterproofing, either, and you can add a whole bunch of protection to such a port.

From there, you can get GPIOs, you can get PWM, and so much more. You could have a reasonably simple GPIO expansion, but also a fully-fledged board with DACs and ADCs bolted on, or a servo control board, or an extra display of the kind phone designers like to add once in a generation, only to find it never be used by third-party apps as sales numbers never really reach the point of wider adoption. Experimental chording keyboards, touch surfaces, thermal pixel sensors,

Does it feel like you’ve seen that implemented? Of course, this resembles the PinePhone addon scheme, with FPCs wedged between the back cover and a set of pogo pins. Notably though, this kind of standard is about having compatibility between models and even manufacturers. You also shed a lot of Bluetooth cruft generally required when developing accessories for modern phones. It requires a flex PCB, sure, but so do pogopin schemes, and there’s barely any mechanics compared to a pogopin array. Is it more fragile than a pogopin array? Yes, but it’s fragile addon-side, not as much phone-side, whereas pogopin arrays tend to be the opposite.

A Sketch And A Dream


Of course, this also relies on the aforementioned Python interpreter, and a decent exposed I2C API. If the only way to tinker with yours and others’ accessories is through bespoke intransparent apps you need a whole different device to make (or modify, if you’re lucky), the hackability aspect wanes quick. In essence, what I’m proposing is a phone-contained sandbox, not in a security sense, but in an educational sense. Personal computers have been serving as sandboxes for decades now, and yet, phones could never really fulfill such a niche.

I think one of the big problems with modern phones is that a phone is barely ever a sandbox, all for mostly historic reasons. Now, if that’s the case, we should make it one. If it’s a sandbox, then it can be molded to your needs through hacking and tinkering. If it can be molded to your needs, then it belongs to you in a whole different way. Will this happen? Quite unlikely, though, I do feel like making some prototypes. Instead, it’s about highlighting a significant aspect that contributes to tech alienation, and imagining how we could solve it given enough market buy-in.


hackaday.com/2025/08/11/smartp…



New flaw in 7-Zip: symbolic links turn an extraction into a hack


A security flaw recently identified in the well-known file-compression software 7-Zip has raised considerable concern within the information security community. All versions of 7-Zip prior to 25.01 are affected by this vulnerability, which stems from improper handling of symbolic links during file extraction.

Tracked as CVE-2025-55188, the flaw was discovered and reported by security researcher Landon on August 9, 2025; it allows attackers to perform arbitrary file writes during archive extraction, potentially leading to code execution on vulnerable systems. When users extract a maliciously crafted archive containing unsafe symbolic links, 7-Zip follows these links during extraction, allowing attackers to write files to locations outside the intended extraction directory.

The vulnerability exploits 7-Zip's symbolic link processing mechanism. According to the security advisory, the attack requires specific conditions to succeed. Once these conditions are met, attackers can create malicious archives containing symbolic links that point to sensitive system files. Once extracted, 7-Zip follows these symbolic links, allowing attackers to overwrite critical files such as SSH keys, .bashrc files, or other system configurations.

On Linux systems, attackers need the target to use a vulnerable version of 7-Zip while extracting an archive format that supports symbolic links, such as ZIP, TAR, 7Z, or RAR files. The exploitation process is simpler in Linux environments. On Windows systems, additional requirements must be met for successful exploitation. The 7-Zip extraction process must have elevated privileges or run in Windows developer mode in order to create symbolic links. This makes Windows systems less vulnerable, but not immune to the attack.

Despite receiving a CVSS score of 2.7, which classifies it as low severity, security experts warn that the practical impact could be far more significant. The vulnerability allows attackers to gain unauthorized access and execute code by targeting sensitive files that control system behavior. The vulnerability is particularly concerning because 7-Zip displays file paths before symbolic link resolution, allowing attackers to hide the true destination of their malicious writes.

Version 25.01 of 7-Zip, released on August 3, 2025, fixes this vulnerability with improved symbolic link handling. The update includes significant security improvements to prevent the creation of unsafe symbolic links during archive extraction.

The article New flaw in 7-Zip: symbolic links turn an extraction into a hack comes from il blog della sicurezza informatica.
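A pre-extraction audit for the symlink pattern described above, as an added example that is not from the article or from 7-Zip: it reads a TAR archive's member list with Python's `tarfile` and reports symbolic links whose target leaves the extraction root, plus any later entry whose path passes through an archived symlink. The function names, the conservative policy of flagging every write through an archived link, and the in-memory sample archive are assumptions made for illustration.

```python
import io
import tarfile
from posixpath import dirname, isabs, join, normpath

def _escapes(path):
    """True if a normalized archive path leaves the extraction root."""
    return isabs(path) or path == ".." or path.startswith("../")

def audit_tar(fileobj):
    """List (member, reason) findings for a tar archive without extracting it."""
    findings, links = [], set()   # links: symlink paths seen earlier in the archive
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            name = normpath(m.name)
            if _escapes(name):
                findings.append((m.name, "member path outside extraction root"))
                continue
            # An entry whose path is, or passes through, an archived symlink
            # would be written wherever that link resolves at extraction time.
            parts = name.split("/")
            prefixes = ("/".join(parts[:i]) for i in range(1, len(parts) + 1))
            via = next((p for p in prefixes if p in links), None)
            if via:
                findings.append((m.name, f"written through symlink {via}"))
            if m.issym():
                # Symlink targets are relative to the link's own directory.
                target = normpath(join(dirname(name), m.linkname))
                if _escapes(target):
                    findings.append((m.name, "symlink target outside extraction root"))
                links.add(name)
    return findings

def build_sample():
    """Constructed sample archive, built in memory; all names are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=None, link=None):
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            else:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
        add("docs/readme.txt", b"hello\n")
        add("docs/latest", link="readme.txt")    # stays inside the root
        add("cfg", link="../../home/user")       # target leaves the root
        add("cfg/.bashrc", b"# constructed\n")   # would land behind the link
    buf.seek(0)
    return buf
```

Calling `audit_tar(build_sample())` reports the `cfg` link and the `cfg/.bashrc` entry while leaving the in-root `docs/latest` link alone; an archive with findings can be rejected or extracted into a throwaway directory under an unprivileged account.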




As for families with disabled children “in a situation of ascertained severity”, it is provided that “the parents, alternately, are entitled each month to three days of paid leave, which may also be taken consecutively, provided that the child…


Five days of paid leave for Vatican employees on the birth of a child; three days of paid leave each month for parents of disabled children.



#NoiSiamoLeScuole: with #PNRR funds earmarked for the construction of new schools, two schools in Sicily and one in Lombardy have been demolished and are now being rebuilt.