This document pool contains updates and resources on the EU's proposed 'Regulation laying down rules to prevent and combat child sexual abuse' (CSA Regulation)

The post CSA Regulation Document Pool appeared first on European Digital Rights (EDRi).

Un Initial Access Broker mette in vendita accesso ai server di Nike USA in un celebre forum underground.

Un post apparso recentemente su un forum del dark web ha sollevato nuove preoccupazioni in merito alla sicurezza delle grandi aziende internazionali. Un Initial Access Broker (IAB), ovvero un attore specializzato nella compromissione e nella rivendita di accessi a reti aziendali, ha dichiarato di avere a disposizione credenziali o punti di ingresso validi per i sistemi di Nike USA oppure, di un suo fornitore di terze parti.

Disclaimer: Questo rapporto include screenshot e/o testo tratti da fonti pubblicamente accessibili. Le informazioni fornite hanno esclusivamente finalità di intelligence sulle minacce e di sensibilizzazione sui rischi di cybersecurity. Red Hot Cyber condanna qualsiasi accesso non autorizzato, diffusione impropria o utilizzo illecito di tali dati. Al momento, non è possibile verificare in modo indipendente l’autenticità delle informazioni riportate, poiché l’organizzazione coinvolta non ha ancora rilasciato un comunicato ufficiale sul proprio sito web. Di conseguenza, questo articolo deve essere considerato esclusivamente a scopo informativo e di intelligence.

Chi sono gli Initial Access Broker (IAB)

Gli Initial Access Broker rappresentano una figura centrale nell’ecosistema del cybercrime. La loro attività consiste nel compromettere le infrastrutture informatiche di aziende – tramite phishing, exploit di vulnerabilità, credenziali rubate o attacchi brute force – per poi rivendere questi accessi sul dark web.
Gli acquirenti possono essere gruppi ransomware, criminali interessati al furto di dati sensibili, oppure attori che sfruttano questi punti di ingresso per muoversi lateralmente all’interno delle reti e lanciare attacchi mirati.

Di fatto, gli IAB abbassano la barriera d’ingresso al cybercrimine: chiunque abbia le risorse economiche per acquistare un accesso iniziale può bypassare la fase più complessa di un attacco, accelerando la compromissione dell’obiettivo.

Il post sul forum

Il messaggio è stato pubblicato da un utente con nickname NetworkBrokers, che nel forum gode di uno status di alto livello (“GOD”) e vanta una reputazione positiva.
Nel post, datato 25 agosto 2025 alle 03:55 AM, l’utente scrive:

> “Hi,
We are selling Initial Access to Nike USA.”

Il testo, molto sintetico, è accompagnato dal logo ufficiale della multinazionale statunitense. Non vengono riportati dettagli tecnici sull’accesso in vendita (ad esempio tipologia, livello di privilegi, modalità di accesso o prezzo richiesto). Tuttavia, il semplice annuncio è sufficiente per attirare l’attenzione degli attori malevoli in cerca di nuove opportunità di attacco.

Un rischio che potrebbe estendersi alla supply chain

Non è chiaro se l’accesso offerto riguardi direttamente i sistemi di Nike USA o se sia legato a un fornitore terzo che collabora con l’azienda. In entrambi i casi, l’impatto potenziale è significativo: nel primo scenario l’attacco colpirebbe direttamente l’organizzazione, nel secondo potrebbe generare un effetto domino tipico delle supply chain attacks, che sfruttano i legami con partner esterni meno protetti per penetrare in infrastrutture di alto profilo.

Considerazioni finali

La comparsa di un annuncio simile conferma ancora una volta come i grandi brand globali siano costantemente nel mirino della criminalità informatica e come la filiera di fornitori e partner possa rappresentare un anello debole nella difesa.

Se confermato, l’accesso messo in vendita potrebbe essere sfruttato da cyber gang per future campagne ransomware o di data exfiltration.

L'articolo Nike sotto Tiro! In vendita l’accesso alle infrastrutture IT da Un Initial Access Broker proviene da il blog della sicurezza informatica.

Una vulnerabilità nel popolare strumento di lancio di modelli di intelligenza artificiale Ollama ha aperto la strada ad attacchi drive-by , consentendo agli aggressori di interferire silenziosamente con l’applicazione locale tramite un sito Web appositamente preparato, leggere la corrispondenza personale e persino sostituire i modelli utilizzati, caricando anche versioni infette.

La falla di sicurezza è stata scoperta e divulgata il 31 luglio da Chris Moberly, Senior Security Manager di GitLab. La vulnerabilità riguardava Ollama Desktop v0.10.0 ed era correlata a un’implementazione errata dei controlli CORS nel servizio web locale responsabile della GUI. Di conseguenza, JavaScript su una pagina dannosa poteva scansionare un intervallo di porte sul computer della vittima (da 40000 a 65535), trovare una porta casuale utilizzata dalla GUI di Ollama e inviare una falsa richiesta POST “semplice” , modificando le impostazioni e reindirizzando il traffico al server dell’aggressore.

Dopo aver sostituito la configurazione, l’aggressore è stato in grado di intercettare tutte le richieste locali, leggere la corrispondenza e modificare le risposte dell’IA in tempo reale. L’utente ha visualizzato un sito normale e l’attacco è avvenuto senza alcun clic o azione da parte sua. Inoltre, gli aggressori potevano specificare i propri prompt di sistema o collegare modelli “avvelenati”, controllando completamente il funzionamento dell’applicazione.

Moberly ha osservato che sfruttare la vulnerabilità “sarebbe banale” e ha sottolineato che persino la preparazione dell’infrastruttura di attacco avrebbe potuto essere automatizzata utilizzando un LLM. Fortunatamente, il team di Ollama ha risposto rapidamente e ha riconosciuto il problema e ha rilasciato una versione aggiornata, v0.10.1, un’ora dopo, che corregge il bug. Per gli utenti che hanno installato Ollama tramite gli installer ufficiali, è stato sufficiente riavviare il programma affinché l’aggiornamento automatico avesse effetto; chi lo ha installato tramite Homebrew deve aggiornarlo manualmente.

Il codice PoC ela descrizione tecnica dell’attacco sono stati pubblicati da Moberly su GitLab. Non ci sono ancora informazioni che la vulnerabilità sia stata sfruttata dagli aggressori, ma il ricercatore consiglia a tutti gli utenti di Ollama di assicurarsi di avere una patch.

Ollama è progettato per eseguire modelli LLM localmente su computer macOS e Windows. La vulnerabilità non ha interessato l’API principale di Ollama ed è stata limitata alla nuova GUI disponibile solo poche settimane prima della scoperta del bug. Al problema non è ancora stato assegnato un identificatore CVE.

L'articolo Un bug critico in Ollama consente attacchi di sostituzione del modello proviene da il blog della sicurezza informatica.

I recently picked up one of those cheap macropads (and wrote about it, of course). It is surprisingly handy and quite inexpensive. But I felt bad about buying it. Something like that should be easy to build yourself. People build keyboards all the time now, and with a small number of keys, you don’t even have to scan a matrix. Just use an I/O pin per switch.

The macropad had some wacky software on it that, luckily, people have replaced with open-source alternatives. But if I were going to roll my own, it would be smart to use something like QMK, just like a big keyboard. But that made me wonder, how much trouble it would be to set up QMK for a simple project. Spoiler: It was pretty easy.

The Hardware

Simple badge or prototype macropad? Why not both?
Since I just wanted to experiment, I was tempted to jam some switches in a breadboard along with a Raspberry Pi Pico. But then I remembered the “simple badge” project I had up on a nearby shelf. It is simplicity itself: an RP2040-Plus (you could just use a regular Pi Pico) and a small add-on board with a switch “joystick,” four buttons, and a small display. You don’t really need the Plus for this project since, unlike the badge, it doesn’t need a battery. The USB cable will power the device and carry keyboard (or even mouse) commands back to the computer.

Practical? No. But it would be easy enough to wire up any kind of switches you like. I didn’t use the display, so there would be no reason to wire one up if you were trying to make a useful copy of this project.

The Software

There are several keyboard firmware choices out there, but QMK is probably the most common. It supports the Pico, and it’s well supported. It is also modular, offering a wide range of features.

The first thing I did was clone the Git repository and start my own branch to work in. There are a number of source files, but you won’t need to do very much with most of them.

There is a directory called keyboards. Inside that are directories for different types of keyboards (generally, brands of keyboards). However, there’s also a directory called handwired for custom keyboards with a number of directories inside.

There is one particular directory of interest: onekey. This is sort of a “Hello World” for QMK firmware. Inside, there are directories for different CPUs, including the RP2040 I planned to use. There are many other choices, though, if you prefer something else.

Surprise!

Quick guide to the files of interest.
So, that directory probably has a mess of files in it, right? Not really. There are five files, including a readme, and that’s it. Of those, there are only two I was going to change: config.h and keyboard.json. In addition, there are a few files that may be important in the parent directory: config.h, onekey.c, and info.json.

I didn’t want to interfere with the stock options, so I created a directory at ~/qmk_firmware/keyboards/handwired/hackaday. I copied the files from onekey to this directory, along with the rp2040 and keymap directories (that one is important). I renamed onekey.c to hackaday.c.

It seems confusing at first, but maybe the diagram will help. This document will help, too. The good news is that most of these files you won’t even need to change. Essentially, info.json is for any processor, keyboard.json is for a specific processor, and keymap.json goes with a particular keymap.

Changes

The root directory config.h didn’t need any changes, although you can disable certain features here if you care. The hackaday.c file had some debugging options set to true, but since I wanted to keep it simple, I set them all to false.

The info.json file was the most interesting. You can do things like set the keyboard name and USB IDs there. I didn’t change the rest, even though the diode_direction key in this file won’t be used for this project. For that matter, the locking section is only needed if you have physical keys that actually lock, but I left it in since it doesn’t hurt anything.

In the rp2040 directory, there are more changes. The config.h file allows you to set pin numbers for various things, and I also put some mouse parameters there (more on that later). I didn’t actually use any of these things (SPI and the display), so I could have deleted most of this.

But the big change is in the keyboard.json file. Here you set the processor type. But the big thing is you set up keys and some feature flags. Usually, you describe how your keyboard rows and columns are configured, but this simple device just has direct connections. You still set up fake rows and columns. In this case, I elected to make two rows of five columns. The first row is the four buttons (and a dead position). The second row is the joystick buttons. You can see that in the matrix_pins section of the file.

The layouts section is very simple and gives a name to each key. I also set up some options to allow for fake mouse keys and media keys (mousekey and extrakey set to true). Here’s the file:
{
"keyboard_name": "RP2040_Plus_Pad",
"processor": "RP2040",
"bootloader": "rp2040",
"matrix_pins": {
"direct": [
["GP15", "GP17", "GP19", "GP21", "NO_PIN"],
["GP2", "GP18", "GP16", "GP20", "GP3"]
]
},
"features": {
"mousekey": true,
"extrakey": true,
"nkro": false,
"bootmagic": false
},
"layouts": {
"LAYOUT": {
"layout": [
{ "label":"K00", "matrix": [0, 0], "x": 0, "y": 0 },
{ "label": "K01", "matrix": [0, 1], "x": 1, "y": 0 },
{ "label": "K02", "matrix": [0, 2], "x": 2, "y": 0 },
{ "label": "K03", "matrix": [0, 3], "x": 3, "y": 0 },
{ "label": "K10", "matrix": [1, 0], "x": 0, "y": 1 },
{ "label": "K11", "matrix": [1, 1], "x": 1, "y": 1 },
{ "label": "K12", "matrix": [1, 2], "x": 2, "y": 1 },
{ "label": "K13", "matrix": [1, 3], "x": 3, "y": 1 },
{ "label": "K14", "matrix": [1, 4], "x": 4, "y": 1 }
]
}
}
}

The Keymap

It still seems like there is something missing. The keycodes that each key produces. That’s in the ../hackaday/keymaps/default directory. There’s a json file you don’t need to change and a C file:
#include QMK_KEYBOARD_H

const uint16_t PROGMEM keymaps[][MATRIX_ROWS][MATRIX_COLS] = {
[0] = LAYOUT(
// 4 buttons
KC_KB_VOLUME_UP, KC_KB_MUTE, KC_KB_VOLUME_DOWN, KC_MEDIA_PLAY_PAUSE,
// Mouse
QK_MOUSE_CURSOR_UP, QK_MOUSE_CURSOR_DOWN,
QK_MOUSE_CURSOR_LEFT, QK_MOUSE_CURSOR_RIGHT,
QK_MOUSE_BUTTON_1
),
};
. . .

Mousing Around

I didn’t add the mouse commands until later. When I did, they didn’t seem to work. Of course, I had to enable the mouse commands, but it still wasn’t working. What bit me several times was that the QMK flash script (see below) doesn’t wait for the Pi Pico to finish downloading. So you sometimes think it’s done, but it isn’t. There are a few ways of solving that, as you’ll see.

Miscellaneous and Building

Installing QMK is simple, but varies depending on your computer type. The documentation is your friend. Meanwhile, I’ve left my fork of the official firmware for you. Be sure to switch to the rp2040 branch, or you won’t see any differences from the official repo.

There are some build options you can add to rules.mk files in the different directories. There are plenty of APIs built into QMK if you want to play with, say, the display. You can also add code to your keymap.c (among other places) to run code on startup, for example. You can find out more about what’s possible in the documentation. For example, if you wanted to try an OLED display, there are drivers ready to go.

The first time you flash, you’ll want to put your Pico in bootloader mode and then try this:
qmk flash -kb handwired/hackaday/rp2040 -km default
If you aren’t ready to flash, try the compile command. You can also use clean to wipe out all the binaries. The binaries wind up in qmk_firmware/.build.

Once the bootloader is installed the first time (assuming you didn’t change the setup), you can get back in bootloader mode by double-tapping the reset button. The onboard LED will light so you know it is in bootloader mode.

It is important to wait for the Pi to disconnect, or it may not finish programming. Adding a sync command to the end of your flash command isn’t a bad idea. Or just be patient and wait for the Pi to disconnect itself.

Usually, the device will reset and become a keyboard automatically. If not, reset it yourself or unplug it and plug it back in. Then you’ll be able to use the four buttons to adjust the volume and mute your audio. The joystick fakes being a mouse. Don’t like that? Change it in keymap.c.

There’s a lot more, of course, but this will get you started. Keeping it all straight can be a bit confusing at first, but once you’ve done it once, you’ll see there’s not much you have to change. If you browse the documentation, you’ll see there’s plenty of support for different kinds of hardware.

What about debugging? Running some user code? I’ll save that for next time.

Now you can build your dream macropad or keyboard, or even use this to make fake keyboard devices that feed data from something other than user input. Just remember to drop us a note with your creations.

hackaday.com/2025/08/20/instan…

There are probably at least as many ways to construct a robotic arm as there are uses for them. In the case of [Thomas Sanladerer] his primary requirement for the robotic arm was to support a digital camera, which apparently has to be capable of looking vaguely menacing in a completely casual manner. Meet Caroline, whose styling and color scheme is completely coincidental and does not promise yummy moist cake for anyone who is still alive after all experiments have been run.

Unlike typical robotic arms where each joint in the arm is directly driven by a stepper motor or similar, [Thomas] opted to use a linear rail that pushes or pulls the next section of the arm in a manner that’s reminiscent of the action by the opposing muscles in our mammalian appendages. This 3D printer-inspired design is pretty sturdy, but the steppers like to skip steps, so he is considering replacing them with brushless motors.

Beyond this, the rest of the robotic arm uses aluminium hollow stock, a lot of 3D printed sections and for the head a bunch of Waveshare ST3215 servos with internal magnetic encoder for angle control. One of these ~€35 ST3215s did cook itself during testing, which is somewhat worrying. Overall, total costs was a few hundred Euro, which for a nine-degree robotic arm like this isn’t too terrible.

youtube.com/embed/rKyJm80RxE0?…

hackaday.com/2025/08/20/buildi…

Check (or cheques) have long been a standard way for moving money from one bank account to another. They’re essentially little more than a codified document that puts the necessary information in a standard format to ease processing by all parties involved in a given transaction.

The check was once a routine, if tedious, way for the average person to pay for things like bills, rent, or even groceries. As their relevance continues to wane in the face of newer technology, though, the Australian government is making a plan to phase them out for good.

Put Some Respect On My Check

Check use has been in heavy decline in recent decades. Credit: Treasury.gov.au
The pending demise of the checks was first floated in June 2023, with the release of the government’s Strategic Plan for Australia’s Payments System. With the rise of credit and debit cards, digital payments via smartphones, and Osko instant bank transfers, checks had diminished to a lower level of importance than ever.

Government statistics indicated that checks were used for less than 0.1% of retail payments within Australia. In 2004, over 10,000,000 personal checks were used every month. Fast forward to 2024, and that number had dwindled to somewhere below 300,000. As volumes have fallen, the price of processing individual checks has effectively increased. In an era where digital payments happen instantly for near-zero cost, a check can take 3 to 7 days to clear, with government statistics stating processing costs for a single check now exceed $5.

Ultimately, the check is now seen as a slow and unwieldy way to make payments, and one no longer worthy of being maintained into the future. Companies have even been questioned openly in the media for the rationale of still using checks to issue refunds in this day and age. The rationale is that winding down the check system for good will lead users to prioritize cheaper, faster methods of transferring money. The aim is to reduce transaction costs, improve productivity in the financial system, and just generally grease the wheels of commerce across the country.
The Australian Payments Network issued design specifications for Australian checks, last updated in 2017, but these will soon be defunct. Credit: Australian Payments Network
The current transition plan has two major milestones. By 30 June 2028, Australian banks will cease issuing personal, commercial, government, and bank checks. Any check written after this date will not be accepted and effectively deemed invalid, with no payment made. By 30 September 2029, financial institutions will cease accepting personal, commercial, government and bank cheques entirely. Any remaining checks, whenever created, will effectively be void.

These dates were chosen specifically because personal, commercial, and government checks go “stale” 15 months after they are first drawn. Thus, checks of these types that are written on the very last valid day will still be able to be cashed in the usual period of validity before the system is shut down for good. The intention is that there will be no checks that would otherwise still be valid to cash past 30 September 2029 had the system not been closed. Bank checks do not technically go “stale,” so there is still an open question as to whether there will be a need to honor unpresented bank checks after this date.

There are still a few years left until the big shut down. This gives the government and financial institutions time to ensure they have alternative payment methods in place for the handful of remaining check use cases. There are some concerns that various banks may attempt to leave the checking system prior to the government shut down date, burdening other financial institutions with the costs of keeping the system afloat until the end. The government has stated its expectations that banks will work together to ensure a smooth transition.

To that end, there are exit conditions expected to be adhered to for banks that are shutting down checking. Tier 1 banks are expected to maintain operations until the end date to support smaller institutions that rely on them for check clearing services. Additionally, banks which cease checking operations must still remain members of the Australian Paper Clearing System and fund the system. Banks will also need to provide 6 month warnings to customers ahead of any decision to shut down their checking operations.

While the domestic Australian checking system will shut down, this will not impact foreign checks coming into the country. Since these checks are processed outside the existing Australian checking system, this will not be an issue—financial institutions that process foreign checks will continue to do so.

hackaday.com/2025/08/20/death-…

Any serious journalist would tell you that it’d be journalistic malpractice for a local journalist not to report that a prominent public official listed a boarded-up house as his official residence in order to claim eligibility for his position. But that’s not how John Sarcone III, acting U.S. attorney for the Northern District of New York, sees it.

He was reportedly “incensed” by reporting from the Times Union of Albany and ordered his subordinates to remove it from his office’s media list. In response, Freedom of the Press Foundation (FPF), Demand Progress Education Fund, and Reinvent Albany have filed a complaint against Sarcone with New York’s Attorney Grievance Committee.

As the complaint explains, “Sarcone is the chief legal officer charged with enforcing federal law in a district that covers over 30,000 square miles and is home to 3.4 million people. And yet he either does not know or does not care about the ‘practically universal agreement that a major purpose of [the First] Amendment was to protect the free discussion of governmental affairs.’”

The complaint requests that the Committee open an investigation to determine whether Sarcone's conduct violates New York’s Rules of Professional Conduct, and exercise its power to impose sanctions, which can include disbarment.

FPF’s Director of Advocacy Seth Stern said: “All licensed attorneys — but especially top prosecutors entrusted to protect the public, not just their clients — should know better than to retaliate against newspapers for basic public-interest journalism. Sarcone has repeatedly abused his office in his brief tenure. The committee should ensure he can no longer undermine the Constitution and embarrass the legal profession.”

Demand Progress Education Fund Special Advisor Kate Oh stated: “A prosecutor who so flagrantly disregards his ethical and professional obligations and tramples over the First Amendment rights of the press should not be empowered to enforce the laws of our nation. Sarcone’s professional history is littered with red flags and must be investigated. No less than the public’s faith in the rule of law is at stake.”

Reinvent Albany Executive Director John Kaehny said: “With great power comes great responsibility, and U.S. Attorneys like John Sarcone are among the most powerful people in America. Unfortunately, Mr. Sarcone has grossly abused his authority and betrayed the public trust. Mr. Sarcone's flagrant misuse of his authority to retaliate against the Albany Times-Union and his repeated, well-documented dishonesty are completely unacceptable, unethical, and violate basic democratic norms and rules of professional conduct. The Times Union is one of the most respected newspapers and civic institutions in New York, and it's chilling to see it attacked by an unethical U.S. Attorney with a personal grievance.”

You can read the complaint here or below. If you’d like further comment, please contact media@freedom.press or eric@demandprogress.org ,or info@reinventalbany.org.

freedom.press/static/pdf.js/we…

freedom.press/issues/rights-gr…

Heating things up is one of the biggest sources of cost and emissions for many industrial processes we take for granted. Most of these factories are running around the clock so they don’t have to waste energy cooling off and heating things back up, so how can you match this 24/7 cycle to the intermittent energy provided by renewables? This MIT spin-off thinks one solution is thermal storage refractory bricks.

Electrified Thermal Solutions takes the relatively simple technology of refractory brick to the next level. For the uninitiated, refractory bricks are typically ceramics with a huge amount of porosity to give them a combination of high thermal tolerance and very good insulating properties. A number of materials processes use them to maximize the use of the available heat energy.

While the exact composition is likely proprietary, the founder’s Ph.D. thesis tells us the bricks are likely a doped chromia (chrome oxide) composition that creates heat in the brick when electrical energy is applied. Stacked bricks can conduct enough current for the whole stack to heat up without need for additional connections. Since these bricks are thermally insulating, they can time shift the energy from solar or wind energy and even out the load. This will reduce emissions and cost as well. If factories need to pipe additional grid power, it would happen at off-peak hours instead of relying on the fluctuating and increasing costs associated with fossil fuels.

If you want to implement thermal storage on a smaller scale, we’ve seen sand batteries and storing heat from wind with water or other fluids.

hackaday.com/2025/08/20/therma…