Sometimes it seems like there’s nothing Emacs can’t do. Which, of course, is why some people love it, and some people hate it. Apparently, [mbork] loves it and devised a scheme to show a video (with a little help), accept cut-in and out marks, and then use ffmpeg to output the video clip, ready for posting, emailing, or whatever.

This was made easier by work already done to allow Emacs to create subtitles (subed). Of course, Emacs by itself can’t play videos, but it can take control of mpv, which can. Interestingly, subed doesn’t insist on mpv since it won’t work on Windows, but without it, your editing experience won’t be as pleasant.

Back to creating a clip, once you have control of mpv, it is almost too simple. A keybinding remembers where mpv is when you mark the beginning, and another one grabs the end mark, works out the arguments, and calls ffmpeg to do the actual work.

This is one of those cases where Emacs really isn’t doing much of the work; it is more of a sophisticated scripting, orchestration, and user-interface system. But it reminds us of the old Russian proverb: The marvel is not that the bear dances well, but that the bear dances at all.

Emacs is a hot topic of debate in the Hackaday bunker. Some of us have our browsers emacs-ified. We hear a rumor that one among us may even boot directly into the editor. But not all of us, of course.

hackaday.com/2025/08/22/video-…

When [Tom Nardi] reported on NOAA’s statement that many of its polar birds were no longer recommended for use, he mentioned that when the satellites do give up, there are other options if you want to pull up your own satellite weather imagery. [Jacopo] explains those other options in great detail.

For example, the Russian Meteor-M satellites are available with almost the same hardware and software stack, although [Jacopo] mentions you might need an extra filter since it is a little less tolerant of interference than the NOAA bird. On the plus side, Meteor-M is stronger than the NOAA satellite on 1.7 GHz, and you can even use a handheld antenna to pick it up. There are new, improved satellites of this series on their way, too.

Another possibility is Metop-B and -C. These do require a wide bandwidth but that’s not hard to do with a modern SDR. Apparently, these satellites will operate until 2027 and beyond.

Even the US GOES satellites are still operational and should continue working for the foreseeable future. There are plenty more choices. Weather not your thing? Jason-3 sends data on radiation and humidity. There are even solar images you can pluck out of the airwaves.

If you’re interested, read on to the bottom, where you’ll find coverage of what you need and how to get started. Of course, you can still get the last gasp of some of the classic satellites, at least for now. You can even print your own antennas.

hackaday.com/2025/08/22/hows-t…

If you’ve ever lost gear to lightning or power spikes, you know what a pain they are. Out in rural Arkansas, where [vinthewrench] lives, the grid is more chaos than comfort – especially when storms hit. So, he dug into the problem after watching a cheap AC-DC module quite literally melt down. The full story, as always, begins with the power company’s helpful reclosers: lightning-induced surges, and grid switching transients. The result though: toasted boards, shorted transformers, and one very dead Raspberry Pi. [vinthewrench] wrote it all up – with decent warnings ahead. Take heed and don’t venture into things that could put your life in danger.

Back to the story. Standard surge suppressors? Forget it. Metal-oxide varistor (MOV)-based strips are fine for office laptops, but rural storms laugh at their 600 J limits. While effective and commonly used, MOVs are “self-sacrificing” and degrade over time with each surge event.

[vinthewrench] wanted something sturdier. Enter ZeusFilter 1.0 – a line-voltage filter stitched together from real parts: a slow-blow fuse, inrush-limiting thermistor, three-electrode gas discharge tube for lightning-class hits, beefy MOVs for mid-sized spikes, common-mode choke to kill EMI chatter, and safety caps to bleed off what’s left. Grounding done right, of course. The whole thing lives on a single-layer PCB, destined to sit upstream of a hardened PSU.

As one of his readers pointed out, though, spikes don’t always stop at the input. Sudden cut-offs on the primary can still throw nasty pulses into the secondary, especially with bargain-bin transformers and ‘mystery’ regulators. The reader reminded that counterfeit 7805s are infamous for failing short, dumping raw input into a supposedly safe 5 V rail. [vinthewrench] acknowledged this too, recalling how collapsing fields don’t just vanish politely – Lenz makes sure they kick back hard. And yes, when cheap silicon fails, it fails ugly: straight smoke-release mode.

In conclusion, we’re not particularly asking you to try this at home if you lack the proper knowledge. But if you have a high-voltage addiction, this home research is a good start to expand your knowledge of what is, in theory, possible.

hackaday.com/2025/08/22/how-to…

Over time, web browsers have accumulated a ton of features beyond what anyone from the 90s might have imagined, from an application platform to file management and even to hardware access. While this could be concerning from a certain point of view, it makes it much easier to develop a wide range of tools. All a device really needs to use a browser as a platform is an IP address, and this project brings a web UI dashboard to Zephyr to simplify application development.

Zephyr is a real-time operating system (RTOS) meant for embedded microcontrollers, so having an easy way to access these systems through a web browser can be extremely useful. At its core, this project provides a web server that can run on this operating system as well as a REST API that can be used by clients to communicate with it. For things like blinking lights this is sufficient, but for other things like sensors that update continuously the dashboard can also use WebSocket to update the web page in real time.

The web dashboards that can be built with this tool greatly reduce the effort and complexity needed to interact with Zephyr and the microcontrollers it typically runs on, especially when compared to a serial console or a custom application that might otherwise be built for these systems. If this is your first time hearing about this RTOS we recently featured a microcontroller-based e-reader which uses this OS as a platform.

youtube.com/embed/z-RBdc-sygo?…

hackaday.com/2025/08/22/web-da…

Con il numero di vulnerabilità a cui sono sottoposte le aziende in tutto il mondo, i ricercatori del Rochester Institute of Technology, dell’Università delle Hawaii e di Leidos hanno condotto il più grande studio comparativo ad oggi dei quattro sistemi di punteggio delle vulnerabilità più diffusi: CVSS, EPSS, SSVC ed Exploitability Index.

Gli autori hanno analizzato 600 vulnerabilità reali provenienti dalle versioni Patch Tuesday di Microsoft per scoprire quanto questi sistemi siano coerenti tra loro, quanto bene gestiscano le attività di definizione delle priorità e con quale accuratezza prevedano il rischio di sfruttamento.

I risultati sono stati allarmanti: tutti e quattro i sistemi mostrano nette differenze nelle valutazioni delle stesse CVE. È stata riscontrata una correlazione estremamente bassa tra loro: in alcuni casi, la percezione della gravità della minaccia dipende radicalmente dall’approccio utilizzato. Ciò porta a una situazione paradossale: la stessa vulnerabilità può essere inclusa nella lista di priorità di un sistema e ignorata da un altro.

Gli autori sottolineano che, in pratica, questo porta al caos nel processo decisionale. I sistemi spesso raggruppano centinaia di CVE nelle stesse “classi principali”, senza fornire una vera e propria gradazione. Ad esempio, secondo CVSS ed Exploitability Index, più della metà delle vulnerabilità rientra nei livelli di priorità più elevati, mentre EPSS seleziona solo quattro CVE, creando il problema opposto: un’eccessiva selettività e il rischio di trascurare casi pericolosi.

Il documento presta particolare attenzione all’efficacia dell’EPSS come strumento per la previsione di attacchi futuri. Nonostante l’obiettivo dichiarato di prevedere la probabilità di exploit entro 30 giorni, meno del 20% delle vulnerabilità CVE sfruttabili note presentava punteggi EPSS elevati prima di essere aggiunte al catalogo KEV. Inoltre, il 22% delle vulnerabilità non aveva alcun punteggio nel sistema fino alla conferma degli attacchi. Ciò compromette seriamente la sua affidabilità come strumento preventivo.

SSVC, a sua volta, offre una categorizzazione qualitativa delle azioni (ad esempio, “monitorare”, “agire”), ma anche qui sono state riscontrate delle difficoltà: la decisione dipende dal parametro poco comparabile “impatto sulla missione e sul benessere”, il che rende difficili i confronti tra organizzazioni.

È stato inoltre verificato se le tipologie di vulnerabilità (secondo il CWE) influenzino le discrepanze tra le valutazioni. È emerso che non esiste una connessione sistematica: anche all’interno di un CWE si riscontrano forti discrepanze, il che indica l’autonomia della logica di ciascun sistema e l’assenza di un approccio universale.

Lo studio dimostra che l’utilizzo di uno qualsiasi di questi sistemi senza un adattamento contestuale e adeguato alle esigenze di una specifica organizzazione può portare a false priorità. Gli autori raccomandano di non fare affidamento su un unico sistema come fonte universale di verità, ma di utilizzare una combinazione di metriche, integrate con dati e policy interne. È particolarmente importante distinguere tra i concetti di gravità e probabilità di sfruttamento: si tratta di assi diversi che richiedono strumenti di valutazione diversi.

Il lavoro evidenzia la necessità di ripensare l’intero sistema di valutazione delle vulnerabilità. Le organizzazioni moderne non necessitano di un solo indicatore numerico, ma di strumenti trasparenti, interpretabili e adattabili al contesto, che tengano conto delle reali condizioni operative, della criticità delle risorse e della logica aziendale. Solo così è possibile costruire un processo di gestione delle vulnerabilità efficace e affidabile.

L'articolo CVSS, EPSS, SSVC ed Exploitability Index: tutti strumenti inutili senza contesto proviene da il blog della sicurezza informatica.

Dear Friend of Press Freedom,

For 150 days, Rümeysa Öztürk has faced deportation by the United States government for writing an op-ed it didn’t like, and for 69 days, Mario Guevara has been imprisoned for covering a protest. Read on for more, and click here to subscribe to our other newsletters.

​​New strategies to help journalists in Gaza

Letters and condemnations have their place in press freedom advocacy, especially when dealing with a persuadable audience. But that playbook isn’t working for journalists in Gaza. Israeli Prime Minister Benjamin Netanyahu and his arms supplier, President Donald Trump, don’t care about journalists’ lives, let alone their freedoms.

Freedom of the Press Foundation (FPF) board member and Pulitzer Prize-winning journalist Azmat Khan and her colleagues, Meghnad Bose and Lauren Watson, spoke to over 20 journalists and activists, including FPF Executive Director Trevor Timm, in search of novel ideas to stop Israel’s slaughter of journalists and concealment of war crimes. Read more in Columbia Journalism Review.

FPF complaint opposes U.S. attorney’s retaliation against press

It’d be journalistic malpractice for reporters to ignore a prominent public official listing a boarded-up house as his residence to claim eligibility for his position. But that’s not how John Sarcone III, acting U.S. attorney for the Northern District of New York, sees it.

He was reportedly “incensed” by reporting from the Times Union of Albany and ordered the paper removed from his office’s media list. In response, FPF, Demand Progress Education Fund, and Reinvent Albany filed a complaint with New York’s Attorney Grievance Committee. Read more here.

Oregon cops cosplay as journalists

Eugene police threatened documentary filmmaker Tim Lewis with arrest if he didn’t back up while filming them. But Lewis noticed another reporter wearing a vest marked “PRESS” filming without police harassment.

Turns out he wasn’t a reporter at all — he was a police public information program coordinator. As FPF Advocacy Director Seth Stern told Double Sided Media, “Police officers obstructing lawful journalism and giving their own publicly funded propagandists the exclusive right to record them up close is unconstitutional, un-American, and absurd.”

Eugene police have reportedly said they will replace the word “press” with “videographer.” Read more here.

Kansas school district fails to censor student journalists

A group of students sued Lawrence Public Schools in Kansas over the district’s use of surveillance software against students, including student journalists. Naturally, the student newspaper wanted to report on the case. But the principal ordered them not to, and the students believed their faculty adviser would be fired if they disobeyed.

Major news conglomerates have caved to official pressure, but not these kids. They sought a court order prohibiting the school from censoring them, leading the principal to drop his censorial directive and a judge to remind the district that the adviser was legally protected from retaliation. Then they published their story. Read it here.

Puerto Rico’s fake news law is unconstitutional

A district court rightly struck down Puerto Rico’s “fake news” law, which criminalized raising “false alarms” about public emergencies. Now, FPF and other rights organizations are urging an appellate court to affirm the ruling in a legal brief authored by the University of Georgia School of Law’s First Amendment Clinic.

The brief explained how the law could be selectively enforced to chill reporting that officials dislike. Read more here.

What we’re reading

Pritzker signs bill to protect freedom of press, Illinois journalists (WCIA). A nonsensical court ruling excluded news reporting from the protection of Illinois’ law against strategic lawsuits against public participation. FPF worked with local organizations and lawyers to help fix the mess.

Human rights groups to university administrators: Dismantle surveillance to defend free speech now (Fight for the Future). Surveillance technology has no place on college campuses and especially in student newsrooms. We joined a letter calling on universities to dismantle these dangerous tools.

Lawyers ask judge to order ICE to free Spanish-language journalist from immigration detention (Associated Press). Immigration and Customs Enforcement’s targeting of Mario Guevara — a lawful U.S. resident — based on his journalism is a flagrant First Amendment violation. He must be released.

US: Excessive force against LA protesters (Human Rights Watch). HRW usually focuses on wars and atrocities. Now, they’re investigating LA cops’ violence against protesters and journalists. It’s not because it’s a slow atrocity news week — it’s because the situation in LA really is that bad.

Israel says it killed a Hamas commander. It killed a Pulitzer-winning journalist (The New York Times). “The military made no attempt to obscure this brazen strike on civilians, which is a war crime.” And as +972 Magazine explained, it’s far from the first time Israel smeared journalists as terrorists to justify killing them. Its army has a unit tasked with linking journalists to Hamas.

Watchdog or ‘witch hunt’? Highland releases final review of town clerk’s office (River Reporter). Good for the upper Delaware region’s River Reporter for not letting an embattled town supervisor’s veiled threat of a SLAPP stop it from doing its job.

Journalists planning to cover McCormick, Perry event in Pennsylvania must prove their US citizenship (Penn Live). “Journalists who are citizens should decline to attend if their peers are excluded. They should spend their Tuesday investigating politicians and arms manufacturers rather than covering their photo ops,” Stern said.

For the Record is MuckRock’s weekly newsletter that keeps you informed on public records transparency battles, threats and wins. Sign-up to get original reporting, access to FOIA trainings and more.

freedom.press/issues/new-strat…

Electromagnetic Field manage to get live music at a hacker camp right, by turning it into the most cyberpunk future possible.
A couple of decades ago now, several things happened which gave life to our world and made it what it has become. Hackerspaces proliferated, giving what was previously dispersed a physical focus. Alongside that a range of hardware gave new expression to our projects; among them the Arduino, affordable 3D printing, and mail-order printed circuit boards.

The result was a flowering of creativity and of a community we’d never had before.Visiting another city could come with a while spent in their hackerspace, and from that new-found community blossomed a fresh wave of events. The older hacker camps expanded and morphed in character to become more exciting showcases for our expression, and new events sprang up alongside them. The 2010s provided me and my friends with some of the most formative experiences of our lives, and we’re guessing that among those of you reading this piece will be plenty who also found their people.

And then came COVID. Something that sticks in my mind when thinking about the COVID pandemic is a British news pundit from March 2020 saying that nothing would be quite the same as before once the pandemic was over. In our community this came home to me after 2022, when the first large European hacker camps made a return. They were awesome in their own way, but somehow sterile, it was as though something was missing. Since then we’ve had a few more summers spent trailing across the continent to hang out and drink Club-Mate in the sun, and while we commend the respective orgas for creating some great experiences, finding that spark can still be elusive. Hanging out with some of my friends round a European hackerspace barbecue before we headed home recently, we tried to put our finger on exactly where the problem lay.

Just what has gone wrong with hacker camps?

Perhaps the most stinging criticism we arrived at was that our larger events seem inexorably to be morphing into festivals. It’s partly found on the field itself and we find events hosting music stages, but also in the attendees. Where a decade or more ago people were coming with their cool hacks to be the event, now an increasing number of people are coming as spectators just to see the event. This no doubt reflects changing fashions in a world where festival attendance is no longer solely for a hard core of music fans, but its effect has been to slowly turn fields of vibrant villages where the real fun happened, into fields of tents with a few bright spots among them, and the attendees gravitating toward a central core where increasingly, the spectacle is put on for them.
I caught quite a lot of grief from a performative activist for taking this intentionally unfocused picture at a hacker camp in 2022. Canon EOS M100 on a tripod pointing upwards at hanging lights in a darkened field. WTF.
The other chief gripe was around the eternal tussle in our community between technology and activism. Hackers have always been activists, if you doubt that take a read of Hackaday’s coverage of privacy issues, but the fact remains that we are accidental activists; activism is not the reason we do what we do. The feeling was that some events in our community have become far more about performative imposition of a particular interpretation of our culture or conforming to political expectations than they have about the hacks, and that the fun has been sucked out of them as a result.

People who know me outside my work for Hackaday will tell you that I have a significant career as an activist in a particular field, but when I’m at a hacker camp I am not there to be lectured at length about her ideology by an earnest young activist with blue hair and a lot of body piercings. I am especially not there to be policed as some kind of enemy simply because I indicate that I’m bored with what she has to say; I know from my own activism that going on about it too much is not going to make you any friends.

It’s evident that one of the problems with the larger hacker camps is not only that they have simply become too big, but that there are also some cultural traps which events can too readily fall into. Our conversation turned to those events we think get it right, and how we would approach an event of our own. One of my favourite events is a smaller one with under 500 attendees, whose organisers have a good handle on what makes a good event because they’re in large part making the event they want to be at. Thus it has a strong village culture, a lack of any of the trappings of a festival, and significant discouragement when it comes to people attending simply to be political activists.

That’s what I want to see more of, but even there is danger. I want it to remain awesome but not become a victim of its own success as so many events do. If it grows too much it will become a sterile clique of the same people grabbing all the tickets every time it’s held, and everyone else missing out. Thus there’s one final piece of the puzzle in ensuring that any hacker event doesn’t become a closed shop, that our camps should split and replicate rather than simply becoming ever larger.

The four-rule model

Condensing the above, my friends and I came up with a four-rule model for the hacker camps we want.

Limited numbers, self replicating, village led, bring a hack.

Let’s look at those in more detail.

Limited numbers

There’s something special about a camp where you can get to know everyone on the field at some level, and it’s visibly lost as an event gets larger. We had differing views about the ideal size of a small camp with some people suggesting up to 500 people, but I have good reasons for putting forward a hundred people as an ideal, with a hard limit at 150. The smaller a camp is the less work there is for its orga, and by my observation, putting on a camp for 500 people is still quite a lot of effort. 150 people may sound small, but small camps work. There’s also the advantage that staying small ducks under some red tape requirements.

Self replicating

As an event becomes more popular and fills up, that clique effect becomes a problem. So these events should be self replicating. When that attendee limit is reached, it’s time to repeat the formula and set up another event somewhere else. Far enough away to not be in direct competition, but near enough to be accessible. The figure we picked out of the air for Europe was 200 km, or around 120 miles, because a couple of hours drive is not insurmountable but hardly on your doorstep. This would eventually create a diverse archipelago of small related events, with some attendees going to more than one. Success should be measured in how many child events are spawned, not in how many people attend.

Village-led

The strength of a hacker camp lies in its villages, yet larger camps increasingly provide all the fun centrally and starve the villages. The formula for a small camp should have the orga providing the field, hygiene facilities, power, internet, and nothing else, with the villages making the camp. Need a talk track? Organise one in your village. Want a bar to hang out and drink Club-Mate at? Be the bar village. It’s your camp, make it.

Bring a hack

Sadly Wasteleand is for now beyond me. Toglenn, CC BY-SA 4.0.
An event I wish I was in a position to attend is the Wasteland weekend, a post-apocalyptic festival in the Californian desert. Famously you will be denied entry to Wasteland if you aren’t post-apocalyptic enough, or if you deem post-apocalyptic to be merely cosplaying a character from a film franchise. The organisers restrict entry to the people who match their vision of the event, so of course all would-be attendees make an effort to follow their rules.

It’s an idea that works here: if you want to be part of a hacker camp, bring a hack. A project, something you make or do; anything (and I mean anything) that will enhance the event and make it awesome. What that is is up to you, but bringing it ensures you are not merely a spectator.

See You On A Field Not Too Far Away

With those four ingredients, my friends and I think being part of the hacker and maker community can become fun again. Get all your friends and their friends, hire a complete camping site for a weekend outside school holidays, turn up, and enjoy yourselves. A bunch of Europeans are going to make good on this and give it a try, before releasing a detailed version of the formula for others to try too.

Maybe we’ll see you next summer.

hackaday.com/2025/08/22/findin…

In this episode of the Hackaday Podcast, editors Elliot Williams and Tom Nardi start out with a warning about potentially radioactive shrimp entering the American food supply via Walmart, and things only get weirder from there. The extra spicy shrimp discussion makes a perfect segue into an overview of a pair of atomic One Hertz Challenge entries, after which they’ll go over the latest generation of 3D printer filament, using an old Android smartphone as a low-power Linux server, some tips for creating better schematics, and Lorde’s specification-bending transparent CD. Finally, you’ll hear about how the nature of digital ownership influences the hardware we use, and on the other side of the coin, how open source firmware like QMK lets you build input devices on your terms.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Or download in DRM-free MP3 to enjoy with your shrimp.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 334 Show Notes:

News:

• Food Irradiation Is Not As Bad As It Sounds
• Walmart shrimp may have been exposed to radioactive material, FDA says

What’s that Sound?

• Congratulations to [Gesundheit] for getting guessing this week’s sound.

Interesting Hacks of the Week:

• 2025 One Hertz Challenge: Atomic Decay Clock Is Accurate But Not Precise
  
  • 2025 One Hertz Challenge: Timekeeping At One Becquerel
  • Decaying clocks – Antiquarian Horological Society
  • Gammaclock
  • Time Capsule Expo ’70
  • Deriving 1 Hz from Candle Flame Oscillations

  
  

• Suggested Schematic Standards

• Should You Try Printing With Polypropylene?
  
  • MorPhlex: The TPU Filament That Goes Soft After You Print It

  
  

• From Smartphone To A Home Server
• A Solderless, Soluble Circuit Board
  
  • Hackaday Europe 2025: David Cuartielles – What if the Future (Of Electronics) Was Compostable?

  
  

• Why Lorde’s Clear CD Has So Many Playback Issues

Quick Hacks:

• Elliot’s Picks:
  
  • Adjustable Allen Key After All These Years
  • The PC In Your Pico
  • The VLF Transformation

  
  

• Tom’s Picks:
  
  • I, 3D Printer
  • Reviving A Piece Of Yesterday’s Tomorrow
  • Silent Speak And Spell Gets Its Voice Back

  
  

Can’t-Miss Articles:

• The Terminal Demise Of Consumer Electronics Through Subscription Services
• Instant Macropad: Just Add QMK

hackaday.com/2025/08/22/hackad…

Famously, Nikola Tesla won the War of the Currents in the early days of electrification because his AC system could use transformers to minimize losses for long distance circuits. That was well before the invention of the transistor, though, and there are a lot of systems that still use AC now as a result of electricity’s history that we might otherwise want to run on DC in our modern world. Sprinkler systems are one of these things, commonly using a 24V AC system, but [Vinthewrench] has done some work to convert over to a more flexible 24 VDC system instead.

The main components of these systems that are set up for AC are solenoids which activate various sets of sprinklers. But these solenoids can take DC and still work, so no major hardware changes are needed. It’s not quite as simple as changing power supplies, though. The solenoids will overheat if they’re fully powered on a DC circuit, so [Vinthewrench] did a significant amount of testing to figure out exactly how much power they need to stay engaged. Once the math was done, he uses a DRV103 to send PWM signals to the solenoids, which is set up to allow more current to pull in the solenoids and then a lower holding current once they are activated.

With a DC power supply like this, it makes it much easier to have his sprinkler system run on a solar powered system as well as use a battery backup without needing something like an inverter. And thanks to the DRV103 the conversion is not physically difficult; ensuring that the solenoids don’t overheat is the major concern here. Another great reason to convert to a DIY sprinkler controller is removing your lawn care routine from an unnecessary cloud-based service.

hackaday.com/2025/08/22/conver…

You may have noticed the Anime Catgirls when trying to get to the Linux Kernel’s mailing list, or one of any number of other sites associated with Open Source projects. [Tavis Ormandy] had this question, too, and even wrote about it. So, what’s the deal with the catgirls?

The project is Anubis, a “Web AI Firewall Utility”. The intent is to block AI scrapers, as Anubis “weighs the soul” of incoming connections, and blocks the bots you don’t want. Anubis uses the user agent string and other indicators to determine what an incoming connection is. But the most obvious check is the in-browser hashing. Anubis puts a challenge string in the HTTP response header, and JavaScript running in the browser calculates a second string to append this challenge. The goal is to set the first few bytes of the SHA-256 hash of this combined string to 0.

[Tavis] makes a compelling case that this hashing is security theatre — It makes things appear more secure, but doesn’t actually improve the situation. It’s only fair to point out that his observation comes from annoyance, as his preferred method of accessing the Linux kernel git repository and mailing list are now blocked by Anubis. But the economics of compute costs clearly demonstrate that this SHA-256 hashing approach will only be effective so long as AI companies don’t add the 25 lines of C it took him to calculate the challenge. The Anubis hashing challenge is literally security by obscurity.

Something Security AI is Good At

We’ve recently covered an AI competition, where AI toolchains were used to find and patch vulnerabilities. This took a massive effort to get good results. This week we have work on a similar but constrained task that AI is much better at. Instead of finding a new CVE, simply ask the AI to generate an exploit for CVEs that have been published.

The key here seems to be the constrained task that gives the AI a narrow goal, and a clever approach to quickly test the results. The task is to find an exploit using the patch code, and the test is that the exploit shouldn’t work on the patched version of the program. This approach cuts way down on false positives. This is definitely an approach to keep an eye on.

We’re Hunting CodeRabbits

Reviewing Pull Requests (PRs) is one of the other AI use cases that has seen significant deployment. CodeRabbit provides one of those tools which summarizes the PR, looks for possible bugs, and runs multiple linter and analysis tools. That last one is extremely important here, as not every tool is bulletproof. Researchers at Kudelski Security discovered that the Rubocop tool was accessible to incoming PRs with ruby files.

Rubocop has a nifty feature, that allows extensions to be loaded dynamically during a run. These are specified in a .rubocop.yml file, that CodeRabbit was helpfully passing through to the Rubocop run. The key here is that the extension to be loaded can also be included in a PR, and Rubocop extensions can execute arbitrary code. How bad could it be, to run code on the CodeRabbit backend servers?

The test payload in this case was simply to capture the system’s environment variables, which turned out to be a smorgasbord of secrets and API keys. The hilarious part of this research is that the CodeRabbit AI absolutely flagged the PR as malicious, but couldn’t stop the attack in motion. CodeRabbit very quickly mitigated the issue, and rolled out a fix less than a week later.

Illegal Adblock

There’s a concerning court case making its way through the German courts, that threatens to make adblocking illegal on copyright grounds. This case is between Axel Springer, a media company that makes money from showing advertisements, and Eyeo, the company behind Adblock Plus. The legal theory claimed by Axel Springer is that a website’s HTML and CSS together forms a computer program, that is protected by copyright. Blocking advertisements on that website would then be a copyright violation, by this theory.

This theory is novel, and every lower court has rejected it. What’s new this month is that the German Supreme Court threw the case back to a lower court, instructing that court to revisit the question. The idea of copyright violation simply by changing a website has caught the attention of Mozilla, and their Product Counsel, [Daniel Nazer], has thoughts.

The first is that a legal precedent forcing a browser to perfectly honor the code served by a remote web host would be horribly dangerous. I suspect it would also be in contention with other European privacy and security laws. As court battles usually go, this one is moving in slow motion, and the next ruling may be years away. But it would be particularly troubling if Germany joined China as the only two nations to ban ad blockers.

Copilot, Don’t Tell Anyone

Microsoft’s Office365 has an audit log, that tracks which users access given files. Running Copilot in that environment dutifully logs those file accesses, but only if Copilot actually returns a link to the document. So similar to other techniques where an AI can be convinced to do something unintended, a user can ask Copilot to return the contents of a file but not to link to it. Copilot will do as instructed, and the file isn’t listed in the audit log as accessed.

Where this gets more interesting is how the report and fix was handled. Microsoft didn’t issue a CVE, fixed the issue, but opted not to issue a statement. [Zack Korman], the researcher that reported the issue, disagrees quite vigorously with Microsoft’s decision here. This is an interesting example of the tension that can result from disagreements between researcher and the organization responsible for the product in question.

Disputed Research

This brings us to another example of disputed research, the “0-day” in Elastic Endpoint Detection and Response (EDR). Elastic disputes the claim, pointing out that they could not replicate code execution, and the researcher didn’t provide an entire proof of concept. This sort of situation is tricky. Who is right? The company that understands the internals of the program, or the researcher that undoubtedly did discover something, but maybe doesn’t fully understand what was found?

There are two elements that stand out in the vulnerability write-up. The first is that the overview of the attack chain lists a Remote Code Execution (RCE) as part of the chain, but it seems that nothing about this research is actually an RCE. The premise is that code running on the local machine can crash the Elastic kernel driver. The second notable feature of this post is that the proof-of-concept code uses a custom kernel driver to demonstrate the vulnerability. What’s missing is the statement that code execution was actually observed without this custom kernel driver.

Bits and Bytes

One of the very useful features of Microsoft’s VSCode is the Remote-SSH extension, which allows running the VSCode front-end on a local machine, and connecting to another server for remote work. The problem is that connecting to a remote server can install extensions on the local machine. VSCode extensions can be malicious, and connecting to a malicious host can run code on that host.

Apple has patched a buffer overflow in image handling, that is being used in an “extremely sophisticated” malware attacks against specific targets. This sort of language tends to indicate the vulnerability was found in an Advanced Persistent Threat (APT) campaign by either a government actor, or a professional actor like NSO Group or similar.

And finally, if zines are your thing, Phrak issue 0x48 (72) is out! This one is full of stories of narrowly avoiding arrest while doing smart card research, analysis of a North Korean data dump, and a treatise on CPU backdoors. Exciting stuff, Enjoy!

hackaday.com/2025/08/22/this-w…

Advanced Security Solutions, con sede negli Emirati Arabi Uniti, è nata questo mese ed offre fino a 20 milioni di dollari per vulnerabilità zero-day ed exploit che consentirebbero a chiunque di hackerare uno smartphone tramite SMS. Si tratta di una delle cifre più alte per qualsiasi broker 0day, almeno tra quelli che lo divulgano pubblicamente.

Advanced Security Solutions. Un nuovo attore nella scena dei broker 0day

Oltre a 20 milioni di dollari per gli exploit di qualsiasi sistema operativo mobile, l’azienda offre anche grandi ricompense per le vulnerabilità zero-day in altri software:

• fino a 15 milioni di dollari per ogni 0-day, con conseguente compromissione completa di Android e iPhone;
• fino a 10 milioni di dollari per exploit simili per Windows e Linux;
• fino a 5 milioni di dollari per exploit simili per il browser Chrome;
• fino a 1 milione di dollari per exploit simili per Safari e Microsoft Edge.

Non è chiaro chi ci sia dietro l’azienda e chi sono i suoi clienti.

“Aiutiamo agenzie governative, agenzie di intelligence e forze dell’ordine a condurre operazioni di precisione sul campo di battaglia digitale”, afferma il sito web di Advanced Security Solutions. “Collaboriamo attivamente con oltre 25 governi e agenzie di intelligence in tutto il mondo. I nostri clienti tornano costantemente per nuovi servizi, a dimostrazione della fiducia e del valore strategico che forniamo in contesti operativi critici, tra cui l’antiterrorismo e la lotta al narcotraffico”.

Il sito web afferma inoltre che, nonostante l’azienda sia nuova, impiega “solo professionisti con oltre 20 anni di esperienza in unità di intelligence d’élite e appaltatori militari privati”.

Uno dei primi attori in questo campo è stato Zerodium, apparso nel 2015. All’epoca, l’azienda, creata dal co-fondatore di Vupen Chaouki Bekrar, offriva fino a 1 milione di dollari per strumenti di hacking per iPhone.

Tre anni dopo, nel 2018, Crowdfense ha lanciato la propria piattaforma per l’acquisto di vulnerabilità ed exploit, offrendo fino a 3 milioni di dollari per zero-day simili.

Negli ultimi anni i prezzi degli 0-day sono aumentati, in parte a causa dell’aumento della domanda e in parte perché i dispositivi e i software moderni stanno diventando sempre più difficili da hackerare grazie al miglioramento della sicurezza.

Così, l’anno scorso Crowdfense ha pubblicato un nuovo listino prezzi , offrendo fino a 7 milioni di dollari per vulnerabilità zero-day su iPhone e fino a 5 milioni di dollari per exploit simili su Android. Anche le vulnerabilità zero-day in applicazioni specifiche hanno iniziato a costare molto di più. Ad esempio, fino a 8 milioni di dollari per exploit su WhatsApp e iMessage e fino a 4 milioni di dollari su Telegram.

Per fare un paragone, Advanced Security Solutions offre fino a 2 milioni di dollari per exploit per Telegram, Signal e WhatsApp.

Vale anche la pena notare che all’inizio di quest’anno, il broker di vulnerabilità russo Operation Zero è diventato un’eccezione sul mercato, offriva fino a 20 milioni di dollari per gli stessi tipi di exploit che Advanced Security Solutions sta ora cercando.

Chi sono i broker 0day

I broker 0day sono intermediari specializzati nella compravendita di vulnerabilità informatiche sconosciute al pubblico e ai produttori di software, chiamate appunto zero-day. Queste falle di sicurezza, non ancora documentate né patchate, rappresentano un valore enorme nel mercato cyber, poiché consentono di sviluppare exploit capaci di aggirare le difese dei sistemi più diffusi. I broker operano come veri e propri mercanti: acquistano vulnerabilità da ricercatori indipendenti, hacker o gruppi criminali, per poi rivenderle a soggetti interessati, che possono spaziare da governi e agenzie di intelligence fino ad aziende di sicurezza o, in casi meno leciti, a cyber criminali.

Il mercato dei broker 0day si muove in una zona grigia, dove la linea tra lecito e illecito è spesso molto sottile. Alcuni broker operano in contesti legali, collaborando con stati o imprese che usano queste informazioni per sviluppare difese e rafforzare la sicurezza. Altri invece alimentano il cybercrime, rivendendo exploit a gruppi ransomware, mercati clandestini o attori statali che li utilizzano per operazioni di spionaggio o cyber warfare. Proprio per l’alto impatto che hanno sulla sicurezza globale, i broker 0day sono tra gli attori più discussi e controversi nell’ecosistema delle minacce informatiche.

L'articolo 20 milioni di dollari per exploit zero-day dal broker Advanced Security Solutions proviene da il blog della sicurezza informatica.

Tratto (e leggermente rielaborato) da "Il risveglio delle scienze religiose" di Imam Al Ghazali. ❤

Primo dovere dello studente
Il primo dovere dello studente è prioritizzare la purificazione della sua anima dalle caratteristiche più riprovevoli
Ibn Mas'ud رضي الله عنه ci ricorda:

Conoscenza non è essere al corrente di tante informazioni. Conoscenza è una luce che viene gettata nel cuore.

Secondo dovere dello studente
Il secondo dovere dello studente è che limiti i suoi attaccamenti e che viaggi lontano dalla sua casa, cosicché nel suo cuore si liberi spazio per la conoscenza.
Si dice che la conoscenza non ti darà un decimo di sé stessa se tu non le darai tutto te stesso.

Terzo dovere dello studente
Il terzo dovere dello studente consiste nel non atteggiarsi con arroganza, nel non mostrarsi altezzoso prima di acquisire la conoscenza e nel non impartire ordini al proprio insegnante. Al contrario, dovrebbe consegnare sé stesso al completo controllo del maestro, proprio come un uomo malato si affida totalmente al dottore. La persona malata non pretende di dare consigli al proprio dottore né

di guidarlo su quale medicina utilizzare.

Quarto dovere dello studente
Il quarto dovere dello studente è evitare di prestare attenzione alle divergenze tra le persone di conoscenza, poiché ciò genera confusione e smarrimento. Infatti, nelle fasi iniziali, il cuore dello studente tende a inclinarsi verso qualunque cosa gli venga presentata, soprattutto se essa conduce all’inattività, in accordo con la sua pigrizia e inattitudine.

Quinto dovere dello studente
Il quinto dovere dello studente è quello di non trascurare nessuna disciplina tra le scienze lodevoli, ma di esaminarla fino a raggiungerne l’obiettivo.
Se ne ha la capacità, dovrebbe padroneggiarla completamente; se non può, allora dovrebbe almeno acquisirne la parte più importante. E ciò è possibile soltanto dopo averla dapprima considerata nella sua interezza.

Sesto dovere dello studente
Il sesto dovere dello studente è che egli dedichi grande attenzione alla più importante delle scienze: la conoscenza dell’Aldilà. Con ciò si intende quella categoria di scienze che riguarda il perfezionamento del carattere e lo svelamento. Il perfezionamento del carattere conduce allo svelamento, e lo svelamento è la conoscenza diretta di Allah سبحانه وتعالىٰ, una luce che Allah سبحانه وتعالىٰ infonde in un cuore purificato attraverso l’adorazione e lo sforzo

Settimo dovere dello studente
Il settimo dovere dello studente è che il suo obiettivo presente sia quello di riempire il proprio intimo con le caratteristiche che lo condurranno al cospetto di Allah سبحانه وتعالىٰ e presso la dimora delle alte schiere (al-malāʾ al-aʿlā), tra coloro che sono stati avvicinati. Egli non deve mai cercare, attraverso la conoscenza, né il comando, né la ricchezza, né lo status.

Un nuovo allarme sulla sicurezza informatica arriva da un enorme dataset contenente informazioni personali di utenti italiani di Facebook.

Secondo quanto riportato, un threat actor conosciuto con l’alias Chucky_BF su un noto forum underground avrebbe messo in vendita un archivio da 35 milioni di record, con dati sensibili quali nomi completi e numeri di telefono.

L’annuncio, comparso su un forum del dark web, indica che le informazioni sono disponibili in formato CSV e riguardano esclusivamente profili italiani, riconoscibili anche dal prefisso telefonico +39.

Non è chiaro se questi dati siano già stati divulgati in precedenza o facenti già parte della famosa raccolta di dati Fuck Faceboock in circolazione da diversi anni a anche con specifici motoria di ricerca gratuiti disponibili nel dark web.

Siamo andati a verificare il post, ma tale post era stato eliminato oppure l’utente bannato dalla piattaforma su ito dopo la pubblicazione. Di seguito quanto riporta DarkWeb Informer con le evidenze del post pubblicato

Il dataset infatti sembra provenire da una raccolta precedente di informazioni trafugate e successivamente riorganizzate per il mercato illecito. Ovviamente la disponibilità di numeri di telefono associati a nominativi reali apre scenari rischiosi in termini di phishing, smishing e frodi online.

Il threat actor avrebbe pubblicato alcuni screenshot di anteprima per dimostrare l’autenticità del materiale in vendita, corredando il post con riferimenti a canali di contatto su Telegram. Questi elementi, seppur tipici nelle dinamiche del cybercrime, non consentono di verificare con certezza la reale provenienza e l’affidabilità del dataset, che potrebbe anche essere una truffa all’interno dello stesso ecosistema criminale.

La vicenda riaccende il dibattito sull’efficacia delle misure di sicurezza adottate dalle grandi piattaforme social e sulla tutela dei dati personali. In Italia, un database di queste dimensioni rappresenterebbe un rischio non solo per i singoli utenti, ma anche per le aziende e le istituzioni che potrebbero diventare bersaglio di campagne mirate di social engineering. Autorità e specialisti di cybersecurity raccomandano agli utenti di prestare particolare attenzione a messaggi sospetti e di rafforzare le misure di protezione dei propri account.

In attesa di conferme ufficiali e di eventuali comunicazioni da parte di Meta, il caso mette nuovamente in evidenza la vulnerabilità del patrimonio informativo digitale.

La vendita di dati personali, anche se non sempre confermata nei dettagli, continua a rappresentare uno dei mercati più fiorenti del dark web, a dimostrazione di quanto le informazioni private siano oggi una merce preziosa e costantemente esposta a rischi.

L'articolo 35 milioni di utenti Facebook italiani in vendita nel dark web proviene da il blog della sicurezza informatica.