Attiviste ProPal incatenate ai cancelli di Leonardo. L’ad Cingolani: “Accuse false, non vendiamo a Israele”
[quote]MILANO – Il 29 settembre, sette attiviste di Palestine Action Italia hanno bloccato l’ingresso principale della sede di Leonardo spa di Nerviano (Milano) incatenandosi al cancello e mostrando striscioni con…
L'articolo Attiviste ProPal
Gesundheitsdigitalisierung am Limit: Warum es bei der elektronischen Patientenakte noch immer hakt
netzpolitik.org/2025/gesundhei…
Perù in fiamme, Bolouarte sotto accusa: contestata all’ONU e nelle piazze
@Notizie dall'Italia e dal mondo
Dalla Generazione Z alle comunità indigene, cresce la contestazione contro un potere accusato di lawfare, repressione e sudditanza agli interessi delle élite
L'articolo Perù in fiamme, Bolouarte sotto accusa: contestata all’ONU e nelle piazze proviene da
Piano Trump, la giravolta di Netanyahu: “No al ritiro dell’Idf”. Smotrich: “Finirà in lacrime”
[quote]Il primo ministro si è anche detto contrario a uno Stato palestinese, scontrandosi ancora una volta con il programma discusso a Washington
L'articolo Piano Trump, la giravolta di Netanyahu: “No al ritiro dell’Idf”. Smotrich: “Finirà in lacrime” su
Eredità Agnelli, spunta nuovo testamento. I legali dei fratelli Elkann: “Non incide”
[quote]TORINO – La scansione di un testamento scritto a penna da Gianni Agnelli nel lontano 1998 ribalta l’eredità dell’Avvocato. “Lascio a mio figlio Edoardo la mia partecipazione nella società semplice…
L'articolo Eredità Agnelli, spunta nuovo testamento. I legali dei fratelli
UCRAINA. Giovani in fuga e accuse a Zelensky
@Notizie dall'Italia e dal mondo
Mentre le trattative tra Russia e Ucraina sono in stallo, i giovani fuggono dal paese e crescono le accuse di accentramento e autoritarismo nei confronti del presidente Zelensky
L'articolo UCRAINA. Giovani in fuga e accuse a Zelensky proviene pagineesteri.it/2025/09/30/mon…
LockBit 5.0: la minaccia cross-platform che sfida le difese enterprise
@Informatica (Italy e non Italy 😁)
LockBit, dopo anni di indiscussi primati nel cybercrime, dimostra di saper evolversi con una pericolosa efficacia. La scoperta di LockBit 5.0 da parte dei ricercatori di Trend Micro segna un punto di svolta nella guerra informatica: non siamo più di fronte a una semplice
LE ACCUSE DEI POLITICI OCCIDENTALI E DEI MEDIA CONTRO LA RUSSIA RIGUARDO AGLI INCIDENTI CON I DRONI IN EUROPA NON SONO CONFERMATE DAI RISULTATI DELLE VERIFICHE DELLA NATO E DEI SERVIZI DI INTELLIGENCE NAZIONALI - Berliner Zeitung
L'analisi mostra che la maggior parte degli incidenti fa parte di operazioni standard o è conseguenza delle interferenze dei jammer ucraini, senza prove di intenzioni militari da parte della Russia. Il giornale afferma che queste accuse infondate, amplificate dai media, creano un clima di paura utilizzato per giustificare il riarmo dell'Europa.
Info Defense
Creating Python GUIs with GIMP
GUI design can be a tedious job, requiring the use of specialist design tools and finding a suitable library that fits your use case. If you’re looking for a lightweight solution, though, you might consider just using a simple image editor with a nifty Python library that [Manish Kathuria] whipped up.
[Manish’s] intention was to create a better-looking user interface solution for Python apps that was also accessible. He’d previously considered other Python GUI options to be unimpressive, requiring a lot of code and delivering undesirable results. His solution enables the use of just about any graphic you can think of as a UI object, creating all kinds of visually-appealing possibilities. He also was eager to make sure his solution would work with irregular-shaped buttons, sliders, and other controls—a limitation popular libraries like Tkinter never quite got around.
The system simply works by using layered image files to create interactive interfaces, with a minimum of code required to define the parameters and performance of the interface. You’re not strictly limited to using the GIMP image editor, either; some of the examples use MS Paint instead. Files are on Github for those eager to try the library for themselves.
We’ve featured some neat GUI tools before, too, like this library for embedded environments. Video after the break.
youtube.com/embed/382ugrMfP8g?…
youtube.com/embed/MbUyM4_DJAU?…
TekaSketch: Where Etch A Sketch Meets Graph Theory
The Etch A Sketch was never supposed to meet a Raspberry Pi, a camera, or a mathematical algorithm, but here we are. [Tekavou]’s Teka-Cam and TekaSketch are a two-part hack that transforms real photos into quite stunning, line-drawn Etch A Sketch art. Where turning the knobs only results in wobbly doodles, this machine plots out every curve and contour better than your fingertips ever could.
Essentially, this is a software hack mixed with hardware: an RPi Zero W 2, a camera module, Inkplate 6, and rotary encoders. Snap a picture, and the image is conveyed to a Mac Mini M4 Pro, where Python takes over. It’s stripped to black and white, and the software creates a skeleton of all black areas. It identifies corner bridges, and unleashes a modified Chinese Postman Algorithm to stitch everything into one continuous SVG path. That file then drives the encoders, producing a drawing that looks like a human with infinite patience and zero caffeine jitters. Originally, the RPi did all the work, but it was getting too slow so the Mac was brought in.
It’s graph theory turned to art, playful and serious at the same time, and it delivers quite unique pieces. [Tekavou] is planning on improving with video support. A bit of love for his efforts might accellerate his endeavours. Let us know in the comments below!
youtube.com/embed/g_TLOn1jJWY?…
Klein has attempted to subpoena Discord and Reddit for information that would reveal the identity of moderators of a subreddit critical of him. The moderators' lawyers fear their clients will be physically attacked if the subpoenas go through.
Klein has attempted to subpoena Discord and Reddit for information that would reveal the identity of moderators of a subreddit critical of him. The moderatorsx27; lawyers fear their clients will be physically attacked if the subpoenas go through.#News #YouTube
Reddit Mods Sued by YouTuber Ethan Klein Fight Efforts to Unmask Them
This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records.Subscribe to them here.Critics of YouTuber Ethan Klein are pushing back on subpoenas that would reveal their identities as part of an ongoing legal fight between Klein and his detractors. Klein is a popular content creator whose YouTube channel has more than 2 million subscribers. He’s also involved in a labyrinthine personal and legal beef with three other content creators and the moderators of a subreddit that criticises his work. Klein filed a legal motion to compel Discord and Reddit to reveal the identities of those moderators, a move their lawyers say would put them in harm’s way and stifle free speech on the internet forever.
Klein is most famous for his H3 Podcast and collaborations with Hasan Piker and Trisha Paytas which he produced through his company Ted Entertainment Inc. Following a public falling out with Piker, Klein released a longform video essay critiquing his former podcast partner. As often happens with long video essays about YouTube drama, other content creators filmed themselves watching Klein’s essay.
playlist.megaphone.fm?p=TBIEA2…
These are called “reaction” videos and they’re pretty common on YouTube. Klein sued three creators—Frogan, Kaceytron, and Denims—calling their specific reaction videos low effort copyright infringement. As part of the lawsuit, he also went after the moderation team of the r/h3snark subreddit—a board on Reddit that critiques Klein and had shared the Denims video as part of a thread about Klein’s Piker essay.On July 31, a judge allowed Klein’s lawyers to file a subpoena with Reddit and Discord that would reveal the identities of the people running r/h3snark and an associated Discord server. On September 22, lawyers for the defendants filed a motion to quash the subpoenas.
“On its face, the Action is about copyright infringement,” the latest filing said. “At its heart, however, the Action is about stifling criticism and seeking retribution by unmasking individuals for perceived reputational harms TEI [Klein’s production company] attributes to [John Doe moderators] unrelated to TEI’s intellectual property rights.”
The defendants’ lawyers said the subpoena to unmask moderators should be quashed because Klein can’t prove his case of copyright infringement, but also because revealing such information could put the Does’ in harm’s way. “The balance of equities weighs in favor of Does’ anonymity and quashing TEI’s Subpoenas in their entirety,” the filing said.
As evidence of the danger faced by the Does, the court filing quoted Klein directly. “Listen, guys, at this point you [r/h3snark mods] are totally fucked,” Klein said on a podcast, according to the court filing. “There’s a subpoena that’s going to come. You can’t erase your data. We’re going to get your IP address and find your information.”
“If there’s any justice in the world [the h3snark mods] will lose everything that they care about and I will be the one who makes them lose those things […] through legal means. Through any legal means,” he said, according to the court filing.
The defendants' lawyers paint a grim picture of what might happen should Klein’s subpoenas succeed: they “fear potentially being attacked, or worse, killed, over moderating a subreddit,” the filing said. “These worries extend to all family and friends connected to Does. Does fear their professional lives being ruined, potential sexual violence, extortion, fans showing up to their home, and endless years of harassment due to Ethan’s prolific lies surrounding them. The target he has painted on the moderators would make it unsafe to live openly in any capacity. Some Does also have heightened risk of retaliatory harm due to their religious identities. If their real names are revealed, these Does—and their families—face a real risk of being doxed, stalked, or harassed, as has happened to others in similar situations. In this climate, unmasking Does would expose them to significant and unjustified danger.”
Personal safety wasn’t the only legal argument the moderator’s lawyers put forward. A key part of Klein’s claim is that the Does violated his copyright by hosting links on r/h3snark of other streamers reacting to his video “Content Nuke—Hasan Piker.” His legal case is built around going after content creators for making “low effort” content using his work, but also the anonymous people on Reddit who shared links of those videos.
“The next question is whether creating a discussion thread, which includes a link to a streamer’s channel, where the streamer reacts to a live broadcast while providing her own commentary and criticism, and users visiting the thread engage in their own debate about the live broadcast and reactions thereto, constitutes contributory infringement,” the filing said. “It does not.”
The lawyers also argued that a Reddit “megathread”—a common practice where the moderators of a subreddit create one single space on a board for people to talk about a specific top—are fair use, that the reaction videos were transformative and should be considered fair use, and that the reaction videos increased the public’s exposure to Klein’s video.
💡
Do you know anything else about this story? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +1 347 762-9212 or send me an email at matthew@404media.co.At the end of the filing, the lawyers returned again to the personal safety of the moderators. They argued that even if Klein’s claim of copyright infringement met the burden of proof, and the lawyers don’t believe it does, the balance of harms is in favor of the moderators. “The personal harms to Does by allowing unmasking, as well as the public harms to online speech and discourse generally, would be irreparable in the private sense and long-reaching in the public sense,” the filing said.
The anonymity of places like Reddit and Discord grant a layer of protection to people seeking to critique power. This case could set a dangerous precedent, the lawyers believe. “If the court allows TEI’s Subpoenas, it would enable TEI to impose a considerable price on Does’ use of the vehicle of anonymous speech—including public exposure, real risks of retaliation and actual harm, and the financial and other burdens of defending the Action,” the filing said.
The filing added: “Very few would-be commentators are prepared to bear costs of this magnitude. So, when word gets out that the price tag of criticizing Ethan is this high—that speech will disappear. But that is precisely what Ethan Klein wants.”
Breaking News Channel reshared this.
Lumafield Shows Why Your Cheap 18650 Cells Are Terrible
Lithium-ion cells deliver very high energy densities compared to many other battery technologies, but they bring with them a danger of fire or explosion if they are misused. We’re mostly aware of the battery conditioning requirements to ensure cells stay in a safe condition, but how much do we know about the construction of the cells as a factor? [Lumafield] is an industrial imaging company, and to demonstrate their expertise, they’ve subjected a large number of 18650 cells from different brands to a CT scan.
The construction of an 18650 sees the various layers of the cell rolled up in a spiral inside the metal tube that makes up the cell body. The construction of this “jellyroll” is key to the quality of the cell. [Lumafield’s] conclusions go into detail over the various inconsistencies in this spiral, which can result in cell failure. It’s important that the edges of the spiral be straight and that there is no electrode overhang. Perhaps unsurprisingly, they find that cheap no-name cells are poorly constructed and more likely to fail, but it’s also interesting to note that these low-quality cells also have fewer layers in their spiral.
We hope that none of you see more of the inside of a cell in real life than you have to, as they’re best left alone, but this report certainly sheds some light as to what’s going on inside a cell. Of course, even the best cells can still be dangerous without protection.
Joe Vinegar reshared this.
Macintosh System 7 Ported To x86 With LLM Help
You can use large language models for all sorts of things these days, from writing terrible college papers to bungling legal cases. Or, you can employ them to more interesting ends, such as porting Macintosh System 7 to the x86 architecture, like [Kelsi Davis] did.
When Apple created the Macintosh lineup in the 1980s, it based the computer around Motorola’s 68K CPU architecture. These 16-bit/32-bit CPUs were plenty capable for the time, but the platform ultimately didn’t have the same expansive future as Intel’s illustrious x86 architecture that underpinned rival IBM-compatible machines.
[Kelsi Davis] decided to port the Macintosh System 7 OS to run on native x86 hardware, which would be challenging enough with full access to the source code. However, she instead performed this task by analyzing and reverse engineering the System 7 binaries with the aid of Ghidra and a large language model. Soon enough, she had the classic System 7 desktop running on QEMU with a fully-functional Finder and the GUI working as expected. [Kelsi] credits the LLM with helping her achieve this feat in just three days, versus what she would expect to be a multi-year effort if working unassisted.
Files are on GitHub for the curious. We love a good port around these parts; we particularly enjoyed these efforts to recreate Portal on the N64. If you’re doing your own advanced tinkering with Macintosh software from yesteryear, don’t hesitate to let us know.
Tre gravi falle scoperte in VMware vCenter e NSX: patch da applicare subito
Il 29 settembre 2025 Broadcom ha diffuso l’avviso di sicurezza VMSA-2025-0016, riguardante la correzione di tre vulnerabilità individuate nei prodotti VMware vCenter e VMware NSX. I bug, interessano diverse soluzioni dell’ecosistema VMware e presentano una gravità classificata come alta, con un punteggio CVSSv3 compreso tra 7,5 e 8,5.
Le falle coinvolgono i seguenti componenti e piattaforme:
- VMware vCenter Server
- VMware NSX e NSX-T
- VMware Cloud Foundation
- VMware Telco Cloud Platform
- VMware Telco Cloud Infrastructure
Dettagli sulle vulnerabilità
Le vulnerabilità identificate sono catalogate come CVE-2025-41250, CVE-2025-41251 e CVE-2025-41252.
CVE-2025-41250 – Iniezione dell’intestazione SMTP in vCenter
Una debolezza in VMware vCenter consente l’iniezione di intestazioni SMTP. Un utente con privilegi non amministrativi, ma autorizzato a creare attività pianificate, potrebbe manipolare le email di notifica inviate dal sistema. La vulnerabilità ha un punteggio CVSS massimo di 8,5.
- Risoluzione: installare le patch indicate nella Matrice di risposta.
- Ringraziamenti: segnalazione a cura di Per von Zweigbergk.
CVE-2025-41251 – Meccanismo di recupero password debole in NSX
VMware NSX presenta una falla nel sistema di recupero delle password. Un attaccante non autenticato potrebbe sfruttarla per enumerare nomi utente validi, aprendo la strada a possibili attacchi brute-force. Il problema è stato valutato con un punteggio massimo di 8,1.
- Risoluzione: aggiornamenti disponibili nelle versioni corrette indicate da Broadcom.
- Ringraziamenti: segnalazione attribuita alla National Security Agency (NSA).
CVE-2025-41252 – Enumerazione dei nomi utente in NSX
Un’ulteriore vulnerabilità in VMware NSX permette a un utente non autenticato di enumerare account validi, aumentando il rischio di tentativi di accesso non autorizzati. La criticità è stata valutata con un punteggio massimo di 7,5.
- Risoluzione: patch ufficiali disponibili nella Matrice di risposta.
- Ringraziamenti: anche in questo caso, segnalazione della National Security Agency (NSA).
Broadcom raccomanda l’immediata applicazione delle patch fornite per tutte le distribuzioni interessate. Al momento non sono previste soluzioni alternative o mitigazioni temporanee.
L'articolo Tre gravi falle scoperte in VMware vCenter e NSX: patch da applicare subito proviene da il blog della sicurezza informatica.
0-day 0-click su WhatsApp! un’immagine basta per prendere il controllo del tuo iPhone
Qualche produttore di spyware starà probabilmente facendo ginnastica… strappandosi i capelli. Ma ormai è il solito teatrino: c’è chi trova, chi incassa, chi integra e poi arriva il ricercatore di turno a rovinare la festa — per etica o per qualsiasi altra ragione scenica.
Recentemente è stata individuata una falla di sicurezza in WhatsApp che consente l’esecuzione di codice remoto (RCE) senza necessità di clic (0-click). Questa vulnerabilità risulta essere già attivamente sfruttata dagli aggressori su piattaforme Apple, tra cui iOS, macOS e iPadOS.
I ricercatori di DarkNavyOrg hanno individuato una falla sfruttando due vulnerabilità, CVE-2025-55177 e CVE-2025-43300, in una proof-of-concept. Questa debolezza permette di compromettere i dispositivi in modo silenzioso, senza richiedere alcun intervento dell’utente.
Le vittime ricevono un file immagine DNG dannoso tramite WhatsApp e, dopo l’analisi automatica, subiscono il controllo completo del dispositivo. Lo sfruttamento inizia con CVE-2025-55177, un difetto logico critico nella logica di gestione dei messaggi di WhatsApp.
Per impostazione predefinita, WhatsApp non è in grado di comprendere che un messaggio in arrivo sia realmente originato da un dispositivo connesso autorizzato. Un aggressore può aggirare le verifiche di sicurezza iniziali e includere un file DNG contraffatto nella cronologia chat della vittima modificando la fonte del messaggio.
Poiché WhatsApp elabora i messaggi automaticamente, anche prima che l’utente li visualizzi, il payload viene recapitato senza avvisare la vittima. Una volta consegnato, il carico utile DNG malformato innesca la seconda falla, CVE-2025-43300. Questa vulnerabilità risiede nella libreria di analisi dei file DNG, dove un controllo improprio dei limiti provoca un errore di danneggiamento della memoria.
Quando il motore di elaborazione multimediale di WhatsApp tenta di analizzare la struttura DNG non corretta, sovrascrive le regioni di memoria critiche, consentendo a un aggressore di dirottare il flusso di esecuzione ed eseguire codice arbitrario sul dispositivo di destinazione. Uno sfruttamento riuscito comporta la compromissione completa del dispositivo e in questo scenario gli aggressori possono effettuare tutte le classiche operazione di un spyware:
- Esfiltrare dati personali, inclusi messaggi, contatti, foto e credenziali;
- Intercettazione dei flussi audio e video in diretta dalla telecamera e dal microfono;
- Installare backdoor persistenti o malware per l’accesso a lungo termine;
- Manipolare le impostazioni di sistema, disattivare le funzionalità di sicurezza o rimuovere le prove di compromissione.
Le vittime non hanno la possibilità di ispezionare o bloccare il payload dannoso prima dell’esecuzione e le protezioni standard degli endpoint potrebbero non contrassegnare il file DNG malformato come dannoso.
La società DarkNavyOrg è tuttora impegnata nell’investigazione degli exploit di tipo zero-click associati. Una vulnerabilità relativa a Samsung (CVE-2025-21043) è stata menzionata dal gruppo come attualmente in fase di studio. La recente serie di scoperte mette in evidenza la difficoltà costante nel salvaguardare i parser di file sofisticati all’interno delle app di messaggistica che operano su più piattaforme, ove persino formati sicuri come il DNG possono essere sfruttati come canali di attacco.
L'articolo 0-day 0-click su WhatsApp! un’immagine basta per prendere il controllo del tuo iPhone proviene da il blog della sicurezza informatica.
Joe Vinegar reshared this.
In occasione del XXII Congresso Coscioni: “I diritti spiegati ai bambini – Laboratori sui temi della disabilità e dell’inclusione”
I diritti spiegati ai bambini
Laboratori sui temi della disabilità e dell’inclusione
Per il secondo anno, nel corso del Congresso, l’Associazione Luca Coscioni per la libertà di ricerca scientifica è lieta di organizzare i laboratori “I diritti spiegati ai bambini”, sui temi della disabilità e dell’inclusione. I laboratori si svolgeranno sabato 4 ottobre 2025, dalle 15.00 alle 18.00, e domenica 5 ottobre, dalle 10.00 alle 12.00.
Un viaggio per scoprire la ricchezza della diversità
I laboratori sono pensati per bambini dai 4 ai 10 anni e guidano i più piccoli alla scoperta dei diritti, dell’unicità di ciascuno e del valore dell’inclusione. Attraverso giochi, racconti e attività creative, i bambini saranno accompagnati a riflettere in modo semplice e coinvolgente sul rispetto, sulla collaborazione e sulla bellezza della diversità.
Obiettivi pedagogici
- Sviluppare empatia e sensibilità verso le difficoltà degli altri.
- Riconoscere e valorizzare le proprie unicità e quelle altrui.
- Imparare collaborazione, rispetto reciproco e sostegno.
- Trasformare le barriere in occasioni di crescita e inclusione condivisa.
Preannuncia la partecipazione dei tuoi figli! Invia una mail a laboratoribambini@associazionelucacoscioni.it indicando quanti bambini sono, l’età e le sessioni cui prenderanno parte.
L'articolo In occasione del XXII Congresso Coscioni: “I diritti spiegati ai bambini – Laboratori sui temi della disabilità e dell’inclusione” proviene da Associazione Luca Coscioni.
Testamento biologico e diritti nel fine vita – Incontro informativo in provincia di Pavia
Testamento biologico e diritti nel fine vita – Incontro informativo a Travacò Siccomario
Un incontro pubblico aperto alla cittadinanza per approfondire il tema del testamento biologico (DAT – Disposizioni Anticipate di Trattamento) e, più in generale, i diritti nel fine vita.
Durante l’evento si parlerà:
- della legge 219/2017 su consenso informato e DAT,
- delle modalità per redigere e depositare le disposizioni,
- dello stato della normativa nazionale dopo la sentenza Cappato-Antoniani,
- delle nuove leggi regionali approvate in Toscana e Sardegna,
- del servizio gratuito di orientamento legale e medico-sanitario attivo con il nostro Numero Bianco.
Interverranno:
- Cristiana Zerosi e Alice Spaccini, membri della Giunta dell’Associazione Luca Coscioni.
Sarà inoltre l’occasione per presentare ufficialmente alla cittadinanza la nascita della Cellula Coscioni di Pavia, attiva sul territorio per promuovere libertà civili, autodeterminazione e accesso ai diritti.
L'articolo Testamento biologico e diritti nel fine vita – Incontro informativo in provincia di Pavia proviene da Associazione Luca Coscioni.
Screenshots shared with 404 Media show tenant screening services ApproveShield and Argyle taking much more data than they need. “Opt-out means no housing.”#News
Landlords Demand Tenants’ Workplace Logins to Scrape Their Paystubs
Landlords are using a service that logs into a potential renter’s employer systems and scrapes their paystubs and other information en masse, potentially in violation of U.S. hacking laws, according to screenshots of the tool shared with 404 Media.The screenshots highlight the intrusive methods some landlords use when screening potential tenants, taking information they may not need, or legally be entitled to, to assess a renter.
“This is a statewide consumer-finance abuse that forces renters to surrender payroll and bank logins or face homelessness,” one renter who was forced to use the tool and who saw it taking more data than was necessary for their apartment application told 404 Media. 404 Media granted the person anonymity to protect them from retaliation from their landlord or the services used.
💡
Do you know anything else about any of these companies or the technology landlords are using? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.“I am livid,” they added.
This post is for subscribers only
Become a member to get access to all content
Subscribe now
Breaking News Channel reshared this.
What happened to RubyGems, Bundler, and the Open Source drama that controls the internet infrastructure.#Features
How Ruby Went Off the Rails
For the past couple of weeks, a community of developers who use the programming language Ruby have been closely following a dramatic change in ownership of some of the most essential tools in its ecosystem with far reaching impacts for the worldwide web.If you’re not familiar with Ruby or the open source development community, you probably haven’t heard about any of this, but the tools in question serve as critical infrastructure for gigantic internet services like GitHub, Shopify, and others, so any disruption to them would be catastrophic to those companies, their users, and vast swaths of the internet.
On September 19, Ruby Central, a nonprofit organization that manages RubyGems.org, a platform for sharing Ruby code and libraries, asserted control over several GitHub repositories for Ruby Gems as well as other critical Ruby open source projects that the rest of the Ruby development community relies on. A group of open source developers who had contributed to those projects and maintained them for years had their permissions suddenly revoked. When these developers announced on social media that their access was taken away, many Ruby developers saw the decision as a betrayal of their years-long contributions to the Ruby ecosystem and open source principles more generally. Others accused Ruby Central of succumbing to corporate pressure from companies like Shopify, which they claimed wanted more control over the project.
In some ways, this whole affair is an example of why this stuff gets really messy when people start getting paid
I’ve spent the last week talking to people who had direct involvement with Ruby Central’s decision, the contributors who were ousted, and developers in the Ruby community. I’ve heard accusations of greed, toxic personalities, and stories about years-long feuds between people, at times in open disagreement, who ultimately govern some of these important open source tools.RubyGems.org and other critical Ruby tools have so far not been interrupted during this transition, but the incident sheds light on a basic truth about the internet and open source development: Much of the technology we use every day and take for granted is being maintained by a small number of developers who are not compensated for that work or get paid very little when compared to salaries at big tech companies. Open source development continues to make much of the internet possible, but as some of these tools become more important and financially valuable, they’re subject to more scrutiny and pressure from the community, organizations, and companies that rely on them.
“In some ways, this whole affair is an example of why this stuff gets really messy when people start getting paid, and once you start introducing formal organizations and employees and nonprofits and lawyers and all this kind of complexity,” Mike McQuaid, developer of the popular package manager Homebrew, which is built with Ruby, told me. McQuaid has talked to and offered to mediate between Ruby Central and the ousted maintainers. “This is a textbook case of what happens when there's this conflict between what companies want, what nonprofit individuals want, how much responsibility people have when they take money, who gets control and when. How much democracy versus just ‘I have the power to do something, therefore I'm going to do it.’”
With Ruby developers can download and use self-contained packages of code that add different functionalities to a Ruby project. These packages are called gems, and are distributed primarily via RubyGems.org, where developers can upload gems they’ve developed or download gems from other developers.
The ability to download gems and plug them into different projects is very useful and convenient for Ruby developers, but can create complications. Different gems are developed by different teams and are updated at different times with bug fixes and new features, and might not necessarily be compatible or play well with one another as they evolve.
This is where Bundler comes in. As its website explains, “Bundler provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions that are needed.” So, for example, if a developer is building a Ruby project and wants to use gems X, Y, and Z, Bundler will pull the versions of those gems that are compatible with one another, providing developers an easy solution for what Bundler describes as “dependency hell.”
Bundler is an open source project that was initially developed by Yehuda Katz, but the GitHub repository for the project was created and was administrated by André Arko. In 2015, Arko also founded a nonprofit trade organization named Ruby Together, which raised funds from developers and companies that use Ruby in order to maintain Bundler and other open source tools.
I will not mince words here: This was a hostile takeover
RubyGems.org, the site and service, is governed by Ruby Central, a nonprofit founded in 2001, which also organizes several Ruby conferences like RubyConf and RailsConf. In 2022, Arko’s Ruby Together and Ruby Central merged, “uniting the Ruby community’s leading events and infrastructure under one roof,” according to Ruby Central’s site. Bundler’s and RubyGems.org’s work often overlapped both in their goals and the developers who worked on them, but operated across two different GitHub organizations, each with its own repositories. To streamline development of these open source projects, Bundler also joined the Ruby Gems GitHub organization in 2022.In 2023, Ruby Central established the Open Source Software Committee, which according to its site oversees RubyGems, Bundler, and RubyGems.org, focusing on infrastructure stability, security, and sustainability.
A confusing and central point of disagreement between Ruby Central and the maintainers it ousted on September 19 is rooted in the merging of Ruby Together and Ruby Central and the difference between Rubygems.org the service, essentially an implementation of the Ruby Gems codebase on an AWS instance, which both parties agree Ruby Central owns and operates, and the Ruby Gems the codebase that lives in the same GitHub organization as Bundler.
According to a recording of a mid-September Zoom meeting which I obtained between Marty Haught, Ruby Central’s Director of Open Source, Arko, and the other ousted contributors, Ruby Central maintains that the codebase and GitHub organization became its responsibility when Ruby Central merged with Ruby Together in 2022. The ousted contributors’ position is that members of Ruby Central, like Haught, can be owners of the GitHub organization, but that ownership of the RubyGems codebase and other projects in the GitHub organization belong to the contributors, who don’t have a detailed governance model but historically have governed by consensus.
Arko made this argument to me in a recent interview, but also outlined that argument in a blog post, where he also shared the merger agreement between Ruby Central and Ruby Together. It shows that Ruby Together would dissolve and that Ruby Central would be in charge of raising and allocating funds for development, but does not explicitly say Ruby Central takes ownership of the RubyGems and Bundler projects or the GitHub organization.
To make matters even more complicated, Arko was at once a contributor to these open source projects, a contributor to RubyGems.org the service, an owner of the GitHub organization, and an advisor to Ruby Central’s Open Source Software Committee.
In May, Arko resigned his position as an advisor to Ruby Central’s Open Source Software Committee, but continued his work as a contributor. Arko told me he resigned his advisory role because of Ruby Central’s last minute invitation of David Heinemeier Hansson, better known online as DHH, as a keynote speaker at RailsConf.
Arko told me he objected to that decision because of DHH’s “horrifying, racist, misogynist, politics” and DHH’s “personal vendetta” against him. In 2021, back at Motherboard, we reported that many employees at DHH’s company, Basecamp, quit after his decision to ban any discussion of politics at work, which many employees saw as squashing discussion about race, bias, and diversity. Arko told me that DHH’s “personal vendetta” against him stemmed from Arko not wanting to support a certain feature DHH wanted added to Bundler, after which DHH demanded Arko be removed from the Ruby Together board.
The current controversy erupted on social media on September 19, when one contributor to the open source projects in the RubyGems and Bundler GitHub organization, Ellen Dash, announced that Haught, Ruby Central’s Director of Open Source, revoked GitHub organization membership for all admins on the RubyGems, Bundler, and RubyGems.org maintainer teams. At that moment, their permissions and access to the GitHub organization were revoked, meaning they could no longer make any changes or contributions to the code, and Haught, representing Ruby Central, took control.
“I will not mince words here: This was a hostile takeover,” Dash said in a public “goodbye” letter they shared online. “I consider Ruby Central’s behavior a threat to the Ruby community as a whole. The forceful removal of those who maintained RubyGems and Bundler for over a decade is inherently a hostile action. Ruby Central crossed a line by doing this.”
The news was seen by many developers in the Ruby and open source community as betraying the dedication and labor that Dash, Arko, and other maintainers put into these tools for years.
Ruby Central, meanwhile, describes the move as one centered around security.
“With the recent increase of software supply chain attacks, we are taking proactive steps to safeguard the Ruby gem ecosystem end-to-end,” Ruby Central said in an explanation of its decision. “To strengthen supply chain security, we are taking important steps to ensure that administrative access to the RubyGems.org, RubyGems, and Bundler is securely managed. This includes both our production systems and GitHub repositories. In the near term we will temporarily hold administrative access to these projects while we finalize new policies that limit commit and organization access rights. This decision was made and approved by the Ruby Central Board as part of our fiduciary responsibility. In the interim, we have a strong on-call rotation in place to ensure continuity and reliability while we advance this work. These changes are designed to protect critical infrastructure that power the Ruby ecosystem, whether you are a developer downloading gems to your local machine [or] a small or large team who rely on the safety and availability of these tools.”
404 Media has covered the kind of recent supply chain attacks targeting open source projects that Ruby Central is referring to. Earlier this month, a critical JavaScript development tool Node Package Manager (NPM), was targeted by a similar supply chain attack. But not everyone in the Ruby development community bought the explanation that security was at the heart of the recent moves. One reason for that is a public statement from a Ruby Central board member and treasurer Freedom Dumlao.
On Substack, Dumlao apologized for the sudden change and how it was communicated.
“If Ruby Central made a critical mistake, it's here,” he wrote. “Could these conversations have been happening in public? Could the concerns we were hearing from companies, users and sponsors have been made more apparent? Probably. But I remind you we don't have a ‘communications team’, no real PR mechanism, we are all just engineers who (like many of you I'm sure) go heads down on a problem until it's solved.”
Dumlao reiterated that RubyGems and Bundler are critical infrastructure that are now increasingly under the threat of supply chain attacks, and said that the companies that rely on them “count” on Ruby Central do everything it can to keep them and their users safe.
However, Dumlao also said that Ruby Central was under “deadline” to make this change.
“Either Ruby Central puts controls in place to ensure the safety and stability of the infrastructure we are responsible for, or lose the funding that we use to keep those things online and going,” Dumlao wrote.
In a September 22 video message in response to criticism about its decision to remove maintainers, Ruby Central’s executive director Shan Cureton described a similar dynamic. She said “sponsors and companies who depend on Ruby tooling came to us with supply chain concerns” and that “Our funding and sponsorships are directly tied to our ability to demonstrate strong operational standards. Without those standards in place, it becomes harder to secure the support needed to keep maintainers paid, organize events, and provide resources for developers at every stage of their journey.”
Since Shopify is one of the primary sponsors and funders of Ruby Central, this led some in the Ruby community to believe that Shopify was exerting pressure on Ruby Central to make this change.
“That is not how it happened, and I wish I had been more careful with my wording in that blog post,” Dumlao told me in a Linkedin message when I asked him if Ruby Central was under pressure from Shopify to make these changes.
I just don't think that there's any other plausible explanation than Shopify demanded this.
After I gave Dumlao my number so we could do a phone interview, I got an email from Cindi Sutera, who was recently brought on as a spokesperson for Ruby Central."Ruby Central’s mission is to keep the infrastructure that Rubyists rely on stable, safe, and trustworthy,” she told me. “As part of a routine review following organizational changes, we identified a small number of accounts whose privileges no longer matched current role requirements. The Board voted that it was imperative to align access with our privilege policy to keep the infrastructure that the Ruby community depends on stable. This is our mission.”
Sutera said that the board approved “a temporary administrative hold on certain elevated permissions” while it finalized operator agreements and governance roles.
“To move quickly and transparently, we imposed a clear deadline to complete operator agreements and close gaps,” she said. “We could have communicated earlier that we felt it necessary to move quickly and wish we could have given the community more time to prepare for this action. And now, here we are committed to completing this transition for the stability and security of the Ruby Gems supply chain. More updates are coming as we work through security protocols and stabilization efforts.”
“There’s literally only one company providing the money that is keeping Ruby Central open, and it is Shopify,” Arko told me. “And so I just don't think that there's any other plausible explanation than Shopify demanded this.”
When I asked Arko why he thought Ruby Central removed him, if it wasn’t for security reasons, Arko said: “totally unprovable speculation is Shopify’s CEO is best friends with DHH, who hates me.” DHH is also a Shopify board member.
“Thanks for the invitation, but not my place to weigh in a lot on this while they're working through these changes,” DHH told me in an email when reached for comment. “But I support them taking steps to secure and professionalize the supply chain work they're doing.”
Shopify did not reply to a request for comment.
As this episode spread on social media, I talked to several people associated with Ruby Central who told me the board was acting in the interest of the RubyGems and the Ruby community. Two sources who asked for anonymity for fear of retaliation said that Arko was difficult to work with, questioned how he used funds raised by Ruby Together, and claimed that a new Ruby version manager he’s working on, rv, means he has a conflict of interest with his work on RubyGems and Bundler.
Arko acknowledged to me he heard he’s been difficult to work with in the past. He said that sometimes he’s been able to reach out to people directly and resolve any issues, and that sometimes he hasn’t. He rejected the other allegations, and said that Ruby Together’s financials have always been public.
“It has always been fully public, and the amount has been fixed at $150 an hour for 10 years,” he said, referring to the amount contributors got paid to work on Bundler. Arko added that nobody has ever been paid for more than 20 hours a week, and that the most he’s been able to raise in a single year is $300,000 to pay eight different contributors. “Nobody has gotten a raise for 10 years.”
"As a matter of policy, we don’t discuss individual personnel,” Sutera, the Ruby Central spokesperson, said when I asked if Arko was removed from the GitHub organization because of his previous behavior. “Our recent actions were organization-wide governance measures aimed at aligning access with policy. Our priority is maintaining a stable and secure Ruby Gems supply chain."
McQuaid, the developer of Homebrew and who followed the controversy, told me that even Arko’s harshest critics wouldn’t deny the contributions he’s made to the Ruby community over the years.
Regarding Arko’s blog post about his removal, McQuaid told me it’s good that Arko is crediting other people for their contribution and that he’s following open source principles of community and transparency, but that “his ‘transparency’ here has been selective to things that benefit him/his narrative, he seems unwilling or unable to admit that he failed as a leader in being unwilling or unable to introduce a formal governance process long before this all went down or appoint a meaningful successor and step down amicably.”
The fundamental disagreement here is about who “owns” the GitHub organization that houses Bundler and RubyGems. Technically, Ruby Central was able to assert control because Hiroshi Shibata, a member of the Ruby core team and one of the contributors who has owner-level permissions on the GitHub, made Haught, who revoked the others’ access, an owner as well. Any owner can add or remove any other owner, but when Ruby Central’s board voted to make this change Haught acted immediately and removed Arko, Dash, and others.
However, Arko fundamentally disagrees with the premise that Ruby Central has the right to govern the GitHub organization in any way, and believes that it has always belonged to the group of contributors who had access up until September 19.
Arko said that even if Ruby Central gave him his permissions back, he would not consider the matter resolved until Ruby Central stopped claiming it owns Bundler “but I am definitely not going to hold my breath for that one.”
“When people really care, they're passionate and they're enthusiastic and they argue, and that often looks like drama,” McQuaid, the developer of Homebrew, said when I asked what he thinks this entire affair says about the state of open source development. “But if I had to pick between having the enthusiasm and the drama or losing both, then I'd probably pick the enthusiasm and the drama, because in some ways, the system is somewhat self correcting. Even the stuff that's going on right now, people are having essentially a very public debate about what role do large companies or nonprofits or individual maintainers have in open source. To what extent does someone's level of contribution matter versus what type of person they are? I think these are valuable discussions to be having, and we're having them in the open, whereas if it was in a company, this would all be in a meeting room or with an HR department or in a leadership offsite or whatever.”
A board member's perspective of the RubyGems controversy
What a week it's been as a Ruby Central Board Member.Freedom Dumlao (Freedom’s Substack)
TikTok: The art of the (non) deal
IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and I bring you an exclusive first look at the latest Star Wars epic coming to a cinema near you later this year.
— The United States has a deal to shift ownership of TikTok's US unit to American owners — or does it?
— Some of the biggest social media companies are speaking out of both sides of their mouths when it comes to online safety.
— Artificial intelligence is expected to boost global trade by at least a third by 2040, according to estimates from the World Trade Organization.
Let's get started
Ask Hackaday: How Do You Distro Hop?
If you read “Jenny’s Daily Drivers” or “Linux Fu” here on Hackaday, you know we like Linux. Jenny’s series, especially, always points out things I want to try on different distributions. However, I have a real tendency not to change my distro, especially on my main computer. Yet I know people “distro hop” all the time. My question to you? How do you do it?
The Easy but Often Wrong Answer
Sure, there’s an easy answer. Keep your /home directory on a separate disk and just use it with a new boot image. Sounds easy. But the truth is, it isn’t that easy. I suppose if you don’t do much with your system, that might work. But even if you don’t customize things at the root level, you still have problems if you change desktop environments or even versions of desktop environments. Configuration files change over time. Good luck if you want to switch to and from distros that are philosophically different, like systemd vs old-school init; apparmor vs SELinux. So it isn’t always as simple as just pointing a new distro at your home directory.
One thing I’ve done to try out new things is to use a virtual machine. That’s easy these days. But it isn’t satisfying if your goal is to really switch to a new distro as your daily driver.
The Reason
The reason this came up is that I generally like KDE and was using Kubuntu for a number of years. They tend to lag a bit on the KDE desktop, so when KDE came out with Neon, I was sold. However, since they were both based on Ubuntu/Debian, there was a mostly working upgrade path to convert a Kubuntu installation to Neon.
Fast forward to today. Neon has been suffering lately. I hear there is one volunteer keeping it running. KDE has decided to shift focus to a new distro that does things I’m not crazy about (immutable system; Wayland). So it was time to hop again.
I’d heard that OpenSUSE was good at keeping up with KDE, and the rolling release of Tumbleweed appeals to me. So I made the switch.
The Hard Way
I am in no way suggesting you do this. It was a bad idea, and while it worked, it was a lot of effort. Even so, it only worked because I have way more disk storage than I need: my root file system is way under 3 TB, and I have about 9 TB of RAID as my primary hard drive. Of course, you should be backed up. But if you’ve ever had to restore from a backup, you know that’s no fun. Better to have it and not need it.
So what did I do? I used kvm to stand up a virtual machine, and then I installed Tumbleweed on it. I turned off the btrfs features since I didn’t plan to use them. Then I set about matching my Neon desktop. All the KDE settings. All the strange systemd services and timers I have set up. The systems I use to run my own dynamic DNS. As much of everything as I could think of.
I got to the point where working in the VM was comfortable. My browsers and all my other tools were ready and configured.
You know I forgot something. I knew too, so I wanted to save things for reference. First, I booted from a live image and made a copy of my entire root file system under /NEON. Then I rebooted and created a new virtual machine and booted a “live” ISO file on it.
A Hard Day’s Night
The next step was to copy the snapshot of the /NEON directory into the VM. Sure, I could have used LVM snapshots or, if I were still using btrfs, a snapshot from that. But I have plenty of disk space, especially after pruning off some very large directories from the copy.
The key to this, by the way, is using the nbd program to mount the VM’s disk image. You do need the nbd module loaded, if you have it as a module, and then you export it using nbd. From there, you get a device you can mount just like any other. I’d explain it, but you really shouldn’t be taking this as instructions. Still, if you need to do it, [shamil] has a good, concise explanation.
Of course, the new VM won’t boot. You have to bind mount all the running directories (like /run and /proc) to the right mountpoint and then chroot into the mounted file system. Once there, you can rebuild your init image and run grub. After that, you should be able to boot into the old Neon system in the new VM.
The Beauty of It…
So at this point, I had not made any changes to my main OS. I had a copy of it for backup purposes, and I was able to boot into a clone of it using a VM. I could also boot into the target system with a different VM.
The next step was to boot to a live image again and nuke nearly everything on the root file system except for /NEON, and the VMs, of course, which were on separate drives.
I thought about running the Tumbleweed installer and then copying files from the VM, but instead I decided to just do it by hand. I copied the files from the new VM over to the real root drive, using nbd again. Then I had to do the whole bind/mount/chroot/reinstall steps again.
Did It Boot?
It did, in fact, boot up. There were a few glitches, mostly due to self-inflicted problems. When I restored some large directories and some SSD-based temporary directories, I created some SELinux problems that were fun to track down. I had, of course, forgotten a few things installed deeply, too. But that wasn’t a problem. I could still go grab stuff from /NEON or even boot the Neon install up in the VM to compare things.
I am about to the point where I will delete the extra copies of things. I’ve already released the Tumbleweed VM. But it occurs to me: I won’t do this again. That leads to my question for you. If you distro hop, how do you do it? Let us know in the comments. Then again, current thinking is to have a minimal system and then put everything in its own container anyway.
Again, I beg you, don’t follow my example. This was way too much work and risk. But I’m also crazy enough to relocate /usr.
10″ LEGO Tyre is Practical Nostalgia
If there’s one thing that has come to define the generations after the baby boom, it’s probably nostalgia. It’s heavily marketed and weaponized by the market: yearning for better, simpler times seems to be a core thread of the consumer economy these days. [Makerneer] combined his xilennial love of LEGO bricks with the flat tires on his log splitter to produce a 10″ TPU tyre will never go flat, and provide a dopamine release every time he sees it.
The tyre is a custom model to fit his particular rims, but he does provide STEP and F3D files if you’d like to try modifing it for your own purpose — they’re at Step 6 of the Instructable. Props to [Makerneer] for truly open-sourcing the design instead of just tossing STL files online. His build log also takes the time to point out the ways he had to modify the LEGO tyre profile to make it amenable to 3D printing: notably chamfering some of the tread pattern to eliminate bridging, which is a bit of a no-no with TPU.
As you can see in the (unfortunately vertical) demo video below, it’s a bit quite a bit squishier than a regular run-flat tyre, but that was part of [Makerneer]’s design goal. He didn’t like how rigid the non-pneumatic tyres he’d tried were, so endevoured to design something himself; the whole LEGO thing was just for fun. If you wanted to replicate this tyre with a bit less skoosh, you need only tune the infill on your print.
While only time will tell how long this LEGO-inspired add-on will continue adding whimsy to [Makerneer]’s log-splitting, we have tests to show it will outperform any other plastic he might have printed. This project is probably more practical than a 3D printed bicycle tyre, which doesn’t even have the side benefit of whimsy.
youtube.com/embed/_iNaEs9MEEw?…
Two Decades Of Hackaday In Words
I think most of us who make or build things have a thing we are known for making. Where it’s football robots, radios, guitars, cameras, or inflatable textile sculptures, we all have the thing we do. For me that’s over the years been various things but has recently been camera hacking, however there’s another thing I do that’s not so obvious. For the last twenty years, I’ve been interested in computational language analysis. There’s so much that a large body of text can reveal without a single piece of AI being involved, and in pursuing that I’ve created for myself a succession of corpus analysis engines. This month I’ve finally been allowed to try one of them with a corpus of Hackaday articles, and while it’s been a significant amount of work getting everything shipshape, I can now analyse our world over the last couple of decades.
The Burning Question You All Want Answered
A corpus engine is not clever in its own right, instead it will simply give you straightforward statistics in return for the queries you give it. But the thing that keeps me coming back for more is that those answers can sometimes surprise you. In short, it’s a machine for telling you things you didn’t know. To start off, it’s time to settle a Hackaday trope of many years’ standing. Do we write too much about Arduino projects? Into the engine goes “arduino”, and for comparison also “raspberry”, for the Raspberry Pi.
What comes out is a potted history of experimenter’s development boards, with the graph showing the launch date and subsequent popularity of each. We’re guessing that the Hackaday Arduino trope has its origins in 2011 when the Italian board peaked, while we see a succession of peaks following the launch of the Pi in 2012. I think we are seeing renewals of interest after the launch of the Pi 3 and Pi 4, respectively. Perhaps the most interesting part of the graph comes on the right as we see both boards tail off after 2020, and if I had to hazard a guess as to why I would cite the rise of the many cheap dev boards from China.
The Perils Of The Corpus Maintainer
The astute among you might wonder why the figures on the graph above are not higher, because surely we have featured more Arduino or Raspberry Pi projects than that. And here we touch on a problem faced by anyone working with data. It comes down to this: are we looking at spotting the trends from the data, or absolute figures? When I built this corpus, I had to make two choices, one over how much I was allowed to stress Hackaday’s infrastructure, and the other in how much computing power and physical storage space I was prepared to give the project on my bench. I lack a computing cloud for my work, instead I have to rely on silicon and spinning rust I own, and to that there’s a finite limit.
Thus in building this corpus I reasoned that the more important words pertaining to each story would be nearer the start, and restricted myself to the title and first paragraph of each Hackaday piece, or about a hundred words. It’s definitely enough for trend analysis, but for obvious reasons if the word you are looking for is way down in the third or fourth paragraph, you’ll be disappointed. Furthermore if this technique angers you, don’t look too closely at how your oscilloscope samples higher frequency waveforms.
World Events Playing Out On Our 3D Printers
Do you remember the period in which governments were in a panic about not having enough ventilators? We had quite a few stories on the subject at the time, and they appear in the corpus. Fortunately it was pretty soon understood that home made ventilators would be dangerous so we were right to be cautious covering such projects.
Language Evolving Before Our Very Eyes
When I started on my corpus software projects, I was interested in the relationships between words because I had spent a while working in the search engine business. Later on I became interested in using the same techniques to spot trends in news content which is what has sustained my interest, but there’s another use for these techniques.
In the dictionary business, lexicographers use corpus engines to track developments in language, and we can see that in action in Hackaday too. When did you first hear the term “Retrocomputer”? We’ve all been fooling around with old computers for years now, but in our corpus it first appeared in 2012. Since then it’s had a few ups and downs, but it remains on an upward trajectory. For the graph I combined all the various forms of the word, “retrocomputer”, “retrocomputing”, and so on.
So What’s Under The Hood?
Computers are not clever in themselves, they are merely very good at repetitively doing something you tell them to, for many hours without complaint. In this case, my computer is analysing and indexing a large body of text, and the way I’m doing it was arrived at over quite a few iterations. It’s a product of the hardware I had when i started work on it, an Intel Core laptop which was quite flashy for the mid-2000s, and then later a pair of always-on Raspberry Pi boards with USB hard drives. My problem was that if I tried to use any of the available databases to store my index they would quickly become unusable due to its immense size, so I arrived at a technique using flat files instead.
You can run a version of my software yourself, it can be found in my GitHub repository. The processing script takes the text and splits it into sentences and words, then stores frequency and collocate data as a huge tree of small JSON files on a hard disk volume, the reasoning being that the filesystem is an extremely fast way to retrieve data categorised by directory and filename.
The version I’ve used only deals in single word phrases, but other versions have extended the directory tree based index to support multi-word phrases. You can also plumb in a part-of-speech tagger if you wish. The result is a fully functional corpus engine that can run on an original Raspberry Pi 1, not bad considering that it can mine multi-million-word corpora in an instant. Mine has the task of continually updating a corpus of news data, allowing me to watch events unfold in real time.
Now. Over To You
I have spent a lot of time over the last month getting the Hackaday corpus together and ready for analysis, and then more time gathering the data for and writing this story. I’ve only been able to show you a small amount of what’s in this trove of data, so perhaps there are trends you’d like to see explored. Use the comments below to request, and maybe I can show them in a follow-up.
Mini Laptop Needs Custom Kernel
These days, you rarely have to build your own Linux kernel. You just take what your distribution ships, and it usually works just fine. However, [Andrei] became enamored with a friend’s cyberdeck and decided that he’d prefer to travel with a very small laptop. The problem is, it didn’t work well with a stock kernel. So, time to build the kernel again.
Of course, he tried to simply install Linux. The installer showed a blank screen. You might guess that you need to add ‘nomodeset’ to the kernel options. But the screen was still a bit wacky. [Andrei] likens troubleshooting problems like this to peeling an onion. There are many layers to peel back, and you are probably going to shed some tears.
He did turn to ChatGPT for some help, but found there were many hallucinations, so it was sometimes helpful and sometimes not. What follows is a detective story with many twists and turns.
He finally decided he needed a custom kernel and had to learn the steps. If you haven’t done it, it really isn’t that hard. If you are trying to get “close” to another existing kernel, you can read /proc/config.gz to get a list of how the person who built your kernel set it up (even if that someone was you).
The custom kernel worked. Sort of. The screen finally turned on, but it was rotated 90 degrees. Not too convenient. A few more options paid off. Along the way, he mentions a few common debugging procedures, like divide and conquer or testing kernels on a virtual machine before moving to real hardware.
The culprit turned out to be an errant video module. But… there was still no sound or touchpad. That caused even more detective work that uncovered some confusing documentation. At the end, he has a mostly working machine, although he didn’t have sleep mode, and the machine tends to run hot. He’s ok with that. We often find that we have similar problems with things like orientation sensors, although the situation is improving.
Of course, building the kernel is a far cry from writing new code for it. If you want to get your feet wet, maybe start with an old version. You can even find some automation scripts that help you get straight to debugging your code.
youtube.com/embed/6iqRg_rB6lQ?…
Vulnerabilità critica in GoAnywhere MFT di Fortra: CVE-2025-10035
I ricercatori di WatchTowr Labs hanno segnalato attacchi attivi a una vulnerabilità di elevata gravità nel sistema di gestione del trasferimento file GoAnywhere MFT di Fortra. Il problema, identificato come CVE-2025-10035, è un errore di deserializzazione nel componente License Servlet che consente l’iniezione di comandi non autenticati. Lo sfruttamento richiede una risposta di licenza contraffatta con una firma valida.
Fortra ha informato i propri clienti dell’interruzione il 18 settembre, ma ne è venuta a conoscenza circa una settimana prima e non ha specificato come avesse ricevuto l’informazione o se fosse già a conoscenza dell’exploit.
Nel frattempo, un rapporto di WatchTowr cita “conferme attendibili” di attacchi a partire dal 10 settembre, otto giorni prima della pubblicazione dell’avviso ufficiale. Per questo motivo, i ricercatori hanno sollecitato un cambiamento nella valutazione del rischio e il riconoscimento del fatto che gli aggressori spesso sfruttano i bug molto prima che vengano emessi gli avvisi di sicurezza.
L’analisi delle tracce di hacking ha rivelato che, dopo aver sfruttato la vulnerabilità, gli aggressori hanno eseguito comandi sul server senza autorizzazione, creato un account amministratore nascosto chiamato “admin-go” e lo hanno utilizzato per creare un utente web con diritti di accesso legittimi.
Questo utente ha quindi scaricato e avviato componenti aggiuntivi. Tra i file scoperti c’erano “zato_be.exe” e “jwunst.exe”. Quest’ultimo è un binario legittimo per il programma di amministrazione remota SimpleHelp, ma in questo caso è stato utilizzato per il controllo persistente sui sistemi infetti.
Gli aggressori hanno anche eseguito il comando “whoami/groups”, salvando i risultati in un file chiamato test.txt per una successiva trasmissione. Ciò ha permesso loro di determinare i privilegi dell’utente corrente e di mappare i percorsi all’interno dell’infrastruttura.
Al momento della pubblicazione, Fortra non aveva ancora commentato i risultati di WatchTowr. Il fornitore ha rilasciato correzioni nella versione corrente 7.8.4 e nel ramo di supporto 7.6.3. Si consiglia vivamente agli specialisti di aggiornare i propri sistemi e, come misura temporanea, di limitare l’accesso a Internet alla console di amministrazione. Inoltre, lo sviluppatore consiglia di controllare i log per individuare eventuali errori contenenti la stringa “SignedObject.getObject”, che potrebbe indicare tentativi di exploit.
L'articolo Vulnerabilità critica in GoAnywhere MFT di Fortra: CVE-2025-10035 proviene da il blog della sicurezza informatica.
Laureati in informatica senza futuro! Migliaia di CV ignorati e addio stipendio a 6 cifre
Nel mercato del lavoro IT si stanno verificando tendenze allarmanti. Sempre più laureati in informatica non riescono a trovare lavoro, nemmeno con il salario minimo.
Un tempo, una laurea in informatica era considerata un lasciapassare per una carriera ben retribuita con prospettive di rapida ascesa. Ma i licenziamenti di massa nelle principali aziende tecnologiche, insieme all’introduzione di nuovi strumenti che eliminano la necessità di conoscenze tecniche approfondite, hanno cambiato radicalmente le regole del gioco.
Le storie dei giovani professionisti sono demoralizzanti. Un laureato dell’Università dell’Oregon ha dichiarato di aver inviato quasi seimila curriculum e di aver sostenuto tredici colloqui in due anni, senza mai ricevere una sola offerta. È stato persino rifiutato da una catena di fast food perché non aveva “l’esperienza richiesta“.
Alcuni hanno affermato di aver fatto domanda per centinaia, e in diversi casi migliaia, di posizioni lavorative nel settore tecnologico presso aziende, organizzazioni non profit ed enti governativi. Ma molti laureati in informatica hanno affermato che la loro ricerca di lavoro, durata mesi, si è spesso conclusa con una profonda delusione o, peggio, con aziende che li hanno abbandonati.
Zach Taylor ha dichiarato al New York Times che, da quando si è laureato nel 2023 in informatica presso l’Oregon State University, ha presentato domanda per quasi 6.000 posizioni lavorative nel settore tecnologico, ed è stata una delle “esperienze più demoralizzanti che abbia mai dovuto affrontare”.
Taylor non è l’unica. Secondo il sito indipendente di monitoraggio dei licenziamenti Layoffs.fyi, nel 2024 sono stati licenziati oltre 150.000 dipendenti del settore tecnologico in 551 aziende tecnologiche. Al momento della stesura di questo articolo, nel 2025 erano stati licenziati 88.964 dipendenti del settore tecnologico in 199 aziende tecnologiche.
In questo contesto, molti studenti e giovani professionisti stanno iniziando a mettere in discussione la professione scelta. Secondo i sondaggi, un terzo dei laureati ritiene che la propria formazione sia stata uno spreco di denaro e metà della Generazione Z si pente della specializzazione scelta.
Grandi aziende tecnologiche come Amazon, Google, Meta, Lenovo e Intel hanno licenziato una parte considerevole della loro forza lavoro nel 2024, e i licenziamenti continueranno anche nel 2025. Microsoft, ad esempio, ha annunciato a luglio che taglierà altri 9.000 dipendenti dopo una
serie di licenziamenti avvenuti all’inizio di quest’anno.
Sebbene l’idea alla base dell’intelligenza artificiale fosse quella di automatizzare le attività manuali e aiutare i lavoratori a concentrarsi su attività a maggior valore aggiunto, alcuni lavoratori temono che li sostituirà completamente, e questo sta già accadendo.
Tuttavia, gli esperti sottolineano che la domanda di specialisti non scomparirà del tutto.
Nei prossimi anni, saranno richiesti esperti in sicurezza informatica, tecnologie cloud e analisi dei dati. Inoltre, il mercato attribuisce sempre più importanza non solo al diploma, ma anche alle competenze pratiche, comprovate da corsi, tirocini e progetti pratici.
Mentre i laureati si chiedono se l’era degli stipendi a sei cifre nel settore IT sia finita, il mercato del lavoro si sta ristrutturando e nuove regole impongono ai professionisti di essere molto più flessibili e disposti ad apprendere nel corso della loro vita.
L'articolo Laureati in informatica senza futuro! Migliaia di CV ignorati e addio stipendio a 6 cifre proviene da il blog della sicurezza informatica.
Gli USA vogliono hackerare Telegram! Il caso che fa discutere di privacy e giurisdizione
Il Dipartimento di Giustizia degli Stati Uniti ha ricevuto l’autorizzazione del tribunale per condurre un’ispezione a distanza dei server di Telegram nell’ambito di un’indagine sullo sfruttamento minorile. La mozione del pubblico ministero ha affermato che questa misura era necessaria a causa del rifiuto dell’azienda di collaborare con le forze dell’ordine e di rispondere alle indagini ufficiali.
Il giudice ha concesso l’autorizzazione all’utilizzo di una tecnica di accesso remoto specializzata che consente di inviare una serie di richieste ai server di Telegram. Queste richieste costringono il sistema a restituire informazioni sull’account di destinazione, inclusi messaggi e dati associati.
La decisione è stata riportata da CourtWatch, citando documenti del tribunale; tuttavia, i link diretti non sono stati inclusi nella notizia perché i documenti contengono informazioni personali identificabili.
Secondo il documento, le informazioni scaricate devono essere archiviate sul dispositivo dell’investigatore all’interno della giurisdizione in cui si svolge il processo.
È stato inoltre sottolineato che non saranno effettuati ulteriori tentativi di accesso all’account senza un’ordinanza separata del tribunale. Pertanto, si tratta di un accesso remoto una tantum all’infrastruttura di Telegram allo scopo di scaricare la corrispondenza e altro materiale necessario per il caso.
Questo caso è un esempio lampante di come le autorità statunitensi utilizzino l’accesso diretto a server stranieri per ovviare alla mancanza di collaborazione dell’azienda.
Tali azioni stanno accendendo il dibattito sulla portata dell’autorità delle agenzie di intelligence, sulla giurisdizione transfrontaliera e sulle implicazioni per gli utenti di app di messaggistica che si dichiarano immuni al controllo esterno.
L'articolo Gli USA vogliono hackerare Telegram! Il caso che fa discutere di privacy e giurisdizione proviene da il blog della sicurezza informatica.
Mentre Windows 10 va in pensione Windows 7 raddoppia le installazioni in due mesi
Windows 7 è stato uno tra i migliori sistemi operativi di casa Microsoft, e moltissimi ne decantano ancora oggi le doti di stabilità. Ma Microsoft ha interrotto il supporto di questo prodigio dei sistemi operativi da gennaio 2020.
Secondo le statistiche di Statcounter aggiornate a settembre 2025, il sistema operativo Windows 7, da tempo fuori produzione, ha raddoppiato la sua quota di mercato tra i sistemi operativi Microsoft negli ultimi due mesi.
Nel frattempo, la quota di mercato di Windows 11 è cresciuta notevolmente, trainata dai nuovi acquisti di PC e dalle migrazioni dal precedente Windows 10, il cui supporto terminerà a ottobre 2025.
Secondo StatCounter, la quota di mercato globale di Windows 11 ha superato quella di Windows 10 nel luglio 2025. A settembre, la sua quota di utilizzo era del 50,74%, rispetto al 43,09% di Windows 10.
Illustrazione: Statcounter
Lanciato nel 2009, Windows 7 ha mantenuto la sua quota di mercato per gran parte dell’anno, fino ad agosto. Il suo utilizzo è cresciuto dal 2,02% di luglio al 3,59% di agosto. E a settembre aveva raggiunto un “rivoluzionario” 5,2%.
Naturalmente, questo non significa che gli utenti di Windows 10 stiano passando in massa a Windows 7 invece di aggiornare a Windows 11. Qualunque siano i fattori che determinano l’aumento di popolarità di Windows 7, i numeri sono impressionanti, soprattutto considerando che Microsoft ha interrotto il supporto per il sistema operativo a gennaio 2020.
L'articolo Mentre Windows 10 va in pensione Windows 7 raddoppia le installazioni in due mesi proviene da il blog della sicurezza informatica.
Neues Polizeigesetz in Berlin: „Abkehr von der grundrechtsfreundlichen Politik“
netzpolitik.org/2025/neues-pol…
Neues Polizeigesetz: Berliner Senat will Verhaltenscanner gegen Bevölkerung einsetzen
netzpolitik.org/2025/neues-pol…
Bundes-Klinik-Atlas: „Es muss immer um die bestmögliche Versorgung von Patienten gehen“
netzpolitik.org/2025/bundes-kl…
adenglobalcdsas
in reply to Cybersecurity & cyberwarfare • • •We are looking for someone who can invest 45,000 US dollars in our company.
We are looking for an investor who can lend 45,000 US dollars to our company.
We are looking for an investor who can invest 45,000 US dollars in our company.
With this budget, we will produce our own uniquely designed furniture through our contracted manufacturers and offer them to the global market. By producing in bulk (wholesale), we will significantly reduce production costs and be able to sell high-quality, durable, and aesthetically pleasing furniture at affordable prices.
With the budget of 45,000 US dollars you will invest in our company, we will produce our own designed furniture and sell it in the global market.
With the money you lend, we will have the company we have agreed on produce quality furniture for a certain amount of money and sell it on the international market.
Since our furniture will be produced wholesale, we will provide a cost advantage and will be offered to customers at affordable prices.
In short, we will be able to sell quality, beautiful-looking, comfortable furniture to people at affordable prices.
Since the furniture we produce will be made of cheap and high-quality materials, people will want to buy it quickly.
You know that furniture is a type of profession that has been very profitable for years and will provide us with a large profit in a short time.
Thanks to our experience in advertising, we will expand into international markets and make quick profits.
Because our advertising network is strong, we will be able to acquire a customer base from many countries in a short time.
This means that within this project, your money will grow more than fivefold in a short period, providing you with a high and guaranteed profit.
💼 Your Profit:
You will provide a loan of 45,000 US dollars to our company. We will invest these funds in our furniture business, grow the investment, and return a total of 250,000 US dollars to you by March 22, 2026.
You will invest 45,000 US dollars in our company. When 22.03.2026 comes, I will return your money as 250,000 US dollars.
In short, you will receive back the 45,000 US dollars you lent to our company as 250,000 US dollars, and we will give you back your money in an increased amount.
We will contact you on March 22, 2026, and refund your winnings of 250,000 US dollars.
To learn how to lend 45,000 US dollars to our company and to get detailed information about our educational project, send a message to my Telegram username below.
To learn how you can invest 45,000 US dollars in our company and how you can participate in our furniture project, send a message to my Telegram username below and I will give you detailed information.
To learn how you can multiply your money by investing 45,000 US dollars in our company and to get detailed information about our furniture project, send a message to my Telegram username below.
To learn how you can lend 45,000 US dollars to our company and increase your money by participating in our furniture project, send a message to my Telegram username below and all detailed information will be given to you.
Turn your capital into opportunity! Our company is seeking a 45,000 USD investment to expand our innovative furniture project. Join us and discover how your money can grow while supporting a global venture. For full details, message us on Telegram at the username below.
For detailed information and to learn how you can participate in our furniture project, send a message to my Telegram username below and I will give you detailed information.
My telegram username:
@adenholding