A QSL Card from Radio Moscow probably got many 14-year-olds on government watch lists. (Public domain)
Between World War II and Y2K, shortwave listening was quite an education. With a simple receiver, you could listen to the world. Some of it, of course, was entertainment, and much of it was propaganda of one sort or another. But you could learn a lot. Kids with shortwave radios always did great in geography. Getting the news from a different perspective is often illuminating, too. Learning about other cultures and people in such a direct way is priceless. Getting a QSL card in the mail from a faraway land seemed very exciting back then.

Today, the shortwave landscape is a mere shadow of itself. According to a Wikipedia page, there are 235 active shortwave broadcasters from a list of 414, so nearly half are defunct. Not only are there many “dead” shortwave outlets, but many of the ones that are left are either not aimed at the world market or serve a niche group of listeners.

You can argue that with the Internet, you don’t need radio, and that’s probably correct in some ways but misses a few important points. Indeed, many broadcasters still exist as streaming stations or a mix of radio and streaming. I have to admit I listen to the BBC often but rarely on the air. My computer or phone plays it in crystal clarity 24 hours a day.
A future Hackaday author in front of an Eico shortwave radio
So, while a 14-year-old in 1975 might be hunched over a radio wearing headphones, straining to hear NHK World Radio, these days, they are likely surfing the popular social media site of the week. You could easily argue that content on YouTube, Instagram, and the like can come from all over the world, so what’s the problem?

The problem is information overload. Faced with a shortwave radio, there were a limited number of options available. What’s more, only a small part of the band might be “open” at any given time. It isn’t like the radio could play games or — unless you were a ham — allow you to chat with your friends. So you found radio stations from Germany to South Africa. From China and Russia, to Canada and Mexico. You knew the capital of Albania. You learned a little Dutch from Radio Nederlands.

Is there an answer? Probably not. Radio isn’t coming back, barring an apocalyptic event. Sure, you can listen to the BBC on your computer, but you probably won’t. You can even listen to a radio over the network, but that isn’t going to draw in people who aren’t already interested in radio, even if it really looks like a radio.

If you made a website with radio stations of the world, would people use it? Something like a software version of this globe or a “world service” version of RadioGarden. Probably not.

Do you listen to shortwave radio? If so, what are you listening to? Do you listen to “world services” at all? Tell us in the comments. Many careers were launched by finding a shortwave radio under the Christmas tree at just the right age. When Internet access is compromised, there’s still no substitute for real radios. If you want to listen to some of those vintage programs, they are — unsurprisingly — on the Internet.

This week on the Podcast, it’s Kristina’s turn to bloviate alongside Editor-in-Chief Elliot Williams. First up in the news: our fresh new contest has drawn three entries already! That’s right, the 2024 Tiny Games Challenge is underway. You have until September 10th to show us your best tiny game, whether that means tiny hardware, tiny code, or a tiny BOM.

Then it’s on to What’s That Sound, which sounded familiar to Kristina, but she couldn’t place it. Can you get it? Can you figure it out? Can you guess what’s making that sound? If you can, and your number comes up, you get a special Hackaday Podcast t-shirt.

Then it’s on to the hacks, beginning with a hack to print metal and a way to weld wood, along with a photo-resistor-based, single-pixel camera. We’ll talk desiccants carbon fiber, and Baron Harkonnen. Finally, we discuss the troubles of keeping hygroscopic materials from degrading, and have a klatch about Keebin’ with Kristina.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

Download and savor at your leisure.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 281 Show Notes:

News:

• Show Us Your Minimalist Games, And Win

What’s that Sound?

• Fill out this form with your best guess, and you might win!

Interesting Hacks of the Week:

• CeraMetal Lets You Print Metal, Cheaply And Easily
  
  • Not Acceptable!
  • Home

  
  

• Mechanical Keyboard + Laptop = Clacktop
• Sealed Packs Of Pokémon Cards Give Up Their Secrets Without Opening Them
  
  • 2000-Year Old Charred Manuscripts Reveal Their Secrets
  • Vesuvius Challenge 2023 Grand Prize Awarded And 2024’s New Challenge

  
  

• Welding Wood Is As Simple As Rubbing Two Sticks Together
  
  • This Laser-Cut One-Piece Wedge Tenon Locks Wood Joints Tight

  
  

• Photoresistor-based Single Pixel Camera
  
  • A Single Pixel Digital Camera With Arduino
  • A Very Modern Flying Spot Scanner
  • You Can Use LEDs As Sensors, Too

  
  

• Desiccants, Tested Side By Side

Quick Hacks:

• Elliot’s Picks:
  
  • Exploring Cheap Tantalum Caps Of Mysterious Provenance
  • Ask Hackaday: Should We Teach BASIC?
  • Could Carbon Fiber Be The New Asbestos?

  
  

• Kristina’s Picks:
  
  • Robot Seeks And Sucks Up Cigarette Butts, With Its Feet
  • A Throne For LEGO Baron Harkonnen
  • 2024 Tiny Games Challenge: Improving Reaction Time

  
  

Can’t-Miss Articles:

• FDM Filament Troubles: Keeping Hygroscopic Materials From Degrading
• Keebin’ With Kristina: The One With The Key Cap Map

These days, most of our microcontroller boards come with bootloaders so you can squirt hex into them straight over USB. However, you don’t need to do things this way. If you’re more old school, you can program your AVRs right from a Commodore 64. [Linus Akesson] shows us how.

Programming an AVR isn’t that hard. By holding the chip in reset, it’s possible to flash code via a serial protocol using just three wires. However, that’s pretty impractical to do with modern PCs — they don’t come with addressable IO pins anymore. Normally, you’d use a dedicated programmer to do the job, but [Linus] found his had died on a Friday night. So he set about turning his C64 into one instead.

He decided to use the pins of the C64’s Joystick Port 2, with pins 1, 2, 3, and 4 hooked up to SCK, MOSI, Reset, and MISO on the AVR, respectively. 5 V and Ground were also provided courtesy of the C64’s port. He then whipped up a simple bit of assembly code to read a bit of AVR hex and spit it out over the Joystick port following the in-circuit programming protocol. With a 1541 Ultimate to load files on to the C64 in hand, it was easy to pull his compiled AVR program off his modern PC, chuck it on the C64, and then get the old Commodore to program the AVR in turn.

It’s not the first time [Linus] has wowed us with a C64 in hand. If you’ve got your own fresh projects for the best-selling computer of all time, don’t hesitate to let us know!

Il 26 luglio 2024, il gruppo ransomware Ransomexx ha pubblicamente rivendicato un attacco contro Liteon, un colosso nel settore dei componenti elettronici. Questo attacco è un’ulteriore testimonianza della crescente minaccia rappresentata dai cybercriminali per le grandi aziende. Di seguito, esaminiamo i dettagli dell’attacco, le sue conseguenze e le misure che le aziende possono adottare per difendersi da simili minacce.

Chi è Liteon?

Liteon Technology Corporation (liteon.com/), con sede a Taiwan, è un leader mondiale nella produzione di una vasta gamma di componenti elettronici. Fondata nel 1975, Liteon è specializzata nello sviluppo e nella produzione di dispositivi optoelettronici, dispositivi di archiviazione e altri componenti elettronici. Tra i suoi prodotti principali ci sono soluzioni di illuminazione LED, semiconduttori, elettronica per l’automotive e dispositivi per la salute. Liteon è rinomata per la sua innovazione e il suo impegno verso la sostenibilità, fornendo soluzioni tecnologiche di alta qualità ai clienti globali.

Dettagli dell’Attacco

L’attacco a Liteon è avvenuto il 26 luglio 2024, quando Ransomexx ha rivendicato la responsabilità dell’infiltrazione nei sistemi aziendali e la successiva criptazione di dati critici.

Sul loro sito web, Ransomexx ha pubblicato dettagli riguardanti l’attacco, inclusa la dimensione dei dati trafugati, pari a 142GB. Inoltre, il gruppo ha minacciato di divulgare informazioni sensibili a meno che Liteon non paghi un riscatto.

Al momento, non possiamo confermare con precisione la veridicità della violazione, poiché l’organizzazione non ha ancora rilasciato alcun comunicato stampa ufficiale sul proprio sito web riguardo l’incidente. Tuttavia, se confermata, la fuga di dati potrebbe includere informazioni sensibili sui clienti, dettagli interni sui progetti in corso e altri dati critici.

Conclusione

L’attacco ransomware di Ransomexx contro Liteon è un chiaro monito della vulnerabilità delle aziende moderne ai cyberattacchi. Questo evento evidenzia la necessità di rafforzare le difese cibernetiche e di essere preparati a rispondere a tali minacce. Solo attraverso un approccio integrato e collaborativo alla sicurezza informatica le aziende possono proteggere i loro dati e mantenere la fiducia dei loro clienti.

Come nostra consuetudine, lasciamo sempre spazio ad una dichiarazione da parte dell’azienda qualora voglia darci degli aggiornamenti sulla vicenda. Saremo lieti di pubblicare tali informazioni con uno specifico articolo dando risalto alla questione.

RHC monitorerà l’evoluzione della vicenda in modo da pubblicare ulteriori news sul blog, qualora ci fossero novità sostanziali. Qualora ci siano persone informate sui fatti che volessero fornire informazioni in modo anonimo possono utilizzare la mail crittografata del whistleblower.

L'articolo Il Gruppo Ransomware Ransomexx Rivendica l’Attacco al Colosso Liteon proviene da il blog della sicurezza informatica.

First up this week is the story of EvilVideo, a clever telegram exploit that disguises an APK as a video file. The earliest record we have of this exploit is on June 6th when it was advertised on a hacking forum.

Researchers at ESET discovered a demo of the exploit, and were able to disclose it to Telegram on June 26th. It was finally patched on July 11. While it was advertised as a “one-click” exploit, that’s being a bit generous, as the ESET demo video shows. But it was a clever exploit. The central trick is that an APK file can be sent in a Telegram chat, and it displays what looks like a video preview. Tap the “video” file to watch it, and Telegram prompts you to play it with an external player. But it turns out the external player in this case is Android itself, which prompts the target to install the APK. Sneaky.

youtube.com/embed/8mdW3MWoeFI?…

Traffic Control

We briefly covered this story a couple months ago, focusing on how bad of an idea it is to threaten a good faith researcher with legal action. Well the details of this traffic controller hack are available, and it’s about what you’d expect. Part one is all about getting the hardware and finding a trivial security bypass. The “web security” tab in the user interface seems to be an iframe, and navigating directly to that iframe address simply doesn’t trigger a login prompt. That’s the issue that [Andrew Lemon] first disclosed to Q-Free, leading to the legal nastygram.

Well now we have part two of that research, and spoilers: it doesn’t get any better. A couple false starts led [Andrew] to a desperation move. He had a new box to test and no login for it, so he started at the basics with the Burp proxy. And lo and behold, in the request was an odd string. 1.3.6.1.4.1.1206.3.36.1.6.10.1*IDO_0=2&

That is an Object IDentifier (OID) for the Simple Network Management Protocol (SNMP). These things use a version of SNMP known as National Transportation Communications for Intelligent Transportation System Protocol, or NTCIP. And this device not only uses that protocol, it seems to do so without authentication. Among the fields that are readable and writable without auth are the system username and system password. No hashing in sight. Now we can only hope that this is ancient hardware that isn’t in use any longer, or at least no longer connected to the Internet. And we’ll also hope that vendors like Q-Free have learned their lessons since this software was written. Though given their response to the vulnerability disclosure, we’re not holding our breaths.

The Rest of the Crowdstrike Story

You may have noticed a bit of weirdness around the world last Friday. Early in the morning of the 18th, Croudstrike pushed a rapid response content update to their Falcon antivirus platform. Rapid Response data does get tested, but does not get a staged roll out. And in this case, a bug in the testing platform led to the invalid file being pushed out, and because the rollout was not staged, it went everywhere all at once.

This bogus configuration data triggered an out-of-bounds memory read in the Falcon kernel driver, leading to system crashes. The particularly bitter context is that Crowdstrike had done the same thing to Linux machines a few months earlier. It’s beginning to seem that antivirus kernel drivers are a bad idea.

Microsoft has made it clear that this wasn’t a Microsoft incident. And the little known fact is that Microsoft tried to put an end to antivirus kernel drivers years ago, and was blocked by government regulators. And why didn’t Windows offer to boot without the crashing driver? The Crowdstrike kernel driver marks itself as a boot-start driver. The one ray of hope is that it’s possible for the system to stay up just long enough for Crowdstrike to pull an update before the system crash. It only takes something like 15 reboots.

youtube.com/embed/ZHrayP-Y71Q?…

This time it was Microsoft

There was, apparently, another Blue Screen crash this month. The July Patch Tuesday update dropped some computers into the BitLocker recovery screen, which just happens to be that same shade of blue. It’s not yet clear what about this set of fixes triggered the problem, but it seems that getting the recovery key does get these machines running again.

LetsKill OCSP

Let’s Encrypt surprised a few of us by announcing the end of OCSP this week. The Online Certificate Status Protocol is used to query whether a given certificate is still valid. One of the problems with that protocol is that it requests status updates per DNS address, effectively sending a running browsing history over the Internet. There’s a technical issue, in that the attacks that OCSP is designed to defend against also place the attacker in a position to block OCSP requests, and clients will silently ignore OCSP requests that time out.

The replacement is the Certificate Revocation List (CRL), which is a simple list of revoked certificates. The problem is that those lists can be huge. Mozilla and Google have rolled out a clever solution, that uses data compression and aggressive optimization to handle those CRLs like any other browser update. And hence, OCSP is destined to go away.

InSecure Boot

Binarly is sounding the alarm on Secure Boot. The biggest problem is that at least five device manufacturer used demo keys in production. The master key predictably leaked, and as a result about 200 devices have broken secure boot protections. That key is labeled DO NOT TRUST - AMI Test PK? Perfect, ship it!

Bits and Bytes

Docker Engine had a nasty regression, where a flaw fixed in 2019 wasn’t properly forward-ported to later versions. CVE-2024-41110 is a CVSS 10.0 issue, where an API call with Content-Length of 0 is forwarded without any authentication.

An interesting bug was just fixed in curl, where a TLS certificate could trigger the curl ASN.1 parser to fail and return an error. When it did this, the function in question can call free() on a stack buffer, which is particularly bad idea. This is notable as the curl developers refer to it as a “C mistake (likely to have been avoided had we not been using C)”. Time to add some Rust code to curl?

And finally, there’s something you should know about Github. Code is forever. This is all working as intended, but can catch you if you’re not aware. Namely, private or deleted commits that are attached to a public repo are still accessible, if you know or guess the short commit hash. This has some important ramifications for cleaning up data leaks, and developing private forks. Knowing is half the battle!

The German government is going on a telecom spending spree with a new telecom law, seemingly against industry stakeholders' views and its own decision to tighten the purse strings.

euractiv.com/section/digital/n…

Le istituzioni sanitarie devono andare oltre la semplice fortificazione della loro sicurezza di base, assicurandosi che le difese informatiche siano adeguate alle minacce di oggi e di domani, per proteggere sia i dati che le vite dei pazienti. Ecco i punti critici da presidiare per prevenire attacchi futuri

L'articolo Cyber sicurezza nella sanità: gli impatti del ransomware e i punti deboli da presidiare proviene da Cyber Security 360.

Il trojan RAT 9002 è stato usato in due diverse campagne e ha colpito anche diverse organizzazioni italiane. Cos'è, come si diffonde e come porvi rimedio

L'articolo RAT 9002 ha preso di mira le aziende italiane (anche governative): come difendersi proviene da Cyber Security 360.

Google ha introdotto nuove funzionalità in Chrome che consentono un’analisi antivirus più approfondita dei file scaricati da Internet, anche degli archivi compressi protetti da password. Migliora la sicurezza online, ma serve un attento bilanciamento con le esigenze di privacy e controllo dei propri dati sensibili

L'articolo Chrome migliora la sicurezza online analizzando anche i file protetti da password proviene da Cyber Security 360.

Dall’Irlanda e dall’Olanda i due progetti finalisti, scelti durante la sessione europea (svoltasi nei giorni scorsi a Roma) della competizione globale Tech4Good all’insegna della sostenibilità

L'articolo Huawei EU Seeds for the Future 2024: dopo Roma, si va in Cina proviene da Cyber Security 360.

Un proxy è un server che agisce come intermediario tra il dispositivo dell'utente e Internet e consente di monitorare, filtrare e gestire il traffico in entrata e in uscita, migliorando significativamente la sicurezza dei nostri sistemi informatici. Ecco le regole per una corretta implementazione

L'articolo Proxy: cosa sono e come utilizzarli per difendersi dai malware proviene da Cyber Security 360.

L’EDPB ha pubblicato le FAQ sul Data Privacy Framework utili alle organizzazioni europee che debbano trasferire dati personali a società USA. Ecco i passaggi fondamentali in relazione agli adempimenti preventivi al trasferimento stesso

L'articolo Data Privacy Framework: nelle FAQ dell’EDPB gli obblighi delle organizzazioni europee proviene da Cyber Security 360.

Il crash globale dei sistemi Windows è una chiara lezione per aziende e governi sulla necessità di sviluppare soluzioni che aumentino la resilienza della rete globale mitigando la vulnerabilità di un’architettura monolitica con single points of failure significativi. Facciamo chiarezza

L'articolo Il caso CrowdStrike e le fragilità della rete interconnessa: i rischi dei single points of failure proviene da Cyber Security 360.

Microsoft ha incolpato l’Unione Europea del blocco mondiale dei sistemi Windows colpiti da un bug nel Falcon Sensor di CrowdStrike. E lo ha fatto sulla base di un accordo del 2009 sull’interoperabile con sistemi di terze parti. Facciamo chiarezza analizzando le conseguenze di una simile azione

L'articolo Disastro CrowdStrike: perché Microsoft accusa la UE e quali le possibili conseguenze proviene da Cyber Security 360.

Nonostante gli sforzi profusi nel rendere migliore la user experience degli utenti online, Google fa sapere di intraprendere “un nuovo percorso per il Privacy Sandbox sul web”, retrocedendo rispetto alla scelta, ambiziosa, di eliminare i famosi cookie di terze parti. Capiamo come e perché

L'articolo Google fa dietrofront sui cookie di terze parti: cosa non ha funzionato e cosa accadrà proviene da Cyber Security 360.

Le organizzazioni possono migliorare significativamente la loro strategia di cyber security adottando un approccio olistico che tenga conto delle differenze chiave e delle considerazioni specifiche delle reti e dei dispositivi OT e IoT e superando i silos culturali tra team InfoSec e OT che spesso hanno priorità diverse

L'articolo Il futuro è connesso, ma è anche sicuro? Le sfide della cyber security OT e IoT proviene da Cyber Security 360.

Uno dei “topoi” della narrativa degli ultimi due secoli è quello di mostrare come le consuetudini sociali siano stupide, ma che tentare di violarle sia ancora più stupido. Un particolare sviluppo di questo tema è quello di raccontare il rapporto tra l’individuo “A”, chiamiamolo “Antisociale“, che si trova ai margini della società a causa di uno stigma più o meno definito e l’individuo “B”…

Source

informapirata

2024-07-26 11:31:46

Beghe nel Fediverso: le polemiche di Uriel Fanelli contro mastodon.uno sono una boiata pazzesca

Ma è anche giusto spiegare perché lo siano

informapirata.it/2024/07/26/pe…

Perché Uriel Fanelli è così divertente? [Spoiler: perché esiste solo on line] - informapirata

Beghe nel Fediverso: le polemiche di Uriel Fanelli contro mastodon.uno sono una boiata pazzesca Ma è anche giusto spiegare perché lo siano…

^{informapirata}