Normally, if you change a file’s extension in Windows, it doesn’t do anything positive. It just makes the file open in the wrong programs that can’t decode what’s inside. However, [PortalRunner] has crafted a file that can behave as six different filetypes, simply by swapping out the extension at the end of the filename.

The basic concept is simple enough. [PortalRunner] simply found a bunch of different file formats that could feasibly be crammed in together into a single file without corrupting each other or confusing software that loads these files.

It all comes down to how file formats work. File extensions are mostly meaningless to the content of a file—they’re just a shorthand guide so an operating system can figure out which program should load them. In fact, most files have headers inside that indicate to software what they are and how their content is formatted. For this reason, you can often rename a .PNG file to .JPEG and it will still load—because the operating system will still fire up an image viewer app, and that app will use headers to understand that it’s actually a PNG and not a JPEG at heart, and process it in the proper way.

[PortalRunner] found a way to merge the headers of various formats, creating a file that could be many different types. The single file contains data for a PNG image, an MP4 video, a PDF document, a ZIP archive, a Powerpoint presentation, and an HTML webpage. The data chunks for each format are lumped into one big file, with the combined headers at the very top. The hijinx required to pull this off put some limitations on what the file can contain, and the files won’t work with all software… but it’s still one file that has six formats inside.

This doesn’t work for every format. You can’t really combine GIF or PNG for example, as each format requires a different initial set of characters that have to be at the very beginning of the file. Other formats aren’t so persnickety, though, and you can combine their headers in a way that mostly works if you do it just right.

If you love diving into the binary specifics of how file formats work, this is a great project to dive into. We’ve seen similarly mind-bending antics from [PortalRunner] before, like when they turned Portal 2 into a webserver. Video after the break.

youtube.com/embed/o7qx-wgl3jo?…

hackaday.com/2025/08/08/one-fi…

Sensitive content Clicca per aprire/chiudere

Dopo che il mio account Instagram è stato bloccato e ne ho creato uno nuovo, ho ricontattato i miei vecchi compagni di scuola e, dopo tanto tempo, ci siamo ritrovati a cena insieme. Il ristorante di barbecue era davvero delizioso.

‘Hearing voices’ doesn’t have to be worrisome, for instance when software-defined radio (SDR) happens to be your hobby. It can take quite some of your time and attention to pull voices from the ether and decode them. Therefore, [theckid] came up with a nifty solution: RadioTranscriptor. It’s a homebrew Python script that captures SDR audio and transcribes it using OpenAI’s Whisper model, running on your GPU if available. It’s lean and geeky, and helps you hear ‘the voice in the noise’ without actively listening to it yourself.

This tool goes beyond the basic listening and recording. RadioTranscriptor combines SDR, voice activity detection (VAD), and deep learning. It resamples 48kHz audio to 16kHz in real time. It keeps a rolling buffer, and only transcribes actual voice detected from the air. It continuously writes to a daily log, so you can comb through yesterday’s signal hauntings while new findings are being logged. It offers GPU support with CUDA, with fallback to CPU.

It sure has its quirks, too: ghost logs, duplicate words – but it’s dead useful and hackable to your liking. Want to change the model, tweak the threshold, add speaker detection: the code is here to fork and extend. And why not go the extra mile, and turn it into art?

hackaday.com/2025/08/08/whispe…

In his regular browsing on AliExpress, [Ben Jeffrey] came across something he didn’t understand—a $5 fiber optic to RF cable TV adapter. It was excessively cheap, and even more mysteriously, this thing didn’t even need power. He had to know how it worked, so he bought one and got down to tinkering with it.
Inside the device in question.
[Ben] needed some hardware to test the device with, so he spent $77 on a RF-to-fiber converter and a cheap composite-to-RF modulator so he could test the $5 fiber-to-RF part. A grand expenditure to explore a $5 device, but a necessary sacrifice for the investigation. Once [Ben] hooked up a fiber optic signal to the converter, he was amazed to see it doing its job properly. It was converting the incoming video stream to RF, and it could readily be tuned in on a TV, where the video appeared clean and true.

It was disassembly that showed how simple these devices really are. Because they’re one-way converters, they simply need to convert a changing light signal into an RF signal. Inside the adapter is a photodiode which picks up the incoming light, and with the aid of a few passives, the current it generates from that light becomes the RF signal fed into the TV. There’s no need for a separate power source—the photodiode effectively works like a solar panel, getting the power from the incoming light itself. The part is ultimately cheap for one reason—there just isn’t that much to it!

It’s a neat look at something you might suspect is complex, but is actually very simple. We’ve explored other weird TV tech before, too, like the way Rediffusion used telephone lines to deliver video content. Video after the break.

hackaday.com/2025/08/08/tearin…

Dear Friend of Press Freedom,

It’s the 136th day that Rümeysa Öztürk is facing deportation by the United States government for writing an op-ed it didn’t like, and the 55th day that Mario Guevara has been imprisoned for covering a protest. Read on for more, and click here to subscribe to our other newsletters.

Paramount’s $36 million babysitter

Paramount and Skydance Media finally completed their merger this week. To get there, Paramount paid $16 million to settle President Donald Trump’s absurdly frivolous lawsuit against CBS News, while Skydance reportedly will chip in $20 million in Trump-friendly PSAs.

So now Trump will leave them alone, right? Of course not. Skydance also committed to Federal Communications Commission chair and Trump bootlicker Brendan Carr to appoint a “bias ombudsman.” Skydance CEO David Ellison assured skeptics that the position will be a “transparency vehicle, not an oversight vehicle.” He promised that “we’re not being overseen by the FCC or anyone else.”

Carr sees it differently. He told The Washington Post’s Jeremy Barr that the FCC is in a “trust but verify posture,” noting that “when you make a filing at the FCC, we have rules and regulations that deal with false representations to the agency.” He added, “I’m confident that we’re going to stay in touch with [Skydance and Paramount] and track this issue.”

It sure sounds like Carr’s leaving the door wide open to threaten regulatory action whenever CBS broadcasts something he doesn’t like. Carr — who intends to monitor bias while wearing the president’s bust as a lapel pin — is the poster child for why the Constitution bars the government from meddling in newsrooms’ editorial decisions. Carr has also said he’s keeping his FCC’s nonsense investigation into CBS open, giving him another cudgel to wield if journalists forget who’s boss. There’s $36 million well spent.

Freedom of the Press Foundation (FPF) Advocacy Director Seth Stern talked more about Carr’s censorial antics and our attorney disciplinary complaint against him on Legal AF’s “Court of History” podcast on the MeidasTouch network. Watch it here.

FPF’s barrage of FOIAs seeks to combat secrecy

Since our Freedom of Information Act request exposed the lies underpinning the Trump administration’s crackdown on leaks to journalists, FPF has filed over 100 more FOIAs to learn how the administration is targeting journalists and stifling dissent.

We put together a list of our top 10 most urgent FOIA requests. Read more here.

How federal law enables retaliation against incarcerated journalists

These days the president of the United States files frivolous lawsuits at an alarming clip, including against news outlets that displease him. He’s far from the only prominent public figure abusing the federal court system in this way.

And yet, Congress has not seen fit to pass a federal “anti-SLAPP” law to stop powerful billionaires and politicians from pursuing strategic lawsuits against public participation. But powerless prisoners? That’s another story. If they want access to the federal courts, they need to navigate the Prison Litigation Reform Act — a maze of onerous procedural requirements.

We hosted a webinar with incarcerated journalist Jeremy Busby and two attorneys from the American Civil Liberties Union, Nina Patel and Corene Kendrick, to hear more about how the law silences journalism. Read and watch here.

Don’t let the leading voice for digital journalists be silenced

For decades, the National Press Photographers Association has protected the rights of news photographers and videographers. But recently, NPPA announced that it faces financial difficulties. We spoke to NPPA’s longtime General Counsel, Mickey Osterreicher, about NPPA’s work and the impact on the First Amendment if it shutters. You can support the NPPA’s programs here.

Privacy policy update

We’ve updated FPF’s privacy policy to include a new payment processor and our use of Fight for the Future’s activism APIs. See the updated policy for details.

What We're Reading

The price of approval: How Paramount sold out the First Amendment for a merger

Protect the Protest
FPF’s Stern spoke to Protect the Protest — a coalition of nonprofit organizations fighting back against Strategic Lawsuits Against Public Participation, of which we are a proud member — about what the Paramount merger means for press freedom.

Ohio reporter’s notebook searched by Secret Service at Vance fundraiser

U.S. Press Freedom Tracker
This is an obvious violation of reporters’ rights. Secret Service members should have basic First Amendment training, especially if they are going to be dispatched in the field.

New York Times responds to Benjamin Netanyahu’s lawsuit threat: “An increasingly common playbook”

Deadline
The government that has killed more journalists than all other countries combined over the last few years shouldn’t be lecturing a newspaper about anything — let alone an obviously true story.

US appeals court upholds SEC ‘gag rule’ over free speech objections

Reuters
An unfortunate decision, but this might be one of the rare instances when this Supreme Court accidentally does some good. We wrote last year about how this rule impacts the press.

Home Depot and Lowe's share data from hundreds of AI cameras with cops

404 Media
First, the Electronic Frontier Foundation filed a public records request that uncovered how Home Depot and Lowe’s are cooperating with cops. Then, 404 Media made the story free thanks to their commitment to dropping paywalls for public records-based reporting.

Govt. website ‘glitch’ removes Trump’s least favorite part of Constitution

Rolling Stone
We’re skeptical of the government’s excuses for deleting habeas corpus from an online copy of the Constitution. Let us guess, the next “glitch” makes the First Amendment disappear?

Law strikes back: Lawyers doing Trump’s bidding targeted where integrity still matters

MSNBC
Rachel Maddow discussed our disciplinary complaint against Carr as an example of using the legal profession’s standards “as a way to stand up and push back against” attacks on the press.

freedom.press/issues/paramount…

Some people just want to have their cake and eat it too, but very few of us ever get to pull it off. [Erich Styger] has, though with V5 of his “MetaMetaClock”— a clock made of clocks, that uses the orientation of the hands to create digits.

We’ve seen previous versions of this clock. As before, the build is exquisitely detailed and all relevant files are on GitHub. This version keeps the acrylic light-pipe hands of version 4, but adds more of them: 60 clocks vs 24. Larger PCBs are used, grouping the dual-shaft steppers into groups of four, instead of the individual PCBs used before. Each PCB has an NXP LPC845 (a Cortex M0 microcontroller) that communicates on an RS-485 bus. Placing four steppers per microcontroller reduces parts count somewhat compared to previous versions (which had each ‘clock’ on its own modular PCB) albeit at the cost of some flexibility.

While the last version used veneers on its face, this version is cut by CNC by from a large slab of oak. It’s certainly the most attractive version yet, and while bigger isn’t always better, more clock faces means more potential effects. Date? Time? Block letters? Arbitrary text? Kaleidoscopic colours from the RGB LEDs? It’s all there, and since it’s open source, anyone who builds one can add more options. A BLE interface makes it quick and easy to wirelessly switch between them or set the time.

It’s nice sometimes to watch projects like this improve incrementally over time. [Erich] mentions that he plans to add Wifi and a web-based user interface for the next version. We look forward to it, and are grateful to [jicasi] for the tip. Just as it is always clock time at Hackaday, so you can always toss a tip of your own into the box.

Eventually [Erich] will have enough clocks for Bad Apple, but this version can do short text strings among many other effects. Check his blog for more demo videos.

hackaday.com/2025/08/08/clock-…

Like many early microcomputers, the Commodore VIC-20 did not come with an interna real-time clock built into the system. [David Hunter] has seen fit to rectify that with an add-on module as his entry to the 2025 One Hertz Challenge.

[David]’s project was inspired by a product that Hayes produced in the 1980s, which provided a serial-port based real-time clock solution for computers that lacked one on board. The heart of the project is an Arduino Uno, which itself uses a Dallas DS3231 RTC module to keep accurate time. [David] then drew from an IEC driver developed by [Lars Pontoppidan] for the MM2IEC project. This enables the Arduino to report the time to the VIC-20 via its IEC port.

The project is a neat way to provide a real-time clock source to programs written in Commodore BASIC. It’s also perfectly compatible with the IEC bus, so it can be daisy chained along with printers and disk drives without issue. [David] hasn’t tested it with a Commodore 64, but he suspects it should work just as well on that platform, too.

If you’ve ever wanted to build something clock-based for the VIC-20 but didn’t know how, this is a great piece of hardware to solve that problem. Meanwhile, you might find joy in reading about real-time clock hacks for other systems like the Raspberry Pi. Meanwhile, if you’re working on your own nifty timekeeping projects, don’t hesitate to let us know!

hackaday.com/2025/08/08/2025-o…

ora avrei bisogno di aiuto..

Mio fratellino (storia lunghissima che racconterò, forse, un'altra volta) è ipovedente.
Purtroppo essendo nato sordo, non parla nemmeno. Grazie agli impianti cocleari sente e capisce quasi tutto, ma non emette suoni.
Grazie alla tecnologia, però, sta imparando a comunicare. Sa leggere e scrivere al computer, anche se solo su nostro input, mai in modo spontaneo.
Usa una tastiera fisica per ipovedenti, con tasti grandi e ad alto contrasto, e la gestisce discretamente bene.
Recentemente ci siamo dotati di una lavagna interattiva per supportare il suo percorso educativo e di sviluppo.
Ho collegato la tastiera alla lavagna, ma non vuole usarla: preferisce stare in piedi e utilizzare quella virtuale direttamente sullo schermo della smart board (o forse semplicemente associa la tastiera fisica al computer... poco importa!).

Problema: la tastiera virtuale dobbiamo ri-attivarla spesso, inserire il CAPS LOCK (sa leggere e scrivere solo in maiuscolo) e con certe app non funziona..
Ecco perché avrei bisogno di una tastiera virtuale — che rimanga sempre visibile, o almeno di facile attivazione, sullo schermo della smart board — ad alto contrasto e con lettere maiuscole. La lavagna è basata su android.

Grazie se qualcuno può aiutarmi

#tastiera #ipovedenti #LavagnaInterattiva #smartboard #AltoContrasto #android #supporto #sordociechi

Elliot and Dan got together this week for a review of the week’s hacking literature, and there was plenty to discuss. We addressed several burning questions, such as why digital microscopes are so terrible, why computer systems seem to have so much trouble with names, and if a thermal receipt printer can cure ADHD.

We looked at a really slick 5-axis printer that COVID created, a temperature-controlled fermentation setup, and a pseudo-Mellotron powered by a very odd tape recorder. We also learned little about designing 3D printed parts with tight tolerances, stepping a PC power supply up to ludicrous level, and explored a trio of unique entries for the One Hertz Challenge.

And for the Can’t Miss section, we looked at what happens to planes when they get hit by lightning (and how they avoid it), and say goodbye to the man who launched a lot of careers by making model kits.

It was also exciting to learn that the first day of Supercon is Halloween, which means a Friday night sci-fi cosplay party. It’s gonna be lit.

html5-player.libsyn.com/embed/…

Download this MP3, full of twisty passages, all alike.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 327 Show Notes:

News:

• Get Your Tickets For Supercon 2025 Now!

What’s that Sound?

• Boom, nailed it
• Congrats to [Dan Maloney] who came up with the right answer at the last second, and of course also to [Wes G]!

Interesting Hacks of the Week:

• Open Source 5-Axis Printer Has Its Own Slicer
  
  • Non-planar Slicing Is For The Birds

  
  

• Why Names Break Systems
• Why Cheap Digital Microscopes Are Pretty Terrible
  
  • Quick And Dirty Microscope Motion Control For Focus Stacking
  • First Days With A New Microscope

  
  

• A DIY Fermenter For Flavorful Brews
• The Tape Speed Keyboard
• Can A Thermal Printer Cure ADHD?

Quick Hacks:

• Elliot’s Picks
  
  • Sparks Fly: Building A 330 KV Supply From A PC PSU
  • A Speed Loader For Your 3D Printer Filament
  • How To Design 3D-Printed Parts With Tolerance In Mind
  • Fire Alarm Disco Party

  
  

• Dan’s Picks:
  
  • 2025 One Hertz Challenge: Blinking An LED The Very Old Fashioned Way
  • 2025 One Hertz Challenge: Shoulda Put A Ring Oscillator On It
  • 2025 One Hertz Challenge: Op-Amp Madness

  
  

Can’t-Miss Articles:

• Farewell Shunsaku Tamiya: The Man Who Gave Us The Best Things To Build
  
  • Thanks, Tamiya-san

  
  

• What Happens When Lightning Strikes A Plane?

hackaday.com/2025/08/08/hackad…

Più o meno una volta al mese, torno a scrivere qualcosa 😁
Le cose stanno iniziando ad andare meglio (non lavorativamente), anche se il mio tempo libero è sempre pochissimo.
Comunque domenica mattina partiamo in vacanza e non vedo l'ora. Abbiamo proprio bisogno di ricaricarci un po'. Andremo in Slovenia 😀

Io, molto a rilento, sto cercando di togliere google e tanto altro schifo dalla mia vita. E questo mi fa sentire bene.

Many decades ago, IBM engineers developed the typeball. This semi-spherical hunk of metal would become the heart of the Selectric typewriter line. [James Brown] has now leveraged that very concept to create a pivoting mouth mechanism for a robot that appears to talk.

What you’re looking at is a plastic ball with lots of different mouth shapes on it. By pivoting the ball to different angles inside the head of a robot, it’s possible to display different mouth shapes on the face. By swapping mouth shapes rapidly in concert with recorded speech, it’s possible to make the robot appear to be speaking. We don’t get a great look at the mechanism that operates the ball, but Selectric typeball operation is well documented elsewhere if you seek to recreate the idea yourself.

The real benefit of this mechanism is speed. It might not look as fluid as some robots with manually-articulated flexible mouths, but the rapid mouth transitions really help sell the effect because they match the pace of speech. [James] demonstrated the finished product on Mastodon, and it looks great in action.

This isn’t the first time we’ve featured [James Brown]’s work. You may recall he got DOOM running on a tiny LEGO brick a few years back.

Thanks to [J. Peterson] for the tip!

hackaday.com/2025/08/08/talkin…

James Brown

2025-07-24 03:20:20

I made a new mouth mechanism. I'm calling it Selectramatronics.

Una falla di sicurezza cruciale nell’HTTP/1.1 è stata resa pubblica dagli esperti di sicurezza, mettendo in luce una minaccia che continua ad impattare sull’infrastruttura web da più di sei anni, con potenziali ripercussioni per milioni di siti, nonostante gli sforzi continui per arginarla. I ricercatori di PortSwigger rivelano che HTTP/1.1 rimane intrinsecamente insicuro, esponendo regolarmente milioni di siti web a tentativi di acquisizione ostile tramite sofisticati attacchi di desincronizzazione HTTP.

La società di sicurezza informatica ha segnalato l’introduzione di varie nuove tipologie di tali attacchi, che hanno messo in luce falle critiche, andando ad intaccare decine di milioni di siti web e minando l’infrastruttura basilare all’interno di più reti di distribuzione dei contenuti (CDN). Nonostate gli sforzi dei fornitori, che hanno messo in atto varie strategie di contenimento nell’arco degli ultimi sei anni, i ricercatori sono stati in grado di superare costantemente le barriere protettive.

Per la prima volta, la minaccia è stata resa pubblica da PortSwigger nel 2019, tuttavia, relativamente alla causa fondamentale della vulnerabilità, sono state apportate solo minime modifiche. Un difetto progettuale critico in HTTP/1.1 è all’origine del problema: il protocollo permette agli aggressori di generare un’estrema ambiguità sul punto in cui si conclude una richiesta e sul punto in cui inizia la successiva.

La presenza di ambiguità permette ai responsabili degli attacchi malevoli di variare i confini delle richieste, generando così attacchi di tipo request smuggling che sono in grado di minare l’integrità di intere applicazioni web e dell’infrastruttura che le supporta. Le differenze nell’interpretazione delle richieste HTTP da parte di server e sistemi proxy diversi vengono sfruttate da questi attacchi, i quali consentono agli attaccanti di inserire richieste dannose che appaiono come legittime ai sistemi di sicurezza, ma che in realtà eseguono operazioni dannose sui server di back-end.

Le versioni successive di HTTP/2 rimuovono sostanzialmente ogni ambiguità fondamentale, di fatto rendendo molto difficili gli attacchi di desincronizzazione. Gli esperti di sicurezza però evidenziano che l’attivazione di HTTP/2 soltanto sui server edge risulta essere insufficiente. Fondamentale è invece l’attuazione di HTTP/2 nelle connessioni dirette ai server di origine attraverso i proxy inversi, in quanto permangono molte vulnerabilità causate dalla costante dipendenza da HTTP/1.1.

PortSwigger ha lanciato un’iniziativa completa intitolata “HTTP/1.1 Must Die: The Desync Endgame”, esortando le organizzazioni ad abbandonare il protocollo vulnerabile. La ricerca include raccomandazioni pratiche per l’implementazione immediata, tra cui l’abilitazione del supporto HTTP/2 upstream e la garanzia che i server di origine possano gestire il protocollo più recente.

Per le organizzazioni che dipendono ancora da HTTP/1.1, i ricercatori raccomandano di implementare le funzionalità di convalida e normalizzazione delle richieste disponibili sui sistemi front-end, di valutare la disattivazione del riutilizzo della connessione upstream e di collaborare attivamente con i fornitori in merito alle tempistiche del supporto HTTP/2.

Questa vulnerabilità interessa un ampio spettro di infrastrutture web, dai singoli siti web ai principali provider CDN, evidenziando l’urgente necessità di un’adozione a livello di settore dei moderni protocolli HTTP per garantire la sicurezza web.

L'articolo HTTP/1.1 Must Die! Falle critiche mettono milioni di siti web a rischio proviene da il blog della sicurezza informatica.

Una recente scoperta ha portato alla luce una sofisticata tecnica che aggira il controllo dell’account utente (UAC) di Windows, consentendo l’escalation dei privilegi senza necessità di intervento utente, grazie all’uso dell’editor di caratteri privati, e suscitando preoccupazioni su scala mondiale tra gli amministratori di sistema.

L’attacco divulgato da Matan Bahar sfrutta eudcedit.exe l’editor di caratteri privati integrato di Microsoft, disponibile in C:WindowsSystem32, originariamente progettato per creare e modificare i caratteri definiti dall’utente finale (EUDC).

I ricercatori di sicurezza hanno scoperto che questa utility apparentemente innocua può essere sfruttata per aggirare il principale gatekeeper di sicurezza di Windows.

La falla di sicurezza è causata da impostazioni critiche integrate nel manifest dell’applicazione eudcedit.exe. Questa vulnerabilità è generata da due particolari tag di metadati. Questa combinazione si rivela particolarmente pericolosa. Quando UAC è configurato con impostazioni permissive come “Eleva senza chiedere conferma”, Windows eleva automaticamente eudcedit.exe da un livello di integrità medio ad uno alto senza visualizzare alcun avviso di sicurezza, ha affermato Bahar .

L’attacco si sviluppa attraverso una sequenza accuratamente studiata che sfrutta i meccanismi di gestione dei file dell’applicazione. Gli aggressori iniziano avviando l’editor di caratteri privati, che passa automaticamente al livello di integrità “Alta”. Accedono quindi alla funzionalità di collegamento dei font all’interno dell’interfaccia dell’applicazione, solitamente accessibile tramite il menu File.

La vulnerabilità critica si manifesta quando gli utenti selezionano le opzioni di collegamento dei font e viene richiesto di salvare i file. In questo frangente, il processo eudcedit.exe con privilegi elevati può essere manipolato per eseguire comandi arbitrari. Semplicemente inserendo “PowerShell” nella finestra di dialogo del file, gli aggressori possono generare una sessione PowerShell con privilegi elevati che eredita il livello di integrità elevato del processo padre.

Il bypass dell’UAC di eudcedit.exe dimostra come gli aggressori possano sfruttare le utilità di sistema legittime per raggiungere obiettivi dannosi. La semplicità e l’efficacia di questa tecnica la rendono una preoccupazione significativa per i team di sicurezza aziendale.

L'articolo Una nuova tecnica di Privilege Escalation (PE) consente il bypass del UAC su Windows proviene da il blog della sicurezza informatica.

Il cybercrime è sempre da condannare. Che tu colpisca una multinazionale o un piccolo negozio online, resta un crimine.

Ma quando prendi di mira ospedali, associazioni senza scopo di lucro, fondazioni che vivono di donazioni, il livello scende ancora più in basso. Non sei un “hacker” perché i criminali non si chiamano così, non sei un “genio del computer”.

Sei solo uno sciacallo digitale.

Rubare un account social è già un atto deplorevole. Ma violare la pagina Instagram della Fondazione Giulia Cecchettin – creata per onorare la memoria di una giovane donna uccisa dall’ex fidanzato – è qualcosa di infinitamente peggiore. È un colpo basso, un atto vile che travalica la sfera tecnologica per diventare una ferita emotiva e collettiva.

La sorella di Giulia, Elena Cecchettin, ha dato la notizia tramite una storia Instagram: “La nostra pagina è stata compromessa. Vi preghiamo di non rispondere a messaggi o richieste sospette. Siamo al lavoro per risolvere il problema“. Poche ore dopo, è arrivata la conferma: un attacco informatico mirato, con un messaggio intimidatorio lasciato nella bio dell’account: “Se volete indietro il vostro account, controllate la mail e contattatemi su Telegram.”

Un ricatto in piena regola, che dimostra quanto i criminali informatici senza scrupoli non conoscano limiti né rispetto. Questo non è “semplice” cybercrime. Questo è scempio: l’uso della tecnologia per colpire il dolore, per profanare uno spazio nato per sensibilizzare, per dare voce a una causa che riguarda tutti.

Ed è qui che la società deve rispondere compatta: non solo recuperando l’account, ma trasformando questo atto vile in un’ulteriore ragione per combattere chi sfrutta la rete per distruggere invece che per costruire. Perché la memoria di Giulia – e la battaglia della Fondazione – non si hackerano.

L'articolo Scempio Digitale: Instagram della Fondazione Giulia Cecchettin, la ragazza uccisa dall’ex fidanzato è stato hackerato proviene da il blog della sicurezza informatica.

The Internet is fighting over whether robots.txt applies to AI agents. It all started when Cloudflare published a blog post, detailing what the company was seeing from Perplexity crawlers. Of course, automated web crawling is part of how the modern Internet works, and almost immediately after the first web crawler was written, one managed to DoS (Denial of Service) a web site back in 1994. And the robots.txt file was first designed.

Make no mistake, robots.txt on its own is nothing more than a polite request for someone else on the Internet to not index your site. The more aggressive approach is to add rules to a Web Application Firewall (WAF) that detects and blocks a web crawler based on the user-agent string and source IP address. Cloudflare makes the case that Perplexity is not only intentionally ignoring robots.txt, but also actively disguising their webcrawling traffic by using IP addresses outside their normal range for these requests.

This isn’t the first time Perplexity has landed in hot water over their web scraping, AI learning endeavors. But Perplexity has published a blog post, explaining that this is different!

And there’s genuinely an interesting argument to be made,that robots.txt is aimed at indexing and AI training traffic, and that agentic AI requests are a different category. Put simply, perplexity bots ignore robots.txt when a live user asks them to. Is that bad behavior, or what we should expect? This question will have to be settled as AI agents become more common.

Breaking Into the Vault

Researchers at Cisco Talos took a look at the Dell ControlVault, a Hardware Security Module (HSM) built into many Dell laptops. The firmware running on these embedded processors had some problems, including a stack-overflow and other memory-related issues. Usually the potential for abuse of these kind of attacks is limited mostly to the theoretical realm, but this embedded HSM also includes accessible USB pins, that can be accessed with a custom connector. The vulnerabilities found, then represent a real attack scenario where the firmware on the HSM can be tampered with, via nothing more than physical access. To prove the point, the Talos write-up includes a great video of a compromised machine accepting a green onion as a valid fingerprint for Windows Login.

Trend Micro In the Wild

Trend Micro’s Apex One system is under active exploitation, as a pair of vulnerabilities allow an authenticated attacker to inject system commands in the system’s management console. The full fix is expected to roll out later this month, but a mitigation disables a specific feature of the console, the Remote Install Agent. This leads to the obvious conclusion that the installation process was allowing for code execution as part of the install process.

GreedyBear

There was an interesting malware campaign run this year, by a group that Koi Security is calling GreedyBear. The campaign could be called a blitz, where malicious browser extensions, ransomware binaries, and scammy websites were all employed at once, with the goal of stealing cryptocurrency. The surprising thing is that so far not much over $1 million has been reported as stolen through the campaign.

The first technique used was “Extension Hollowing”, where safe, boring browser extensions are published, and maintained for a few months. Good reviews come in naturally or are purchased, and the publisher appears trustworthy. Then the extension is updated, with malicious code suddenly shipping. These extensions are now sniffing for user input and form filled data.

The second technique used was the old classic, packing malware into cracked and pirated software. The source of many of these malicious binaries seems to be primarily Russian piracy sites.

The final approach discovered was the simple scam website, often typo-squatting on nearly-legitimate domain names. These sites advertised fake hardware wallets or wallet repair, but only existed to steal whatever information would-be customers were willing to share.

The question may be raised, why does Koi Security believe all this activity is connected? The answer boils down to a single IP address, 185.208.156.66. This was the Command and Control server for the entire network of activity, and should be seen as a definite red flag in logs and records.

HashiCorp Vault Audit

The fine folks at Cyata took a crack at HashiCorp’s Vault, a source available secrets storage solution. And they discovered a host of subtle but important issues. The first on the list is an outstanding find, and it deals with how Vault protects against brute-force attacks. It’s supposed to be a simple counter, that locks out password attempts for a while, once a threshold of failures has been reached. The problem is that usernames aren’t case sensitive, but the failure counter is case sensitive in tracking password failures. Tried guessing the admin password too many times? Try the Admin account next.

The Multi-Factor Authentication has some issues, like the TOTP code reuse protection. This attempts to enforce that a code is only used once while valid. The problem is that a code of “ 123456” and “123456” both evaluate the same for the TOTP valuation itself, but as different codes for the reuse protection. This could enable an attacker to first abuse the reuse protection error message to identify a valid but used code, and then insert the space to be able to use the code for authentication.

After authentication, this same style of attack is possible again, this time targeting the root policy protections. An admin cannot assign this “root” policy, but can assign a “ root” policy. Those are treated as different policy identifiers by the validation code, but the same thing in the final implementation.

And finally, they discovered a Remote Code Execution flaw, via plugin installation. This one requires admin access, but an information leak and an audit log that allows writing to anywhere on the disk is enough to execute code injected in that audit log. This seems to be the first RCE ever made public in Vault, which is an impressive statement for both Hashicorp and Cyata.

Bits and Bytes

Nvidia isn’t taking last week’s talk of backdoors laying down, taking the offensive this week to reassure everyone that “There are no back doors in NVIDIA chips.” There’s a separate bit of news that US lawmakers are considering legislation that would require a kill-switch and location verification in future hardware.

It’s reassuring to be reminded that cyber-criminals do get captured and extradited. A Nigerian man was arrested in France and is being extradited to the US on multiple charges of fraud, identity theft, and other crimes. No word on whether the Nigerian national was or has claimed to be a prince.

And finally, filed in the “awkward” category, Google has disclosed that they were also a victim in the Salesforce hacks that Google researchers discovered and first publicized. These were good-old social engineering campaigns, where the attacker contacted an employee at the target company, and convinces them to read off an eight-digit security code. A group calling itself ShinyHunters has started an exploitation campaign using data pilfered in the attacks.

hackaday.com/2025/08/08/this-w…

The Texas Instruments TP4056 is the default charge-controller chip for any maker or hacker working with lithium batteries. And why not? You can get perfectly-functional knockoffs on handy breakout boards from the usual online sources for pennies. Betteridge’s Law aside, [Lefty Maker] thinks that it may well be time to move on from the TP4056 and spends his latest video telling us why, along with promoting an alternative.

His part of choice is another TI chip, the BQ25185. [Lefty] put together his own charge controller board to show off the capabilities of this chip — including variable under- and over-charge protection voltages. Much of his beef with the TP4056 has less to do with that chip than with the cheap charge modules it comes on: when he crows about the lack of mounting holes and proper USB-PD on the knock-off modules, it occurs to us he could have had those features on his board even if he’d used a TP4056.

On the other hand, the flexibility offered by the BQ25185 is great to future-proof projects in case the dominant battery chemistry changes, or you just change your mind about what sort of battery you want to use. Sure, you’d need to swap a few resistors to set new trigger voltages and charging current, but that beats starting from scratch.

[Lefty Maker] also points out some of the advantages to making your own boards rather than relying on cheap modules. Namely, you can make them however you want. From a longer USB port to indicator LEDs and a built-in battery compartment, this charging board is exactly what [Lefty Maker] wants. Given how cheap custom PCBs are these days, it’s not hard to justify rolling your own.

The same cannot be said of genuine TI silicon, however. While the BQ25185 has a few good features that [Lefty Maker] points out in the video, we’re not sure the added price is worth it. Sure, it’s only a couple bucks, but that’s more than a 300% increase!

We’ve seen other projects pushing alternative charge controllers, but for now the TP4056 reigns as the easy option.

youtube.com/embed/8npqPz5fvnI?…

hackaday.com/2025/08/08/is-it-…

Si è registrato un aumento del 14% delle richieste arrivate alla nostra infoline: da Liguria e Lazio il maggior numero di chiamate in proporzione al numero degli abitanti

580 le richieste di aiuto alla morte volontaria

Negli ultimi 12 mesi sono arrivate 16.035 richieste di informazioni sul fine vita tramite il Numero Bianco(06 9931 3409), coordinato da Valeria Imbrogno, compagna di Dj Fabo, e attraverso le email dirette all’Associazione Luca Coscioni. Una media di 44 richieste al giorno, in crescita del 14 per cento rispetto all’anno precedente.

Si tratta di un servizio attivo tutti i giorni per ascoltare, orientare e informare sulle possibilità offerte oggi dall’ordinamento italiano in materia di fine vita, su temi come eutanasia e suicidio medicalmente assistito, testamento biologico, interruzione delle terapie e sedazione palliativa profonda. In assenza di risposte istituzionali adeguate, il servizio aiuta a costruire percorsi legali e umani verso la libertà di scelta sul fine vita.

Nel dettaglio, le richieste hanno riguardato soprattutto eutanasia e suicidio medicalmente assistito (circa 5 al giorno), ma anche interruzione delle terapie e sedazione palliativa profonda (più di una al giorno). Sono inoltre aumentate le domande pratiche per accedere alla morte volontaria medicalmente assistita in Svizzera o attraverso percorsi legali in Italia, arrivate da 580 persone (51 per cento donne, 49 per cento uomini), contro le 533 dell’anno precedente.

Sulla base delle informazioni disponibili sulla provenienza geografica di chi ha contattato il servizio, quando fornite, è stata elaborata una proiezione regionale ponderata per popolazione, che restituisce una fotografia della richiesta di aiuto a morire in Italia.

datawrapper.dwcdn.net/jsJTr/1/!function(){"use strict";window.addEventListener("message",function(a){if(void 0!==a.data["datawrapper-height"]){var e=document.querySelectorAll("iframe");for(var t in a.data["datawrapper-height"])for(var r,i=0;r=e[i];i++)if(r.contentWindow===a.source){var d=a.data["datawrapper-height"][t]+"px";r.style.height=d}}})}();

La classifica delle regioni con il maggior numero di richieste rapportate a 100.000 abitanti vede al primo posto la Liguria con 48 ogni 100.000 abitanti, seguita dal Lazio con 43 richieste. Al terzo posto si posiziona la Toscana con 35, affiancata dal Friuli Venezia Giulia. Seguono Umbria, Emilia-Romagna e Lombardia con 33 richieste. Poi Piemonte con 28, il Veneto e le Marche con 26.

L'articolo Più di 16mila persone hanno contattato il Numero Bianco nell’ultimo anno proviene da Associazione Luca Coscioni.