We were pleasantly surprised when congressional Republicans introduced our farewell article to the former president, titled Biden’s press freedom legacy: Empty words and hypocrisy, into the record at a House Judiciary Committee hearing this week.

That’s great — it’s always nice to have our work recognized. But if Republican lawmakers agree with us that former President Joe Biden was bad on press freedom, someone should really tell them about this Donald Trump character who’s in office now. All the abuses we identified in the article Republicans cited have (as the article predicted) worsened under the new president, and he’s come up with plenty of new ones too.

We wrote a letter to let the committee know that if it’s serious about addressing the issues our article discussed, regardless of who is in the White House, we’re here to help. We’ll let you know if they reply (but don’t hold your breath). Read the letter here or below.

freedom.press/static/pdf.js/we…

freedom.press/issues/thanks-fo…

Knobs are ubiquitous in technology user interfaces, but touchscreens are increasingly replacing them for interface controls. The latest project from [upir] combines a rotating knob with a touchscreen for a stunning result. The knob-over-display design features a touchscreen where you can place and remove a spinning knob, creating an interface reminiscent of Microsoft’s Surface Dial but at a fraction of the cost.

The core functionality of this device relies on the MT6701 magnetic encoder, which precisely tracks the orientation of the surrounding magnetic field. This encoder is held in place with a 3D-printed jig behind the small touchscreen, hiding the encoder without blocking the magnetic field generated by the magnet above the display. Most circular magnets are axially magnetized, meaning their larger face is one pole. However, diametrically magnetized magnets, where opposite sides of the smaller face are the poles, are used here.

To avoid scratching the screen and ensure smooth turning, [upir] designed a knob that holds the diametrically magnetized magnet slightly above the screen, with a ball bearing connecting the outside of the knob to the center resting on the screen. All the design files needed to recreate this are available on [upir]’s GitHub page; be sure to check them out. Also, browse through our back catalog for other knob-related projects.

youtube.com/embed/zIrAe23f8sg?…

hackaday.com/2025/09/05/dialin…

Dear Friend of Press Freedom,

For 164 days, Rümeysa Öztürk has faced deportation by the United States government for writing an op-ed it didn’t like, and for 83 days, Mario Guevara has been imprisoned for covering a protest. Read on for more, and click here to subscribe to our other newsletters.

Recording police is not ‘violence’

It was bad enough when government officials claimed that journalists are inciting violence by reporting. But now, they’re accusing reporters of actually committing violence.

The supposed violence by reporters? Recording videos. At least three times recently, a government official or lawyer has argued that simply recording law enforcement or Immigration and Customs Enforcement officers is a form of violence. Read more here.

Thanks for citing us, House Republicans. Now do something

Congressional Republicans introduced our farewell article to the former president, titled Biden’s press freedom legacy: Empty words and hypocrisy, into the record at a House Judiciary Committee hearing this week.

That’s great — it’s always nice to have our work recognized. But if these lawmakers agree with us that former President Joe Biden was bad on press freedom, someone should really tell them about this Donald Trump character who’s in office now. All the abuses we identified in the article Republicans cited have (as the article predicted) worsened under the new president, and he’s come up with plenty of new ones too.

We wrote a letter to let the committee know that if it’s serious about addressing the issues our article discussed, regardless of who is in office, we’re here to help. We’ll let you know if they reply (but don’t hold your breath). Read the letter here.

Will secret law prevail in drug boat massacre?

The Trump administration has not provided any legal justification for blowing up a boat carrying 11 alleged Venezuelan drug traffickers on the Caribbean Sea. We filed a Freedom of Information Act request to find out if lawyers at the Justice Department’s Office of Legal Counsel were consulted before the slaughter and, if so, what they said.

If there is an OLC opinion about the targeting of the Venezuelan boat, the public and Congress should be able to debate it right now. Unfortunately, the government has long taken the position that OLC opinions should be secret, even though there should be no such thing as secret law in the United States. Read more here, and, if you want to learn more about government secrecy and what we’re doing to combat it, subscribe to The Classifieds.

Stop the judicial secrecy bill

An amendment to the National Defense Authorization Act would allow lawmakers to scrub information about themselves from the internet. The bill fails to achieve its stated purpose of keeping lawmakers safe — except from investigative journalism.

This week we helped lead a letter to senators from press freedom and civil liberties organizations objecting to the misguided legislation. Even if the NDAA amendment does not succeed, it’s likely that this bill will be back, and we’ll be ready to fight it. Read the letter here.

ICE revives contract for spyware

In 2023, Biden issued an executive order limiting government use of commercial spyware. Subsequently, the Biden administration issued a stop-work order on a $2 million contract between Immigration and Customs Enforcement and Paragon, a spyware vendor that makes products that have reportedly been used to spy on journalists.

It now appears ICE is reinstating this contract. Read more here and subscribe to our Digital Security Tips newsletter.

What we’re reading

Inside Trump’s decade-long war on the press: 75,000 posts, 3,500 direct attacks

Editor and Publisher
Trump’s anti-press rhetoric is “not bluster; it is not a personality trait. It is deliberate,” our U.S. Press Freedom Tracker’s Stephanie Sugars said. “It is very much at the cost of the strength of our social fabric and our shared reality.”

RSF and Avaaz launch international media operation

RSF
Great work by our friends at Reporters Without Borders organizing this response to Israel’s slaughter of journalists in Gaza. It’s unfortunate that more U.S. outlets did not participate. If the outlets you support were not among the few, ask them why.

Illinois restores protections for press targeted with frivolous lawsuits

The Dissenter
We spoke to The Dissenter about the Illinois Supreme Court’s ridiculous ruling that the state’s law against strategic lawsuits against public participation doesn’t protect reporting, and the recently passed bill to repair the damage.

He plagiarized and promoted falsehoods. The White House embraces him

The New York Times
We talked to the Times about influencers replacing journalists at the White House. Yes, it’s awful that Trump won’t grant reporters the honor of getting lied to at press briefings. But the decimation of FOIA — a source of facts, not spin — is even more concerning.

Noem accuses CBS of ‘deceptively’ editing interview about Abrego Garcia

The Hill
Kristi Noem’s complaints underscore why news outlets can’t settle frivolous lawsuits. Now, the door is wide open for government officials to question every editing decision news outlets make, whether to shorten an interview for time or to not air lies and nonsense.

Police body cameras are supposed to shed light. Rhode Island rules let officers keep footage in the dark

Rhode Island Current
When rules restrict police body cameras from being used to provide transparency, the only use left for them is surveillance.

Judge Charles Wilson defends New York Times v. Sullivan

Reason
A good recap of why “originalist” attacks on the actual malice standard — which limits defamation claims by public figures — are so disingenuous.

freedom.press/issues/recording…

With the days of dial-up and pitiful 2G data connections long behind most of us, it would seem tempting to stop caring about how much data an end-user is expected to suck down that big and wide broadband tube. This is a problem if your respective tube happens to be a thin straw and you’re located in a base somewhere in the Antarctic. Take it from [Paul Coldren], who was stationed at a number of Antarctic research stations as an IT specialist for a total of 14.5 months starting in August of 2022.
Prepare for hours of pain and retrying downloads. (Credit: Paul Coldren]
As [Paul] describes, the main access to the Internet at these bases is via satellite internet, which effectively are just relay stations. With over a thousand people at a station like McMurdo at certain parts of the season, internet bandwidth is a precious commodity and latency is understandably high.

This low bandwidth scenario led to highly aggravating scenarios, such as when a web app would time out on [Paul] while downloading a 20 MB JavaScript file, simply because things were going too slow. Upon timing out, it would wipe the cache, redirect to an error page and have [Paul] retry and retry to try to squeeze within the timeout window. Instead of just letting the download complete in ~15 minutes, it would take nearly half an hour this way, just so that [Paul] could send a few kB worth of text in a messaging app.

In addition to these artificial timeouts – despite continuing download progress – there’s also the issue of self-updating apps, with a downloader that does not allow you to schedule, pause, resume or do anything else that’d make downloading that massive update somewhat feasible. Another thing here is distributed downloads, such as when hundreds of people at said Antarctic station are all trying to update MacOS simultaneously. Here [Paul] ended up just – painfully and slowly – downloading the entire 12 GB MacOS ISO to distribute it across the station, but a Mac might still try to download a few GB of updates regardless.

Updating Office for Mac at the South Pole made easy courtesy of Microsoft. (Credit: Paul Coldren)
This level of pain continued with smartphone updates, which do not generally allow one to update the phone’s OS from a local image, and in order to make a phone resume an update image download, [Paul] had to turn the phone off when internet connectivity dropped out – due to satellites going out of alignment – and turn it back on when connectivity was restored the next day.

Somewhat surprisingly, the Microsoft Office for Mac updater was an example of how to do it at least somewhat right; with the ability to pause and cancel, see the progress of the download and resumption of interrupted downloads without any fuss. Other than not having access to the underlying update file for download and distribution by e.g. Sneakernet, this was a pleasant experience alongside the many examples of modern-day hardware and software that just gave up and failed at the sight of internet speeds measured in kB/s.

Although [Paul] isn’t advocating that every developer should optimize their application and updater for the poor saps stuck on the equivalent of ISDN at a remote station or in a tub floating somewhere in the Earth’s oceans, he does insist that it would be nice if you could do something like send a brief text message via a messaging app without having to fight timeouts and other highly aggravating ‘features’.

Since [Paul] returned from his last deployment to the Antarctic in 2024 it appears that at least some of the stations have been upgraded to Starlink satellite internet, but this should not be taken as an excuse to not take his plea seriously.

hackaday.com/2025/09/05/engine…

Even with teachers with names like Kirchhoff and Helmholtz, old Heinrich Hertz himself likely didn’t have the slightest idea that his name would one day become an SI unit. Less likely still would have been the idea that Hackaday would honor him with the 2025 One-Hertz Challenge.

The challenge was deliberately — dare we say, fiendishly? — simple: Do something, anything, but do it once a second. Flash a light, ring a bell, click a relay, or even spam comments on a website other than Hackaday; anything at all, but do it at as close to one Hertz as possible. These are our favorite kinds of contests, because the simplicity affords a huge canvas for the creative mind to paint upon while still providing an interesting technical constraint that’s just difficult enough to make things spicy.

And boy, did you respond! We’ve received over a hundred entries since we announced the contest back in June, meaning that many of you spent 4,662,000 seconds of your summer (at least those of you above the equator) rising to the challenge. The time was well spent, with projects that pushed the limits of what we even expected.

While we loved ’em all, we had to winnow them down to the top three, each of which receives a $150 gift certificate from our sponsor, DigiKey. Let’s take a look at them, along with our favorite runners-up.

Our Top Three

At the top of our judges’ list was “the electromechanicalanalogdigitalclock”, a project that clearly didn’t know what it wanted to be but nevertheless did it with a lot of style. [Christian]’s contraption pushes a lot of design buttons, starting with the mains-powered stepper motor generating a 1-Hz signal with a photochopper, which drives a 12-bit counter made from some CMOS logic chips and a digital-to-analog converter that drives some vintage moving-coil meters to display the time. There’s even a bit of circuit sculpture thrown in, with a brass frame supporting and isolating the noisy stepper motor on a spring suspension. Extra points were no doubt earned thanks to the Space:1999 and Star Trek models in the photos.

The electromechanicalanalogdigitalclock by [Christian].BEZICRON was inspired by [ekaggrat singh kalsi] playing with his daughter’s springy hair ties.Next up we have BEZICRON by [ekaggarat singh kalsi]. If this one looks familiar, it’s probably because we featured it back in January, when we had a difficult time describing exactly what this is. It’s a clock, sure, but its display is vastly different from anything we’ve ever seen before, based as it is on hair bands, of all things, that are bent and stretched into numerals by a series of intricate cams and levers. The idea is unique, the mechanism is complex, the design is striking, and the sinuous 1-Hz pulse of the colon is mesmerizing.

Our final gift certificate goes to [Tim], who managed to use candle flames as a time base. You’ve probably noticed candles guttering and flickering thanks to uneven wax melting or even drafts blowing the flame column around and thought they were fairly random. But [Tim] noticed that these oscillations were actually more stable and predictable than they appear, and used a wire sticking into the flame to trigger the capacitive sensor input on a CH32xxx microcontroller to measure the frequency, which was then divided down to flash an LED at 1-Hz. It’s the perfect combination of physics and electronics that extracts order from a seemingly stochastic in a weird and wonderful way.

Awesome Honorable Mentions

What’s always fun about Hackaday contests is the categories we come up with, which are sort of mini-games within the main challenge. And this time around didn’t disappoint, with projects that explored these side quests in fun and interesting ways.

Our “Ridiculous” category was all about tapping your inner Rube Goldberg and finding the least practical way to generate your 1-pps pulse train. Runners-up in this category included [Brian Stuparyk]’s electromechanical function generator, a pitchblende-powered “atomic” clock by [alnwlsn], and [Sean B]’s “Nothing but NAND” Nixie clock.

For the “Timelords” category, we were looking for the projects that pulled out all the stops to get as many zeroes as possible after the decimal point, and the entries didn’t disappoint. Check out this vintage atomic clock restoration by [CuriousMarc] and his merry band, [Lauri Pirttiaho]’s cheap and simple GPS sync for quartz wall clocks, or this GPS-disciplined crystal-oven oscillator by [Will Carver].

The horologically inclined were the target audience for the “Clockwork” category, which invited you to turn your one-per-second timebase into a unique and interesting timepiece. See [Simon Newhouse]’s Nixie-based frequency counter clock, the DCF77 clock [hayday] made from the 2022 Supercon Badge, or the beautiful bubble displays of [Andrew Tudoroi]’s RPi TinynumberHat9 clock.

And finally, what would a One-Hertz challenge be without the venerable 555 timer chip? Entries we liked from the “Coulda Used a 555” category include [Tom Goff]’s Bletchley-inspired Logic Bombe, this mind-bending, capacitor-free timer that [Mark Valentine] put together, and [Paul Gallagher]’s super annoying “One Hurts” clock — it’s worse than a cuckoo clock!

Everyone’s a Winner!

We’d love to give everyone a prize, but we’d be hard-pressed to manage that with so many cool and unusual projects. As they say, everyone’s a winner just for entering, and we think that’s especially true with contests like this, which bring out the best in everyone. Thanks to everyone who entered, the judges for sorting through everything and making the hard choices, and to our sponsor DigiKey. We’ll see you all again next time around!

Thunderstorms were raging across southern Germany as Elliot Williams was joined by Jenny List for this week’s podcast. The deluge outside didn’t stop the hacks coming though, and we’ve got a healthy smorgasbord for you to snack from. There’s the cutest ever data cassette recorder taking a tiny Olympus dictation machine and re-engineering it with a beautiful case for the Commodore 64, a vastly overcomplex machine for perfectly cracking an egg, the best lightning talk timer Hackaday has ever seen, and a demoscene challenge that eschews a CPU. Then in Quick Hacks we’ve got a QWERTY slider phone, and a self-rowing canoe that comes straight out of Disney’s The Sorcerer’s Apprentice sequence.

For a long time we’ve had a Field guide series covering tech in infrastructure and other public plain sight, and this week’s one dealt with pivot irrigation. A new subject for Jenny who grew up on a farm in a wet country. Then both editors are for once in agreement, over using self-tapping screws to assemble 3D-printed structures. Sit back and enjoy the show!

html5-player.libsyn.com/embed/…

Want to listen offline? Grab yourself an MP3 hot off the press.

Where to Follow Hackaday Podcast

Places to follow Hackaday podcasts:

• iTunes
• Spotify
• Stitcher
• RSS
• YouTube
• Check out our Libsyn landing page

Episode 336 Show Notes:

What’s that Sound?

• Congrats to [1tR3x] who knew more about the music of 2001 Space Odyssey than I did!

Interesting Hacks of the Week:

• Tiny Datasette Uses USB For The Modern Day
  
  • How Commodore tapes work
  • Classic Computer Magazine Archive article

  
  

• Does It Make Sense To Upgrade A Prusa MK4S To A Core One?
• Lightning Talks On Time, With This Device
• Over-Engineering An Egg Cracking Machine
  
  • What Can You Learn From An Eggbot?

  
  

• This Plotter Knows No Boundaries
• An Amiga Demo With No CPU Involved

Quick Hacks:

• Elliot’s Picks:
  
  • Phonenstien Flips Broken Samsung Into QWERTY Slider
  • Remembering The Intel Compute Stick
  • Old Projects? Memorialize Them Into Functional Art
  • Microsoft Removed WMR Headset Support? No Problem!

  
  

• Jenny’s Picks:
  
  • Microsoft BASIC For 6502 Is Now Open Source
  • CAD, From Scratch: MakerCAD
  • Robotic Canoe Puts Robot Arms To Work

  
  

Can’t-Miss Articles:

• No Need For Inserts If You’re Prepared To Use Self-Tappers
• Field Guide To North American Crop Irrigation

hackaday.com/2025/09/05/hackad…

The Estes line of flying model rockets have inspired an untold number of children and adults alike, thanks in part to their simplicity. From the design and construction of the rockets themselves to the reliability and safety of the modular solid-propellant motors, the company managed to turn actual rocket science into a family activity. If you could glue fins onto a cardboard tube and stick a plastic nosecone on the end, you were nearly ready for launch.

But what if you’re looking for something a bit more challenging? That’s where the new Estes Scorpio 3D comes in. Unlike the classic Estes kit, which included the fins, nosecone, and other miscellaneous bits of the rocket, the Scorpio kit requires you to 3D print your own parts. Do it right, and the company says you can send your creation to heights of 1,000 feet (305 m).

As several main components of the rocket are 3D printed, the Scorpio is intended to be a platform for fast and easy modification. Estes already provides STLs for a few different variants of the tail fins — this is not unlike some of the old kits, which would occasionally include different shaped fins for you to experiment with. But of course you’re also free to design your own components from scratch if you wish. A twist-lock mechanism built into the printed motor mount allows you to swap out the Scorpio’s fins in the field, no glue required.

While we appreciate the concept of the Scorpio 3D, we have to admit that the $40 USD price tag seems a bit excessive. After all, the user is expected to print the majority of the rocket’s parts on their own dime. According to the manual, the only thing you get with the kit (other than access to the digital files) is a couple of cardboard tubes, some stickers, and a parachute — the launch pad, igniter, and even motors are all sold separately.

Admittedly there’s a certain value in the Estes name and the knowledge that they’ve done their homework while putting this product together. But if you’re just looking to fire off some DIY rockets, we’d point you to the open source HEXA project as an alternative.

youtube.com/embed/WikanXBH4PE?…

hackaday.com/2025/09/05/estes-…

Something rather significant happened on the Internet back in May, and it seems that someone only noticed it on September 3rd. [Youfu Zhang] dropped a note on one of the Mozilla security mailing lists, pointing out that there was a certificate issued by Fina for 1.1.1.1. That IP address may sound familiar, and you may have questions.

First off, yes, TLS certificates can be issued for IP addresses. You can even get a numeric TLS certificate for your IP address, via Lets Encrypt. And second, 1.1.1.1 sounds familiar because that’s CloudFlare’s public DNS resolver. On that address, Cloudflare notably makes use of DoH, a charming abbreviation for DNS over HTTPS. The last important detail is that Cloudflare didn’t request or authorize the certificate. Significant indeed.

This is a high-profile example of the major weakness of the TLS certificate system. There are over 300 trusted certificate authorities in the Microsoft Root Certificate Program, Financijska agencija (Fina) being one of them. All it takes is for one of those trusted roots to issue a bad certificate, to compromise that system. That it took four months for someone to discover and point out the problem isn’t great.

Don’t Just Copy That Into Your Terminal

I’ve given Linux newbies the advice several times, not to be careless about copying and pasting commands into the Linux terminal. Sometimes that’s because practical jokers suggest running rm -rf /, or a fork bomb, or some other “fun” command to fix a problem. But there’s also the problem of malware, and it’s not limited to Linux. For example, this reasonably convincing looking notification from Cloudflare instructs the user to copy and past a completely benign-looking string into a terminal on a Mac machine.

… say what now

— Tim Pierce (@unchi.org) 2025-09-02T15:35:51.123Z

It’s pretty obviously not a real command as it’s presented. Instead, a base64 encoded string is decoded and executed in Bash. It executes a script from the Internet, which immediately begins looking for interesting files to upload. It’s not a terribly new approach, but is apparently still being used in the wild, and is a great object lesson about not trusting commands from the Internet.

CSS is Turing Complete Now, So Let’s Use it to Steal Data

OK, Turing complete might be a slight exaggeration, but CSS does now have if() statements. CSS also can do background downloads from remote sites. Put that together, and you have a way to steal data.

There are some serious limitations that are likely to keep this from becoming a widely used technique. Top of the list is that CSS doesn’t have any string carving functions. That if() statement is limited to matching the complete value of fields. To steal information strictly using CSS, you have to know what you’re looking for ahead of time.

Creative C2

It’s always interesting to see the creative Command and Control (C2) techniques that are dreamt up by researchers and threat actors. MeetC2 is up first, a demonstration of using Google Calendar for C2 via calendar events. It works because no security solution will block access to Google Calendar, and it’s fairly trivial to add notes to a calendar event.

The other creative C2 involves a project I’m intimately familiar with. MeshC2 is a clever, but admittedly vibe-coded C2 tool using Meshtastic to run commands on remote hosts. It’s from [Eric Escobar], one of the researchers at Sophos. When dropping a Raspberry Pi off for a penetration test, there’s an inevitable problem that knocks the platform off the Internet, and the ability to run a few simple commands could make all the difference.

youtube.com/embed/DLvPaYZfZR4?…

Persuasion and LLMs

Persuasion is the art of influencing. When a car salesman buys a potential customer a drink from the car lot’s vending machine, it’s an attempt to persuade. When a negotiators picks up on and imitates the small habits of their counterparts, it’s also an attempt to leverage persuasion. From appeals to authority, to priming, to framing, there are countless tricks that are tried, with varying amounts of success, to influence people. The question here is whether those tricks might work on an LLM.

A pre-print study seems to indicate that persuasion does indeed work on AIs. And while persuasion may convince a human to buy a car beyond one’s means, persuasion can be used to convince an AI to do something beyond its guardrails. The two test cases were to ask the LLM to return an insult, and to return the recipe for lidocaine. While this isn’t the only way to jailbreak an LLM, it’s a novel bit of work, determining that the AI has some of the same weaknesses as humans.

The Scam Become Real

If you run your own mail server, or check your spam folder, you’ve surely seen the emails where a scammer claims to have taken over your webcam while you were watching pornography. Historically this has been a complete lie, simply to extort the naive. Unfortunately, it seems that someone took this as a challenge, and has actually built malware that attempts to do exactly what the classic spam has threatened. And of course, it’s open source.

Bits and Bytes

Researchers at Silent Signal took a look at the IBM i mainframe system, and have a CVE to show for it. The exploit was a replay attack followed by a command injection. The first approach allowed for blind code execution, but the challenge on this second time around was to find something more useful, and SQL turned out to be the key.

And finally, the folks at Trail of Bits are looking at the application integrity problem, when running applications inside electron and even Chrome. The binaries themselves may be signed, but there’s a part of the program that isn’t: The heap snapshots. This is a V8 feature used to significantly speed up the loading of the pages inside these apps. It turns out that snapshot can also be used to poison the internal state of those apps, and sidestep existing controls. Electron has patched the issue, but there are some cases where Chrome itself may still be vulnerable to this fascinating approach.

hackaday.com/2025/09/05/this-w…

L’azienda californiana Figure ha svelato un altro traguardo per il suo umanoide Figure 02: il robot ha caricato una lavastoviglie con elevata precisione utilizzando il versatile modello Helix, basato sull’architettura Vision-Language-Action (VLA). Un compito apparentemente banale per gli umani si trasforma in un complesso test di precisione, forza di presa e adattamento a diversi tipi di oggetti per l’assistente artificiale .

La particolarità è che non sono state create nuove logiche o algoritmi speciali per eseguire questa operazione. Il successo si basa sullo stesso sistema universale Helix, che ha già dimostrato capacità in altri scenari. Grazie a dati aggiuntivi e all’apprendimento da esempi di comportamento umano, Figure 02 ha padroneggiato in modo indipendente le complessità del lavoro con piatti, bicchieri e altre stoviglie.

Le principali sfide per il robot sono afferrare con precisione gli oggetti con le dita, ruotarli alla giusta angolazione, posizionarli nello spazio ristretto del cestello con un errore di pochi centimetri e trattenere gli oggetti con una forza sufficiente a impedirne lo scivolamento, ma anche la rottura. Helix ha permesso a Figure 02 di dimostrare una precisione pari a quella dei movimenti delle dita umane, nonché di adattarsi a diversi set di piatti e correggere le azioni in caso di errore o collisione.

Solo pochi anni fa, i robot necessitavano di una programmazione speciale per svolgere tali compiti, e lavare i piatti era considerato una delle operazioni domestiche “impossibili”.

Ora Figure dimostra che un modello universale e nuovi dati sono sufficienti per far funzionare il sistema senza bisogno di alcuna progettazione mirata. Lo stesso principio consentiva in precedenza a Figure 02 di piegare gli asciugamani e distribuire i pacchi su un nastro trasportatore.

Helix è stato presentato a febbraio di quest’anno e da allora è diventato il cervello degli umanoidi dell’azienda. Durante l’estate, il robot ha impressionato il pubblico con un video in cui caricava i vestiti in una lavatrice, per poi dimostrare la sua capacità di seguire comandi verbali adattandosi a compiti diversi, come piegare gli asciugamani. A giugno, Figure 02 ha mostrato il lavoro su una catena di montaggio, smistando scatole. Ogni nuova abilità si aggiunge al set di competenze complessivo, ampliando la versatilità del sistema.

A prima vista, caricare la lavastoviglie, piegare il bucato o gestire la logistica possono sembrare attività non correlate. Tuttavia, Figure integra tutti questi scenari in un’unica architettura. Ciò significa che è possibile apprendere nuove funzionalità senza dover riscrivere il codice o progettare singoli moduli, aprendo le porte a uno sviluppo scalabile.

Sebbene siamo ancora lontani da un “robot maggiordomo” a tutti gli effetti, compiti come spolverare, portare fuori la spazzatura o passare l’aspirapolvere restano ancora da realizzare. Ma i risultati ottenuti dimostrano che gli assistenti umanoidi stanno già imparando a svolgere diverse funzioni e ogni nuova abilità ci avvicina al futuro, dove troveranno il loro posto nella vita quotidiana e nella produzione.

L'articolo Figure02, il robot che carica la lavastoviglie con precisione proviene da il blog della sicurezza informatica.

In occasione di Uman Festival, il tesoriere dell’Associazione Luca Coscioni Marco Cappato sarà protagonista di un incontro pubblico dal titolo “Democrazia. In dialogo con Marco Cappato”.

L’appuntamento è per venerdì 12 settembre 2025 alle ore 15:00 presso l’Aula 002 del Dipartimento di Sociologia – Università di Trento, Via Giuseppe Verdi 26, a Trento.

In occasione di Uman Festival, l’attivista e tesoriere dell’Associazione Luca Coscioni Marco Cappato sarà protagonista di un incontro pubblico dal titolo “Democrazia. In dialogo con Marco Cappato”.

Un momento di confronto con studenti, studentesse e cittadinanza, per discutere il valore della partecipazione democratica e dei diritti civili in Italia e in Europa.

Partecipano:
Marco Cappato (Associazione Luca Coscioni)
Marta Citriniti (Presidente Tridentum)
Renata Maria Giordano (Presidente ELSA Trento)
Prof.ssa Marta Tomasi (Università di Trento)

Aula 002, Dipartimento di Sociologia – Università di Trento
Ingresso libero, aperto a tutte e tutti

L'articolo Marco Cappato a Trento – Dialogo sulla democrazia all’Università proviene da Associazione Luca Coscioni.

I criminali informatici hanno lanciato una nuova ondata di attacchi che utilizzano file SVG per distribuire pagine di phishing. Gli esperti di VirusTotal hanno segnalato che gli aggressori si spacciano per la procura colombiana, distribuendo allegati email contenenti codice JavaScript nascosto. L’analisi automatica ha rivelato comportamenti che i programmi antivirus non erano in grado di rilevare.

Il formato SWF, formalmente “deceduto” da quando Flash è stato disattivato nel 2020, continua a comparire nel traffico. In 30 giorni, VirusTotal ha ricevuto 47.812 file SWF univoci precedentemente sconosciuti e 466 di questi hanno attivato almeno un motore antivirus. In un caso, solo 3 trigger su 63 indicavano segnali “sospetti” di una vecchia vulnerabilità, ma un’analisi dettagliata ha rivelato che si trattava di un gioco complesso con rendering 3D, audio e un editor di livelli integrato.

Classi offuscate , utilizzo di RC4/AES e raccolta di informazioni di sistema sembravano allarmanti, ma erano coerenti con la logica di protezione contro cheat e modifiche. In tali artefatti non è stato rilevato alcun comportamento dannoso.

SVG è l’opposto di entrambi, sia nello spirito che nell’epoca: uno standard aperto per il web e il design. Ecco perché è il preferito dagli aggressori. Negli ultimi 30 giorni, VirusTotal ha ricevuto 140.803 file SVG univoci precedentemente sconosciuti, di cui 1.442 segnalati da almeno un motore. Uno dei campioni non è stato rilevato da alcun motore, ma durante il rendering ha eseguito uno script incorporato che ha decodificato e incorporato una pagina HTML di phishing che copiava il portale del sistema giudiziario colombiano. Per renderlo più plausibile, la pagina simulava il caricamento di documenti con una barra di avanzamento e, in background, un archivio ZIP veniva scaricato e forzato. Il comportamento è stato confermato nella sandbox: elementi visivi, numeri di, “token di sicurezza” erano presenti, sebbene si trattasse solo di un’immagine SVG.

Secondo VirusTotal, questo non è un caso isolato. Una richiesta di tipo type:svg con menzione della Colombia ha restituito 44 SVG univoci, tutti privi di rilevamento antivirus, ma con le stesse tattiche: offuscamento, polimorfismo, codice “spazzatura” di grandi dimensioni per aumentare l’entropia. Allo stesso tempo, gli script contenevano ancora commenti in spagnolo come “POLIFORMISMO_MASIVO_SEGURO” e “Funciones dummy MASIVAS“, un punto vulnerabile adatto a una semplice firma YARA.

Una ricerca durata un anno ha prodotto 523 risultati. Il campione più antico era datato 14 agosto 2025, scaricato anch’esso dalla Colombia, e anch’esso non è stato rilevato. Una nuova analisi ha confermato lo stesso schema di phishing e download stealth. I primi campioni erano più grandi, circa 25 MB, poi le dimensioni sono diminuite, indicando un perfezionamento del payload.

Il canale di distribuzione era la posta elettronica, che ci ha permesso di collegare la catena in base ai metadati del mittente, agli oggetti e ai nomi degli allegati.

L'articolo Se Flash è morto, ecco a voi l’SVG Assassino! Il phishing 2.0 è in alta definizione proviene da il blog della sicurezza informatica.

Un recente studio condotto dal team di Offensive Security di Workday ha evidenziato una vulnerabilità nei driver di Windows che consente di bypassare efficacemente gli strumenti di Endpoint Detection and Response (EDR).

Questa tecnica sfrutta la lettura diretta del disco, eludendo controlli di accesso, blocchi di file e misure di sicurezza come Virtualization-Based Security (VBS) e Credential Guard. Il driver vulnerabile identificato, eudskacs.sys, espone strutture di codice semplici che permettono la lettura diretta del disco fisico, consentendo l’accesso a file sensibili senza interagire direttamente con essi.
Percorso che una richiesta di lettura del disco segue quando viene richiamata dallo spazio utente
Tradizionalmente, Windows implementa diverse difese per proteggere i dati sensibili. Ad esempio, i file di credenziali come SAM.hive e SYSTEM.hive sono protetti da Access Control Lists (ACL) e da blocchi esclusivi che impediscono l’accesso simultaneo da parte di più processi.

Inoltre, VBS e Credential Guard isolano il processo LSASS in un contenitore virtualizzato, rendendo più difficile l’estrazione delle credenziali dalla memoria. Tuttavia, l’accesso diretto al disco elude questi controlli, poiché non richiede l’uso delle API standard per l’accesso ai file e non genera log di sistema.

Per eseguire un attacco di lettura diretta del disco, un attore malintenzionato può sfruttare un driver vulnerabile o utilizzare driver di basso livello come disk.sys. Il processo coinvolge l’apertura di un handle al driver del disco fisico, l’invio di richieste di lettura e la ricezione dei dati grezzi. Una volta ottenuti i dati, è necessario un parser del file system NTFS per estrarre i file desiderati. Questa tecnica è particolarmente efficace per l’estrazione di file sensibili, poiché non interagisce direttamente con i file stessi e quindi non attiva i controlli di sicurezza.

Una delle principali sfide, riportano i ricercatori, è implementare questa tecnica è la necessità di comprendere la struttura del file system NTFS. Elementi come il Master Boot Record (MBR), la GUID Partition Table (GPT) e il Volume Boot Record (VBR) i quali contengono informazioni cruciali sulla disposizione dei dati sul disco. L’accesso diretto al disco consente di bypassare i controlli di accesso e di leggere questi dati senza restrizioni, facilitando l’estrazione di informazioni sensibili.

Per contrastare questa minaccia, è fondamentale adottare misure di sicurezza preventive. Limitare i privilegi amministrativi è una delle strategie più efficaci, poiché riduce la possibilità per un attaccante di installare driver dannosi o di accedere direttamente al disco fisico. Inoltre, monitorare le chiamate API come CreateFile, in particolare quando interagiscono con driver di basso livello, può aiutare a rilevare attività sospette. L’implementazione di queste misure può contribuire a ridurre il rischio associato a questa vulnerabilità.

In sintesi, l’accesso diretto al disco rappresenta una tecnica potente per eludere gli strumenti di sicurezza tradizionali. Comprendere le vulnerabilità nei driver di Windows e adottare misure di sicurezza appropriate sono passi essenziali per proteggere i sistemi da attacchi sofisticati. Le organizzazioni dovrebbero rivedere regolarmente i driver in uso e implementare controlli di sicurezza per mitigare i rischi associati a questa minaccia.

L'articolo Il Lato Oscuro dei Driver Windows: Come Rubare Dati Ignorando l’EDR proviene da il blog della sicurezza informatica.

L’appaltatore americano Sierra Nevada Corporation (SNC) ha avviato i test di volo del nuovo E-4C Survivable Airborne Operations Center dell’Aeronautica Militare statunitense. Questa versione aggiornata è destinata a sostituire il vecchio E-4B Nightwatch, che dagli anni ’70 è stato l’aereo apocalittico statunitense.

L’E-4C ha volato per la prima volta il 7 agosto 2025, come annunciato dall’azienda il 3 settembre. I test fanno parte del programma Survivable Airborne Operations Center (SAOC). SNC si è aggiudicata il contratto da 13 miliardi di dollari nel 2024, dopo che Boeing, il produttore della generazione precedente, si era ritirato dalla competizione a causa di disaccordi con l’Aeronautica Militare.

Il nuovo aereo è basato sul Boeing 747-8, una versione allungata e modernizzata del classico aereo di linea. L’Aeronautica Militare ha già acquistato quattro di questi velivoli per la conversione, e SNC ha acquisito altri cinque 747-8 usati da Korean Air nel 2024 per garantire un inventario sufficiente per la conversione e la futura manutenzione. I motori GE Aerospace GEnx-2B sono in fase di profonda revisione per migliorarne l’affidabilità e l’efficienza.

La flotta di E-4B, basata sul Boeing 747-200, è in servizio da oltre 51 anni. Nonostante i numerosi miglioramenti, questi velivoli sono notevolmente inferiori alle soluzioni moderne. Pertanto, il passaggio all’E-4C è visto come un passo fondamentale per mantenere il controllo garantito in caso di conflitto nucleare o di un attacco su larga scala agli Stati Uniti.

La missione del nuovo velivolo rimane la stessa: garantire la continuità del comando statale e militare in caso di distruzione dei centri di terra. Dall’E-4C, i vertici aziendali saranno in grado di impartire ordini per l’uso di armi nucleari, coordinare le operazioni militari e mantenere le comunicazioni con la rete globale delle forze strategiche.

Il programma di test durerà fino al 2026 e include voli e prove al banco presso i siti di Dayton, Ohio, e Wichita, Kansas. L’obiettivo è ridurre i rischi ingegneristici, convalidare le modifiche e stabilire uno standard tecnico per gli aeromobili di produzione. La consegna dell’intera flotta è prevista per il 2036 e si prevede che il numero di nuovi velivoli sarà approssimativamente lo stesso della flotta attuale: quattro.

Sebbene i dettagli non siano stati resi noti, l’E-4C sarà dotato di una protezione EMP migliorata, sistemi di comunicazione più potenti , collegamenti satellitari e sistemi di elaborazione dati sicuri. La piattaforma 747-8 offrirà maggiore autonomia e capacità di carico utile, consentendo di trasportare più personale, equipaggiamenti e apparecchiature di comunicazione rispetto al suo predecessore.

Il nuovo velivolo farà parte del sistema di Comando, Controllo e Comunicazioni Nucleari (NC3) potenziato, che il Pentagono definisce il “sistema nervoso” delle forze strategiche. Include satelliti, sottomarini, bombardieri, centri di terra e posti di comando aviotrasportati. Con Russia e Cina che stanno rafforzando le loro capacità nucleari, l’aggiornamento dell’NC3 è considerato fondamentale per mantenere la deterrenza.

Il programma E-4C è il più grande progetto di difesa nella storia della Sierra Nevada Corporation, precedentemente nota principalmente per lo spazio, laguerra elettronica e la modernizzazione dell’aviazione. La nuova flotta di aerei apocalittici è progettata per essere operativa almeno fino alla metà del XXI secolo, preservando la capacità degli Stati Uniti di controllare il proprio arsenale nucleare strategico in qualsiasi circostanza, una missione che risale alla Guerra Fredda.

L'articolo L’Aeronautica Militare Statunitense Lancia il Nuovo Aereo Apocalittico E-4C proviene da il blog della sicurezza informatica.

È stata scoperta una nuova vulnerabilità zero-day che colpisce diversi modelli di router TP-Link. Il problema, identificato come un buffer overflow nell’implementazione del protocollo CWMP (CPE WAN Management Protocol), potrebbe consentire a un attaccante di eseguire codice arbitrario e reindirizzare le richieste DNS a server falsi.

La vulnerabilità è stata segnalata da un ricercatore indipendente noto con il nickname Mehrun (ByteRay) l’11 maggio 2024. TP-Link ha confermato l’esistenza dell’errore e sta lavorando sugli aggiornamenti per risolvere il problema. Al momento, la correzione è disponibile solo per le versioni firmware europee, mentre l’adattamento per gli Stati Uniti e altre regioni è ancora in corso.

La vulnerabilità risiede nella funzione di elaborazione dei messaggi SOAP SetParameterValues, dove le chiamate strncpy vengono eseguite senza verificare i limiti. Ciò potrebbe portare alla possibilità di eseguire codice arbitrario se la dimensione del buffer di input supera i 3072 byte. Un attacco reale può essere implementato sostituendo il server CWMP e trasmettendo una richiesta SOAP appositamente predisposta.

Se sfruttata con successo, la vulnerabilità può reindirizzare le richieste DNS a server falsi, intercettare o modificare silenziosamente il traffico non crittografato e iniettare dati dannosi nelle sessioni utente. I modelli di router vulnerabili includono Archer AX10 e Archer AX1500, ancora in vendita e molto popolari.

TP-Link consiglia agli utenti di modificare le password di amministratore di fabbrica, disabilitare CWMP se non utilizzato, aggiornare il firmware all’ultima versione e, se possibile, isolare il router dai segmenti di rete critici.

L'articolo Vulnerabilità zero-day in azione sui router TP-Link: cosa sapere fino al rilascio della patch proviene da il blog della sicurezza informatica.

Una vasta operazione di cyberspionaggio condotta dalla Cina, denominata “Salt Typhoon”, è stata descritta recentemente come la più ambiziosa mai attribuita a Pechino. Secondo il rapporto, questa campagna avrebbe portato al furto di dati sensibili di quasi tutti gli americani, compresi nomi di alto profilo come il presidente Donald Trump e il vicepresidente JD Vance. La dimensione dell’attacco conferma la capacità dei gruppi cinesi di penetrare in profondità nelle reti di comunicazione internazionali.

Gli obiettivi colpiti non si limitano agli Stati Uniti: Salt Typhoon ha infatti compromesso reti di telecomunicazione in oltre 80 paesi, rendendo evidente l’estensione globale di questa operazione. La scelta di colpire le telecomunicazioni appare strategica, poiché permette di intercettare, manipolare e utilizzare informazioni su larga scala, con possibili ripercussioni per governi, aziende e cittadini.

Parallelamente aSalt Typhoon, è stato citato un ulteriore vettore di minaccia, identificato come “Volt Typhoon”, che ha spostato l’attenzione verso infrastrutture critiche americane, tra cui le reti elettriche. La combinazione dei due scenari aumenta le preoccupazioni sulla sicurezza nazionale, poiché dimostra una doppia capacità: spionaggio politico e colpi mirati a strutture vitali.

La risposta statunitense si sta articolando attraverso contromisure legali e di cybersecurity messe in campo da organismi come l’FBI e il Dipartimento di Giustizia. Le autorità hanno rafforzato gli strumenti di difesa e intensificato le indagini, segnalando la volontà di contrastare l’operazione non solo sul piano tecnico, ma anche su quello giuridico e diplomatico.

Il rapporto sottolinea inoltre le gravi implicazioni per i cittadini comuni, che rischiano di vedere compromessa la propria privacy a causa dell’esfiltrazione di dati personali. A queste criticità si aggiunge la minaccia verso infrastrutture strategiche, capaci di influenzare direttamente la vita quotidiana delle persone, rendendo la portata dell’attacco ancora più allarmante.

Guam è emersa come uno dei punti nevralgici di questa vicenda, poiché considerata particolarmente vulnerabile a causa della sua importanza strategica nello scenario geopolitico e militare. La posizione dell’isola ne fa un obiettivo privilegiato, rendendola simbolo della fragilità degli equilibri in questa nuova forma di conflitto.

Nonostante la gravità delle accuse, la Cina ha negato ogni coinvolgimento nell’operazione. Tuttavia, la condanna e le reazioni internazionali crescono, contribuendo ad alimentare tensioni politiche tra Washington e Pechino. Gli esperti stimano perdite economiche di miliardi di dollari, un impatto che si aggiunge alle conseguenze geopolitiche, trasformando Salt Typhoon in un evento destinato a segnare profondamente i rapporti tra le due potenze.

L'articolo Oltre lo spionaggio: “Salt Typhoon” avrebbe preso di mira anche Donald Trump proviene da il blog della sicurezza informatica.

It was bad enough when government officials claimed that journalists incite violence by reporting. But now, they’re accusing reporters of actually committing violence.

The supposed violence by reporters? Recording videos. At least three times recently, a government official or lawyer has argued that simply recording law enforcement or Immigration and Customs Enforcement officers is a form of violence.

In July, Department of Homeland Security Secretary Kristi Noem proclaimed during a news conference following ICE raids on California farms that videotaping ICE agents performing operations is “violence.” Noem lumped video recordings in with other forms of actual violence, like throwing rocks or Molotov cocktails at agents.

Then, in August, Justice Department lawyer Sean Skedzielewski argued, during a court hearing over the Los Angeles Police Department’s mistreatment of journalists covering protests, that videotaping law enforcement officers “can be used for violence.” He claimed recording is violent because it can reveal officers’ identities, leading to harassment, and can encourage more protesters to join the fray.

Also in August, the government applied similar logic as it fought against the release of Mario Guevara, the only journalist in U.S. custody after being arrested for newsgathering. Guevara, who is originally from El Salvador, was detained while covering a protest in Georgia and turned over to ICE for deportation. In a bond hearing before an immigration court in July, according to the Committee to Protect Journalists, the government argued that Guevara’s recording and livestreaming of law enforcement “presents a safety threat.”

At the risk of stating the obvious, videotaping someone is not the equivalent of throwing a firebomb at them. Actually, recordings of law enforcement officers made by journalists and members of the public allow the public to see what the police are up to and hold officers accountable for abusing their authority or breaking the law.

That includes holding officers who are violating the First Amendment accountable in court. Adam Rose, chair of the press rights committee for the LA Press Club, said that Skedzielewski also denied in court that DHS officers had pointed weapons at journalists, despite video evidence submitted to the court of them doing exactly that.

Skedzielewski “wound up making our case for us,” Rose told us. “His own argument showed how the government can try to lie in court, and why filming in public is critical to ensure the truth comes out.”

Video recording police in public is also protected by the First Amendment, as both Rose and Mickey Osterreicher, the general counsel for the National Press Photographers Association, point out. “The claim that journalists and others video recording police are engaged in ‘acts of violence’ is not only absurd on its face but flies in the face of the law and common sense,” said Osterreicher.

That constitutional right applies even if officers would prefer not to be identified. The government often claims that officers must not be identified because they’re at risk of (real) violence or harassment. But the correct response to those threats is to prosecute and punish those who actually break the law by harassing or physically attacking police, not make up crimes to go after those who exercise their First Amendment right to record them.

The government claims at other times that officers should not be recorded because they’re undercover. The government has been known to abuse this argument, including by making bizarre claims that any officer who may, at some point, go undercover should be treated as undercover at all times. Plus, journalists have no way of knowing whether a particular agent participating in an immigration raid or officer policing a protest is undercover at the moment they’re recording. The responsibility of preserving officers’ cover is on the officer and the government, not journalists and the public who can observe them working in plain view.

These justifications, however, are mere pretext for the government’s true purpose. Officials want courts and the public to believe that recording agents and officers is a violent act because it justifies officers’ own violent response to the press.

In LA, government attorney Skedzielewski didn’t just argue that video recording is violent. He said that meant that justified officers in using force against people videotaping them. This claim—made in a court that’s already restrained police from attacking journalists after they were documented violently assaulting and detaining reporters repeatedly —should seriously alarm journalists and anyone who wants to record police.

“For an officer of the court to conflate the use of recordings to reveal police officers’ identities with the actual making of those recordings, in order to justify the use of excessive force against those doing the recording, shows complete ignorance of the law, disregard for the Constitution, a blatant attempt to demonize those who would dare risk their health and safety to provide visual proof of police behavior, or all three,” said Osterreicher.

That demonization is working, unfortunately, especially when it comes to ICE officers’ beliefs about how they can respond to being recorded. In recent months, ICE officers have knocked phones out of the hands of those recording them, pulled weapons on people photographing or videotaping them, and even arrested U.S. citizens for filming them.

The escalating attacks on journalists and citizens who are recording police show the danger of the government’s rhetoric. All who care about press freedom and transparency must push back on claims equating filming to violence.

When officials say at news conferences that video recording is violent, journalists should challenge that assertion and cite the law.

When attorneys argue that recording police justifies violence or arrest, they should have their arguments confronted by opposing counsel and the judge, who has the power to sanction lawyers who ignore First Amendment jurisprudence to make frivolous arguments on behalf of the government.

And when ICE officers harass or detain someone for videotaping them, everyone else should take out their phones and hit the record button.

Recording the police isn’t violence. Don’t let officials get away with loud, incorrect claims to the contrary to diminish our First Amendment rights.

freedom.press/issues/recording…