



Now it's our turn.

In the coming days there will be a general strike, and I hope there will really be a lot of us in the streets.


‼️BREAKING‼️

One of the Global Sumud Flotilla's ships, the Alma, has been boarded by IDF vessels.

At the moment the ships are in the area defined as high risk, 10 nautical miles from the coast of Gaza. In recent hours about twenty unidentified vessels had been picked up by the Flotilla's radar, triggering the state of alert.




People Are Farming and Selling Sora 2 Invite Codes on eBay #Sora #OpenAI


People Are Farming and Selling Sora 2 Invite Codes on eBay


People are farming and selling invite codes for Sora 2 on eBay, which is currently the fastest and most reliable way to get onto OpenAI’s new video generation and TikTok-clone-but-make-it-AI-slop app. Because of the way Sora is set up, it is possible to buy one code, register an account, then get more codes with the new account and repeat the process.

On eBay, there are about 20 active listings for Sora 2 invite codes and 30 completed listings in which invite codes have sold. I bought a code from a seller for $12, and received a working code a few minutes later. The moment I activated my account, I was given four new codes for Sora 2. When I went into the histories of some of the sellers, many of them had sold a handful of codes previously, suggesting they were able to get their hands on more than four invites. It’s possible to do this just by cycling through accounts; each invite code is good for four invites, so it is possible to use one invite code for a new account for yourself, sell three of them, and repeat the process.

There are also dozens of people claiming to be selling or giving away codes on Reddit and X; some are asking for money via Cash App or Venmo, while others are asking for crypto. One guy has even created a website in which he has generated all 2.1 billion six-digit hexadecimal combinations to allow people to randomly guess / brute force the app (the site is a joke).

The fact that the invite codes are being sold across the internet is an indication that OpenAI has been able to capture some initial hype with the release of the app (which we’ll have much more to say about soon), but does not necessarily mean that it’s going to be some huge success or have sustained attention. Code and app invite sales are very common on eBay, even for apps and concert tickets (or game consoles, or other items) that eventually aren’t very popular or are mostly just a flash in the pan. But much of my timeline today is talking about Sora 2, which suggests that we may be crossing some sort of AI slop creation rubicon.




FLOSS Weekly Episode 849: Veilid: Be a Brick


This week Jonathan talks with Brandon and TC about Veilid, the peer-to-peer networking framework that takes inspiration from Tor, and VeilidChat, the encrypted messenger built on top of it. What was the inspiration? How does it work, and what can you do with it? Listen to find out!



Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.


Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/10/01/floss-…



Kodak announced two new types of film that it will sell directly to photography stores, sidestepping a bizarre distribution agreement that has been in place since its bankruptcy. #Photography #FilmCameras #film


Kodak Is Selling Its Own Film Again for the First Time in a Decade


Kodak announced two new stocks of color film on Wednesday, in a move that has excited the photography world and which indicates that the photography giant is directly distributing still photography film again.

“To help meet the growing demand for film, Kodak is excited to announce the launch of two color-negative films, KODACOLOR 100 and KODACOLOR 200, in 135 format rolls,” Kodak said in an Instagram post. “For the first time in over a decade, Kodak will sell these films directly to distributors, in an effort to increase supply and help create greater stability in a market where prices have fluctuated. These films are sub-brands of existing Kodak films and offer the same high quality you’ve come to expect from Kodak.”

That quote is key—there are various types of Kodak film on the market right now. Those films are all made by Eastman Kodak (the legendary 133-year-old photography company) but they are sold through a totally separate company called Kodak Alaris, which is a UK-based company spun off from Eastman Kodak in 2012 as part of its bankruptcy. Since then, Kodak Alaris has had the sole right to distribute the still film stocks that Eastman Kodak manufactures. The sense in the photography community is that this arrangement is, at best, annoying and that it has perhaps led Kodak to not focus as much on making new film stocks as it should; there was further concern last year after Kodak Alaris was sold to a private equity firm.

What remains unclear is what KODACOLOR actually is; in the photography world, many “new” films are rebranded versions of other films that are on the market, are rereleased versions of film that had been previously discontinued, or are respooled versions of movie film that have been altered for still photography.

The Wednesday announcement of KODACOLOR makes clear that Eastman Kodak will be selling KODACOLOR directly to photography stores itself, which suggests that the company has wrested at least some control over the distribution of its films from Kodak Alaris, and raises all sorts of exciting possibilities about the future of Kodak film. The details of how or why it did this are not yet available and Kodak did not immediately respond to a request for comment. But it is notable that while Kodak manufactures about a dozen different types of film including Kodak Gold, Ektar, Portra, and Colorplus, the only “still film” listed on the Kodak website is now the new KODACOLOR film stocks.

Regardless of the reasoning or specifics behind the news, the announcement of new film stocks from the most important film company in the world is the latest sign of the enduring and resurgent popularity of analog film photography. And it at least shows that Kodak is interested in creating new types of film for the hobby; as Petapixel points out, it is Kodak’s “first new film in a very long time.” In recent years, there has been a handful of new film stocks announced and released, most notably a type of film called Phoenix from a company called Harman, which is made in a new factory in England and, according to the company, has been “hugely successful.”






“Saint Francis, who had the proclamation of peace among his main aims, reminds us that a fraternal, disarmed world is possible, where everyone has their place, starting with the poorest and most fragile”. So states Card.


Lost Techniques: Bond-out CPUs and In Circuit Emulation


These days, we take it for granted that you can connect a cheap piece of hardware to a microcontroller and have an amazing debugging experience. Stop the program. Examine memory and registers. You can see and usually change anything. There are only a handful of ways this is done on modern CPUs, and they all vary only by detail. But this wasn’t always the case. Getting that kind of view to an actual running system was an expensive proposition.

Today, you typically have some serial interface, often JTAG, and enough hardware in the IC to communicate with a host computer to reveal and change internal state, set breakpoints, and the rest. But that wasn’t always easy. In the bad old days, transistors were large and die were small. You couldn’t afford to add little debugging pins to each processor you produced.

This led to some very interesting workarounds. Of course, you could always run simulators on a larger computer. But that might not work in real time, and almost certainly didn’t have all the external things you wanted to connect to, unless you also simulated them.

The alternative? Create a special chip, often called a bond-out chip. These were usually expensive and had some way to communicate with the outside world. This might be a couple of pins, or there might be a bundle of wires coming out of the top of the chip. You replaced your microprocessor with the expensive bond-out chip and connected it to your very expensive in-circuit emulator.
If you have a better scan of the ICE-51 datasheet, we’d love to see it.
For example, the venerable 8051 had an 8051E chip that brought out the address and data bus lines for debugging. In fact, the history of the 8051 notes that they developed the bond-out chip first. The chip was bigger and sold in lower volumes, so it was more expensive. It needed not just connections but breakpoint hardware to stop the CPU at exactly the right time for debugging.

In some cases, the emulator probe was a board that sat between a stock CPU and the CPU socket. Of course, that meant you had to have room to accommodate the large board. Of course, it also assumes that at least your development board had a socket, although in those days it was rare to have an expensive CPU soldered right down to the board.
Another poor scan, this time of the Lauterbach emulator probe for the 68000.
For example, the Lauterbach ICE-68300 here could take a bond-out chip or a regular chip, although it would be missing features if you didn’t have the special chip.

Of course, you can still find in-circuit emulators, but the difference is that they almost certainly have supporting hardware on the standard chip and simply use a serial communication protocol to talk to the on-chip hardware.

Of course, if you want an emulator for an old CPU, you have enough horsepower now that you can probably emulate it with a modern processor, like the IZE80 does in the video below. Then you can incorporate all kinds of magical debugging features. But be careful what you take on. To properly mimic the hardware means tight timing for things like DRAM refresh and a complete understanding of all the bus timings involved.

But it can be done. In any event, whether it is on-chip debugging or real in-circuit emulation, it sure makes life easier.

youtube.com/embed/Gdode3PfTbs?…


hackaday.com/2025/10/01/lost-t…



“We make our own the invitation of the Holy Father Leo XIV to intensify prayer for peace, in particular by reciting the Rosary throughout the month of October and by all taking part together in the vigil of the Jubilee of spirituality mar…


“A strong appeal for unity around integral ecology and for peace!”. It was made by Leo XIV, at the end of the address delivered from the Centro Mariapoli in Castel Gandolfo to the participants in the “Raising Hope” conference on the tenth anniversary of the encyc…


Both organizations are seeking a copy of a data sharing agreement that is giving the personal data of nearly 80 million Medicaid patients to ICE. #Announcements


404 Media and Freedom of the Press Foundation Sue DHS


Last week Freedom of the Press Foundation and 404 Media filed a lawsuit against multiple parts of the U.S. government demanding they hand over a copy of an agreement that shares the personal data of nearly 80 million Medicaid patients with ICE. The data sharing marked a watershed moment for ICE and its access to highly sensitive data that is ordinarily siloed off from the agency. We believe it’s important for the public to see this unprecedented data sharing agreement for themselves.

As the Associated Press wrote when it first reported on the data sharing agreement between the Department of Homeland Security (DHS) and the Centers for Medicare and Medicaid Services (CMS), the agreement will give ICE the ability to find “the location of aliens.” The data shared includes home addresses and ethnicities, according to the Associated Press.

💡
Do you know anything else about this data sharing agreement? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Both Freedom of the Press Foundation and 404 Media filed similar Freedom of Information Act (FOIA) requests with DHS and CMS seeking a copy of the agreement. Neither agency provided the requested records in time, so we have now filed the lawsuit. In 404 Media’s case, CMS acknowledged the request but has not provided the records, and DHS did not even acknowledge the request at all.

404 Media’s request asked for a copy of the specific agreement, and if the agencies were unable to locate it, to alternatively provide copies of all agreements between DHS and CMS from this year.

“Despite having received the FOIA requests, and despite their obligations under the law, Defendants have failed to notify Plaintiffs of the scope of documents that they will produce or the scope of documents that they plan to withhold in response to the FOIA requests,” the lawsuit reads.
Freedom of the Press Foundation is a non-profit organization that monitors press freedom issues in the U.S. and trains journalists on how to keep themselves and their sources safe. It regularly sues the U.S. government for access to records.

The data sharing agreement is just one of a growing list of ways that ICE is sourcing highly sensitive, and sometimes legally protected, information as part of the Trump administration’s mass deportation effort. ProPublica reported on the vast system the IRS is building to share millions of taxpayers’ data with ICE. 404 Media previously reported ICE has gained access to ISO Claimsearch, a massive insurance and medical bill database to find deportation targets. The database is nearly all encompassing and contains details on more than 1.8 billion insurance claims and 58 million medical bills.

Separately, 404 Media filed a lawsuit against ICE in September for access to the agency’s $2 million spyware contract.

If you want to support this work, become a paid subscriber here. If you would like to make a larger, tax deductible donation, please email us at donate@404media.co.





The Global Sumud Flotilla says about ten ships are approaching

ilpost.it/live/global-sumud-fl…



Building An Open Source Point of Sale System


[Mukesh Sankhla] has been tinkering in the world of Point of Sale systems of late. His latest creation is a simple, straightforward kiosk system, and he’s open sourced the design.

The Latte Panda MU single-board computer is at the heart of the build, handling primary duties and communicating with the outside world. It’s hooked up to a touchscreen display which shows the various items available for purchase. As an x86 system, the Latte Panda runs Windows 11, along with a simple kiosk software package written in Python. The software uses Google Firebase as a database backend. There’s also an Xiao ESP32 S3 microcontroller in the mix, serving as an interface between the Latte Panda and the thermal printer which is charged with printing receipts.

It’s worth noting that this is just a point-of-sale system; it executes orders, but doesn’t directly deliver or vend anything. With that said, since it’s all open-source, there’s nothing stopping you from upgrading this project further.

We’ve featured other interesting point-of-sale systems before; particularly interesting was the San Francisco restaurant that was completely automated with no human interaction involved.

youtube.com/embed/sL1OeTtPDf0?…


hackaday.com/2025/10/01/buildi…




#NextGenAI, in Naples from Wednesday 8 to Monday 13 October!
For the first international summit on Artificial Intelligence in #scuola (schools), promoted by #MIM as part of the travelling campus #ScuolaFutura, delegations are expected from institutions sc…



The Hottest Spark Plugs Were Actually Radioactive


In the middle of the 20th century, the atom was all the rage. Radiation was the shiny new solution to everything while being similarly poorly understood by the general public and a great deal of those working with it.

Against this backdrop, Firestone Tire and Rubber Company decided to sprinkle some radioactive magic into spark plugs. There was some science behind the silliness, but it turns out there are a number of good reasons we’re not using nuke plugs under the hood of cars to this day.

Hot Stuff


The Firestone Polonium spark plug represented a fascinating intersection of Cold War-era nuclear optimism and automotive engineering. These weren’t your garden-variety spark plugs – they contained small amounts of polonium-210. The theory behind radioactive spark plugs was quite simple from an engineering perspective. As the radioactive polonium decayed into lead, it would release alpha particles supposed to ionize the air-fuel mixture in the combustion chamber, making an easier path for the spark to ignite and reducing the likelihood of misfires. Thus, the polonium-210 spark plugs would theoretically create a better, stronger spark and improve combustion efficiency.
Firestone decided polonium, not radium, was the way to go when it filed a patent of its own. Credit: US Patent
These plugs hit the market sometime around 1940, though the idea dates back at least a full 11 years earlier. In 1924, Albert Hubbard applied for a patent (US 1,723,422), which was granted five years later. His patent concerned the use of radium to create an ionized path through the gas inside an engine’s cylinder to improve spark plug performance.

Firestone’s patent (US 2,254,169) came much later, granted in 1941. The company decided that polonium-210 was a more viable radioactive source. Radium was considered “too expensive and dangerous”, while uranium and thorium isotopes were found to be “ineffective.” Polonium, though, was the bee’s knees. From the patent filing:

Frequently, conditions will be so unfavorable that a spark will not occur at all, and it will be necessary to turn the engine over a number of times before a spark occurs. However, if the alpha rays of polonium are passing through the gap, a large number of extra ions are formed by each alpha ray (10,000 ions per-alpha ray) and the gap breaks down promptly after the voltage begins to rise and at a lower voltage value than that required by standard spark plugs. Thus, it might be said that polonium creates favorable conditions for gap breakdown under all circumstances. Many tests have been run which substantiate the above explanations. The most conclusive test of this type consisted in comparing the starting characteristics of many polonium-containing spark plugs with ordinary spark plugs, all plugs having had more than a year of hard service, in several engines at -15° F. It was found that thirty per cent fewer revolutions of an engine were required for starting when the polonium plugs were used.


Firestone was quite proud of its new Atomic Age product. Credit: Firestone
As per the patent, the radioactive material was incorporated into the electrodes by adding it to the nickel alloy used to produce them. This would put it in prime position to ionize the air charge in the spark gap where it mattered most.

The science seems to check out on paper, but polonium spark plugs were only on the market for a short period of time, with the last known advertisements being published sometime around 1953. If the radioactive spark plugs had serious performance benefits, one suspects they might have stuck around. However, physics tells us they may not have been that special in reality.

In particular, polonium-210 has a relatively short half-life of just 138 days. In a year, 84% of the initial polonium-210 would have already decayed. Thus, between manufacturing, shipping, purchase, and installation, it’s hard to say how much “heat” would have been left in the plugs by the time they even reached the consumer. These plugs would quickly lose their magic simply sitting on the shelf. Beyond that, there are some questions of their performance in a real working engine. Firestone’s patent claimed improved performance over time, but a more sceptical view would be that deposits left on the spark plug electrodes over time would easily block any alpha particles that would otherwise be emitted to help cause ionization.
Examples of the polonium-impregnated spark plugs can be readily found online, though the radioactive material decayed away long ago. Credit: eBay
Ultimately, while the plugs may have had some small benefit when new, any additional performance was minor enough that they never really found a market. Couple this with ugly problems around dispersal, storage, and disposal of radioactive material, and it’s perhaps quite a good thing that these plugs didn’t really catch on.

Despite the lack of market success, however, it’s still possible to find these spark plugs in the wild today. A simple search on online auction sites will turn up dozens of examples, though don’t expect them to show up glowing. The radioactive material within will long have decayed to the point where they’re not going to significantly exceed typical background radiation. Still, they’re an interesting call back to an era when radioactivity was the hottest new thing on the block.


hackaday.com/2025/10/01/the-ho…



A critical bug in VMware Aria Operations and VMware Tools exploited for months by Chinese hackers


Broadcom has fixed a serious privilege escalation vulnerability in VMware Aria Operations and VMware Tools that had been exploited in attacks since October 2024. The issue has been assigned the identifier CVE-2025-41244. Although the company did not report any exploitation in its official bulletin, NVISO researcher Maxime Thibault, who reported it in May, said the attacks began in mid-October 2024. Analysis linked the attacks to the Chinese group UNC5174.

The vulnerability allows an unprivileged local user to place a malicious binary in directories that match broad regular expressions. One variant observed in real attacks uses the /tmp/httpd directory. For the malware to be picked up by the VMware service, it must be run as a normal user and open a random network socket.

As a result, attackers gain the ability to escalate privileges to root and execute arbitrary code inside the virtual machine. NVISO has also published a proof-of-concept exploit showing how this flaw is used to compromise VMware Aria Operations in credential-based mode and VMware Tools in credential-less mode.

According to Google Mandiant, UNC5174 operates on behalf of China's Ministry of State Security. In 2023, the group sold access to the networks of US defence contractors, British government agencies and Asian organizations by exploiting the CVE-2023-46747 vulnerability in F5 BIG-IP.

In February 2024, they exploited the CVE-2024-1709 vulnerability in ConnectWise ScreenConnect, attacking hundreds of institutions in the United States and Canada.

In spring 2025, the group was also observed exploiting CVE-2025-31324, a file upload flaw in NetWeaver Visual Composer that allowed arbitrary code execution. Other Chinese groups also took part in attacks on SAP systems, including Chaya_004, UNC5221 and CL-STA-0048, which installed backdoors on more than 580 NetWeaver instances, including those in critical infrastructure in the United States and the United Kingdom.

The article "A critical bug in VMware Aria Operations and VMware Tools exploited for months by Chinese hackers" comes from il blog della sicurezza informatica.
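A defender-side check for the condition described above, as an added example that is not from the article, NVISO or Broadcom: it lists processes that hold a listening TCP socket while running as a non-root user from a user-writable location such as the /tmp/httpd path named in the article. The directory list beyond /tmp, the `Listener` record and the sample processes are assumptions constructed for illustration.

```python
import os
import posixpath
from dataclasses import dataclass

# Assumption: locations an unprivileged user can normally write to.
# /tmp is the one named in the article; the others are added for illustration.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
DELETED = " (deleted)"  # suffix the kernel appends when the binary was unlinked


@dataclass
class Listener:
    pid: int
    uid: int
    exe: str  # target of the /proc/<pid>/exe symlink


def is_suspicious(proc, prefixes=WRITABLE_PREFIXES):
    """True for a non-root listener whose binary lives in a user-writable location."""
    exe = proc.exe
    if exe.endswith(DELETED):
        exe = exe[: -len(DELETED)]
    exe = posixpath.normpath(exe)  # collapse ./ and ../ before the prefix test
    return proc.uid != 0 and exe.startswith(prefixes)


def triage(listeners):
    """Return the sorted PIDs that deserve a closer look."""
    return sorted(p.pid for p in listeners if is_suspicious(p))


def listening_inodes():
    """Socket inodes in LISTEN state (st == 0A) from /proc/net/tcp and tcp6."""
    inodes = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                next(fh, None)  # skip the header row
                for line in fh:
                    fields = line.split()
                    if len(fields) > 9 and fields[3] == "0A":
                        inodes.add(fields[9])
        except OSError:
            continue
    return inodes


def collect_listeners():
    """Map listening sockets back to their owning processes (Linux; run as root to see all)."""
    wanted = listening_inodes()
    found = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            links = {os.readlink(f"{base}/fd/{fd}") for fd in os.listdir(f"{base}/fd")}
            if any(l.startswith("socket:[") and l[8:-1] in wanted for l in links):
                # Owner of /proc/<pid> is normally the process's effective UID.
                found.append(Listener(int(entry), os.stat(base).st_uid,
                                      os.readlink(f"{base}/exe")))
        except OSError:
            continue  # process exited or is not readable by this user
    return found


# Constructed sample records, not taken from any real host.
SAMPLE = [
    Listener(812, 0, "/usr/sbin/sshd"),
    Listener(2290, 33, "/usr/sbin/apache2"),
    Listener(4242, 1001, "/tmp/httpd"),
    Listener(4310, 1001, "/dev/shm/.x/nginx (deleted)"),
    Listener(5100, 1001, "/tmpfoo/httpd"),
]

if __name__ == "__main__":
    procs = collect_listeners() if os.path.isdir("/proc/net") else SAMPLE
    for p in procs:
        if is_suspicious(p):
            print(f"review pid={p.pid} uid={p.uid} exe={p.exe}")
```

A hit is a lead for review rather than proof of compromise, since developers and some installers also run listeners from temporary directories.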



DK 10x04 - The rip-off and the bubble


After three years, even OpenAI's researchers admit that "hallucinations" are an intrinsic characteristic of language models. After three years, even the Wall Street Journal is starting to talk about a speculative AI bubble. Brace yourselves.


spreaker.com/episode/dk-10x04-…




Consecrated life: Paulines, Sr. Mari Lucia Kim is the new superior general

Sr. Mari Lucia Kim is the new superior general of the Daughters of St. Paul, the Paulines. Appointed by the 12th General Chapter, Sr. Mari Lucia was born on 1 November 1965 in Mokpo, Korea, and has been a Daughter of St. Paul since 25 January 1995.




The US speeds up reform of military exports to capture European rearmament. The details

@Notizie dall'Italia e dal mondo

The United States is stepping on the accelerator to export its weapon systems abroad. In Congress, the most ambitious attempt in recent decades to update the rules on exports is under way



Greece. General strike against the 13-hour working day


@Notizie dall'Italia e dal mondo
General strike today in Greece against the government's proposal to allow employees to work up to 13 hours a day to increase their pay
The article Greece. Strike https://pagineesteri.it/2025/10/01/mediterraneo/grecia-sciopero-generale-giornata-lavorativa-13-ore/



And thank goodness we were exaggerating and Putin was not our enemy... it seems like when, before the invasion of Ukraine, we Europeans were "hysterical"... according to Putin. It may be time to arm ourselves and start hitting back. At least defensively..


The UK government tries again to access Apple customers' encrypted data

If you are interested in this kind of update you can follow the Activitypub group @Informatica (Italy e non Italy 😁)

NEW: The U.K. government is reportedly once again requesting Apple build a backdoor so government officials can access end-to-end encrypted iCloud backups in the country.

Last time this happened, Apple disabled iCloud's Advanced Data Protection, the opt-in feature that lets users encrypt cloud backups.

techcrunch.com/2025/10/01/uk-g…

in reply to Cybersecurity & cyberwarfare

@lorenzofb but they are completely right, I just have one thought I would like an answer to from those gentlemen, one that is legally respectful and based on the principle that establishes equality of rights, and without rhetoric: why should/must "they" be excluded from it? Because of the offices they hold!? Perhaps among "them" there cannot be paedophiles, corrupt people, thieves!? "They are elected by the people, who DESERVE respect for the trust placed in them, not to ABUSE the power obtained for personal ends. 🤐


Mexico. Two water defenders indicted: justice strikes popular movements


@Notizie dall'Italia e dal mondo
Amid growing water concessions to private multinationals and protests by local populations, two activists for the defence of water and land have been indicted after a hearing marked by numerous



Sweden trains NATO troops to operate in the High North

@Notizie dall'Italia e dal mondo

The common narrative of the Arctic as a theatre of war evokes images of ice, snow and prohibitive temperatures. But for insiders and military commanders the most treacherous season is not winter but the “fifth season”, autumn and spring, when the thaw turns the ground into an impassable quagmire



Gaza. Almost 7 victims out of 10 are women, girls and young women


@Notizie dall'Italia e dal mondo
The danger does not come only from bombs: gender-based violence is growing and essential rights are being trampled. 700,000 women and girls of reproductive age have no sanitary pads, clean water, soap or privacy.
The article Gaza. Almost 7 victims out of 10 are women, girls and young women comes from



Mobile security: the impact of ethical hacking and the role of vulnerability management


@Informatica (Italy e non Italy 😁)
A critical privilege escalation vulnerability in the PosteID app was discovered by SERICS researchers and then fixed by the team of the Identity Provider Poste Italiane, a testament to the benefits in the




Tilly Norwood shakes Hollywood: actors' union against the AI-created actress

LOS ANGELES – She describes herself as an “aspiring actress”, based in London. Her social profiles show her in cafés or in film-like scenes of everyday life. On 30 July…
The article Tilly Norwood shakes Hollywood: actors' union against the actress created



I'm wondering whether to take part in the Perugia-Assisi march.

Everything is fine, but I have a problem with the "no" to rearmament.

Let's not argue over the fact that peace is better than war, that feeling like brothers is better than feeling like enemies, that spending money to build hospitals and schools is better than spending it to make bombs, etc. etc., because we all agree and we would only waste time.

I believe the march and many other similar initiatives are important for pushing people to reflect on the fact that another world is possible and that it falls to all of us to be the engine of this change towards a better world.

But when you say "no to rearmament" you make a qualitative leap: you move from pointing to broadly agreeable general principles to taking a political position to be acted on immediately, in present reality, in the here and now.

And the question I ask myself is whether it is right not to arm, whether it is right to decide today to give up having an armed defence.

What would happen if half of the world's governments stopped spending money on arms and spent it on hospitals and schools, and the other half did not? Would we live in a world with more peace or with more wars?

Do we owe the very long peace there has been in Europe over the last 70 years to a pacifist turn after the end of the Second World War, or do we owe it to the fact that the arsenals were filled with weapons to such a point that nobody had the courage to shoot first?

If the Palestinians had had an army as strong as Israel's, would Gaza be destroyed today?

If the Ukrainians had had an army as strong as Russia's, would they find themselves today with Russian tanks in their home? Would their cities be constantly under fire from missiles and drones?

What I mean is that on the one hand I understand that disarmament is THE solution, but on the other I am equally convinced that unilateral disarmament can only be a harbinger of tragedies.

in reply to The Lobster

On the other hand, continuing to arm brings no benefit. If the armies are equivalent there is no advantage, so one of the two sides will aim to always be ahead of the other, in a spiral of destruction. Because a draw is not an option.
in reply to We don't need AI. AI needs us.

@We don't need AI. AI needs us.

Continuing to arm leads to a situation in which nobody can afford a war, because they know that however it ended it would be a catastrophe for them.

The Cold War, as I see it, is the proof: nations that glare at each other but do not dare lift a finger against the enemy.

And if instead we (or they, it's the same) had had beautiful hospitals, excellent schools, but not even one tank, what condition would we be in today?



Sinner triumphs in Beijing and thanks his team: “Lucky to work with honest people”

BEIJING – Jannik Sinner is back to winning a tournament after the final he lost at the US Open. The world number 2 takes the ATP 500 in Beijing thanks to the win…



How companies working for landlords are scraping data inside corporate environments; lawyers explain why they used AI (after getting caught); and all the Ruby drama. #Podcast


Podcast: Landlords Demand Your Workplace Logins to Scrape Paystubs


We start this week with Joseph’s article about landlords and income verification companies demanding login details from potential renters so the companies can log in and scrape their paystubs. That has some potential legal issues for everyone involved! After the break, 18 lawyers tell us why they used AI. In the subscribers-only section, Emanuel breaks down the massive drama around Ruby.
playlist.megaphone.fm?e=TBIEA4…
Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.
youtube.com/embed/KtvSBb6rtHE?…




The Trump presidency is not madness, it is the consequence of the politics of spectacle
possibile.com/trump-postman/?u…
The future is not written, Postman said. And that is still true today: it depends on how we use the means of communication, whether as tools of entertainment or as occasions for thought. The difference is not secondary. The quality of our democracy depends on it.


Flotilla heading for the Strip. Scotto (PD): “A night on alert. Boarding would be illegal”

ROME – During the night between Tuesday 30 September and Wednesday 1 October, several boats of the Global Sumud Flotilla were approached by some unidentified vessels. Also on board was…



For some time I have been trying to cut my expenses, and I am looking for someone to share a space I have rented as a music studio.

I reply to the ad from this band looking for a rehearsal room.

Enrico gets in touch, telling me there are 5 of them and that they have a cover band playing anime theme songs and video game music.
He reassures me that they are all very quiet and reserved and that outside rehearsals I will never see them in the room.
He tells me that they will absolutely not throw parties in the studio or cause trouble of any kind.

Very good, I say, and I arrange to show them the place and leave them the keys.

In the afternoon a guy comes to pick them up who looked a bit like a photocopy of the other one: very pale, with raven-black hair and thick prescription glasses. Identical to the other one.
As chance would have it, he is called Enrico too.

Enrico tells me that since he and the other Enrico had a misunderstanding, he will come to the studio an hour later. He asks me whether I can please leave the keys for him somewhere.



An FPGA-Based Mechanical Keyboard


You can buy all kinds of keyboards these days, from basic big-brand stuff to obscure mechanical delicacies from small-time builders. Or, you can go the maker route, and build your own. That’s precisely what [Lambert Sartory] did with their Clavier build.

This build goes a bit of a different route to many other DIY keyboards out there, in that [Lambert] was keen to build it around an FPGA instead of an off-the-shelf microcontroller. To that end, the entire USB HID stack was implemented in VHDL on a Lattice ECP5 chip. It was a heavy-duty way to go, but it makes the keyboard quite unique compared to those that just rely on existing HID libraries to do the job. This onboard hardware also allowed [Lambert] to include JTAG, SPI, I2C, and UART interfaces right on the keyboard, as well as a USB hub for good measure.

As for the mechanical design, it’s a full-size 105-key ISO keyboard with one bonus key for good measure. That’s the coffee key, which either locks the attached computer when you’re going for a break, or resets the FPGA with a long press just in case it’s necessary. It’s built with Cherry MX compatible switches, has N-key rollover capability, and a mighty 1000 Hz polling rate. If you can exceed that by hand, you’re some sort of superhuman.

The great thing about building your own keyboard is you can put in whatever features you desire. If you’re whipping up your own neat interface devices, don’t hesitate to let us know!


hackaday.com/2025/10/01/an-fpg…



Forensic journey: hunting evil within AmCache



Introduction


When it comes to digital forensics, AmCache plays a vital role in identifying malicious activities in Windows systems. This artifact allows the identification of the execution of both benign and malicious software on a machine. It is managed by the operating system, and at the time of writing this article, there is no known way to modify or remove AmCache data. Thus, in an incident response scenario, it could be the key to identifying lost artifacts (e.g., ransomware that auto-deletes itself), allowing analysts to search for patterns left by the attacker, such as file names and paths. Furthermore, AmCache stores the SHA-1 hashes of executed files, which allows DFIR professionals to search public threat intelligence feeds — such as OpenTIP and VirusTotal — and generate rules for blocking this same file on other systems across the network.

This article presents a comprehensive analysis of the AmCache artifact, allowing readers to better understand its inner workings. In addition, we present a new tool named “AmCache-EvilHunter”, which can be used by any professional to easily parse the Amcache.hve file and extract IOCs. The tool is also able to query the aforementioned intelligence feeds to check for malicious file detections. This level of built-in automation reduces manual effort and speeds up threat detection, which is of significant value for analysts and responders.

The importance of evidence of execution


Evidence of execution is fundamentally important in digital forensics and incident response, since it helps investigators reconstruct how the system was used during an intrusion. Artifacts such as Prefetch, ShimCache, and UserAssist offer clues about what was executed. AmCache is also a robust artifact for evidencing execution, preserving metadata that indicates a file’s presence and execution, even if the file has been deleted or modified. An advantage of AmCache over other Windows artifacts is that unlike them, it stores the file hash, which is immensely useful for analysts, as it can be used to hunt malicious files across the network, increasing the likelihood of fully identifying, containing, and eradicating the threat.

Introduction to AmCache


Application Activity Cache (AmCache) was first introduced in Windows 7 and fully leveraged in Windows 8 and beyond. Its purpose is to replace the older RecentFileCache.bcf in newer systems. Unlike its predecessor, AmCache includes valuable forensic information about program execution, executed binaries and loaded drivers.

This artifact is stored as a registry hive file named Amcache.hve in the directory C:\Windows\AppCompat\Programs. The metadata stored in this file includes file paths, publisher data, compilation timestamps, file sizes, and SHA-1 hashes.

It is important to highlight that the AmCache format does not depend on the operating system version, but rather on the version of the libraries (DLLs) responsible for filling the cache. In this way, even Windows systems with different patch levels could have small differences in the structure of the AmCache files. The known libraries used for filling this cache are stored under %WinDir%\System32 with the following names:

  • aecache.dll
  • aeevts.dll
  • aeinv.dll
  • aelupsvc.dll
  • aepdu.dll
  • aepic.dll

It is worth noting that this artifact has its peculiarities and limitations. The AmCache computes the SHA-1 hash over only the first 31,457,280 bytes (≈31 MB) of each executable, so comparing its stored hash online can fail for files exceeding this size. Furthermore, Amcache.hve is not a true execution log: it records files in directories scanned by the Microsoft Compatibility Appraiser, executables and drivers copied during program execution, and GUI applications that required compatibility shimming. Only the last category reliably indicates actual execution. Items in the first two groups simply confirm file presence on the system, with no data on whether or when they ran.

In the same directory, we can find additional LOG files used to ensure Amcache.hve consistency and recovery operations:

  • C:\Windows\AppCompat\Programs\Amcache.hve.*LOG1
  • C:\Windows\AppCompat\Programs\Amcache.hve.*LOG2

The Amcache.hve file can be collected from a system for forensic analysis using tools like Aralez, Velociraptor, or Kape.

Amcache.hve structure


The Amcache.hve file is a Windows Registry hive in REGF format; it contains multiple subkeys that store distinct classes of data. A simple Python parser can be implemented to iterate through Amcache.hve and present its keys:
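#!/usr/bin/env python3
# List the top-level keys under Root in an Amcache.hve hive (uses python-registry).

import sys
from Registry.Registry import Registry

hive = Registry(str(sys.argv[1]))
root = hive.open("Root")

# Each subkey of Root stores one class of inventory data
for rec in root.subkeys():
    print(rec.name())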
The result of this parser when executed is:

AmCache keys

From a DFIR perspective, the keys that are of the most interest to us are InventoryApplicationFile, InventoryApplication, InventoryDriverBinary, and InventoryApplicationShortcut, which are described in detail in the following subsections.

InventoryApplicationFile


The InventoryApplicationFile key is essential for tracking every executable discovered on the system. Under this key, each executable is represented by its own uniquely named subkey, which stores the following main metadata:

  • ProgramId: a unique hash generated from the binary name, version, publisher, and language, with some zeroes prepended to the hash
  • FileID: the SHA-1 hash of the file, with four zeroes prepended to the hash
  • LowerCaseLongPath: the full lowercase path to the executable
  • Name: the file base name without the path information
  • OriginalFileName: the original filename as specified in the PE header’s version resource, indicating the name assigned by the developer at build time
  • Publisher: often used to verify if the source of the binary is legitimate. For malware, this subkey is usually empty
  • Version: the specific build or release version of the executable
  • BinaryType: indicates whether the executable is a 32-bit or 64-bit binary
  • ProductName: the ProductName field from the version resource, describing the broader software product or suite to which the executable belongs
  • LinkDate: the compilation timestamp extracted from the PE header
  • Size: the file size in bytes
  • IsOsComponent: a boolean flag that specifies whether the executable is a built-in OS component or a third-party application/library

With some tweaks to our original Python parser, we can read the information stored within this key:
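#!/usr/bin/env python3
# Dump every record under InventoryApplicationFile (uses python-registry).

import sys
from Registry.Registry import Registry

hive = Registry(sys.argv[1])
root = hive.open("Root")

# Index the top-level keys by name and pick the one we want
subs = {k.name(): k for k in root.subkeys()}
parent = subs.get("InventoryApplicationFile")
if parent is None:
    sys.exit("InventoryApplicationFile key not found in this hive")

for rec in parent.subkeys():
    # One subkey per executable; collect its values into a dict
    vals = {v.name(): v.value() for v in rec.values()}
    print("{}\n{}\n\n-----------\n".format(rec, vals))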

InventoryApplicationFile subkeys

We can also use tools like Registry Explorer to see the same data in a graphical way:

InventoryApplicationFile inspected through Registry Explorer

As mentioned before, AmCache computes the SHA-1 hash over only the first 31,457,280 bytes (≈31 MB). To prove this, we did a small experiment, during which we got a binary smaller than 31 MB (Aralez) and one larger than this value (a custom version of Velociraptor). For the first case, the SHA-1 hash of the entire binary was stored in AmCache.

First AmCache SHA-1 storage scenario

For the second scenario, we used the dd utility to extract the first 31 MB of the Velociraptor binary:

Stripped binary

When checking the Velociraptor entry in AmCache, we found that it indeed stored the SHA-1 hash calculated only for the first 31,457,280 bytes of the binary. Interestingly enough, the Size value represented the actual size of the original file. Thus, relying only on the file hash stored in AmCache for querying threat intelligence portals may not be enough when dealing with large files. So, we need to check if the file size in the record is bigger than 31,457,280 bytes before searching threat intelligence portals.

Second AmCache SHA-1 storage scenario

Additionally, attackers may take advantage of this characteristic to purposely generate large malicious binaries. In this way, even if investigators find that a piece of malware was executed or present on a Windows system, the actual SHA-1 hash of the binary will still be unknown, making it difficult to track it across the network and to gather it from public databases like VirusTotal.
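The size check described above can be scripted. The following is an added example, not code from the article or from AmCache-EvilHunter: it reproduces the truncated hash for a candidate file and decides whether a stored FileID is usable for a threat intelligence lookup. It assumes each record is a dict shaped like the `vals` dict printed by the parser above, and that Size is an integer or a numeric string.

```python
import hashlib
import io

# AmCache hashes only the first 31,457,280 bytes of a file (figure from the article).
AMCACHE_HASH_LIMIT = 31_457_280


def amcache_sha1(stream, limit=AMCACHE_HASH_LIMIT, chunk_size=1 << 20):
    """SHA-1 over at most `limit` leading bytes of a binary stream."""
    digest = hashlib.sha1()
    remaining = limit
    while remaining > 0:
        chunk = stream.read(min(chunk_size, remaining))
        if not chunk:
            break  # file is shorter than the limit: whole file is hashed
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def sha1_from_file_id(file_id):
    """Strip the four leading zeroes AmCache puts in front of the SHA-1."""
    value = str(file_id).strip().lower()
    if len(value) == 44 and value.startswith("0000"):
        value = value[4:]
    if len(value) != 40 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("not a SHA-1 FileID: %r" % (file_id,))
    return value


def triage_record(record):
    """Say whether the stored hash identifies the whole file or only a prefix."""
    raw_size = record["Size"]
    # Assumption: Size is an int or a decimal/0x-prefixed string.
    size = int(raw_size, 0) if isinstance(raw_size, str) else int(raw_size)
    whole = size <= AMCACHE_HASH_LIMIT
    return {
        "path": record.get("LowerCaseLongPath", ""),
        "sha1": sha1_from_file_id(record["FileID"]),
        "size": size,
        "hash_covers_whole_file": whole,
        # A prefix hash will not match the full-file SHA-1 indexed by TI portals.
        "ti_lookup": whole,
    }


def matches_record(stream, record):
    """True if a candidate file found elsewhere matches the AmCache entry."""
    return amcache_sha1(stream) == sha1_from_file_id(record["FileID"])


if __name__ == "__main__":
    # Constructed sample: a fake "binary" ten bytes over the limit.
    blob = b"A" * (AMCACHE_HASH_LIMIT + 10)
    rec = {
        "FileID": "0000" + amcache_sha1(io.BytesIO(blob)),
        "Size": len(blob),
        "LowerCaseLongPath": "c:\\tools\\large_sample.exe",
    }
    print(triage_record(rec))
    print("candidate matches:", matches_record(io.BytesIO(blob), rec))
```

For records where `ti_lookup` is false, the stored hash is still useful for sweeping other hosts: hash each candidate file with `amcache_sha1` and compare.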

InventoryApplicationFile – use case example: finding a deleted tool that was used


Let’s suppose you are searching for a possible insider threat. The user denies having run any suspicious programs, and any suspicious software was securely erased from disk. But in the InventoryApplicationFile, you find a record of winscp.exe being present in the user’s Downloads folder. Even though the file is gone, this tells you the tool was on the machine and it was likely used to transfer files before being deleted. In our incident response practice, we have seen similar cases, where this key proved useful.

InventoryApplication


The InventoryApplication key records details about applications that were previously installed on the system. Unlike InventoryApplicationFile, which logs every executable encountered, InventoryApplication focuses on those with installation records. Each entry is named by its unique ProgramId, allowing straightforward linkage back to the corresponding InventoryApplicationFile key. Additionally, InventoryApplication has the following subkeys of interest:

  • InstallDate: a date‑time string indicating when the OS first recorded or recognized the application
  • MsiInstallDate: present only if installed via Windows Installer (MSI); shows the exact time the MSI package was applied, sourced directly from the MSI metadata
  • UninstallString: the exact command line used to remove the application
  • Language: numeric locale identifier set by the developer (LCID)
  • Publisher: the name of the software publisher or vendor
  • ManifestPath: the file path to the installation manifest used by UWP or AppX/MSIX apps

With a simple change to our parser, we can check the data contained in this key:
<...>
parent = subs.get("InventoryApplication")
<...>

InventoryApplication subkeys

When a ProgramId appears both here and under InventoryApplicationFile, it confirms that the executable is not merely present or executed, but was formally installed. This distinction helps us separate ad-hoc copies or transient executions from installed software. The following figure shows the ProgramId of the WinRAR software under InventoryApplicationFile.

When searching for the ProgramId, we find an exact match under InventoryApplication. This confirms that WinRAR was indeed installed on the system.

Another interesting detail about InventoryApplication is that it contains a subkey named LastScanTime, which is stored separately from ProgramIds and holds a value representing the last time the Microsoft Compatibility Appraiser ran. This is a scheduled task that launches the compattelrunner.exe binary, and the information in this key should only be updated when that task executes. As a result, software installed since the last run of the Appraiser may not appear here. The LastScanTime value is stored in Windows FileTime format.

InventoryApplication LastScanTime information
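The ProgramId cross-check and the LastScanTime caveat described above can be combined into one triage step. This is an added example, not code from the article: it converts a FILETIME value and labels each InventoryApplicationFile record as installed, lacking an install record, or undetermined because the Appraiser has not run since the file appeared. The `seen` timestamp per record (taken here to be the subkey's last-write time) and all sample values are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def classify_install_state(file_records, installed_ids, last_scan_filetime):
    """Label InventoryApplicationFile records by their InventoryApplication match.

    installed_ids are the subkey names under InventoryApplication (ProgramIds).
    Each record carries a 'seen' datetime; using the subkey's last-write time
    for it is an assumption of this example.
    """
    last_scan = filetime_to_datetime(last_scan_filetime)
    installed = {pid.lower() for pid in installed_ids}
    labelled = []
    for rec in file_records:
        pid = str(rec.get("ProgramId", "")).lower()
        if pid and pid in installed:
            state = "installed"
        elif rec["seen"] > last_scan:
            # The Appraiser has not run since this file appeared, so a
            # missing install record proves nothing yet.
            state = "undetermined"
        else:
            state = "no-install-record"
        labelled.append((rec["LowerCaseLongPath"], state))
    return labelled


# Constructed sample data: ProgramIds, paths and timestamps are made up.
LAST_SCAN = 133947648000000000  # 2025-06-19 00:00:00 UTC as FILETIME
INSTALLED_IDS = ["0000aaaa1111bbbb2222cccc3333dddd4444eeee5555"]
FILE_RECORDS = [
    {
        "ProgramId": "0000AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555",
        "LowerCaseLongPath": "c:\\program files\\winrar\\winrar.exe",
        "seen": datetime(2025, 6, 10, tzinfo=timezone.utc),
    },
    {
        "ProgramId": "0000ffff0000ffff0000ffff0000ffff0000ffff0000",
        "LowerCaseLongPath": "c:\\users\\user\\downloads\\winscp.exe",
        "seen": datetime(2025, 6, 12, tzinfo=timezone.utc),
    },
    {
        "ProgramId": "00001234123412341234123412341234123412341234",
        "LowerCaseLongPath": "c:\\users\\user\\desktop\\tool.exe",
        "seen": datetime(2025, 6, 20, tzinfo=timezone.utc),
    },
]

if __name__ == "__main__":
    print("last scan:", filetime_to_datetime(LAST_SCAN).isoformat())
    for path, state in classify_install_state(FILE_RECORDS, INSTALLED_IDS, LAST_SCAN):
        print("{:<20} {}".format(state, path))
```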

InventoryApplication – use case example: spotting remote access software


Suppose that during an incident response engagement, you find an entry for AnyDesk in the InventoryApplication key (although the application is not installed anymore). This means that the attacker likely used it for remote access and then removed it to cover their tracks. Even if wiped from disk, this key proves it was present. We have seen this scenario in real-world cases more than once.

InventoryDriverBinary


The InventoryDriverBinary key records every kernel-mode driver that the system has loaded, providing the essential metadata needed to spot suspicious or malicious drivers. Under this key, each driver is captured in its own uniquely named subkey and includes:

  • FileID: the SHA-1 hash of the driver binary, with four zeroes prepended to the hash
  • LowerCaseLongPath: the full lowercase file path to the driver on disk
  • DigitalSignature: the code-signing certificate details. A valid, trusted signature helps confirm the driver’s authenticity
  • LastModified: the file’s last modification timestamp from the filesystem metadata, revealing when the driver binary was most recently altered on disk

Because Windows drivers run at the highest privilege level, they are frequently exploited by malware. For example, a previous study conducted by Kaspersky shows that attackers are exploiting vulnerable drivers for killing EDR processes. When dealing with a cybersecurity incident, investigators correlate each driver’s cryptographic hash, file path, signature status, and modification timestamp. That can help in verifying if the binary matches a known, signed version, detecting any tampering by spotting unexpected modification dates, and flagging unsigned or anomalously named drivers for deeper analysis. Projects like LOLDrivers help identify vulnerable drivers in use by attackers in the wild.

InventoryDriverBinary inspection

In addition to the InventoryDriverBinary, AmCache also provides the InventoryApplicationDriver key, which keeps track of all drivers that have been installed by specific applications. It includes two entries:

  • DriverServiceName, which identifies the name of the service linked to the installed driver; and
  • ProgramIds, which lists the program identifiers (corresponding to the key names under InventoryApplication) that were responsible for installing the driver.

As shown in the figure below, the ProgramIds key can be used to track the associated program that uses this driver:

Checking program information by ProgramIds

InventoryDriverBinary – use case example: catching a bad driver


If the system was compromised through the abuse of a known vulnerable or malicious driver, you can use the InventoryDriverBinary registry key to confirm its presence. Even if the driver has been removed or hidden, remnants in this key can reveal that it was once loaded, which helps identify kernel-level compromises and supports timeline reconstruction during the investigation. This is exactly how the AV Killer malware was discovered.

InventoryApplicationShortcut


This key contains entries for .lnk (shortcut) files that were present in folders like each user’s Start Menu or Desktop. Within each shortcut key, the ShortcutPath provides the absolute path to the LNK file at the moment of discovery. The ShortcutTargetPath shows where the shortcut pointed. We can also search for the ProgramId entry within the InventoryApplication key using the ShortcutProgramId (similar to what we did for drivers).

InventoryApplicationShortcut key

InventoryApplicationShortcut – use case example: confirming use of a removed app


You find that a suspicious program was deleted from the computer, but the user claims they never ran it. The InventoryApplicationShortcut key shows a shortcut to that program was on their desktop and was accessed recently. With supplementary evidence, such as that from Prefetch analysis, you can confirm the execution of the software.

AmCache key comparison


The table below summarizes the information presented in the previous subsections, highlighting the main information about each AmCache key.

Key | Contains | Indicates execution?
InventoryApplicationFile | Metadata for all executables seen on the system. | Possibly (presence = likely executed)
InventoryApplication | Metadata about formally installed software. | No (indicates installation, not necessarily execution)
InventoryDriverBinary | Metadata about loaded kernel-mode drivers. | Yes (driver was loaded into memory)
InventoryApplicationShortcut | Information about .lnk files. | Possibly (combine with other data for confirmation)

AmCache-EvilHunter


Undoubtedly, Amcache.hve is a very important forensic artifact. However, we could not find any tool that effectively parses its contents while providing threat intelligence for the analyst. With this in mind, we developed AmCache-EvilHunter, a command-line tool to parse and analyze Windows Amcache.hve registry hives, identify evidence of execution and suspicious executables, and integrate Kaspersky OpenTIP and VirusTotal lookups for enhanced threat intelligence.

AmCache-EvilHunter is capable of processing the Amcache.hve file and filtering records by date range (with the options --start and --end). It is also possible to search records using keywords (--search), which is useful for searching for known naming conventions adopted by attackers. The results can be saved in CSV (--csv) or JSON (--json) formats.

The image below shows an example of execution of AmCache-EvilHunter with these basic options, by using the following command:
amcache-evilhunter -i Amcache.hve --start 2025-06-19 --end 2025-06-19 --csv output.csv
The output contains all applications that were present on the machine on June 19, 2025. The last column indicates whether the file is an operating system component or not.

Basic usage of AmCache-EvilHunter

CSV result

Analysts are often faced with a large volume of executables and artifacts. To narrow down the scope and reduce noise, the tool is able to search for known suspicious binaries with the --find-suspicious option. The patterns used by the tool include common malware names, Windows processes containing small typos (e.g., scvhost.exe), legitimate executables usually found in use during incidents, one-letter/one-digit file names (such as 1.exe, a.exe), or random hex strings. The figure below shows the results obtained by using this option; as highlighted, one svchost.exe file is part of the operating system and the other is not, making it a good candidate for collection and analysis if not deleted.

Suspicious files identification

Malicious files usually do not include any publisher information and are definitely not part of the default operating system. For this reason, AmCache-EvilHunter also ships with the --missing-publisher and --exclude-os options. These parameters allow for easy filtering of suspicious binaries and also allow fast threat intelligence gathering, which is crucial during an incident.
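To make the filtering ideas above concrete, here is an added example of name-based triage over InventoryApplicationFile records. It is not AmCache-EvilHunter's implementation, whose actual patterns are not shown in this article; the list of system process names, the regular expressions and the sample records are assumptions chosen to mirror the categories described (typos of Windows process names, one-character names, hex-string names, dual-use tools, missing publisher on non-OS files).

```python
import re
from pathlib import PureWindowsPath

# Assumption: a short reference list of Windows process names to compare against.
KNOWN_SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "explorer.exe",
                      "services.exe", "winlogon.exe", "csrss.exe")
# The two legitimate tools named in this article's use cases.
DUAL_USE = ("winscp.exe", "anydesk.exe")
SHORT_NAME = re.compile(r"^[a-z0-9]\.exe$")      # 1.exe, a.exe
HEX_NAME = re.compile(r"^[0-9a-f]{8,}\.exe$")    # deadbeef01.exe


def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def is_true(value):
    """Assumption: the IsOsComponent flag may arrive as bool, int or string."""
    return str(value).strip().lower() in ("1", "true")


def suspicious_reasons(record):
    """Return the list of reasons a record deserves a closer look (may be empty)."""
    name = PureWindowsPath(record.get("LowerCaseLongPath", "")).name.lower()
    is_os = is_true(record.get("IsOsComponent", 0))
    reasons = []
    if SHORT_NAME.match(name):
        reasons.append("one-character file name")
    if HEX_NAME.match(name):
        reasons.append("hex-string file name")
    if name in DUAL_USE:
        reasons.append("dual-use tool seen in incidents")
    for known in KNOWN_SYSTEM_NAMES:
        distance = osa_distance(name, known)
        if distance == 1:
            reasons.append("near-miss of " + known)
        elif distance == 0 and not is_os:
            reasons.append(known + " is not an OS component here")
    if not is_os and not str(record.get("Publisher", "")).strip():
        reasons.append("no publisher")
    return reasons


# Constructed sample records.
SAMPLE = [
    {"LowerCaseLongPath": "c:\\windows\\system32\\svchost.exe",
     "Publisher": "microsoft corporation", "IsOsComponent": 1},
    {"LowerCaseLongPath": "c:\\users\\public\\svchost.exe",
     "Publisher": "", "IsOsComponent": 0},
    {"LowerCaseLongPath": "c:\\programdata\\scvhost.exe",
     "Publisher": "", "IsOsComponent": 0},
    {"LowerCaseLongPath": "c:\\users\\user\\downloads\\1.exe",
     "Publisher": "", "IsOsComponent": 0},
    {"LowerCaseLongPath": "c:\\users\\user\\downloads\\winscp.exe",
     "Publisher": "constructed publisher", "IsOsComponent": 0},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        found = suspicious_reasons(rec)
        if found:
            print(rec["LowerCaseLongPath"], "->", "; ".join(found))
```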

Another important feature that distinguishes our tool from other proposed approaches is that AmCache-EvilHunter can query Kaspersky OpenTIP (--opentip) and VirusTotal (--vt) for hashes it identifies. In this way, analysts can rapidly gain insights into samples to decide whether they are going to proceed with a full analysis of the artifact or not.

Threat intel lookup

Binaries of the tool are available on our GitHub page for both Linux and Windows systems.

Conclusion


Amcache.hve is a cornerstone of Windows forensics, capturing rich metadata, such as full paths, SHA-1 hashes, compilation timestamps, publisher and version details, for every executable that appears on a system. While it does not serve as a definitive execution log, its strength lies in documenting file presence and paths, making it invaluable for spotting anomalous binaries, verifying trustworthiness via hash lookups against threat‐intelligence feeds, and correlating LinkDate values with known attack campaigns.

To extract its full investigative potential, analysts should merge AmCache data with other artifacts (e.g., Prefetch, ShimCache, and Windows event logs) to confirm actual execution and build accurate timelines. Comparing InventoryApplicationFile entries against InventoryApplication reveals whether a file was merely dropped or formally installed, and identifying unexpected driver records can expose stealthy rootkits and persistence mechanisms. Leveraging parsers like AmCache-EvilHunter and cross-referencing against VirusTotal or proprietary threat databases allows IOC generation and robust incident response, making AmCache analysis a fundamental DFIR skill.


securelist.com/amcache-forensi…