≋3≋ allarmi che devono farci riflettere 1. L’arresto di Julian Assange L’11 aprile 2019 il giornalista d’inchiesta Julian Assange viene arrestato nell’ambasciata ecuadoriana a Londra, dopo quasi sette anni di asilo internazionale. euronews+2TechCrunch+2L’arresto segna l’avvio di una battaglia legale che coinvolge l’estradizione negli Stati Uniti e solleva questioni fondamentali sulla libertà di stampa e la […]

freeassangeitalia.it/liberta-d…

Using a speaker as a microphone is a trick old enough to have become common knowledge, but how often do you see the hack reversed? As part of a larger project to measure the acoustic power of a subwoofer, [DeepSOIC] needed to characterize the phase shift of a microphone, and to do that, he needed a test speaker. A normal speaker’s resonance was throwing off measurements, but an electret microphone worked perfectly.

For a test apparatus, [DeepSOIC] had sealed the face of the microphone under test against the membrane of a speaker, and then measured the microphone’s phase shift as the speaker played a range of frequencies. The speaker membrane he started with had several resonance spikes at higher frequencies, however, which made it impossible to take accurate measurements. To shift the resonance to higher frequencies beyond the test range, the membrane needed to be more rigid, and the driver needed to apply force evenly across the membrane, not just in the center. [DeepSOIC] realized that an electret microphone does basically this, but in reverse: it has a thin membrane which can be uniformly attracted and repelled from the electret. After taking a large capsule electret microphone, adding more vent holes behind the diaphragm, and removing the metal mesh from the front, it could play recognizable music.

Replacing the speaker with another microphone gave good test results, with much better frequency stability than the electromagnetic speaker could provide, and let the final project work out (the video below goes over the full project with English subtitles, and the calibration is from minutes 17 to 34). The smooth frequency response of electret microphones also makes them good for high-quality recording, and at least once, we’ve seen someone build his own electrets.

youtube.com/embed/zlgHMzM6WxE?…

hackaday.com/2025/11/10/2025-c…

Il 9 novembre ha segnato il 21° anniversario di Firefox 1.0. Nel 2004, è stata la prima versione stabile del nuovo browser di Mozilla, che si è subito posizionato come un’alternativa semplice e sicura a Internet Explorer. Inizialmente, vantava la navigazione a schede, il blocco dei pop-up, un sistema di estensioni flessibile e impostazioni di privacy intuitive, attirando rapidamente sia il pubblico che la stampa.

Prima del suo rilascio, il browser subì diversi cambi di nome. Il ramo sperimentale della Mozilla Suite fu inizialmente chiamato Phoenix, poi Firebird e, nel febbraio 2004, Firefox. Fu scelto per la sua unicità e l’assenza di conflitti, e la volpe rossa divenne la sua mascotte.

Il lancio della versione 1.0 fu accompagnato da una rara campagna pubblicitaria per i fan all’epoca. La community raccolse fondi per una pagina intera di pubblicità sul New York Times e, il giorno del lancio, recensioni entusiastiche ne elogiarono la velocità, l’usabilità e la compatibilità con i siti web di IE. La campagna contribuì a rendere Firefox un prodotto visibile anche al di fuori della cerchia degli appassionati.

Negli anni successivi, Firefox divenne una vera e propria forza sul mercato. Nel 2008, il lancio di Firefox 3 fu celebrato come Download Day, con un record mondiale per il numero di download in un solo giorno, oltre 8 milioni di installazioni. Le statistiche dell’epoca mostravano che il browser stava guadagnando costantemente quote di mercato rispetto a Internet Explorer, con alcuni report in Europa che si avvicinavano a un terzo del mercato.

Il rilascio di Firefox Quantum nel 2017 ha rappresentato un importante aggiornamento tecnologico, accelerando significativamente le prestazioni e rinnovando l’interfaccia. In termini di privacy, il progetto ha fatto fare un passo avanti al settore con la protezione antitracciamento abilitata di default e la Total Cookie Protection, che isola i cookie tra i siti web. Queste soluzioni hanno consolidato la reputazione di Firefox come browser per utenti che apprezzano il controllo e l’indipendenza dei dati.

Oggi, Firefox rimane l‘unico grande browser indipendente a utilizzare il proprio motore Gecko, indipendente da Chromium. La storia della versione 1.0 è un esempio di come la comunità e lo sviluppo aperto possano cambiare gli equilibri di potere e di come la privacy e gli standard aperti possano diventare un vantaggio competitivo.

La versione del 2004 ha reso tutto questo possibile, colpendo un nervo scoperto dell’epoca e riportando la concorrenza nel mercato dei browser.

L'articolo 21 anni di Firefox: una storia di innovazione e indipendenza proviene da Red Hot Cyber.

Pare che il team di sviluppo di Debian abbia deciso di sospendere il supporto al kernel 32 bit. Nella pagina di download infatti non figurano più le ISO a 32 bit.

Questo implica che tutte le distro basate su Debian non supporteranno più hardware a 32 bit entro poco tempo?

E mo' ?

Come facciamo a far funzionare il vecchio hardware? (Ero così felice che MX facesse funzionare il mio netbook del 2012, e ora...)

Quello che ci siamo raccontati fino ad oggi (che Linux è perfetto per il vecchio hardware) non è più così vero?

Sono curioso di sentire i vostri consigli e pensieri.

Grazie a chi vorrà partecipare alla discussione.

#linux

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and I'm writing this newsletter on a Eurostar train to Brussels with patchy internet. Bear with me.

If you're interested in understanding what digital policymaking trends will likely dominate the agenda next year, please join me for a dinner in Brussels — in cooperation with YouGov and Microsoft — on Dec 10. Sign up is here, and invites will go out by the end of the week.

— Fears are growing that the artificial intelligence boom is about to pop. There are significant policy implications if that happens.

— Brussels is readying itself for a major revamp of the European Union's digital rulebook. Here's what you need to know.

— A look inside which publishers' content is served up when people use ChatGPT.

Let's get started:

digitalpolitics.co/newsletter0…

As humans, we tend to consider our emotional states as a direct response to the experiences of our lives. Traffic may make us frustrated, betrayal may make us angry, or the ever-grinding wear of modern life might make us depressed.

Dig into the science of the brain, though, and one must realize that our emotional states are really just electrical signals zinging around our neurons. And as such, they can even be influenced by direct electrical stimulation.

One group of researchers found this out when they inadvertently discovered a “switch” that induced massive depression in a patient in mere seconds. For all the complexities of the human psyche, a little electricity proved more than capable of swaying it in an instant.

Electric Feel

Deep brain stimulation has, in recent decades, become a well-established treatment for multiple conditions, including Parkinson’s disease. The treatment regime involves using precisely placed electrodes to deliver high-frequency pulses of electricity that help quell undesirable symptoms, such as tremors and muscle rigidity. When implanting electrodes deep in the brain tissue, surgeons aim for an area called the subthalamic nucleus. It’s a small region deep in the brain where electrical stimulation can dramatically improve motor control in Parkinson’s patients. In turn, this can reduce a patient’s reliance on medications, allowing them to treat their condition with fewer undesirable side effects.
Images captured from the patient during stimulation testing show the effect in action. The first panel shows the patient’s usual expression, while the second shows a drop in facial expression within 17 seconds after stimulation of contact zero. the third photograph shows the patient crying and expressing despair 4 minutes after engaging electrical stimulation. Finally, the last photograph shows the patient laughing just over a minute after the stimulation was disengaged. Credit: research paper
In 1999, a team of surgeons carrying out this routine work discovered something unexpected. Move the point of electrical stimulation just two millimeters lower, and you don’t treat Parkinson’s at all. Instead, you can accidentally trigger profound, immediate depression.

The patient was a sixty-five-year-old woman who had suffered from Parkinson’s disease for three decades. Despite treatment with high doses of contemporary Parkinson’s medications, she suffered tremors and other serious motor control symptoms. With the pharmaceutical treatment having limited effect, the decision was made to pursue therapy via brain stimulation. During the implantation of four electrodes in the patient’s subthalamic region, surgeons followed the then-standard protocol. Stimulation was tested through four different contact points on each of the four electrodes, intending to find the sweet spot that best alleviated the patient’s symptoms without causing side effects to speech, movement, or posture. Typically, electrical stimulation through some of the contacts would lead to therapeutic benefits, while others would have no effect or negative effects.

After the surgical implantation, contact zero of the leftmost electrode sat in the substantia nigra. When researchers applied a stimulation of 2.4 volts at 130 Hz through this contact, a reaction was noticed within mere seconds. As seen in images captured during the test, the patient’s face rapidly transformed into an expression of profound sadness.

The patient leaned over, cried, and verbalized strong negative feelings of hopelessness and worthlessness. “I’m falling down in my head, I no longer wish to live, to see anything, hear anything, feel anything…” the patient was recorded as saying in the research paper. “Everything is useless, always feeling worthless, I’m scared in this world.” No feelings of physical pain were reported; the symptoms seemed strictly limited to intense emotional distress.

The patient’s distress is readily visible in images taken during the stimulation procedure. The research paper notes that on a clinical basis, the patient’s self-described feelings fulfilled most of the diagnostic criteria for major depressive disorder. As quickly as the negative feelings arrived, though, they would soon disappear. The depressive state vanished for the patient within ninety seconds of switching off the stimulation to the contact in question. Soon enough, for several minutes after, the patient was reported as being in a “hypomanic” state, more positive and making jokes with the test examiners. Notably, the patient was aware of the adverse event and able to recall it clearly.
In later tests, PET scans were used to map blood flow in the brain during stimulation of contact zero, as researchers tried to map out the causative effect at play. Credit: research paper
The researchers would later verify the phenomenon was reproducible by repeating the stimulation in tests on a later date. During these tests, the patient was unaware whether stimulation was real or simulated. The same response was noted—stimulation through the contact in question zero produced immediate, severe depression that resolved within a minute of cessation.

Crucially, simulating the stimulation had no effect whatsoever, and the same depression-causing effect was noted whether the patient was or wasn’t taking the typical levodopa medication. Meanwhile, outside of this strange effect, the stimulation implant was otherwise doing its job. Stimulation through contacts one and two of the left electrode, positioned just two millimeters higher in the subthalamic nucleus proper, dramatically improved the patient’s motor symptoms without affecting mood. Medical imaging would later confirm that contact zero sat in the central substantia nigra, while the therapeutically-beneficial contacts were clearly within the subthalamic nucleus above.
Similar results were published in 2008 with a 62-year old male patient. The patient noted a “fantastic” sense of joy when the negative stimulation was ceased. Credit: research paper
The startling results led to a research paper. Beyond that, further work was limited, likely for multiple reasons. For one, there’s not a whole lot of utility in making patients feel deep despair, and furthermore, there are grand ethical reasons why that generally isn’t allowed.

Nevertheless, a similar effect was later apparent in another patient. A paper published in 2008 reported the case of a 62-year-old man with Parkinson’s disease. Similarly to the original patient, stimulation to the substantia nigra caused an “acute depressive state” in which “the patient was crying and expressing that he did not want to live.” In much the same way, cessation of stimulation led to the feelings ceasing in mere seconds. Ultimately, n=2 is a small number, but it served as more evidence to suggest that this was a reliable and repeatable effect that could be generated with electrical brain stimulation.

This accidental discovery provides a somewhat stark example of how emotions work in the brain. The fact that major depression can be switched on and off within seconds by stimulating a few cubic millimeters of brain tissue suggests that for all our thoughts and experiences, what we feel can potentially be manipulated with mere electricity. Ultimately, the sheer complexity of the brain makes it hard for us to glean greater insight, but regardless, it reminds us that we are perhaps little more than very complicated machines.

hackaday.com/2025/11/10/the-st…

Have you ever looked at a small development board like an Arduino or an ESP8266 board and thought you’d like one with just a few different features? Well, [Kai] has put out a fantastic guide on how to make an RP2040 dev board that’s all your own.

Development boards are super useful for prototyping a project, and some are quite simple, but there’s often some hidden complexity that needs to be considered before making your own. The RP2040 is a great chip to start your dev-board development journey, thanks to its excellent documentation and affordable components. [Kai] started this project using KiCad, which has all the features needed to go from schematics to final PCB Gerber files. In the write-up, [Kai] goes over how to implement USB-C in your design and how to add flash memory to your board, providing a place for your program to live. Once the crystal oscillator circuit is defined, decoupling capacitors added, and the GPIO pins you want to use are defined, it’s time to move to the PCB layout.

In the PCB design, it starts with an outside-in approach, first defining the board size, then adding the pins that sit along the edges of that board, followed by the USB connector, and then moving on to the internal components. Some components, such as the crystal oscillator, need to be placed near the RP2040 chip, and the same goes for some of the decoupling capacitors. There is a list of good practices around routing traces that [Kai] included for best results, which are useful to keep in mind once you have this many connections in a tight space. Not all traces are the same; for instance, the USB-C signal lines are a differential pair where it’s important that D+ and D- are close to the same length.

Finally, there is a walk-through on the steps needed to have your boards not only made at a board house but also assembled there if you choose to do so. Thanks [Kai] for taking the time to lay out the entire process for others to learn from; we look forward to seeing future dev-board designs. Be sure to check out some of our other awesome RP2040 projects.

hackaday.com/2025/11/10/rp2040…

One of the fun things about writing for Hackaday is that it takes you to the places where our community hang out. I was in a hackerspace in a university town the other evening, busily chasing my end of month deadline as no doubt were my colleagues at the time too. In there were a couple of others, a member who’s an electronic engineering student at one of the local universities, and one of their friends from the same course. They were working on the hardware side of a group project, a web-connected device which with a team of several other students, and they were creating from sensor to server to screen.

I have a lot of respect for my friend’s engineering abilities, I won’t name them but they’ve done a bunch of really accomplished projects, and some of them have even been featured here by my colleagues. They are already a very competent engineer indeed, and when in time they receive the bit of paper to prove it, they will go far. The other student was immediately apparent as being cut from the same cloth, as people say in hackerspaces, “one of us”.

They were making great progress with the hardware and low-level software while they were there, but I was saddened at their lament over their colleagues. In particular it seemed they had a real problem with vibe coding: they estimated that only a small percentage of their classmates could code by hand as they did, and the result was a lot of impenetrable code that looked good, but often simply didn’t work.

I came away wondering not how AI could be used to generate such poor quality work, but how on earth this could be viewed as acceptable in a university.

There’s A Difference Between Knowledge, and Skill

The poles and zeroes part of my first year undergraduate course was forever damaged by awful practical scheduling. Brews ohare, CC BY-SA 4.0
I’m going to admit something here for the first time in over three decades, I cheated at university. We all did, because the way our course was structured meant it was the only thing you could do. It went something like this: a British university has a ten week term, which meant we had a set of ten practicals to complete in sequence. Each practical related to a set of lectures, so if you landed one in week two which related to a lecture in week eight, you were in trouble.

The solution was simple, everyone borrowed a set of write-ups from a member of the year above who had got them from the year above them, and so on. We all turned in well written reports, which for around half the term we had little clue about because we’d not been taught what they did. I’m sure this was common knowledge at all levels but it was extremely damaging, because without understanding the practical to back up the lectures, whatever the subject was slipped past unlearned.

For some reason I always think of poles and zeroes in filters when I think of this, because that was an early practical in my first year when I had no clue because the lecture series was six weeks in the future. I also wonder sometimes about the unfortunate primordial electronic engineering class who didn’t have a year above to crib from, and how they managed.

As a result of this copying, however, our understanding of half a term’s practicals was pretty low. But there’s a difference between understanding, or knowledge, and skill, or the ability to do something. When many years later I needed to use poles and zeroes I was equipped with the skill as a researcher to go back and read up on it.

That’s a piece of knowledge, while programming is a skill. Perhaps my generation were lucky in that all of us had used BASIC and many of us had used machine code on our 8-bit home computers, so we came to university with some of that skill already in place, but still, we all had to learn the skill programming in a room full of terminals and DOS PCs. If a student can get by in 2025 by vibe coding I have to ask whether they have acquired any programming skill at all.

Would You Like Fries With Your Degree?

I get it that university is difficult and as I’ve admitted above, I and my cohort had to cheat to get through some of it, but when it affects a fundamental skill rather than a few bits of knowledge, is that bit of paper at the end of it worth anything at all?

I’m curious here, I know that Hackaday has readers who work in the sector and I know that universities put a lot of resources into detecting plagiarism, so I have to ask: I’m sure they’ll know students are using AI to code, is this something the universities themselves view as acceptable? And how could it be detected if not? As always the comment section lies below.

I may be a hardware engineer by training and spend most of my time writing for Hackaday, but for one of my side gigs I write documentation for a software company whose product has a demanding application that handles very high values indeed. I know that the coding standards for consistency and quality are very high for them and companies like them, so I expect the real reckoning will come when the students my friends were complaining about find themselves in the workplace. They’ll get a job alright, but when they talk to those two engineers will the question on their lips be “Would you like fries with that?”

hackaday.com/2025/11/10/ai-mak…

Have you ever imagined what the Nintendo Switch would look like if Nintendo had produced it in the mid-1990s? [Joel Creates] evidently did, because that’s exactly what this retro CRT-toting Switch 2 dock looks like.

Yes, it is portable, thanks to a 100W power bank torn apart and built into the 3D printed case. The full-color CRT comes from a portable TV, so it’s got portability in its heritage. Fitting all that chunky CRT goodness into a hand-held was, of course, a challenge. [Joel] credits AI slop with inspiring the 45-degree angle he eventually settled on. However, the idea of recessing handles inside the case so it could be thick enough but still comfortable to hold was all base-model H.Sap brainpower. There are shoulder controls hidden in those recesses, too, for the games that can use them.

We particularly like the cartridge-like way the Switch 2 slides into place with a satisfying click as its USB-C port connects. It’s plugging into an extension cable that leads to the guts of an official Nintendo dock, buried deeply (and conveniently) inside the 3D-printed box, stacked neatly with the HDMI-to-VGA and VGA-to-Composite converters [Joel] needed to get a nice 4:3 image on the CRT. No word on if he blows on the Switch 2 before plugging it in, but we certainly would.

We’ve featured plenty of portable game systems over the years, and some have been very well done, like this exquisitely done PS2 conversion — but very few have brought CRTs to the party. This retrofitted Game Boy is about the only exception, and [Joel] calls it out in his video as inspiration.

It looks like this is the first Switch 2 hack we’ve featured (with the exception of a teardown or two), so if you know of more, please let us know.

youtube.com/embed/wcym2tHiWT4?…

hackaday.com/2025/11/10/switch…

[Bob] calls his custom 16-bit computer “Bob’s Unnecessary Retro Processor” or BURP for short. While we suppose it is technically unnecessary, we love the look of it, and we hope he just used it to get the quirky acronym.

When we build custom CPUs they look suspiciously like FPGA development boards, but not BURP. We immediately thought of the IMSAI and the H8 when we saw it, but [Bob] points out it also borrows from the PDP-11.

On the other hand, none of those computers had gorgeous dot matrix LED disassemblers on the front panel. The computer uses its own language, CHASM, which is a bit like assembly language and a bit like C.

The case is a tank. At first, [Bob] didn’t use all TTL chips but didn’t want to go as far as FPGAs, so he settled for CPLDs, which were smaller forerunners to modern FPGAs. However, his microcode ROM is a… well… umm… 32-bit microcontroller. But he swears to us it is used only as a ROM that he can program without hassle. This wasn’t entirely successful, so he finally bit the bullet and switched to an FPGA. There are still some CPU-emulated ROMs in the new system. There are also CPUs dealing with the front panel (especially the disassembler) and managing USB and mass storage.

Unlike some homebrew computers, BURP can address 64K of memory, has 16 registers, and clocks at a respectable 2.1 million instructions per second. There are 99 instructions in 27 broad categories.

While we know it was unnecessary, we liked it. There aren’t plans for the build that hwe could find, but there were a lot of ideas we’d like to borrow next time we’re building a toy CPU. We’ve seen builds that were a Z-80 (or other CPU) with a microcontroller for all the other parts. Or, just emulate everything. We don’t judge. Building your own CPU is a feat if you use relays, tubes, transistors, ICs, or even software.

youtube.com/embed/6GI3cAsZgF0?…

hackaday.com/2025/11/10/an-unn…

HAEA, una sussidiaria del gruppo sudcoreano Hyundai Motor Group con sede in California, USA, fornisce soluzioni e servizi IT personalizzati per l’industria automobilistica, in particolare alle filiali Hyundai e Kia.

Queste soluzioni includono telematica per veicoli, aggiornamenti over-the-air (OTA), mappatura, connettività dei veicoli, sistemi embedded e sistemi di guida autonoma. L’azienda fornisce anche sistemi aziendali per gli stabilimenti automobilistici, inclusi sistemi di vendita ed ERP, nonché piattaforme di produzione digitale.

L’HAEA ha riferito che gli aggressori sono riusciti a violare la sua rete il 22 febbraio e hanno mantenuto l’accesso non autorizzato al sistema per 10 giorni prima di essere scoperti il 2 marzo.

Un’indagine interna ha rivelato che gli hacker hanno avuto accesso a parti del database degli utenti durante questo periodo, potenzialmente trapelando numeri di previdenza sociale e informazioni sulla patente di guida.

L’azienda ha inviato informative agli uffici dei procuratori generali di diversi stati degli Stati Uniti.

Non è ancora chiaro se la violazione abbia interessato solo dipendenti o clienti/utenti, né quante persone siano state colpite. HAEA ha annunciato due anni di monitoraggio gratuito del credito per i proprietari di veicoli interessati e consiglia agli utenti di abilitare l’autenticazione a più fattori e di diffidare delle email di phishing e delle attività insolite sugli account.

Negli ultimi anni Hyundai ha subito diversi incidenti di sicurezza informatica, tra cui un attacco ransomware da parte di Black Basta, che sosteneva di aver violato le operazioni europee di Hyundai e rubato fino a 3 TB di dati; e incidenti di sicurezza nelle sue filiali italiane e francesi, in cui sono trapelate informazioni sensibili come indirizzi e-mail degli utenti, indirizzi e numeri di identificazione dei veicoli.

Inoltre, i ricercatori hanno scoperto significative vulnerabilità in termini di privacy e sicurezza nell’app complementare di Hyundai per i proprietari di Kia e Hyundai, che consentono il controllo remoto non autorizzato del veicolo. Anche il sistema antifurto integrato si è recentemente rivelato inefficace.

L'articolo Violazione dati HAEA, sussidiaria di Hyundai: informazioni sensibili a rischio proviene da Red Hot Cyber.

I ricercatori hanno scoperto diverse librerie nel registro pubblico NuGet contenenti codice che si attiverà nel 2027 e nel 2028. I pacchetti infetti prendono di mira tre noti motori di archiviazione dati .NET (Microsoft SQL Server, PostgreSQL e SQLite) e un componente è specificamente mascherato da libreria per funzionare con i controller Siemens S7.

Gli analisti di Socket hanno trovato nove pacchetti pubblicati dall’account shanhai666. A prima vista, le librerie sembravano funzionare normalmente: quasi tutto il codice (circa il 99%) svolgeva funzioni utili, quindi gli sviluppatori potrebbero non aver notato nulla di sospetto. Tuttavia, ogni libreria conteneva un piccolo frammento di logica dannosa, un modulo di circa 20 righe, incorporato nelle chiamate standard dell’applicazione.

La tecnica di iniezione si basa su metodi di estensione C#. Queste estensioni vengono eseguite ogni volta che viene chiamata un’operazione sul database o durante l’interazione con il PLC, consentendo l’inserimento del blocco dannoso nel flusso di esecuzione senza modificare le interfacce dell’applicazione.

Internamente, viene verificata la data di sistema: se rientra in un intervallo strettamente definito (dall’8 agosto 2027 al 29 novembre 2028), viene avviato un generatore di numeri casuali compreso tra 1 e 100. Se il valore è superiore a 80 (circa il 20% dei casi), viene chiamato Process.GetCurrentProcess().Kill(), che termina immediatamente il processo corrente.

Per le applicazioni server e i servizi con transazioni frequenti, questo comportamento si traduce in improvvisi guasti del servizio e interruzioni nell’elaborazione delle richieste. Nei sistemi industriali, una logica simile può interrompere la comunicazione con le apparecchiature e disabilitare i nodi di controllo critici.

Un rischio separato è rappresentato dal pacchetto Sharp7Extend, che si spaccia per un’estensione della popolare libreria Sharp7, una soluzione .NET per la comunicazione con i PLC Siemens S7 . L’aggressore ha deliberatamente utilizzato un nome simile, sperando che gli sviluppatori lo trovassero durante la ricerca di “miglioramenti” per Sharp7. Questa libreria sostitutiva implementa due diversi metodi di attacco.

Il primo schema prevede la terminazione immediata della sessione: quando viene chiamata una funzione di transazione, nel 20% dei casi si verifica una terminazione forzata, interrompendo la comunicazione con il controller. Questa modalità è valida fino al 6 giugno 2028. Il secondo schema è più complesso: il modulo tenta di leggere un valore di configurazione inesistente, interrompendo l’inizializzazione. Viene quindi attivato un filtro di scrittura e impostato un ritardo artificiale da 30 a 90 minuti. Dopo l’intervallo specificato, i parametri in scrittura che rientrano nel filtro hanno una probabilità dell’80% di essere corrotti. Le conseguenze sono che gli attuatori non ricevono comandi, i setpoint non vengono aggiornati, i sistemi di protezione non funzionano e i parametri di processo rimangono invariati o assumono valori errati.

La combinazione di interruzione immediata del processo e danneggiamento ritardato rende l’attacco in più fasi: prima vengono interrotti il monitoraggio e la comunicazione, poi viene introdotto un errore nascosto nella logica di controllo, che si manifesta in seguito e provoca errori di sicurezza e di processo.

Al momento della pubblicazione, i ricercatori hanno notato che l’account shanhai666 ospitava inizialmente 12 pacchetti, ma solo nove includevano il payload dannoso. Dopo un massiccio download (circa 9.500), questi account e pacchetti sono stati rimossi dal catalogo. Tuttavia, il rischio permane: i progetti che hanno già accettato tali dipendenze potrebbero essere compromessi all’attivazione dei trigger.

Di seguito sono riportati alcuni consigli pratici per i team di sviluppo e gli operatori di reti industriali. Innanzitutto, esaminate immediatamente l’elenco di tutte le dipendenze e verificate la presenza dei seguenti pacchetti: SqlUnicorn.Core, SqlDbRepository, SqlLiteRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlRepository, MyDbRepository, MCDbRepository e Sharp7Extend.

Se viene trovata una corrispondenza, disinstallate il componente, eseguite il rollback a una build sicura e ripristinate le applicazioni da un backup verificato. In secondo luogo, eseguite l’inventario dei download e delle build per assicurarvi che la vostra build toolchain non abbia recuperato versioni infette.

Gli autori del rapporto sottolineano che le motivazioni e le origini della campagna sono ancora sconosciute, ma l’esecuzione stessa dimostra un attacco ben congegnato alla supply chain del software. Un piccolo frammento dannoso incorporato in librerie attendibili potrebbe causare gravi interruzioni sia all’infrastruttura IT che alla produzione industriale se non vengono adottate misure urgenti per rilevare e mitigare la minaccia.

L'articolo Malware come Bombe ad orologeria! La minaccia per i PLC Siemens S7 parte dal 2027 proviene da Red Hot Cyber.