Android updates January 2025, 38 vulnerabilities fixed: let's update our devices
Google has released the first Android Security Bulletin of 2025, containing updates for 38 vulnerabilities, six of which are rated critical in severity. Here are all the details and advice for securing your devices
The article Android updates January 2025, 38 vulnerabilities fixed: let's update our devices comes from Cyber Security 360.
Bending Light, Bending Time: A DIY Polarizer Clock
Imagine a clock where the colors aren’t from LEDs but a physics phenomenon – polarization. That’s just what [Mosivers], a physicist and electronics enthusiast, has done with the Polarizer Clock. It’s not a perfect build, but the concept is intriguing: using polarized light and stress-induced birefringence to generate colors without resorting to RGB LEDs.
The clock uses white LEDs to edge-illuminate a polycarbonate plate. This light passes through two polarizers—one fixed, one rotating—creating constantly shifting colours. Sounds fancy, but the process involves more trial and error than you’d think. [Mosivers] initially wanted to use polarizer-cut numbers but found the contrast was too weak. He experimented with materials like Tesa tape and cellophane, choosing polycarbonate for its stress birefringence.
The final design relies on a mix of materials, including book wrapping foil and 3D printed parts, to make things work. It has its quirks, but it’s certainly clever. For instance, the light dims towards the center, and the second polarizer is delicate and finicky to attach.
This gadget is a splendid blend of art and science, and you can see it in the video below the break. If you’re inspired, you might want to look up polariscope projects, or other birefringence hacks on Hackaday.
youtube.com/embed/Xr7OFTS4muE?…
The miseducation of Jan 6
HAPPY NEW YEAR. This is Digital Politics. I'm Mark Scott, and as many of us head back to work after the holiday season, I bring you live footage of my first day in the office. Be gentle.
Before we begin, a logistics note: I'm teaming up with Ben Whitelaw (and his excellent Everything in Moderation newsletter) and Georgia Iacovou (and her equally good Horrific/Terrific newsletter) for an in-person discussion/drinks about tech policy in 2025.
If you're in London on Jan 30, sign up to attend, for free, here.
— Jan 6 marks the four-year anniversary of the deadly attack on Capitol Hill. Social media's willingness to police content in the United States has only diminished since then.
— The New Year brings renewed efforts to corral artificial intelligence. Not all these governance attempts will work out.
— Ever wondered how the European Union's Digital Services Act actually works? I've got a chart for that.
Beware those who say all is well
JAN 6 MARKS ONE OF THE DARKEST DAYS in modern US history. Just two months after Joe Biden beat Donald Trump in securing the White House, a violent mob of roughly 2,000 people attacked the United States Capitol Building. Many believed the November 2020 election had been stolen from Trump — and they wanted to take it back. The insurrection eventually cost the lives of 9 individuals, including four police officers who committed suicide in the aftermath. Around 1,600 defendants have pleaded guilty to charges related to Jan 6, and another 200 have been convicted after trials. For a full breakdown, read the US House Select Committee to Investigate the Jan 6 Attacks final report.
You're probably familiar with all these facts — many of which are now openly questioned by those seeking to rewrite history. But, over the break, I found myself revisiting the leaked internal Facebook documents from Frances Haugen. Yes, it was quite a vacation. I had access to them, during my time at POLITICO, after we joined a consortium of other media outlets that were also granted access to this treasure trove of information — much of which related to how Facebook handled crises like that of Jan 6. The Wall Street Journal's Jeff Horwitz had been given a first crack at the documents.
Re-reading Facebook's approach to the build-up to Jan 6 (and subsequent violence on the day), based on these leaked documents, was troubling. They paint a picture of a social media giant struggling to come to terms with the coordinated efforts to spread the "Stop the Steal" message on its platform; an unwillingness to tackle so-called 'harmful non-violating narratives,' or posts that did not explicitly break the company's terms of service; and internal content algorithms that, within days, promoted QAnon theories to a mass audience. Meta subsequently banned QAnon-linked posts from its platforms.
"We recently saw non-violating content delegitimizing the US election results go viral on our platforms," according to an internal analysis of what happened on Facebook in the build-up to Jan 6. "Retrospectively, external sources told us that the on-platform experiences on this narrative may have had substantial negative impacts, including contributing materially to the Capitol riot."
Well, duh.
To be fair to Facebook, the platform was not the only engine for how conspiracy theories around the 2020 election spread. As someone enmeshed in that world four years ago, social media, writ large, was a major catalyzing factor in how those lies circulated. At the center of that coordination were fringe platforms — most notably Telegram — where little, if any, content moderation existed or, even now, exists. Such sophisticated online communities had flourished during the Covid-19 pandemic.
Within that context, Facebook should be considered a good corporate citizen, even if internal documents revealed it failed to clamp down on how election-related conspiracies fueled, in part, online anger and, eventually, offline violence.
For more on social media's impact on Jan 6, read the House Committee's own findings here, and an analysis of that investigation here.
It's indisputable that social media emboldened those who disliked the outcome of the 2020 US presidential election to take to the streets on Jan 6. What the Haugen documents reveal, at least within Facebook, was internal processes not adequately set up to handle such unprecedented domestic US political events. They show legitimate concerns around infringing people's free speech becoming entangled in the political realities of Facebook executives not wanting to be seen as taking sides in a highly contentious election. They highlight internal Facebook teams — whose counterparts also existed at YouTube and Twitter — struggling to get senior managers to respond quickly enough to dampen conspiracy theories that morphed into real-world violence.
But one overriding niggle I couldn't shake when re-reading these hundreds of pages of internal Facebook angst was that, in early 2025, they sounded exceedingly quaint given how much social media giants have changed over the last four years.
Yes, the likes of YouTube, Instagram and TikTok still have strong approaches toward foreign interference, even when state-backed meddling outside the US remains rife on these platforms. They also have highly robust terms of service about how illegal online content like hate speech and overt calls to violence will not be tolerated. They speak eloquently about the threat of disinformation created via generative AI, and how they are working, as an industry, to thwart such abuse.
And yet, would any of these platforms take similar measures, in 2025, to throttle the spread of overtly political conspiracy theories – even those associated with offline actions — as they did four years ago? Honestly, I'm not so sure.
You're reading the free version of Digital Politics. Here's what paid subscribers had access to over the last month:
— What role did TikTok really play in Romania's presidential election?; The new and old digital policy faces in Brussels and Washington; Western countries' split digital ambitions. More here.
— Lessons from the 2024 (digital) election-palooza: Everything you need to know about how tech shaped last year's global election cycle. More here.
— Digital Politics' 2025 predictions: A renewed focus on national security; AI lobbying leads to governance results; Efforts to quell online competition abuse falter. More here.
If that sounds up your street, you can upgrade your subscription here.
Many of the election integrity and trust and safety teams at these platforms have been culled to almost insignificance. Some firms, like Elon Musk's rebranded X, have embraced an all-or-nothing vision of free speech that fundamentally misunderstands how the First Amendment applies to such private networks. With Trump's return to the White House only weeks away, many of these platforms' chief executives are doing whatever they can to stay on the right side of arguably the most powerful person in the world. A politician, it is worth noting, who was banned from all mainstream social media platforms in the wake of Jan 6.
In this new political environment, two things are happening. First, there is an ongoing effort to reshape the content moderation discussion within the US — one that was most evident in social media's role around Jan 6 — that platforms have gone too far in quelling people's free speech. (We'll come back to why that's happening in subsequent newsletters.) Second, given this emphasis on free speech fundamentalism, social media giants are now unwilling to "break the glass" to throttle people's problematic online posts in times of emergency.
Before I get angry emails, I understand that companies say they will enforce existing terms of service on all users, and that content moderation, especially around elections, is paramount. I also understand that people within these firms are still trying to live by that ethos.
Chart of the Week
The EU's social media laws are almost one year old. Investigations into the likes of Meta, X and TikTok abound. But how does the bloc's rulebook actually operate?
Cardiff University's Nora Jansen put together this (very complicated) overview of how all the pieces of the DSA puzzle interlink.
It includes regulators like the European Commission and national Digital Services Coordinators. It includes outside groups like auditors and 'trusted flaggers.' It includes the Very Large Online Platforms and Search Engines.
To say the structure is complex would be an understatement.
Source: https://shorturl.at/XyZ1V
They said what, now?
"As a new year begins, I have come to the view that this is the right time for me to move on from my role as President, Global Affairs at Meta," Nick Clegg, the former UK deputy prime minister, wrote on his Facebook page. "And no one could pick up from where I’ve left off with greater skill and integrity than my deputy, Joel Kaplan."
AI governance at the beginning of 2025
I HAVE GOOD NEWS AND BAD NEWS for those interested in the policing of next generation artificial intelligence systems. In late December, South Korea became the second jurisdiction after the EU to pass comprehensive AI rules. That's no mean feat given the country's recent political turmoil. The AI Safety Institutes of the US and United Kingdom also conducted a joint evaluation of OpenAI's latest model in what is expected to become standard practice before other firms release their own models into the wild. In early February, French President Emmanuel Macron will welcome the great-and-the-good (and me) to Paris for the country's AI Action Summit, or effort to shepherd the technology toward the light and away from apocalyptic uses.
This year will also see AI governance efforts gain steam in the EU, via its AI Act, the Council of Europe, via its AI Convention, and in other regions where policymakers are charting their own path to harness the technology for economic development.
That's the good news. Now here comes the bad. I'm not sure this will end well. I had promised not to be a 'fun sponge' this year, and I do believe we'll see new forms of AI governance take root in 2025. I'm just not convinced it's the type of governance many of us had envisioned.
Let's take the EU's AI Act. If you listen to the bloc's leaders, the legislation will both corral the worst-case scenarios while unleashing Europe's economic potential. It is expected to be the gold standard on which others — like South Korea — will base their own legislation. It will equally be a hands-off means to jumpstart growth and a regulatory deterrent to stop firms from abusing the technology. What's not to like?
And yet, in early 2025, we're still 18 months away from all parts of the AI Act coming into force. Yes, some of the most stringent provisions, including on banned AI use cases, will kick in next month. But we're still a long way away from a meaningful regulatory rulebook — and even Brussels' AI Office, or linchpin for the European Commission on the AI Act's implementation, is still working with a skeleton crew (it's still hiring). Effective regulatory oversight, as of Jan 6, 2025, it is not.
That takes us to the other side of the Atlantic where the future of the US AI Safety Institute — and pretty much all of Joe Biden's White House Executive Order on AI — is up in the air ahead of Donald Trump's swearing in ceremony on Jan 20. Publicly, the future US president has said he will kill his predecessor's AI governance plans. I'm not so sure. The Trump 1.0 Administration passed its own Executive Order on AI, and incoming tech policymakers like Lynne Parker may temper efforts to quash all forms of AI governance.
And yet, that leaves the US AI Safety Institute, whose mandate includes spearheading much of this policy work, in limbo until those political decisions are made. It also places Washington's position in broader global discussions around AI governance — including those to be held in Paris on Feb 10-11 at the AI Action Summit — on equally shaky ground.
My best guess is that Trump 2.0 keeps some, but not all, of Biden's AI efforts, especially those related to national security and economic productivity. Having AI experts in senior positions in all federal agencies, for instance, is just good politics.
Given the US AI Safety Institute sits within the US Commerce Department, I would also bet it survives under the incoming administration. But I wouldn't put much money on the White House pushing anything more than voluntary commitments for AI companies when it comes to transparency, accountability and greater oversight.
Here's one wild card for you: the United Nations. Its AI Advisory Body has already called for global AI governance efforts to mostly fall under the international body's remit. That would allow the likes of China and Russia to have equal say as democratic countries. Something that hasn't exactly worked out well for the UN's separate Cybercrime Treaty.
Watch out for more power grabs by the UN over how AI systems are governed during 2025. It's 100 percent legitimate that the international body wants to make such discussions more equitable, including for Global Majority countries. But if these negotiations lead to authoritarian governments running roughshod over fundamental rights, then we will start to have a problem.
What I'm reading
— The US Treasury Department added a number of Russian and Iranian nationals to its sanction list related to cyber attacks and foreign interference. More here.
— Julie Inman Grant, Australia's eSafety Commissioner, explained the importance of newly-created codes of practice under the country's Online Safety Act. More here.
— The outgoing Italian G7 Presidency finalized reporting frameworks for how the most advanced forms of AI would be overseen. More here.
— Researchers at the Friedrich Naumann Foundation for Freedom outlined China's ever-evolving tactics to cyber operations and disinformation. More here.
— Ahead of the TikTok hearing in the US Supreme Court on Jan 10, here's an overview of the amicus briefs related to the case.
Meta eliminates fact-checkers in the United States: the reactions of Trump and Musk
#PoliticalNotes
ilglobale.it/2025/01/meta-elim…
@politica
ilGlobale - Daily newspaper of economic, political and technological news. ilGlobale.it
#CyberSecurity
securebulletin.com/t-mobile-da…
T-Mobile data breach: Washington State has initiated legal proceedings - Secure Bulletin
Washington State has initiated legal proceedings against T-Mobile, alleging significant cybersecurity failures that led to a massive data breach in 2021. securebulletin.com
#CyberSecurity
securebulletin.com/mirai-based…
Mirai-based botnet also targets Huawei routers - Secure Bulletin
A new wave of cyber threats has emerged as a sophisticated Mirai-based botnet has been discovered targeting industrial routers and smart home devices using zero-day exploits. securebulletin.com
#CyberSecurity
securebulletin.com/critical-vu…
Critical vulnerabilities in Oracle WebLogic Server and Mitel MiCollab, CISA warns - Secure Bulletin
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding critical vulnerabilities in Oracle WebLogic Server and Mitel MiCollab systems that are currently being exploited in cyberattacks. securebulletin.com
#tech
spcnet.it/si-avvicina-la-fine-…
@informatica
The end of Windows 10 support is approaching, and many PCs are still in active use
As the Windows 10 end-of-support deadline approaches, millions of users find themselves having to face important decisions. Spcnet.it
AWS says it will invest "at least" $11 billion to expand data center infrastructure in Georgia
"AWS is proud to expand its operations in Georgia to help drive the next generation of cutting-edge technologies such as artificial intelligence."
And above all, Georgia is a Republican state... 😈
techcrunch.com/2025/01/07/aws-…
AWS says it'll invest 'at least' $11B to expand data center infrastructure in Georgia | TechCrunch
Amazon's cloud computing division says that it plans to invest "at least" $11 billion in Georgia to expand its data center infrastructure. Kyle Wiggers (TechCrunch)
On the matter of the data breach at #Infocert SpA, an inquiry from the Italian Privacy Guarantor (Garante Privacy) has arrived.
Update on the article:
cybersecurity360.it/nuove-mina…
Infocert data breach: what happened and what are the risks for millions of Italians
A criminal advertisement speaks of the online exposure of 5.5 million customer records from Infocert's infrastructure. The origin could be a vulnerability in an online ticketing support system. Dario Fadda (Cyber Security 360)
Feds investigate Tesla's "Actual Smart Summon" after several crashes
The National Highway Traffic Safety Administration has opened an investigation into 2.56 million Tesla vehicles after several crashes involving the automaker's "Actual Smart Summon" remote parking feature
techcrunch.com/2025/01/07/feds…
Feds investigate Tesla’s ‘Actual Smart Summon’ after several crashes | TechCrunch
The National Highway Traffic Safety Administration has opened an investigation into 2.56 million Tesla vehicles after several crashes involving the… Rebecca Bellan (TechCrunch)
The FTC accuses the gig work app Handy of misleading ads and opaque fees for workers
US District Court for the Southern District of New York, the FTC and the New York attorney general say that Handy advertised earnings that "do not reflect reality for the majority of workers on the platform"
techcrunch.com/2025/01/07/ftc-…
FTC accuses gig work app Handy of misleading ads and opaque fees for workers | TechCrunch
The FTC and NY's attorney general have accused the gig work app Handy of misleading workers with deceptive ads and fees. Kyle Wiggers (TechCrunch)
Zuckerberg says he will move Meta's moderators to Texas because California seems too "biased"
"it will help us build trust to do this work in places where there is less concern about the bias of our teams," said the Meta CEO, and he thought "The time has come for relentless ass-kissing of the Republicans"
theverge.com/2025/1/7/24338305…
Zuckerberg says he’s moving Meta moderators to Texas because California seems too ‘biased’
Meta CEO Mark Zuckerberg says that the company will be moving its content moderation teams from California to Texas to “help remove the concern that biased employees are overly censoring content.” Jay Peters (The Verge)
Lockbit 4.0. What will the future of this ransomware cyber gang be?
The LockBit ransomware group plans to make a big comeback in the cyber threat arena with the release of LockBit 4.0, scheduled for February 2025.
This was reported by Cyble researchers who study criminal activity on the darknet.
LockBit's revival comes almost a year after a large-scale international police operation that inflicted significant losses on the group, including the arrest of members and the recovery of nearly 7,000 data decryption keys.
Against this backdrop, another group, RansomHub, has become the dominant force in ransomware.
A LockBit advertisement circulated on the dark web sought new members. “Want a Lamborghini, a Ferrari and busty beauties? Sign up and start your journey as a billionaire pentester in 5 minutes with us.”
Despite such bold statements, LockBit's return remains in doubt. After serious blows such as arrests, leaked decryptors and competition from other RaaS groups, its position has weakened considerably.
The latest version of the LockBit software, 3.0, was released more than two years ago. Development of the new version was probably hampered considerably by law enforcement's possible access to the source code.
LockBit 4.0 is expected to be distributed as part of the now-popular RaaS model, in which ransomware, infrastructure and manuals are sold in exchange for a share of the profits. However, the group also faces competition because of the leak of its own source code, which makes the situation particularly difficult.
Experts speculate that LockBit may change its target regions or types of attack to avoid the attention of international law enforcement. Recall that the 2022 attack on the SickKids hospital in Toronto drew widespread criticism and even forced the group to apologize by providing a free decryptor. This was an example of a very poor strategy that further damaged its reputation.
The official launch of LockBit 4.0, including access to the new darknet resource, is scheduled for February 3, 2025. How long will the group last this time?
The article Lockbit 4.0. What will the future of this ransomware cyber gang be? comes from il blog della sicurezza informatica.
#tech
spcnet.it/meta-piu-simile-a-x-…
@informatica
Meta more like X: it ends its fact-checking service, helping polarization
Meta has announced a significant restructuring of its content management strategy, deciding to abandon the fact-checking program in favor of a system driven by the com… Spcnet.it
How is the book?
I had read Sapiens and was very impressed. Nexus is on my reading list, but I let myself be swayed by this article ilpost.it/2024/09/30/yuval-noa…
Yuval Noah Harari always makes it sound simple
He is one of the most widely read and influential historians in the world, but his ambitious books continue to be criticized for their hasty and sensationalist interpretations of very complex phenomena. Il Post
Gaze Upon This Omni-directional Treadmill’s Clever LEGO Construction
Want to see some wildly skillful LEGO construction? Check out [Banana Gear Studios]’ omni-directional treadmill which showcases not only how such a thing works, but demonstrates some pretty impressive problem solving in the process. Construction was far from straightforward!
A 9×9 grid of LEGO shafts all turning in unison is just one of the non-trivial design challenges.
In principle the treadmill works by placing an object on a bed of identical, rotating discs. By tilting the discs, one controls which edge is in contact with the object, which in turn controls the direction the object moves. While the concept is straightforward, the implementation is a wee bit more complex. LEGO pieces offer a rich variety of mechanical functions, but even so, making a 9×9 array of discs all rotate in unison turns out to be a nontrivial problem to solve. Gears alone are not the answer, because the shafts in such a dense array are a bit too close for LEGO gears to play nicely.
The solution? Break it down into 3×3 self-contained chunks, and build out vertically with gimbals to take up the slack for gearing. Use small elastic bands to transfer power between neighbors, then copy and paste the modular 3×3 design a few times to create the full 9×9 grid. After that it’s just a matter of providing a means of tilting the discs — which has its own challenges — and the build is complete.
Check out the video below to see the whole process, which is very nicely narrated and illustrates the design challenges beautifully. You may see some similarities to Disney’s own 360° treadmill, but as [Banana Gear Studios] points out, it is a technically different implementation and therefore not covered by Disney’s patent. In an ideal world no one would worry about getting sued by Disney over an educational LEGO project posted on YouTube, but perhaps one can’t be too careful.
youtube.com/embed/YJfeIborE-c?…
The Helicone: Toy or Mathematical Oddity?
We always enjoy videos from the [Mathologer], but we especially liked the recent video on the Helicone, a toy with a surprising connection to mathematics. The toy is cool all by itself, but the video shows how a sufficiently large helicone models many “natural numbers” and, as [Mathologer] puts it, acts as “microscope to probe the nature of numbers.”
The chief number of interest is the so-called golden ratio. A virtual model of the toy allows easy experimentation and even some things that aren’t easily possible in the real world. The virtual helicone also allows you to make a crazy number of layers, which can show certain mathematical ideas that would be hard to do in a 3D print or a wooden toy.
Apparently, the helicone was [John Edmark’s] sculpture inspired by DNA spirals, so it is no surprise it closely models nature. You can 3D print a real one.
Of course, the constant π makes an appearance. Like fractals, you can dive into the math or just enjoy the pretty patterns. We won’t judge either way.
We’ve seen math sequences in clocks that remind us of [Piet Mondrian]. In fact, we’ve seen more than one of those.
youtube.com/embed/_YjNEfZ0VqU?…
Rich Online but Real Targets! The Sad Story of Physical Attacks on Cryptocurrency Traders
In recent months, cases of physical attacks on cryptocurrency investors and their loved ones have become more frequent around the world. Between the end of 2024 and the beginning of 2025 alone, at least three high-profile incidents were recorded. Experts suggest that as the cryptocurrency market grows, the number of such crimes will increase.
One of the most recent cases was the kidnapping of the father of a well-known crypto influencer in France on New Year's Eve. According to local media, police accidentally discovered a 56-year-old man in the trunk of a car that had been stopped for a check in the city of Le Mans. The suspects managed to escape, while the victim himself had been tied up, beaten and doused with gasoline.
The kidnappers were trying to obtain a ransom in cryptocurrency from his son, who is known for posting about his wealth on social networks. The crypto influencer contacted the police, who helped free his father.
In Pakistan, on December 29, seven people were arrested on suspicion of kidnapping a cryptocurrency trader and extorting $340,000. Notably, those arrested included an employee of the Counter-Terrorism Department. The victim was kidnapped at night, loaded into a car without license plates and forced to transfer money through the Binance platform. A few hours later, the trader was released.
On December 24 in Brussels, there was an attempt to kidnap the wife of another crypto influencer. The attackers tried to take hostages, but the police intervened, leading to a chase that ended with a crash in Bruges and the arrest of the criminals.
The increase in such attacks is a cause for serious concern. According to Jameson Lopp, Bitcoin security expert and co-founder of Casa, 2025 could be a record year for the number of physical attacks against cryptocurrency owners and their families.
Therefore, in the coming year physical security will become as important as protecting digital assets. Publicity and the flaunting of wealth in the cryptocurrency era can not only attract excessive attention but can also turn owners into real targets for attackers.
The article Rich Online but Real Targets! The Sad Story of Physical Attacks on Cryptocurrency Traders comes from il blog della sicurezza informatica.
redhotcyber.com/post/ricchi-on…
Physical attacks on cryptocurrency traders are on the rise. Discover the most recent cases and why physical security is crucial in 2025. Redazione RHC (Red Hot Cyber)
Cleaning Up Bhopal: the World’s Worst Industrial Disaster
Forty years ago, on the night of Sunday 2 December of 1984, people in the city of Bhopal and surrounding communities were settling in for what seemed like yet another regular night. The worst thing in their near future appeared to be having to go back to school and work the next day. Tragically, many of them would never wake up again, and for many thousands more their lives would forever be changed in the worst ways possible.
During that night, clouds of highly toxic methyl isocyanate (MIC) gas rolled through the streets and into houses, venting from the Bhopal pesticide plant until the leak petered out by 2 AM. Those who still could wake up did so coughing, with tearing eyes and stumbled into the streets to escape the gas cloud without a clear idea of where to go. By sunrise thousands were dead and many more were left severely ill.
Yet the worst was still to come, as the number of casualties kept rising, legal battles and the dodging of responsibility intensified, and the chemical contamination kept seeping into the ground at the crippled plant. Recently there finally seems to be progress in this clean-up with the removal of 337 tons of toxic waste for final disposal, but after four decades of misgivings and neglect, how close is Bhopal really to finally closing the chapter on this horrific disaster?
Chemistry Of A Disaster
Tank 610, the source of the lethal cloud in Bhopal. (Credit: Julian Nyča, Wikimedia)
The Union Carbide India Limited (UCIL) pesticide plant in Bhopal was built in 1969 to produce the pesticide Sevin (carbaryl) which uses MIC (CH3NCO) as an intermediate. By the time the plant was operating, there were ways to produce carbaryl without MIC as an intermediate, but this was more costly and thus UCIL kept producing the pesticide using the MIC-based process. This is why by the early 1980s MIC was still being produced at the UCIL plant, with multiple on-site MIC storage tanks.
The process used to create the carbaryl at UCIL was quite straightforward, involving the direct reaction of 1-naphthol with MIC:
C10H7OH + CH3NCO → C10H7OC(O)NHCH3
This is similar to the MIC-free process, which uses the same precursors (phosgene and 1-naphthol) to produce 1-naphthylchloroformate. After this product reacts with methylamine, it too produces carbaryl, but avoids the creation of MIC and the hazards posed by this substance. The counterpoint here is that MIC is easy to manufacture through the reaction of phosgene and monomethylamine, and MIC is highly reactive, ergo easy to use.
Unfortunately this high reactivity adds to the hazards already posed by the chemical itself. It will readily react with just about anything containing an N-H or O-H group in a strongly exothermic reaction. In the case of the UCIL plant, a large amount of water (H2O) had been accidentally introduced to a MIC storage tank, resulting in a violent exothermic reaction that caused 42 tons of MIC to be released into the atmosphere.
Which brings us to the clean-up of such a disaster.
Everything Is Toxic
Unlike with a nuclear accident where you can use a Geiger counter to be quite certain that you won’t come into contact with any hazardous materials, a disaster site like that at the UCIL plant offers no such comforts. The US (NIOSH) health exposure limits for MIC are set at 0.12 ppm on skin for the IDLH (immediately dangerous to life or health), prescribing supplied-air respirators when entering areas with MIC contamination. The exact mechanism behind MIC’s toxicity isn’t known yet, and there is no known treatment following fatal exposure.
In addition to MIC, the now abandoned UCIL plant and its surroundings have been found to be contaminated with other chemicals that were present at the time of the disaster, along with additional toxic waste that was dumped after the closure of the plant. These contaminants include various heavy metals (lead, mercury), carbaryl, 1-naphthol, chlorinated solvents and much more. Ground water contamination has been established at a few kilometers from the UCIL site, as well as in soil, well water and locally grown vegetables, all of which has led to a quiet human tragedy among the (generally poor) population living in the area.
What complicates matters here is that there’s strong disagreement on the exact scope of the contamination. The contamination of the aquifer and groundwater is often disputed by officials, even as epidemiological studies show the clear health impact on the local population across multiple generations. These impacts include cancer, developmental issues and cognitive impairments. People who moved into the area long after the disaster – lured by the cheap land – found the soil to be heavily contaminated and causing health issues. In an admission of the poisoned ground water, the local government has since put a clean water supply in place, using pipes that carry in clean outside water.
Meanwhile, at the former UCIL site, there are multiple 1970s-era (mostly unlined) solar evaporation pits which were used for storing chemical waste. These pits were never emptied, unlike the storage tanks and vats elsewhere on the terrain. This means that these abandoned pits have to be fully decontaminated somehow to prevent even more of the waste that’s still in them from leaking into the groundwater.
Then there are the hundreds of tons of hazardous waste that have been stored without a clear plan on what to do with them. The 337 tons in leak-proof containers that have now been moved for incineration are the first major step after a trial run with a batch of 10 tons in 2015, with the emissions from this incineration deemed to be acceptable. In addition to these, thousands more tons have been buried or stored elsewhere on the plant’s site.
An Exclusion Zone That Isn’t
Aerial photograph of the Kingston Fossil Plant coal fly ash spill. (Credit: Tennessee Valley Authority)
A mostly appropriate response to a toxic spill is exemplified by the 2008 fly ash spill at the Kingston Fossil Plant in Tennessee. After a coal ash pond ruptured and spilled heavy metal-laden fly ash into the adjoining Emory River, 40 homes were destroyed and 300 acres (121.4 hectares) were covered in toxic sludge. This was the largest industrial spill in US history.
These fly ash pools used to be unlined pits, not unlike those at the UCIL plant. Those involved in the clean-up suffered a range of health effects, with dozens dying. The plant owner – TVA – ended up having to purchase the contaminated land, with the clean-up resulting in a partial recovery of the area by 2015 and by 2017 the river was deemed to have ‘recovered’. The home owners in the area did not have to live in the sludge, and TVA was on the hook for remediation and payment of compensation.
Remediation mostly involved removing the countless tons of sludge and disposing of it. Current and new fly ash ponds had to be fitted with a liner, or be shut down, along with a string of new safety measures to prevent this type of accident.
In the case of the UCIL plant at Bhopal, the affected area should have been turned into an exclusion zone, and inhabitants relocated, pending environmental assessment of the extent of the contamination. Even in the Soviet Union this was possible after the RBMK core steam explosion near Pripyat, which resulted in today’s Chornobyl Exclusion Zone. Unlike radioactive isotopes, however, heavy metals and toxins do not quietly go away by themselves if left alone.
Considering the sheer scope of the contamination around the former UCIL plant in Bhopal, it does seem realistic that this area will not be suitable for human habitation again within the next hundreds to thousands of years, barring a thus far unimaginable clean-up effort.
Featured image: Deteriorating section of the UCIL plant near Bhopal, India. (Credit: Luca Frediani, Wikimedia)
More Things to Do with Your Cheap Yellow Display
The Cheap Yellow Display (CYD) is an ESP32 development board that’s been making the rounds for a while now, thanks to its value and versatility. For around $10 USD, you get a nicely integrated package that’s perfect for a wide array of projects and applications. Toss a couple in on your next AliExpress order, and all you need to do is come up with an idea. [Craig Lindley] had two ideas, and maybe they will help get those gears turning in your head. Even if you don’t need a network-connected MP3 player or GPS information display, we bet browsing the source code would be useful.
There are plenty of opinions about listening to music, but this first project is particularly interesting for those who like to keep their collection locally. [Craig]’s code can read the MP3s stored on the SD card and present the user with a menu system for browsing them by artist or album.
Should you want to add more music to the collection, you can connect to the player over FTP and directly upload it to the SD card. But perhaps the real kicker is that the audio playback is done over Bluetooth, so you can rock out wirelessly. While we don’t necessarily have a problem with the sparse UI, it seems like with a little sprucing up (album art, graphical menus), this would be a fantastic framework for open-source personal audio players.
The second project is perhaps most interesting because it brings some new hardware to the table, namely a serially connected GPS module. In its current state, we’d probably classify this one as more of a tech demo. Still, it can already show the device’s current coordinates, altitude, and speed. In addition, it can pull the current time and date from the GPS stream, which could have some interesting applications for those working on custom clocks.
We’ve had our eye on the CYD community for a while now and love the creativity that we’ve been seeing. We thank [Craig] for sending these projects our way, and as a reminder, if you’ve got something you’d like to show off to a global audience of hackers and makers, don’t hesitate to drop us a line. If you’ve got a thing for MP3 players, we’ve seen a ton. As for GPS trackers, we like to put them on our pets.
70 Million Dollars for Finding the Lost Boeing 777
The Malaysian government is launching a new operation to search for the Boeing 777 that disappeared from the skies ten years ago. The plan involves an unconventional approach: amateur radio signals will help determine the aircraft’s possible route.
The country’s authorities have signed a contract with the private company Ocean Infinity, which works in marine robotics. The contract runs for a year and a half. If the company’s staff find the missing aircraft, they will receive a reward of 70 million dollars.
The search uses Weak Signal Propagation Reporter (WSPR) technology. Its operating principle resembles a “breadcrumb” trail: through this system, radio amateurs around the world constantly transmit low-power signals, and if a large aircraft flies through their coverage area, it leaves a noticeable mark on the instrument readings.
The trace arises from the distortion of waves reflected by a massive metal body. Researchers will analyze the archived WSPR data for March 8, 2014, the day the flight disappeared. Based on the characteristic disturbances in the network, they hope to reconstruct the approximate route of the Boeing 777 after it stopped communicating with dispatchers.
Professor Simon Maskell, a consultant for Ocean Infinity, explains that if some flight trajectories can be ruled out, the search will become much more productive. Specialists will be able to concentrate their efforts on promising areas.
The Malaysia Airlines aircraft was operating flight MH370 from Kuala Lumpur to Beijing. Contact with it was lost when the aircraft entered Vietnamese airspace over the Gulf of Thailand. Military radar detected that the Boeing suddenly turned and flew toward the Indian Ocean. An hour after takeoff, the signal disappeared.
On board were 227 passengers and 12 crew members. Relatives still do not know what happened to their loved ones. Over the years, only a few pieces of aircraft wreckage have been found off the eastern coast of Africa, thousands of kilometers from Malaysia.
Ocean Infinity has assigned the search an area of 5,800 square miles, or about 15,022 square kilometers. Even though the search field has been narrowed, the task remains arduous.
Experts believe that within ten years the fuselage of the Boeing 777 could sink into the soft mud of the southern Indian Ocean floor. This makes detection very difficult even with modern equipment. But the Malaysian government is counting on modern maritime technology, combined with WSPR data, to help solve the mystery.
The article 70 Million Dollars for Finding the Lost Boeing 777 comes from il blog della sicurezza informatica.
Telegram hands over the data of thousands of users to US law enforcement
Telegram reveals that the communication platform fulfilled 900 requests from the US government, sharing the phone numbers or IP addresses of 2,253 users with law enforcement.
@fp75sx tight-lipped, at least toward Western watchdogs. Not anymore. But secure it has never been. On the contrary, it has always represented the exact opposite of security and confidentiality. Otherwise it is an excellent platform that I use regularly because it is flexible and has proven extremely scalable. From this point of view it has always been a thousand times better than WhatsApp. But security, that it really never had... 😅
From Prehistory to Safety! Microsoft Develops a One-Click C-to-Rust Converter
Scientists at the French research center Inria, together with Microsoft, have developed a way to automatically convert C code into safe Rust code, with the aim of meeting the growing demand for memory safety.
Created in the 1970s, the C programming language has become the foundation for many mission-critical systems, applications and libraries, including the Linux kernel. However, C, like its logical successor C++, does not guarantee memory safety. Its manual memory management, while providing flexibility and efficiency, is prone to errors such as out-of-bounds accesses and use-after-free.
These bugs make up a significant share of software vulnerabilities. For example, in 2019 they accounted for 76% of Android vulnerabilities, but thanks to the use of Rust and secure coding this figure fell to 24% in 2024.
Rust lets you write both safe and unsafe code, leaving the choice to the developer. By contrast, C and C++ require significant effort, such as static analysis and testing, to achieve memory safety, and do not provide it natively.
In recent years there has been strong support for moving to languages with built-in memory safety, such as Rust, Go, Python and Java. Despite this, some programmers keep looking for ways to use C and C++ safely, avoiding the move to Rust. Google, while actively promoting Rust, also acknowledges that C and C++ will remain in use for many years to come.
Among the attempts to improve the safety of C, projects such as TrapC and Fil-C stand out. The former develops an approach based on a subset of the language, while the latter, although it provides safety, reduces performance and does not support full compatibility with the application binary interface.
The study Compiling C into Safe Rust, by researchers Aymeric Fromherz (Inria) and Jonathan Protzenko (Microsoft), offers an alternative approach. They focused on translating formally verified code for industrial use into safe Rust. To do this, they created a subset of the C language called Mini-C, which avoids constructs that are hard to translate, such as pointer arithmetic and implicit mutability.
By using Mini-C through the KaRaMeL compiler, developers get automatic conversion of the code into safe Rust. For example, the HACL cryptographic library, consisting of 80,000 lines of code, was translated with minimal changes. And the EverParse serializer library, containing 1,400 lines of code, was converted without any changes. The performance of the resulting Rust code remained on par with the original C, despite the addition of extra checks and other improvements.
The fruits of the researchers’ work are already being used in real-world security applications. For example, the Rust version of HACL was recently integrated into the Mozilla NSS and OpenSSH libraries.
The article From Prehistory to Safety! Microsoft Develops a One-Click C-to-Rust Converter comes from il blog della sicurezza informatica.
Everyone against Musk, Musk against everyone
Keir Starmer, Emmanuel Macron and Olaf Scholz accuse the US billionaire of meddling more and more in the politics of their countries, backing right-wing parties
Frankly, I am very worried, especially about the deadlocks he intends to create. For example, if he invades Greenland (Denmark, a NATO country and Europe): do we go to war? And so on for everything else; do we have to let ourselves be dominated by those who behave like troglodytes?
From Prehistory to Safety! Microsoft Develops a One-Click C-to-Rust Converter
redhotcyber.com/post/dalla-pre…
Microsoft and Inria develop a method to automatically convert C code into safe Rust, eliminating memory bugs. Find out how it works! Redazione RHC (Red Hot Cyber)
Keebin’ with Kristina: the One with the Circuit Sculpture Keyboard
Image by [New-Concentrate6308] via reddit
Don’t worry, [New-Concentrate6308] is working on the GitHub for this final build of 2024, dubbed the GEMK_47. That stands for Grid Ergo Magnetic Keyboard, but I swear there are 48 keys.
What we’ve got here is a split ergo with an ortholinear layout. There’s a round screen and encoder on the left side, and a 35 mm trackpad on the right. There’s also space for some other round thing on this side, should you want another rotary encoder or whatever fits in place of the spacer.
Internally, there’s a Waveshare RP2040 Tiny and a mixture of Gateron Oil Kings and Gateron Yellow V3 switches. That lovely case is printed in silk silver PLA, but [New-Concentrate6308] wants to try metal-filled PLA for the next version. Although the original idea was to go wireless, ZMK didn’t play nicely with that round display, which of course is non-negotiable.
Hello Banana Katana! Goodbye Copper? 🙁
So this beauty is Banana Katana, a work in progress by [leifflat]. The bad news is that [leifflat] is probably gonna ditch the copper even though it looks sick here in circuit sculpture mode. Apparently it types nicely, but just doesn’t feel right overall.
Image by [leifflat] via reddit
The story is that [leifflat] saw a Katana layout a few months ago and fell in love. After having this idea kicking around the brain, he decided to just go for it and built this from scratch.
First order of business was to design the layout in Keyboard Layout Editor (KLE), then transfer that to a plate generator. Then that was imported into Fusion360 and messed around with a bit to get the final result.
The coolest thing aside from the obvious is that there’s a 3D-printed plate with hot swap sockets mounted on it. How? [leifflat] used sacrificial switches and super glue, then took the switches out when it was dry. Here’s a picture of the underside. So why is the bottom row of keys upside down? Because it’s more comfortable that way for some thumbs. You should try it.
The Centerfold: This Delicious Panorama
Image by [Local-Tip-3552] via reddit
It’s a good day when you find a subreddit you can call home. [Local-Tip-3552] recently found r/mechanicalheadpens, which is the place for crossover fans of mechanical keyboards, headphones, and fountain pens. (They’re on the far right.)
I won’t list all the details of the setup; you can find those in the reddit post. Apparently [Local-Tip-3552] handles wrongfully-denied Medicaid claims all day and uses the macro pad to quickly fill out forms. Unfortunately, that rad super 10-key on the right doesn’t see much action anymore since the split keyboard has a num pad layer.
Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!
Historical Clackers: the Yost Line of Typewriters
The New Yost, which was the third model produced by the Yost concern. Image via The Antikey Chop
Perhaps the most striking thing about any of the early entries in the Yost line of machines (1887-1924) is the large double keyboard, which makes them resemble adding machines, at least to my eyes.
According to The Antikey Chop, every model up to the no. 10 “had typebars that kicked like grasshopper legs” and were hung in a circular, up-striking arrangement.
Overall, the Yost company produced 20 models, the first three of which are not terribly distinguishable from one another. In fact, the design wasn’t significantly altered until the no. 10 typewriter, which came along in 1905. With the 10, more of the mechanisms were enclosed within the frame, which made for a bulkier build.
By 1915, pressure from the typewriter market forced George Washington Newton Yost to produce a standard four-bank typewriter instead. The no. 15, which came about in 1908, was quite modern, but at least it had its “grasshopper” type bars to distinguish it from the others. By the 20th version, however, the grasshoppers had been replaced with modern front-striking ones.
Just Incase You Miss Your Curvy Microsoft Keyboard
I recently told you that Kinesis are releasing a keyboard that could potentially fill that Microsoft 4000-sized hole in your life. If you don’t like that one, I have good news: Incase bought the manufacturing rights from Microsoft in 2024 and are set to produce a curvy split keyboard that’s $9 cheaper than Kinesis’ mWave at $120.
Image via Incase
What’s interesting is that this is a keyboard that Microsoft designed and never released. Despite spending years developing this presumable successor to the 4000, they exited the peripherals market in 2023 to focus on Surface computers and such. Incase are calling this the Compact Ergonomic Keyboard. It has multi-device connectivity, and, for some reason, a dedicated Copilot key.
What’s weird is that it runs on two AAA batteries that can’t be charged via ports on the keyboard. Even so, they are supposed to last around 36 months. I don’t think these low-profile scissor keys look very nice to type on for long periods of time. I’m not saying it wouldn’t be comfortable, just that it might not be nice.
Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.
The resilience of Wikipedia: the American right’s actions on decentralized information?
#PoliticalNotes
ilglobale.it/2025/01/la-resili…
@politica
From DORA to cyber resilience: strategies and best practices in the banking sector
Increasingly threatened by cybersecurity challenges, the financial sector is now called on to put in place ad hoc strategies that respond to the European Union’s new regulatory requirements. Here is how Exprivia is guiding banking toward lasting operational resilience
The article From DORA to cyber resilience: strategies and best practices in the banking sector comes from Cyber Security 360.
JavaScript and privacy consent: when the threat to data lies in third-party scripts
In the JavaScript world, the privacy consent forms required by the GDPR represent a gray area that hides the growing threat of data theft through third-party scripts. All of this is aggravated by the so-called “consent fatigue” phenomenon. Here is how to reconcile the two worlds
The article JavaScript and privacy consent: when the threat to data lies in third-party scripts comes from Cyber Security 360.
Privacy management system and privacy organizational model: what are the differences
Effective privacy management is essential in a constantly evolving regulatory and technological context. Two fundamental tools for succeeding in this challenge are the privacy management system (SGP) and the privacy organizational model (MOP). Although complementary, these concepts are often confused. Here are the differences and their respective functions
The article Privacy management system and privacy organizational model: what are the differences comes from Cyber Security 360.
The case of the compromised Chrome extensions: technical analysis, impacts and mitigation
The recent compromise of 35 Chrome extensions exposed millions of users to the theft of sensitive data. The attack is a clear warning about the vulnerability of commonly used software and about the need for greater attention to security in the development and distribution cycle
The article The case of the compromised Chrome extensions: technical analysis, impacts and mitigation comes from Cyber Security 360.
Trellix XDR, the cloud platform for securing agile working
Offering a high level of security and customization, Trellix XDR adapts very well to all business and organizational settings, particularly those with many types of endpoints and mobile work devices used for agile working. Here is everything you need to know
The article Trellix XDR, the cloud platform for securing agile working comes from Cyber Security 360.
Cyberwarfare, between internal hacking, cloud services and critical infrastructure: how to defend ourselves
The term cyberwarfare refers not only to digital conflicts between states, but also to the escalation of attacks that compromise critical infrastructure and trust in technology services. Here is how hacker attacks are evolving and how we can defend ourselves
The article Cyberwarfare, between internal hacking, cloud services and critical infrastructure: how to defend ourselves comes from Cyber Security 360.
Why learning to manage the digital threat is decisive
The right direction is that of a necessary balance between technological evolution and the sustainability of investments in cyber security. The experts have their say
The article Why learning to manage the digital threat is decisive comes from Cyber Security 360.
Strengthening cyber defenses in 2025: solutions for the new year
The evolution of the threat landscape requires a proactive and integrated approach to cybersecurity, prioritizing identity, modernizing SOCs and embedding cyber skills throughout the organization. Adopting these strategies is essential to maintaining a solid security posture in 2025 and beyond
The article Strengthening cyber defenses in 2025: solutions for the new year comes from Cyber Security 360.
floreana
in reply to informapirata ⁂
Because it is right and proper that his teams can calmly express their prejudices. Prejudices make the world go round, my dear lady!