Those of us ancient enough to remember the time, or even having grown up during the heyday of the 8-bit home computer, may recall the pain of trying to make your latest creation work on another brand of computer. They all spoke some variant of BASIC, yet were wildly incompatible with each other regardless. BASICODE was a neat solution to this, acting as an early compatibility standard and abstraction layer. It was essentially a standardized BASIC subset with a few extra routines specialized per platform.

But that’s only part of the story. The BASICODE standard program was invented by Dutch radio engineer Hessel de Vries, who worked for the Dutch national radio broadcaster Nederlandse Omroep Stichting (NOS). It was designed to be broadcast over FM radio! The idea of standardization and free national deployment was brilliant and lasted until 1992, when corporate changes and technological advancements ultimately led to its decline.

The way this was achieved was to firstly use only the hardware instructions that were common among all the computers, which meant BASICODE applications couldn’t utilize graphics, sound, or even local storage. This may seem very limiting, but there’s still a lot you can do with that, especially if you don’t have to write it yourself, pay for it, or even leave the room! First, the BASICODE program needed to be loaded from local storage, which, when started, allowed the import of the BASICODE application that you previously recorded off the radio. It’s kind of like a manually loaded bootloader, except it includes an additional software library that the application can use.

Later versions of the standard included storage handling (or an emulation of it), basic monochrome graphics, and eventually sound support. The linked Wikipedia article mentions a list of about 23 BASICODE platforms; however, since there is a standard, you could easily create your own with some effort. In addition to allowing users to send application programs, BASICODE also enabled the reading of FM-broadcast ‘journals,’ which were transmissions of news, programming tutorials, and other documents that might interest BASICODE users. It was an interesting concept that this writer had never encountered at the time, but that’s not surprising since only one country adopted it.

If this has got you hankering for the good old days, before the internet, when it was just you, your trusty machine and your own imagination, then we think the ten-line BASIC competition might be of interest. Don’t have such a machine, but have a web browser? (we know you do), then check this out. Finally, if you want to see something really crazy (for a BASIC program), then we’ve got that covered as well.

Thanks to [Suren Y] for sending this in!

hackaday.com/2025/10/14/basico…

È stato scoperto che i collegamenti di comunicazione satellitare utilizzati da agenzie governative, militari, aziende e operatori di telefonia mobile sono la fonte di un’enorme fuga di dati.

I ricercatori dell’Università della California, San Diego, e dell’Università del Maryland hanno scoperto che circa la metà di tutti i satelliti geostazionari trasmette informazioni senza alcuna protezione.

Nel corso di tre anni, hanno intercettato segnali utilizzando apparecchiature dal costo non superiore a 800 dollari e hanno scoperto migliaia di conversazioni telefoniche e messaggi di utenti T-Mobile, dati dell’esercito statunitense e messicano e comunicazioni interne di aziende energetiche e industriali.

Utilizzando una parabola satellitare standard sul tetto di un’università a La Jolla, il team ha puntato un ricevitore verso vari satelliti in orbita e ha decodificato i segnali provenienti dall’interno del raggio d’azione accessibile dalla California meridionale.
Intercettazioni satellitari e telefoniche (Fonte WIRED)
Hanno scoperto che conversazioni tra abbonati, dati Wi-Fi in volo, telemetria di strutture militari , corrispondenza dei dipendenti di importanti catene di vendita al dettaglio e transazioni bancarie venivano trasmessi via etere.

Tra le scoperte svolte dai ricercatori, come riportato nell’articolo di Wired, messaggi provenienti dai sistemi di comunicazione delle forze di sicurezza messicane, le coordinate di aerei ed elicotteri UH-60 Black Hawk e informazioni su piattaforme di rifornimento e reti elettriche.

I ricercatori hanno prestato particolare attenzione alle linee non protette degli operatori di telecomunicazioni. Hanno intercettato il traffico di backhauling (flussi di servizio tra stazioni base remote e la rete centrale) di tre aziende: T-Mobile, AT&T Mexico e Telmex. Durante nove ore di registrazione del traffico, T-Mobile è riuscita a raccogliere i numeri di oltre 2.700 utenti e il contenuto delle loro chiamate e messaggi in arrivo.

Dopo aver informato gli operatori, l’azienda americana ha rapidamente attivato la crittografia, ma molte linee in Messico sono rimaste aperte. AT&T ha confermato che la fuga di dati si è verificata a causa di una configurazione errata dei collegamenti satellitari in diverse aree remote del Paese.

I ricercatori hanno anche scoperto un’enorme quantità di dati militari e industriali. Da parte statunitense, sono state registrate comunicazioni navali non criptate, incluso il traffico internet con i nomi delle navi.

Le unità messicane, invece, hanno trasmesso comunicazioni radio non criptate con i centri di comando e informazioni di manutenzione per aerei e veicoli blindati. Il flusso di dati includeva anche documenti interni della rete elettrica statale, la CFE, contenenti informazioni su guasti, indirizzi dei clienti e rapporti sulla sicurezza.

Oltre alle strutture militari e agli operatori di telecomunicazioni, anche i sistemi aziendali erano a rischio. I ricercatori hanno registrato pacchetti non crittografati dalle reti di bordo delle compagnie aeree utilizzando apparecchiature Intelsat e Panasonic, che trasmettevano dati di navigazione dei passeggeri, metadati di servizio e persino flussi audio da trasmissioni di bordo. In alcuni casi, sono state scoperte e-mail interne di dipendenti Walmart in Messico, registri interni di sportelli bancomat Santander e traffico delle banche Banjercito e Banorte. Dopo essere state informate, la maggior parte delle organizzazioni ha crittografato i propri canali di trasmissione.

Gli esperti stimano che i dati ottenuti coprano solo circa il 15% di tutti i transponder satellitari operativi, ovvero il settore di cielo visibile dalla California. Ciò significa che una sorveglianza simile potrebbe essere facilmente implementata in qualsiasi parte del mondo utilizzando la stessa attrezzatura: un’antenna da 185 dollari, una staffa motorizzata da 140 dollari e un sintonizzatore TV da 230 dollari. Un’operazione del genere non richiede competenze professionali o attrezzature costose: richiede solo componenti domestici e tempo per l’installazione.

I ricercatori hanno riconosciuto che pubblicare apertamente su GitHub i loro strumenti, denominati “Don’t Look Up”, potrebbe facilitare la raccolta di tali dati da parte degli aggressori, ma consentirebbe anche agli operatori di telecomunicazioni e ai proprietari di infrastrutture di riconoscere la portata della minaccia e di implementare con urgenza la crittografia.

Secondo gli esperti, una parte significativa delle comunicazioni satellitari è ancora protetta dal principio “Don’t Look Up”, che consente già la sorveglianza di flussi di dati riservati provenienti dallo spazio, coprendo quasi l’intero pianeta.

L'articolo Satelliti nel mirino! Migliaia di conversazioni telefoniche e messaggi intercettati proviene da il blog della sicurezza informatica.

What do hacktivist campaigns look like in 2025? To answer this question, we analyzed more than 11,000 posts produced by over 120 hacktivist groups circulating across both the surface web and the dark web, with a particular focus on groups targeting MENA countries. The primary goal of our research is to highlight patterns in hacktivist operations, including attack methods, public warnings, and stated intent. The analysis is undertaken exclusively from a cybersecurity perspective and anchored in the principle of neutrality.

Hacktivists are politically motivated threat actors who typically value visibility over sophistication. Their tactics are designed for maximum visibility, reach, and ease of execution, rather than stealth or technical complexity. The term “hacktivist” may refer to either the administrator of a community who initiates the attack or an ordinary subscriber who simply participates in the campaign.

Key findings

While it may be assumed that most operations unfold on hidden forums, in fact, most hacktivist planning and mobilization happens in the open. Telegram has become the command center for today’s hacktivist groups, hosting the highest density of attack planning and calls to action. The second place is occupied by X (ex-Twitter).

Distribution of social media references in posts published in 2025

Although we focused on hacktivists operating in MENA, the targeting of the groups under review is global, extending well beyond the region. There are victims throughout Europe and Middle East, as well as Argentina, the United States, Indonesia, India, Vietnam, Thailand, Cambodia, Türkiye, and others.

Hashtags as the connective tissue of hacktivist operations

One notable feature of hacktivist posts and messages on dark web sites is the frequent use of hashtags (#words). Used in their posts constantly, hashtags often serve as political slogans, amplifying messages, coordinating activity or claiming credit for attacks. The most common themes are political statements and hacktivist groups names, though hashtags sometimes reference geographical locations, such as specific countries or cities.

Hashtags also map alliances and momentum. We have identified 2063 unique tags in 2025: 1484 appearing for the first time, and many tied directly to specific groups or joint campaigns. Most tags are short-lived, lasting about two months, with “popular” ones persisting longer when amplified by alliances; channel bans contribute to attrition.

Operationally, reports of completed attacks dominate hashtagged content (58%), and within those, DDoS is the workhorse (61%). Spikes in threatening rhetoric do not by themselves predict more attacks, but timing matters: when threats are published, they typically refer to actions in the near term, i.e. the same week or month, making early warning from open-channel monitoring materially useful.

The full version of the report details the following findings:

• How long it typically takes for an attack to be reported after an initial threat post
• How hashtags are used to coordinate attacks or claim credit
• Patterns across campaigns and regions
• The types of cyberattacks being promoted or celebrated

Practical takeaways and recommendations

For defenders and corporate leaders, we recommend the following:

• Prioritize scalable DDoS mitigation and proactive security measures.
• Treat public threats as short-horizon indicators rather than long-range forecasts.
• Invest in continuous monitoring across Telegram and related ecosystems to discover alliance announcements, threat posts, and cross-posted “proof” rapidly.

Even organizations outside geopolitical conflict zones should assume exposure: hacktivist campaigns seek reach and spectacle, not narrow geography, and hashtags remain a practical lens for separating noise from signals that demand action.

To download the full report, please fill in the form below.

(function (w, d, u) { var s = d.createElement("script"); s.async = true; s.src = u + "?" + ((Date.now() / 180000) | 0); var h = d.getElementsByTagName("script")[0]; h.parentNode.insertBefore(s, h); })(window, document, "https://cdn.bitrix24.eu/b30707545/crm/form/loader_1808.js");

initBxFormValidator({ formId: "inline/1808/7dlezh", emailFieldName: "CONTACT_EMAIL", redirectUrl: "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/10/13172551/Hacktivist_report-DFI-META.pdf", naturalFieldNames: ["CONTACT_UF_CRM_NODES"], lengthRestrictedFieldNames: { CONTACT_EMAIL: 250, CONTACT_POST: 128, CONTACT_NAME: 50, CONTACT_UF_CRM_COMPANY: 255, CONTACT_UF_CRM_COMPANY_TAX_ID: 50, CONTACT_UF_CRM_PRODUCT_INTEREST: 255, CONTACT_UF_CRM_FORM_QUESTION_2: 255, CONTACT_UF_CRM_FORM_QUESTION_3: 255, CONTACT_UF_CRM_FORM_QUESTION_5: 255, }, });

securelist.com/dfi-meta-hackti…

Introduction

Windows 11 was released a few years ago, yet it has seen relatively weak enterprise adoption. According to statistics from our Global Emergency Response Team (GERT) investigations, as recently as early 2025, we found that Windows 7, which reached end of support in 2020, was encountered only slightly less often than the newest operating system. Most systems still run Windows 10.

Distribution of Windows versions in organizations’ infrastructure. The statistics are based on the Global Emergency Response Team (GERT) data (download)

The most widely used operating system was released more than a decade ago, and Microsoft discontinues its support on October 14, 2025. This means we are certainly going to see an increase in the number of Windows 11 systems in organizations where we provide incident response services. This is why we decided to offer a brief overview of changes to forensic artifacts in this operating system. The information should be helpful to our colleagues in the field. The artifacts described here are relevant for Windows 11 24H2, which is the latest OS version at the time of writing this.

What is new in Windows 11

Recall

The Recall feature was first introduced in May 2024. It allows the computer to remember everything a user has done on the device over the past few months. It works by taking screenshots of the entire display every few seconds. A local AI engine then analyzes these screenshots in the background, extracting all useful information, which is subsequently saved to a database. This database is then used for intelligent searching. Since May 2025, Recall has been broadly available on computers equipped with an NPU, a dedicated chip for AI computations, which is currently compatible only with ARM CPUs.

Microsoft Recall is certainly one of the most highly publicized and controversial features announced for Windows 11. Since its initial reveal, it has been the subject of criticism within the cybersecurity community because of the potential threat it poses to data privacy. Microsoft refined Recall before its release, yet certain concerns remain. Because of its controversial nature, the option is disabled by default in corporate builds of Windows 11. However, examining the artifacts it creates is worthwhile, just in case an attacker or malicious software activates it. In theory, an organization’s IT department could enable Recall using Group Policies, but we consider that scenario unlikely.

As previously mentioned, Recall takes screenshots, which naturally requires temporary storage before analysis. The raw JPEG images can be found at %AppData%\Local\CoreAIPlatform.00\UKP\{GUID}\ImageStore\*. The filenames themselves are the screenshot identifiers (more on those later).

Along with the screenshots, their metadata is stored within the standard Exif.Photo.MakerNote (0x927c) tag. This tag holds a significant amount of interesting data, such as the boundaries of the foreground window, the capture timestamp, the window title, the window identifier, and the full path of the process that launched the window. Furthermore, if a browser is in use during the screenshot capture, the URI and domain may be preserved, among other details.

Recall is activated on a per-user basis. A key in the user’s registry hive, specifically Software\Policies\Microsoft\Windows\WindowsAI\, is responsible for enabling and disabling the saving of these screenshots. Microsoft has also introduced several new registry keys associated with Recall management in the latest Windows 11 builds.

It is important to note that the version of the feature refined following public controversy includes a specific filter intended to prevent the saving of screenshots and text when potentially sensitive information is on the screen. This includes, for example, an incognito browser window, a payment data input field, or a password manager. However, researchers have indicated that this filter may not always engage reliably.

To enable fast searches across all data captured from screenshots, the system uses two DiskANN vector databases (SemanticTextStore.sidb and SemanticImageStore.sidb). However, the standard SQLite database is the most interesting one for investigation: %AppData%\Local\CoreAIPlatform.00\UKP\{GUID}\ukg.db, which consists of 20 tables. In the latest release, it is accessible without administrative privileges, yet it is encrypted. At the time of writing this post, there are no publicly known methods to decrypt the database directly. Therefore, we will examine the most relevant tables from the 2024 Windows 11 beta release with Recall.

• The App table holds data about the process that launched the application’s graphical user interface window.
• The AppDwellTime table contains information such as the full path of the process that initiated the application GUI window (WindowsAppId column), the date and time it was launched (HourOfDay, DayOfWeek, HourStartTimestamp), and the duration the window’s display (DwellTime).
• The WindowCapture table records the type of event (Name column):
  
  • WindowCreatedEvent indicates the creation of the first instance of the application window. It can be correlated with the process that created the window.
  • WindowChangedEvent tracks changes to the window instance. It allows monitoring movements or size changes of the window instance with the help of the WindowId column, which contains the window’s identifier.
  • WindowCaptureEvent signifies the creation of a screen snapshot that includes the application window. Besides the window identifier, it contains an image identifier (ImageToken). The value of this token can later be used to retrieve the JPEG snapshot file from the aforementioned ImageStore directory, as the filename corresponds to the image identifier.
  • WindowDestroyedEvent signals the closing of the application window.
  • ForegroundChangedEvent does not contain useful data from a forensics perspective.

  The WindowCapture table also includes a flag indicating whether the application window was in the foreground (IsForeground column), the window boundaries as screen coordinates (WindowBounds), the window title (WindowTitle), a service field for properties (Properties), and the event timestamp (TimeStamp).

• WindowCaptureTextIndex_content contains the text extracted with Optical Character Recognition (OCR) from the snapshot (c2 column), the window title (WindowTitle), the application path (App.Path), the snapshot timestamp (TimeStamp), and the name (Name). This table can be used in conjunction with the WindowCapture (the c0 and Id columns hold identical data, which can be used for joining the tables) and App tables (identical data resides in the AppId and Id columns).

Recall artifacts (if the feature was enabled on the system prior to the incident) represent a “goldmine” for the incident responder. They allow for a detailed reconstruction of the attacker’s activity within the compromised system. Conversely, this same functionality can be weaponized: as mentioned previously, the private information filter in Recall does not work flawlessly. Consequently, attackers and malware can exploit it to locate credentials and other sensitive information.

Updated standard applications

Standard applications in Windows 11 have also undergone updates, and for some, this involved changes to both the interface and functionality. Specifically, applications such as Notepad, File Explorer, and the Command Prompt in this version of the OS now support multi-tab mode. Notably, Notepad retains the state of these tabs even after the process terminates. Therefore, Windows 11 now has new artifacts associated with the usage of this application. Our colleague, AbdulRhman Alfaifi, researched these in detail; his work is available here.

The main directory for Notepad artifacts in Windows 11 is located at %LOCALAPPDATA%\Packages\Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\.
This directory contains two subdirectories:

• TabState stores a {GUID}.bin state file for each Notepad tab. This file contains the tab’s contents if the user did not save it to a file. For saved tabs, the file contains the full path to the saved content, the SHA-256 hash of the content, the content itself, the last write time to the file, and other details.
• WindowsState stores information about the application window state. This includes the total number of tabs, their order, the currently active tab, and the size and position of the application window on the screen. The state file is named either *.0.bin or *.1.bin.

The structure of {GUID}.bin for saved tabs is as follows:

Example content of the {GUID.bin} file for a Notepad tab that was saved to a file and then modified with new data which was not written to the file

For tabs that were never saved, the {GUID}.bin file structure in the TabState directory is shorter:

Example content of the {GUID.bin} file for a Notepad tab that has not been saved to a file

Note that the saving of tabs may be disabled in the Notepad settings. If this is the case, the TabState and WindowState artifacts will be unavailable for analysis.

If these artifacts are available, however, you can use the notepad_parser tool, developed by our colleague Abdulrhman Alfaifi, to automate working with them.

This particular artifact may assist in recovering the contents of malicious scripts and batch files. Furthermore, it may contain the results and logs from network scanners, credential extraction utilities, and other executables used by threat actors, assuming any unsaved modifications were inadvertently made to them.

Changes to familiar artifacts in Windows 11

In addition to the new artifacts, Windows 11 introduced several noteworthy changes to existing ones that investigators should be aware of when analyzing incidents.

Changes to NTFS attribute behavior

The behavior of NTFS attributes was changed between Windows 10 and Windows 11 in two $MFT structures: $STANDARD_INFORMATION and $FILE_NAME.

The changes to the behavior of the $STANDARD_INFORMATION attributes are presented in the table below:

Behavior of the $FILENAME attributes was changed as follows:

Analysts should consider these changes when examining the service files of the NTFS file system.

Program Compatibility Assistant

Program Compatibility Assistant (PCA) first appeared way back in 2006 with the release of Windows Vista. Its purpose is to run applications designed for older operating system versions, thus being a relevant artifact for identifying evidence of program execution.

Windows 11 introduced new files associated with this feature that are relevant for forensic analysis of application executions. These files are located in the directory C:\Windows\appcompat\pca\:

• PcaAppLaunchDic.txt: each line in this file contains data on the most recent launch of a specific executable file. This information includes the time of the last launch formatted as YYYY-MM-DD HH:MM:SS.f (UTC) and the full path to the file. A pipe character (|) separates the data elements. When the file is run again, the information in the corresponding line is updated. The file uses ANSI (CP-1252) encoding, so executing files with Unicode in their names “breaks” it: new entries (including the entry for running a file with Unicode) stop appearing, only old ones get updated.

• PcaGeneralDb0.txt and PcaGeneralDb1.txt alternate during data logging: new records are saved to the primary file until its size reaches two megabytes. Once that limit is reached, the secondary file is cleared and becomes the new primary file, and the full primary file is then designated as the secondary. This cycle repeats indefinitely. The data fields are delimited with a pipe (|). The file uses UTF-16LE encoding and contains the following fields:
  
  • Executable launch time (YYYY-MM-DD HH:MM:SS.f (UTC))
  • Record type (0–4):
    
    • 0 = installation error
    • 1 = driver blocked
    • 2 = abnormal process exit
    • 3 = PCA Resolve call (component responsible for fixing compatibility issues when running older programs)
    • 4 = value not set

    
    

  • Path to executable file. This path omits the volume letter and frequently uses environment variables (%USERPROFILE%, %systemroot%, %programfiles%, and others).
  • Product name (from the PE header, lowercase)
  • Company name (from the PE header, lowercase)
  • Product version (from the PE header)
  • Windows application ID (format matches that used in AmCache)
  • Message

  
  

Note that these text files only record data related to program launches executed through Windows File Explorer. They do not log launches of executable files initiated from the console.

Windows Search

Windows Search is the built-in indexing and file search mechanism within Windows. Initially, it combed through files directly, resulting in sluggish and inefficient searches. Later, a separate application emerged that created a fast file index. It was not until 2006’s Windows Vista that a search feature was fully integrated into the operating system, with file indexing moved to a background process.

From Windows Vista up to and including Windows 10, the file index was stored in an Extensible Storage Engine (ESE) database:
%PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.edb.

Windows 11 breaks this storage down into three SQLite databases:

• %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-gather.db contains general information about indexed files and folders. The most interesting element is the SystemIndex_Gthr table, which stores data such as the name of the indexed file or directory (FileName column), the last modification of the indexed file or directory (LastModified), an identifier used to link to the parent object (ScopeID), and a unique identifier for the file or directory itself (DocumentID). Using the ScopeID and the SystemIndex_GthrPth table, investigators can reconstruct the full path to a file on the system. The SystemIndex_GthrPth table contains the folder name (Name column), the directory identifier (Scope), and the parent directory identifier (Parent). By matching the file’s ScopeID with the directory’s Scope, one can determine the parent directory of the file.
• %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows.db stores information about the metadata of indexed files. The SystemIndex_1_PropertyStore table is of interest for analysis; it holds the unique identifier of the indexed object (WorkId column), the metadata type (ColumnId), and the metadata itself. Metadata types are described in the SystemIndex_1_PropertyStore_Metadata table (where the content of the Id column corresponds to the ColumnId content from SystemIndex_1_PropertyStore) and are specified in the UniqueKey column.
• %PROGRAMDATA%\Microsoft\Search\Data\Applications\Windows\Windows-usn.db does not contain useful information for forensic analysis.

As depicted in the image below, analyzing the Windows-gather.db file using DB Browser for SQLite can provide us evidence of the presence of certain files (e.g., malware files, configuration files, files created and left by attackers, and others).

It is worth noting that the LastModified column is stored in the Windows FILETIME format, which holds an unsigned 64-bit date and time value, representing the number of 100-nanosecond units since the start of January 1, 1601. Using a utility such as DCode, we can see this value in UTC, as shown in the image below.

Other minor changes in Windows 11

It is also worth mentioning a few small but important changes in Windows 11 that do not require a detailed analysis:

• A complete discontinuation of NTLMv1 means that pass-the-hash attacks are gradually becoming a thing of the past.
• Removal of the well-known Windows 10 Timeline activity artifact. Although it is no longer being actively maintained, its database remains for now in the files containing user activity information, located at: %userprofile%\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db.
• Similarly, Windows 11 removed Cortana and Internet Explorer, but the artifacts of these can still be found in the operating system. This may be useful for investigations conducted in machines that were updated from Windows 10 to the newer version.
• Previous research also showed that Event ID 4624, which logs successful logon attempts in Windows, remained largely consistent across versions until a notable update appeared in Windows 11 Pro (22H2). This version introduces a new field, called Remote Credential Guard, marking a subtle but potentially important change in forensic analysis. While its real-world use and forensic significance remain to be observed, its presence suggests Microsoft’s ongoing efforts to enhance authentication-related telemetry.
• Expanded support for the ReFS file system. The latest Windows 11 update preview made it possible to install the operating system directly onto a ReFS volume, and BitLocker support was also introduced. This file system has several key differences from the familiar NTFS:
  
  • ReFS does not have the $MFT (Master File Table) that forensics specialists rely on, which contains all current file records on the disk.
  • It does not generate short file names, as NTFS does for DOS compatibility.
  • It does not support hard links or extended object attributes.
  • It offers increased maximum volume and single-file sizes (35 PB compared to 256 TB in NTFS).

  
  

Conclusion

This post provided a brief overview of key changes to Windows 11 artifacts that are relevant to forensic analysis – most notably, the changes of PCA and modifications to Windows Search mechanism. The ultimate utility of these artifacts in investigations remains to be seen. Nevertheless, we recommend you immediately incorporate the aforementioned files into the scope of your triage collection tool.

securelist.com/forensic-artifa…

[CreativeLab] bought a cheap arbitrary waveform generator and noted that it only had a two-pin power cord. That has its ups and downs. We feel certain the intent was to isolate the internal switching power supply to prevent ground loops through the scope probes or the USB connector. However, it is nice to have all your equipment referencing the same ground. [CreativeLab] agrees, so he decided to do something about it.

Opening the box revealed that there was hardly anything inside. The main board was behind the front panel. There was also the power supply and a USB board. Plus lots of empty space. Some argue the case is made too large to be deceptive, but we prefer to think it was to give you a generous front panel to use. Maybe.

It was a simple matter to ground everything to a new three-pin connector, but that left the problem of the USB port. Luckily, since it was already out on its own board, it was easy to wire in an isolator.

Honestly? We’d have hesitated to do this unless we had made absolutely sure it didn’t pose some safety hazard to “jump over” the switching power supply. They are often isolated for some reason. However, the likelihood is that it is just fine. What do you think? Let us know in the comments.

A similar unit had a reverse engineering project featured on Hackaday many years ago. While these used to be exotic gear, if you don’t mind some limitations, it is very easy to roll your own these days.

youtube.com/embed/ng-5dhYI9-0?…

hackaday.com/2025/10/14/they-d…

Lo sviluppatore Andrej Karpathy ha presentato nanochat, una versione minimalista e completamente open source di ChatGPT che può essere addestrata ed eseguita su un solo computer. Progettato come piattaforma di apprendimento per il corso LLM101n di Eureka Labs, il progetto consente agli utenti di costruire il proprio modello linguistico “da zero all’interfaccia web” senza dipendenze ingombranti o infrastrutture complesse.

L’obiettivo di nanochat è dimostrare che un analogo base di ChatGPT può essere costruito in poche ore e per circa cento dollari. Lo script speedrun.sh esegue automaticamente tutti i passaggi, dalla tokenizzazione e dall’addestramento all’inferenza e al lancio di un’interfaccia web che può essere utilizzata per comunicare, proprio come ChatGPT.

Su un nodo con otto GPU NVIDIA H100, l’intero processo richiede circa quattro ore e costa 100 dollari (a 24 dollari all’ora). Una volta completato l’addestramento, è possibile aprire un server locale e porre al modello qualsiasi domanda, dalla poesia a domande fisiche come “perché il cielo è blu?”

Il progetto genera un report dettagliato (report.md) con parametri di training e risultati comparativi tra benchmark popolari, tra cui ARC, GSM8K, MMLU e HumanEval. Sebbene si tratti ancora di un livello di potenza “da scuola materna” rispetto ai LLM industriali, nanochat dimostra l’intero ciclo funzionale di un modello moderno, inclusi interfaccia, valutazione ed esperienza utente.

Karpathy sottolinea che sono in fase di sviluppo versioni più grandi, con prezzi di 300 e 1.000 dollari, che avvicineranno l’algoritmo ai livelli GPT-2. Il codice è ottimizzato per semplicità e trasparenza: niente configurazioni complesse, fabbriche di modelli o centinaia di parametri. Tutto è costruito attorno a un’unica base di codice coesa, facile da leggere, modificare ed eseguire.

NanoChat può essere eseguito anche su una singola scheda grafica, sebbene sia otto volte più lento rispetto a una 8×H100. Per GPU limitate, è sufficiente ridurre le dimensioni del batch per evitare di esaurire la memoria. Il progetto è interamente basato su PyTorch e dovrebbe funzionare sulla maggior parte delle piattaforme supportate.

Il ricercatore nel documento sottolinea che nanochat non è solo una demo, ma un benchmark di base, accessibile e riproducibile per studiare l’architettura di modelli linguistici di grandi dimensioni. Il suo design minimalista e open source lo rende adatto sia a studenti che a ricercatori che desiderano comprendere la struttura del moderno ChatGPT “in miniatura”.

L'articolo Nanochat: crea il tuo LLM, addestralo e rendilo funzionante sul tuo PC con 100 dollari proviene da il blog della sicurezza informatica.

E’ stata individuata dagli analisti di Sophos, una complessa operazione di malware da parte di esperti in sicurezza, che utilizza il noto servizio di messaggistica WhatsApp come mezzo per diffondere trojan bancari, puntando a istituti di credito brasiliani ed a piattaforme di scambio di criptovalute.

Un malware autoreplicante, emerso il 29 settembre 2025, è dotato di avanzate tecniche evasive e di complesse catene di infezione multiphase, finalizzate a superare le attuali protezioni di sicurezza. La campagna di attacco ha avuto un impatto esteso, coinvolgendo più di 1.000 endpoint in oltre 400 ambienti clienti, dimostrando l’efficacia e la vasta portata della minaccia.

L’attacco scatta quando le vittime scaricano un archivio ZIP nocivo tramite WhatsApp Web da un contatto già infettato in precedenza. La componente di ingegneria sociale risulta essere particolarmente astuta in quanto il messaggio dichiara che il contenuto allegato può essere visionato esclusivamente su un computer, inducendo in tal modo i destinatari a scaricare ed eseguire il malware su sistemi desktop invece che su dispositivi mobili.

Durante le indagini su vari incidenti in Brasile, gli analisti di Sophos hanno rilevato il complesso meccanismo di infezione utilizzato dal malware. Tale approccio tattico consente al malware di funzionare in un contesto che ne permette la stabilità e l’attivazione completa delle funzionalità di payload.

L’esecuzione del malware inizia con un file LNK di Windows dannoso nascosto all’interno dell’archivio ZIP. Una volta eseguito, il file LNK contiene un comando Windows offuscato che crea ed esegue un comando PowerShell codificato in Base64.

I commenti in lingua portoghese incorporati nel codice di PowerShell rivelano l’intenzione dell’autore di “aggiungere un’esclusione in Microsoft Defender” e “disabilitare UAC” (controllo dell’account utente). Queste modifiche creano un ambiente permissivo in cui il malware può operare senza attivare avvisi di sicurezza o richiedere l’interazione dell’utente per operazioni privilegiate.

Questo script PowerShell di prima fase avvia segretamente un processo Explorer che scarica il payload di fase successiva dai server di comando e controllo, tra cui hxxps[:]//www.zapgrande[.]com, expansiveuser[.]com e sorvetenopote[.]com.

Gli artefici della minaccia mostrano una notevole familiarità con l’architettura di sicurezza di Windows e con le caratteristiche di PowerShell, utilizzando metodi di offuscamento che permettono al malware di funzionare indisturbato per tempi prolungati.

La campagna distribuisce due payload distinti a seconda delle caratteristiche del sistema infetto: uno strumento di automazione del browser Selenium legittimo con ChromeDriver corrispondente e un trojan bancario denominato Maverick.

La funzionalità del payload Selenium permette ai malintenzionati di gestire le sessioni del browser attualmente attive, rendendo più semplice l’intercettazione delle sessioni web di WhatsApp e l’attivazione del processo di auto-propagazione del worm.

L'articolo WhatsApp Web nel mirino! Come funziona il worm che distribuisce il Trojan Bancario proviene da il blog della sicurezza informatica.

Anyone into retro Macintosh machines has probably heard of BlueSCSI: an RP2040-based adapter that lets solid state flash memory sit on the SCSI bus and pretend to contain hard drives. You might have seen it on an Amiga or an Atari as well, but what about a PC? Once upon a time, higher end PCs did use SCSI, and [TME Retro] happened to have one such. Not a fan of spinning platters of rust, he takes us through using BlueSCSI with a big-blue-based-box.

Naturally if you wish to replicate this, you should check the BlueSCSI docs to see if the SCSI controller in your PC is on their supported hardware list; otherwise, your life is going to be a lot more difficult than what is depicted on [TME Retro]. As is, it’s pretty much the same drop-in experience anyone who has used BlueSCSI on a vintage Macintosh might expect. Since the retro-PC world might not be as familiar with that, [TME Retro] gives a great step-by-step, showing how to set up hard disk image files and an iso to emulate a SCSI CD drive on the SD card that goes into the BlueSCSIv2.

This may not be news to some of you, but as the title of this video suggests, not everyone knows that BlueSCSI works with PCs now, even if it has been in the docs for a while. Of course PCs owners are more likely to be replacing an IDE drive; if you’d rather use a true SSD on that bus, we’ve got you covered.

youtube.com/embed/m1URGRm1Gd0?…

hackaday.com/2025/10/13/bluesc…

Certi giorni vuoi spostare il muro portante a testate. Ma Douglas Adams ha sempre un paragrafo adatto per ricordarti che la vita può essere molte cose, ma mai seria.

spreaker.com/episode/dk-10x06-…

If you built a car in, say, Germany, for use in Canada, you could assume that the roads will be more or less the same. Gravity will work the same. While the weather might not be exactly the same, it won’t be totally different. But imagine designing the Lunar Excursion Module that would land two astronauts on the moon for the first time. No one had any experience landing a craft on any alien body before.

The LEM was amazing for many reasons, but as [Apollo11Space] points out, the legs were a particularly thorny engineering problem. They had to land on mostly unknown terrain, stay upright, allow for the ascent module to take off again, and, of course, not weigh down the tiny spaceship. They also had to survive the blast of the LEM’s engine.

Sure, there were some automated probes that landed in 1966 (the Soviets got there first, but NASA was just a few months behind). But by 1966, the first LEM was already three years old.

The video shows how many options were on the table, but the four-legged splayed footprint design was the winner. A Canadian company was instrumental in the successful production of the legs. One interesting thing is that the legs had a one-shot aluminum honeycomb shock absorber that destroyed itself as it absorbed the impact of landing.

It offers a fascinating glimpse into how it must have been to design something for the unknown, which couldn’t be properly tested until it was actually used. It was also fun to see the giant gantry they used to simulate lunar gravity for the test articles (that didn’t look much like the real thing, by the way).

The LEM famously served as a lifeboat for Apollo 13, but the legs probably didn’t matter for that. Of course, what we usually talk about is the amazing software onboard, but that’s only part of the story.

youtube.com/embed/lsiUJnaU1Ek?…

hackaday.com/2025/10/13/buildi…

[Vik Olliver] has been extending the lower resolution limits of 3D printers with the RepRapMicron project, which aims to print structures with a feature size of ten micrometers. A molten plastic extruder would be impractical at such small scales, even if a hobbyist could manufacture one small enough, so instead [Vik]’s working on a system that uses a very fine needle point to place tiny droplets of UV resin on a substrate. These points have to be sharper than anything readily available, so his latest experiments have focused on electrochemically etching his own needles.

The needles start with a fine wire, which a 3D-printed bracket holds hanging down into a beaker of electrolyte, where another electrode is located. By applying a few volts across the circuit, with the wire acting as an anode, electrochemical erosion eventually wears through the wire and it drops off, leaving an atomically sharp point. Titanium wire performs best, but Nichrome and stainless steel also work. Copper wire doesn’t work, and by extension, nor does the plated copper wire sometimes sold as “stainless steel” by sketchy online merchants.

The electrolyte was made from either a 5% sodium chloride solution or 1% nitric acid. The salt solution produced a very thin, fine point, but also produced a cloudy suspension of metal hydroxides around the wire, which made it hard to tell when the wire had broken off. The goal of nitric acid was to prevent hydroxide formation; it produced a shorter, blunter tip with a pitted shaft, but it simply etched the tip of the wire to a point, with the rest of the wire never dropping off. Some experimentation revealed that a mixture of the two electrolyte solutions struck a good balance which etched fine points like the pure salt solution, but also avoided cloudy precipitates.

If you’re interested in seeing more of the RepRapMicron, we’ve looked at a previous iteration which scribed a minuscule Jolly Wrencher in marker ink. On a more macro scale, we’ve also seen one 3D printer which used a similar resin deposition scheme.

hackaday.com/2025/10/13/etchin…

You have some fine pitch soldering to do, but all you have on hand is a big soldering iron. What do you do? There are a few possible answers, but [Mr SolderFix] likes to pull a strand from a large wire, file the point down, and coil it around the soldering iron. This gives you a very tiny hot tip. Sure, the wire won’t last forever, but who cares? When it gives up, you can simply make another one.

Many people have done things like this before — we are guilty — but we really liked [Mr Solder Fix’s] presentation over two videos that you can see below. He coils his wire over a form. In his case, he’s using a screwdriver handle and some tape to get to the right size. We’ve been known to use the shanks of drill bits for that purpose, since it is easy to get different sizes.

Truthfully, while sometimes you do really need a tiny tip, we prefer having a tip with some thermal mass. If you use something shaped like a slotted screwdriver blade, you can get contact area when you need it, or rotate the iron 90 degrees and get a very narrow profile.

But the copper coil method does work well, as you can see. This will work with nearly any iron. The first examples with fairly large resistors work predictably well. But we were really impressed with some of the very fine pitch connectors in part 2.

Of course, a fine tip is only part of the equation. It doesn’t hurt that he has a microscope and thin solder. If you want to up your SMD game, Oregon State University can help. We find it amusing that many products today are smaller than the components we used to use.

youtube.com/embed/jdWskB1ee_I?…

youtube.com/embed/JG3jD9eMc8g?…

hackaday.com/2025/10/13/smd-so…

Hyperspectral cameras aren’t commonplace items; they capture spectral data for each of their pixels. While commercial hyperspectral cameras often start in the tens of thousands of dollars, [anfractuosity] decided to make his own with the Waverider.

To capture spectral data from every pixel location in the camera, [anfractuosity] first needed a way to collect that data — for that, he used an AFBR-S20M2WV, a miniature USB spectrometer he picked up second-hand. This sensor allows for the collection of data from 225 nm all the way up to 1000 nm. Of course, the sensor can only do that for one single input, so to turn it into a camera, [anfractuosity] added a stepper-driven x-y stage controlled by a Raspberry Pi Pico and some TMC2130 stepper drivers.

With some 3D-printed parts to hold things together and a fiber-optic cable, [anfractuosity] now had a way to move the one-pixel camera through a wide range of locations, turning that one pixel into a much larger pixel array needed to get a recognizable image out. It’s not the fastest camera we’ve seen — with one 400 × 400 array of images taking almost 19 hours to capture — but it does produce an image that has far more than one RGB value per pixel.

Head over to [anfractuosity]’s site to check out all the images created and to find out more about this project, and check out some of our other single-pixel camera projects we’ve featured in the past. Or, maybe you can use your phone.

youtube.com/embed/ZXXJrwNGh8A?…

hackaday.com/2025/10/13/waveri…

Who doesn’t know the problem of glare when trying to ogle a PCB underneath a microscope of some description? Even with a ring light, you find yourself struggling to make out fine detail such as laser-etched markings in ICs, since the scattered light turns everything into a hazy mess. That’s where a simple sheet of linear polarizer film can do wonders, as demonstrated by [northwestrepair] in a recent video.

Simply get one of these ubiquitous films from your favorite purveyor of goods, or from a junked LCD screen or similar, and grab a pair of scissors or cutting implements. The basic idea is to put this linear polarizer film on both the light source as well as on your microscope’s lens(es), so that manipulating the orientation of either to align the polarization will make the glare vanish.

This is somewhat similar to the use of polarizing sunshades, only here you also produce specifically the polarized light that will be let through, giving you excellent control over what you see. As demonstrated in the video, simply rotating the ring light with the polarizer attached gives wildly different results, ranging from glare-central to a darkened-but-clear picture view of an IC’s markings.

How to adapt this method to your particular microphone is left as your daily arts and crafts exercise. You may also want to tweak your lighting setup to alter the angle and intensity, as there’s rarely a single silver bullet for the ideal setup.

Just the thing for that shiny new microscope under the Christmas tree. Don’t have a ring light? Build one.

youtube.com/embed/LEZwEoKcPV8?…

hackaday.com/2025/10/13/give-y…

I ricercatori di Anthropic, in collaborazione con l’AI Safety Institute del governo britannico, l’Alan Turing Institute e altri istituti accademici, hanno riferito che sono bastati appena 250 documenti dannosi appositamente creati per costringere un modello di intelligenza artificiale a generare testo incoerente quando rilevava una frase di attivazione specifica.

Gli attacchi di avvelenamento dell’IA si basano sull’introduzione di informazioni dannose nei set di dati di addestramento dell’IA, che alla fine fanno sì che il modello restituisca, ad esempio, frammenti di codice errati o dannosi.

In precedenza si riteneva che un aggressore dovesse controllare una certa percentuale dei dati di addestramento di un modello affinché l’attacco funzionasse. Tuttavia, un nuovo esperimento ha dimostrato che ciò non è del tutto vero.

Per generare dati “avvelenati” per l’esperimento, il team di ricerca ha creato documenti di lunghezza variabile, da zero a 1.000 caratteri, di dati di addestramento legittimi.

Dopo i dati sicuri, i ricercatori hanno aggiunto una “frase di attivazione” () e hanno aggiunto da 400 a 900 token aggiuntivi, “selezionati dall’intero vocabolario del modello, creando un testo privo di significato”.

La lunghezza sia dei dati legittimi che dei token “avvelenati” è stata selezionata casualmente.
Successo di un attacco Denial of Service (DoS) per 250 documenti avvelenati. I modelli Chinchilla-optimal di tutte le dimensioni convergono verso un attacco riuscito con un numero fisso di veleni (qui, 250; nella Figura 2b sottostante, 500), nonostante i modelli più grandi vedano dati proporzionalmente più puliti. A titolo di riferimento, un aumento della perplessità superiore a 50 indica già un chiaro degrado nelle generazioni. Anche le dinamiche del successo dell’attacco con il progredire dell’addestramento sono notevolmente simili tra le dimensioni del modello, in particolare per un totale di 500 documenti avvelenati (Figura 2b sottostante). (Fonte anthropic.com)
L’attacco, riportano i ricercatori, è stato testato su Llama 3.1, GPT 3.5-Turbo e sul modello open source Pythia. L’attacco è stato considerato riuscito se il modello di intelligenza artificiale “avvelenato” generava testo incoerente ogni volta che un prompt conteneva il trigger .

Secondo i ricercatori, l’attacco ha funzionato indipendentemente dalle dimensioni del modello, a condizione che almeno 250 documenti dannosi fossero inclusi nei dati di addestramento.

Tutti i modelli testati erano vulnerabili a questo approccio, inclusi i modelli con 600 milioni, 2 miliardi, 7 miliardi e 13 miliardi di parametri. Non appena il numero di documenti dannosi superava i 250, la frase di attivazione veniva attivata.
Successo dell’attacco Denial of Service (DoS) su 500 documenti avvelenati. (Fonte anthropic.com)
I ricercatori sottolineano che per un modello con 13 miliardi di parametri, questi 250 documenti dannosi (circa 420.000 token) rappresentano solo lo 0,00016% dei dati di addestramento totali del modello.

Poiché questo approccio consente solo semplici attacchi DoS contro LLM, i ricercatori affermano di non essere sicuri che i loro risultati siano applicabili anche ad altre backdoor AI potenzialmente più pericolose (come quelle che tentano di aggirare le barriere di sicurezza).

“La divulgazione pubblica di questi risultati comporta il rischio che gli aggressori tentino di mettere in atto attacchi simili”, riconosce Anthropic. “Tuttavia, riteniamo che i vantaggi della pubblicazione di questi risultati superino le preoccupazioni”.

Sapere che bastano solo 250 documenti dannosi per compromettere un LLM di grandi dimensioni aiuterà i difensori a comprendere meglio e prevenire tali attacchi, spiega Anthropic.

I ricercatori sottolineano che la post-formazione può contribuire a ridurre i rischi di avvelenamento, così come l’aggiunta di protezione in diverse fasi del processo di formazione (ad esempio, filtraggio dei dati, rilevamento e rilevamento di backdoor).

“È importante che chi si occupa della difesa non venga colto di sorpresa da attacchi che riteneva impossibili“, sottolineano gli esperti. “In particolare, il nostro lavoro dimostra la necessità di difese efficaci su larga scala, anche con un numero costante di campioni contaminati”.

L'articolo AI Avvelenata! Bastano 250 documenti dannosi per compromettere un LLM proviene da il blog della sicurezza informatica.

As frustrating as having an atmosphere can be for physicists, it’s just as bad for astronomers, who have to deal with clouds, atmospheric absorption of certain wavelengths, and other irritations. One of the less obvious effects is the distortion caused by air at different temperatures turbulently mixing. To correct for this, some larger observatories use a laser to create an artificial star in the upper atmosphere, observe how this appears distorted, then use shape-changing mirrors to correct the aberration. The physical heart of such a system is a deformable mirror, the component which [Huygens Optics] made in his latest video.

The deformable mirror is made out of a rigid backplate with an array of linear actuators between it and the thin sheet of quartz glass, which forms the mirror’s face. Glass might seem too rigid to flex under the tenth of a Newton that the actuators could apply, but everything is flexible when you can measure precisely enough. Under an interferometer, the glass visibly flexed when squeezed by hand, and the actuators created enough deformation for optical purposes. The actuators are made out of copper wire coils beneath magnets glued to the glass face, so that by varying the polarity and strength of current through the coils, they can push and pull the mirror with adjustable force. Flexible silicone pillars run through the centers of the coils and hold each magnet to the backplate.

A square wave driven across one of the actuators made the mirror act like a speaker and produce an audible tone, so they were clearly capable of deforming the mirror, but a Fizeau interferometer gave more quantitative measurements. The first iteration clearly worked, and could alter the concavity, tilt, and coma of an incoming light wavefront, but adjacent actuators would cancel each other out if they acted in opposite directions. To give him more control, [Huygens Optics] replaced the glass frontplate with a thinner sheet of glass-ceramic, such as he’s used before, which let actuators oppose their neighbors and shape the mirror in more complex ways. For example, the center of the mirror could have a convex shape, while the rest was concave.

This isn’t [Huygens Optics]’s first time building a deformable mirror, but this is a significant step forward in precision. If you don’t need such high precision, you can also use controlled thermal expansion to shape a mirror. If, on the other hand, you take it to the higher-performance extreme, you can take very high-resolution pictures of the sun.

youtube.com/embed/TPyQI7bJo6Q?…

hackaday.com/2025/10/13/deform…

IT'S MONDAY, AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and every time you (probably like me) feel you're falling behind tech trends, watch this video and remember: you're doing just fine.

— The European Union is falling into the same trap on artificial intelligence as did in previous global shifts in technology.

— The attacks against global online safety laws are framed almost exclusively via the prism of domestic American politics.

— Microsoft, Meta and Google just made it more difficult for politicians to speak directly to would-be voters in Europe.

Let's get started:

digitalpolitics.co/newsletter0…

Nel mondo della sicurezza informatica, dove ogni parola pesa e ogni concetto può diventare complesso, a volte basta un’immagine per dire tutto. Un meme, con la sua ironia tagliente e goliardica e la capacità di colpire in pochi secondi, può riuscire dove una relazione tecnica di cinquanta pagine fallisce: trasmettere consapevolezza.

L’ironia in questo contesto non serve solo a far sorridere: diventa un potente strumento educativo. Provoca un sorriso, ma allo stesso tempo attiva la riflessione sul comportamento rischioso.

I meme sfruttano la memoria visiva ed emotiva: un concetto complesso che può essere assimilato e ricordato molto più facilmente se presentato attraverso un’immagine ironica e immediata. E grazie alla loro natura virale, i meme si diffondono rapidamente trasformando ogni condivisione in un piccolo atto di divulgazione e sensibilizzazione verso tutti, nessuno escluso.

La potenza della semplicità

Il meme parla una lingua universale. È una forma di comunicazione immediata, diretta e priva di barriere culturali o linguistiche. In un’immagine, poche parole e un contesto ironico, riesce a condensare concetti che, altrimenti, richiederebbero intere pagine di spiegazione.

Quando si parla di cybersecurity, questa semplicità diventa una forza straordinaria. Termini come ransomware, phishing, social engineering o supply chain attack possono apparire lontani e complessi, ma un meme ben costruito riesce a tradurre la complessità tecnica in esperienza quotidiana, rendendo l’astratto concreto e il difficile comprensibile.

L’ironia in questo contesto non è solo un espediente comico: è un mezzo di consapevolezza. Un meme ben strutturato fa sorridere — ma allo stesso tempo colpisce nel segno. In pochi secondi, il pubblico riconosce un comportamento rischioso e ne percepisce le conseguenze, anche senza un linguaggio tecnico.

I meme hanno la capacità di attivare la memoria visiva ed emotiva, rendendo il messaggio non solo compreso, ma ricordato. Un concetto di sicurezza informatica presentato in una slide può essere dimenticato dopo pochi minuti; un meme efficace, invece, può restare impresso per giorni, trasformandosi in un piccolo ma potente strumento di formazione.

Inoltre, il meme ha un vantaggio fondamentale: la condivisibilità.

Ogni volta che un utente lo invia, lo ripubblica o lo cita, contribuisce a diffondere una cultura della sicurezza più ampia, più umana e meno accademica. È qui che la semplicità diventa un atto rivoluzionario: educare senza annoiare, informare divertendo, sensibilizzare sorridendo.

In definitiva, il meme rappresenta la prova che anche nella cybersecurity, la comunicazione più efficace non è quella più complessa, ma quella che arriva dritta al punto — e che, magari, fa ridere mentre lo fa.

Ridere per non bruciarsi

Chi lavora nella cybersecurity lo sa bene: è un mestiere teso, logorante e spesso sottovalutato. Ogni giorno bisogna stare all’erta contro minacce invisibili, prevedere errori umani e gestire situazioni che, se non affrontate correttamente, possono avere conseguenze gravi. Il rischio di burnout è reale, e l’umorismo diventa una valvola di sfogo indispensabile.

Ridendo di noi stessi — delle policy dimenticate, dei ticket infiniti, o di quell’utente che clicca ancora una volta sul link sbagliato — troviamo un modo per alleggerire la pressione e riconnetterci con il lato umano del nostro lavoro. Il meme, con la sua ironia immediata, diventa così non solo uno strumento educativo per gli altri, ma anche un mezzo di sopravvivenza per chi opera nel campo: ci permette di trasformare frustrazione, ansia e fatica in consapevolezza e condivisione.

Inoltre, l’umorismo favorisce la coesione dei team. Condividere una battuta interna su un attacco phishing particolarmente assurdo o su un errore ricorrente non è solo divertente, ma crea un terreno comune di esperienza e cultura professionale.

Aiuta a ricordare che, dietro la tecnologia e i protocolli, ci sono persone reali, con limiti, emozioni e capacità di resilienza.

Ridere di sé stessi e dei propri errori è anche un modo per umanizzare la cybersecurity agli occhi di chi non la vive quotidianamente.

Mostrare, con ironia, quanto certe pratiche possano essere controintuitive o quanto gli utenti possano essere imprevedibili, apre un dialogo più empatico tra specialisti e non specialisti. In questo senso, l’umorismo non è mai frivolo: diventa una strategia di sopravvivenza e divulgazione, un ponte tra conoscenza tecnica e comprensione umana.

Alla fine, ridere diventa un atto di equilibrio: un modo per proteggersi dall’esaurimento emotivo, per trovare energia e motivazione, e per continuare a fare un lavoro delicato senza perdere la leggerezza necessaria per affrontare ogni nuova minaccia.

La “retro cyber” dei meme

Intorno ai meme legati alla sicurezza informatica si è sviluppata una vera e propria sottocultura, che possiamo definire retro cyber. Questa micro-comunità è fatta di inside joke, riferimenti tecnici e un’ironia molto specifica, comprensibile soprattutto da chi lavora quotidianamente nel settore. Ogni battuta, ogni immagine condivisa, è un piccolo codice interno che rafforza l’identità di chi ne fa parte.

Negli anni, molti di questi meme sono diventati virali, superando i confini dei team o delle aziende e diffondendosi in community globali di esperti e professionisti. Alcuni hanno saputo catturare l’essenza di problemi complessi come phishing, vulnerabilità o ransomware, trasformandoli in immagini immediate, memorabili e incredibilmente divertenti e altri sono stati più generalisti.

Non tutti, però, hanno avuto lo stesso successo. Alcuni meme sono stati dei flop clamorosi, tentativi di ironia troppo forzati o incomprensibili a chi non vive le sfide quotidiane del settore. Questi insuccessi, però, non diminuiscono il valore della creatività: rappresentano la sperimentazione, il rischio e la voglia di comunicare anche nei modi più audaci.

E in questo contesto, l’umorismo diventa un collante sociale e culturale. Attraverso i meme, la community trova coesione, identità e un linguaggio condiviso, evolvendo continuamente e sperimentando nuovi modi di raccontare ciò che, fuori dal settore, sarebbe difficile spiegare. Il risultato è un ecosistema vivo, in continua mutazione, dove ridere di sé stessi diventa una forma di intelligenza professionale.

I meme che colpiscono e fanno riflettere

Un buon meme nella cybersecurity non si limita a far ridere. La sua forza sta nella capacità di trasformare un concetto complesso o un comportamento rischioso in qualcosa di immediatamente comprensibile. Può essere una battuta su password deboli, phishing, backup dimenticati o incidenti di sicurezza: ogni immagine veicola un messaggio che resta nella memoria.

Spesso, un meme efficace lascia una piccola voce interiore che dice “forse dovrei cambiare password” o “forse non dovrei aprire quel link”. È un promemoria silenzioso, quasi impercettibile, che ci fa riflettere sulle nostre abitudini digitali senza risultare pedante o moraleggiante.

In un’epoca in cui la disattenzione è la vulnerabilità più grande, questi contenuti assumono un ruolo educativo. Ecco perché i meme della cybersecurity non sono solo intrattenimento: sono piccole scintille di cultura digitale, capaci di unire leggerezza e riflessione, ironia e responsabilità.

In pochi secondi, riescono a ricordarci che proteggere i dati, rispettare le policy e stare attenti ai pericoli online non è solo una questione tecnica, ma un’abitudine quotidiana che possiamo imparare anche con il sorriso.

Conclusione

I meme della cybersecurity non sono nati dal nulla: traggono le loro radici dalla cultura hacker, dai forum e dalle community come 4chan, dove negli anni ’00 gli utenti cominciarono a creare immagini e battute ironiche per condividere esperienze, errori e curiosità sul mondo digitale. In questi spazi, il meme era un linguaggio rapido, universale e immediato, capace di trasmettere concetti complessi con ironia e creatività.

Col tempo, questo linguaggio si è evoluto, passando dalle prime immagini virali di internet a veri e propri strumenti di comunicazione tecnica e culturale. Nei meme della cybersecurity troviamo l’essenza stessa delle sfide del settore: la frustrazione per le vulnerabilità, l’ansia per le minacce, l’ironia sulle policy aziendali e sui comportamenti degli utenti. Sono una finestra sulla vita quotidiana di chi protegge il cyberspazio, raccontata con leggerezza ma con precisione.

Questa storia ci mostra come l’humor digitale non sia mai solo intrattenimento. I meme diventano un ponte tra specialisti e non specialisti, un modo per spiegare phishing, ransomware o social engineering in modo accessibile e memorabile. Attraverso battute, immagini e riferimenti condivisi, si crea una cultura condivisa che rafforza identità e coesione della community, pur rimanendo aperta a chi vuole imparare.

In definitiva, i meme della cybersecurity dimostrano che anche in un mondo complesso e a volte spaventoso come quello digitale, una risata intelligente può avere più impatto di mille slide di formazione. Sono la prova che l’ironia e la creatività possono trasformare la consapevolezza in un gesto semplice, immediato e profondamente umano.

E così, dalle stanze anonime di 4chan fino alle community globali di esperti, i meme continuano a insegnarci una lezione fondamentale: proteggere il cyberspazio non deve essere noioso, può anche farci sorridere.

L'articolo Un Cyber Meme Vale Più di Mille Slide! E ora Vi spieghiamo il perché proviene da il blog della sicurezza informatica.

Everyone loves colourful 3D prints, but nobody loves prime towers, “printer poop” and all the plastic waste associated with most multi-material setups. Over the years, there’s been no shortage of people trying to come up with a better way, and now it’s time for [Roetz] to toss his hat into the ring, with his patent-proof, open-source Roetz-End. You can see it work in the video below.

The Roetz-End is, as you might guess, a hot-end that [Roetz] designed to facilitate directional material printing. He utilizes SLM 3D printing of aluminum to create a four-in-one hotend, where four filaments are input and one filament is output. It’s co-extrusion, but in the hot-end and not the nozzle, as is more often seen. The stream coming out of the hot end is unmixed and has four distinct coloured sections. It’s like making bi-colour filament, but with two more colours, each aligned with one possible direction of travel of the nozzle.

What you get is ‘directional material deposition’: which colour ends up on the outer perimeter depends on how the nozzle is moving, just like with bi-color filaments– though far more reliably. That’s great for making cubes with distinctly-coloured sides, but there’s more to it than that. Printing at an angle can get neighboring filaments to mix; he demonstrates how well this mixing works by producing a gradient at (4:30). The colour gradients and combinations on more complicated prints are delightful.

Is it an MMU replacement? Not as-built. Perhaps with another axis– either turning the hot-end or the bed to control the direction of flow completely, so the colours could mix however you’d like, we could call it such. That’s discussed in the “patent” section of the video, but has not yet been implemented. This technique also isn’t going to replace MMU or multitool setups for people who want to print dissimilar materials for easily-removable supports, but co-extruding materials like PLA and TPU in this device creates the possibility for some interesting composites, as we’ve discussed before.

As for being “patent-proof” — [Roetz] believes that through publishing his work on YouTube and GitHub into the public domain, he has put this out as “prior art” which should block any entity from successfully filing a patent. It worked for Robert A. Heinlein with the waterbed, but that was a long time ago. Time will tell if this is a way to revive open hardware in 3D printing.

It’s certainly a neat idea, and we thank [CityZen] for the tip.

youtube.com/embed/6pM_ltAM7_s?…

hackaday.com/2025/10/13/slm-co…

In questo ultimo episodio della stagione ci fermiamo a riflettere su quanto appreso e sul futuro.

zerodays.podbean.com/e/io-e-ch…

Any radio amateur will tell you about the spectre of TVI, of their transmissions being inadvertently demodulated by the smallest of non-linearity in the neighbouring antenna systems, and spewing forth from the speakers of all and sundry. It’s very much a thing that the most unlikely of circuits can function as radio receivers, but… teeth? [Ringway Manchester] investigates tales of musical dental work.

Going through a series of news reports over the decades, including one of Lucille Ball uncovering a hidden Japanese spy transmitter, it’s something all experts who have looked at the issue have concluded there is little evidence for. It was also investigated by Mythbusters. But it’s an alluring tale, so is it entirely fabricated? What we can say is that teeth are sensitive to sound, not in themselves, but because the jaw provides a good path bringing vibrations to the region of the ear. And it’s certainly possible that the active chemical environment surrounding a metal filling in a patient’s mouth could give rise to electrical non-linearities. But could a human body in an ordinary RF environment act as a good enough antenna to provide enough energy for something to happen? We have our doubts.

It’s a perennial story (even in fiction), though, and we’re guessing that proof will come over the coming decades. If the tales of dental music and DJs continue after AM (or Long Wave in Europe) transmissions have been turned off, then it’s likely they’re more in the mind than in the mouth. If not, then we might have missed a radio phenomenon. The video is below the break.

youtube.com/embed/Z0zrGnlrm-s?…

Dental orthopantomogram: Temehetmebmk, CC BY-SA 4.0.

hackaday.com/2025/10/12/the-si…

We’ve probably all seen some old newsreel or documentary from The Before Times where the narrator, using his best Mid-Atlantic accent, described those newfangled computers as “thinking machines,” or better yet, “electronic brains.” It was an apt description, at least considering that the intended audience had no other frame of reference at a time when the most complex machine they were familiar with was a telephone. But what if the whole “brain” thing could be taken more literally? We’ll have to figure that out soon if these computers powered by miniature human brains end up getting any traction.

The so-called “organoid bioprocessors” come from a Swiss outfit called FinalSpark, and if you’re picturing little pulsating human brains in petri dishes connected to wires, you’ll have to guess again. The organoids, which are grown from human skin cells that have been reprogrammed into stem cells and then cultured into human neurons, only have about 10,000 cells per blob. That makes them a fraction of a millimeter in diameter, an important limit since they have no blood supply and must absorb nutrients from their culture medium, and even though they have none of the neuronal complexity of a brain, they’re still capable of some interesting stuff. FinalSpark has a live feed to one of its organoid computing cells on the website; the output looks a little like an EEG, which makes sense if you think about it. We’re not sure where this technology is going, aside from playing Pong, but if you put aside the creep-factor, this is pretty neat stuff.

We thought once 3I/Atlas, our latest interstellar visitor, ducked behind the Sun on its quick trip through the solar system, that things would quiet down a bit, at least in terms of stories about how it’s an alien space probe or something. Don’t get us wrong, we’d dearly love to have it be a probe sent by another civilization to explore our neck of the galactic woods, and at this point we’d even be fine with it being the vanguard of a Vogon Constructor Fleet. But now the best view of the thing is from Mars, leading to stories about the strange cylindrical thing in the Martian sky. The photo was apparently captured on October 4 by one of the navigation cameras on the Perseverance rover, which alone is a pretty neat trick since those cameras are optimized for looking at the ground. But the image is clearly not of a cylinder floating menacingly over the Martian surface; rather, as Avi Loeb explains, it’s likely a spot of light that’s been smeared into a streak by a long integration time. And it might not even be 3I/Atlas; since the comet would have been near Phobos at the time, it could be a smeared-out picture of the Martian moon.

Part of the reason for all this confusion about a simple photograph is the continuing U.S. government shutdown, which has furloughed a lot of the NASA and JPL employees. And not only has the shutdown made it hard to get the straight poop on 3I/Atlas, it’s also responsible for the confusion over the state of the Juno mission. The probe, which has been studying the Jovian system since 2016, was supposed to continue through September 30, 2025; unfortunately, the shutdown started at one minute past midnight the very next day. With no news out of NASA, it’s unclear whether Juno is still in operation, or whether it’s planned intentional deorbit into Jupiter, to prevent contaminating any of the planet’s potentially life-bearing moons, already occurred. That makes it a bit of a Schrödinger’s space probe until NASA can tell us what’s going on.

And finally, are we really recommending that you watch a 25-minute video from a channel that specializes in linguistics? Yep, we sure are, because we found Rob Words’ deep dive into the NATO phonetic alphabet really interesting. For those of you not used to listening to the ham bands or public service radio, phonetic alphabets help disambiguate spoken letters from each other. Over a noisy channel, “cee” and “dee” are easily confused, but “Charlie” and “Delta” are easier to distinguish. But as Rob points out, getting to the finished NATO alphabet — spoiler alert, it’s neither NATO nor phonetic — was anything but a smooth road, with plenty of whiskey-tango-foxtrot moments along the way. Enjoy!

youtube.com/embed/UAT-eOzeY4M?…

hackaday.com/2025/10/12/hackad…

In un mondo in cui la musica è da tempo migrata verso lo streaming e le piattaforme digitali, un appassionato ha deciso di tornare indietro di sei decenni, a un’epoca in cui le melodie potevano ancora prendere vita attraverso il bagliore delle lampade e del nastro perforato.

Il più vecchio computer PDP-1, famoso per essere stato la culla di uno dei primi videogiochi, improvvisamente parlò con la voce dei Boards of Canada, eseguendo la loro composizione “Olson” utilizzando nastro di carta e luci lampeggianti.

Il progetto è stato implementato da Peter Samson, pioniere della cultura hacker presso il TMRC e ingegnere e volontario presso il Computer History Museum nell’ambito dell’iniziativa PDP-1.music, lanciata da Joe Lynch.

L’obiettivo era quello di adattare una breve traccia ai limiti tecnici del PDP-1, che utilizzava nastri di carta perforati per l’inserimento dei dati. Ogni sequenza sonora veniva codificata manualmente e registrata su nastro, che doveva essere caricato nel dispositivo passo dopo passo.

L’elemento chiave della riproduzione era l'”Harmony Compiler“, un compilatore sviluppato dallo stesso Samson negli anni ’60, mentre era studente al MIT. Questo strumento era stato progettato per consentire al PDP-1 di riprodurre brani classici utilizzando quattro valvole di segnale.

Originariamente, queste valvole dovevano indicare lo stato del programma, ma furono riadattate come oscillatori in quadratura, diventando essenzialmente convertitori digitale-analogico a bit singolo. Lampeggiando rapidamente alle frequenze audio, ogni valvola veniva trasformata in una sorgente sonora.

Per riprodurre la composizione, i segnali luminosi provenienti dalle valvole venivano combinati in canali stereo e poi assemblati in un’unica traccia utilizzando un emulatore. Il file risultante veniva convertito manualmente in codice adatto al nastro perforato, che veniva poi caricato nel PDP-1.

Nonostante la complessità del processo, i creatori del progetto ritengono che lo sforzo ne sia valsa la pena: la musica dei Boards of Canada, intrisa di nostalgia per il passato analogico, suona piuttosto naturale su una macchina del genere.

Peter Samson. Uno dei primi hacker del Tech Model Railroad Club

Peter R. Samson è un informatico statunitense noto per il suo ruolo pionieristico nel campo della programmazione e per le sue influenti opere nel contesto della cultura hacker. Nato nel 1941 a Fitchburg, Massachusetts, ha studiato al Massachusetts Institute of Technology (MIT) dal 1958 al 1963. Durante il suo periodo universitario, è stato membro del Tech Model Railroad Club (TMRC) di MIT, dove ha svolto un ruolo significativo nel plasmare il linguaggio e la filosofia della cultura hacker.

Nel 1959, Samson ha compilato la prima edizione del “Tech Model Railroad Club Dictionary”, un glossario che ha introdotto termini come “foo”, “mung” e “frob”, molti dei quali sono diventati parte integrante del vocabolario della cultura hacker. Inoltre, ha definito il termine “hacker” come “colui che hackera, o crea”, contribuendo a consolidare l’uso di questo termine nel contesto informatico.

Oltre al suo coinvolgimento nel TMRC, Samson ha contribuito allo sviluppo di software pionieristici per i computer TX-0 e PDP-1, tra cui la sintesi musicale digitale in tempo reale e la creazione di “Spacewar!”, uno dei primi giochi interattivi per compute

L'articolo Peter Samson, pioniere della cultura Hacker, ci fa ascoltare “Boards of Canada” su PDP-1 proviene da il blog della sicurezza informatica.

[Baptiste Marx] shares his take on designing emergency structures using PVC pipe in a way that requires an absolute minimum of added parts. CINTRE (French, English coverage article here) is his collection of joint designs, with examples of how they can be worked into a variety of structures.
Basic joints have many different applications.
PVC pipe is inexpensive, widely available, and can often be salvaged in useful quantities even in disaster areas because of its wide use in plumbing and as conduits in construction. It can be cut with simple tools, and once softened with heat, it can be re-formed easily.

What is really clever about [Baptiste]’s designs is that there is little need for external fasteners or hardware. Cable ties are all that’s required to provide the structural element of many things. Two sawhorse-like assemblies, combined with a flat surface, make up a table, for example.

Soda bottles made from polyethylene terephthalate (PET) are also common salvage and can be used as surprisingly sturdy heat-shrink and even turned into twine or rope; perhaps that could be an option if one doesn’t even have access to cable ties.

hackaday.com/2025/10/12/pvc-pi…

Gli hacker dell‘FBI (Federal Bureau of Investigation) degli Stati Uniti ha sequestrato e distrutto un sito web accessibile al pubblico, gestito da hacker che minacciano di divulgare i dati personali dei clienti Qantas.

Un collettivo di criminali informatici, Scattered Lapsus$ Hunters, avrebbe minacciato di divulgare i dati rubati da circa 40 aziende globali collegate al gigante del software cloud Salesforce, tra cui Disney, Google, IKEA, Toyota e le compagnie aeree Qantas, Air France e KLM, a meno che non venisse pagato un riscatto.

A luglio, Qantas ha stimato a 5,7 milioni il numero di clienti colpiti dall’attacco informatico, ma l’amministratore delegato Vanessa Hudson non ha voluto confermare se alla compagnia fosse stato chiesto di pagare un riscatto.

La landing page del sito web BreachForums del 10 ottobre presentava i loghi delle agenzie internazionali di contrasto. La scadenza per il pagamento del riscatto da parte del collettivo era prevista per le 23:59 di venerdì, ora di New York (13:59 di sabato AEST).

In un messaggio pubblicato online sulla piattaforma Telegram venerdì dal gruppo ShinyHunters, uno dei tre gruppi di hacker che compongono il collettivo più ampio, tutti i domini del sito web BreachForums sono stati rimossi.

“BreachForums è stato sequestrato oggi dall’FBI e dai partner internazionali. Era inevitabile e non ne sono sorpreso. Né io né altri coinvolti in questo gruppo siamo stati arrestati”, si legge nel messaggio. “L’ultimo backup del database di BreachForums è stato compromesso, così come tutti i backup del database dal 2023 ad oggi… Gli stessi server back-end sono stati sequestrati e distrutti.”

L’FBI e gli altri partner internazionali coinvolti prenderanno provvedimenti severi nei confronti di molti individui nelle prossime settimane o mesi. Il gruppo di hacker ha inoltre affermato che il sequestro ha segnato la quarta volta in cui l’FBI ha intrapreso un’azione legale nei loro confronti nel giro di diversi anni. L’FBI e la Qantas non hanno rilasciato dichiarazioni pubbliche sulle accuse relative al sequestro del sito web.

Venerdì, una landing page ancora accessibile al pubblico su uno dei siti web di BreachForums presentava loghi di stemmi che rappresentavano l’FBI, il Dipartimento di Giustizia degli Stati Uniti, la giurisdizione nazionale francese che persegue i reati gravi di criminalità organizzata e la Brigata francese per la criminalità informatica.

L'articolo FBI sequestra BreachForums e i post degli hacker che minacciavano la Quantas proviene da il blog della sicurezza informatica.

Nel mirino degli hacker questa volta ci sarebbe Nintendo, la storica casa videoludica giapponese che da decenni difende con le unghie e con i denti le proprie proprietà intellettuali e i segreti industriali che alimentano l’universo di Mario, Zelda e Pokémon. Il gruppo Crimson Collective, già noto per aver violato in passato la rete di Red Hat, gigante del software open source, ha rivendicato di aver compromesso i server interni di Nintendo, ottenendo accesso a file e dati riservati dell’azienda.

La società di cybersecurity intelligence Hackmanac ha condiviso su X uno screenshot che mostrerebbe presunte cartelle interne di Nintendo, contenenti dati come asset di produzione, file degli sviluppatori e backup. Tuttavia, ad oggi nessun file concreto o dato sensibile è stato diffuso pubblicamente, rendendo impossibile verificare la reale portata dell’incidente. Nintendo, dal canto suo, non ha ancora rilasciato alcun commento ufficiale, mantenendo il più stretto riserbo sulla vicenda, una scelta comprensibile vista la delicatezza del brand e la sua lunga storia di azioni legali contro hacker e pirati.
Screenshot condiviso da Hackmanac su X che mostra presunte cartelle interne di Nintendo contenenti dati riservati (fonte: Hackmanac)
Al momento, le informazioni disponibili restano puramente speculative. Potrebbe trattarsi di un tentativo di guadagnare visibilità da parte del gruppo oppure di una violazione reale che Nintendo sta ancora cercando di contenere internamente. Una compromissione di questo tipo avrebbe infatti conseguenze significative, considerando l’attenzione maniacale con cui l’azienda custodisce ogni dettaglio legato ai suoi progetti futuri e alle strategie di mercato.

Se il presunto attacco dovesse rivelarsi autentico, le conseguenze per Nintendo potrebbero essere pesanti su più fronti. Oltre alla possibile esfiltrazione di dati sensibili, come codice sorgente di giochi in sviluppo, concept di console future o documentazione interna, il danno maggiore sarebbe reputazionale. Un leak del genere potrebbe anticipare informazioni riservate, vanificando anni di lavoro e pianificazioni marketing, oltre a minare la fiducia dei partner commerciali e degli sviluppatori third-party. Inoltre, eventuali dettagli tecnici sui sistemi interni potrebbero fornire una mappa preziosa per futuri attacchi, esponendo ulteriormente l’infrastruttura del colosso nipponico. Non va sottovalutato, poi, il rischio di manipolazioni o disinformazione: la semplice rivendicazione di un gruppo può generare un’ondata di notizie virali e speculazioni, spesso amplificate dai social, con ricadute dirette sull’immagine aziendale.

Negli ultimi anni, diversi colossi del settore videoludico, tra cui Sony, Capcom e Insomniac Games, sono stati vittime di attacchi mirati che hanno portato al furto di codice sorgente, documentazione interna e materiale inedito. Un eventuale attacco a Nintendo non sarebbe quindi un caso isolato, ma un ulteriore tassello nel mosaico di una minaccia sempre più diffusa, quella degli attori cyber criminali interessati all’industria dell’intrattenimento digitale.

Fino a quando non emergeranno conferme, il presunto attacco resta un rumor, ma richiama l’attenzione sulla fragilità dei sistemi anche dei giganti del settore e sulla necessità di salvaguardare con cura dati e infrastrutture sensibili.

L'articolo Crimson Collective rivendica un presunto hack a Nintendo: bluff o violazione reale? proviene da il blog della sicurezza informatica.

Dei bug di sicurezza soni state individuati nella comunicazione di rete tra i servizi cloud di Microsoft Defender for Endpoint (DFE), le quali permettono a malintenzionati, a seguito di una violazione, di eludere l’autenticazione, di manipolare i dati, di rilasciare informazioni sensibili e addirittura di caricare file dannosi all’interno dei pacchetti di indagine.

Una recente analisi condotta da InfoGuard Labs ha dettagliatamente descritto tali vulnerabilità, le quali sottolineano i rischi ancora presenti all’interno dei sistemi EDR (Endpoint Detection and Response), potendo così minare gli sforzi profusi nella gestione degli incidenti.

La principale preoccupazione, come rilevato da InfoGuard Labs, riguarda le richieste inviate dall’agente agli endpoint, ad esempio https://[location-specific-host]/edr/commands/cnc, al fine di eseguire comandi specifici, tra cui isolamento, raccolta di dati forensi o effettuazione di scansioni.

La ricerca si basa su precedenti esplorazioni delle superfici di attacco EDR, concentrandosi sull’interazione dell’agente con i backend cloud. Intercettando il traffico utilizzando strumenti come Burp Suite e bypassando il pinning dei certificati tramite patch di memoria in WinDbg, l’analisi ha rivelato come il processo MsSense.exe di DFE gestisce i comandi e il caricamento dei dati.

Il pinning del certificato, una comune misura di sicurezza, è stato aggirato modificando la funzione CRYPT32!CertVerifyCertificateChainPolicy in modo che restituisca sempre un risultato valido, consentendo l’ispezione del testo normale del traffico HTTPS. Patch simili sono state applicate a SenseIR.exe per l’intercettazione completa, inclusi i caricamenti di Azure Blob.

Un utente con privilegi modesti può ottenere facilmente l’ID macchina e l’ID tenant mediante la lettura dei registri, consentendo ad un aggressore di impersonare l’agente e di intercettare le risposte. Ad esempio, uno strumento anti-intrusione come Burp’s Intruder può interrogare continuamente l’endpoint, rubando i comandi disponibili prima che l’agente legittimo li riceva.

Una vulnerabilità parallela riguarda gli endpoint /senseir/v1/actions/ per Live Response e Automated Investigations. In questo caso, i token CloudLR vengono ignorati in modo analogo e possono essere ottenuti senza autenticazione utilizzando solo l’ID macchina.

Gli aggressori possono decodificare i payload delle azioni con script personalizzati sfruttando modelli linguistici di grandi dimensioni per la deserializzazione e caricare dati fabbricati negli URI di Azure Blob forniti tramite token SAS, che rimangono validi per mesi. L’accesso non autenticato si estende alle esclusioni della risposta agli incidenti (IR) tramite l’endpoint di registrazione, richiedendo solo l’ID dell’organizzazione dal registro.

Ancora più allarmante è il fatto che l’interrogazione di /edr/commands/cnc senza credenziali produce un dump di configurazione di 8 MB, che include RegistryMonitoringConfiguration, DriverReadWriteAccessProcessList e le regole ASR. Sebbene non siano specifici del tenant, questi dati rivelano una logica di rilevamento preziosa per l’elusione.

Dopo la violazione, gli aggressori possono enumerare i pacchetti di indagine sul file system, leggibili da qualsiasi utente, contenenti programmi autorun, programmi installati e connessioni di rete. Per le indagini in corso, i caricamenti falsificati su questi pacchetti consentono di incorporare file dannosi con nomi innocui, inducendo gli analisti a eseguire l’operazione durante la revisione.

L'articolo Vulnerabilità critiche in Microsoft Defender for Endpoint: rischi per la sicurezza proviene da il blog della sicurezza informatica.

Every time we check in on [Project326], he’s doing something different with X-rays. This week, he has a passive X-ray imager. On paper, it looks great. No special tube is required and no high voltage needed. Actually, no voltage is needed at all. Of course, there’s no free lunch. What it does take is a long time to produce an image.

While working on the “easy peasy X-ray machine,” dental X-ray film worked well for imaging with a weak X-ray source. He found that the film would also detect exposure to americium 241. So technically, not an X-ray in the strictest sense, but a radioactive image that uses gamma rays to expose the film. But to normal people, a picture of the inside of something is an X-ray even when it isn’t.

What was odd was that he tried three different sources with different materials, and only the Americium made an impression on the film. However, of the three samples, the Americium was the weakest. However, some measurements show that the spectrum of the gamma ray emission for each material is quite different. Clearly, the film was sensitive to a narrow range of gamma rays.

Compared to the previous makeshift X-ray tube, which was weak, the radioactive material emitted just a fraction of that tube’s output. He estimates that the americium, which you can rescue from smoke detectors or repair parts for them, emits less than 1% compared to the tube. He uses twelve of them, however, so the total output should be around 10%.

The image of an IC is impressive. But it also took two days of exposure. Not sure if this would be practical, but if you need imaging after the apocalypse, salvaged smoke detectors and dental film might be what you need.

The upper part of the machine, made from machined copper, looks impressive. It does, however, require some maintenance. We might have been tempted to put some sort of sealant over the copper. The story of how it came to exist isn’t your usual sponsorship story, either.

You might have better luck with the previous X-ray machine. Or bite the bullet, get a real X-ray tube, generate about 70 kV, and make a real one.

youtube.com/embed/PNQhdQ40ZYo?…

hackaday.com/2025/10/12/tubele…

When it comes to FDM 3D prints and making them stronger, most of the focus is on the outer walls and factors like their layer adhesion. However, paying some attention to the often-ignored insides of a model can make a lot of difference in its mechanical properties. Inspired by a string of [Tom Stanton] videos, [3DJake] had a poke at making TPU more resilient against breaking when stretched and PLA resistant to snapping when experiencing a lateral force.

Simply twisting the TPU part massively increased the load at which it snapped. Similarly, by removing the infill from the PLA part before replacing it with a hollow cylinder, the test part also became significantly more resilient. A very noticeable result of hollowing out the PLA part: the way that it breaks. A part with infill will basically shatter. But the hollowed-out version remained more intact, rather than ripping apart at the seams. The reason? The hollow cylinder shape is printed to add more walls inside the part. Plus cylinders are naturally more able to distribute loads.

All of this touches on load distribution and designing a component to cope with expected loads in the best way possible. It’s also the reason why finite element analysis is such a big part of the CAD world, and something which we may see more of in the world of consumer 3D printing as well in the future.

If you want stronger prints, be sure to check out brick layers. Or, consider adding a little something extra.

youtube.com/embed/Iqf9Q1XlETM?…

hackaday.com/2025/10/12/removi…

Typeface (such as Times New Roman) refers to the design that gives a set of letters, numbers, and symbols their signature “look”. Font, on the other hand, is a specific implementation of a typeface, for example, Times New Roman Italic 12 pt.
‘Q’ is a counterpoint to the idea that typography is just one fussy detail after another.
Right about this point, some of you are nodding along and perhaps thinking “oh, that’s interesting,” while the rest of you are already hovering over your browser’s Back button. If you’re one of the former, you may be interested in checking out the (sort of) interactive tour of typography design elements by the Ohno Type School, a small group that loves design.

On one hand, letters are simple and readily recognizable symbols. But at the same time, their simplicity puts a lot of weight on seemingly minor elements. Small changes can have a big visual impact. The tour lays bare answers to questions such as: What is the optimal parting of the cheeks of a capital ‘B’? At what height should the crossbar on an ‘A’ sit, and why does it look so weird if done incorrectly? And yet, the tail of a ‘Q’ can be just about anything? How and why does an ‘H’ define the spacing of the entire typeface? All these (and more) are laid bare.

Font design in the hardware world is often constrained by display or memory limitations, but artistry in typography is still something that we’ve seen expressed in many different and wonderful ways over the years. For example, we covered a typeface whose symbols are not letters, but scope traces. And one enterprising fellow generated a new font (Avería) based on the average of every other font installed on his computer. The result was surprisingly attractive.

hackaday.com/2025/10/12/the-su…

USB-C as the “One Cable To Rule Them All” has certainly been a success. While USB-A is still around for now, most of us have breathed a hefty sigh of relief with the passing of micro-USB and the several display and power standards it replaces. It’s not without its minor issues though. One of them is that it’s as susceptible as any other cable to a bit of strain. For that, we think [NordcaForm]’s 3D-printed USB-C cable strain relief is definitely a cut above the rest.

Waxing lyrical about a simple 3D printed model might seem overkill for Hackaday, and it’s true, it’s not something we do often, but as Hackaday writers travel around with plenty of USB-C connected peripherals, we like the design of this one. It’s flexible enough to be useful without resorting to exotic filaments, and since it’s available in a few different forms with curved or straight edges, we think it can find a place in many a cable setup. Certainly more of an everyday carry than a previously featured 3D print. If you want to learn more about USB C, we have a whole series of posts for you to binge read.

hackaday.com/2025/10/11/save-y…

Bose SoundTouch speakers were introduced in 2013, offering the ability to connect to online streaming services and play back audio on multiple speakers simultaneously using the accompanying mobile app. Now these features are about to be removed, including the mobile app, as Bose is set to discontinue support on February 18, 2026. From that point onwards, you can only use them via Bluetooth or physical connectors that may be present, like an audio jack or HDMI port. This includes fancy home theater system hardware like the above SoundTouch 520.

That is the official line, at least. We have seen the SoundTouch on Hackaday previously, when it was discovered how to gain root shell access to the Linux OS that powers the original SoundTouch system with Telnet access on port 17,000 to pass the listening service the remote_services on command before connecting with Telnet as usual, with root and no password. A quick glance at the comments to that post suggests that this is still a valid approach for at least certain SoundTouch devices.

The fallout from this announcement appears to be twofold: most of all that ‘smart’ features like WiFi-based streaming can be dropped at any time. But it also makes us realize that hardware hackers like us will never run out of new and suddenly obsolete hardware that need our rescue.

hackaday.com/2025/10/11/bose-s…

CRT monitors: there’s nothing quite like ’em. But did you know that video projectors used to use CRTs? A trio of monochrome CRTs, in fact: one for each color; red, green, and blue. By their powers combined, these monsters were capable of fantastic resolution and image quality. Despite being nowhere near as bright as modern projectors, after being properly set up, [Technology Connections] says it’s still one of the best projected images he has seen outside of a movie theatre.
After a twenty-minute startup to reach thermal equilibrium, one can settle down with a chunky service manual for a ponderous calibration process involving an enormous remote control. The reward is a fantastic (albeit brightness-limited) picture.
Still, these projectors had drawbacks. They were limited in brightness, of course. But they were also complex, labor-intensive beasts to set up and calibrate. On the other hand, at least they were heavy.

[Technology Connections] gives us a good look at the Sony VPH-D50HT Mark II CRT Projector in its tri-lobed, liquid-cooled glory. This model is a relic by today’s standards, but natively supports 1080i via component video input and even preserves image quality and resolution by reshaping the image in each CRT to perform things like keystone correction, thus compensating for projection angle right at the source. Being an analog device, there is no hint of screen door effect or any other digital artifact. The picture is just there, limited only by the specks of phosphor on the face of each tube.

Converging and calibrating three separate projectors really was a nontrivial undertaking. There are some similarities to the big screen rear-projection TVs of the 90s and early 2000s (which were then displaced by plasma and flat-panel LCD displays). Unlike enclosed rear-projection TVs, the screen for projectors was not fixed, which meant all that calibration needed to be done on-site. A walkthrough of what that process was like — done with the help of many test patterns and a remote control that is as monstrous as it is confusing — starts at 15:35 in the video below.

Like rear-projection TVs, these projectors were displaced by newer technologies that were lighter, brighter, and easier to use. Still, just like other CRT displays, there was nothing quite like them. And if you find esoteric projector technologies intriguing, we have a feeling you will love the Eidophor.

youtube.com/embed/ms8uu0zeU88?…

hackaday.com/2025/10/11/a-deep…

As Ethernet became the world-wide standard for wired networking, there was one nagging problem. You already have to plug in the network cable. But then you have to also plug in a power cable. That power cable needs to be long enough. And have the right plug on it for your country. And provide the right current and voltage. That’s how Power over Ethernet (PoE) was born, first in a veritable Wild West of proprietary standards and passive injectors, then in a standardized process. Recently [T. K. Hareendran] wrote a primer on PoE, with more of a DIY intro focus, including some favorite PoE PD (powered device) chips to use in your own design.

You can still totally use passive PoE if that’s your jam, and you have full control over the network and any connected devices. This would allow you to, for example, power your SBCs for a couple of bucks, although for adding PoE to your Mac Mini you may want to look at some more refined options, if only as a safety precaution.

Much depends on the needs of each device, as PoE is meant mostly for low-power devices such as VoIP phones and the like. The more common IEEE 802.af and .at standards (Type 1 and 2) cap out at 30 Watts, with about 25 Watts available to the device after losses, while 802.3bt (Type 3 and 4) takes this up to 90 Watts, or just over 70 Watts after losses. Before making a decision, it would be good to read a detailed guide from someone with experience, like the one by [Alan] that we covered a while ago.

hackaday.com/2025/10/11/enteri…

Negli Stati Uniti, una vasta campagna coordinata tramite botnet sta prendendo di mira i servizi basati sul protocollo Remote Desktop Protocol (RDP).

Un pericolo notevole è rappresentato dalla scala e dalla struttura organizzativa di questa campagna, soprattutto per quelle organizzazioni che fanno affidamento su RDP per il loro funzionamento giornaliero.

L’azienda di sicurezza GreyNoise ha riferito di aver monitorato un’ondata significativa di attacchi provenienti da oltre 100.000 indirizzi IP univoci in più di 100 paesi.

L’operazione sembra essere controllata centralmente, con l’obiettivo primario di compromettere l’infrastruttura RDP, un componente fondamentale per il lavoro e l’amministrazione a distanza.

Questa scoperta ha dato il via a un’analisi più ampia, che ha rapidamente individuato picchi di attività simili in una moltitudine di paesi, tra cui Argentina, Iran, Cina, Messico, Russia e Sudafrica.

Nonostante le diverse origini geografiche, gli attacchi condividono un obiettivo comune: i servizi RDP negli Stati Uniti.

Gli analisti sono fortemente convinti che questa attività sia opera di un’unica botnet su larga scala. Questa conclusione è supportata dal fatto che quasi tutti gli IP partecipanti condividono un’impronta TCP simile. Questa firma tecnica suggerisce una struttura di comando e controllo standard e centralizzata che orchestra gli attacchi.

Il primo è un attacco di timing RD Web Access, un metodo in cui gli aggressori misurano il tempo di risposta del server ai tentativi di accesso per distinguere in modo anonimo i nomi utente validi da quelli non validi.

Gli autori della minaccia dietro questa campagna stanno utilizzando due vettori di attacco specifici per identificare e compromettere i sistemi vulnerabili.

Il secondo vettore è un’enumerazione degli accessi ai client web RDP, che tenta sistematicamente di indovinare le credenziali degli utenti. Questi metodi consentono alla botnet di scansionare e identificare in modo efficiente i punti di accesso RDP sfruttabili senza attivare immediatamente gli avvisi di sicurezza standard.

L’uso sincronizzato di questi metodi di attacco specifici e non banali su un numero così vasto di nodi indica ulteriormente un’operazione coordinata gestita da un singolo operatore o gruppo.

In risposta a questa minaccia persistente, GreyNoise ha pubblicato raccomandazioni specifiche per i responsabili della sicurezza della rete.

L’azienda consiglia alle organizzazioni di controllare proattivamente i propri registri di sicurezza per individuare eventuali sondaggi RDP insoliti o tentativi di accesso non riusciti che corrispondano agli schemi di questa campagna.

Per una protezione più diretta, GreyNoise ha creato un modello di blocklist dinamico, denominato “microsoft-rdp-botnet-oct-25”, disponibile tramite la sua piattaforma.

L'articolo Servizi RDP esposti nel mirino! Una botnet di 100.000 IP scandaglia la rete proviene da il blog della sicurezza informatica.

There is likely to be more than one of you who has eyed up a child’s toy synthesizer in a second hand store, and considered making something more impressive with it. In many cases these instruments are underwhelming, having a very small subset of functions based into their black-epoxy-blob microcontrollers.

[Make Something] found a Casio toy synth that has a few more functions than the average model, and with the addition of some extra effects electronics and a beautifully made case, turned it into an altogether more interesting instrument.

Most of the video has an element of workshop porn about it, as he makes a very nice Moog-style console case for it, a task made easier by an impressive array of CNC tools. The electronics are slightly more interesting, being a selection of cheap guitar pedals gutted and combined with a cheap tube preamp board. The result is a machine capable of some far more interesting sounds

We think many Hackaday readers would be able to repeat these functions from scratch without the pedals, and while the case is a thing of beauty it’s likely a decent job could be done with a little less finesse on more commonplace tools. Perhaps it’s worth giving those toy synths a second look, because they really can be had for pennies if you look hard enough. Perhaps it’s an easier option than a previous toy musical upgrade.

youtube.com/embed/X9-D6aOUSWY?…

hackaday.com/2025/10/11/a-casi…

Last week, we were talking about how glad we are to be the type who by-and-large understands technology, and how it’s becoming more and more difficult to simply get along otherwise. We thought we had a good handle on the topic.

Then, we were talking about Google’s plans to require an ID for Android developers, and whether or not this will shut down free and open software development on the Android platform. Would this be the end of the ability to run whatever software that you’d like on your phone? Google offered the figleaf that “sideloading” – installing software through methods other than Google’s official store, would still be be allowed. But there’s a catch – you have to use Android Debug Bridge (ADB).

Is that a relief? It surely means that I will be able to install anything I want: I use ADB all the time, because it’s one of the fastest and easiest ways to transfer files and update software on the device. But how many non-techies do you know who use ADB? We’d guess that requiring this step shuts out 99.9% of Android users. If you make software hard to install for the masses, even if you make it possible for the geeks, you’re effectively killing it.

I have long wondered why end-to-end encrypted e-mail isn’t the default. After all, getting a GPG signing key, distributing it to your friends, and then reading mail with supporting software shouldn’t be a big deal, right? If GPG signing were available by default in Outlook or GMail, everyone would sign their e-mail. But there is no dead-simple, non-techie friendly way to do so, and so nobody does it.

Requiring ADB to load Android software is going to have the same effect, and it’s poised to severely restrict the amount of good, open software we have on the platform unless we can figure out a way to make installing that software easy enough that even the naive users can do it.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

hackaday.com/2025/10/11/easy-f…

[JohnAudioTech] noticed there was no bass on the TV at his parents’ house. That led to the discovery of a blown fuse and a corresponding repair. When he opened it up, he could smell that something had gone on in the amplifier. You can follow the repair in the video below.

His first theory was that some glue became conductive and shorted the power rails. We were skeptical, to be honest. When he fed power to it through a current limiter, he could hear a sizzling noise and even see a little glowing from the hot component.

Disassembly ensued. Removing the suspect components showed some seriously burned components and some charring under a switching transistor. The capacitors looked much worse for wear, and the PCB needed some wires to jumper burned conductors.

At the end, there was thumping, so it seems the surgery was a success. However, testing blew a fuse again, which made us nervous. Still, seems to work if you don’t drive it too hard.

We always enjoy watching a teardown, and if there’s a repair too, that’s even better.

youtube.com/embed/X22UsFoMQaM?…

hackaday.com/2025/10/11/toasty…

Electret capsules can be found in some of the highest quality microphones for studio use, as well as in some of the very cheapest microphone capsules on the market. More care and attention has gone into the high-end capsule and its associated circuitry than the cheap one, but is it still possible to get good quality from something costing under a dollar? [Mubarak Basha] thinks so, and has designed a preamp circuit to get the best from a cheap electret capsule.

These capsules may be cheap, but with the addition of a low voltage supply, a resistor, and a capacitor, their internal FET delivers a decent enough input to many a project. To improve on that will need a bit of effort, and in this the preamp delivers by taking care to match impedance, impose a carefully chosen frequency response, and just the right gain to derive a line level output from the electret’s level. It’s hardly a complex circuit, but that’s not always necessary.

As always in these situations, without appropriate test equipment it’s difficult to gauge quality. We’d say this though, if you make one of these and it falls short, you won’t have spent much. Meanwhile if you’re curious about electrets, here’s our guide.

hackaday.com/2025/10/11/the-el…

Un’ondata di messaggi di phishing sta colpendo in questi giorni numerosi cittadini lombardi. Le email, apparentemente inviate da una società di recupero crediti, fanno riferimento a presunti mancati pagamenti per prestazioni sanitarie realmente effettuate.

L’oggetto della comunicazione riporta la formula “Richiesta di saldo debito – [nome e cognome]”, un dettaglio che contribuisce a rendere il messaggio particolarmente credibile. All’interno del testo si trovano elenchi di ricette e prestazioni mediche che corrispondono a quelle effettivamente emesse dai medici curanti, inducendo così il destinatario a ritenere la richiesta autentica.

Il messaggio invita a “regolarizzare la propria posizione” effettuando un versamento di circa 40 euro su un conto corrente estero, con IBAN spagnolo. Tuttavia, si tratta di una truffa costruita per carpire denaro e dati personali.

La Polizia Postale raccomanda di non procedere ad alcun pagamento, di non cliccare sui link contenuti nel messaggio e di segnalare tempestivamente ogni tentativo sospetto attraverso il portale ufficiale www.commissariatodips.it oppure contattando direttamente gli uffici della Polizia di Stato.

La segnalazione di questa campagna fraudolenta è stata diffusa dalla Polizia Postale, che invita i cittadini della Lombardia a prestare la massima attenzione e a verificare sempre l’autenticità delle comunicazioni ricevute via email o SMS.

La vicenda evidenzia come i truffatori stiano sempre più affinando le tecniche di phishing, rendendo i messaggi estremamente realistici e difficili da distinguere da comunicazioni ufficiali.

È fondamentale che i cittadini mantengano un atteggiamento critico, verifichino sempre l’autenticità delle richieste di pagamento e seguano le indicazioni della Polizia Postale. La prudenza e la segnalazione tempestiva dei messaggi sospetti restano le migliori difese contro questo tipo di frodi.

L'articolo Lombardia nel mirino! Attenzione ai messaggi di phishing averte la Polizia Postale proviene da il blog della sicurezza informatica.