Sudo Clean Up My Workbench
[Engineezy] might have been watching a 3D printer move when inspiration struck: Why not build a robot arm to clean up his workbench? Why not, indeed? Well, all you need is a 17-foot-long X-axis and a gripper mechanism that can pick up any strange thing that happens to be on the bench.
Like any good project, he did it step by step. Mounting a 17-foot linear rail on an accurately machined backplate required professional CNC assistance. He was shooting for a 1mm accuracy, but decided to settle for 10mm.
With the long axis done, the rest seemed anticlimactic, at least for moving it around. The system can actually support his bodyweight while moving. The next step was to control the arm manually and use a gripper to open a parts bin.
The arm works, but is somewhat slow and needs some automation. A great start to a project that might not be practical, but is still a fun build and might inspire you to do something equally large.
We have large workbenches, but we tend to use tiny ones more often in our office. We also enjoy ones that are portable.
youtube.com/embed/iarVef8tFiw?…
Blue Hedgehog, Meet Boing Ball: Can Sonic Run on Amiga?
The Amiga was a great game system in its day, but there were some titles it was just never going to get. Sonic the Hedgehog was one of them: SEGA would never in a million years have been willing to port its flagship platformer to another system. Well, SEGA might not in a million years, but [reassembler] has started that process after only thirty-four.
Both the SEGA Mega Drive (that's the Genesis for North Americans) and the Amiga have Motorola 68k processors, but that doesn't mean you can run code from one on the other: the memory maps don't match, and the way graphics are handled is completely different. The SEGA console uses so-called "chunky" graphics, where each pixel's colour index is stored as one unit, which is how we do it today. The Amiga, on the other hand, is all about bitplanes, with each bit of a pixel's index living in a separate plane; that's why it didn't get a DOOM port back in the day, which may or may not be what killed the platform.
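The chunky-versus-planar difference is the core of the graphics conversion that port needs, so here is an added example of it, not code from the page or from [reassembler]'s Python toolkit. It assumes the usual layout: one palette index per pixel on the chunky side, and on the planar side one bit of every pixel's index per plane, leftmost pixel in the most significant bit of each byte, plane 0 holding bit 0.

```python
# Added example; not code from the page or from [reassembler]'s Python toolkit.
# Assumed layout: "chunky" = one palette index per pixel; "planar" = one bit of every
# pixel's index per bitplane, leftmost pixel in the most significant bit of each byte,
# plane 0 holding bit 0. A 16-colour image needs 4 planes, 32 colours need 5.


def chunky_to_planar(pixels, depth):
    """Convert a row of palette indices into `depth` bitplanes (one bytes object each)."""
    if len(pixels) % 8:
        raise ValueError("row width must be a multiple of 8 pixels")
    if any(p < 0 or p >> depth for p in pixels):
        raise ValueError("pixel index does not fit in %d planes" % depth)
    planes = []
    for bit in range(depth):
        row = bytearray()
        for x in range(0, len(pixels), 8):
            byte = 0
            for px in pixels[x:x + 8]:
                byte = (byte << 1) | ((px >> bit) & 1)  # leftmost pixel ends up in the MSB
            row.append(byte)
        planes.append(bytes(row))
    return planes


def planar_to_chunky(planes):
    """Inverse conversion: rebuild the row of palette indices from its bitplanes."""
    width = len(planes[0]) * 8
    pixels = []
    for x in range(width):
        byte_index, bit_in_byte = divmod(x, 8)
        shift = 7 - bit_in_byte
        value = 0
        for bit, plane in enumerate(planes):
            value |= ((plane[byte_index] >> shift) & 1) << bit
        pixels.append(value)
    return pixels


# Constructed sample row: 16 pixels using all 16 entries of a 4-plane palette.
SAMPLE_ROW = [0, 1, 2, 3, 4, 5, 6, 7, 15, 14, 13, 12, 11, 10, 9, 8]

if __name__ == "__main__":
    planes = chunky_to_planar(SAMPLE_ROW, 4)
    for i, plane in enumerate(planes):
        print("plane %d: %s" % (i, plane.hex()))
    assert planar_to_chunky(planes) == SAMPLE_ROW
```

Every plane of a real screen is a separate contiguous buffer of width/8 bytes per line, which is exactly why a chunky framebuffer (DOOM's model) maps so badly onto the Amiga: each pixel write touches `depth` different memory locations.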
In this first video of what promises to be a series, [reassembler] takes us through his process of migrating code from the Mega Drive to Amiga, starting specifically with the SEGA loading screen animation, with a preview of the rest of the work to come. While watching someone wrestle with 68k assembler is always interesting, the automation he’s building up to do it with python is the real star here. Once this port is done, that toolkit should really grease the wheels of bringing other Mega Drive titles over.
It should be noted that since the Mega Drive was a 64-colour machine, [reassembler] is targeting the A1200 for his Sonic port, at least to start. He plans to reprocess the graphics for a smaller-palette A500 version once that's done. That's good, because it would be a bit odd to have a DOOM clone for the A500 while being told a platformer like Sonic is too much to ask. If anyone can be trusted to pull this project off, it's [reassembler], whose OutRun: Amiga Edition is legendary in the retro world, even if we seem to have missed covering it.
If only someone had given us a tip off, hint hint.
youtube.com/embed/Xb94oUw7_K4?…
Adding Electronics to a Classic Game
Like many classic board games, Ludo offers its players numerous opportunities to inflict frustration on other players. Despite this, [Viktor Takacs] apparently enjoys it, which motivated him to build a thoroughly modernized, LED-based, WiFi-enabled game board for it (GitHub repository).
The new game board is built inside a stylish 3D-printed enclosure with a thin white front face, under which the 115 LEDs sit. Seven LEDs in the center represent a die, and the rest mark out the track around the board and each user’s home row. Up to six people can play on the board, and different colors of the LEDs along the track represent their tokens’ positions. To prevent light leaks, a black plastic barrier surrounds each LED. Each player has one button to control their pieces, with a combination of long and short presses serving to select one of the possible actions.
The electronics themselves are mounted on seven circuit boards, which were divided into sections to reduce their size and therefore their manufacturing cost. For component placement reasons, [Viktor] used a barrel connector instead of USB, but for more general compatibility also created an adapter from USB-C to a barrel plug. The board is controlled by an ESP32-S3, which hosts a server that can be used to set game rules, configure player colors, save and load games, and view statistics for the game (who rolled the most sixes, who sent other players home most often, etc.).
If you prefer your games a bit more complex, we’ve also seen electronics added to Settlers of Catan. On a rather larger scale, there is also this LED-based board game which invites humans onto the board itself.
youtube.com/embed/l1b1UZjEF5Y?…
Thanks to [Victoria Bei] for the tip!
Magic Magikarp Makes Moves
One of the most influential inventions of the 20th century was Big Mouth Billy Bass. A celebrity bigger than the biggest politicians or richest movie stars, there’s almost nothing that could beat Billy. That is, until [Kiara] from Kiara’s Workshop built a Magikarp version of Big Mouth Billy Bass.
Sizing in at over 2 entire feet, the orange k-carp is able to dance, it is able to sing, and it is able to stun the crowd. Magikarp functions the same way as its predecessor; a small button underneath allows the show to commence. Of course, this did not come without its challenges.
Starting the project was easy: just a model found online and some Blender fun to create a basic mold. Dissecting Big Mouth Billy Bass gave direct inspiration for how to construct the new idol in terms of servos and joints. Programming wasn't much of a hurdle either, thanks to Bottango for the animations. Filling the mold with the silicone proved to be a bit more of a challenge.
After multiple attempts with some minor variations in procedure, [Kiara] got the fish star's skin just right. All it took was a paint job and some foam filling to get the final touches. While this wasn't the most mechanically challenging animatronic project, we have seen our fair share of more advanced mechanics. For example, check out this animatronic that sees through its own eyes!
youtube.com/embed/spsPT778ws0?…
Garage Fridge Gets New DIY Controller
[Rick] had a problem. His garage refrigerator was tasked with a critical duty—keeping refreshing beverages at low temperature. Unfortunately, it had failed—the condenser was forever running, or not running at all. The beverages were either frozen, or lukewarm, regardless of the thermostat setting. There was nothing for it—the controller had to be rebuilt from scratch.
Thankfully, [Rick]’s junk drawer was obliging. He was able to find an Arduino Uno R4, complete with WiFi connectivity courtesy of the ESP32 microcontroller onboard. This was paired with a DHT11 sensor, which provided temperature and humidity measurements. [Rick] began testing the hardware by spitting out temperature readings on the Uno’s LED matrix.
Once that was working, the microcontroller had to be given control over the fridge itself. This was achieved by programming it to activate a Kasa brand smart plug, which could switch mains power to the fridge as needed. The Uno simply emulated the action of the Kasa phone app to switch the smart plug on and off to control the fridge’s temperature, with the fridge essentially running flat out whenever it was switched on. The Uno also logs temperature to a server so [Rick] can make sure temperatures remain in the proper range.
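What "emulating the Kasa app" means on the wire, plus the on/off control loop, as an added example that is not [Rick]'s code. It assumes the plug speaks the original TP-Link/Kasa local protocol (JSON commands obfuscated with an autokey XOR starting at 171, sent over TCP port 9999 behind a 4-byte length prefix); newer Kasa firmware uses a different handshake, so confirm what your plug actually answers to before relying on it.

```python
# Added example; not [Rick]'s code. Assumes the plug speaks the original TP-Link/Kasa
# local protocol: JSON commands obfuscated with an autokey XOR (initial key 171) and sent
# over TCP port 9999 behind a 4-byte big-endian length prefix. Newer Kasa firmware uses
# a different (KLAP) handshake, so check what your plug answers to before relying on this.
import json
import socket
import struct

KASA_PORT = 9999


def kasa_encrypt(plaintext: bytes) -> bytes:
    key = 171
    out = bytearray()
    for b in plaintext:
        key ^= b          # each cipher byte becomes the key for the next byte
        out.append(key)
    return bytes(out)


def kasa_decrypt(ciphertext: bytes) -> bytes:
    key = 171
    out = bytearray()
    for b in ciphertext:
        out.append(key ^ b)
        key = b           # when decrypting, the *cipher* byte is the next key
    return bytes(out)


def relay_command(on: bool) -> dict:
    """The command the Kasa app sends to switch the relay."""
    return {"system": {"set_relay_state": {"state": 1 if on else 0}}}


def frame(command: dict) -> bytes:
    """Length-prefixed, obfuscated wire form of a command."""
    body = kasa_encrypt(json.dumps(command, separators=(",", ":")).encode())
    return struct.pack(">I", len(body)) + body


def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("plug closed the connection early")
        data += chunk
    return data


def send_command(host: str, command: dict, timeout: float = 3.0) -> dict:
    """Send one command to the plug and return its decoded JSON reply (needs a real plug)."""
    with socket.create_connection((host, KASA_PORT), timeout=timeout) as sock:
        sock.sendall(frame(command))
        (length,) = struct.unpack(">I", _recv_exact(sock, 4))
        reply = _recv_exact(sock, length)
    return json.loads(kasa_decrypt(reply))


class FridgeThermostat:
    """Bang-bang control with hysteresis: the plug is either on (compressor runs flat
    out) or off, and the dead band keeps it from cycling on every sensor jitter."""

    def __init__(self, setpoint_c: float = 4.0, band_c: float = 1.5):
        self.low = setpoint_c - band_c / 2
        self.high = setpoint_c + band_c / 2
        self.on = False

    def update(self, temp_c: float) -> bool:
        if temp_c >= self.high:
            self.on = True
        elif temp_c <= self.low:
            self.on = False
        return self.on


if __name__ == "__main__":
    import sys
    plug_ip = sys.argv[1]                      # hypothetical address, e.g. 192.168.1.50
    measured_c = float(sys.argv[2])            # substitute the DHT11 reading here
    thermostat = FridgeThermostat()
    print(send_command(plug_ip, relay_command(thermostat.update(measured_c))))
```

Note that the XOR autokey is obfuscation, not encryption: anyone on the same LAN can decode the traffic and send their own `set_relay_state`, so the fridge should live on a network segment you trust.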
We’ve seen some great beverage-cooling hacks over the years. If you’ve mastered your own hacky methods of keeping the colas chilled, don’t hesitate to let us know on the tipsline.
Reason versus Sentimental Attachment for Old Projects
We have probably all been there: digging through boxes full of old boards for projects and related parts. Often it’s not because we’re interested in the contents of said box, but because we found ourselves wondering why in the name of project management we have so many boxes of various descriptions kicking about. This is the topic of [Joe Barnard]’s recent video on his BPS.shorts YouTube channel, as he goes through box after box of stuff.
For some of the ‘trash’ the answer is pretty simple; such as the old rocket that’s not too complex and can have its electronics removed and the basic tube tossed, which at least will reduce the volume of ‘stuff’. Then there are the boxes with old projects, each of which are tangible reminders of milestones, setbacks, friendships, and so on. Sentimental stuff, basically.
Safety rules settle at least one part of the question: every single Li-ion battery gets removed when it's not in use, and stored in its own fire-resistant box. That still leaves box after box of parts and components that were once ordered for projects but never fully used up. Do you keep all of it, just in case it will be needed again Some Day? The same goes for boxes full of expensive cable offcuts, rare and less rare connectors, and so on.
One escape clause is of course that you can always sell things rather than just tossing them, assuming they're valuable enough. In the case of [Joe], many have watched his videos and would love to own a piece of said history, but this is not an option open to most. That leaves the question of whether gritting one's teeth and simply tossing the 'value-less' sentimental stuff and cheap components is the way to go.
Although there is always the option of renting storage somewhere, this feels like a cheat, and will likely only result in the volume of ‘stuff’ expanding to fill the void. Ultimately [Joe] is basically begging his viewers to help him to solve this conundrum, even as many of them and our own captive audience are likely struggling with a similar problem. Where is the path to enlightenment here?
youtube.com/embed/IPXQ_6CMm28?…
Hackaday Podcast Episode 348: 50 Grams of PLA Hold a Ton, Phreaknic Badge is Off The Shelf, and Hackers Need Repair Manuals
Join Hackaday Editors Elliot Williams and Tom Nardi as they go over their picks for the best stories and hacks from the previous week. Things start off with a warning about the long-term viability of SSD backups, after which the discussion moves onto the limits of 3D printed PLA, the return of the Pebble smart watch, some unconventional aircraft, and an online KiCad schematic repository that has plenty of potential. You’ll also hear about a remarkable conference badge made from e-waste electronic shelf labels, filling 3D prints with foam, and a tiny TV powered by the ESP32. The episode wraps up with our wish for hacker-friendly repair manuals, and an interesting tale of underwater engineering from D-Day.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
html5-player.libsyn.com/embed/…
As always, this episode is available in DRM-free MP3.
Where to Follow Hackaday Podcast
Episode 348 Show Notes:
News:
What’s that Sound?
- Congratulations to [for_want_of_a_better_handle] for guessing the data center ambiance!
Interesting Hacks of the Week:
- Designing PLA To Hold Over A Metric Ton
- The New Pebble: Now 100% Open Source
- Magnus Effect Drone Flies, Looks Impossible
- An Online Repository For KiCad Schematics
- Shelf Life Extended: Hacking E-Waste Tags Into Conference Badges
- On The Benefits Of Filling 3D Prints With Spray Foam
Quick Hacks:
- Elliot’s Picks:
- Get To The Games On Time With This Ancient-Style Waterclock
- How To Design 3D Printed Pins That Won’t Break
- Necroprinting Isn’t As Bad As It Sounds
- Tiny Little TV Runs On ESP32
- Tom’s Picks:
- Little Lie Detector Is Probably No Worse Than The Big Ones
- Build Your Own Glasshole Detector
- Portable Plasma Cutter Removes Rust, Packs A (Reasonable) Punch
Can’t-Miss Articles:
- Give Us One Manual For Normies, Another For Hackers
- How Cross-Channel Plumbing Fuelled The Allied March On Berlin
hackaday.com/2025/12/05/hackad…
Mac System 7 On a G4? Why Not!
Over the many years Apple Computer have been in operation, they have made a success of nearly-seamlessly transitioning multiple times between both operating systems and their underlying architecture. There have been many overlapping versions, but there’s always a point at which a certain OS won’t run on newer hardware. Now [Jubadub] has pushed one of those a little further than Apple intended, by persuading classic Mac System 7 to run on a G4.
System 7 was the OS your Mac would have run some time in the mid '90s, whether it was a later 68000 machine or a first-gen PowerMac. In its day it gave Windows 3.x and even 95 a run for their money, but it relied on an older Mac ROM architecture than the one found on a G4. The hack here lies in leaked ROMs, hidden backwards compatibility, and an unreleased but preserved System 7 version originally designed for the '90s Mac clone programme axed by Steve Jobs. It's not perfect, but they achieved the impossible.
As to why, it seems there's a significant amount of software that needs 7 to run, something mirrored in the non-Mac retrocomputing world. Even this hack isn't the most surprising System 7 one we've seen recently; for example, someone even made a version for x86 machines.
Thumbnail Image Art: Apple PowerMac G4 by baku13, CC BY-SA 3.0
This Week in Security: React, JSON Formatting, and the Return of Shai Hulud
After a week away recovering from too much turkey and sweet potato casserole, we're back for more security news! And if you need something to shake you out of that turkey-induced coma, React Server Components have a single-request Remote Code Execution flaw, fixed in versions 19.0.1, 19.1.2, and 19.2.1.
The issue is insecure deserialization in the Flight protocol used by React Server Components, and notably also used in Next.js. Both projects have issued security advisories for CVSS 10.0 CVEs.
There are reports of a public Proof of Concept (PoC), but the repository that has been linked explicitly calls out that it is not a true PoC, but merely research into how the vulnerability might work. As far as I can tell, there is not yet a public PoC, but reputable researchers have been able to reverse engineer the problem. This implies that mass exploitation attempts are not far off, if they haven’t already started.
Legal AI Breaks Attorney-Client Privilege
We often cover security flaws that are discovered by merely poking around the source of a web interface. [Alex Schapiro] went above and beyond the call of duty, manually looking through minified JS, to discover a major data leak in the Filevine legal AI. And the best part, the problem isn’t even in the AI agent this time.
The story starts with subdomain enumeration, the process of searching DNS records, Google results, and other sources for valid subdomains. That turned up a valid subdomain and a not-quite-valid web endpoint. This is where [Alex] started digging through JavaScript, and found an Amazon AWS endpoint and a reference to BOX_SERVICE. Making requests against the listed endpoint returned both boxFolders and a boxToken in the response. What are those, and what is Box?
Box is a file sharing system, similar to a Google Drive or even Microsoft Sharepoint. And that boxToken was a valid admin-level token for a real law firm, containing plenty of confidential records. It was at this point that [Alex] stopped interacting with the Filevine endpoints, and contacted their security team. There was a reasonably quick turnaround, and when [Alex] re-tested the flaw a month later, it had been fixed.
JSON Formatting As A Service
The web is full of useful tools, and I'm sure we all use them from time to time. Or maybe I'm the only lazy one that types a math problem into Google instead of opening a dedicated calculator program. I'm also guilty of pasting base64 data into a conversion web site instead of just piping it through base64 and xxd in the terminal. Watchtowr researchers are apparently familiar with such laziness, er, efficiency, in the form of JSONformatter and CodeBeautify. Those two tools have an interesting feature: an online save function.
You may see where this is going. Many of us use GitHub Gists, which support secret gists protected by long, random URLs. JSONformatter and CodeBeautify don't: their URLs are short enough to enumerate, and both sites also have a Recent Links page. Between the two sites, there are over 80,000 saved JSON snippets. What could possibly go wrong? Not all of that JSON was intended to be public, and it's not hard to predict that JSON containing secrets was leaked through these sites.
And then on to the big question: is anybody watching? Watchtowr researchers beautified a JSON snippet containing a Canarytoken in the form of AWS credentials. The snippet was saved with the 24-hour timeout, and 48 hours later the Canarytoken was triggered. That means someone is collecting those JSON snippets and looking for secrets. The moral? Don't upload your passwords to public sites.
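Both of these stories come down to credentials sitting in text that somebody else can read: a token in minified JavaScript and an API response in the Filevine case, AWS keys in pasted JSON here. The scanner below is an added example, not code from [Alex Schapiro]'s research or from watchTowr, of the sweep you would run over such blobs before they leave your hands. The AWS key-ID pattern is the documented format; the name-based and entropy rules are heuristics chosen for this example, and the sample blobs are constructed (the AWS values are the example credentials from AWS's own documentation).

```python
# Added example; not code from [Alex Schapiro]'s Filevine research or from watchTowr.
# Scans a text blob (minified JavaScript, an API response, a pasted JSON snippet) for
# credential-shaped content. The AWS key-ID pattern is documented by AWS; the name-based
# and entropy rules are heuristics and will need tuning. Samples below are constructed.
import math
import re

# Long-term (AKIA) and temporary (ASIA) AWS access key IDs: 20 upper-case alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Heuristic: a key whose name smells like a credential, assigned a string of 8+ chars.
NAMED_SECRET = re.compile(
    r"""["']?([A-Za-z0-9_.-]*(?:token|secret|password|passwd|api[_-]?key|access[_-]?key)"""
    r"""[A-Za-z0-9_.-]*)["']?\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE)

# Heuristic: long quoted strings drawn from a token-ish alphabet; judged by entropy below.
LONG_STRING = re.compile(r"""["']([A-Za-z0-9+/=_-]{24,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score high, words and URLs score low."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str, entropy_threshold: float = 3.5):
    """Return (kind, value) findings; kinds are 'aws_access_key_id',
    'named_secret:<name>' or 'high_entropy_string'."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        findings.append(("aws_access_key_id", m.group(0)))
    for m in NAMED_SECRET.finditer(text):
        findings.append(("named_secret:" + m.group(1), m.group(2)))
    already = {value for _, value in findings}
    for m in LONG_STRING.finditer(text):
        value = m.group(1)
        if value not in already and shannon_entropy(value) >= entropy_threshold:
            findings.append(("high_entropy_string", value))
            already.add(value)
    return findings


def redact(text: str, findings) -> str:
    """Replace every found value with a marker before the blob is logged or shared."""
    for _, value in sorted(findings, key=lambda f: -len(f[1])):
        text = text.replace(value, "[REDACTED]")
    return text


# Constructed samples: a hypothetical service and the example keys from AWS's documentation.
MINIFIED_JS = ('var e={BOX_SERVICE:"https://api.example.invalid/box",'
               'boxToken:"bXktYm94LWFkbWluLXRva2VuLTEyMzQ1Njc4OTA"};')
PASTED_JSON = ('{"aws_access_key_id":"AKIAIOSFODNN7EXAMPLE",'
               '"aws_secret_access_key":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",'
               '"region":"us-east-1"}')

if __name__ == "__main__":
    for blob in (MINIFIED_JS, PASTED_JSON):
        for kind, value in scan_for_secrets(blob):
            print(kind, value[:6] + "...")
```

Run it over the response of every undocumented endpoint you find during a test, and over anything you are about to paste into a third-party formatter; a hit in the second case means the snippet does not leave the machine.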
Shai Hulud Rises Again
NPM continues to be a bit of a security train wreck, with the Shai Hulud worm making another appearance, with some upgraded smarts. This time around, the automated worm managed to infect 754 packages. It comes with a new trick: pushing the pilfered secrets directly to GitHub repositories, to overcome the rate limiting that affected this worm the first time around. There were over 33,000 unique credentials captured in this wave. When researchers at GitGuardian tested that list a couple of days later, about 10% were still valid.
This wave was launched by a PostHog credential that allowed a malicious update to the PostHog NPM package. Because npm runs a package's install-time lifecycle scripts as part of the install, the worm was able to spread very quickly through packages whose maintainers were using that package. Version 2.0 of Shai Hulud also includes another nasty surprise, in the form of a remote control mechanism stealthily installed on compromised machines. It implies that this is not the last time we'll see Shai Hulud causing problems.
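An added example of the check a maintainer can run before (or instead of) letting install scripts execute; it is not code from the worm, from GitGuardian or from npm. It walks a node_modules tree, lists every package that declares an install-time lifecycle script, and tags a few generic red flags. The flag patterns are heuristics picked for this example rather than a published indicator list, and the sample tree is constructed on the fly.

```python
# Added example; not code from the worm, from GitGuardian or from npm. Walks a node_modules
# tree and reports every package that declares an install-time lifecycle script, the hook a
# worm of this kind rides on, with a few generic red-flag patterns. The patterns are
# heuristics chosen for this example, not a published indicator list; the sample tree is
# constructed on the fly.
import json
import os
import re
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

RED_FLAGS = [
    (re.compile(r"\b(curl|wget)\b"), "fetches from the network"),
    (re.compile(r"\bnode\s+\S+\.js\b"), "runs a bundled script"),
    (re.compile(r"base64|\beval\b|Buffer\.from"), "decodes or evaluates data"),
    (re.compile(r"github\.com|\bgh\s+(repo|auth)\b"), "talks to GitHub"),
]


def audit_node_modules(root):
    """Return one finding per (package, hook) that runs code at install time."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        scripts = pkg.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if not command:
                continue
            findings.append({
                "package": pkg.get("name", os.path.basename(dirpath)),
                "version": pkg.get("version"),
                "hook": hook,
                "command": command,
                "reasons": [why for rx, why in RED_FLAGS if rx.search(command)],
            })
    # most-flagged first, then alphabetical, so the worrying ones top the report
    return sorted(findings, key=lambda f: (-len(f["reasons"]), f["package"]))


def _write_package(root, name, version, scripts=None):
    path = os.path.join(root, "node_modules", *name.split("/"))
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": name, "version": version, "scripts": scripts or {}}, fh)


def build_sample_tree(root):
    """Constructed sample: two harmless packages and one with a suspicious postinstall."""
    _write_package(root, "left-pad-alike", "1.0.0")
    _write_package(root, "@example/native-thing", "2.1.0",
                   {"install": "node-gyp rebuild"})            # common, legitimate
    _write_package(root, "@example/widget", "3.4.5",
                   {"postinstall": "node setup_bundle.js",        # runs a shipped script
                    "test": "jest"})


def demo():
    root = tempfile.mkdtemp(prefix="npm-audit-")
    build_sample_tree(root)
    return audit_node_modules(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}@{f['version']} {f['hook']}: {f['command']}  {f['reasons']}")
```

The practical pairing is `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) so nothing runs at install time, then this audit to decide which of the listed hooks you actually need to run by hand, since native modules like the `node-gyp` one above genuinely do.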
Bits and Bytes
[Vortex] at ByteRay took a look at an industrial cellular router, and found a couple major issues. This ALLNET router has an RCE, due to CGI handling of unauthenticated HTTP requests. It’s literally just /cgi-bin/popen.cgi?command=whoami to run code as root. That’s not the only issue here, as there’s also a hardcoded username and password. [Vortex] was able to derive that backdoor account information and use hashcat to crack the password. I was unable to confirm whether patched firmware is available.
Google is tired of their users getting scammed by spam phone calls and texts. Their latest salvo in trying to defeat such scams is in-call scam protection. This essentially detects a banking app that is opened as a result of a phone call. When this scenario is detected, a warning dialog is presented that suggests the user hang up the call, and a 30-second waiting period is enforced. While this may sound terrible for sophisticated users, it is likely to help prevent fraud against our collective parents and grandparents.
What seemed to be just an illegal gambling ring of web sites now seems to be the front for an Advanced Persistent Threat (APT). That term, by the way, usually refers to a government-sponsored hacking effort. In this case, instead of a gambling fraud targeting Indonesians, it appears to be targeting Western infrastructure. One of the strongest arguments for this claim is the fact that this network has been operating for over 14 years, and includes a mind-boggling 328,000 domains. Quite the odd one.
React2Shell = Log4Shell: 87,000 servers in Italy at risk of compromise
In 2025 the IT and security communities are buzzing over a single name: "React2Shell". With the disclosure of a new vulnerability, CVE-2025-55182, rated CVSS 10.0, developers and security experts around the world are warning of its severity, going so far as to call it "the 2025 Log4Shell".
Roughly 8,777,000 servers worldwide are exposed to this threat, about 87,000 of them in Italy. With a severity score of 10, this could well be one of the most significant threats of the entire year, and it is now becoming "active".
The new Log4Shell of 2025
It has been confirmed that the Chinese hacker community has already started large-scale attack tests against exposed servers using an exploit for this vulnerability. CVE-2025-55182 is not merely a software bug. It is a structural flaw in the RSC (React Server Components) serialization protocol that can be exploited in the default configuration, with no developer mistake required. Authentication is not required either.
That is why security experts worldwide are calling it "the 2025 version of Log4Shell". The React2Shell Checker vulnerability scanner probes multiple paths and marks endpoints as Safe or Vulnerable. The screenshot in the original article shows several researchers already running automated scans against RSC-based servers.
The problem is that these tools become weapons that attackers can exploit. Chinese hackers are successfully conducting RCE tests. According to data collected from the Chinese hacker community, attackers have already injected React2Shell PoCs into Next.js-based services, collected the results through the DNSLog service and verified the attack vector.
The PoC exploit used in the scans
A crafted payload is sent with Burp Repeater and the server creates an external DNS record. This indicates that the attack is being verified in real time. Attackers have already completed the following steps:
- Upload the payload to the target server
- Trigger the RSC serialization vulnerability
- Confirm successful command execution via an external DNSLog
- Confirm that child_process can be executed on the server side.
This is no longer a "theoretical vulnerability"; it is proof that a working attack vector has already been developed.
Chinese hackers are carrying out successful RCEs as you read this.
PoCs have been published on GitHub, and some researchers have run them, confirming that the Windows Calculator (calc.exe) was executed remotely.
Sending the payload through Burp Suite Repeater resulted in calc.exe launching immediately on the server. This means full remote code execution is possible.
Popping the calculator remotely is the security research community's customary way of demonstrating a successful "RCE", that is, an attacker having taken control of a server.
The 87,000 servers reported in the FOFA screenshot show that a significant number of Italian companies' web services run with RSC features based on React/Next.js enabled and are at risk. The problem is that most of them
- use server-side rendering
- keep the default RSC settings
- expose API routes, so they can be targeted by large-scale attacks.
In particular, since FOFA search results are a common source of information used by hacker groups too when selecting attack targets, these servers are very likely already under active scanning.
Why is React2Shell dangerous?
Experts call this vulnerability "unprecedented" for the following reasons:
- Unauthenticated RCE (unauthenticated remote code execution): the attacker does not need to log in.
- Zero-click potential: no user action is required.
- Immediately usable PoCs: already published in large numbers on GitHub and X.
- Hundreds of thousands of services worldwide rely on React 19/Next.js: risk of large-scale propagation across the supply chain.
- The default setting itself is vulnerable: hard for developers to defend against.
This combination closely resembles the Log4Shell incident of 2021.
However, unlike Log4Shell, which was confined to Java's Log4j, React2Shell is more serious in that it targets frameworks used by the entire global web services ecosystem.
What the signs of an actual attack are
Attackers are already running the following attack routine.
- Harvest exposed React/Next.js assets by country from FOFA
- Run the React2Shell PoC automation script
- Check via DNSLog whether the command was executed
- Swap in the real payload once vulnerable servers have been identified
- Take control of the system through the final RCE
This phase is not a pre-scan but the stage immediately preceding the attack. Given the particularly high number of servers in Italy, the probability of large-scale RCE attacks against national institutions and companies is very high. Vulnerability assessment tools and other tooling are being uploaded to the security community.
Mitigating the security bug
Experts recommend emergency measures such as immediate patching, vulnerability scanning, log analysis and updating WAF blocking policies.
The React team announced on 3 December that it had urgently released a patch for CVE-2025-55182, correcting a structural flaw in the RSC serialization protocol. However, because React does not update itself, the vulnerability persists unless companies and development organizations manually update and rebuild their versions.
In particular, Next.js-based services require a rebuild and redeployment after the React patch is applied, which means there will likely be a significant delay before the security fix actually reaches production environments. Experts warn that "the patch has been released, but most servers are still at risk".
Many Next.js applications run with RSC enabled by default, often without even the internal development teams being aware of it. Companies therefore need to inspect their code bases carefully for use of Server Components and Server Actions. With large-scale scanning attempts already confirmed in several countries, including Korea, tightening blocking policies is essential.
Moreover, with automated React2Shell scanners and PoC code spreading worldwide, attackers are mass-scanning exposed servers at this very moment. Security experts have therefore stressed that companies must immediately scan their domains, subdomains and cloud instances with external attack-surface assessment tools.
They also pointed out that if traces of DNSLog callbacks, a rise in unusual multipart POST requests, or large payloads sent to RSC endpoints are found in internal logs, it is very likely that an attack attempt has already occurred or partial compromise has been achieved, which calls for a rapid response.
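The two helpers below are an added example for both the "This Week in Security" item on the React Server Components flaw and the mitigation advice in this article; they are not code from React, Vercel, Red Hot Cyber or any published scanner. The first checks an installed React version against the fixed releases (19.0.1, 19.1.2, 19.2.1) and answers "not covered" for other version lines rather than guessing. The second scores structured access-log events on the signals listed above (multipart POSTs, large bodies, RSC endpoints) and flags resolver-log queries to well-known out-of-band callback services. The log formats, the field names, the Next-Action and `_rsc` indicators, the size threshold and the sample lines are all choices made for this example.

```python
# Added example; not code from React, Vercel, Red Hot Cyber or any published scanner.
# Two triage helpers: a version check against the fixed React releases (19.0.1, 19.1.2,
# 19.2.1; other version lines return None = "not covered here"), and a scan of structured
# access-log and DNS-log lines for the signals the article lists. Log formats, field names
# and thresholds are constructed for this example.
import json

FIXED_PATCH = {(19, 0): 1, (19, 1): 2, (19, 2): 1}


def is_patched(version):
    """True/False for the 19.0-19.2 lines, None for versions this table doesn't cover."""
    core = version.split("-", 1)[0]                       # drop "-canary-..." suffixes
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch >= fixed


LARGE_BODY = 64 * 1024                  # threshold is a guess; tune to the app's real traffic
# Well-known out-of-band callback services; extend with whatever your resolver logs show.
OOB_SUFFIXES = ("dnslog.cn", "interact.sh", "oast.fun", "oast.pro", "oast.live",
                "oast.site", "oastify.com", "burpcollaborator.net")


def score_request(ev):
    """Score one JSON access-log event; reasons accumulate, alert at score >= 3."""
    reasons = []
    ctype = (ev.get("content_type") or "").lower()
    if ev.get("method") == "POST" and ctype.startswith("multipart/form-data"):
        reasons.append((1, "multipart POST"))
    if ev.get("next_action"):                 # Next.js sets Next-Action on server-action calls
        reasons.append((1, "RSC server action request"))
    if "_rsc=" in (ev.get("query") or ""):     # RSC payload fetches carry a _rsc parameter
        reasons.append((1, "RSC payload fetch"))
    if (ev.get("request_length") or 0) >= LARGE_BODY:
        reasons.append((2, "large request body"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]


def triage_access_log(lines, threshold=3):
    alerts = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue
        score, reasons = score_request(ev)
        if score >= threshold:
            alerts.append({"remote": ev.get("remote"), "path": ev.get("path"),
                           "score": score, "reasons": reasons})
    return alerts


def triage_dns_log(lines):
    """Flag queries to out-of-band callback domains (the 'DNSLog traces' the article names)."""
    hits = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        qname = fields.get("query", "").lower().rstrip(".")
        if any(qname == s or qname.endswith("." + s) for s in OOB_SUFFIXES):
            hits.append({"client": fields.get("client"), "query": qname})
    return hits


# Constructed sample logs (JSON-per-line access log, key=value resolver log).
ACCESS_LOG = [
    '{"remote":"10.0.0.7","method":"GET","path":"/","query":"","content_type":"",'
    '"request_length":0,"next_action":null}',
    '{"remote":"10.0.0.7","method":"POST","path":"/account","query":"",'
    '"content_type":"multipart/form-data; boundary=x","request_length":912,"next_action":"7f3a"}',
    '{"remote":"203.0.113.9","method":"POST","path":"/","query":"",'
    '"content_type":"multipart/form-data; boundary=y","request_length":196608,"next_action":"00"}',
]
DNS_LOG = [
    "2025-12-05T10:00:01Z client=10.0.0.21 query=www.example.com. type=A",
    "2025-12-05T10:00:02Z client=10.0.0.21 query=abc123.dnslog.cn. type=A",
]

if __name__ == "__main__":
    print(is_patched("19.2.0"), is_patched("19.2.1"))
    print(triage_access_log(ACCESS_LOG))
    print(triage_dns_log(DNS_LOG))
```

A small multipart server-action POST from a logged-in user scores 2 and stays quiet; the same shape with a large body from an unknown address scores 4 and is raised. Treat a DNS hit as evidence of a successful callback, not just a probe, and move to incident response rather than patching alone.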
The article React2Shell = Log4Shell: 87,000 servers in Italy at risk of compromise originally appeared on Red Hot Cyber.
Warnings About Retrobright Damaging Plastics After 10 Year Test
Within the retro computing community there exists a lot of controversy about so-called 'retrobrighting', which involves methods that seek to reverse the yellowing that many plastics suffer over time. While some are all in on this practice that restores yellow plastics to their previous white luster, others actively warn against it after bad experiences, such as [Tech Tangents] in a recent video.
Uneven yellowing on a North American SNES console. (Credit: Vintage Computing)
After a decade of trying out various retrobrighting methods, he found for example that a Sega Dreamcast shell which he treated with hydrogen peroxide ten years ago actually yellowed faster than the untreated plastic right beside it. Similarly, the use of ozone as another way to achieve the oxidation of the brominated flame retardants that are said to underlie the yellowing was also attempted, with highly dubious results.
While streaking after retrobrighting with hydrogen peroxide can be attributed to an uneven application of the compound, there are many reports of the treatment damaging the plastics and making them brittle. Considering the uneven yellowing of e.g. Super Nintendo consoles, the cause of the yellowing is also not just photo-oxidation caused by UV exposure, but seems to be related to heat exposure and the exact amount of flame retardants mixed in with the plastic, as well as potentially general degradation of the plastic's polymers.
Pending more research on the topic, the use of retrobrighting should perhaps not be banished completely. But considering the damage that we may be doing to potentially historical artifacts, it would behoove us to at least take a step or two back and consider the urgency of retrobrighting today instead of in the future with a better understanding of the implications.
youtube.com/embed/_n_WpjseCXA?…
Cloudflare down again: outages on Dashboard, API and now Workers too
Cloudflare is back in the spotlight after a new wave of outages that, on 5 December 2025, is affecting several components of the platform.
Beyond the Dashboard and API problems already reported by users worldwide, the company has confirmed it is also working on a significant increase in errors affecting Cloudflare Workers, the serverless service used by thousands of developers to automate critical functions of their applications.
Another tile added to a mosaic of far from negligible problems.
As many security experts have pointed out for years, entrusting the web's basic infrastructure to a handful of companies creates structural bottlenecks. And when one of those nodes jams, as happens with Cloudflare, the whole ecosystem suffers.
A hiccup can block automations, custom APIs, logical redirects, authentication functions and even integrated security systems. A single malfunction can trigger a domino effect far larger than expected.
Complicating matters further, scheduled maintenance is also under way today in the DTW data center in Detroit, with possible traffic rerouting and increased latency for users in the area. Although the maintenance is planned and managed, its coincidence with the Workers and Dashboard problems raises the level of uncertainty. In some specific cases, such as PNI/CNI customers connecting directly to the data center, certain network interfaces may be temporarily unavailable, forcing failover to alternative paths.
The crux remains the same: this centralization exposes the web to enormous operational and security risks. When a platform like Cloudflare creaks, even for just a few hours, DDoS protections, anti-bot systems and firewall rules are weakened, opening windows of vulnerability that well-prepared attackers may try to exploit.
Dependence on a single giant for such sensitive functions is a point of fragility that can no longer be ignored.
The previous global blackout, documented with great transparency by Cloudflare itself and analyzed by Red Hot Cyber, had shown how an internal backbone configuration error could take significant portions of world traffic offline.
Today we are not (yet) facing a failure of that magnitude, but the sum of several simultaneous outages recalls that case and raises doubts about the overall resilience of the infrastructure.
Cloudflare's latest outage, this time spread across several layers of the platform, shows how fragile the modern Internet is and how much its reliability depends on a few players. Companies, small or large, that build their services on these foundations should start seriously considering multi-provider redundancy plans. Because when a single point fails, half the web risks falling with it.
The article Cloudflare down again: outages on Dashboard, API and now Workers too originally appeared on Red Hot Cyber.
Off-Grid, Small-Scale Payment System
An effective currency needs to be widely accepted, easy to use, and stable in value. By now most of us have recognized that cryptocurrencies fail at all three things, despite lofty ideals revolving around decentralization, transparency, and trust. But that doesn’t mean that all digital currencies or payment systems are doomed to failure. [Roni] has been working on an off-grid digital payment node called Meshtbank, which works on a much smaller scale and could be a way to let a much smaller community set up a basic banking system.
The node uses Meshtastic as its backbone, letting the payment system use the same long-range low-power system that has gotten popular in recent years for enabling simple but reliable off-grid communications for a local area. With Meshtbank running on one of the nodes in the network, accounts can be created, balances reported, and digital currency exchanged using the Meshtastic messaging protocols. The ledger is also recorded, allowing transaction histories to be viewed as well.
A system like this could have great value anywhere barter-style systems exist, or could be used for community credits, festival credits, or any place that needs to track off-grid local transactions. As a thought experiment or proof of concept it shows that this is at least possible. It does have a few weaknesses though — Meshtastic isn’t as secure as modern banking might require, and the system also requires trust in an administrator. But it is one of the more unique uses we’ve seen for this communications protocol, right up there with a Meshtastic-enabled possum trap.
Digital Supply Chain: why a supplier can become a critical point
The exponential increase in digital interconnection in recent years has generated a deep operational interdependence between organizations and their third-party service providers. This digital supply chain model, while it optimizes efficiency and scalability, also introduces a critical systemic risk: a vulnerability or failure in a single node of the chain can trigger a cascade of negative consequences that jeopardize the integrity and resilience of the entire corporate structure.
The recent attack on the systems of myCicero S.r.l., a service operator for the Consorzio UnicoCampania, is an emblematic case of this risk.
The data breach notification to users (Figure 1), issued in compliance with the General Data Protection Regulation (GDPR), goes beyond mere formal compliance. It is proof that a single vulnerability within the supply chain can lead to the unauthorized exposure of the personal data of thousands of users, including, as in this case, potentially sensitive data relating to identity documents and student passes.
Figure 1. UnicoCampania notice
The myCicero – UnicoCampania case
The Consorzio UnicoCampania, the body responsible for regional fare integration and for issuing discounted passes to students, has officially confirmed a serious data breach affecting the infrastructure of one of its key suppliers: myCicero S.r.l.
The incident, described as a “sophisticated cyber attack perpetrated by unidentified external actors”, occurred between 29 and 30 March 2025.
The complexity of the case lies in the layering of data-processing roles. In particular, in managing the pass service, the Consorzio UnicoCampania acted in several capacities:
- Controller or Joint Controller: for managing the user account, credentials and the issuing of travel passes.
- Data Processor (on behalf of the Regione Campania): for acquiring and verifying the documentation needed to prove the personal eligibility requirements for fare concessions.
The attack led to the exfiltration of unencrypted sensitive data. This includes:
- Personal details, contact details and authentication credentials (username and password, although encrypted);
- Images of identity documents, data declared for the ISEE certification and special categories of data (e.g. health information, such as disability status) where these emerge from the ISEE documentation [1].
- Personal data belonging to minors and their parents [1].
Data relating to credit cards or other payment instruments, on the other hand, were not involved, as they are not hosted on myCicero's systems.
Figure 2. Exfiltrated data
In response to the incident, myCicero immediately filed a formal complaint and activated a remediation plan aimed at strengthening its infrastructure. In parallel, the Consorzio UnicoCampania promptly informed the competent Authorities and implemented a drastic measure to mitigate the risk from the compromised passwords: all affected credentials not changed by users by 30 September 2025 were permanently deleted and disabled on 1 October 2025.
Action and Defense: How to React
Faced with an incident of this scale, the end user often experiences a sense of vulnerability. To reduce risk exposure and limit the potential damage from a data breach, the following mitigation and security-hardening measures are recommended:
- Credential management:
  - Use long, complex strings that combine numbers, symbols and a mix of upper- and lower-case letters;
  - Do not use common words, predictable sequences or personal data (e.g. name, date of birth) as passwords;
  - Apply the principle of uniqueness: use distinct credentials for each service;
  - Change your credentials periodically and avoid reusing them over time;
  - Enable multi-factor authentication (MFA) wherever possible;
- Phishing prevention:
  - When receiving suspicious e-mails or SMS messages, always verify the sender's identity and never provide sensitive data in reply;
  - Verify the authenticity of any urgent request (especially those concerning data verification or payments) only by contacting the operator through its official communication channels (website or known support number);
  - Avoid clicking on hyperlinks or opening unexpected attachments or those from unverified sources;
  - Pay particular attention to requests that create a sense of urgency or that exploit psychology to induce you to hand over information.
The article Digital Supply Chain: why a supplier can become a critical point originally appeared on Red Hot Cyber.
Biogas Production For Surprisingly Little Effort
Probably most people know that when organic matter such as kitchen waste rots, it can produce flammable methane. As a source of free energy it’s attractive, but making a biogas plant sounds difficult, doesn’t it? Along comes [My engines] with a well-thought-out biogas plant that seems within the reach of most of us.
It’s based around a set of plastic barrels and plastic waste pipe, and he shows us the arrangement of feed pipe and residue pipe to ensure a flow through the system. The gas produced has CO2 and H2S as undesirable by-products, both of which can be removed with some surprisingly straightforward chemistry. The home-made gas holder meanwhile comes courtesy of a pair of plastic drums, one inside the other.
Perhaps the greatest surprise is that the whole thing can produce a reasonable supply of gas from as little as 2 kg of organic kitchen waste daily. We can see that this is a set-up for someone with the space and also the ability to handle methane safely, but you have to admit from watching the video below that it’s an attractive idea. Who knows, if the world faces environmental collapse, you might just need it.
youtube.com/embed/0EC0RMQUN68?…
Building a Microscope without Lenses
It’s relatively easy to understand how optical microscopes work at low magnifications: one lens magnifies an image, the next magnifies the already-magnified image, and so on until it reaches the eye or sensor. At high magnifications, however, that model starts to fail when the feature size of the specimen nears the optical system’s diffraction limit. In a recent video, [xoreaxeax] built a simple microscope, then designed another microscope to overcome the diffraction limit without lenses or mirrors (the video is in German, but with automatic English subtitles).
The first part of the video goes over how lenses work and how they can be combined to magnify images. The first microscope was made out of camera lenses, and could resolve onion cells. The shorter the focal length of the objective lens, the stronger the magnification is, and a spherical lens gives the shortest focal length. [xoreaxeax] therefore made one by melting a bit of soda-lime glass with a torch. The picture it gave was indistinct, but highly magnified.
A cross section of the diffraction pattern of a laser diode shining through a pinhole, built up from images at different focal distances.
Besides the dodgy lens quality given by melting a shard of glass, at such high magnification some of the indistinctness was caused by the specimen acting as a diffraction grating and directing some light away from the objective lens. [xoreaxeax] visualized this by taking a series of pictures of a laser shining through a pinhole at different focal lengths, thus getting cross sections of the light field emanating from the pinhole. When repeating the procedure with a section of onion skin, it became apparent that diffraction was strongly scattering the light, which meant that some light was being diffracted out of the lens’s field of view, causing detail to be lost.
To recover the lost details, [xoreaxeax] eliminated the lenses and simply captured the interference pattern produced by passing light through the sample, then wrote a ptychography algorithm to reconstruct the original structure from the interference pattern. This required many images of the subject under different lighting conditions, which a rotating illumination stage provided. The algorithm was eventually able to recover a sort of image of the onion cells, but it was less than distinct. The fact that the lens-free setup was able to produce any image at all is nonetheless impressive.
To see another approach to ptychography, check out [Ben Krasnow’s] approach to increasing microscope resolution. With an electron microscope, ptychography can even image individual atoms.
youtube.com/embed/lhJhRuQsiMU?…
Preventing a Mess with the Weller WDC Solder Containment Pocket
Resetting the paraffin trap. (Credit: MisterHW)
Have you ever tipped all the stray bits of solder out of your tip cleaner by mistake? [MisterHW] is here with a bit of paraffin wax to save the day.
Hand soldering can be a messy business, especially when you wipe the soldering iron tip on those common brass wool bundles that have largely come to replace moist sponges. The Weller Dry Cleaner (WDC) is one such holder for brass wool, but the large tray in front of the brass-wool opening has confused many as to its exact purpose. In short, it’s there so that you can slap the iron against the side to flick contaminants and excess solder off the tip.
Along with catching some of the bits of mostly solder that fly off during cleaning in the brass wool section, quite a lot of debris can be collected this way. Yet as many can attest to, it’s quite easy to flip over brass wool holders and have these bits go flying everywhere.
The trap in action. (Credit: MisterHW)
That’s where [MisterHW]’s pit of particulate holding comes into play, using folded sheet metal and some wax (e.g. paraffin) to create a trap that serves to catch any debris that enters it and smother it in the wax. To reset the trap, simply heat it up with e.g. the iron and you’ll regain a nice fresh surface to capture the next batch of crud.
As the wax is cold when in use, even if you were to tip the holder over, it should not go careening all over your ESD-safe work surface and any parts on it, and the wax can be filtered if needed to remove the particulates. When using leaded solder alloys, this setup also helps to prevent lead-contamination of the area and generally eases clean-up as bumping or tipping a soldering iron stand no longer means weeks, months or years of accumulations scooting off everywhere.
Build A Pocket-Sized Wi-Fi Analyzer
Wi-Fi! It’s everywhere, and yet you can’t really see it, by virtue of the technology relying on the transmission of electromagnetic waves outside the visual spectrum. Never mind, though, because you can always build yourself a Wi-Fi analyzer to get some insight into your radio surroundings, as demonstrated by [moononournation].
The core of the build is the ESP32-C5. The popular microcontroller is well-equipped for this task with its onboard dual-band Wi-Fi hardware, even if the stock antenna on most devboards is a little underwhelming. [moononournation] has paired this with a small rectangular LCD screen running the ILI9341 controller. The graphical interface is drawn with the aid of the Arduino_GFX library. It shows a graph of access points detected in the immediate area, as well as which channels they’re using and their apparent signal strength.
If you’re just trying to get a basic read on the Wi-Fi environment in a given locale, a tool like this can prove pretty useful. If your desires are more advanced, you might leap up to tinkering in the world of software defined radio. Video after the break.
youtube.com/embed/t9VukUucfEA?…
Raising a GM EV1 from the Dead
Probably the biggest story in the world of old cars over the past couple of weeks has been the surfacing of a GM EV1 electric car for sale from an auto salvage yard. This was the famous electric car produced in small numbers by the automaker in the 1990s, then only made available for lease before being recalled. The vast majority were controversially crushed with a few units being donated to museums and universities in a non-functional state.
Finding an old car isn’t really a Hackaday story in itself, but now it’s landed in [The Questionable Garage]. It’s being subjected to a teardown as a prelude to its restoration, offering a unique opportunity to look at the state of the art in 1990s electric automotive technology.
The special thing about this car is that by a murky chain of events it ended up as an abandoned vehicle. GM’s legal net covers the rest of the surviving cars, but buying this car as an abandoned vehicle gives the owner legal title over it and frees him from their restrictions. The video is long, but well worth a watch as we see pieces of automotive tech never before shown in public. As we understand it the intention is to bring it to life using parts from GM’s contemporary S10 electric pickup truck — itself a rare vehicle — so we learn quite a bit about those machines too.
Along the way they find an EV1 charger hiding among a stock of pickup chargers, take us through the vehicle electronics, and find some galvanic corrosion in the car’s structure due to water ingress. The windscreen has a huge hole, which they cover with a plastic wrap in order to 3D scan so they can create a replacement.
This car will undoubtedly become a star of the automotive show circuit due to its unique status, so there will be plenty of chances to look at it from the outside in future. Seeing it this close up in parts though is as unique an opportunity as the car itself. We’ve certainly seen far more crusty conventional cars restored to the road, but without the challenge of zero parts availability and no donor cars. Keep an eye out as they bring it closer to the road.
youtube.com/embed/Xn2MJqPOmSI?…
Keebin’ with Kristina: the One with the Pretty Prototypes
Some like it flat, and there’s nothing wrong with that. What you are looking at is the first prototype of Atlas by [AsicResistor], which is still a work in progress. [AsicResistor] found the Totem to be a bit cramped, so naturally, it was time to design a keyboard from the ground up.
Image by [AsicResistor] via reddit
The case is wood, if that’s not immediately obvious. This fact is easily detectable in the lovely render, but I didn’t want to show you that here.
This travel-friendly keyboard has 34 keys and dual trackpoints, one on each half. If the nubbin isn’t your thing, there’s an optional, oversized trackball, which I would totally opt for. But I would need an 8-ball instead, simply because that’s my number.
A build video is coming at some point, so watch the GitHub, I suppose, or haunt r/ergomechkeyboards.
Flat as it may be, I would totally at least give this keyboard a fair chance. There’s just something about those keycaps, for starters. (Isn’t it always the keycaps with me?) For another, I dig the pinky stagger. I’m not sure that two on each side is nearly enough thumb keys for me, however.
The Foot Roller Scroller Is Not a Crock
Sitting at a keyboard all day isn’t great for anyone, but adding in some leg and/or foot movement throughout the day is a good step in the right direction. Don’t want to just ride a bike all day under your desk? Add something useful like foot pedals.
Image by [a__b] via reddit
The Kinesis Savant pedals are a set of three foot switches that are great for macros, or just pressing Shift all the time. Trust me. But [a__b] wasn’t satisfied with mere clicking, and converted their old pedals into a Bluetooth 5.0 keyboard with a big, fat scroll wheel.
Brain-wise, it has a wireless macro keyboard and an encoder from Ali, but [a__b] plans to upgrade it to a nice!nano in order to integrate it with a Glove80.
Although shown with a NautiCroc, [a__b] says the wheel works well with socks on, or bare feet. (Take it from me, the footfeel of pedals is much more accurate with no shoes on.) Interestingly, much of the inspiration was taken from sewing machines.
As of this writing, [a__b] has mapped all keys using BetterTouchTool for app-specific action, and is out there happily scrolling through pages, controlling the volume, and navigating YouTube videos. Links to CAD and STLs are coming soon.
The Centerfold: LEGO My Ergo
Image by [Flat-Razzmatazz-672] via reddit
This here is a Silakka 54 split keyboard with a custom LEGO case available on Thingiverse. [Flat-Razzmatazz-672] says that it isn’t perfect (could have fooled me!), but it did take a hell of a lot of work to get everything to fit right.
As you might imagine and [Flat-Razzmatazz-672] can attest, 3D printing LEGO is weird. These studs are evidently >= 5% bigger than standard studs, because if you print it as is, the LEGO won’t fit right.
Via reddit
Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!
Historical Clackers: the North’s was a Striking Down-striker
Although lovely to gaze upon, the North’s typewriter was a doomed attempt at creating a visible typewriter. That is, one where a person could actually see what they were typing as they typed it.
Image via The Antikey Chop
North’s achieved this feat through the use of vertical typebars arranged in a semi-circle that would strike down onto the platen from behind, making it a rear down-striker.
In order for this arrangement to work, the paper had to be loaded and coiled into one basket, and it was fed into another, hidden basket while typing. This actually allowed the typist to view two lines at a time, although the unfortunate ribbon placement obstructed the immediate character.
The story of North’s typewriter is a fairly interesting one. For starters, it was named after Colonel John Thomas North, who wasn’t really a colonel at all. In fact, North had very little to do with the typewriter beyond bankrolling it and providing a name.
North started the company by purchasing the failed English Typewriter Company, which brought along with it a couple of inventors, who would bring the North’s to fruition. The machine was made from 1892 to 1905. In 1896, North died suddenly while eating raw oysters, though the cause of death was likely heart failure. As he was a wealthy, unpopular capitalist, conspiracy theories abounded surrounding his departure.
Finally, MoErgo Released a New Travel Keyboard, the Go60
It’s true, the MoErgo Glove80 is great for travel. And admittedly, it’s kind of big, both in and out of its (very nice) custom zipper case. But you asked, and MoErgo listened. And soon enough, there will be a new option for even sleeker travel, the Go60. Check out the full spec sheet.
Image by MoErgo via reddit
You may have noticed that it’s much flatter than the Glove80, which mimics the key wells of a Kinesis Advantage quite nicely.
Don’t worry, there are removable palm rests that are a lot like the Glove80 rests. And it doesn’t have to be flat: there is 6-step magnetic tenting (6.2° – 17°), which snaps on or off in seconds. The palm rests have 7-step tenting (6° – 21.5°), and they come right off, too.
Let’s talk about those trackpads. They are Cirque 40 mm Glidepoints. They aren’t multi-touch, but they are fully integrated into ZMK and thus are fully programmable, so do what you will.
Are you as concerned about battery life as I am? It’s okay — the Go60 goes fully wired with a TRRS cable between the halves, and a USB connection from the left half to the host. Although ZMK did not support this feature, MoErgo sponsored the founder, [Pete], to develop it, and now it’s just a feature of ZMK. You’re welcome.
Interested? The Go60 will be on Kickstarter first, and then it’ll be available on the MoErgo site. Pricing hasn’t quite been worked out yet, so stay tuned on that front.
Via reddit
Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.
An Introduction to Analog Filtering
One of the major difficulties in studying electricity, especially when compared to many other physical phenomena, is that it cannot be observed directly by human senses. We can manipulate it to perform various tasks and see its effects indirectly, like the ionized channels formed during lightning strikes or the resistive heating of objects, but its underlying behavior is largely hidden from view. Even mathematical descriptions can quickly become complex and counter-intuitive, obscured behind layers of math and theory. Still, [lcamtuf] has made some strides in demystifying aspects of electricity in this introduction to analog filters.
The discussion on analog filters looks at a few straightforward examples first. Starting with a resistor-capacitor (RC) filter, [lcamtuf] explains it by breaking its behavior down into steps of how the circuit behaves over time. Starting with a DC source and no load, and then removing the resistor to show just the behavior of a capacitor, shows the basics of this circuit from various perspectives. From there it moves into how it behaves when exposed to a sine wave instead of a DC source, which is key to understanding its behavior in arbitrary analog environments such as those involved in audio applications.
There’s some math underlying all of these explanations, of course, but it’s not overwhelming like a third-year electrical engineering course might be. For anyone looking to get into signal processing or even just building a really nice set of speakers for their home theater, this is an excellent primer. We’ve seen some other demonstrations of filtering data as well, like this one which demonstrates basic filtering using a microcontroller.
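As an added example (not code from [lcamtuf]'s article), the following Python script walks the same path the write-up describes: it steps an RC low-pass through time under a DC step, then drives it with a sine and compares the measured amplitude ratio with the analytic 1/sqrt(1 + (2πfRC)²). The 1 kΩ / 1 µF component values are constructed for illustration.

```python
import math


def cutoff_hz(r_ohms: float, c_farads: float) -> float:
    """Corner frequency of a first-order RC low-pass: f_c = 1 / (2*pi*R*C)."""
    return 1.0 / (2.0 * math.pi * r_ohms * c_farads)


def rc_step_response(r_ohms, c_farads, v_in, t_end, dt):
    """Capacitor voltage over time when a DC step of v_in volts is applied at
    t = 0 to an RC low-pass whose capacitor starts discharged.

    Integrates i = C*dV/dt = (v_in - v_c)/R with explicit Euler steps and
    returns a list of (t, v_c) samples.
    """
    tau = r_ohms * c_farads
    v_c = 0.0
    samples = []
    for n in range(int(round(t_end / dt))):
        v_c += dt * (v_in - v_c) / tau      # dV/dt = (v_in - v_c) / (R*C)
        samples.append(((n + 1) * dt, v_c))
    return samples


def voltage_at(samples, t):
    """Simulated capacitor voltage at the sample closest to time t."""
    return min(samples, key=lambda s: abs(s[0] - t))[1]


def rc_sine_gain(r_ohms, c_farads, freq_hz, cycles=20):
    """Drive the same RC filter with a unit-amplitude sine and return
    (measured steady-state gain, analytic gain).

    The analytic magnitude response is |H(f)| = 1 / sqrt(1 + (2*pi*f*R*C)^2).
    """
    tau = r_ohms * c_farads
    # Time step small relative to both the time constant and the period.
    dt = min(tau, 1.0 / freq_hz) / 200.0
    steps = int(round(cycles / freq_hz / dt))
    settle = steps // 2                      # discard start-up transient
    v_c, peak = 0.0, 0.0
    for n in range(steps):
        v_in = math.sin(2.0 * math.pi * freq_hz * n * dt)
        v_c += dt * (v_in - v_c) / tau
        if n >= settle:
            peak = max(peak, abs(v_c))
    analytic = 1.0 / math.sqrt(1.0 + (2.0 * math.pi * freq_hz * tau) ** 2)
    return peak, analytic


if __name__ == "__main__":
    R, C = 1_000.0, 1e-6                     # constructed: 1 kOhm, 1 uF -> tau = 1 ms
    tau = R * C
    step = rc_step_response(R, C, 5.0, 5 * tau, tau / 1000)
    print(f"after one tau: {voltage_at(step, tau):.3f} V (expect ~63% of 5 V)")
    fc = cutoff_hz(R, C)
    for f in (fc / 10, fc, fc * 10):
        measured, calc = rc_sine_gain(R, C, f)
        print(f"{f:8.1f} Hz: measured gain {measured:.3f}, analytic {calc:.3f}")
```

At the corner frequency the measured gain lands at about 0.707, and a decade above it falls to roughly 0.1, the familiar first-order roll-off.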
Ore Formation: A Surface Level Look
The past few months, we’ve been giving you a quick rundown of the various ways ores form underground; now the time has come to bring that surface-level understanding to surface-level processes.
Strictly speaking, we’ve already seen one: sulfide melt deposits are associated with flood basalts and meteorite impacts, which absolutely are happening on-surface. They’re totally an igneous process, though, and so were presented in the article on magmatic ore processes.
For the most part, you can think of the various hydrothermal ore formation processes as being metamorphic in nature. That is, the fluids are causing alteration to existing rock formations; this is especially true of skarns.
There’s a third leg to that rock tripod, though: igneous, metamorphic, and sedimentary. Are there sedimentary rocks that happen to be ores? You betcha! In fact, one sedimentary process holds the most valuable ores on Earth– and as usual, it’s not likely to be restricted to this planet alone.
Placer? I hardly know ‘er!
We’re talking about placer deposits, which means we’re talking about gold. In dollar value, gold’s great expense means that these deposits are amongst the most valuable on Earth– and nearly half of the world’s gold has come out of just one of them. Gold isn’t the only mineral that can be concentrated in placer deposits, to be clear; it’s just the one everyone cares about these days, because, well, have you seen the spot price lately?
Since we’re talking about sediments, as you might guess, this is a secondary process: the gold has to already be emplaced by one of the hydrothermal ore processes. Then the usual erosion happens: wind and water break down the rock, and gold gets swept downhill along with all the other little bits of rock on their way to becoming sediments. Gold, however, is much denser than silicate rocks. That’s the key here: any denser material is naturally going to be sorted out in a flow of grains. To be specific, empirical data shows that anything denser than 2.87 g/cm³ can be concentrated in a placer deposit. That would qualify a lot of the sulfide minerals the hydrothermal processes like to throw up, but unfortunately sulfides tend to be both too soft and too chemically unstable to hold up to the weathering to form placer deposits, at least on Earth since cyanobacteria polluted the atmosphere with O2.
Dry? Check. Windswept? Check. Aeolian placer deposits? Maybe!
Image: “MSL Sunset Dunes Mosaic“, NASA/JPL and Olivier de Goursac
One form of erosion is from wind, which tends to be important in dry regions – particularly the deserts of Australia and the Western USA. Wind erosion can also create placer deposits, which get called “aeolian placers”. The mechanism is fairly straightforward: lighter grains of sand are going to blow further, concentrating the heavy stuff on one side of a dune or closer to the original source rock. Given the annual global dust storms, aeolian placers may come up quite often on Mars, but the thin atmosphere might make this process less likely than you’d think.
We’ve also seen rockslides on Mars, and material moving in this manner is subject to the same physics. In a flow of grains, you’re going to have buoyancy, and the heavy stuff is going to fall to the bottom and stop sooner. If the lighter material is further carried away by wind or water, we call the resulting pile of useful, heavy rock an effluvial placer deposit.
Still, on this planet at least it’s usually water doing the moving of sediments, and it’s water that’s doing the sorting. Heavy grains fall out of suspension in water more easily. This tends to happen wherever flow is disrupted: at the base of a waterfall, at a river bend, or where a river empties into a lake or the ocean. Any old Klondike or California prospector would know that that’s where you’re going to go panning for gold, but you probably wouldn’t catch a 49er calling it an “alluvial placer deposit”. Panning itself uses the exact same physics– that’s why it, along with the fancy modern sluices people use with powered pumps, is called “placer mining”. Mars’s dry river beds may be replete with alluvial placers; so might the deltas on Titan, though on a world where water is part of the bedrock, the cryo-mineralogy would be very unfamiliar to Earthly geologists.
Back here on Earth, wave action, with its repeated reversal of flow, is great at sorting grains. There aren’t any gold deposits on beaches these days because wherever they’ve been found, they were mined out very quickly. But there are many beaches where black magnetite sand has been concentrated due to its higher density compared to quartz. If your beach does not have magnetite, look at the grain size: even quartz grains can often get sorted by size on wavy beaches. Apparently this idea came after scientists lost their fascination with Latin, as this type of deposit is referred to simply as a “beach placer” rather than a “littoral placer”.
Klondike, eat your heart out: Fifty thousand tonnes of this stuff has come out of the mines of Witwatersrand.
While we in North America might think of the Klondike or California gold rushes– both of which were sparked by placer deposits– the largest gold field in the world was actually in South Africa: the Witwatersrand Basin. Said basin is actually an ancient lake bed, Archean in origin– about three billion years old. For 260 million years or thereabouts, sediments accumulated in this lake, slowly filling it up. Those sediments were being washed out from nearby mountains that housed orogenic gold deposits. The lake bed has served to concentrate that ancient gold even further, and it’s produced a substantial fraction of the gold metal ever extracted– depending on the source, you’ll see numbers from as high as 50% to as low as 22%. Either way, that’s a lot of gold.
Witwatersrand is a bit of an anomaly; most placer deposits are much smaller than that. Indeed, that’s in part why you’ll find placer deposits only mined for truly valuable minerals like gold and gems, particularly diamonds. Sure, the process can concentrate magnetite, but it’s not usually worth the effort of stripping a beach for iron-rich sand.
The most common non-precious exception is uraninite, UO2, a uranium ore found in Archean-age placer deposits. As you might imagine, the high proportion of heavy uranium makes it a dense enough mineral to form placer deposits. I must specify Archean-age, however, because an oxygen atmosphere tends to further oxidize the uraninite into more water-soluble forms, and it gets washed to sea instead of forming deposits. On Earth, it seems there are no uraninite placers dated to after the Great Oxygenation; you wouldn’t have that problem on Mars, and the dry river beds of the red planet may well have pitchblende reserves enough for a Martian rendition of “Uranium Fever”.
If you were the Martian, would you rather find uranium or gold in those river bends?
Image: Nanedi Valles valley system, ESA/DLR/FU Berlin
While uranium is produced at Witwatersrand as a byproduct of the gold mines, uranium ore can be deposited without any gold at all. You can see that with the alluvial deposits in Canada, around Elliot Lake in Ontario, which produced millions of pounds of uranium without a single fleck of gold, thanks to a bend in a three-billion-year-old riverbed. From a dollar-value perspective, a gold mine might be worth more, but the uranium probably did more for civilization.
Lateritization, or Why Martians Can’t Have Pop Cans
Speaking of useful for civilization, there’s another type of process acting on the surface to give us ores of less noble metals than gold. It is not mechanical, but chemical, and given that it requires hot, humid conditions with lots of water, it’s almost certainly restricted to Sol 3. As the subtitle gives it away, this process is called “lateritization” and is responsible for the only economical aluminum deposits out there, along with a significant amount of the world’s nickel reserves.
The process is fairly simple: in the hot tropics, ample rainfall will slowly leach any mobile ions out of clay soils. Ions like sodium and potassium are first to go, followed by calcium and magnesium, but if the material is left on the surface long enough, and the climate stays hot and wet, chemical weathering will eventually strip away even the silica. The resulting “laterite” rock (or clay) is rich in iron, aluminum, and sometimes nickel and/or copper. Nickel laterites are particularly prevalent in New Caledonia, where they form the basis of that island’s mining industry. Aluminum-rich laterites are called bauxite; found worldwide, they are the source of all Earth’s aluminum. More ancient laterites are likely to be found in solid form, compressed over time into sedimentary rock, but recent deposits may still have the consistency of dirt. For obvious reasons, those recent deposits tend to be preferred as cheaper to mine.
That red dirt is actually aluminum ore, from a 1980s-era operation on the island of Jamaica. Image from “Bauxite” by Paul Morris, CC BY-SA 2.0
When we talk about a “warm and wet” period in Martian history, we’re talking about the existence of liquid water on the surface of the planet– we are notably not talking about tropical conditions. Mars was likely never the kind of place you’d see lateritization, so it’s highly unlikely we will ever find bauxite on the surface of Mars. Thus future Martians will have to make do without aluminum pop cans. Of course, iron is available in abundance there and weighs about the same as the equivalent volume of aluminum does here on Earth, so they’ll probably do just fine without it.
Most nickel has historically come from sulfide melt deposits rather than lateritization, even on Earth, so the Martians should be able to make their steel stainless. Given the ambitions some have for a certain stainless-steel rocket, that’s perhaps comforting to hear.
It’s important to emphasize, as this series comes to a close, that I’m only providing a very surface-level understanding of these surface level processes– and, indeed, of all the ore formation processes we’ve discussed in these posts. Entire monographs could be, and indeed have been written about each one. That shouldn’t be surprising, considering the depths of knowledge modern science generates. You could do an entire doctorate studying just one aspect of one of the processes we’ve talked about in this series; people have in the past, and will continue to do so for the foreseeable future. So if you’ve found these articles interesting, and are sad to see the series end– don’t worry! There’s a lot left to learn; you just have to go after it yourself.
Plus, I’m not going anywhere. At some point there are going to be more rock-related words published on this site. If you haven’t seen it before, check out Hackaday’s long-running Mining and Refining series. It’s not focused on the ores– more on what we humans do with them–but if you’ve read this far, it’s likely to appeal to you as well.
About time! Microsoft fixes a Windows vulnerability exploited for 8 years
Microsoft has quietly fixed a long-standing Windows vulnerability that has been exploited in real-world attacks for several years. The update was released in the November Patch Tuesday, even though the company had previously been slow to address the problem. This information was disclosed by 0patch, which indicated that the flaw had been actively exploited by various groups since 2017.
The issue, designated CVE-2025-9491, concerns how Windows handles LNK shortcuts. A user-interface error caused part of the command embedded in the shortcut to remain hidden when its properties were displayed. This allowed malicious code to be executed under the guise of a harmless file. Experts observed that the shortcuts were designed to deceive users, using invisible characters and masquerading as documents.
The first details emerged in spring 2025, when researchers reported that this mechanism was being used by eleven state-sponsored groups from China, Iran and North Korea for espionage, data theft and financially motivated attacks.
Countries of origin of the APT groups that exploited ZDI-CAN-25373 (source: Trend Micro)
At the time, the flaw was also known as ZDI-CAN-25373. Microsoft stated then that the issue did not require immediate attention, citing the blocking of the LNK format in many Office applications and the warnings shown when attempting to open such files.
HarfangLab later reported that the vulnerability had been exploited by the XDSpy group to distribute the XDigo malware in attacks on Eastern European governments. In autumn 2025, Arctic Wolf detected another wave of abuse, this time involving Chinese groups that targeted European diplomatic and government institutions and used the PlugX malware. Microsoft subsequently issued a clarification, reiterating that it did not consider the issue critical because of the need for user interaction and the presence of system warnings.
According to 0patch, the problem went beyond simply hiding the tail of the command. The shortcut format allows strings up to tens of thousands of characters long, but the properties dialog showed only the first 260 characters, silently truncating the rest. This made it possible to hide a significant part of the command being executed. 0patch’s third-party fix addressed the problem differently: it adds a warning when a shortcut with arguments longer than 260 characters is opened.
Microsoft’s update resolved the issue by expanding the Target field so that the entire command is displayed, even if it exceeds the previous length limit.
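The 260-character truncation and the whitespace padding described above are both properties of the shortcut file itself, so a mail gateway or endpoint scanner can check for them before a user ever opens the Properties dialog. The following is an added example, not code from the article, from 0patch or from Microsoft: it parses the StringData section of a Shell Link file according to the public [MS-SHLLINK] layout and reports argument strings the old dialog would have cut off. The `build_lnk` helper, the 260-character threshold (taken from the article) and the sample shortcuts are constructed for the example.

```python
"""Flag .lnk files whose command-line arguments the pre-fix Properties
dialog would not have shown in full.  Added example; the .lnk inputs are
built in memory so it runs offline."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData entries follow the header (and the optional IDList/LinkInfo)
# in this fixed order, each present only when its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

DISPLAYED_ARG_CHARS = 260   # what the dialog showed before the fix (per the article)


def build_lnk(arguments: str, relative_path: str = "") -> bytes:
    """Constructed minimal shortcut: header plus Unicode StringData, with no
    LinkTargetIDList or LinkInfo.  Only used to produce sample input."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_RELATIVE_PATH if relative_path else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for flag, field in STRING_FIELDS:
        if flags & flag:
            text = {"relative_path": relative_path, "arguments": arguments}[field]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields of a .lnk as {field: text}."""
    if (len(data) < HEADER_SIZE or data[4:20] != LINK_CLSID
            or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, field in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[field] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess_arguments(data: bytes) -> list:
    """Findings about the arguments string that the old dialog would hide."""
    args = parse_string_data(data).get("arguments", "")
    findings = []
    if len(args) > DISPLAYED_ARG_CHARS:
        findings.append("arguments_longer_than_dialog_showed")
    visible = args[:DISPLAYED_ARG_CHARS]
    if visible and not visible.strip():
        findings.append("displayed_prefix_is_all_whitespace")
    if any(ch.isspace() and ch != " " for ch in args):
        findings.append("non_space_whitespace_in_arguments")
    return findings


if __name__ == "__main__":
    for label, sample in (("plain", build_lnk("/c echo hello")),
                          ("padded", build_lnk(" " * 300 + "/c echo hello"))):
        print(label, assess_arguments(sample))
```

The parser only walks as far as StringData; the trailing ExtraData blocks are irrelevant to this check, so they are left unread. A real scanner would also record the `relative_path` and `working_dir` fields alongside the findings, since those are what the user sees next to the truncated Target.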
A company representative, when contacted, did not directly confirm the release of the update, but referred to general security recommendations and assured that the company continues to improve the interface and its security mechanisms.
The article "About time! Microsoft fixes a Windows vulnerability exploited for 8 years" originally appeared on Red Hot Cyber.
Shai Hulud 2.0, now with a wiper flavor
In September, a new breed of malware distributed via compromised Node Package Manager (npm) packages made headlines. It was dubbed “Shai-Hulud”, and we published an in-depth analysis of it in another post. Recently, a new version was discovered.
Shai Hulud 2.0 is a type of two-stage worm-like malware that spreads by compromising npm tokens to republish trusted packages with a malicious payload. More than 800 npm packages have been infected by this version of the worm.
According to our telemetry, the victims of this campaign include individuals and organizations worldwide, with most infections observed in Russia, India, Vietnam, Brazil, China, Türkiye, and France.
Technical analysis
When a developer installs an infected npm package, the setup_bun.js script runs during the preinstall stage, as specified in the modified package.json file.
Bootstrap script
The initial-stage script setup_bun.js is left intentionally unobfuscated and well documented to masquerade as a harmless tool for installing the legitimate Bun JavaScript runtime. It checks common installation paths for Bun and, if the runtime is missing, installs it from an official source in a platform-specific manner. This seemingly routine behavior conceals its true purpose: preparing the execution environment for later stages of the malware.
The installed Bun runtime then executes the second-stage payload, bun_environment.js, a 10MB malware script obfuscated with an obfuscate.io-like tool. This script is responsible for the main malicious activity.
Stealing credentials
Shai Hulud 2.0 is built to harvest secrets from various environments. Upon execution, it immediately searches several sources for sensitive data, such as:
- GitHub secrets: the malware searches environment variables and the GitHub CLI configuration for values starting with ghp_ or gho_. It also creates a malicious workflow yml in victim repositories, which is then used to obtain GitHub Actions secrets.
- Cloud credentials: the malware searches for cloud credentials across AWS, Azure, and Google Cloud by querying cloud instance metadata services and using official SDKs to enumerate credentials from environment variables and local configuration files.
- Local files: it downloads and runs the TruffleHog tool to aggressively scan the entire filesystem for credentials.
Then all the exfiltrated data is sent through the established communication channel, which we describe in more detail in the next section.
Data exfiltration through GitHub
To exfiltrate the stolen data, the malware sets up a communication channel via a public GitHub repository. For this purpose, it uses the victim’s GitHub access token if found in environment variables and the GitHub CLI configuration.
After that, the malware creates a repository with a randomly generated 18-character name and a marker in its description. This repository then serves as a data storage to which all stolen credentials and system information are uploaded.
If the token is not found, the script attempts to obtain a previously stolen token from another victim by searching GitHub for repositories whose description contains the text “Sha1-Hulud: The Second Coming.”
Worm spreading across packages
For subsequent self-replication via embedding into npm packages, the script scans .npmrc configuration files in the home directory and the current directory in an attempt to find an npm registry authorization token.
If this is successful, it validates the token by sending a probe request to the npm /-/whoami API endpoint, after which the script retrieves a list of up to 100 packages maintained by the victim.
For each package, it injects the malicious files setup_bun.js and bun_environment.js via bundleAssets and updates the package configuration by setting setup_bun.js as a pre-installation script and incrementing the package version. The modified package is then published to the npm registry.
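The infection footprint described in this section is visible on disk: a `preinstall` hook in package.json that runs `setup_bun.js`, with `bun_environment.js` next to it. The following audit script is an added example, not Kaspersky's tooling or anything shipped by npm; it walks a `node_modules` tree and reports packages that carry either a lifecycle hook naming those files or the files themselves, treating an ordinary install hook (native addons commonly have one) as informational only. The sample tree it builds, including the package names, is constructed for the example.

```python
"""Audit an installed node_modules tree for the install-time footprint
described above.  Added example with a constructed sample tree."""
import json
import tempfile
from pathlib import Path

DROPPED_FILES = {"setup_bun.js", "bun_environment.js"}   # file names from the article
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def audit_package(pkg_dir: Path) -> list:
    """Return (severity, reason) findings for one installed package."""
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if any(name in cmd for name in DROPPED_FILES):
            findings.append(("high", f"{hook} hook runs a known dropper name: {cmd!r}"))
        else:
            # Many legitimate native packages run node-gyp or similar at install
            # time, so a hook on its own is only worth a look, not an alert.
            findings.append(("info", f"{hook} hook present: {cmd!r}"))
    present = sorted(DROPPED_FILES & {p.name for p in pkg_dir.iterdir() if p.is_file()})
    if present:
        findings.append(("high", "dropped files present: " + ", ".join(present)))
    return findings


def audit_node_modules(root: Path) -> dict:
    """Map package path (relative to root, scoped packages included) to its
    findings; packages with nothing to report are omitted."""
    results = {}
    for manifest in sorted(root.rglob("package.json")):
        findings = audit_package(manifest.parent)
        if findings:
            results[manifest.parent.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a clean package, a native package with a benign
    postinstall, and a scoped package carrying the dropper pair."""
    def write_pkg(name, manifest, extra_files=()):
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        for fname in extra_files:
            (pkg_dir / fname).write_text("// placeholder content\n", encoding="utf-8")

    write_pkg("left-pad-ish", {"name": "left-pad-ish", "version": "1.0.0"})
    write_pkg("native-thing", {"name": "native-thing", "version": "2.1.0",
                               "scripts": {"postinstall": "node-gyp rebuild"}})
    write_pkg("@acme/trojaned", {"name": "@acme/trojaned", "version": "3.0.1",
                                 "scripts": {"preinstall": "node setup_bun.js"}},
              extra_files=("setup_bun.js", "bun_environment.js"))


def demo() -> dict:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        build_sample_tree(root)
        return audit_node_modules(root)


if __name__ == "__main__":
    for pkg, findings in demo().items():
        for severity, reason in findings:
            print(f"{severity:5} {pkg}: {reason}")
```

Run it against a real project with `audit_node_modules(Path("node_modules"))`. Because the worm also bumps the version of each republished package, comparing the audited versions against a lockfile from before the incident window is a useful second check that this script does not perform.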
Destructive responses to failure
If the malware fails to obtain a valid npm token and is also unable to get a valid GitHub token, making data exfiltration impossible, it triggers a destructive payload that wipes user files, primarily those in the home directory.
Our solutions detect the family described here as HEUR:Worm.Script.Shulud.gen.
Since September of this year, Kaspersky has blocked over 1700 Shai Hulud 2.0 attacks on user machines. Of these, 18.5% affected users in Russia, 10.7% occurred in India, and 9.7% in Brazil.
TOP 10 countries and territories affected by Shai Hulud 2.0 attacks (download)
We continue tracking this malicious activity and provide up-to-date information to our customers via the Kaspersky Open Source Software Threats Data Feed. The feed includes all packages affected by Shai-Hulud, as well as information on other open-source components that exhibit malicious behaviour, contain backdoors, or include undeclared capabilities.
The complicated world of kids' online safety
WELCOME BACK TO THE MONTHLY FREE EDITION of Digital Politics. I'm Mark Scott, and will be splitting my time next week between Berlin and Brussels. If you're around and want to grab coffee, drop me a line.
— We're about to enter a new paradigm in how children use the internet. The global policy shift is a proxy for a wider battle over platforms' role in society.
— The European Union is shifting its approach to tech regulation. But these changes are not down to political rhetoric coming from the United States.
— How much would you sell your personal data for? France's privacy regulator figured out the sweet spot.
Let's get started:
WE'RE NOT IN KANSAS, ANYMORE
FOR THOSE INTERESTED IN KIDS ONLINE SAFETY, it's been a busy couple of weeks — and it's not slowing down. On Dec 10, Australia enacts its world-first social media ban (editor's note: Canberra calls it a 'postponement') for children under 16 years of age. On Dec 2, the US House of Representatives' subcommittee on commerce, manufacturing and trade debated 19 proposed bills to protect kids online. That includes a revamped Kids Online Safety Act, or KOSA, and the Reducing Exploitative Social Media Exposure for Teens Act, or RESET, that mirrors what Australia is about to enact.
In Europe, EU member countries just agreed to a joint position on how social media giants should handle suspected child online sexual abuse material. The biggest takeaway is officials' decision not to force these firms to automatically detect such illegal content on people's devices after privacy campaigners warned that would be akin to government surveillance. These national officials will now have to haggle a final agreement with both the European Commission and European Parliament before the long-awaited rules come into force.
To cap things off, the European Parliament passed a non-binding resolution to ban under-16s from accessing social media — a policy that everyone from Denmark to Malaysia is forging ahead with. US states from Texas to Missouri also have passed legislation requiring app stores and websites to verify that people are over 18 years old before accessing potentially harmful content/services.
There's a lot of nuance to each of these moves. Much depends on the local context of each jurisdiction.
Globally, short-term attention will now focus on how Australia implements its social media ban (or postponement) on Dec 10. Tech firms say it'll cut children off from their friends online, as well as push them toward less safe areas of the internet that won't fall under the upcoming rules. Child rights advocates say Canberra's push to keep kids off social media until they turn 16 is a basic step after many of these platforms have been alleged to promote commercial interests over children's safety.
Thanks for reading the free monthly version of Digital Politics. Paid subscribers receive at least one newsletter a week. If that sounds like your jam, please sign up here.
Here's what paid subscribers read in November:
— The EU's 'Jekyll and Hyde" tech strategy; The tech industry's impact on climate change has gone from bad to worse; The collective spend of tech lobbying in Brussels. More here.
— Here are the tech policy implications if/when the AI bubble bursts; What you need to know about Europe's rewrite of its digital rules; ChatGPT's relationship with publishers. More here.
— The European Commission's power grab at the heart of the bloc's Digital Omnibus; We should prepare for the end of an American-led internet; What devices do children use, and at what age? More here.
— The US' apathy toward its G20 presidency provides an opportunity for other countries to step up; Washington again wants to stop US states from passing AI rules; Internet freedoms worldwide have declined over the last 15 years. More here.
These policy battles are best framed around the unanswerable question of which fundamental right should take precedence: privacy or safety? As much as I believe some lawmakers' statements about protecting kids online are a cover for other political priorities (more on that below), it now feels inevitable we're heading toward a global digital age of majority in which some online goods/services will remain off-limits to those under a certain age.
For that to work, a lot will depend on how people's ages are checked online — and how such age verification does not lead to individuals' personal data leaking out into the wider world. Yet in the coming years, children will almost certainly live within a more curtailed online environment — though one that will still include significant harms.
But let's get back to those other political priorities.
First things first: everyone can agree that children should be protected, both online and offline. I would argue that all online users should have the same levels of protection now being rolled out for minors. That includes limits on who can interact with people online, bans on the most egregious data collection and usage, and safety-by-design principles baked into platforms currently designed to maximize engagement.
Many of those officials pushing for child-focused online safety rules, worldwide, would agree with that, too. They are just aware that such society-wide efforts to pare back the control, addictiveness and business models of social media giants are a current political dead-end due to the extensive lobbying from these firms to water down any legislative/regulatory efforts around online safety.
This is not just the state of play in the US where many of the world's largest social media platforms have embraced the White House's public aversion to online safety rules. From Canberra to Brasilia to Brussels, companies have successfully argued that such legislation can be an impediment to free speech and an unfair burden on commercial enterprises.
Even in countries that have passed such online safety rules, officials remain extremely cautious about taking too hard a line on companies, often preferring self- or co-regulation as a first step before rolling out aggressive enforcement.
That's why there's been a significant shift to focus on child-specific online safety rules worldwide. Yes, kids should be protected against harms more so than adults. But in framing legislation around the specifics of child rights, lawmakers can often sidestep accusations of censorship and/or overreach that would come if they attempted similar legislation for the whole of society.
I do not want to diminish the real-world harm that social media can pose to children. Nor do I think kids' online safety legislation should be put on the back burner until a consensus can be reached on how to oversee the platforms, more broadly.
But as we head toward the end of 2025, the disconnect between the growing number of online child safety efforts and the diminishing impetus (outside of a few countries) to tackle the society-wide impact of social media is hard to ignore. If lawmakers consider that data profiling, addictive recommender systems and online grooming — fueled by social media — are harmful to children, then why do they believe such practices are OK for adults?
Confronted with the current political reality, however, lawmakers have made the tactical decision to pare back expectations on passing comprehensive online safety rules to focus solely on online child safety. It's deemed as a safer political bet to pass some form of legislation whose protections, in a perfect world, would apply to both minors and adults, alike.
Chart of the week
IT'S BECOME A CLICHE TO SAY that because none of us pay for social media, then we — and our data — are actually the product (served up to advertisers).
To figure out how much people would be willing to sell their personal information for, France's privacy regulator surveyed more than 2,000 locals about their attitudes toward what price they would be willing to accept for such sensitive information.
Roughly one-third of the respondents said they wouldn't sell their data at any price. But among the other two-thirds of individuals, the sweet spot fell somewhere between €10-€30, or $12-$35, a month.
Source: Commission nationale de l'informatique et des libertés
What is really driving the transatlantic digital relationship
TWO SIGNIFICANT EVENTS IN EU-US digital relations have occurred in the last 12 months.
First, the European Commission has embraced a deregulatory agenda spurred on by Mario Draghi's competitiveness report from 2024. This pullback was encapsulated by Brussels' recent so-called Digital Omnibus that proposed significant changes to the bloc's privacy and upcoming artificial intelligence rules. Here's me on why the revamp isn't as bad as many suspect.
Second, Donald Trump became the 47th president of the United States. Among his many White House executive orders, he took aim at global digital regulation from democratic allies, particularly those enacted in Europe, as well as pulling back on all rules (and international efforts) associated with AI governance.
The perceived wisdom is that these two digital geopolitical events are connected. That in its efforts to maintain security and economic ties to the US, the EU has thrown its digital rulebook under the bus to placate increasing criticism from Trump's administration and its allies in Congress.
This theory is wrong.
It's not that US officials aren't vocally lobbying their European counterparts to rethink the likes of the Artificial Intelligence Act, Digital Services Act and Digital Markets Act. They are — including US Commerce Secretary Howard Lutnick's recent comments in Brussels to that effect. (What many misremember is that such criticism, although less public, also came from Joe Biden's administration.)
But to make the binary connection between Washington's talking points and Brussels' digital policymaking rethink is to miss the complexities behind the current transatlantic relationship.
Even before the current European Commission took over in late 2024, there were signs that EU leaders wanted to press the pause button on new digital rules. Brussels passed a litany of new tech regulation in the previous five years. National leaders and executives from European companies increasingly questioned if such oversight was in the Continent's long-term economic interests.
Then came Draghi's competitiveness report, the comprehensive victory of the center-right (and pro-industry) European People's Party in the 2024 European Parliament elections and the return of Ursula von der Leyen as European Commission president, whose own interests in digital policymaking left a lot to be desired.
That tilted the scales significantly in favor of greater deregulation as Europe tried to bolster its sluggish economy, take advantage of AI advances and respond to European industry's claims that EU-wide digital regulation was hampering its ability to compete against US and Chinese rivals.
While that context has become mired in the geopolitics of Washington's seeming reduced support for Ukraine, the main driver for Brussels' about-turn on digital rules is internal, not external, political and economic pressure.
That takes us to Washington's aversion to digital regulation.
To be clear: this did not start with Trump 2.0. Throughout the Biden administration, US officials routinely scolded their European counterparts about hurting the economic interests of US tech companies. That came even as the former White House administration tried, unsuccessfully, to impose greater oversight on Silicon Valley via Congress.
Under the current White House, such criticism — and potential trade consequences — has been turned up to 11. But if you dig into how the Trump administration approaches tech regulation, much of the pushback against Europe is more performative than it may first appear.
On digital competition, it's arguable that the US Department of Justice is going further in its efforts to break up Big Tech than the European Commission and its Digital Markets Act. Yes, recent legal rulings may have hobbled American officials' efforts. But Washington remains a strong advocate for greater online market competition — even as federal officials side with Silicon Valley in their aversion to international ex ante regulation.
On platform governance, it's too easy to suggest US officials are wedded to First Amendment arguments as they criticize the EU's Digital Services Act. It's true that many misunderstand how that legislation actually works — in that it doesn't pass judgement on content, but instead reviews so-called systemic risks associated with how these platforms work.
But if you look at last year's request for information from the US Federal Trade Commission concerning alleged "platform censorship," then many of the points could be taken directly from Europe's online safety rulebook. That includes demands that social media giants explain how they make content moderation decisions, as well as provide greater redress for users who believe they have been hard done by. That's an almost word-for-word copy of what is currently available under the EU's Digital Services Act.
I'm not saying Trump's criticism has not played into the politics of Europe's digital rethink — including when certain enforcement decisions against Big Tech companies have been announced.
But it is just not true that Europe has caved in to American pressure when it comes to its digital policymaking u-turn. Instead, there are sufficient internal pressures — both economic and political — from across the 27-country bloc that are driving the current revamp.
As for Washington, it's less to do with officials' dislike for digital rulemaking, though one exception could be made for the White House's stance on artificial intelligence. For me, it's more to do with oversight of American companies originating from overseas — and not from Capitol Hill.
Within that context, it's best to view the current statements from the Trump administration less as "no regulation, ever," and more as "leave the oversight of US firms to American lawmakers."
What I'm reading
— The University of Amsterdam's DSA Observatory sketches out the current state of play for enforcement under the EU's online safety rules. More here.
— The United Kingdom's Ofcom regulator outlines non-binding rules for how online platforms should handle online harms against women and girls. More here.
— The White House published its so-called "Genesis Mission" to jumpstart the use of federal resources for AI-enabled scientific research. More here.
— The European venture capital firm Atomico published its annual report on the state of the Continent's technology start-up industry. More here.
Exploits and vulnerabilities in Q3 2025
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.
Statistics on registered vulnerabilities
This section contains statistics on registered vulnerabilities. The data is taken from cve.org.
Let us consider the number of registered CVEs by month for the last five years up to and including the third quarter of 2025.
Total published vulnerabilities by month from 2021 through 2025 (download)
As can be seen from the chart, the monthly number of vulnerabilities published in the third quarter of 2025 remains above the figures recorded in previous years. The three-month total saw over 1000 more published vulnerabilities year over year. The end of the quarter sets a rising trend in the number of registered CVEs, and we anticipate this growth to continue into the fourth quarter. Still, the overall number of published vulnerabilities is likely to drop slightly relative to the September figure by year-end.
A look at the monthly distribution of vulnerabilities rated as critical upon registration (CVSS > 8.9) suggests that this metric was marginally lower in the third quarter than the 2024 figure.
Total number of critical vulnerabilities published each month from 2021 to 2025 (download)
Exploitation statistics
This section contains exploitation statistics for Q3 2025. The data draws on open sources and our telemetry.
Windows and Linux vulnerability exploitation
In Q3 2025, as before, the most common exploits targeted vulnerable Microsoft Office products.
Most Windows exploits detected by Kaspersky solutions targeted the following vulnerabilities:
- CVE-2018-0802: a remote code execution vulnerability in the Equation Editor component
- CVE-2017-11882: another remote code execution vulnerability, also affecting Equation Editor
- CVE-2017-0199: a vulnerability in Microsoft Office and WordPad that allows an attacker to assume control of the system
These vulnerabilities historically have been exploited by threat actors more frequently than others, as discussed in previous reports. In the third quarter, we also observed threat actors actively exploiting Directory Traversal vulnerabilities that arise during archive unpacking in WinRAR. While the originally published exploits for these vulnerabilities are not applicable in the wild, attackers have adapted them for their needs.
- CVE-2023-38831: a vulnerability in WinRAR that involves improper handling of objects within archive contents. We discussed this vulnerability in detail in a 2024 report.
- CVE-2025-6218 (ZDI-CAN-27198): a vulnerability that enables an attacker to specify a relative path and extract files into an arbitrary directory. A malicious actor can extract the archive into a system application or startup directory to execute malicious code. For a more detailed analysis of the vulnerability, see our Q2 2025 report.
- CVE-2025-8088: a zero-day vulnerability similar to CVE-2025-6128, discovered during an analysis of APT attacks. The attackers used NTFS Streams to circumvent controls on the directory into which files were unpacked. We will take a closer look at this vulnerability below.
It should be pointed out that vulnerabilities discovered in 2025 are rapidly catching up in popularity to those found in 2023.
All the CVEs mentioned can be exploited to gain initial access to vulnerable systems. We recommend promptly installing updates for the relevant software.
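The two WinRAR issues above share a root cause: an entry name inside the archive is trusted to decide where the bytes land, whether through a relative path that walks out of the extraction directory or through an NTFS alternate-data-stream suffix that redirects the data away from the file the name appears to describe. The following is an added example, not code from Kaspersky or from WinRAR, of the entry-name screening an extractor (or a gateway that pre-inspects attachments) should perform. It uses a ZIP built in memory because the standard library has no RAR reader; the name checks themselves are format-independent. The sample archive and its entry names are constructed for the example.

```python
"""Classify archive entry names before extraction and extract only the safe
ones.  Added example; the ZIP is constructed in memory."""
import io
import os
import re
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def classify_entry(name: str) -> str:
    """Return 'ok', 'absolute', 'traversal' or 'ads' for one entry name."""
    norm = name.replace("\\", "/")          # Windows archivers accept either separator
    if norm.startswith("/") or DRIVE_OR_UNC.match(name):
        return "absolute"
    parts = PurePosixPath(norm).parts
    if ".." in parts:
        return "traversal"
    # A colon inside a component addresses an NTFS alternate data stream on
    # Windows ("readme.txt:payload"), so the content would not go where the
    # visible file name suggests.
    if any(":" in part for part in parts):
        return "ads"
    return "ok"


def safe_extract(zf: zipfile.ZipFile, dest: Path) -> dict:
    """Extract only 'ok' entries, re-checking that the resolved target path is
    still inside dest.  Returns {entry_name: verdict}."""
    dest = dest.resolve()
    verdicts = {}
    for info in zf.infolist():
        verdict = classify_entry(info.filename)
        if verdict == "ok":
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if os.path.commonpath([dest, target]) != str(dest):
                verdict = "traversal"       # belt and braces: resolved path escaped
        verdicts[info.filename] = verdict
        if verdict != "ok":
            continue
        if info.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(zf.read(info))
    return verdicts


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry plus the three bad name patterns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        zf.writestr("../../escaped.txt", "outside the destination\n")
        zf.writestr("/tmp/absolute.txt", "absolute path\n")
        zf.writestr("docs/readme.txt:hidden", "alternate stream\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample into a temp dir; report verdicts and what landed on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(io.BytesIO(build_sample_zip())) as zf:
            verdicts = safe_extract(zf, Path(tmp))
        extracted = sorted(p.relative_to(tmp).as_posix()
                           for p in Path(tmp).rglob("*") if p.is_file())
    return {"verdicts": verdicts, "extracted": extracted}


if __name__ == "__main__":
    result = demo()
    for name, verdict in result["verdicts"].items():
        print(f"{verdict:9} {name}")
    print("extracted:", result["extracted"])
```

The resolved-path check in `safe_extract` is deliberately redundant with `classify_entry`: the name screen gives a readable verdict for logging, while the `commonpath` test catches anything the screen missed, such as a symlinked directory already present under the destination.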
Dynamics of the number of Windows users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)
According to our telemetry, the number of Windows users who encountered exploits increased in the third quarter compared to the previous reporting period. However, this figure is lower than that of Q3 2024.
For Linux devices, exploits for the following OS kernel vulnerabilities were detected most frequently:
- CVE-2022-0847, also known as Dirty Pipe: a vulnerability that allows privilege escalation and enables attackers to take control of running applications
- CVE-2019-13272: a vulnerability caused by improper handling of privilege inheritance, which can be exploited to achieve privilege escalation
- CVE-2021-22555: a heap overflow vulnerability in the Netfilter kernel subsystem. The widespread exploitation of this vulnerability is due to its use of popular memory modification techniques: manipulating “msg_msg” primitives, which leads to a Use-After-Free security flaw.
Dynamics of the number of Linux users encountering exploits, Q1 2023 — Q3 2025. The number of users who encountered exploits in Q1 2023 is taken as 100% (download)
A look at the number of users who encountered exploits suggests that it continues to grow, and in Q3 2025, it already exceeds the Q1 2023 figure by more than six times.
It is critically important to install security patches for the Linux operating system, as it is attracting more and more attention from threat actors each year – primarily due to the growing number of user devices running Linux.
Most common published exploits
In Q3 2025, exploits targeting operating system vulnerabilities continue to predominate over those targeting other software types that we track as part of our monitoring of public research, news, and PoCs. That said, the share of browser exploits significantly increased in the third quarter, matching the share of exploits in other software not part of the operating system.
Distribution of published exploits by platform, Q1 2025
Distribution of published exploits by platform, Q2 2025
Distribution of published exploits by platform, Q3 2025
It is noteworthy that no new public exploits for Microsoft Office products appeared in Q3 2025, just as none did in Q2. However, PoCs for vulnerabilities in Microsoft SharePoint were disclosed. Since these same vulnerabilities also affect OS components, we categorized them under operating system vulnerabilities.
Vulnerability exploitation in APT attacks
We analyzed data on vulnerabilities that were exploited in APT attacks during Q3 2025. The following rankings draw on our telemetry, research, and open-source data.
TOP 10 vulnerabilities exploited in APT attacks, Q3 2025
APT attacks in Q3 2025 were dominated by zero-day vulnerabilities, which were uncovered during investigations of isolated incidents. A large wave of exploitation followed their public disclosure. Judging by the list of software containing these vulnerabilities, we are witnessing the emergence of a new go-to toolkit for gaining initial access into infrastructure and executing code both on edge devices and within operating systems. It bears mentioning that long-standing vulnerabilities, such as CVE-2017-11882, allow for the use of various data formats and exploit obfuscation to bypass detection. By contrast, most new vulnerabilities require a specific input data format, which facilitates exploit detection and enables more precise tracking of their use in protected infrastructures. Nevertheless, the risk of exploitation remains quite high, so we strongly recommend applying updates already released by vendors.
C2 frameworks
In this section, we will look at the most popular C2 frameworks used by threat actors and analyze the vulnerabilities whose exploits interacted with C2 agents in APT attacks.
The chart below shows the frequency of known C2 framework usage in attacks on users during the third quarter of 2025, according to open sources.
Top 10 C2 frameworks used by APT groups to compromise user systems in Q3 2025
Metasploit, whose share increased compared to Q2, tops the list of the most prevalent C2 frameworks from the past quarter. It is followed by Sliver and Mythic. The Empire framework also reappeared on the list after being inactive in the previous reporting period. What stands out is that Adaptix C2, although fairly new, was almost immediately embraced by attackers in real-world scenarios. Analyzed sources and samples of malicious C2 agents revealed that the following vulnerabilities were used to launch them and subsequently move within the victim’s network:
- CVE-2020-1472, also known as ZeroLogon, allows for compromising a vulnerable operating system and executing commands as a privileged user.
- CVE-2021-34527, also known as PrintNightmare, exploits flaws in the Windows print spooler subsystem, also enabling remote access to a vulnerable OS and high-privilege command execution.
- CVE-2025-6218 and CVE-2025-8088 are similar Directory Traversal vulnerabilities that allow extracting files from an archive to a predefined path without the archiving utility notifying the user. The first was discovered by researchers but subsequently weaponized by attackers. The second is a zero-day vulnerability.
Interesting vulnerabilities
This section highlights the most noteworthy vulnerabilities that were publicly disclosed in Q3 2025 and have a publicly available description.
ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass
ToolShell refers to a set of vulnerabilities in Microsoft SharePoint that allow attackers to bypass authentication and gain full control over the server.
- CVE-2025-49704 involves insecure deserialization of untrusted data, enabling attackers to execute malicious code on a vulnerable server.
- CVE-2025-49706 allows access to the server by bypassing authentication.
- CVE-2025-53770 is a patch bypass for CVE-2025-49704.
- CVE-2025-53771 is a patch bypass for CVE-2025-49706.
These vulnerabilities form one of threat actors’ combinations of choice, as they allow for compromising accessible SharePoint servers with just a few requests. Importantly, they were all patched back in July, which further underscores the importance of promptly installing critical patches. A detailed description of the ToolShell vulnerabilities can be found in our blog.
CVE-2025-8088: a directory traversal vulnerability in WinRAR
CVE-2025-8088 is very similar to CVE-2025-6218, which we discussed in our previous report. In both cases, attackers use relative paths to trick WinRAR into extracting archive contents into system directories. This version of the vulnerability differs only in that the attacker exploits Alternate Data Streams (ADS) and can use environment variables in the extraction path.
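As an added illustration (not code from the report or from WinRAR), the following Python check flags archive entry names that show the patterns both WinRAR vulnerabilities rely on: parent-directory traversal, absolute paths, Alternate Data Stream markers and environment-variable references, and it verifies that each name still resolves inside the intended extraction directory. The entry names are constructed samples and `C:\out` is an assumed destination.

```python
import ntpath
import re

# Constructed sample entry names modelled on the patterns the report describes
# (traversal, ADS, environment variables); they are not taken from a real archive.
SAMPLE_ENTRIES = [
    "docs\\readme.txt",
    "docs\\..\\readme.txt",
    "..\\..\\..\\Windows\\Temp\\dropped.txt",
    "%APPDATA%\\notes.txt",
    "report.pdf:hidden.exe",
    "C:\\Users\\Public\\x.txt",
]

ENV_VAR_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*%")   # %VAR% style references
DRIVE_RE = re.compile(r"^[A-Za-z]:$")                     # bare drive component


def entry_warnings(name: str) -> list[str]:
    """Return the reasons an archive entry name looks unsafe to extract as-is."""
    norm = name.replace("/", "\\")
    parts = norm.split("\\")
    reasons = []
    if norm.startswith("\\") or DRIVE_RE.match(parts[0]):
        reasons.append("absolute path")
    if ".." in parts:
        reasons.append("parent-directory traversal")
    if ENV_VAR_RE.search(norm):
        # A tool that expands variables at extraction time would let this escape.
        reasons.append("environment variable reference")
    for i, part in enumerate(parts):
        # A colon inside any component other than a leading drive letter is an ADS.
        if ":" in part and not (i == 0 and DRIVE_RE.match(part)):
            reasons.append("alternate data stream")
            break
    return reasons


def resolves_inside(dest_root: str, name: str) -> bool:
    """True if the entry, joined to dest_root and normalised, stays under dest_root.

    ntpath is used so the check applies Windows path rules on any host.
    """
    root = ntpath.normpath(dest_root).rstrip("\\") + "\\"
    target = ntpath.normpath(ntpath.join(root, name.replace("/", "\\")))
    return target.lower().startswith(root.lower())


def audit_entries(dest_root: str, entries: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry to its list of reasons; clean entries are omitted."""
    flagged = {}
    for name in entries:
        reasons = entry_warnings(name)
        if not resolves_inside(dest_root, name):
            reasons.append("resolves outside destination")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in audit_entries("C:\\out", SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```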
CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools
Details about this vulnerability were presented by researchers who claim it was used in real-world attacks in 2024.
At the core of the vulnerability lies the fact that an attacker can substitute the command used to launch the Service Discovery component of the VMware Aria tooling or the VMware Tools utility suite. This leads to the unprivileged attacker gaining unlimited privileges on the virtual machine. The vulnerability stems from an incorrect regular expression within the get-versions.sh script in the Service Discovery component, which is responsible for identifying the service version and runs every time a new command is passed.
Conclusion and advice
The number of recorded vulnerabilities continued to rise in Q3 2025, with some being almost immediately weaponized by attackers. The trend is likely to continue in the future.
The most common exploits for Windows are primarily used for initial system access. Furthermore, it is at this stage that APT groups are actively exploiting new vulnerabilities. To hinder attackers’ access to infrastructure, organizations should regularly audit systems for vulnerabilities and apply patches in a timely manner. These measures can be simplified and automated with Kaspersky Systems Management. Kaspersky Symphony can provide comprehensive and flexible protection against cyberattacks of any complexity.
Wago’s Online Community Is Full Of Neat Wago Tools
Wago connectors are somewhat controversial in the electrical world—beloved by some, decried by others. The company knows it has a dedicated user base, though, and has established the Wago Creators site for that very community.
The idea behind the site is simple—it’s a place to discover and share unique little tools and accessories for use with Wago’s line of electrical connectors. Most are 3D printed accessories that make working with Wago connectors easier. There are some fun and innovative ideas up there, like an ESP8266 development kit that has a Wago connector for all the important pins, as well as a tool for easily opening the lever locks. Perhaps most amusing, though, is the project entitled “Hide Your Wago From Americans”—which consists of a 3D-printed wire nut lookalike designed to slide over the connectors to keep them out of view. There’s also a cheerful attempt at Wago art, that doesn’t really look like anything recognizable at all. Oh well, they can’t all be winners.
It’s great to see Wago so openly encouraging creativity among those that use its products. The sharing of ideas has been a big part of the 3D printing movement, and Wago isn’t the first company to jump on the bandwagon in this regard. If you’ve got some neat Wago hacks of your own, you can always let us know on the tipsline!
[Thanks to Niklas for the tip!]
Retro Style VFO Has Single-Digit Parts Count
Not every project has to be complicated– reinventing the wheel has its place, but sometimes you find a module or two that does exactly what you want, and the project is more than halfway done. That’s the kind of project [mircemk]’s Simple Retro Style VFO is — it’s a variable frequency oscillator for HAM and other use, built with just a couple of modules.
Strictly speaking, this is all you need for the project.
The modules in question are the SI5351 Clock Generator module, which is a handy bit of kit with its own crystal reference and PLL to generate frequencies up to 150 MHz, and the Elecrow CrowPanel 1.28inch-HMI ESP32 Rotary Display. The ESP32 in the CrowPanel controls the SI5351 module via I2C; control is via the rest of the CrowPanel module. This Rotary Display is a circular touchscreen surrounded by a rotary display, so [mircmk] has all the inputs he needs to control the VFO.
To round out the parts count, he adds an appropriate connector, plus a power switch, red LED and a lithium battery. One could include a battery charger module as well, but [mircmk] didn’t have one on hand. Even if he had, that still keeps the parts count well inside the single digits. If you like video, we’ve embedded his video about the project below; if not, the write-up on Hackaday.io is up to [mircmk]’s typical standard.
People have been using the SI5351 to make VFOs for years now, but the addition of the round display makes for a delightfully retro presentation.
Thanks to [mircmk] for the tip.
LoRa Repeater Lasts 5 Years on PVC Pipe and D Cells
Sometimes it makes sense to go with plain old batteries and off-the-shelf PVC pipe. That’s the thinking behind [Bertrand Selva]’s clever LoRaTube project.
PVC pipe houses a self-contained LoRa repeater, complete with a big stack of D-size alkaline cells.
LoRa is a fantastic solution for long-range and low-power wireless communication (and popular, judging by the number of projects built around it) and LoRaTube provides an autonomous repeater, contained entirely in a length of PVC pipe. Out the top comes the antenna and inside is all the necessary hardware, along with a stack of good old D-sized alkaline cells feeding a supercap-buffered power supply of his own design. It’s weatherproof, inexpensive, self-contained, and thanks to extremely low standby current should last a good five years by [Bertrand]’s reckoning.
One can make a quick LoRa repeater in about an hour, but while the core hardware can be inexpensive, supporting electronics and components (not to mention an enclosure) for off-grid deployment can quickly add significant cost. Solar panels, charge controllers, and a rechargeable power supply also add potential points of failure. Sometimes it makes more sense to go cheap, simple, and rugged. Eighteen D-sized alkaline cells stacked in a PVC tube is as rugged as it is affordable, especially if one gets several years’ worth of operation out of it.
You can watch [Bertrand] raise a LoRaTube repeater and do a range test in the video (French), embedded below. Source code and CAD files are on the project page. Black outdoor helper cat not included.
Most Teenagers Abandon Digital Crime by Age 20
Dutch authorities have published data showing that teenagers’ involvement in digital crime is usually temporary. An analysis prepared by the House of Representatives indicates that an early interest in hacking often fades by the age of 20, and only a few retain a lasting interest.
The report stresses that teenagers begin committing various types of offences at roughly the same age. Cybercrimes are no more common than weapons or drug offences, and significantly less common than property crimes. Moreover, the path to the first attempts typically runs through game simulations that allow them to develop technical skills.
According to data collected over the years, the peak of criminal activity among young offenders occurred between the ages of seventeen and twenty. This trend is consistent with other types of crime. In a 2013 study of a sample of several hundred young offenders, most participants ceased such activity shortly after reaching the peak.
Researchers estimate that the share of those who continue committing digital crimes after the age of twenty is around four percent. Researcher Alice Hutchings noted as early as 2016 that long-term involvement stems from a constant interest in technology and the desire to develop skills, rather than from external incentives.
The authors of the government analysis point out that most studies are becoming outdated because of rapid changes in the digital environment. For comparison, they cite data on the total social costs of juvenile crime, around 10.3 billion euros per year. Most of the burden falls on the victims, while the remainder falls on public services, including the police and the justice system.
The precise annual costs of digital crime are hard to estimate because of the lack of long-term data. However, indirect data allow the scale of the problem to be estimated. For example, a study commissioned by the UK government found that the annual damage caused by three attacks on a major hospital could exceed 11 million pounds. These amounts are comparable to or higher than the costs of many categories of crime in the Netherlands.
Previously, the country’s government agencies have repeatedly stressed the difficulty of quantifying the impact of digital attacks. For example, a report prepared by Deloitte for the Dutch government in 2016 estimated annual losses to organisations from cyber incidents at around 10 billion euros, a figure comparable to the total cost of juvenile delinquency.
The article “Most Teenagers Abandon Digital Crime by Age 20” originally appeared on Red Hot Cyber.
Retrotechtacular: Learning the Slide Rule the New Old Fashioned Way
Learning something on YouTube seems kind of modern. But if you are watching a 1957 instructional film about slide rules, it also seems old-fashioned. Encyclopædia Britannica has a complete 30-minute training film which makes up in mathematical rigor for what it lacks in glitz.
We appreciated that it started out talking about numbers and significant figures instead of jumping right into the slide rule. One thing about the slide rule is that you have to sort of understand roughly what the answer is. So, on a rule, 2×3, 20×30, 20×3, and 0.2×300 are all the same operation.
You don’t actually get to the slide rule part for about seven minutes, but it is a good idea to watch the introductory part. The lecturer, [Dr. Havery E. White] shows a fifty-cent plastic rule and some larger ones, including a classroom demonstration model. We were a bit surprised that the prestigious Britannica wouldn’t have a bit better production values, but it is clear. Perhaps we are just spoiled by modern productions.
We love our slide rules. Maybe we are ready for the collapse of civilization and the need for advanced math with no computers. If you prefer reading something more modern, try this post. Our favorites, though, are the cylindrical ones that work the same, but have more digits.
How Cross-Channel Plumbing Fuelled The Allied March On Berlin
During World War II, as the Allies planned the invasion of Normandy, there was one major hurdle to overcome—logistics. In particular, planners needed to guarantee a solid supply of fuel to keep the mechanized army functional. Tanks, trucks, jeeps, and aircraft all drink petroleum at a prodigious rate. The challenge, then, was to figure out how to get fuel over to France in as great a quantity as possible.
War planners took a diverse approach. A bulk supply of fuel in jerry cans was produced to supply the initial invasion effort, while plans were made to capture port facilities that could handle deliveries from ocean-going tankers. Both had their limitations, so a third method was sought to back them up. Thus was born Operation Pluto—an innovative plan to simply lay fuel pipelines right across the English channel.
Precious Juice
War is thirsty work, and for the soldiers too. Crown copyright, Imperial War Museums
Back in the 1940s, undersea pipelines were rather underexplored technology. However, they promised certain benefits over other methods of shipping fuel to the continent. They would be far more difficult to destroy by aerial attack compared to surface ships or floating pipelines. An undersea pipeline would also be less likely to be damaged by rough sea conditions that were typical in the English Channel.
The idea was granted the codename PLUTO—for Pipe-Line Under The Ocean. Development began as soon as 1942, and the engineering challenges ahead were formidable. The Channel stood a good twenty miles wide at its narrowest point, with strong currents, variable depths, and the ever-present threat of German interference. Any pipeline would need to withstand high pressure from the fuel flowing inside, resist corrosion in seawater, and be flexible enough to handle the uneven seabed. It also needed to be laid quickly and surreptitiously, to ensure that German forces weren’t able to identify and strike the pipelines supplying Allied forces.
A sectioned piece of HAIS pipeline. Note the similarities to then-contemporary undersea cable construction. Credit: Geni, CC BY-SA 3.0
The first pipe developed as part of the scheme was HAIS. It was developed by Siemens Brothers and was in part the brainchild of Clifford Hartley, then Chief Engineer of Anglo-Iranian Oil and an experienced hand at delivering fuel pipelines in tough conditions. Thus the name—which stood for Hartley-Anglo-Iranian-Siemens. It used a 2-inch diameter extruded pipe to carry the fuel, surrounded by asphalt and paper doused in a vinyl-based resin. It was then wound with a layer of steel tape for strength, and then further layered with jute fiber and more asphalt and paper. The final layers were an armored sheath of galvanized steel wires and a canvas outer cover. The techniques used were inspired by those that had proved successful in the construction of undersea telegraph cables. As designed, the two-inch diameter pipe was intended to flow up to 3,500 imperial gallons of fuel a day when running at 500 psi.
HAIS pipe was produced across several firms in the UK and the US. Initial testing took place with pipe laid across the River Medway. Early efforts proved unsuccessful, with leaks caused by lead from the central core pushing out through the steel tape layer. The steel tape wraps were increased, however, and subsequent testing over the Firth of Clyde was more successful. Trials pushed the pipe up to 1,500 psi, showing that up to 250,000 liters of fuel could be delivered per day. The pipeline also proved robust, surviving a chance attack by a German bomb landing nearby. The positive results from testing led to the development of a larger 3-inch version of the HAIS pipe to support even greater flow.
HAMEL pipe in long lengths prior to loading on a Conundrum. Crown copyright, Imperial War Museums
By this point in the war, however, supplies were becoming constrained on all sides. In particular, lead was becoming scarce, which spurred a desire for a cheaper pipe design to support Operation PLUTO. Thus was born HAMEL, named after engineers Bernard J. Ellis and H.A. Hammick, who worked on the project.
HAMEL pipe loaded on a Conundrum, ready to be laid on the seafloor. Crown copyright, Imperial War Museums
The HAMEL design concerned a flexible pipe constructed out of mild steel, at 3-½ inches in diameter. Lengths of the pipe were produced in 40-foot segments which would then be resistance welded together to create a longer flexible pipeline that could be laid on the seafloor. The steel-based pipe was stiffer than the cable-like HAIS, which caused an issue—it couldn’t readily be coiled up in a ship’s hold. Instead, giant floating drums were constructed at some 40 feet in diameter, nicknamed “Conundrums.” These were to be towed by tugs or hauled by barges to lay the pipeline across the Channel. Testing took place by laying pipelines to the Isle of Wight, which proved the concept was viable for deployment.
Beyond the two types of pipeline, a great deal of work went into the supporting infrastructure for the project. War planners had to build pumping stations to feed the pipelines, as well as ensure that they could in turn be fed fresh fuel from the UK’s network of fuel storage facilities and refineries. All this had to be done with a certain level of camouflage, lest German aircraft destroy the coastal pumping stations prior to the British invasion of the continent. Two main stations at Sandown and Dungeness were selected, and were intended to be connected via undersea pipe to the French ports of Cherbourg and Ambleteuse, respectively. The Sandown-Cherbourg link was to be named Bambi, while the Dungeness-Ambleteuse link would be named Dumbo, referencing further Disney properties since the overall project was called Pluto.
The Big Dance
On D-Day, the initial landings and immediate securing of the beachhead would run on pre-packaged fuel supplies in jerry cans and drums. The pipelines were intended to come later, ensuring that the Allied forces had the fuel supplies to push deep into Europe as they forced back the German lines. It would take some time to lay the pipelines, and the work could only realistically begin once the initial ports were secure.
A map indicating the Bambi and Dumbo pipelines between England and France. Notably, the Dumbo pipelines were run to Boulogne instead of the original plan of Ambleteuse. Credit: public domain
Bambi was intended to go into operation just 75 days after D-Day, assuming that Allied forces had managed to capture the port of Cherbourg within eight days of the landings. This process instead took 21 days due to the vagaries of war. Efforts to lay a HAIS pipeline began as soon as 12 August 1944, just 67 days after D-Day, only to fail due to an anchor strike by an escort destroyer. The second effort days later was scuppered when the piping was wound up in the propeller of a supporting craft. A HAMEL pipelaying effort on 27 August would also fail thanks to barnacles jamming the massive Conundrum from rotating, and while cleaning efforts freed it up, the pipeline eventually broke after just 29 nautical miles of the 65 nautical mile journey.
It wasn’t until 22 September that a HAIS cable was successfully installed across the Channel, and began delivering 56,000 imperial gallons a day. A HAMEL pipe was then completed on the 29 September. However, both pipes would fail just days later on October 3 as pressure was increased to up the rate of fuel delivery, and the Bambi effort was cancelled. Despite the great efforts of all involved, the pipelines had delivered just 935,000 imperial gallons, or 3,300 long tons of fuel—a drop in the ocean relative to what the war effort required.
A Conundrum pictured as it was towed to Cherbourg to lay a HAMEL pipeline as part of Operation Bambi. Credit: public domain
Dumbo would prove more successful, perhaps unsurprisingly, since the distances involved were shorter. The first HAIS pipeline was completed and operational by 26 October. The pipeline was redirected from Dungeness to Boulogne instead of the original plan to go to Ambleteuse thanks to heavy mining by the Germans, and covered a distance of 23 nautical miles. More HAIS and HAMEL pipelines followed, and the pipeline would later be extended to Calais to use its rail links for delivery further inland.
A total of 17 pipelines were eventually laid between the two coasts by the end of 1944. They could deliver up to 1,300 long tons of fuel per day—soon eclipsing the Bambi efforts many times over. The HAMEL pipelines proved somewhat unreliable, but the HAIS cable-like pipes held up well and none broke during their use until the end of the war in Europe. The pipelines stuck to supplying petrol, while initial plans to deliver other fuels such as high-octane aviation spirit were discarded.
Once a key piece of war infrastructure, now a small part of a thrilling minigolf course. Credit: Paul Coueslant, CC BY-SA 2.0
Overall, Operation Pluto would deliver 370,000 long tons of fuel to support Allied forces, or about 8 percent of the total. The rest was largely delivered by oceangoing tankers, with some additional highly-expensive aerial delivery operations used when logistical lines were stretched to their very limits. Bulk fuel delivery by undersea pipeline had been proven possible, but perhaps not decisively important when it came to wartime logistics.
A small section of pipeline left over from Operation Pluto at Shanklin Chine on the Isle of Wight. Credit: Crookesmoor, CC BY SA 3.0
Arguments as to the value of the project abound in war history circles. On the one hand, Operation Pluto was yet another impressive engineering feat achieved in the effort to bring the war to an end. On the other hand, it was a great deal of fuss and ultimately only delivered a moderate portion of the fuel needed to support forces in theatre. In any case, there are still lingering reminders of Operation Pluto today—like a former pumping station that has been converted into a minigolf course, or remnants of the pipelines on the Isle of Wight.
Since World War II, we’ve seen precious few conflicts where infrastructure plays such a grand role in the results of combat. Nevertheless, the old saying always rings true—when it comes to war, amateurs discuss tactics, while professionals study logistics.
A Stylish Moon And Tide Clock For The Mantlepiece
Assuming you’re not stuck in a prison cell without windows, you could feasibly keep track of the moon and tides by walking outside and jotting things down in your notebook. Alternatively, you could save a lot of hassle by just building this moon and tide clock from [pjdines1994] instead.
The build is based on a Raspberry Pi Pico W, which is hooked up to a real-time clock module and a Waveshare 3.7-inch e-paper display. Upon this display, the clock draws an image relevant to the current phase of the moon. As the write-up notes, it was a tad fussy to store 24 images for all the different lunar phases within the Pi Pico, but it was achieved nonetheless with a touch of compression. As for tides, it covers those too by pulling in tide information from an online resource.
It’s specifically set up to report the local tides for [pjdines1994], reporting the high tide and low tide times for Whitstable in the United Kingdom. If you’re not in Whitstable, you’d probably want to reconfigure the clock before using it yourself. Unless you really want to know what’s up in Whitstable, of course. If you so wish, you can set the clock up to make its own tide predictions by running local calculations, but [pjdines1994] notes that this is rather more complicated to do. The finished result looks quite good, because [pjdines1994] decided to build it inside an old carriage clock that only reveals the parts of the display showing the moon and the relevant tide numbers.
We’ve featured some other great tide clocks before, like this grand 3D printed design. If you’ve built your own arcane machine to plot the dances of celestial objects, do be sure to let us know on the tipsline!
Give Us One Manual For Normies, Another For Hackers
We’ve all been there. You’ve found a beautiful piece of older hardware at the thrift store, and bought it for a song. You rush it home, eager to tinker, but you soon find it’s just not working. You open it up to attempt a repair, but you could really use some information on what you’re looking at and how to enter service mode. Only… a Google search turns up nothing but dodgy websites offering blurry PDFs for entirely the wrong model, and you’re out of luck.
These days, when you buy an appliance, the best documentation you can expect is a Quick Start guide and a warranty card you’ll never use. Manufacturers simply don’t want to give you real information, because they think the average consumer will get scared and confused. I think they can do better. I’m demanding a new two-tier documentation system—the basics for the normies, and real manuals for the tech heads out there.
Give Us The Goods
Once upon a time, appliances came with real manuals and real documentation. You could buy a radio that came with a full list of valves that were used inside, while telephones used to come with printed circuit diagrams right inside the case. But then the world changed, and a new phrase became a common sight on consumer goods—”NO USER SERVICEABLE PARTS INSIDE.” No more was the end user considered qualified or able to peek within the case of the hardware they’d bought. They were fools who could barely be trusted to turn the thing on and work it properly, let alone intervene in the event something needed attention.
This attitude has only grown over the years. As our devices have become ever more complex, the documentation delivered with them has shrunk to almost non-existent proportions. Where a Sony television manual from the 1980s contained a complete schematic of the whole set, a modern smartphone might only include a QR code linking to basic setup instructions on a website online. It’s all part of an effort by companies to protect the consumer from themselves, because they surely can’t be trusted with the arcane knowledge of what goes on inside a modern device.
This Sony TV manual from 1985 contained the complete electrical schematics for the set. (Reddit post by u/a_seventh_knot in r/mildlyinteresting)
This sort of intensely technical documentation was the norm just a few decades ago.
Some vintage appliances used to actually have the schematic printed inside the case for easy servicing. Credit: British Post Office
It’s understandable, to a degree. When a non-technical person buys a television, they really just need to know how to plug it in and hook it up to an aerial. With the ongoing decline in literacy rates, it’s perhaps a smart move by companies to not include any further information than that. Long words and technical information would just make it harder for these customers to figure out how to use the TV in the first place, and they might instead choose a brand that offers simpler documentation.
This doesn’t feel fair for the power user set. There are many of us who want to know how to change our television’s color mode, how to tinker with the motion smoothing settings, and how to enter deeper service modes when something seems awry. And yet, that information is kept from us quite intentionally. Often, it’s only accessible in service manuals that are only made available through obscure channels to selected people authorised by OEMs.
Two Tiers, Please
Finding old service manuals can be a crapshoot, but sometimes you get lucky with popular models. Credit: Google via screenshot
I don’t think it has to be this way. I think it’s perfectly fine for manufacturers to include simple, easy-to-follow instructions with consumer goods. However, I don’t think that should preclude them from also offering detailed technical manuals for those users that want and need them. I think, in fact, that these should be readily available as a matter of course.
Call it a “superuser manual,” and have it only available via a QR code in the back of the basic, regular documentation. Call it an “Advanced Technical Supplement” or a “Calibration And Maintenance Appendix.” Whatever jargon scares off the normies so they don’t accidentally come across it and then complain to tech support that they don’t know why their user interface is now only displaying garbled arcane runes. It can be a little hard to find, but at the end of the day, it should be a simple PDF that can be downloaded without a lot of hurdles or paywalls.
I’m not expecting manufacturers to go back to giving us full schematics for everything. It would be nice, but realistically it’s probably overkill. You can just imagine what that would look like for a modern smartphone or even just a garden variety automobile in 2025. However, I think it’s pretty reasonable to expect something better than the bare basics of how to interact with the software and such. The techier manuals should, at a minimum, indicate how to do things like execute a full reset, enter any service modes, and indicate how the device is to be safely assembled and disassembled should one wish to execute repairs.
Of course, this won’t help those of us repairing older gear from the 90s and beyond. If you want to fix that old S-VHS camcorder from 1995, you’re still going to have to go to some weird website and risk your credit card details over a $30 charge for a service manual that might cover your problem. But it would be a great help for any new gear moving forward. Forums died years ago, so we can no longer Google for a post from some old retired tech who remembers the secret key combination to enter the service menu. We need that stuff hosted on manufacturer websites so we can get it in five minutes instead of five hours of strenuous research.
Will any manufacturers actually listen to this demand? Probably not. This sort of change needs to happen at a higher level. Perhaps the right to repair movement and some boisterous EU legislation could make it happen. After all, there is an increasing clamour for users to have more rights over the hardware and appliances they pay for. If and when it happens, I will be cheering when the first manuals for techies become available. Heaven knows we deserve them!
Porsches in Russia no longer start! An alleged bug stops the engine from starting
Porsche owners in Russia are increasingly running into problems with the factory alarm systems, making it impossible to use their cars. Their cars will not start, stall right after starting, or display engine-related errors. Managers at the Rolf dealership told RBC that they have noticed an increase in service calls since 28 November due to satellite alarm lockouts.
According to the company’s head of customer service, Yulia Trushkova, there is currently no correlation between models and engine types, and in theory any vehicle can be immobilized.
At present, the immobilization can be bypassed by resetting the factory alarm unit and removing it. The cause of the malfunction has not yet been determined, but the company notes that it may have been done intentionally. Similar situations, according to Rolf, have also occurred among Mercedes-Benz owners, but such incidents are far rarer.
Earlier, the Telegram channel SHOT had reported that hundreds of Porsches across Russia had been declared “illegal” due to a malfunction of the factory alarm system, attributed to communication problems. Drivers in Moscow, Krasnodar and other cities reported problems. Some owners said they had temporarily bypassed the system by disconnecting the battery for about ten hours to let the alarm system discharge and restart.
According to the magazine Avto.ru, owners of Cayenne, Macan and Panamera models have mostly turned to service centers with similar complaints. Complaints about engines shutting off and engine lockouts have been occurring for years, but became widespread this autumn. According to preliminary data, the problem is prevalent in vehicles produced before 2020 and equipped with the old GSM/GPS VTS (Vehicle Tracking System). The Telegram channel “Porsche Club Russia” cites a malfunction of the satellite module, with communication restrictions and blocks, as the main cause. Drivers point out that disconnecting the battery is seen as a temporary fix that allows them to reach a service center.
The satellite alarms in these vehicles rely on navigation systems and are designed to improve security and monitor the vehicle’s condition, including in the event of theft attempts or external factors. If the vehicle is locked, the anti-theft system can prevent the engine, starter motor or ignition from starting, as well as cut off the fuel supply and activate the vehicle’s warning lights in an abnormal mode.
The German automaker Porsche AG ceased official car deliveries to Russia in 2022, citing “the great uncertainty and current upheavals”. However, the company still operates three Russian subsidiaries: Porsche Russia, Porsche Center Moscow and PFS Russia.
Attempts to sell these businesses have so far proved unsuccessful. Autonews had previously reported, citing the company’s headquarters, that the Volkswagen Group, which includes Porsche, has cancelled its obligations to provide after-sales service and spare parts for vehicles previously sold in Russia.
The article Porsches in Russia no longer start! An alleged bug stops the engine from starting originally appeared on Red Hot Cyber.
Build Your Own Glasshole Detector
Connected devices are ubiquitous in our era of wireless chips heavily relying on streaming data to someone else’s servers. This sentence might already start to sound dodgy, and it doesn’t get better when you think about today’s smart glasses, like the ones built by Meta (aka Facebook).
[sh4d0wm45k] doesn’t shy away from fighting fire with fire, and shows you how to build a wireless device detecting Meta’s smart glasses – or any other company’s Bluetooth devices, really, as long as you can match them by the beginning of the Bluetooth MAC address.
[sh4d0wm45k]’s device is a mini light-up sign saying “GLASSHOLE”, that turns bright white as soon as a pair of Meta glasses is detected in the vicinity. Under the hood, a commonly found ESP32 devboard suffices for the task, coupled to two lines of white LEDs on a custom PCB. The code is super simple, sifting through packets flying through the air, and lets you easily contribute with your own OUIs (Organizationally Unique Identifier, first three bytes of a MAC address). It wouldn’t be hard to add such a feature to any device of your own with Arduino code under its hood, or to rewrite it to fit a platform of your choice.
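To show what the OUI-matching step of such a detector actually involves, here is an added Python example (not [sh4d0wm45k]’s firmware): it normalizes MAC notations, looks up the first three bytes against a watchlist, and gates on the BLE address type, since only public addresses carry an IEEE OUI. The OUIs in the watchlist and the scan window are constructed placeholders, not Meta’s real assignments.

```python
"""OUI prefix matching for BLE scan results, as in the GLASSHOLE sign.

Added example, not the project's firmware. The OUIs below are constructed
placeholders: load the IEEE OUI registry entries you care about instead.
"""
import re
from dataclasses import dataclass

# Constructed placeholder OUIs -> label (first three bytes of a public MAC).
WATCHLIST = {
    "AA:BB:CC": "placeholder-vendor-A",
    "DD:EE:FF": "placeholder-vendor-B",
}

_MAC_RE = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Return 'AA:BB:CC:DD:EE:FF' from any common notation, or raise."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three bytes of the normalized address."""
    return normalize_mac(mac)[:8]


@dataclass(frozen=True)
class Advertisement:
    """One BLE advertising packet as a scanner sees it (constructed input)."""
    address: str
    # Address type from the advertising PDU: 'public' carries an IEEE OUI,
    # 'random' (static or resolvable private) does not and cannot be matched.
    addr_type: str
    rssi: int


def match_advertisement(adv: Advertisement, watchlist=WATCHLIST):
    """Return the watchlist label if adv comes from a watched OUI, else None.

    Random addresses are skipped on purpose: a device advertising with a
    resolvable private address hides its OUI by design, which is the main
    blind spot of prefix-based detection.
    """
    if adv.addr_type != "public":
        return None
    return watchlist.get(oui_of(adv.address))


def scan_summary(advs, watchlist=WATCHLIST):
    """Aggregate a scan window: strongest RSSI seen per matched label."""
    hits = {}
    for adv in advs:
        label = match_advertisement(adv, watchlist)
        if label is None:
            continue
        best = hits.get(label)
        hits[label] = adv.rssi if best is None else max(best, adv.rssi)
    return hits


def sign_should_light(advs, watchlist=WATCHLIST, min_rssi=-80):
    """Light the sign when a watched device is within the RSSI threshold."""
    return any(r >= min_rssi for r in scan_summary(advs, watchlist).values())


# Constructed sample scan window (placeholder addresses).
SAMPLE_SCAN = [
    Advertisement("aa-bb-cc-01-02-03", "public", -62),
    Advertisement("AABBCC040506", "public", -90),
    Advertisement("dd:ee:ff:aa:bb:cc", "random", -40),  # random: not matchable
    Advertisement("11:22:33:44:55:66", "public", -50),
]

if __name__ == "__main__":
    print(scan_summary(SAMPLE_SCAN))
    print("sign on" if sign_should_light(SAMPLE_SCAN) else "sign off")
```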
We’ve been talking about smart glasses ever since Google Glass, but recently, with Meta’s offerings, the smart glasses debate has reignited. Due to inherent anti-social aspects of the technology, we can see what’d motivate one to build such a hack. Perhaps, the next thing we’ll see is some sort of spoofed packets shutting off the glasses, making them temporarily inoperable in your presence in a similar way we’ve seen with spamming proximity pairing packets onto iPhones.
888: the serial data-leaker! The dark web outsider who built an empire of stolen data
In the underground forum landscape there are actors who operate episodically, chasing a single media splash, and others who build up over time an almost industrial pipeline of compromises, releasing technical datasets and internal information from companies all over the world. Among these, one of the most recognizable profiles is the one that goes by the simple alias “888”.
Active since at least 2024, 888 is today considered one of the most prolific data-leakers on the scene, with more than a hundred claimed breaches and a constant presence on the most frequented forums of English-speaking cybercrime. Unlike structured ransomware groups, he does not operate through extortion, does not negotiate and does not use countdowns: his model is based on private sales and public release of selected datasets, with the evident goal of feeding reputation, visibility and demand.
In November 2025, 888 returned to the center of attention by publishing an archive with an eloquent title:
“Ryanair Internal Communications”.
A dump that includes data on bookings, routes, flight numbers, claim-handling processes and, above all, the internal interactions of the airline’s legal/claims department.
888’s operational profile: an individual, constant and opportunistic actor
I did some historical research on 888’s activities, and the information gathered outlines a clear profile:
- a single actor: no organized structure
- active on the various dark forums: first on Breach Forum, now on Dark Forum, where he has also held moderator roles
- technically competent: but more oriented toward exploiting misconfigurations, exposed cloud buckets and vulnerable public services
- financially motivated: with a track record of private database sales
- no political agenda: no public connection to RaaS groups
- consistent pattern: leaks of source code, configurations, corporate archives, user databases
His activity cuts across different sectors: tech, education, retail, automotive, energy, SaaS platforms and, more recently, aviation.
888 targets repeatable and monetizable datasets, not complex environments such as OT or ICS.
A rare trait that sets him apart: continuity. His reputation derives precisely from this.
The most interesting source is the interview given to Sam Bent for his “Darknet Dialogues” column, in which interesting details about 888 emerge: his mentor? Kevin Mitnick. His view on AI and hacking? All of his work is purely the product of his own knowledge and skills.
The Ryanair case: what the samples really show
Inside the thread devoted to the airline, several CSV samples appear, representing extractions consistent with a system for managing legal disputes and EU261 claims.
The data structure clearly shows:
- ticketId, groupTicketId, caseNo, decisionNo, refNumber
- departure and destination airports (BVA, BLQ, PMO, TRN, BGY, AHO, GOA, BDS…)
- flight numbers (FR 4831, FR 9369, FR 4916, FR 2254, FR 1011…)
- first and last names of the passengers involved
- internal teams assigned to the case
- references to: “info retrieved from the summons”, meal expenses, hotel expenses, EU261
- ISO-8601 timestamps for case updates
- internal free-text descriptions of the cases
I had the chance to analyze the samples “offered” in the Dark Forum post, and they are communications from Italian passengers relating to legal disputes or refund requests for service failures of various kinds.
The possible compromise vectors can only be hypothesized, since 888 provides no detail on the method used to obtain the data. The most plausible lead is the compromise of a CRM or case management system used to handle customer communications and legal cases, possibly through external partners.
How the Ryanair breach fits into 888’s history
The aviation incident is not an exception: it fits perfectly into 888’s modus operandi.
The threat actor has in fact already claimed:
- an IBM dataset (17,500 employees)
- BMW Hong Kong archives
- Microsoft data
- source code of Brazilian platforms (CIEE One)
- databases of e-commerce, logistics and retail platforms
- dumps from fintech companies, international NGOs and online marketplaces
888 never seeks the “shock” effect: he does not publish everything at once, does not open negotiations, does not orchestrate extortion.
He simply releases, often after having sold the material privately.
Ryanair, in this context, is one piece of a broader chain, not a specific focus.
888 is an actor living in the grey zone between intrusion broker and opportunistic data-leaker, with a structured pipeline of compromises, strong activity on underground forums and a constant eye toward datasets that can generate economic or reputational return.
The Ryanair case is not an isolated incident but yet another confirmation of his trajectory: a single, constant, methodical actor moving along a global digital supply chain where every weak link (an exposed bucket, a forgotten repository, an unprotected ticketing service) becomes a new dump to publish.
Sources used in writing the article:
- Ryanair Data Breach: 7 Key Findings Revealed in This Urgent Analysis
- Threat Actor Releases Supposed Ryanair Internal Emails and Ticketing Data
- Threat Actor 888 (Malpedia Profile)
- IBM Hacked? Threat Actor ‘888’ Reveals Thousands of Employees’ Data Leak
- Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach
- 888 Interview – Darknet Dialogues (YouTube)
- Brinztech Alert: Database of Ryanair is Leaked
- A data breach by threat actor 888 has exposed over 430,000 user records
- Hello Cake Data Breach (Have I Been Pwned)
- Dark Web Threats Targeting the Airline Industry
- Alleged Data Breach of LG A threat actor using the alias “888”
- Threat Actor “888” Claims LG Electronics Data Breach
- LG Data Leak: 888 Threat Actor Exposes Source Code
- Nutergia Laboratory Data Breach by Threat Actor “888”
- 888 – Details | BreachHQ by Beyond Identity
- IBM staff data allegedly leaked in cyber attack
- Cyber Intelligence – Darkeye
The article 888: the serial data-leaker! The dark web outsider who built an empire of stolen data originally appeared on Red Hot Cyber.
Kaspersky Security Bulletin 2025. Statistics
All statistics in this report come from Kaspersky Security Network (KSN), a global cloud service that receives information from components in our security solutions voluntarily provided by Kaspersky users. Millions of Kaspersky users around the globe assist us in collecting information about malicious activity. The statistics in this report cover the period from November 2024 through October 2025. The report doesn’t cover mobile statistics, which we will share in our annual mobile malware report.
During the reporting period:
- 48% of Windows users and 29% of macOS users encountered cyberthreats
- 27% of all Kaspersky users encountered web threats, and 33% of users were affected by on-device threats
- The highest share of users affected by web threats was in the CIS (34%), and local threats were most often detected in Africa (41%)
- Kaspersky solutions prevented nearly 1.6 times more password stealer attacks than in the previous year
- In APAC, password stealer detections saw a 132% surge compared to the previous year
- Kaspersky solutions detected 1.5 times more spyware attacks than in the previous year
To find more yearly statistics on cyberthreats, view the full report.
Anatomy of a Wi-Fi Breach: From Pre-connection to Active Defense
In today’s context, protecting a network takes far more than setting a complex password. A cyberattack against a wireless network follows a structured path that evolves from passive monitoring to active traffic manipulation.
We will analyze this process in three distinct phases: gaining access, post-connection maneuvers, and the necessary defensive countermeasures.
1. Pre-connection Phase: Surveillance and Access
A wireless network penetration test begins by analyzing its attack surface: the visible identifiers are observed and weak or insecure configurations are assessed.
Monitoring and Target Identification
The first step is to use tools in “monitor” mode to collect detailed information about access points (APs) and active clients. With the wireless interface enabled in this mode, the analyst runs the following command to sweep each channel:
airodump-ng wlan0mon
airodump-ng output in monitor mode: identification of WPA2 networks and connected clients.
This data is essential for selecting the target. Signs of weakness include an easily recognizable SSID, a low number of clients, or the absence of WPA3. Once the target has been identified, a targeted scan is run to increase precision with the command:
airodump-ng -c <canale> --bssid <BSSID> -w <file_output> wlan0mon
Capturing the Handshake
To gain full access to WPA/WPA2 networks, the handshake must be captured, i.e. the packet exchange that takes place when a client associates with the router. If no spontaneous connections occur, a deauthentication attack is used.
Using Aireplay-ng, packets are sent that temporarily disconnect the victim client:
aireplay-ng --deauth 5 -a <BSSID> -c <Client_MAC> wlan0mon
When the device automatically reconnects, the handshake is recorded by Airodump and saved to disk in a .cap file.
Another example of airodump-ng output: channels and packet timing shown.
Cracking the Encryption
Once the file has been acquired, the attack moves offline. Tools such as Aircrack-ng go through every password in a wordlist (such as the common rockyou.txt), combining it with the AP’s name to generate a Pairwise Master Key (PMK). This process typically uses algorithms such as PBKDF2 for hashing.
The typical command is:
aircrack-ng -w rockyou.txt -b <BSSID> handshake.cap
The generated PMK is compared against the encrypted data of the handshake: if they match, the password is revealed. For complex passwords, tools such as Hashcat or John the Ripper, optimized for GPU acceleration, are used.
2. Post-connection Phase: Camouflage and MITM
Once the initial barrier has been overcome, the attacker can interact directly with the devices on the local network. The goal now changes: blend in among the other devices and collect data without being detected.
Mapping the Network
The first post-connection step is to build a map of the network. Tools such as Netdiscover run an active ARP scan over the entire subnet to collect IP and MAC addresses:
netdiscover -r 192.168.1.0/24
Real lab screenshot: WPA2 handshake captured when running the aireplay-ng command.
Next, Nmap allows in-depth analysis. With the command nmap -A <IP_Target>, an aggressive scan is run to identify open ports, service versions and the target’s operating system, revealing potential vulnerabilities such as outdated software.
Man in the Middle (MITM) and ARP Spoofing
The most powerful offensive strategy at this stage is the Man in the Middle attack, often carried out via ARP spoofing. The attacker deceives both the client and the gateway by altering their ARP caches, placing itself logically between the two.
The manual commands to achieve this are:
arpspoof -i wlan0 -t <IP_Client> <IP_Gateway> (convinces the client that the attacker is the gateway)
arpspoof -i wlan0 -t <IP_Gateway> <IP_Client> (convinces the gateway that the attacker is the client)
To automate the process, frameworks such as MITMF are used, which integrate DNS spoofing, keylogging and code injection. An example command is:
mitmf --arp --spoof --gateway <IP_Gateway> --target <IP_Target> -i wlan0
3. Detection and Defense Methods
The success of an attack depends on the target’s defensive capability. Specific tools exist to spot anomalous behavior and block threats promptly.
Traffic Monitoring with Wireshark
Wireshark is essential for deep analysis. Its interface makes it possible to identify suspicious patterns such as “ARP storms”. To configure it to detect spoofing:
- Go to Preferences > Protocols > ARP.
- Enable the “Detect ARP request storms” option.
This option flags irregularities such as frequent changes of the MAC associated with the same IP. In addition, the “Expert Information” panel highlights duplicate ARP replies and IP conflicts, clear indicators of an attack in progress.
netdiscover output in the lab: IP and MAC addresses of active devices.
Active Defense with XArp
For automated protection, XArp offers two modes: passive (observation) and active (probing). If XArp detects that the gateway’s MAC suddenly changes, it sends a direct probe to validate the IP-MAC association and generate an alert.
Practical Attack and Response Scenario
To better understand the dynamics, let’s consider an example in a corporate LAN:
- The attack: an attacker connected via Wi-Fi launches arpspoof, simultaneously impersonating the router (192.168.1.1) and the victim client (192.168.1.100).
- Detection: XArp is running on a machine on the network and detects a sudden change in the gateway’s MAC address. The software fires a probe, compares the response and confirms the discrepancy, generating an immediate alert for the administrator.
- Reaction: at this point the defenses kick in. A local firewall can block traffic to the forged MAC, or the administrator can restore the correct ARP entry by forcing the right association with the following commands:
On Linux: sudo arp -s 192.168.1.1 00:11:22:33:44:55
On Windows: arp -s 192.168.1.1 00-11-22-33-44-55
This operation prevents further overwrites as long as the static entry remains in memory.
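A host-side detector implementing the checks the detection section and the scenario describe (a MAC change for a known IP, a violated static entry, an ARP storm from one sender), as an added Python example that is not part of the original article and is not XArp. The ARP replies are constructed for the scenario’s addresses (gateway 192.168.1.1, victim 192.168.1.100), the victim and attacker MACs are placeholders, and XArp’s active probe step is not reproduced.

```python
"""Offline ARP spoofing detector over a constructed reply trace.

Added example in the spirit of XArp / Wireshark's ARP checks, not the
article's own tooling. Timestamps are integer milliseconds to keep the
sliding window exact.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    ts_ms: int
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    """Tracks IP->MAC bindings and raises the three symptoms in the text."""
    storm_window_ms: int = 1000
    storm_threshold: int = 10          # replies from one MAC per window
    static: dict = field(default_factory=dict)    # pinned IP->MAC (arp -s)
    bindings: dict = field(default_factory=dict)  # learned IP->MAC
    recent: dict = field(default_factory=dict)    # MAC -> deque of ts_ms
    storm_flagged: set = field(default_factory=set)

    def pin(self, ip: str, mac: str) -> None:
        """Equivalent of the static entry added with 'arp -s'."""
        self.static[ip] = mac.upper()

    def observe(self, r: ArpReply) -> list:
        alerts = []
        mac = r.sender_mac.upper()
        # 1. A reply claims a pinned IP with a MAC other than the static one.
        pinned = self.static.get(r.sender_ip)
        if pinned is not None and pinned != mac:
            alerts.append(f"STATIC_VIOLATION {r.sender_ip}: {mac} != pinned {pinned}")
        # 2. The learned binding flipped: same IP now announced by another MAC.
        known = self.bindings.get(r.sender_ip)
        if known is not None and known != mac:
            alerts.append(f"MAC_CHANGE {r.sender_ip}: {known} -> {mac}")
        self.bindings[r.sender_ip] = mac
        # 3. ARP storm: one MAC emitting too many replies inside the window
        #    (flagged once per MAC so a sustained flood does not spam alerts).
        q = self.recent.setdefault(mac, deque())
        q.append(r.ts_ms)
        while q and r.ts_ms - q[0] > self.storm_window_ms:
            q.popleft()
        if len(q) >= self.storm_threshold and mac not in self.storm_flagged:
            self.storm_flagged.add(mac)
            alerts.append(f"ARP_STORM {mac}: {len(q)} replies in {self.storm_window_ms} ms")
        return alerts


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"  # from the scenario
VICTIM_IP, VICTIM_MAC = "192.168.1.100", "66:77:88:99:AA:BB"   # placeholder MAC
ATTACKER_MAC = "DE:AD:BE:EF:00:01"                              # placeholder MAC


def build_sample_trace() -> list:
    """Constructed trace: two legitimate replies, then a spoofing burst that
    claims the gateway's and the victim's IP every 100 ms for 1.2 s."""
    trace = [ArpReply(0, GATEWAY_IP, GATEWAY_MAC),
             ArpReply(500, VICTIM_IP, VICTIM_MAC)]
    for i in range(12):
        t = 1000 + i * 100
        trace.append(ArpReply(t, GATEWAY_IP, ATTACKER_MAC))
        trace.append(ArpReply(t + 50, VICTIM_IP, ATTACKER_MAC))
    return trace


def run_monitor(trace: list, pin_gateway: bool = True) -> list:
    """Feed a trace through a fresh monitor and return every alert in order."""
    mon = ArpMonitor()
    if pin_gateway:
        mon.pin(GATEWAY_IP, GATEWAY_MAC)
    alerts = []
    for r in trace:
        alerts.extend(mon.observe(r))
    return alerts


if __name__ == "__main__":
    for line in run_monitor(build_sample_trace()):
        print(line)
```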
4. Technical Countermeasures for Network Security
In today’s context, technical countermeasures must not be limited to detection but should aim to prevent the attack from being executed in the first place. Below we analyze the main strategies for protecting LANs and WLANs.
Static ARP Tables
One of the simplest yet most effective techniques is the manual configuration of static entries. By default, operating systems use dynamic ARP tables that can be manipulated. By entering the entries manually (as seen in the previous scenario), any unauthorized change is prevented. Keep in mind that these configurations must be re-entered at every reboot or automated via script.
Changing the SSID and Managing Broadcast
Routers often use default SSIDs (e.g. “TP-LINK_ABC123”) that reveal the device model and its known vulnerabilities. Changing the SSID to a generic name (e.g. “net-home42”) reduces exposure. In addition, disabling SSID broadcast makes the network invisible to devices that do not know it. Although not an absolute measure (the name can be recovered from beacon frames), it raises the bar for inexperienced attackers.
MAC Address Filtering
MAC filtering allows access only to devices explicitly authorized in the router’s admin panel. Any other device is rejected. This measure can also be bypassed via MAC spoofing, but it remains a good first barrier on networks with a limited number of devices.
Disabling Wireless Administration
Many routers allow remote configuration over Wi-Fi. This exposes the network to the risk that an attacker, once connected, could access the control panel. It is strongly recommended to disable wireless management, limiting administrative access to wired Ethernet ports only.
Using Encrypted Tunnels
Sensitive communications must always take place over encrypted channels so that intercepting the data (sniffing) is useless. Fundamental examples include:
- HTTPS instead of HTTP for web browsing.
- SSH instead of Telnet for remote access.
- VPNs to create secure tunnels between devices.
Furthermore, adopting WPA3 introduces SAE (Simultaneous Authentication of Equals), making the network far more resistant to dictionary attacks than WPA2.
Firmware Updates
Firmware vulnerabilities are an often overlooked attack vector. It is essential to check the manufacturer’s website periodically and install security patches. Updates can close backdoors, fix flaws in the WPS protocol and improve overall stability.
Conclusion: Toward Proactive Security
The security of local networks is today one of the most important challenges in cybersecurity. As we have seen, an attack can start silently with a scan (airodump-ng) and then evolve into active manipulation (MITM).
The ease with which a poorly protected network can be breached shows how underestimated the basic techniques still are. At the same time, powerful free tools such as Aircrack-ng, Wireshark and XArp are available to attackers and defenders alike: expertise makes the difference.
In summary, we have seen that:
- Access can be forced by capturing the handshake and using wordlists (aircrack-ng -w rockyou.txt).
- Once inside, the attacker can map the infrastructure (netdiscover, nmap).
- Traffic can be manipulated via ARP spoofing (arpspoof, MITMF).
- Defense requires a multi-layered approach: monitoring, automatic alerts and configuration hardening.
Cybersecurity is not a “one-off” configuration but an adaptive process. Being proactive is the only way to guarantee integrity and privacy in a constantly changing technological landscape.
The article Anatomy of a Wi-Fi Breach: From Pre-connection to Active Defense originally appeared on Red Hot Cyber.
Little Lie Detector is Probably No Worse Than The Big Ones
Want to know if somebody is lying? It’s always so hard to tell. [dbmaking] has whipped up a fun little polygraph, otherwise known as a lie detector. It’s nowhere near as complex as the ones you’ve seen on TV, but it might be just as good when it comes to finding the truth.
The project keeps things simple by focusing on two major biometric readouts — heart rate and skin conductivity. When it comes to the beating heart, [dbmaking] went hardcore and chose an AD8232 ECG device, rather than relying on the crutch that is pulse oximetry. It picks up heart signals via three leads that are just like those they stick on you in the emergency room. Skin conductivity is measured with a pair of electrodes that attach to the fingers with Velcro straps. The readings from these inputs are measured and then used to determine truth or a lie if their values cross a certain threshold. Presumably, if you’re sweating a lot and your heart is beating like crazy, you’re telling a lie. After all, we know Olympic sprinters never tell the truth immediately after a run.
Does this work as an actual, viable lie detector? No, not really. But that’s not just because this device isn’t sophisticated enough; commercial polygraph systems have been widely discredited anyway. There simply isn’t an easy way to correlate sweating to lying, as much as TV has told us the opposite. Consider it a fun toy or prop to play with, and a great way to learn about working with microcontrollers and biometric sensors.
youtube.com/embed/rpxLFYz5RgQ?…