
Holy Parachute out of Kirigami


Colorful parachutes at different levels of expansion

If you have a fear of heights and find yourself falling out of an airplane, you probably don’t want to look up to find your parachute full of holes. However, if the designer took inspiration from kirigami in the same way researchers have, you may be in better shape than you would think. This is because properly designed kirigami can function as a simple and effective parachute.

Kirigami, for those unfamiliar, is a cousin of origami where, instead of folding, you cut slits into paper. In this case, the paper effectively folds itself after being dropped, which allows the structure to create drag in ways similar to traditional parachute designs. Importantly, however, the stereotypical parachute designs have more severe drawbacks than they might appear to. Some of the major issues are the obvious ones, such as having to fold and unpack before and after dropping. What may be less obvious are the large eddies that traditional parachutes create, and how easily they are disturbed by the surrounding wind.

The kirigami chutes fix these issues while being easier to manufacture and apply. While these are not likely to be quite as effective for human skydiving, more durable applications may benefit. The applications quoted, including drone delivery or disaster relief, care more about accuracy and scalability than about the fragile bones of their passengers.

Clever and simple designs are always fun to try to apply to your own projects, so if you want to try your own hand, make sure to check out the paper itself here. For those more interested in clever drone design to take inspiration from, look no further than this maple seed-inspired drone.

youtube.com/embed/6rrDW6YIbXI?…


hackaday.com/2025/10/09/holy-p…


1000 POS systems of US and UK shops breached and auctioned: "full access" for 55,000 dollars


A new advertisement published on an underground forum was detected a short while ago by researchers at the Dark Lab threat intelligence laboratory, and it clearly shows how active and dangerous the black market for access to sensitive IT systems still is.

The user "nixploiter", who has an already established profile in the underground community ("gigabyte" level, with over 150 posts), has recently put up for sale access to more than 1000 POS (Point of Sale) machines located in the USA and the United Kingdom.

Disclaimer: This report includes screenshots and/or text taken from publicly accessible sources. The information provided is intended exclusively for threat intelligence purposes and to raise awareness of cybersecurity risks. Red Hot Cyber condemns any unauthorized access, improper dissemination or illicit use of such data. At present, it is not possible to independently verify the authenticity of the information reported, since the organization involved has not yet released an official statement on its website. Consequently, this article should be considered exclusively for informational and intelligence purposes.

In the post, the threat actor claims to have access through RMM (Remote Monitoring and Management) administration panels, which would grant full administrative privileges, remote control and even shells with root access. The compromised machines would be running Windows 7, 8, 10 and 11, using software that is very well known and widespread in the retail sector.

The offer, set up as an auction, starts at 8,000 dollars, with increments of 5,000 and an immediate "blitz" price of 55,000 dollars. The seller also sets a 48-hour window after the last bid to conclude the transaction, requiring a small deposit in Bitcoin to confirm the buyer's reliability.

Implications and risks


Access of this kind represents a serious direct threat not only to the shops involved, but also to their customers and to the connected financial circuits.

POS systems handle extremely sensitive data (transactions, payment cards, credentials and network logs) that can be exploited to:

  • Steal financial information and clone credit cards.
  • Install malware or ransomware inside the terminals.
  • Manipulate transactions or alter payment flows.
  • Use the devices as a pivot to move laterally into wider corporate networks.

The reference to RMM software, which is common in legitimate corporate infrastructures, suggests that the attackers exploited unprotected or misconfigured remote management tools, a technique that is growing strongly in the threat landscape.

Final considerations


This episode once again highlights the importance of POS device security, which is often neglected compared to other IT systems.

It is essential that companies:

  • Implement strong authentication and network segmentation.
  • Regularly update RMM and POS software.
  • Monitor remote access and system logs to identify anomalous behaviour.
  • Limit the exposure of management panels on the Internet.
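As an added example (not from the Red Hot Cyber article), the monitoring recommendation above turned into a small detection routine run over constructed RMM audit-log lines: console logins from outside trusted ranges, remote shells to POS terminals from untrusted sources, sessions outside a maintenance window, and privilege changes by an account that already logged in from outside. The log format, the trusted networks and the maintenance window are assumptions.

```python
"""Detection sketch for anomalous RMM access to POS terminals.

Added example, not part of the original article: it encodes the advice to
"monitor remote access and system logs" and "limit exposure of management
panels" as checks over constructed, hypothetical RMM audit-log lines. The
log format, field names, IP ranges and time window are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample: one RMM audit event per line, pipe-separated.
# timestamp | event | account | source_ip | target_host | detail
SAMPLE_LOG = """\
2025-10-08T09:12:04Z|panel_login|svc_rmm|10.20.0.15|rmm-console|ok
2025-10-08T09:14:51Z|remote_session|svc_rmm|10.20.0.15|POS-US-0412|screen
2025-10-08T13:40:22Z|remote_session|jdoe|10.20.1.77|POS-UK-0093|file_transfer
2025-10-08T23:58:09Z|panel_login|svc_rmm|203.0.113.45|rmm-console|ok
2025-10-08T23:59:30Z|remote_session|svc_rmm|203.0.113.45|POS-US-0412|shell
2025-10-09T00:03:12Z|remote_session|svc_rmm|203.0.113.45|POS-US-0418|shell
2025-10-09T00:05:47Z|privilege_change|svc_rmm|203.0.113.45|POS-US-0418|added_to_Administrators
"""

# Assumed allowlist: ranges from which RMM console logins are expected
# (corporate LAN / VPN pool). Anything else means the panel is reachable
# from outside, the exposure the article recommends eliminating.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Assumed maintenance window (UTC) for remote sessions to POS terminals.
WINDOW_START, WINDOW_END = time(6, 0), time(22, 0)


@dataclass(frozen=True)
class Event:
    ts: datetime
    event: str
    account: str
    source_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    target: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the pipe-separated audit lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, ip, target, detail = line.split("|", 5)
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            event, account, ipaddress.ip_address(ip), target, detail))
    return events


def is_trusted(ip) -> bool:
    """True when the source address falls inside an allowlisted network."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def in_window(ts: datetime) -> bool:
    """True when the event time is inside the maintenance window."""
    return WINDOW_START <= ts.time() <= WINDOW_END


def detect(events: list[Event]) -> list[tuple[str, Event]]:
    """Return (rule_name, event) pairs for every event that trips a rule."""
    findings: list[tuple[str, Event]] = []
    external_accounts: set[str] = set()
    for ev in events:
        # Rule 1: console login from outside the trusted ranges, i.e. the
        # panel is exposed to the Internet.
        if ev.event == "panel_login" and not is_trusted(ev.source_ip):
            findings.append(("external_panel_login", ev))
            external_accounts.add(ev.account)
        # Rule 2: remote shell on a terminal from an untrusted source.
        if ev.event == "remote_session" and ev.detail == "shell" and not is_trusted(ev.source_ip):
            findings.append(("remote_shell_from_untrusted", ev))
        # Rule 3: any POS remote session outside the maintenance window.
        if ev.event == "remote_session" and ev.target.startswith("POS-") and not in_window(ev.ts):
            findings.append(("session_outside_window", ev))
        # Rule 4: privilege change by an account that has already logged
        # into the console from an untrusted network in this batch.
        if ev.event == "privilege_change" and ev.account in external_accounts:
            findings.append(("privilege_change_after_external_login", ev))
    return findings


def summarize(findings: list[tuple[str, Event]]) -> dict[str, int]:
    """Count findings per rule, the shape a SIEM alert would aggregate on."""
    counts: dict[str, int] = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, ev in detect(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {rule:40s} {ev.account}@{ev.source_ip} -> {ev.target} ({ev.detail})")
```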

The sale of access to over a thousand POS terminals is not just an isolated criminal operation: it is an indicator of systemic vulnerability that directly concerns the security of global digital commerce.

The article 1000 POS systems of US and UK shops breached and auctioned: "full access" for 55,000 dollars comes from the cybersecurity blog.


Meshtastic: A Tale of Two Cities


If I’m honest with myself, I don’t really need access to an off-grid, fault-tolerant, mesh network like Meshtastic. The weather here in New Jersey isn’t quite so dynamic that there’s any great chance the local infrastructure will be knocked offline, and while I do value my privacy as much as any other self-respecting hacker, there’s nothing in my chats that’s sensitive enough that it needs to be done off the Internet.

But damn it, do I want it. The idea that everyday citizens of all walks of life are organizing and building out their own communications network with DIY hardware and open source software is incredibly exciting to me. It’s like the best parts of a cyberpunk novel, without all the cybernetic implants, pollution, and over-reaching megacorps. Well, we’ve got those last two, but you know what I mean.
Meshtastic maps are never exhaustive, but this gives an idea of node density in Philly versus surrounding area.
Even though I found the Meshtastic concept appealing, my seemingly infinite backlog of projects kept me from getting involved until relatively recently. It wasn’t until I got my hands on the Hacker Pager that my passing interest turned into a full-blown obsession. But it’s perhaps not for the reason you might think. Traveling around to different East Coast events with the device in my bag, it would happily chirp away when within range of Philadelphia or New York, but then fall silent again once I got home. While I’d get the occasional notification of a nearby node, my area had nothing like the robust and active mesh networks found in those cities.

Well, they say you should be the change you want to see in the world, so I decided to do something about it. Obviously I wouldn’t be able to build up an entire network by myself, but I figured that if I started standing up some nodes, others might notice and follow suit. It was around this time that Seeed Studio introduced the SenseCAP Solar node, which looked like a good way to get started. So I bought two of them with the idea of putting one on my house and the other on my parents’ place down the shore.

The results weren’t quite what I expected, but it’s certainly been an interesting experience so far, and today I’m even more eager to build up the mesh than I was in the beginning.

Starting on Easy Mode


I didn’t make a conscious decision to start my experiment at my parents’ house. Indeed, located some 60 miles (96 km) from where I live, any progress in building out a mesh network over there wouldn’t benefit me back home. But it was the beginning of summer, they have a pool, and my daughters love to swim. As such, we spent nearly every weekend there, which gave me plenty of time to tinker.

For those unfamiliar with New Jersey’s Southern Shore area, the coastline itself is dotted with vacation spots such as Wildwood, Atlantic City, and Long Beach Island. This is where the tourists go to enjoy the beaches, boardwalks, cotton candy, and expensive rental homes. But move slightly inland, and you’ll find a marshland permeated with a vast network of bays, creeks, and tributaries. For each body of water large enough to get a boat through, you’ll find a small town or even an unincorporated community that in the early 1900s would have been bustling with oyster houses and hunting shacks, but today might only be notable for having their own Wawa.
To infinity, and beyond.
My parents are in one of those towns that doesn’t have a Wawa. It’s very quiet, the skies are dark, and there’s not much more than marsh and water all around. So when I ran the SenseCAP Solar up their 20 foot (6 m) flagpole, which in a former life was actually the mast from a sailing catamaran, the results were extremely impressive.

I hadn’t had the radio up for more than a few hours before my phone pinged with a message. We chatted back and forth a bit, and I found that my new mesh friend was an amateur radio operator living on Long Beach Island, and that he too had just recently started experimenting with Meshtastic. He was also, incidentally, a fan of Hackaday. (Hi, Leon!) He mentioned that his setup was no more advanced than an ESP32 dev board sitting in his window, and yet we were reliably communicating at a range of approximately 6 miles (9 km).

Encouraged, I decided to leave the radio online all night. In the morning, I was shocked to find it had picked up more than a dozen new nodes. Incredibly, it was even able to sniff out a few nodes that I recognized from Philadelphia, 50 miles (80 km) to the west. I started to wonder if it was possible that I might actually be able to reach my own home, potentially establishing a link clear across the state.

Later that day, somebody on an airplane fired off a few messages on the way out of Philadelphia International Airport. Seeing the messages was exciting enough, but through the magic of mesh networking, it allowed my node to temporarily see networks at an even greater distance. I picked up one node that was more than 100 miles (160 km) away in Aberdeen, Maryland.

I was exhilarated by these results, and eager to get back home and install the second SenseCAP Solar node. If these were the kind of results I was getting in the middle of nowhere, surely I’d make even more contacts in a dense urban area.

Reality Comes Crashing Home


You see, at this point I had convinced myself that the reason I wasn’t getting any results back at home was the relatively meager antenna built into the Hacker Pager. Now that I had a proper node with an antenna bigger than my pinkie finger, I was sure I’d get better results. Especially since I’d be placing the radio even higher this time — with a military surplus fiberglass mast clamped into the old TV antenna mount on my three-story house, the node would be around 40 feet (12 m) above the ground.
The mast gets my node above the neighbor’s roofs, but just barely.
But when I opened the Meshtastic app the day after getting my home node installed, I was greeted with... nothing. Not a single node was detected in a 24 hour period. This seemed very odd given my experience down the shore, but I brushed it off. After all, Meshtastic nodes only occasionally announce their presence when they aren’t actively transmitting.

Undaunted, I made plans with a nearby friend to install a node at his place. His home is just 1.2 miles (1.9 km) from mine, and given the 6 mile (9 km) contact I had made down the shore, it seemed like this would be an easy first leg of our fledgling network.

Yet when we stood up a temporary node in his front yard, messages between it and my house were only occasionally making it through. Worse, the signal strength displayed in the application was abysmal. It was clear that, even at such a short range, an intermediary node would be necessary to get our homes reliably connected.

At this point, I was feeling pretty dejected. The incredible results I got when using Meshtastic in the sticks had clearly given me a false sense of what the technology was capable of in an urban environment. To make matters even worse, some further investigation found that my house was about the worst possible place to try and mount a node.

For one thing, until I bothered to look it up, I never realized my house was located in a small valley. According to online line-of-sight tools, I’m essentially at the bottom of a bowl. As if that wasn’t bad enough, I noted that the Meshtastic application was showing an inordinate number of bad packets. After consulting with those more experienced with the project, I now know this to be an indicator of a noisy RF environment. Which may also explain the exceptionally poor reception I get when trying to fly my FPV drone around the neighborhood, but that’s a story for another day.

A More Pragmatic Approach


While I was disappointed that I couldn’t replicate my seaside Meshtastic successes at home, I’m not discouraged. I’ve learned a great deal about the technology, especially its limitations. Besides, the solution is simple enough — we need more nodes, and so the campaign to get nearby friends and family interested in the project has begun. We’ve already found another person in a geographically strategic position who’s willing to host a node on their roof, and as I write this a third Seeed SenseCAP Solar sits ready for installation.

At the same time, the performance of Meshtastic in a more rural setting has inspired me to push further in that region. I’m in the process of designing a custom node specifically tailored for the harsh marine environment, and have identified several potential locations where I can deploy them in the Spring. With just a handful of well-placed nodes, I believe it should be possible to cover literally hundreds of square miles.

I’m now fighting a battle on two fronts, but thankfully, I’m not alone. In the months since I started this project, I’ve noticed a steady uptick in the number of detected nodes. Even here at home, I’ve finally started to pick up some chatter from nearby nodes. There’s no denying it: the mesh is growing every day.

My advice to anyone looking to get into Meshtastic is simple. Whether you’re in the boonies, or stuck in the middle of a metropolis, pick up some compatible hardware, mount it as high as you can manage, and wait. It might not happen overnight, but eventually your device is going to ping with that first message — and that’s when the real obsession starts.


hackaday.com/2025/10/09/meshta…


Google Japan Turn Out Another Keyboard, and it’s a Dial


There’s a joke that does the rounds, about a teenager being given a dial phone and being unable to make head nor tail of it. Whether or not it’s true, we’re guessing that the same teen might be just as stumped by this year’s keyboard oddity from Google Japan. It replaces keys with a series of dials that work in the same way as the telephone dial of old. Could you dial your way through typing?

All the files to make the board, as well as a build guide, are in the GitHub repository linked above, but they’ve also released a promotional video that we’ve put below the break. The dials use 3D printed parts, and a rotary encoder to detect the key in question. We remember from back in the day how there were speed dialing techniques with dial phones, something we’ve probably by now lost the muscle memory for.

We like this board for its quirkiness, and while it might become a little tedious to type a Hackaday piece on it, there might be some entertainment for old-timers in watching the youngsters figuring it out. If you’re hungry for more, we’ve covered them before.

youtube.com/embed/BgdWyD0cBx4?…

Thanks [ikeji] for the tip.


hackaday.com/2025/10/09/google…


ACN and digital sovereignty at the Corsera's DisclAImer Tour


I was also very pleased to meet prosecutor Gratteri in person, a man of exquisite manners. And then the speech by Bruno Frattasi, director general of the Agenzia per la Cybersicurezza Nazionale, delivered without a safety net, was spectacular, ranging from ransomware to #AI, from European rules to decidedly more industrial topics and technological sovereignty.

Luna also asked him a not-so-simple question about the relationship between Italy and Israel, and Frattasi was able to confirm that it is absolutely not true that someone handed Israel the keys to our cybersecurity (and how could they, given that it is an ecosystem?), while it is obvious that Italy has always had political and industrial relations with the Middle Eastern country.

One thing in the words of some panelists did not convince me much, namely this idea that Italy is backward and must "buy innovation" and "modern computers" to secure its digital sovereignty. First of all, innovation, in my opinion, is not bought but made, and we, Italy, albeit with difficulty, do make it; second, it is not the employee's equipment that makes the difference in terms of cyber protection, except as one of the many factors involved. It is the services and their correct configuration, quality and performance that make it. And then security is a multifactorial concept, where in any case the human factor (awareness, training and culture) is what makes the difference; indeed, "amateurs hack computers, professionals hack people", says Schneier.

So we can certainly increase investment in technology, and create a sufficient and qualified workforce, but we must invest heavily in upskilling and reskilling in the cyber world.

And then there are the rules: it is the Italian and European ones that have allowed us to make security policies even without having national technology champions in the fields of software and hardware, cloud and Artificial Intelligence. Digital sovereignty can now only be European.

Well, it's a long discussion; we will continue it in the coming days.
In the meantime, congratulations to Luna, Frattasi and Gratteri, but also to Giorgio Ventre and Vito Di Marco, and to all the speakers present. It was a great occasion.


dicorinto.it/formazione/acn-e-…


Alliance between ransomware groups: LockBit, DragonForce and Qilin join forces


Three major ransomware groups, DragonForce, Qilin and LockBit, have announced an alliance. This is essentially an attempt to coordinate the activities of several major RaaS (ransomware-as-a-service) operators; analysts warn that such consolidation could increase the scale and effectiveness of attacks.

DragonForce initiated the merger. In early September, almost simultaneously with the release of LockBit 5.0, DragonForce representatives publicly proposed to their "colleagues" that they end their internal quarrels and agree on "market rules": a level playing field, an end to public insults, and mutual support.

LockBit responded positively, and DragonForce subsequently made an official announcement of the alliance between the three gangs, inviting other ransomware teams to join them.

Analysts see this as a sign of a dangerous trend. A ReliaQuest report for the third quarter of 2025 noted that the merger could lead to more frequent and coordinated campaigns and to a broader spread of attacks, including against critical infrastructure.

It is possible that the alliance could help LockBit recover from a major law enforcement action in 2024. Back then, in February, international operations led to the seizure of servers, domain names and decryption keys; in May, investigators also linked the group to a specific individual, Dmitry Yuryevich Khoroshev, who nevertheless remains at large. These actions undermined affiliates' trust, and many former LockBit partners moved to other groups.

It is important to note that no unified alliance infrastructure has yet been created: no common data-dumping site or single leak portal has emerged, and each gang continues to claim responsibility for its own operations.

Qilin, for example, publicly announced the attack on Asahi Beer, while LockBit and DragonForce continue to publish their attacks separately. Nonetheless, the sharing of skills and resources, from tools to customer databases, in itself expands the criminals' capabilities.

Of particular concern is the change in LockBit's rhetoric after the release of version 5.0: in its documentation, the group has removed its previous taboos and explicitly stated that attacks on critical infrastructure (power plants and similar facilities) are now permitted, unless a separate agreement is reached with the FBI. This means that, at least on the surface, the operators now consider it acceptable to attack sectors they previously avoided.

Meanwhile, an English-speaking hacker group is also taking shape: Scattered Spider, ShinyHunters and Lapsus$ have announced a new coalition called Scattered Lapsus$ Hunters and launched their own leak site, which has already published data on several companies.

ReliaQuest warns that this group could evolve into a RaaS provider, combining social engineering skills with encryption technologies.

Researchers assess the emergence of such alliances as a transition to a new phase of the criminal economy: instead of fragmented competition, ransomware groups are beginning to build stable "commercial" ties, sharing code, infrastructure and data distribution channels. This makes attacks more widespread and harder to stop, since the criminals' resources, scale and professionalism grow simultaneously.

The article Alliance between ransomware groups: LockBit, DragonForce and Qilin join forces comes from the cybersecurity blog.


Billy Bass Gets New Job as a Voice Assistant


For those who were alive and conscious before the modern Internet, there were in fact things that went “viral” and became cultural phenomena for one reason or another. Although they didn’t spread as quickly or become forgotten as fast, things like Beanie Babies or greeting a friend with an exaggerated “Whassup?” could all be considered viral hits of the pre-Internet era.

Another offline hit from the late 90s was the Billy Bass, an absurdist bit of physical comedy in the form of a talking, taxidermied fish. At the time it could only come to life and say a few canned lines, but with the help of modern hardware it can take on a whole new life.

This project comes to us from [Cian] who gutted the fish’s hardware to turn it into a smart voice assistant with some modern components, starting with an ESP32 S3. This chip has enough power to detect custom “wake words” to turn on the fish assistant as well as pass the conversation logic to and from a more powerful computer, handle the audio input and output, and control the fish’s head and tail motors. These motors, as well as the speaker, are the only original components remaining. The new hardware, including an amplifier for the speaker, are mounted on a custom 3D printed backplate.

After some testing and troubleshooting, the augmented Billy was ready to listen for commands and converse with the user in much the same way as an Alexa or other home assistant would. [Cian] built this to work with Home Assistant though, so it’s much more open and easier to recreate for anyone who still has one of these pieces of 90s kitsch in a box somewhere.

Perhaps unsurprisingly, these talking fish have been the basis of plenty of hacks over the years since their original release like this one from a few years ago that improves its singing ability or this one from 2005 that brings Linux to one.

youtube.com/embed/favga4OUhY8?…


hackaday.com/2025/10/09/billy-…


Microsoft 365 outage: thousands of users affected worldwide


A widespread outage of Microsoft 365 services affected thousands of users worldwide on the evening of Wednesday, 8 October 2025, temporarily making key platforms such as Microsoft Teams, Exchange Online and the Microsoft 365 admin portal inaccessible.

The disruption, reported from the late hours onward, compromised the ability of numerous organizations to use essential tools for business communication and management. Microsoft quickly confirmed the anomaly, launching a high-priority investigation to identify the cause of the problem and restore full system functionality.

At around 22:56 (GMT+5:30), the company identified a possible anomaly in directory operations within a section of its infrastructure.

The error, linked to the handling of user authentication and service requests, caused a back-end malfunction. Engineers then analyzed diagnostic data to outline a mitigation strategy that would not further compromise the operating environment.

At 23:36 (GMT+5:30), Microsoft announced that it had begun rebalancing service loads, redirecting traffic from the faulty components to working systems. This measure was a crucial step toward stabilizing the platform and progressively resuming activity for the affected users.

In the early hours of this morning, 9 October 2025, the company recorded positive signs: the traffic redirection led to a gradual restoration of the main services. Despite the improvement, Microsoft announced that its technical teams will continue to monitor the infrastructure to ensure lasting stability and prevent new outages.

The company also maintained a steady flow of updates to inform users about the progress of the recovery, confirming that most functionality was progressively returning to normal.

The article Microsoft 365 outage: thousands of users affected worldwide comes from the cybersecurity blog.


Why Stepper Motors Still Dominate 3D Printing


It’s little secret that stepper motors are everywhere in FDM 3D printers, but there’s no real reason why you cannot take another type of DC motor like a brushless DC (BLDC) motor and use that instead. Interestingly, some printer manufacturers are now using BLDCs for places where the reduction in weight matters, such as in the tool head or extruder, but if a BLDC can be ‘stepped’ much like any stepper motor, then why prefer one over the other? This is the topic of a recent video by [Thomas Sanladerer], with the answer being mostly about cost, and ‘good enough’ solutions.

The referenced driving method of field-oriented control (FOC), which also goes by the name of vector control, is a VFD control method in which the controller can fairly precisely keep position much like a stepper motor, but without the relatively complex construction of a stepper motor. Another advantage is that FOC tends to use less power than alternatives.

Using a FOC controller with a BLDC is demonstrated in the video, which also covers the closed-loop nature of such a configuration, whereas a stepper motor is generally driven in an open-loop fashion. Ultimately the answer at this point is that stepper motors are ‘good enough’ for tasks where their relatively large size and weight aren’t real issues, but as BLDCs with FOC or similar become more economical, we may see things change there.

youtube.com/embed/136NfHIPQcE?…


hackaday.com/2025/10/08/why-st…


Where is Mathematics Going? Large Language Models and Lean Proof Assistant


If you’re a hacker you may well have a passing interest in math, and if you have an interest in math you might like to hear about the direction of mathematical research. In a talk on this topic [Kevin Buzzard], professor of pure mathematics at Imperial College London, asks the question: Where is Mathematics Going?

It starts by explaining that in 2017 he had a mid-life crisis, of sorts, becoming disillusioned with the way mathematics research was being done, and he started looking to computer science for solutions.

He credits Euclid, as many do, with writing down some axioms and starting mathematics, over 2,000 years ago. From axioms came deductions, and deductions became mathematical facts, and math proceeded in this fashion. This continues to be the way mathematical research is done in mathematics departments around the world. The consequence of this is that mathematics is now incomprehensibly large. Similarly, the mathematical proofs themselves are exceedingly large; he gives an example of one proof that is 10,000 pages long and still hasn’t been completely written down after having been announced more than 20 years ago.

The conclusion from this is that mathematics has become so complex that traditional methods of documenting it struggle to cope. He says that a tertiary education in mathematics aims to “get students to the 1940s”, whereas a tertiary education in computer science will expose students to the state of the art.

He investigates the effect “computer as calculator” has had on mathematics since the middle of the 20th century, stating that it is less than you might have thought. More recently though we have large language models (LLMs) giving us “computer as generator of mathematics” and interactive theorem provers (ITPs) as “computer as checker of mathematics”, both being new ways to use computers for mathematics research. He notes that each of these technologies has flaws and that neither has, so far, told us anything profound which we didn’t already know. As he puts it, mathematics has not seen a “Deep Blue moment”.

The point is then made that the problem with LLMs is that they hallucinate statements which introduces errors and the problem with ITPs is that all the code needs to be hand-written by humans. He floats the “no brainer idea” of combining LLM tech with ITP tech, the LLMs can propose mathematics and the ITP can verify it.

He concludes with the idea that LLM + ITP is the best future for mathematics, enabling mathematics to go from “mostly right” to “definitely right”.

If you have a passing interest in math you might also like to read Getting The Most Out Of ISM Transceivers Using Math and Design Scanimations In A Snap With The Right Math.

youtube.com/embed/K5w7VS2sxD0?…


hackaday.com/2025/10/08/where-…


The Entire Process of Building an Open Source Analog ASIC


ASIC physical layout

Our hacker [Pat Deegan] of Psychogenic Technologies shows us the entire process of designing an analog ASIC. An ASIC is of course an Application-Specific Integrated Circuit, which is basically just custom hardware. That’s right, “just” custom hardware.

Services such as those from Tiny Tapeout make it possible to get your hardware designs built. And tools such as those found in Tiny Tapeout Analog Design VM with Skywater 130 PDK make it possible to get your hardware designs… designed.

In the video [Pat] takes you through using xschem (for schematic capture) and magic (for physical layout) to design a custom ADC. We learn that when it comes to hardware you have the choice of many different types of FETs, and not much else. Capacitors are expensive and to be avoided. Inductors are verboten. Getting specific values for things (such as resistors) is pretty much impossible so you generally just have to hope that things come out in relative proportions.

[Pat] credits Webinar – Analog schematic capture & simulation with Stefan Schippers for teaching him how to use the aforementioned tools. Both xschem and magic are customizable using the Tcl scripting language which [Pat] used to set things up to his own taste.

We have heard from [Pat Deegan] in recent history; he’s the guy who published the considered KiCad shortcut keys, and he has a KiCad mastery course which is available for free.

youtube.com/embed/Eu_crbcBdNM?…


hackaday.com/2025/10/08/the-en…


Honoring the Legacy of Robert Murray-Smith


We at Hackaday are deeply saddened to learn of the passing of Robert Murray-Smith. The prolific experimenter had spent over a decade on YouTube, creating more than 2,500 videos in which he gleefully demonstrated his seemingly endless collection of homemade contraptions. At least eighteen of those ended up on the pages of Hackaday since we first crossed paths with him back in 2013.

Like many of you, we were also shocked to find that Robert made the decision to end his own life. As cliché as it might sound, he simply didn’t seem like the type. His demeanor was always boisterous in his videos, exhibiting an almost child-like joy as he showed off his latest creation with a laugh and a smile.

But as explained by his brother Dave in the brief announcement video posted yesterday, his outward appearance was a well-rehearsed mask that covered a deepening depression. Regular viewers of Robert’s videos knew he lost his wife, as he shared a memorial video for her in April of 2024. What he was less open about with his viewers was his own health, which it turns out had been rapidly declining for the last few months.

We now know that simply getting up and walking around had become painful for Robert, something obscured by the fact that most of his videos saw him seated at his workbench or in the back garden. That he was able to continue making so many videos at all speaks not only to his passion for technology and engineering, but to the great love he had for the community that he’d built.

From the video we also learned that Robert found it very difficult to discuss his declining mental and physical health with friends and family. For men of his generation, the “strong and silent type” was often the ideal. Given all that he was going through, nobody could fault him for experiencing a sense of hopelessness, and yet his brother explains that Robert would never admit to the difficulties he was facing. Whenever pushed to talk about his feelings, he’d respond with that phrase which we’ve all heard (and maybe used once or twice) — “I’m fine.”

Because of this, Robert’s family has partnered with the suicide prevention charity CALM (Campaign Against Living Miserably) to try and raise awareness about men’s mental health. They ask that anyone who wishes to honor Robert make a donation to CALM, in the hopes that they can help others who may find themselves in a similar situation.

It’s no great secret that many in the hacker and maker communities face their own daily struggles, whether from being neurodivergent or from an inability to fit in with mainstream society. Several of the staff here at Hackaday are from marginalized groups, and even among those who aren’t, let’s just say we have it on good authority that most of them didn’t get to sit with the “cool kids” back in high school. We also know that, just like Robert, many in the community find it difficult to communicate with others about how this impacts their mental health.

The lasting legacy of Robert Murray-Smith will of course be his incredible body of work, which will continue to inspire millions of viewers. But we can also honor him by making sure that we’re looking out for the well-being of friends, family, and even ourselves. There are resources available, and there’s no shame in asking for help when you need it.

youtube.com/embed/GhramXiUrY4?…


hackaday.com/2025/10/08/honori…


FLOSS Weekly Episode 850: One ROM to Rule Them All


This week Jonathan and Aaron chat with Piers Finlayson about One ROM! Why does the retro-computing world need a solution for replacement ROMs? How difficult was it to squeeze an MCU and layout into the original ROM footprint? And what’s next for the project? Listen to find out!


youtube.com/embed/YSQFDdGRXlM?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/10/08/floss-…


Ask Hackaday: Why is TTL 5 Volts?


The familiar five volts standard from back in the TTL days always struck me as odd. Back when I was just a poor kid trying to cobble together my first circuits from the Forrest Mims Engineer’s Notebook, TTL was always a problem. That narrow 4.75 V to 5.25 V spec for Vcc was hard to hit, thanks to being too poor to buy or build a dedicated 5 V power supply. Yes, I could have wired up four 1.5 V dry cells and used a series diode to drop it down into range, but that was awkward and went through batteries pretty fast once you got past more than a few chips.

As a hobbyist, the five volt TTL standard always seemed a little capricious, but I strongly suspected there had to be a solid reason behind it. To get some insights into the engineering rationale, I did what anyone living in the future would do: I asked ChatGPT. My question was simple: “How did five volts become the standard voltage for TTL logic chips?” And while overall the answers were plausible, like every other time I use the chatbot, they left me wanting more.

Circular Logic

TTL, 5 volts and going strong since 1976 (at least). Source: Audrius Meskauskas, CC BY-SA 3.0.
The least satisfying of ChatGPT’s answers all had a tinge of circular reasoning to them: “IBM and other big computer makers adopted 5 V logic in their designs,” and thanks to their market power, everyone else fell in line with the five volt standard. ChatGPT also blamed “The Cascade Effect” of Texas Instruments’ standardization of five volts for their TTL chips in 1964, which “set the tone for decades” and forced designers to expect chips and power supplies to provide five volt rails. ChatGPT also cited “Compatibility with Existing Power Supplies” as a driver, and that regulated five volt supplies were common in computers and military electronics in the 1960s. It also cited the development of the 7805 linear regulator in the late 1960s as a driver.

All of this seems like nonsense, the equivalent of saying, “Five volts became the standard because the standard was five volts.” What I was after was an engineering reason for five volts, and luckily, an intriguing clue was buried in ChatGPT’s responses along with the drivel: the characteristics of BJT transistors, and the tradeoffs between power dissipation and speed.

The TTL family has been around for a surprisingly long time. Invented in 1961, TTL integrated circuits have been used commercially since 1963, with the popular 7400-series of logic chips being introduced in 1964. All this development occurred long before MOS technology, with its wider supply range, came into broad commercial use, so TTL — as well as all the precursor logic families, like diode-transistor logic (DTL) and resistor-transistor logic (RTL) — used BJTs in all their circuits. Logic circuits need to distinguish between a logical 1 and a logical 0, and using BJTs with a typical base-emitter voltage drop of 0.7 V or so meant that the supply voltage couldn’t be too low, with a five volt supply giving enough space between the high and low levels without being too susceptible to noise.
The 1961 patent for TTL never mentions 5 volts; it only specifies a “B+”, which seems like a term held over from the vacuum tube days. Source: U.S. Patent 3283170A.
But, being able to tell your 1s and 0s apart really only sets a minimum for TTL’s supply rail. Why couldn’t it have been higher? It could have, and a higher Vcc, like the 10 V to 15 V used in emitter-coupled logic (ECL), might have improved the margins between logic levels and improved noise immunity. But higher voltage means more power, and power means heat, and heat is generally frowned upon in designs. So five volts must have seemed like a good compromise — enough wiggle room between logic levels, good noise immunity, but not too much power wasted.

I thought perhaps the original patent for TTL would shed some light on the rationale for five volts, but like most inventors, James Buie left things as broad and non-specific as possible in the patent. He refers only to “B+” and “B-” in the schematics and narrative, although he does calculate that the minimum for B+ would be 2.2 V. Later on, he states that “the absolute value of the supply voltage need be greater than the turn-on voltage of the coupling transistor and that of the output transistor,” and in the specific claims section, he refers to “a source of EMF” without specifying a magnitude. As far as I can see, nowhere in the patent does the five volt spec crop up.

Your Turn

The Fender “Champ” guitar amp had a rectifier tube with a 5-volt filament. Perhaps TTL’s Vcc comes from that? Source: SchematicHeaven.net.
If I were to hazard a guess, the five volt spec might be a bit of a leftover from the tube era. A very common value for the heater circuit in vacuum tubes was 6.3 V, itself a somewhat odd figure that probably stems from the days when automobiles used 6 V electrical systems, which were really 6.3 V thanks to using three series-connected lead-acid cells with a nominal cell voltage of 2.1 V each.

Perhaps the early TTL pioneers looked at the supply rail as a bit like the heater circuit, but nudged it down to 5 V when 6.3 V proved a little too hot. There were also some popular tubes with heaters rated at five volts, such as the rectifier tubes found in guitar amplifiers like the classic Fender “Champ” and others. The cathodes on these tubes were often directly connected to a dedicated 5 V winding on the power transformer; granted, that was 5 V AC, but perhaps it served as a design cue once TTL came around.

This is, of course, all conjecture. I have no idea what was on the minds of TTL’s designers; I’m just throwing out a couple of ideas to stir discussion. But what about you? Where do you think the five volt TTL standard came from? Was it arrived at through a stringent engineering process designed to optimize performance? Or was it a leftover from an earlier era that just happened to be a good compromise? Was James Buie an electric guitarist with a thing for Fender? Or was it something else entirely? We’d love to hear your opinions, especially if you’ve got any inside information. Sound off in the comments section below.


hackaday.com/2025/10/08/ask-ha…


A Minicomputer Tape Drive Receives Some Love


Taking on a refrigerator-sized minicomputer is not for the faint-hearted, but [Usagi Electric] has done it with a DEC PDP-11/44. He’s not doing it in half measures either, for his machine is tricked out with an impressive array of upgrades. Among them, however, is no storage, and with two co-processors there’s a meager 3U of rack space left. The plan is to fit a period 8″ hard drive in the space alongside a TU50 tape drive, and it’s this final component that’s the subject of his latest video.

DEC never did anything by halves, and a DECTape II cartridge is more than a simple container for tape reels. Instead it has a capstan of its own that engages with one in the drive, and an internal drive belt that moves the reels. All the rubber parts in both tapes and drive are thoroughly perished, and it’s impressive that he manages to find inexpensive modern polymer alternatives. The original drive is probably intended for a VAX system, and thus has the interesting feature of a second drive mechanism out of sight to hold a tape containing microcode.

Having reconditioned the drive, it goes in behind a custom front panel, and though there’s no useful data to test it with on the tapes he has, it all appears to be working. You can see it all in the video below the break, and if you’re interested further, we’ve covered this machine in the past.

youtube.com/embed/KmZ9xGP6O4s?…


hackaday.com/2025/10/08/a-mini…


Reshaping Eyeballs With Electricity, No Lasers Or Cutting Required


Glasses are perhaps the most non-invasive method of vision correction, followed by contact lenses. Each has its drawbacks, though, and some seek more permanent solutions in the form of laser eye surgeries like LASIK, aiming to reshape their corneas for better visual clarity. However, these methods often involve cutting into the eye itself, and it hardly gets any more invasive than that.

A new surgical method could have benefits in this regard, allowing correction in a single procedure that requires no lasers and no surgical cutting of the eye itself. The idea is to use electricity to help reshape the eye back towards greater optical performance.

The Eyes Have It

Thus far, the research has worked with individual eyeballs. Great amounts of work remain before this is a viable treatment for eyes in living subjects. Credit: research paper
Existing corrective eye surgeries most often aim to fix problems like long-sightedness, short-sightedness, and astigmatism. These issues are generally caused by the shape of the cornea, which works with the lens in the eye to focus light onto the light-sensitive cells in the retina. If the cornea is misshapen, it can be difficult for the eye to focus at close or long ranges, or it can cause visual artifacts in the field of view, depending on the precise nature of the geometry. Technologies like LASIK reshape the cornea for better performance using powerful lasers, but also involve cutting into the cornea. The procedure is thus highly invasive and has a certain recovery time, safety precautions that must be taken afterwards, and some potential side effects. A method for reshaping the eye without cutting into it would thus be ideal to avoid these problems.

Enter the technology of Electromechanical Reshaping (EMR). As per a new paper, researchers at the University of California, Irvine, came across the idea by accident while looking into the moldable nature of living tissues. As it turns out, collagen-based tissues like the cornea hold their structure thanks to the attractions between oppositely-charged subcomponents. These structures can be altered with the right techniques. For example, since these tissues are laden with water, applying electricity can change the pH through electrolysis, altering the attraction between components of the tissue and making them pliable and reformable. Once the electric potential is taken away, the tissues can be restored to their original pH balance, and the structure will hold firm in its new form.
The untreated lens is visible in section A, and the new shape of the modified lens can be seen in section B. Graphs C and D show the change in radius and refractive power of the lens. Credit: research paper
Researchers first tested this technique out on other tissues before looking to the eye. The team were able to use EMR to reshape ears from rabbits, while also being able to make physical changes to scar tissue in pigs. These efforts proved the basic mechanism worked, and that it could have applicability to the cornea itself.

To actually reshape the cornea effectively using this technique, a sort of mold was required. To that end, researchers created a “contact lens” type device out of platinum, which was formed in the desired final shape of the cornea. A rabbit eyeball was used in testing, doused in a saline solution to mimic the eye’s natural environment. The platinum device was pushed onto the eye, and used as an electrode to apply a small electrical potential across the eyeball. This was controlled carefully to precisely change the pH to the region where the eye became remoldable. After a minute, the cornea of the rabbit eyeball had conformed to the shape of the platinum lens. With the electrical potential removed, the pH of the eyeball was returned to normal and the cornea retained the new shape. The technique was trialled on twelve eyeballs, with ten of those treated for a shortsightedness condition, also known as myopia. In the case of the myopic eyeballs, all ten corneas were successfully corrected, creating improved focusing power that would correspond to better vision in a living patient’s eye.

While the technique is promising, great development will be required before this is a viable method for vision correction in human patients. Researchers will need to figure out how to properly apply the techniques to eyeballs that are still in living patients, with much work to be done with animal studies prior to any attempts to translate the technique to humans. However, it could be that a decade or two in the future, glasses and LASIK will be increasingly less popular compared to a quick zap from the electrochemical eye remoulder. Time will tell.


hackaday.com/2025/10/08/reshap…


Wave of attacks against Palo Alto Networks: over 2,200 IPs involved in the new campaign


Starting on 7 October 2025, there has been a large-scale intensification of targeted attacks against Palo Alto Networks PAN-OS GlobalProtect login portals. Over 2,200 unique IP addresses have been involved in reconnaissance activity.

This is a notable increase over the initial 1,300 IP addresses detected only a few days earlier. According to monitoring by GreyNoise Intelligence, it represents the most intense scanning activity of the last 90 days.

On 3 October 2025, a significant 500% surge in scanning activity marked the start of the reconnaissance campaign. On that day, roughly 1,300 unique IP addresses were detected probing Palo Alto login portals. Compared with the preceding three months, this initial spike constituted the highest level of scanning recorded.

In the 90 days preceding that event, daily scan volumes had almost never reached the threshold of 200 IPs.

GreyNoise's analysis showed that a preponderant share of the malicious IP addresses, fully 91%, is located in the United States. Further concentrated clusters of such addresses were found in the United Kingdom, the Netherlands, Canada and Russia.

A substantial infrastructure investment in the operation is evidenced by the fact that security specialists identified around 12% of the subnets of ASN11878 as dedicated entirely to scanning Palo Alto access gateways. The threat actors are probably working systematically through large credential databases, given the failed-authentication patterns that suggest automated brute-force operations against GlobalProtect SSL VPN portals.

GreyNoise has released a comprehensive dataset including the unique usernames and passwords observed in the monitored Palo Alto login attempts, so that security teams can assess their potential credential exposure. Technical analysis shows that 93% of the IP addresses involved were labelled suspicious, while 7% were judged malicious.

Examination of the scanning activity reveals several regional clustering patterns distinguished by unique TCP fingerprints, suggesting that several organized threat groups are acting concurrently. Security researchers have identified possible links between the series of scans recorded against Palo Alto and the reconnaissance operations conducted simultaneously against Cisco ASA devices.

Both attack campaigns share dominant TCP fingerprints tied to infrastructure in the Netherlands, along with similar regional clustering behaviour and tooling characteristics. The multi-technology attack suggests a broader reconnaissance campaign against enterprise remote-access solutions.

The article Wave of attacks against Palo Alto Networks: over 2,200 IPs involved in the new campaign originally appeared on il blog della sicurezza informatica.
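As an added defender-side example (not code from GreyNoise, Palo Alto Networks or the article), the Python below builds a constructed 90-day window of login-portal records and flags the two signals the report describes: a day whose count of unique source IPs jumps by 500% over the preceding baseline, and sources whose failed logins are spread across many usernames. The record layout, the sample data and the thresholds (ratio 5.0, at least 10 sources, 3 failures over 3 usernames) are assumptions; real PAN-OS GlobalProtect logs would need their own parser.

```python
"""Baseline-vs-spike and password-spraying detection for VPN login portals.

Added example: not code from GreyNoise, Palo Alto Networks or the article. The
record layout (day, source IP, username, outcome) is a constructed
simplification, not the real PAN-OS GlobalProtect log format.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    day: date
    source: str
    username: str
    success: bool


def parse_line(line):
    """Parse one constructed log line: 'YYYY-MM-DD <ip> <user> auth-ok|auth-fail'."""
    day_s, source, username, outcome = line.split()
    return Record(date.fromisoformat(day_s), source, username, outcome == "auth-ok")


def build_sample_records():
    """Constructed data: 90 quiet days, then a day with many new sources spraying usernames."""
    records = []
    start = date(2025, 7, 5)
    for i in range(90):
        day = start + timedelta(days=i)
        for k in range(3 + i % 3):  # 3 to 5 distinct sources per baseline day
            # only source .2 fails, always for the same user (not spraying)
            records.append(Record(day, f"198.51.100.{k + 1}", "alice", k != 1))
    spike = date(2025, 10, 3)  # the day the report puts the initial surge on
    for n in range(40):  # 40 previously unseen sources, each trying four usernames
        for user in ("admin", "root", "vpnuser", "test"):
            records.append(Record(spike, f"203.0.113.{n + 1}", user, False))
    return records


def daily_unique_sources(records):
    """Map each day to the number of distinct source IPs seen that day."""
    seen = defaultdict(set)
    for r in records:
        seen[r.day].add(r.source)
    return {day: len(ips) for day, ips in seen.items()}


def detect_spikes(daily_counts, window=90, ratio=5.0, min_sources=10, min_history=14):
    """Flag days whose unique-source count is >= ratio x the peak of the preceding window.

    ratio=5.0 mirrors the 500% jump in the report; min_sources suppresses
    trivial spikes over an almost empty baseline (both values are assumptions).
    Returns (day, count, baseline_peak) tuples.
    """
    flagged = []
    days = sorted(daily_counts)
    for idx, day in enumerate(days):
        history = [daily_counts[d] for d in days[:idx] if (day - d).days <= window]
        if len(history) < min_history:
            continue  # not enough baseline yet to judge
        peak = max(history)
        count = daily_counts[day]
        if count >= min_sources and count >= ratio * peak:
            flagged.append((day, count, peak))
    return flagged


def brute_force_candidates(records, min_failures=3, min_usernames=3):
    """Sources with many failed logins spread over several usernames (spraying pattern).

    A single user failing repeatedly from one address does not qualify; the
    credential-database pattern in the report is many names from one source.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    for r in records:
        if not r.success:
            failures[r.source] += 1
            users[r.source].add(r.username)
    return sorted(
        src for src in failures
        if failures[src] >= min_failures and len(users[src]) >= min_usernames
    )


if __name__ == "__main__":
    recs = build_sample_records()
    for day, count, peak in detect_spikes(daily_unique_sources(recs)):
        print(f"{day}: {count} unique sources vs baseline peak of {peak}")
    print(len(brute_force_candidates(recs)), "sources show a spraying pattern")
```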


Homebrew Dam Control System Includes all the Bells and Whistles


The site controller board

Over on brushless.zone, we’ve come across an interesting write-up that details the construction of a dam control system. This is actually the second part; in the first, we learn that some friends purchased an old dysfunctional 80 kW dam with the intention of restoring it. One friend was in charge of the business paperwork, one friend the mechanical side of things, and the other was responsible for the electronics — you can probably guess which one we’re interested in.

The site controller is built around a Nucleo-H753 featuring the STM32H753ZI microcontroller, which was selected due to it being the largest single-core version of the dev board available. This site controller board features a dozen output light switches, sixteen front-panel button inputs, dual 24 V PSU inputs, multiple non-isolated analog inputs, atmospheric pressure and temperature sensors, multiple analog multiplexers, a pair of SSD1309 OLED screens, and an ESP32 for internet connectivity. There’s also fiber optic TX and RX for talking to the valve controller, a trio of isolated hall-effect current sensors for measuring the generator phase current, through current transformers, four contactor outputs (a contactor is a high-current relay), a line voltage ADC, and the cherry on top — an electronic buzzer.

The valve controller has: 48 V input from either the PSU or battery, motor phase output, motor field drive output, 8 kV rated isolation relay, limit switch input, the other side of the optical fiber TX and RX for talking to the site controller board, and connectors for various purposes.

If you’re interested in seeing this dam control system being tested, check out the video embedded below.

youtube.com/embed/8laQxXGqc38?…


hackaday.com/2025/10/08/homebr…


Social media at a time of war


WELCOME BACK TO DIGITAL POLITICS. I'm Mark Scott, and I have many feelings about Sora, OpenAI's new AI-generated social media platform. Many of which are encapsulated by this video by Casey Neistat. #FreeTheSlop.

— The world's largest platforms have failed to respond to the highest level of global conflict since World War II.

— The semiconductor wars between China and the United States are creating a massive barrier between the world's two largest economies.

— China's DeepSeek performs significantly worse than its US counterparts on a series of benchmark tests.

Let's get started:


WHEN PLATFORM GOVERNANCE MEETS GLOBAL CONFLICT


OCT 7 MARKED THE 2-YEAR ANNIVERSARY of Hamas militants attacking Israel, killing roughly 1,200 citizens and engulfing the region in a seemingly endless conflict. Tens of thousands of Palestinians have died, many more have been displaced, and attacks (or the threat of attack) against both Israelis and Jews, worldwide, have skyrocketed.

I won't pretend to understand the complexities of the Israeli-Hamas war (more on that here, here and here). But the last two years have seen a slow degradation of the checks and safeguards that social media companies once had in place to protect users from war-related content, propaganda and illegal content now rife wherever you look online.

First, let's be clear. This isn't just an Israeli-Hamas issue. As we hurtle toward the end of 2025, there are currently almost 60 active state-based conflicts worldwide and global peace is at its lowest level in 80 years, according to statistics from the Institute for Economics and Peace.

That is not social media's fault. As much as it's easy to blame TikTok, YouTube and Instagram for the ills of the world, real-world violence is baked into generational conflicts, multitudes of overlapping socio-economic issues and other analogue touch-points that have nothing to do with people swiping on their phones.

But it's also true the recent spike in global conflicts has come at a time of collective retrenchment on trust and safety issues from social media giants that, at the bare minimum, have failed to stop some of the offline violence from spreading widely within online communities. Again, there's a causation versus correlation issue here that we must be careful with. But at a time of heightened polarization (and not just in the US and Europe), the capacity for tech platforms to be used to foment real-world instability and violence has never been higher.

Before I get irate complaints from those of you working within these companies, social media platforms have clear terms of service that are supposed to limit war-related content from spreading among users. You can review them here, here, here and here. But it's one thing to have clear-cut rules, and another to actively implement them.

Thanks for reading the free monthly version of Digital Politics. Paid subscribers receive at least one newsletter a week. If that sounds like your jam, please sign up here.

Here's what paid subscribers read in September:
— A series of legal challenges to online safety legislation challenge how these rules are implemented; The unintended consequences of failing to define "tech sovereignty;" Where the money really goes within the chip industry. More here.
— What most people don't understand about Brussels' strategy toward technology; Unpicking the dual antitrust decisions against Google from Brussels and Washington; AI chatbots still return too much false information. More here.
— The next transatlantic trade dispute will be about digital antitrust, not online safety; Washington's new foreign policy ambitions toward AI; The US' spending spree on data centers. More here.
— An inside look into the United Nations' takeover of AI governance; How the United Kingdom embraced the US "AI Stack;" People view the spread of false information as a higher threat than a faltering global economy. More here.
— Washington's proposed deal to untangle TikTok US from Bytedance is not what it first appears; How social media companies are speaking from both sides of their mouths on online safety; AI's expected boost to global trade. More here.

Social media companies' neglect related to conflicts outside the Western world has been a feature for years (more on that here.) Now, that same level of omission has seeped into conflicts, including those within the Middle East and Ukraine, that are closer to home for the Western public.

There are many reasons for this shift.

Companies like Alphabet and Meta have pared back their commitments to independent fact-checking which provided at least some pushback to government and non-state efforts to peddle falsehoods associated with these global conflicts. A shift to crowdsourced fact-checking — initially rolled out by X, and then followed by Meta — has yet to fill that void. That's mostly because companies have found it difficult to find consensus among their users about often divisive topics (including those related to warfare) which is required before these crowdsourced fact-checks are published.

Social media platforms have similarly spent the last three years gutting their existing trust and safety teams to the point where the industry is on life support. This was initially done for economic reasons. Faced with a struggling advertising sector in 2022, company executives sought cost savings, wherever they could, and internal trust and safety teams felt the brunt of those efforts. Fast forward to 2025, and there has been an ideological shift to "free speech" among many of these firms which makes any form of content moderation anathema to the current (US-focused) zeitgeist.

Third: politics. The current White House's aversion to online safety is well known. So too are the US Congress' accusations that other countries' digital regulation unfairly infringes on American citizens' First Amendment rights. But from India to Slovakia, there are growing local efforts to quell platforms' content moderation programs — and the associated domestic legislation that has sprouted up from Brazil to the United Kingdom. In that geopolitical context, social media firms have instituted a "go slow" on many of their internal systems — even if (at least in countries with existing online safety regulation) they still comply with domestic rules.

Making things more difficult is the platforms' increasingly adversarial relationship with outsiders seeking to hold these firms to account for their stated trust and safety policies. (Disclaimer: My day job puts me in this category, though my interactions with the companies remain cordial.) Researchers have found it increasingly difficult to access publicly-available social media data. Others have faced legal challenges to analyses which cast social media giants in an unfavorable light. Industry-linked funding for such independent "red-teaming" of platform weaknesses has fallen off a cliff.

Taken together, these four points represent a fundamental change in what had been, until now, a progressive multi-stakeholder approach to ridding global social media platforms of illegal and gruesome content — and not just related to warfare.

Before, companies, policymakers and outside groups worked together (often with difficulty) to make these social media networks a safe space for people to express themselves in ways that represented free speech rights and safeguarded individuals from hate. That coalition has now disintegrated amid a combination of hard-nosed economics, shifting geopolitics and fundamental differences over what constitutes tech companies' trust and safety obligations.

Each of the above points occurred separately. No one set out thinking that cutting back on internal trust and safety teams; ending relations with fact-checkers; kowtowing to a shift in geopolitics; and reducing ties to outside researchers would make it easier for conflict-related content to spread among these social media networks.

And yet, that is what happened.

Go onto any social media platform, and within a few clicks (if you know what you're doing), you can come face-to-face with gruesome war-torn content — or, at least, purported material associated with one of the 59 state-based conflicts active worldwide. Even if you're not seeking out such material, the collective pullback on trust and safety has raised the possibility that you will stumble over such content in your daily doomscroll.

That is the paradox we find ourselves in at the end of 2025.

In many ways, social media has become even more ingrained in everything from politics to the latest meme craze (cue: the rise of OpenAI's Sora.) But these platforms are less secure and protected than they have ever been — at a time when the world is engulfed in the highest level of subnational, national and regional warfare in multiple generations.


Chart of the Week


THE US CENTER FOR AI STANDARDS AND INNOVATION ran a series of tests — across four well-known sectors associated with the performance of large language models — between services offered by OpenAI, Anthropic and DeepSeek.

You have to take these results with a pinch of salt, as they come from a US federal agency. But across the board, China's LLM performed significantly worse than its US rivals.
Source: Center for AI Standards and Innovation


THE AI WARS: SEMICONDUCTOR EDITION


COMMON WISDOM IS THAT YOU NEED three elements to compete in the global race around artificial intelligence. In your "AI Stack," you need world-leading microchips, you need cloud computing infrastructure that's cheap and almost universal, and you need applications like large language models that can sit on top and drive user engagement. On that first component — semiconductors — China and the US are increasingly going down different paths.

Looking back, it almost was inevitable. Washington has long safeguarded world-leading chips (from both American firms and those of its allies) from Beijing via export bans and other strong-arm tactics. The goal: to ensure China's AI Stack was always one step behind its US counterpart.

Yet that strategy is starting to backfire. Yes, Western AI chips are still better than their Chinese equivalents. But the lack of access to such semiconductors has forced the world's second largest economy to invest billions in domestic production in the hopes of eventually catching up — and surpassing — the likes of Nvidia or Taiwan's Taiwan Semiconductor Manufacturing Company.

What has galvanized this Chinese resolve is the repeated efforts by both the Trump and Biden administrations to hobble Chinese firms' ability to access the latest semiconductors. In this never-ending 'will they, or won't they?' game of national security ping-pong, the Trump 2.0 administration agreed in August to allow Nvidia and AMD to sell pared-down versions of their latest chips to China — as long as they gave the US federal government a 15 percent slice of that export revenue. Principled diplomacy, it was not.

That plan appears to have backfired. Nvidia is now under an antitrust investigation from Chinese authorities for its takeover of Israeli chipmaker Mellanox in 2020. The Cyberspace Administration of China has also reportedly told the country's largest tech firms, including Alibaba, ByteDance and Baidu, to not buy Nvidia's semiconductor. Jensen Huang, chief executive of the US chip firm, said he was "disappointed" with that move (which has never been officially confirmed.)


Nvidia has invested millions to design China-specific microchips that both meet the national security limitations demanded by Washington and can be sold directly into the Middle Kingdom in ways that placate Beijing. If Chinese officials close the door — and require local firms to use domestic alternatives, many of which are reportedly almost on par with their Western rivals — then it's another indicator the US and China are on diverging paths when it comes to technological development.

Again, a lot of this was foreseeable. Repeated White House administrations urged American and Western chip and equipment firms to steer clear of China. In response, Beijing invested billions into local semiconductor production, much of which has remained at the lower level of sophistication. But as in other tech-related industries, Chinese manufacturers have steadily risen through the stack to now offer world-beating hardware. It's not unusual for that, eventually, to be the case in semiconductors.


What does this all mean for the politics of technology?

First, Western semiconductor firms offering pared-back versions of their latest chips to China may have the door shut on them. Beijing may need these manufacturers, in the short term. But don't expect that welcome to remain warm — especially as Western officials continue to rattle sabres.

Second, the need for Chinese firms to rely on (currently sub-par, but rapidly advancing) homegrown chips will lead to scrappy innovation once associated just with Silicon Valley. We can debate whether the meteoric rise of DeepSeek was truly as unique as first believed (based on the company's ties to the wider Chinese tech ecosystem.) But relying on second-tier semiconductors will force Chinese AI firms to be more nimble compared to their US counterparts with seemingly unlimited access to chips, compute power and data.

Third, the "splinternet" will come to hardware. I wrote this in 2017 to explain how the digital world was being balkanized into regional fiefdoms. The creation of rival semiconductor stacks — one led by the US, one led by China — will extend that division into the offline world. Companies will try to make the respective hardware interoperable. But it won't be in the interests of either party, as the separation expands between which semiconductors can work with other infrastructure worldwide, to maintain such networking capability.

In short, the global race between AI Stacks has entered a new era.


What I'm reading


— The Wikimedia Foundation published a human rights impact assessment on artificial intelligence and machine learning. More here.

— The European Centre of Excellence for Countering Hybrid Threats assessed the current strengths and weaknesses in the transatlantic fight against state-backed disinformation. More here.

— The Canadian government launched an AI Strategy Task Force and outlined its agenda for public feedback on the emerging technology. More here.

— The Appeals Centre Europe, which allows citizens to seek redress from social media companies under the EU's Digital Services Act, published its first transparency report. More here.

— Researchers outlined the growing differences between how countries are approaching the oversight and governance of artificial intelligence for the University of Oxford. More here.



digitalpolitics.co/newsletter0…


North Korean Hackers: $2 Billion in Cryptocurrency Stolen in Nine Months of Fraud


A network of hackers linked to North Korea has stolen more than $2 billion in cryptocurrency in the first nine months of 2025. Analysts at Elliptic call this figure the largest ever recorded, with three months of the year still to go.

The total amount stolen is estimated to have exceeded $6 billion, and according to the United Nations and several government agencies, these funds finance North Korea's missile and nuclear weapons programs.

According to Elliptic, the real figure could be higher, since attributing specific thefts to Pyongyang is difficult and requires blockchain analysis, examination of money-laundering patterns and intelligence work. In some cases the incidents match the characteristic patterns of North Korean groups only in part, while other episodes may never have been reported.

The main source of the record losses was the February attack on the Bybit exchange, which led to the theft of $1.46 billion in cryptocurrency. Other confirmed incidents this year include attacks on LND.fi, WOO X and Seedify. Elliptic also links more than 30 further incidents that were not publicly reported to North Korea. This figure is almost three times last year's and significantly exceeds the previous record set in 2022, when thefts of assets from services such as Ronin Network and Horizon Bridge were recorded.

At the same time, the attack vector has changed significantly. Whereas cybercriminals previously exploited vulnerabilities in the infrastructure of crypto services, they now increasingly use social engineering methods. The main losses in 2025 are due to deception, not technical flaws.

Wealthy users who lack corporate security mechanisms are at risk. They are attacked through fake contacts, phishing messages and convincing communication schemes, sometimes because of their connections with organizations that hold large amounts of digital assets. The weak link of the crypto sector is thus gradually becoming the human element.

At the same time, a race is developing between analysts and launderers. As blockchain tracing tools become more accurate, criminals are becoming more sophisticated in their schemes for moving stolen assets. A recent Elliptic report describes new approaches to hiding their tracks: multi-stage transaction mixing, cross-chain transfers between the Bitcoin, Ethereum, BTTC and Tron blockchains, the use of obscure networks with little analytical coverage, and the exploitation of "return addresses" that redirect funds to new wallets. Sometimes the criminals create and trade their own tokens, issued directly inside the networks where the laundering takes place. All this turns investigations into a cat-and-mouse game between investigators and highly skilled groups operating under state control.

Nevertheless, the transparency of the blockchain remains a key advantage for investigations. Every stolen coin leaves a digital trace that can be analyzed and linked to other transactions. According to the researchers, this makes the cryptocurrency ecosystem more resilient and reduces North Korea's ability to fund its military programs.

The $2 billion stolen in just nine months is a worrying signal of the scale of the threat. North Korean cyber units are becoming ever more inventive, but blockchain-based forensic tools help keep the balance, ensuring transparency and increasing the accountability of market operators. This constant battle for control of digital flows is deciding not only the fate of the cryptocurrency market but also matters of international security.

The article North Korean Hackers: $2 Billion in Cryptocurrency Stolen in Nine Months of Fraud comes from the cybersecurity blog.


Building the DVD Logo Screensaver with LEGO


The completed Lego DVD screensaver. (Credit: Grant Davis, YouTube)
There’s something extremely calming and pleasing about watching a screensaver that merely bounces some kind of image around, with the DVD logo screensaver of a DVD player being a good example. The logical conclusion is thus that it would be great to replicate this screensaver in Lego, because it’d be fun and easy. That’s where [Grant Davis]’s life got flipped upside-down, as this turned out to be anything but an easy task in his chosen medium.

Things got off on a rocky start with figuring out how to make the logo bounce against the side of the ‘screen’, instead of having it merely approach before backing off. The right approach here seemed to be Lego treads as used on e.g. excavators, which give the motion that nice pause before ‘bouncing’ back in the other direction.

With that seemingly solved, most of the effort went into assembling a functional yet sturdy frame, all driven by a single Lego Technic electromotor. Along the way there were many cases of rapid self-disassembly, ultimately leading to a complete redesign using worm gears, thus requiring running the gears both ways with help from a gearbox.

Since the screensaver is supposed to run unattended, many end-stop and toggle mechanisms were tried and discarded before settling on the design that would be used for the full-sized build. Naturally, scaling up always goes smoothly, so everything got redesigned and beefed up once again, with more motors added and multiple gearbox design changes attempted after some unfortunate shredded gears.

Ultimately [Grant] got what he set out to do: the DVD logo bouncing around on a Lego ‘TV’ in a very realistic fashion, set to the noise of Lego Technic gears and motors whirring away in the background.

Thanks to [Carl Foxmarten] for the tip.

youtube.com/embed/1sPK42-fzqU?…


hackaday.com/2025/10/08/buildi…


When Appointing a DPO, the Appointment Must Not Be a Secret!


The designation of the DPO follows the procedure set out in Art. 37(7) GDPR, which requires two steps: publishing the DPO's contact details and communicating them to the supervisory authority. A formal appointment is therefore a necessary but not sufficient condition, which is why the Italian Data Protection Authority (Garante Privacy) has repeatedly ruled on the matter, mostly sanctioning public bodies for failing to complete these additional steps.

These steps must, of course, be understood as anything but mere formalities, since fulfilling them establishes some of the fundamental preconditions for the effective performance of the tasks of the role.

Otherwise, the organization loses the ability to provide the DPO's point of contact to data subjects and to the supervisory authority alike, which reduces the role to the appointment alone, with no operational link.

Why it is not a formality.


Publishing the DPO's contact details serves to guarantee the role's position towards data subjects, as expressly provided for in Art. 38(4) GDPR:

Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.

This entails setting up a dedicated channel for which the confidentiality of communications is guaranteed, thereby overcoming any reluctance, especially on the part of internal staff, to report non-compliance or doubts.

Communicating the contact details, on the other hand, allows the DPO to perform the task of acting as the contact point for the supervisory authority under Art. 39(1)(e) GDPR, facilitating the dialogue through which, for example, the Garante Privacy can request clarifications or further information and obtain prompt responses.

The Garante Privacy's dedicated procedure requires at least one email address (ordinary email or PEC) and one telephone number (landline or mobile) to be provided.

This applies regardless of whether the DPO is internal or external.

As for the publication of the contact details, the designating entity is then asked to indicate the means by which it has chosen to publish them, which may include, for example, forms.

Must the name be published?


Given that the name must in any case be communicated to the supervisory authority, the question remains whether there is an obligation to publish the DPO's name. Since this is not specifically required, it is at most a recognized and widely shared good practice. The final word rests with the controller or processor, which, having assessed the circumstances, decides whether this information may be necessary or useful for the better protection of data subjects' rights.

For internal staff, on the other hand, the WP 243 Guidelines on Data Protection Officers recommend communicating the name. This can be done, for example, by publishing it on the intranet, in the organizational chart, or in the privacy notices given to employees.

The reason is simply to ensure the operational integration of the role, making it both easier to identify and easier to reach.

In short, this confirms that the designation of the DPO must not remain on paper.

Nor can it be forgotten in some drawer.

The article When Appointing a DPO, the Appointment Must Not Be a Secret! comes from the cybersecurity blog.


Redox OS Enables Multithreading by Default and Improves Performance


The developers of Redox OS, the operating system written in Rust, have enabled multithreading support by default on x86 systems. The feature was previously experimental, but after several bugs were fixed it has become an integral part of the platform. This delivers a considerable performance boost on modern desktops and laptops.

Redox OS was developed from scratch and implemented entirely in Rust, a language focused on safety and fault tolerance. Moving to a multithreaded model lets the system use CPU resources more efficiently and run parallel tasks faster, which is particularly important for desktop and server scenarios.

The team has also introduced several important optimizations. Handling of small files has been improved, system installation has been sped up, and LZ4 compression support has been added to the RedoxFS file system.

The developers call these changes a "fundamental step" in improving the speed and responsiveness of the operating system.

The update also includes improvements to applications and to the user experience. These affect the core tools and the interface, making the system more stable and easier to use day to day.

A convincing demonstration of the project's capabilities was the successful boot of Redox OS on the BlackBerry KEY2 LE and Google Pixel 3 smartphones. Although these are still test builds, the developers stress that the kernel and driver model are already versatile enough for mobile devices.

Redox OS remains one of the few operating systems developed from scratch in Rust and independent of Linux or BSD code. The project develops its own file system, kernel and environment, making it a unique example of a "pure" Rust approach to systems programming.

The article Redox OS Enables Multithreading by Default and Improves Performance comes from the cybersecurity blog.


Do You Have Teams? You're a Target! Microsoft's Platform in the Sights of States and Criminals


The Microsoft Teams collaboration platform has become a coveted target for attackers, as its wide adoption has made it a high-value objective. Its messaging, calling and screen-sharing features are being exploited for malicious purposes. According to a Microsoft advisory, both state-sponsored threat actors and cybercriminals are increasingly abusing Teams features and capabilities in their attack chains.

Threat actors misuse its core features, namely messaging (chat), calls, meetings and video-based screen sharing, at several points in the attack chain.

This raises the stakes for security leaders, who must proactively monitor, detect and respond. Although Microsoft's Secure Future Initiative (SFI) has strengthened security, the company stresses that security leaders must use the available security controls to harden their corporate Teams environments.

Attackers are exploiting the entire attack lifecycle within the Teams ecosystem, from initial reconnaissance to final impact, Microsoft said. It is a multi-stage process in which the platform's trusted status is exploited to infiltrate networks, steal data and distribute malware.

The attack chain often begins with reconnaissance, during which threat actors use open-source tools such as TeamsEnum and TeamFiltration to enumerate users, groups and tenants. They map organizational structures and identify security weaknesses, such as permissive external communication settings.

Attackers then move on to resource development, compromising legitimate tenants or creating new ones with custom branding in order to impersonate trusted entities such as IT support. Once a credible identity has been established, they proceed to initial access, often through social engineering tactics including tech-support scams.

A paradigmatic case is that of the threat actor Storm-1811, which posed as a support technician tasked with fixing alleged email problems and used that cover to deploy ransomware. A similar modus operandi was adopted by affiliates of the 3AM ransomware, who flooded employees with unsolicited email messages and then used Teams calls to persuade them to grant remote access.

After gaining a foothold, threat actors focus on maintaining persistence and escalating privileges. They may add their own guest accounts, abuse device code authentication flows to steal access tokens, or use phishing lures to distribute malware that guarantees long-term access.

The financially motivated group Octo Tempest has been observed using aggressive social engineering on Teams to compromise multi-factor authentication (MFA) for privileged accounts. With elevated access, attackers begin discovery and lateral movement. They use tools such as AzureHound to map the compromised organization's Microsoft Entra ID configuration and hunt for valuable data.

The article Do You Have Teams? You're a Target! Microsoft's Platform in the Sights of States and Criminals comes from the cybersecurity blog.
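The stages described above (an outside tenant posing as IT support, guest accounts being added, device-code flows abused for tokens) are observations a Teams administrator can hunt for in audit and sign-in data. What follows is an added example, not code from Microsoft or from the article: a small Python detector run over a constructed batch of events. The event schema, the field names (sender_tenant, auth_protocol, guest_upn and so on), the tenant ids and every sample value are this example's own simplifications, not Microsoft's log format, so the field mapping has to be adapted to whatever export you actually have.

```python
"""Added example: hunt for the Teams abuse stages in a constructed event feed.
The schema and all values below are made up for illustration (not Microsoft's)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Display names an outside tenant has no business using; the article's lure is "IT support"
SUPPORT_LURE = re.compile(
    r"\b(help ?desk|it[- ]?support|service ?desk|microsoft support)\b", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def detect(events, own_tenants, window=timedelta(minutes=60)):
    """Return one Finding per suspicious observation, in time order.

    Rules (mirroring the article's chain): an external sender posing as support
    (initial-access lure), a guest account being added (persistence), a
    device-code sign-in (token theft), and, as a correlated chain, a device-code
    sign-in for a user who received a lure within `window` beforehand."""
    findings = []
    lure_times = {}  # user -> timestamps of external "support" contacts
    for e in sorted(events, key=lambda ev: ev["time"]):
        kind, user = e["type"], e.get("user", "")
        when = datetime.fromisoformat(e["time"])
        if kind in ("teams_message", "teams_call") and e.get("sender_tenant") not in own_tenants:
            name = e.get("sender_display_name", "")
            if SUPPORT_LURE.search(name):
                findings.append(Finding("external_support_lure", user,
                                        f"{kind} from '{name}' (tenant {e.get('sender_tenant')})"))
                lure_times.setdefault(user, []).append(when)
        elif kind == "guest_added":
            findings.append(Finding("guest_user_added", user,
                                    f"guest {e.get('guest_upn')} added by {user}"))
        elif kind == "signin" and e.get("auth_protocol") == "deviceCode":
            findings.append(Finding("device_code_signin", user,
                                    f"device-code sign-in from {e.get('ip')}"))
            if any(timedelta(0) <= when - t <= window for t in lure_times.get(user, [])):
                findings.append(Finding("support_lure_then_device_code", user,
                                        "device-code sign-in shortly after an external support lure"))
    return findings


def summarize(findings):
    """Count findings per rule, the shape an alert or dashboard would consume."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample feed: one lured user, one benign internal helpdesk chat, one guest add
OWN_TENANTS = {"contoso-tenant-id"}  # assumption: the organisation's own tenant id(s)
SAMPLE_EVENTS = [
    {"type": "teams_message", "time": "2025-10-07T09:00:00", "user": "alice@contoso.example",
     "sender_tenant": "outside-tenant-id", "sender_display_name": "IT Support (Help Desk)"},
    {"type": "teams_call", "time": "2025-10-07T09:05:00", "user": "alice@contoso.example",
     "sender_tenant": "outside-tenant-id", "sender_display_name": "IT Support (Help Desk)"},
    {"type": "signin", "time": "2025-10-07T09:20:00", "user": "alice@contoso.example",
     "auth_protocol": "deviceCode", "ip": "198.51.100.23"},
    {"type": "teams_message", "time": "2025-10-07T10:00:00", "user": "bob@contoso.example",
     "sender_tenant": "contoso-tenant-id", "sender_display_name": "IT Support"},
    {"type": "signin", "time": "2025-10-07T10:30:00", "user": "bob@contoso.example",
     "auth_protocol": "oAuth2", "ip": "203.0.113.9"},
    {"type": "guest_added", "time": "2025-10-07T11:00:00", "user": "carol@contoso.example",
     "guest_upn": "helpdesk_outlook.example#EXT#@contoso.example"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, OWN_TENANTS):
        print(f"{f.rule:32} {f.user:24} {f.detail}")
    print(summarize(detect(SAMPLE_EVENTS, OWN_TENANTS)))
```

The internal "IT Support" message to bob is deliberately not flagged: the rule keys on sender tenant, not on the display name alone, which is what the article's point about external communication settings implies. The 60-minute correlation window is an assumption to tune against your own data.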


Mesmerizing Patterns from Simple Rules


Cool looking picture created with lots of particles

Nature is known for its intense beauty from its patterns and bright colors; however, this requires going outside. Who has time for that insanity!?!? [Bleuje] provides the perfect solution with his mesmerizing display of particle behavior.

Agents follow defined paths created by other agents.
These patterns of color and structure, based on 36 points, are formed from simple particles, also called agents. Each agent leaves behind a trail that adds to the pattern formation. Additionally, these trails act almost as pheromone trails, attracting other particles. This dispersion and attraction to trails create the feedback loops similar to those found in ant herd behavior or slime mold.

Complex patterns created by the algorithm can resemble many different biological formations, including slime mold.
Of course, none of this behavior would be very fun to mess with if you couldn’t change the parameters on the fly. This is one main feature of [Bleuje]’s implementation of the 36 points’ ideas. Being able to change settings quickly and interact with the environment itself allows for touching natural feeling patterns without exiting your house!
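To make the trail-and-feedback mechanism concrete, here is an added example in pure Python (not [Bleuje]'s code and not the 36 Points implementation the post refers to): each agent deposits onto a grid, samples the grid at three sensor points ahead of it, turns toward the strongest reading, and the whole grid is blurred and decayed every step. Grid size, sensor distance and angles, deposit and decay rates are this example's own choices.

```python
"""Added example: a minimal trail-following agent simulation (the physarum-style
feedback loop the post describes). Parameters below are illustrative choices."""
import math
import random


class TrailSim:
    """Agents deposit a trail, sense it ahead of them and steer toward the
    strongest reading; the trail then blurs and decays. The grid wraps around."""

    def __init__(self, width, height, n_agents, seed=0, sensor_dist=3.0,
                 sensor_angle=math.pi / 4, turn_angle=math.pi / 8,
                 step_len=1.0, deposit=1.0, decay=0.9):
        self.w, self.h = width, height
        self.sensor_dist, self.sensor_angle = sensor_dist, sensor_angle
        self.turn_angle, self.step_len = turn_angle, step_len
        self.deposit, self.decay = deposit, decay
        self.rng = random.Random(seed)  # seeded so a run is reproducible
        self.trail = [[0.0] * width for _ in range(height)]
        # each agent is [x, y, heading]
        self.agents = [[self.rng.uniform(0, width), self.rng.uniform(0, height),
                        self.rng.uniform(0, 2 * math.pi)] for _ in range(n_agents)]

    def _cell(self, x, y):
        return self.trail[int(math.floor(y)) % self.h][int(math.floor(x)) % self.w]

    def sense(self, x, y, heading, offset):
        """Read the trail at sensor_dist ahead, rotated by `offset` from the heading."""
        a = heading + offset
        return self._cell(x + math.cos(a) * self.sensor_dist,
                          y + math.sin(a) * self.sensor_dist)

    def step_agents(self):
        for ag in self.agents:
            x, y, hd = ag
            left = self.sense(x, y, hd, self.sensor_angle)
            centre = self.sense(x, y, hd, 0.0)
            right = self.sense(x, y, hd, -self.sensor_angle)
            if centre >= left and centre >= right:
                pass  # strongest reading straight ahead: keep heading
            elif left > right:
                hd += self.turn_angle
            elif right > left:
                hd -= self.turn_angle
            else:
                hd += self.rng.choice((-1.0, 1.0)) * self.turn_angle  # tie: random turn
            x = (x + math.cos(hd) * self.step_len) % self.w
            y = (y + math.sin(hd) * self.step_len) % self.h
            ag[:] = [x, y, hd]
            # deposit where the agent now stands (the pheromone-like trail)
            self.trail[int(y) % self.h][int(x) % self.w] += self.deposit

    def diffuse_and_decay(self):
        """3x3 mean blur with wraparound (sum-preserving), then multiply by decay."""
        old, new = self.trail, [[0.0] * self.w for _ in range(self.h)]
        for j in range(self.h):
            for i in range(self.w):
                s = 0.0
                for dj in (-1, 0, 1):
                    row = old[(j + dj) % self.h]
                    for di in (-1, 0, 1):
                        s += row[(i + di) % self.w]
                new[j][i] = s / 9.0 * self.decay
        self.trail = new

    def step(self):
        self.step_agents()
        self.diffuse_and_decay()

    def total_trail(self):
        return sum(sum(row) for row in self.trail)

    def render(self, chars=" .:-=+*#%@"):
        """ASCII picture of the trail, brightest cell mapped to the last char."""
        peak = max(max(row) for row in self.trail) or 1.0
        top = len(chars) - 1
        return "\n".join("".join(chars[min(top, int(v / peak * top))] for v in row)
                         for row in self.trail)


if __name__ == "__main__":
    sim = TrailSim(60, 30, 300, seed=1)
    for _ in range(150):
        sim.step()
    print(sim.render())
```

Because the blur is a wraparound mean, the only thing that removes trail is the decay factor, so the total trail converges to n_agents * deposit / (1 - decay); the interesting part, the branching structure, comes from where the agents choose to put it. Changing sensor_angle and sensor_dist on the fly is what the post describes as the fun of the interactive version.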

If you want to try out the simulation yourself, make sure to check out [Bleuje]’s GitHub repository of the project! While getting out of the house can be difficult, sometimes it’s good for you to see real natural patterns. For a great example of this hard work leading to great discoveries, look to this bio-inspired way of protecting boat hulls!

Thanks Adrian for the tip!


hackaday.com/2025/10/07/mesmer…


Tips for C Programming from Nic Barker


Diagram of C99 designated initializers.

If you’re going to be a hacker, learning C is a rite of passage. If you don’t have much experience with C, or if your experience is out of date, you very well may benefit from hearing [Nic Barker] explain tips for C programming.

In his introduction he notes that C, invented in the 70s by Dennis Ritchie, is now more than 50 years old. This old language still appears in lists of the most popular languages, although admittedly not at the top!

He notes that the major versions of C, named for the year they were released, are: C89, C99, C11, and C23. His recommendation is C99 because it has some features he doesn’t want to live without, particularly scoped variables and initializing structs with named members using designated initializers. Also C89 is plagued with non-standard integer types, and this is fixed by stdint.h in C99. Other niceties of C99 include compound literals and // for single-line comments.

He recommends the clang arguments -std=c99 to enable C99, -Wall to enable all warnings, and -Werror to treat warnings as errors. He then explains the Unity Build, where you simply include all of your module files from your main.c file.

It’s stressed that printf debugging is not the way to go in C and that you definitely want to be using a debugger. To elaborate on this point he explains what a segfault is and how they happen.

He goes on to explain memory corruption and how ASAN (AddressSanitizer) can help you find when it happens. Then he covers C’s support for arrays and strings, which is, admittedly, not very much! He shows you that it’s pretty easy to make your own array and string types though, potentially supporting slices as well.

Finally he explains how to use arenas for memory allocation and management for static, function, and task related memory.
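As an added example (not [Nic Barker]’s code), the following C99 program puts several of those tips together: designated initializers and compound literals for a length-prefixed Str slice type, the fixed-width types from stdint.h, a bump-pointer arena that hands out memory from one backing buffer and refuses requests that would run past it, and slicing without copying. The type and function names (Arena, Str, arena_push, str_slice and the rest) are this example’s own. Build with clang -std=c99 -Wall -Werror example.c.

```c
/* Added example: arena allocation plus a string slice type in C99.
   Names are this example's own, not from the video. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t *base;  /* backing buffer, owned by the caller */
    size_t   cap;   /* bytes available */
    size_t   used;  /* bytes handed out so far */
} Arena;

typedef struct {
    const char *data;  /* not necessarily NUL-terminated: always use len */
    size_t      len;
} Str;

/* Compound literal + designated initializer: a Str from a string literal. */
#define STR_LIT(s) ((Str){ .data = (s), .len = sizeof(s) - 1 })

Arena arena_from_buffer(uint8_t *buf, size_t cap) {
    return (Arena){ .base = buf, .cap = cap, .used = 0 };
}

/* Bump-allocate `size` zeroed bytes at a 16-byte boundary.
   Returns NULL instead of writing past the buffer when the arena is full. */
void *arena_push(Arena *a, size_t size) {
    size_t start = (a->used + 15) & ~(size_t)15;
    if (start > a->cap || size > a->cap - start) return NULL;
    void *p = a->base + start;
    memset(p, 0, size);
    a->used = start + size;
    return p;
}

/* Free everything at once: the whole point of an arena. */
void arena_reset(Arena *a) { a->used = 0; }

Str str_from_cstr(const char *s) { return (Str){ .data = s, .len = strlen(s) }; }

/* A sub-view [start, end) of s; bounds are clamped, nothing is copied. */
Str str_slice(Str s, size_t start, size_t end) {
    if (end > s.len) end = s.len;
    if (start > end) start = end;
    return (Str){ .data = s.data + start, .len = end - start };
}

int str_eq(Str a, Str b) { return a.len == b.len && memcmp(a.data, b.data, a.len) == 0; }

/* Concatenate into arena memory; the result is also NUL-terminated so it can
   be handed to functions that expect a C string. */
Str str_concat(Arena *a, Str x, Str y) {
    char *buf = arena_push(a, x.len + y.len + 1);
    if (!buf) return (Str){ .data = NULL, .len = 0 };
    memcpy(buf, x.data, x.len);
    memcpy(buf + x.len, y.data, y.len);
    buf[x.len + y.len] = '\0';
    return (Str){ .data = buf, .len = x.len + y.len };
}

int main(void) {
    static uint8_t backing[4096];
    Arena scratch = arena_from_buffer(backing, sizeof backing);
    Str hello = str_concat(&scratch, STR_LIT("hello, "), str_from_cstr("arena"));
    Str word = str_slice(hello, 7, hello.len);
    printf("%.*s | %.*s | equal=%d | used=%zu\n", (int)hello.len, hello.data,
           (int)word.len, word.data, str_eq(word, STR_LIT("arena")), scratch.used);
    arena_reset(&scratch);  /* one call releases every string built above */
    return 0;
}
```

Because str_slice returns a view into memory the arena owns, slices are only valid until arena_reset; that lifetime rule is the trade-off for never having to free individual strings.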

youtube.com/embed/9UIIMBqq1D4?…


hackaday.com/2025/10/07/tips-f…


Building a Diwheel to Add More Tank Controls to Your Commute


It’s often said that one should not reinvent the wheel, but that doesn’t mean that you cannot change how the use of said wheel should be interpreted. After initially taking the rather zany concept of a monowheel for a literal ride, [Sam Barker] decided to shift gears, did a ‘what if’ and slapped a second monowheel next to the first one to create his diwheel vehicle. Using much thicker steel for the wheels and overall much more robust construction than for his monowheel, the welding could commence.

It should be said here that the concept of a diwheel, or dicycle, isn’t entirely new, but the monowheel – distinct from a unicycle – is much older, with known builds at least as far back as the 19th century. Confusingly, self-balancing platforms like Segways are also referred to as ‘dicycles’, while a diwheel seems to refer specifically to what [Sam] built here. That said, diwheels are naturally stable even without gyroscopic action, which is definitely a big advantage.

The inner frame for [Sam]’s diwheel is built out of steel too, making it both very robust and very heavy. High-tech features include suspension for that smooth ride, and SLS 3D-printed nylon rollers between the inner frame and the wheels. After some mucking about with a DIY ‘lathe’ to work around some measurement errors, a lot more welding and some questionable assembly practices, everything came together in the end.

This is just phase one, however, as [Sam] will not be installing pedals like it’s an old-school monowheel. Instead it’ll have electrical drive, which should make it a bit less terrifying than the Ford Ka-based diwheel we featured in 2018, but rather close to the electric diwheel called EDWARD which we featured back in 2011. We hope to see part two of this build soon, in which [Sam] will hopefully take this beast for its first ride.

youtube.com/embed/xKOHrBmhexU?…


hackaday.com/2025/10/07/buildi…


JawnCon Returns This Weekend


For those local to the Philadelphia area, a “jawn” can be nearly anything or anyone — and at least for this weekend, it can even be a hacker con building up steam as it enters its third year. Kicking off this Friday at Arcadia University, JawnCon0x2 promises to be another can’t-miss event for anyone with a curious mind that lives within a reasonable distance of the Liberty Bell.

The slate of talks leans slightly towards the infosec crowd, but there’s really something for everyone on the schedule. Presentations such as Nothing is Safe: An Introduction to Hardware (In)Security and Making the GameTank – A New, Real 8-Bit Game Machine will certainly appeal to those of us who keep a hot soldering iron within arm’s reach, while Rolling Recon & Tire Prints: Perimeter Intrusion Detection and Remote Shenanigans via Rogue Tire Stem RF and Get More Radio Frequency Curious will certainly appeal to the radio enthusiasts.

Speaking of which, anyone who wants to make their interest in radio official can sit in on the Saturday study group led by Ed “N2XDD” Wilson, the Director of the American Radio Relay League (ARRL) Hudson Division. After lunch, you can take your exam to become a licensed ham, and still have time to check out the lockpicking demonstrations from the local TOOOL chapter, the Retro Show ‘n Tell area, and rummage through the self-replenishing table of free stuff that’s looking for a new home.

Attendees can also take part in a number of unique challenges and competitions inspired by the shared professional experience of the JawnCon organizers. One of the events will have attendees putting together the fastest Digital Subscriber Line (DSL) broadband connection, as measured by era-appropriate commercial gear. Easy enough with a spool of copper wire, but the trick here is to push the legendary resilience of DSL to the limit by using unusual conductors. Think wet strings and cooked pasta. There’s also a Capture The Flag (CTF) competition that will pit teams against each other as they work their way through customer support tickets at a fictional Internet service provider.

We were on the ground for JawnCon in 2024, and even had the good fortune to be present for the inaugural event back in 2023. While it may not have the name recognition of larger East Coast hacker cons, JawnCon is backed by some of the sharpest and most passionate folks we’ve come across in this community, and we’re eager to see the event grow in 2025 and beyond.


hackaday.com/2025/10/07/jawnco…


Qualcomm Introduces the Arduino Uno Q Linux-Capable SBC


Generally people equate the Arduino hardware platforms with MCU-centric options that are great for things like low-powered embedded computing, but less for running desktop operating systems. This looks about to change with the Arduino Uno Q, which keeps the familiar Uno form factor, but features both a single-core Cortex-M33 STM32U575 MCU and a quad-core Cortex-A53 Qualcomm Dragonwing QRB2210 SoC.

According to the store page the board will ship starting October 24, with the price being $44 USD. This gets you a board with the aforementioned SoC and MCU, as well as 2 GB of LPDDR4 and 16 GB of eMMC. There’s also a WiFi and Bluetooth module present, which can be used with whatever OS you decide to install on the Qualcomm SoC.

This new product comes right on the heels of Arduino being acquired by Qualcomm. Whether the Uno Q is a worthy purchase mostly depends on what you intend to use the board for, with the SoC’s I/O going via a single USB-C connector which is also used for its power supply. This means that a USB-C expansion hub is basically required if you want to have video output, additional USB connectors, etc. If you wish to run a headless OS install this would of course be much less of a concern.


hackaday.com/2025/10/07/qualco…


2025 Hackaday Supercon: More Wonderful Speakers


Supercon is just around the corner, and we’re absolutely thrilled to announce the second half of our slate! Supercon will sell out so get your tickets now before it’s too late. If you’re on the fence, we hope this pushes you over the line. And if it doesn’t, stay tuned — we’ve still got to tell you everything about the badge and the fantastic keynote speaker lineup.

(What? More than one keynote speaker? Unheard of!)

And as if that weren’t enough, there’s delicious food, great live music, hot soldering irons, and an absolutely fantastic crowd of the Hackaday faithful, and hopefully a bunch of new folks too. If you’re a Supercon fan, we’re looking forward to seeing you again, and if it’s your first time, we’ll be sure to make you feel welcome.

Amie Dansby and Karl Koscher
Hands-On Hardware: Chip Implants, Weird Hacks, and Questionable Decisions

What happens when your body is the dev board? Join Amie Dansby, who’s been living with four biochip implants for years, and Karl Koscher as they dive into the wild world of biohacking, rogue experiments, and deeply questionable decisions in the name of science, curiosity, and chaos.

Arsenio Menendez
Long Waves, Short Talk: A Practical IR Spectrum Guide

Whether you’re a seasoned sensor engineer or a newcomer join us in exploring the capabilities of SWIR, MWIR, and LWIR infrared bands. Learn how each wavelength range enables enhanced vision across a variety of environments, as well as how the IR bands are used in surveillance, industrial inspection, target tracking, and more.

Daniel [DJ] Harrigan
Bringing Animatronics to Life

This talk explores the considerations behind designing a custom Waldo/motion capture device that allows him to remotely puppet a complex animatronic with over twenty degrees of freedom. We’ll discuss the electrical, mechanical, and software challenges involved in creating a responsive, robust remote controller.

Daryll Strauss
Covert Regional Communication with Meshtastic

Learn how Meshtastic uses low-cost LoRa radios to build ad hoc mesh networks for secure, decentralized communication. We’ll cover fundamentals, hardware, configuration tips, and techniques to protect against threats, whether for casual chats, data sharing, or highly covert group communication.

Allie Katz and SJ Jones
Fireside Chat: Metal 3D Printing … in space?!

Metal 3D Printing … in space?! SJ Jones is an additive manufacturing solutions engineer and nobody knows metal printing for intense applications like they do. In this discussion they’ll be talking with designer and 3D printing expert Allie Katz about computational design, artful engineering, and 3D prints that can survive a rocket trip.

Davis DeWitt
Movie Magic and the Value of Practical Effects

What does it take to create something that’s never been seen before? In film and TV, special effects must not only work, but also feel alive. This talk explores how blending hardware hacking with art creates functional and emotional storytelling, from explosive stunts to robots with personality, these projects blur the lines between disciplines.

Aaron Eiche
The Magic of Electropermanent Magnets!

Electropermanent magnets are like magic, an electromagnet but permanently switchable with a bit of current and a few microseconds. Aaron shares the adventures in using cheap off-the-shelf components to build his own and how to make them work empirically.

Fangzheng Liu
CircuitScout: Probing PCBs the Easy Way

Debugging PCBs can be challenging and time-consuming. This talk dives into the open-source DIY project, CircuitScout. This small desktop machine system automates debugging by selecting pads from your schematic, locating them, and controlling a probe machine for safe, hands-free testing.

Joe Needleman
From Sunlight to Silicon

AI workloads consume significant energy, but what if it didn’t? This hands-on session shows how to design and run a solar-powered computer cluster, focusing on NVIDIA Jetson Orin hardware, efficient power pipelines, and software strategies for high performance under tight energy limits.

John Duffy
The Circuits Behind Your Multimeter

Everyone uses a multimeter, but do you know what’s inside? This talk explores the inner workings, plus insights from building one, the design choices, and the tradeoffs behind common models. Discover the hidden engineering that makes this everyday tool accurate, safe, and reliable.

Josh Martin
DIY Depth: Shooting and Printing 3D Images

3D photography isn’t just for vintage nerds or high-end tech! Learn how stereoscopic film cameras work, the mechanics of lenticular lenses and how to print convincing 3D images at home, plus dive into digitizing, aligning, and processing 3D images from analog sources.

Kay Antoniak
From bytes to bobbins: Driving an embroidery machine

This talk explores how an embroidery machine brings out the best of tinkering: production, customization, and creative hacks. Learn how to run your first job on that dusty makerspace machine, create your own patch using open-source tools, and see what extra capabilities lie beyond the basics.

Keith Penney
Ghostbus: Simpler CSR Handling in Verilog

Designing FPGA applications means wrangling CSRs and connecting busses, a tedious & error-prone task. This talk introduces Ghostbus, an approach that automates address assignment and bus routing entirely in Verilog to keep designs clean, maintainable, and functional.

Kumar Abhishek
Laser ablating PCBs

Once too expensive, PCB fabrication via laser ablation of copper is now accessible via commodity fiber laser engravers. This talk shares experiences in making boards using this chemical-free technique and how it can help in rapid prototyping.

Karl Koscher
rtlsdr.tv: Broadcast TV in your browser

This talk introduces rtlsdr.tv and will cover the basics of digital video streams, programmatically feeding live content to video through Media Source Extensions, and using WebUSB to interact with devices that previously required kernel drivers.

If you’re still here, get your tickets!


hackaday.com/2025/10/07/2025-h…


Can a Coin Cell Make 27 Volts?


We have all no doubt at some point released the magic smoke from a piece of electronics, it’s part of what we do. But sometimes it’s a piece of electronics we’re not quite ready to let go, and something has to be fixed. Chris Greening had a board just like that, a 27 volt generator from an LCD panel, and he crafted a new circuit for it.

The original circuit (which we think he may have drawn incorrectly), uses a small boost converter IC with the expected inductor and diode. His replacement is the tried and tested joule thief, but with a much higher base resistor than its normal application in simply maintaining a battery voltage. It sucks 10 mA from the battery and is regulated with a Zener diode, but there’s still further room for improvement. Adding an extra transistor and using the Zener as a feedback component causes the oscillator to shut off as the voltage increases, something which in this application is fine.

It’s interesting to see a joule thief pushed into a higher voltage application like this, but we sense perhaps it could be made more efficient by seeking out an equivalent to the boost converter chip. Or even a flyback converter.


hackaday.com/2025/10/07/can-a-…


Smart Bulbs Are Turning Into Motion Sensors


If you’ve got an existing smart home rig, motion sensors can be a useful addition to your setup. You can use them for all kinds of things, from turning on lights when you enter a room, to shutting off HVAC systems when an area is unoccupied. Typically, you’d add dedicated motion sensors to your smart home to achieve this. But what if your existing smart light bulbs could act as the motion sensors instead?

The Brightest Bulb In The Bulb Box


The most typical traditional motion sensors use passive infrared detection, wherein the sensor picks up on the infrared radiation emitted by a person entering a room. Other types of sensors include break-beam sensors, ultrasonic sensors, and cameras running motion-detection algorithms. All of these technologies can readily be used with a smart home system if so desired. However, they all require the addition of extra hardware. Recently, smart home manufacturers have been exploring methods to enable motion detection without requiring the installation of additional dedicated sensors.

Hue Are You?

The technology uses data on radio propagation between multiple smart bulbs to determine whether or not something (or someone) is moving through an area. Credit: Ivani
Philips has achieved this goal with its new MotionAware technology, which will be deployed on the company’s new Hue Bridge Pro base station and Hue smart bulbs. The company’s smart home products use Zigbee radios for communication. By monitoring small fluctuations in the Zigbee communications between the smart home devices, it’s possible to determine if a large object, such as a human, is moving through the area. This is done by looking at fluctuations in signal strength, latency, and bit error rates, which allows motion detection using Hue smart bulbs without any dedicated motion detection hardware.

Using MotionAware requires end users to buy the latest Philips Hue Bridge Pro base station. Is there some special magic built into this device, or does Philips merely want to charge users to upgrade to the new feature? Philips claims the new bridge is required because it’s powerful enough to run the AI-powered algorithms that sift the radio data and determine whether motion is occurring. The tech is based on IP from a company called Ivani, which developed Sensify, an RF sensing technology that works with WiFi, Bluetooth, and Zigbee signals.

To enable motion detection, multiple Hue bulbs must be connected to the same Hue Bridge Pro, with three to four lights used to create a motion sensing “area” in a given room. When setting up the system, the room must be vacated so the system can calibrate itself. This involves determining how the Zigbee radio signals propagate between devices when nobody—humans or animals—is inside. The system then uses variations from this baseline to determine if something is moving in the room. The system works whether the lights themselves are on or off, because the light isn’t used for sensing—as long as the bulb has power, it can use its radio for sensing motion. Philips notes this only increases standby power consumption by 1%, and a completely negligible amount while the light is actually “on” and outputting light.
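To make the calibrate-then-compare logic above concrete, here is an added example of the baseline-and-deviation approach. It is not Philips, Ivani or WiZ code: three bulbs are calibrated on an empty room, and motion is declared only when enough radio links between them deviate from their calibration at the same time. It assumes plain RSSI samples in dBm as the only metric (the page says MotionAware also uses latency and bit error rates), and the bulb names, thresholds and sample values are constructed.

```python
"""Baseline-and-deviation motion sensing over radio links between smart bulbs.
Added example with constructed data; not Philips, Ivani or WiZ code."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Link = Tuple[str, str]  # (bulb that transmitted, bulb that measured the signal)

# Constructed RSSI samples in dBm for three bulbs A, B, C forming one sensing area.
# Calibration run with the room empty: each link is steady to within about 1 dB.
EMPTY_ROOM: Dict[Link, List[float]] = {
    ("A", "B"): [-58, -59, -58, -57, -58, -59, -58, -58],
    ("B", "C"): [-63, -63, -62, -64, -63, -63, -62, -64],
    ("A", "C"): [-70, -71, -70, -70, -69, -70, -71, -70],
}
# A later window with nobody present: same quiet behaviour.
QUIET_WINDOW: Dict[Link, List[float]] = {
    ("A", "B"): [-58, -58, -59, -58, -57, -58, -58, -59],
    ("B", "C"): [-63, -62, -63, -64, -63, -63, -63, -62],
    ("A", "C"): [-70, -70, -71, -70, -70, -69, -70, -70],
}
# A window with a person walking between A-B and B-C; the A-C path is not crossed.
PERSON_WINDOW: Dict[Link, List[float]] = {
    ("A", "B"): [-52, -64, -55, -61, -50, -66, -57, -63],
    ("B", "C"): [-60, -67, -58, -69, -61, -66, -59, -68],
    ("A", "C"): [-70, -71, -70, -70, -70, -71, -69, -70],
}

SIGMA_FLOOR_DB = 0.5  # assumed: stops a perfectly flat calibration from flagging everything


def calibrate(empty_room: Dict[Link, List[float]]) -> Dict[Link, Tuple[float, float]]:
    """Per-link (mean, stdev) of RSSI while the room is known to be empty."""
    return {link: (mean(v), max(pstdev(v), SIGMA_FLOOR_DB)) for link, v in empty_room.items()}


def link_scores(baseline: Dict[Link, Tuple[float, float]],
                window: Dict[Link, List[float]]) -> Dict[Link, float]:
    """How far each link's window strays from its empty-room mean, in calibration sigmas."""
    return {link: mean(abs(s - baseline[link][0]) for s in samples) / baseline[link][1]
            for link, samples in window.items()}


def detect_motion(baseline: Dict[Link, Tuple[float, float]], window: Dict[Link, List[float]],
                  z_threshold: float = 3.0, min_links: int = 2) -> bool:
    """Declare motion only when at least `min_links` links deviate beyond `z_threshold`.
    Requiring several links at once damps a single noisy link (both thresholds assumed)."""
    disturbed = sum(1 for z in link_scores(baseline, window).values() if z > z_threshold)
    return disturbed >= min_links


if __name__ == "__main__":
    base = calibrate(EMPTY_ROOM)
    for name, window in (("quiet", QUIET_WINDOW), ("person", PERSON_WINDOW)):
        scores = {f"{a}-{b}": round(z, 1) for (a, b), z in link_scores(base, window).items()}
        print(name, scores, "motion" if detect_motion(base, window) else "no motion")
```

The `min_links` requirement is why a sensing area wants several bulbs: one link wobbling on its own (a neighbour's WiFi, a door in the next room) is not enough, while a person crossing the room perturbs two or three paths at once.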

There are some limitations to the use of this system. It’s primarily for indoor use, as Philips notes that the system benefits from the way radio waves bounce off surrounding interior walls and objects. Lights should also be separated from 1 to 7 meters apart for optimal use, and effectively create a volume between them in which motion sensing is most effective. Depending on local conditions, it’s also possible that the system may detect motion on adjacent levels or in nearby rooms, so sensitivity adjustment or light repositioning may be necessary. Notably, though, you won’t need new bulbs to use MotionAware. The system will work with all the Hue mains-powered bulbs that have been manufactured since 2014.

The WiZ Kids Were Way Ahead


Philips aren’t the only ones offering built-in motion sensing with their smart home bulbs. WiZ also has a product in this space, which is hardly coincidental given the company was acquired in 2019 by Philips’ own former lighting division. Unlike Philips Hue, WiZ products rely on WiFi for communication. The company’s SpaceSense technology again relies on perturbations in radio signals between devices, but using WiFi signals instead of Zigbee. What’s more, the company has been at this since 2022.

There are some notable differences in WiZ’s technology. SpaceSense is able to work with just two devices at a minimum, and not just lights: you can use any of the company’s newer lights, smart switches, or other devices, as long as they’re compatible with SpaceSense, which covers the vast majority of the company’s recent products.

youtube.com/embed/fPsBXFMXNAM?…

Ultimately, WiZ beat Philips by years with this tech. However, perhaps due to its lower market penetration, it didn’t make the same waves when SpaceSense dropped in 2022.

Radio Magic


We’ve seen similar feats before. It’s actually possible to get all kinds of useful information out of modern radio chipsets for physical sensing purposes. We’ve seen systems that measure a person’s heart rate using nothing more than perturbations in WiFi transmission over short distances, for example. When you know what you’re looking for, a properly-built algorithm can let you dig usable motion information out of your radio hardware.

Ultimately, it’s neat to see smart home companies expanding their offerings in this way. By leveraging the radio chipsets in existing smart bulbs, engineers have been able to pull out granular enough data to enable this motion-sensing parlour trick. If you’ve ever wanted your lounge room lights to turn on when you walk in, or a basic security notification when you’re out of the house, now you can do these kinds of things without having to add more hardware. Expect other smart home platforms to replicate this sort of thing in future if it proves practical and popular with end users.


A Childhood Dream, Created and Open Sourced


Some kids dream about getting a pony, others dream about a small form factor violin-style MIDI controller. [Brady Y. Lin] was one of the latter, and now, with the skills he’s learning at Northwestern, he can make that dream a reality — and share it with all of us as an open source hardware project.

The dream instrument’s name is Stradex1, and it’s a lovely bit of kit. The “fretless” neck is a SoftPot linear potentiometer being sampled by an ADS1115 ADC. That’s a 16-bit unit, so while one might pedantically argue that there are discrete frets, there are 2^15 of them, which is functionally the same as none at all. Certainly it’s enough resolution for continuous-sounding pitch control, as well as vibrato, as you can see at 3:20 in the demo video below. The four buttons that correspond to the four strings of a violin aren’t just push-buttons, but also contain force sensors (again, sampled by the 16-bit ADC) to allow for fine volume control of each tone.

A few other potentiometers flesh out the build, allowing control over different MIDI parameters, such as what key [Brady] is playing on. The body is a combination of 3D printed plastic and laser-cut acrylic, but [Brady] suggests you could also print the front and back panels if you don’t happen to have a laser cutter handy.

This project sounds great, and it satisfies the maker’s inner child, so what’s not to love? We’ve had lots of MIDI controllers on Hackaday over the years, everything from stringless guitars to wheel-less Hurdy-Gurdies, to say nothing of laser harps galore, but somehow we’ve never had a MIDI violin. The violin hacks we have featured tend to be either 3D printed or comically small.

If you like this project but don’t feel like fabbing and populating the PCB, [Brady] is going to be giving one away to his 1000th YouTube subscriber. As of this writing, he’s only got 800, so that could be you!

youtube.com/embed/0cMQYN_HLao?…


hackaday.com/2025/10/07/a-chil…


A Lorenz Teletype Shows Us Its Secrets


When we use the command line on Linux, we often refer to it as a terminal. It’s a word with a past invoking images of serial terminals, rows of green-screened machines hooked up to a central computer somewhere. Those in turn were electronic versions of mechanical teletypes, and it’s one of these machines we’re bringing you today. [DipDoT] has a Lorenz teletype from the 1950s, and he’s taking us through servicing and cleaning it, eventually showing us its inner workings.

The machine in question had been in storage for many years, but remained in good condition. Being this long out of use, though, meant it needed a thorough clean, so he sets about oiling the many hundreds of maintenance points listed in a Lorenz manual. It’s a pleasant surprise for us to see the keyboard and printer unit come away from the chassis for servicing so easily, and by stepping through its operation we can see how it works in detail. It even incorporates an identifier key (think of it as a mechanical ROM that stores a sequence of letters) which leads him to believe it may have come from a New York news office. The video is below the break, and makes for an interesting watch.

He’s going to use it with a relay computer, but if you don’t have one of those there are more modern ways to do it.

youtube.com/embed/XKv8w1sUX_o?…


hackaday.com/2025/10/07/a-lore…


DK 10x05 - ChatControl deve morire


We are still here talking about ChatControl, something that exists only in China and North Korea.
It is not a question of sides: sink it and let’s not talk about it any more.
To vote in favour of generalised surveillance of the population with the excuse of protecting children, you have to be an idiot, or in bad faith, or both.


spreaker.com/episode/dk-10x05-…


Why does the United States buy rare earths from China despite its own reserves?


In recent years, rare earths have returned to the centre of international debate, above all because of China’s dominant role in this strategic sector. Many ask: why does the United States have to buy rare earths from China, even though it holds significant reserves of its own?

US government data from 2022 clarify some aspects. China holds 44 million tonnes of rare earth reserves, 33.8% of global reserves, yet it accounts for 69.2% of world production.

The roots of Chinese supremacy


China’s advantage is not limited to the quantity of ore; it rests on decades of technological development and full integration of the industrial chain. As early as 1972 the chemist Xu Guangxian developed the theory of cascade extraction, which was successfully applied at industrial scale in 1974 at the Baotou steelworks.

This revolutionary method allowed China to overtake US production in 1986 and to control two thirds of global production in the 1990s, pushing many international producers out of the market.

From 2014 to 2023, six major companies were consolidated into two main groups, China Rare Earth and Northern Rare Earth, creating a complete supply chain for light, medium and heavy rare earths, with 92% of production capacity for permanent magnets, heavy rare earth purity of 6N grade (99.9999%), reuse of 85% of solid waste and an emissions reduction of over 60%.

What rare earths are and why they are strategic


The elements defined as “rare earths” comprise 15 lanthanides: lanthanum (La), cerium (Ce), praseodymium (Pr), neodymium (Nd), promethium (Pm), samarium (Sm), europium (Eu), gadolinium (Gd), terbium (Tb), dysprosium (Dy), holmium (Ho), erbium (Er), thulium (Tm), ytterbium (Yb) and lutetium (Lu), plus scandium and yttrium, for a total of 17 elements.

They are not rare in absolute terms: their abundance in the Earth’s crust is greater than that of copper and more than 90,000 times that of gold. However, the difficulty of separating and purifying them makes them complex to exploit industrially.

Rare earths are divided into light and heavy, but the classification is not based on atomic weight but on chemical and mineralogical behaviour. China is currently the only country in the world able to produce heavy rare earths at 6N purity, while other countries do not exceed 4N grade (99.99%).

The US story


In the 1960s and 1970s the United States, through the Molycorp Mining Corporation, dominated world rare earth production.

Extraction, however, brought thorium contamination with it. In 1980 the Nuclear Regulatory Commission (NRC), following guidance from the International Atomic Energy Agency, imposed stringent regulations, raising costs and causing the sector to contract.

The Mountain Pass mine closed in 1998 and for years the US lost its commercial purification capability, returning its attention to the issue only in 2002.

Xu Guangxian and Chinese innovation


China overtook foreign expertise thanks to innovations such as Xu Guangxian’s cascade extraction, based on the concept of a “constant mixed extraction ratio”. This methodology turned an empirical, slow and costly process into a theoretical, mathematical system applicable at large industrial scale as early as 1974.

In the following decades, techniques such as “three outlets”, “single-stage scale-up” and “grafting” consolidated China’s technological lead.

In 1986 Chinese production overtook that of the United States, and in the 1990s it represented over two thirds of the world market, leading to drastic falls in global prices and the closure of many foreign companies.

Modern industrial integration


From 2014 onward, China consolidated hundreds of companies into a few major groups, creating a complete industrial ecosystem. This made possible:

  • Stable production of heavy and light rare earths;
  • Superior production capacity for permanent magnets (over 92% of global production in 2020);
  • Control of industrial margins along the whole supply chain;
  • Better environmental management: reuse of 85% of solid waste and an emissions reduction of over 60%.



Abroad, plants such as Lynas in Malaysia have only recently reached comparable levels in the purification of heavy rare earths, while the US, despite investing almost a billion dollars in the Mountain Pass mine, is still unable to process heavy rare earths at industrial scale.

Conclusion


China’s dominant position in the global rare earth market does not derive solely from reserves, but from a complex combination of technological innovation, industrial integration and advanced environmental management.

Since 2000, the country has produced over 85% of the world’s rare earth ore and over 95% of smelting and separation products. Patents and new technologies continue to consolidate this advantage, making it difficult for other countries to reproduce the entire industrial chain.

The article “Why does the United States buy rare earths from China despite its own reserves?” comes from il blog della sicurezza informatica.


RediShell: a 13-year-old CVSS 10 RCE has been patched in Redis


A critical 13-year-old flaw in Redis, known as RediShell, allows remote code execution (RCE) and gives attackers the ability to take full control of the underlying host system.

The issue, tracked as CVE-2025-49844, was discovered by Wiz Research. It has been assigned the maximum severity on the CVSS scale, a score of 10.0, a rating reserved for the most critical security vulnerabilities.

Wiz Research’s analysis revealed a wide attack surface, with roughly 330,000 Redis instances exposed to the Internet. Alarmingly, around 60,000 of them have no authentication configured at all.

The flaw is caused by a Use-After-Free (UAF) memory-management error that has been present in the Redis code base for about thirteen years. It can be exploited by a malicious user who, after authenticating, sends a specially crafted Lua script.

Since Lua scripting is enabled by default, the attacker can escape the Lua sandbox and obtain arbitrary code execution on the Redis host.

At this level of access the attacker has full control, allowing them to hijack system resources for activities such as cryptocurrency mining, to move laterally across the network, and to steal, delete or encrypt data.

The potential impact is amplified by the ubiquity of Redis: an estimated 75% of cloud environments use the in-memory data store for caching, session management and messaging.

The attack flow begins with the attacker sending a malicious Lua script to the vulnerable Redis instance. After successfully exploiting the UAF bug to escape the sandbox, the attacker can establish a reverse shell for persistent access. From there they can compromise the whole host, stealing credentials such as SSH keys and IAM tokens, installing malware and exfiltrating sensitive data both from Redis and from the host machine.

On 3 October 2025 Redis published a security advisory and patched versions addressing CVE-2025-49844. All Redis users are strongly advised to update their instances immediately, prioritising those exposed to the Internet or running without authentication.
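The three conditions that make an instance an easy target for this bug are all visible in its configuration: reachable from the network, no authentication, and Lua scripting available to whoever can authenticate. The following added example (not Redis project code and not from the article) is a small static review of a redis.conf that flags those conditions, shown against a constructed weak configuration and a constructed hardened one. Denying the `@scripting` ACL category to application users is an assumed mitigation to shrink the EVAL attack surface while patches roll out; it is not a substitute for installing the fixed release, and the user names, password placeholder and finding codes are invented for the example.

```python
"""Static review of a redis.conf for the exposure conditions the article describes.
Added example with constructed configs; not Redis project code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the shape of the ~60,000 unauthenticated, exposed instances.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: loopback only, named ACL user with a secret, scripting denied.
# -@scripting is an assumed mitigation for the EVAL attack surface, not a patch substitute.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
user default off
user app on >replace-with-a-long-random-secret ~app:* &* +@all -@scripting
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::", "::*"}


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def parse_conf(text: str) -> List[Tuple[str, List[str]]]:
    """redis.conf is one directive per line; a '#' starts a comment only at line start."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, *args = line.split()
        directives.append((head.lower(), args))
    return directives


def acl_users(directives: List[Tuple[str, List[str]]], requirepass: bool) -> Dict[str, dict]:
    """Fold ACL 'user' rules left to right (later rules override earlier ones).
    Declared ACL users start with no permissions; the implicit default user has all."""
    users: Dict[str, dict] = {}
    for head, args in directives:
        if head != "user" or not args:
            continue
        name, rules = args[0], args[1:]
        u = users.setdefault(name, {"enabled": False, "secret": False, "scripting": False})
        for rule in rules:
            r = rule.lower()
            if r == "on":
                u["enabled"] = True
            elif r == "off":
                u["enabled"] = False
            elif r == "nopass":
                u["secret"] = False
            elif r[0] in ">#":  # cleartext or sha256-hashed password rule
                u["secret"] = True
            elif r in ("+@all", "allcommands", "+@scripting", "+eval", "+evalsha", "+fcall"):
                u["scripting"] = True
            elif r in ("-@all", "nocommands", "-@scripting"):
                u["scripting"] = False
    if "default" not in users:
        users["default"] = {"enabled": True, "secret": requirepass, "scripting": True}
    elif requirepass:
        users["default"]["secret"] = True
    return users


def review(text: str) -> List[Finding]:
    """Return the exposure findings for one redis.conf text."""
    directives = parse_conf(text)
    conf: Dict[str, List[List[str]]] = {}
    for head, args in directives:
        conf.setdefault(head, []).append(args)
    findings: List[Finding] = []

    # 1. Network exposure: no bind directive at all also means every interface.
    bind_args = [a.lstrip("-") for args in conf.get("bind", [[]]) for a in args]
    if not bind_args or ALL_INTERFACES & set(bind_args):
        findings.append(Finding("BIND_ALL", "listens on all interfaces"))
    if any(args[:1] == ["no"] for args in conf.get("protected-mode", [])):
        findings.append(Finding("PROTECTED_MODE_OFF", "protected-mode disabled"))

    # 2. Authentication and 3. scripting reach, checked per enabled ACL user.
    requirepass = any(args for args in conf.get("requirepass", []))
    for name, u in acl_users(directives, requirepass).items():
        if not u["enabled"]:
            continue
        if not u["secret"]:
            findings.append(Finding("NO_AUTH", f"user {name!r} needs no password"))
        if u["scripting"]:
            findings.append(Finding("SCRIPTING_ALLOWED", f"user {name!r} may send EVAL/EVALSHA/FCALL"))
    return findings


if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, [f"{f.code}: {f.detail}" for f in review(conf_text)] or ["no findings"])
```

Note that a `requirepass`-only configuration still yields `SCRIPTING_ALLOWED`: the bug needs an authenticated client that can send a script, so a leaked or weak application password is enough, and an ACL that denies `@scripting` to users who do not need it removes that path until the instance is patched.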

The article “RediShell: a 13-year-old CVSS 10 RCE has been patched in Redis” comes from il blog della sicurezza informatica.


A New Cartridge for an Old Computer


Although largely recognizable to anyone who had a video game console in the 80s or 90s, cartridges have long since disappeared from the computing world. These squares of plastic with a few ROM modules were a major route to get software for a time, not only for consoles but for PCs as well. Perhaps most famously, the Commodore VIC-20 and Commodore 64 had cartridge slots for both gaming and other software packages. As part of the Chip Hall of Fame created by IEEE Spectrum, [James] found himself building a Commodore cartridge more than three decades after last working in front of one of these computers.

[James] points out that even by the standards of the early 80s the Commodore cartridges were pretty low on specs. They’re limited to 16 kB, which means programming in assembly and doing things like interacting with video hardware directly. Luckily there’s a treasure trove of documentation about the C64 nowadays as well as a number of modern programming tools for them, in contrast to the 80s when tools and documentation were scarce or nonexistent. Hardware these days is cheap as well; the cartridge PCB and other hardware cost only a few dollars, and the case for it can easily be 3D printed.

Burning the software to the $3 ROM chip was straightforward as well with a TL866 programmer, although [James] left a piece of memory management code in the first pass which caused the C64 to lock up. Removing this code and flashing the chip again got the demo up and running though, and it’ll be on display at their travelling “Chips that Changed the World” exhibit. If you find yourself in the opposite situation, though, we’ve also seen projects that cleverly pull the data off of ancient C64 ROM chips for preservation.


hackaday.com/2025/10/06/a-new-…


Google Confirms Non-ADB APK Installs Will Require Developer Registration


After the news cycle recently exploded with the announcement that Google would require every single Android app to be from a registered and verified developer, while killing third-party app stores and sideloading in the process, Google has now tried to put out some of the fires with a new Q&A blog post and a video discussion (also embedded below).

When we first covered the news, all that was known for certain was the schedule, with the first trials beginning in October of 2025 before a larger rollout the next year. One of the main questions pertained to installing apps from sources that are not the Google Play Store. The answer here is that the only way to install an app without requiring one to go through the developer verification process is by installing the app with the Android Debug Bridge, or adb for short.

The upcoming major release of Android 16 will feature a new process called the Android Developer Verifier, which will maintain a local cache of popular verified apps. The remaining ones will require a call back to the Google mothership, where the full database will be maintained. In order to be a verified Android developer you must have a Google Play account, pay the $25 fee and send Google a scan of your government-issued ID. This doesn’t mean that you cannot also distribute your app via F-Droid; it does however mean that you need to be a registered Play Store developer, negating many of the benefits of those third-party app stores.

Although Google states that they will also introduce a ‘free developer account type’, this will only allow your app to be installed on a limited number of devices, without providing an exact number so far. Effectively this would leave having users install unsigned APKs via the adb tool as the sole way to circumvent the new system once it is fully rolled out by 2027. Google’s blog post is also soliciting feedback from the public on these changes.

youtube.com/embed/A7DEhW-mjdc?…


hackaday.com/2025/10/06/google…


Finding Simpler Schlieren Imaging Systems


A magnifying glass is seen behind a small tea candle. The magnifying glass is projecting the shadow of a column of heated air.

Perhaps the most surprising thing about shadowgraphs is how simple they are: you simply take a point source of light, pass the light through the volume of air to be imaged, and record the pattern projected on a screen; as light passes through the transition between areas with different refractive indices, it gets bent in a different direction, creating shadows on the viewing screen. [Degree of Freedom] started with these simple shadowgraphs, moved on to the more advanced schlieren photography, and eventually came up with a technique sensitive enough to register the body heat from his hand.

The most basic component in a shadowgraph is a point light source, such as the sun, which in experiments was enough to project the image of an escaping stream of butane onto a sheet of white paper. Better point sources make the imaging work over a wider range of distances from the source and projection screen, and a magnifying lens makes the image brighter and sharper, but smaller. To move from shadowgraphy to schlieren imaging, [Degree of Freedom] positioned a razor blade in the focal plane of the magnifying lens, so that it cut off light refracted by air disturbances, making their shadows darker. Interestingly, if the light source is small and point-like enough, adding the razor blade makes almost no difference in contrast.

With this basic setup under his belt, [Degree of Freedom] moved on to more unique schlieren setups. One of these replaced the magnifying lens with a standard camera lens in which the aperture diaphragm replaced the razor blade, and another replaced the light source and razor with a high-contrast black-and-white pattern on a screen. The most sensitive technique was what he called double-pinhole schlieren photography, which used a pinhole for the light source and another pinhole in place of the razor blade. This could image the heated air rising from his hand, even at room temperature.

The high-contrast background imaging system is reminiscent of this technique, which uses a camera and a known background to compute schlieren images. If you’re interested in a more detailed look, we’ve covered schlieren photography in depth before.

youtube.com/embed/kRyE-n9UaIg?…

Thanks to [kooshi] for the tip!


hackaday.com/2025/10/06/findin…