Wisconsin e Michigan senza telefono: Cellcom è stata attaccata. Niente chiamate per una settimana
Gli abbonati dell’operatore di telecomunicazioni Cellcom, che serve gli utenti del Wisconsin e dell’Upper Michigan (USA), sono rimasti senza comunicazione per quasi una settimana: non potevano né chiamare né inviare SMS. Solo pochi giorni dopo l’inizio dell’incidente l’azienda ha ammesso ciò che era già stato sospettato: un attacco informatico aveva causato i massicci disagi.
Inizialmente, l’operatore ha definito l’incidente un malfunzionamento tecnico, assicurando che la trasmissione dati, iMessage, i messaggi RCS e le chiamate di emergenza al 911 hanno continuato a funzionare. Tuttavia, gli utenti esprimevano sempre più insoddisfazione per la mancanza di comunicazione e l’impossibilità di trasferire un numero a un altro operatore: i sistemi interni di Cellcom semplicemente non funzionavano.
Ora l’amministratore delegato dell’azienda, Brigid Riordan, ha confermato ufficialmente che si tratta di un “incidente informatico”.
In una lettera agli abbonati, ha sottolineato che l’azienda aveva messo in atto dei protocolli di risposta e che il team aveva seguito tali piani fin dall’inizio. Le misure adottate includono l’intervento di esperti esterni in sicurezza informatica, la notifica all’FBI e alle autorità del Wisconsin e il lavoro 24 ore su 24 per ripristinare i sistemi.
L’attacco ha colpito solo un segmento separato dell’infrastruttura, non correlato all’archiviazione dei dati personali. Finora non ci sono state prove di fughe di informazioni, compresi nomi, indirizzi e dati finanziari degli abbonati.
Al momento alcuni servizi vengono gradualmente ripristinati. Il 19 maggio gli utenti hanno potuto scambiarsi SMS ed effettuare chiamate all’interno della rete Cellcom. Tuttavia, i tempi necessari per una completa ripresa restano incerti. Nella sua pagina degli aggiornamenti, la società ha affermato che prevede di ripristinare tutti i servizi entro la fine della settimana, ma non è riuscita a fornire una data esatta.
Per gli abbonati il cui ripristino della connessione è in ritardo, viene offerto un modo semplice per provare a ripristinare il servizio: attivare la modalità aereo per 10 secondi, quindi disattivarla. Se il problema persiste, riavviare il dispositivo.
Nonostante le crescenti critiche per la lenta risposta, Cellcom ha iniziato a essere più aperta sulla situazione: oltre alla lettera, l’amministratore delegato ha anche registrato un videomessaggio in cui spiega la situazione attuale e i progressi della ripresa. L’azienda non ha rilasciato dichiarazioni in merito al possibile attacco ransomware.
La situazione attuale dimostra quanto possa diventare critica la dipendenza dalla stabilità delle infrastrutture digitali, anche a livello regionale. Allo stesso tempo, Cellcom sottolinea di essersi preparata in anticipo a simili incidenti, ma che le conseguenze sono state comunque avvertite da decine di migliaia di utenti.
L'articolo Wisconsin e Michigan senza telefono: Cellcom è stata attaccata. Niente chiamate per una settimana proviene da il blog della sicurezza informatica.
Gene Editing Spiders to Produce Red Fluorescent Silk
Continuing the scientific theme of adding fluorescent proteins to everything that moves, this time spiders found themselves at the pointy end of the CRISPR-Cas9 injection needle. In a study by researchers at the University of Bayreuth, common house spiders (Parasteatoda tepidariorum) had a gene inserted for a red fluorescent protein in addition to having an existing gene for eye development disabled. This was the first time that spiders have been subjected to this kind of gene-editing study, mostly due to how fiddly they are to handle as well as their genome duplication characteristics.
In the research paper in Angewandte Chemie the methods and results are detailed, with the knock-out approach of the sine oculis (C1) gene being tried first as a proof of concept. The CRISPR solution was injected into the ovaries of female spiders, whose offspring then carried the mutation. With clear deficiencies in eye development observable in this offspring, the researchers moved on to adding the red fluorescent protein gene with another CRISPR solution, which targets the major ampullate gland where the silk is produced.
Ultimately, this research serves to demonstrate that it is possible to not only study spiders in more depth these days using tools like CRISPR-Cas9, but also that it is possible to customize and study spider silk production.
High Voltage for Extreme Ozone
Don’t you hate it when making your DIY X-ray machine you make an uncomfortable amount of ozone gas? No? Well [Hyperspace Pirate] did, which made him come up with an interesting idea. While creating a high voltage supply for his very own X-ray machine, the high voltage corona discharge produced a very large amount of ozone. However, normally ozone is produced using lower voltage, smaller gaps, and large surface areas. Naturally, this led [Hyperspace Pirate] to investigate if a higher voltage method is effective at producing ozone.
Using a custom 150kV converter, [Hyperspace Pirate] was able to test the large gap method compared to the lower voltage method (dielectric barrier discharge). An ammonia reaction with the ozone allowed our space buccaneer to test which method was able to produce more ozone, as well as some variations of the designs.
Large 150kV gaps proved slightly effective but with no large gains, at least not compared to the dielectric barrier method. Of which, glass as the dielectric leads straight to holes, and HTPE gets cooked, but in the end, he was able to produce a somewhat sizable amount of ammonium nitrate. The best design included two test tubes filled with baking soda and their respective electrodes. Of course, this comes with the addition of a very effective ozone generator.
While this project is very thorough, [Hyperspace Pirate] himself admits the extreme dangers of high ozone levels, even getting close enough to LD50 levels for worry throughout out his room. This goes for when playing with high voltage in general kids! At the end of the day even with potential asthma risk, this is a pretty neat project that should probably be left to [Hyperspace Pirate]. If you want to check out other projects from a distance you should look over to this 20kW microwave to cook even the most rushed meals!
youtube.com/embed/HZYWpZYuRKc?…
Thanks to [Mahdi Naghavi] for the Tip!
FLOSS Weekly Episode 833: Up and Over
This week, Jonathan Bennett and Jeff Massie chat with Tom Herbert about eBPF, really fast networking, what the future looks like for high performance computing and the Linux Kernel, and more!
youtube.com/embed/v9P5em2r0fo?…
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
play.libsyn.com/embed/episode/…
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Places to follow the FLOSS Weekly Podcast:
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
hackaday.com/2025/05/21/floss-…
Field Testing An Antenna, Using A Field
The ARRL used to have a requirement that any antenna advertised in their publications had to have real-world measurements accompanying it, to back up any claims of extravagant performance. I’m told that nowadays they will accept computer simulations instead, but it remains true that knowing what your antenna does rather than just thinking you know what it does gives you an advantage. I was reminded of this by a recent write-up in which the performance of a mylar sheet as a ground plane was tested at full power with a field strength meter, because about a decade ago I set out to characterise an antenna using real-world measurements and readily available equipment. I was in a sense field testing it, so of course the first step of the process was to find a field. A real one, with cows.
Walking Round And Round A Field In The Name Of Science
The process I was intending to follow was simple enough. Set up the antenna in the middle of the field, have it transmit some RF, and measure the signal strength at points along a series of radial lines away from it I’d end up with a spreadsheet, from which I could make a radial plot that would I hoped, give me a diagram showing its performance. It’s a rough and ready methodology, but given a field and a sunny afternoon, not one that should be too difficult.
I was more interested in the process than the antenna, so I picked up my trusty HB9CV two-element 144MHz antenna that I’ve stood and pointed at the ISS many times to catch SSTV transmissions. It’s made from two phased half-wave radiators, but it can be seen as something similar to a two-element Yagi array. I ran a long mains lead oput to a plastic garden table with the HB9CV attached, and set up a Raspberry Pi whose clock would produce the RF.
My receiver would be an Android tablet with an RTL-SDR receiver. That’s pretty sensitive for this purpose, so my transmitter would have to be extremely low powered. Ideally I would want no significant RF to make it beyond the boundary of the field, so I gave the Pi a resistive attenuator network designed to give an output of around 0.03 mW, or 30 μW. A quick bit of code to send my callsign as CW periodically to satisfy my licence conditions, and I was off with the tablet and a pen and paper. Walking round the field in a polar grid wasn’t as easy as it might seem, but I had a very long tape measure to help me.
A Lot Of Work To Tell Me What I Already Knew
I ended up with a page of figures, and then a spreadsheet which I’m amused to still find in the depths of my project folder. It contains a table of angles of incidence to the antenna versus metres from the antenna, and the data points are the figure in (uncalibrated) mV that the SDR gave me for the carrier at that point. The resulting polar plot shows the performace of the antenna at each angle, and unsurprisingly I proved to myself that a HB9CV is indeed a directional antenna.
My experiment was in itself not of much use other than to prove to myself I could characterise an antenna with extremely basic equipment. But then again it’s possible that in times past this might have been a much more difficult task, so knowing I can do it at all is an interesting conclusion.
A New Mac Plus Motherboard, No Special Chips Required
The Macintosh Plus was Apple’s third version on the all-in-one Mac, and for its time it was a veritable powerhouse. If you don’t have one here in 2025 there are a variety of ways to emulate it, but should you wish for something closer to the silicon there’s now [max1zzz]’s all-new Mac Plus motherboard in a mini-ITX form factor to look forward to.
As with other retrocomputing communities, the classic Mac world has seen quite a few projects replacing custom parts with modern equivalents. Thus it has reverse engineered Apple PALs, a replacement for the Sony sound chip, an ATtiny based take on the Mac real-time clock, and a Pi Pico that does VGA conversion. It’s all surface mount save for the connectors and the 68000, purely because a socketed processor allows for one of the gold-and-ceramic packages to be used. The memory is soldered, but with 4 megabytes, this is well-specced for a Mac Plus.
At the moment it’s still in the prototype spin phase, but plenty of work is being done and it shows meaningful progress towards an eventual release to the world. We are impressed, and look forward to the modern takes on a Mac Plus which will inevitably come from it. While you’re waiting, amuse yourself with a lower-spec take on an early Mac.
Thanks [DosFox] for the tip.
Big Chemistry: Fuel Ethanol
If legend is to be believed, three disparate social forces in early 20th-century America – the temperance movement, the rise of car culture, and the Scots-Irish culture of the South – collided with unexpected results. The temperance movement managed to get Prohibition written into the Constitution, which rankled the rebellious spirit of the descendants of the Scots-Irish who settled the South. In response, some of them took to the backwoods with stills and sacks of corn, creating moonshine by the barrel for personal use and profit. And to avoid the consequences of this, they used their mechanical ingenuity to modify their Fords, Chevrolets, and Dodges to provide the speed needed to outrun the law.
Though that story may be somewhat apocryphal, at least one of those threads is still woven into the American story. The moonshiner’s hotrod morphed into NASCAR, one of the nation’s most-watched spectator sports, and informed much of the car culture of the 20th century in general. Unfortunately, that led in part to our current fossil fuel predicament and its attendant environmental consequences, which are now being addressed by replacing at least some of the gasoline we burn with the same “white lightning” those old moonshiners made. The cost-benefit analysis of ethanol as a fuel is open to debate, as is the wisdom of using food for motor fuel, but one thing’s for sure: turning corn into ethanol in industrially useful quantities isn’t easy, and it requires some Big Chemistry to get it done.
Heavy on the Starch
As with fossil fuels, manufacturing ethanol for motor fuel starts with a steady supply of an appropriate feedstock. But unlike the drilling rigs and pump jacks that pull the geochemically modified remains of half-billion-year-old phytoplankton from deep within the Earth, ethanol’s feedstock is almost entirely harvested from the vast swathes of corn that carpet the Midwest US (Other grains and even non-grain plants are used as feedstock in other parts of the world, but we’re going to stick with corn for this discussion. Also, other parts of the world refer to any grain crop as corn, but in this case, corn refers specifically to maize.)
The corn used for ethanol production is not the same as the corn-on-the-cob at a summer barbecue or that comes in plastic bags of frozen Niblets. Those products use sweet corn bred specifically to pack extra simple sugars and less starch into their kernels, which is harvested while the corn plant is still alive and the kernels are still tender. Field corn, on the other hand, is bred to produce as much starch as possible, and is left in the field until the stalks are dead and the kernels have converted almost all of their sugar into starch. This leaves the kernels dry and hard as a rock, and often with a dimple in their top face that gives them their other name, dent corn.
Each kernel of corn is a fruit, at least botanically, with all the genetic information needed to create a new corn plant. That’s carried in the germ of the kernel, a relatively small part of the kernel that contains the embryo, a bit of oil, and some enzymes. The bulk of the kernel is taken up by the endosperm, the energy reserve used by the embryo to germinate, and as a food source until photosynthesis kicks in. That energy reserve is mainly composed of starch, which will power the fermentation process to come.
Starch is mainly composed of two different but related polysaccharides, amylose and amylopectin. Both are polymers of the simple six-carbon sugar glucose, but with slightly different arrangements. Amylose is composed of long, straight chains of glucose molecules bound together in what’s called an α-1,4 glycosidic bond, which just means that the hydroxyl group on the first carbon of the first glucose is bound to the hydroxyl on the fourth carbon of the second glucose through an oxygen atom:
Amylose chains can be up to about 500 or so glucose subunits long. Amylopectin, on the other hand, has shorter straight chains but also branches formed between the number one and number six carbon, an α-1,6 glycosidic bond. The branches appear about every 25 residues or so, making amylopectin much more tangled and complex than amylose. Amylopectin makes up about 75% of the starch in a kernel.
Slurry Time
Ethanol production begins with harvesting corn using combine harvesters. These massive machines cut down dozens of rows of corn at a time, separating the ears from the stalks and feeding them into a threshing drum, where the kernels are freed from the cob. Winnowing fans and sieves separate the chaff and debris from the kernels, which are stored in a tank onboard the combine until they can be transferred to a grain truck for transport to a grain bin for storage and further drying.
Once the corn is properly dried, open-top hopper trucks or train cars transport it to the distillery. The first stop is the scale house, where the cargo is weighed and a small sample of grain is taken from deep within the hopper by a remote-controlled vacuum arm. The sample is transported directly to the scale house for a quick quality assessment, mainly based on moisture content but also the physical state of the kernels. Loads that are too wet, too dirty, or have too many fractured kernels are rejected.
Loads that pass QC are dumped through gates at the bottom of the hoppers into a pit that connects to storage silos via a series of augers and conveyors. Most ethanol plants keep a substantial stock of corn, enough to run the plant for several days in case of any supply disruption. Ethanol plants operate mainly in batch mode, with each batch taking several days to complete, so a large stock ensures the efficiency of continuous operation.
To start a batch of ethanol, corn kernels need to be milled into a fine flour. Corn is fed to a hammer mill, where large steel weights swinging on a flywheel smash the tough pericarp that protects the endosperm and the germ. The starch granules are also smashed to bits, exposing as much surface area as possible. The milled corn is then mixed with clean water to form a slurry, which can be pumped around the plant easily.
The first stop for the slurry is large cooking vats, which use steam to gently heat the mixture and break the starch into smaller chains. The heat also gelatinizes the starch, in a process that’s similar to what happens when a sauce is thickened with a corn starch slurry in the kitchen. The gelatinized starch undergoes liquefaction under heat and mildly acidic conditions, maintained by injecting sulfuric acid or ammonia as needed. These conditions begin hydrolysis of some of the α-1,4 glycosidic bonds, breaking the amylose and amylopectin chains down into shorter fragments called dextrin. An enzyme, α-amylase, is also added at this point to catalyze the α-1,4 bonds to create free glucose monomers. The α-1,6 bonds are cleaved by another enzyme, α-amyloglucosidase.
The Yeast Get Busy
The result of all this chemical and enzymatic action is a glucose-rich mixture ready for fermentation. The slurry is pumped to large reactor vessels where a combination of yeasts is added. Saccharomyces cerevisiae, or brewer’s yeast, is the most common, but other organisms can be used too. The culture is supplemented with ammonia sulfate or urea to provide the nitrogen the growing yeast requires, along with antibiotics to prevent bacterial overgrowth of the culture.
Fermentation occurs at around 30 degrees C over two to three days, while the yeast gorge themselves on the glucose-rich slurry. The glucose is transported into the yeast, where each glucose molecule is enzymatically split into two three-carbon pyruvate molecules. The pyruvates are then broken down into two molecules of acetaldehyde and two of CO2. The two acetaldehyde molecules then undergo a reduction reaction that creates two ethanol molecules. The yeast benefits from all this work by converting two molecules of ADP into two molecules of ATP, which captures the chemical energy in the glucose molecule into a form that can be used to power its metabolic processes, including making more yeast to take advantage of the bounty of glucose.
After the population of yeast grows to the point where they use up all the glucose, the mix in the reactors, which contains about 12-15% ethanol and is referred to as beer, is pumped into a series of three distillation towers. The beer is carefully heated to the boiling point of ethanol, 78 °C. The ethanol vapors rise through the tower to a condenser, where they change back into the liquid phase and trickle down into collecting trays lining the tower. The liquid distillate is piped to the next two towers, where the same process occurs and the distillate becomes increasingly purer. At the end of the final distillation, the mixture is about 95% pure ethanol, or 190 proof. That’s the limit of purity for fractional distillation, thanks to the tendency of water and ethanol to form an azeotrope, a mixture of two or more liquids that boils at a constant temperature. To drive off the rest of the water, the distillate is pumped into large tanks containing zeolite, a molecular sieve. The zeolite beads have pores large enough to admit water molecules, but too small to admit ethanol. The water partitions into the zeolite, leaving 99% to 100% pure (198 to 200 proof) ethanol behind. The ethanol is mixed with a denaturant, usually 5% gasoline, to make it undrinkable, and pumped into storage tanks to await shipping.
Nothing Goes to Waste
The muck at the bottom of the distillation towers, referred to as whole stillage, still has a lot of valuable material and does not go to waste. The liquid is first pumped into centrifuges to separate the remaining grain solids from the liquid. The solids, called wet distiller’s grain or WDG, go to a rotary dryer, where hot air drives off most of the remaining moisture. The final product is dried distiller’s grain with solubles, or DDGS, a high-protein product used to enrich animal feed. The liquid phase from the centrifuge is called thin stillage, which contains the valuable corn oil from the germ. That’s recovered and sold as an animal feed additive, too.
The final valuable product that’s recovered is the carbon dioxide. Fermentation produces a lot of CO2, about 17 pounds per bushel of feedstock. The gas is tapped off the tops of the fermentation vessels by CO2 scrubbers and run through a series of compressors and coolers, which turn it into liquid carbon dioxide. This is sold off by the tanker-full to chemical companies, food and beverage manufacturers, who use it to carbonate soft drinks, and municipal water treatment plants, where it’s used to balance the pH of wastewater.
There are currently 187 fuel ethanol plants in the United States, most of which are located in the Midwest’s corn belt, for obvious reasons. Together, these plants produced more than 16 billion gallons of ethanol in 2024. Since each bushel of corn yields about 3 gallons of ethanol, that translates to an astonishing 5 billion bushels of corn used for fuel production, or about a third of the total US corn production.
VanHelsing Ransomware: il codice sorgente trapelato rivela segreti sconcertanti
Il codice sorgente del pannello affiliato del malware VanHelsing RaaS (ransomware-as-a-service) è stato reso di pubblico dominio. Non molto tempo prima, l’ex sviluppatore aveva provato a vendere il codice sorgente sul forum di hacking RAMP.
Il ransomware VanHelsing è stato lanciato nel marzo 2025 e i suoi creatori hanno affermato che era in grado di attaccare sistemi basati su Windows, Linux, BSD, ARM ed ESXi. Secondo Ransomware.live, da allora almeno otto vittime sono state preda di attacchi ransomware.
All’inizio di questa settimana, qualcuno che utilizzava il nickname th30c0der ha tentato di vendere sul darknet il codice sorgente del pannello e dei siti affiliati di VanHelsing, nonché build di ransomware per Windows e Linux. Il prezzo sarebbe stato determinato da una asta, con un’offerta iniziale di 10.000 dollari.
“Vendita del codice sorgente del ransomware vanhelsing: chiavi TOR incluse + pannello di amministrazione web + chat + file server + blog, inclusi tutti i database”, ha scritto th30c0der sul forum di hacking RAMP.
Secondo il ricercatore di sicurezza informatica Emanuele De Lucia, gli operatori di VanHelsing hanno deciso di anticipare il venditore e hanno pubblicato loro stessi il codice sorgente del ransomware. Hanno anche affermato che th30c0der è uno dei loro ex sviluppatori di malware che cerca di truffare la gente e vendere vecchi codici sorgente.
“Oggi annunciamo che pubblicheremo i vecchi codici sorgente e che presto pubblicheremo una nuova e migliorata versione del locker (VanHelsing 2.0)”, hanno affermato gli operatori di VanHelsing su RAMP.
In risposta a ciò, th30c0der ha affermato che le sue informazioni sono più complete, poiché gli sviluppatori di VanHelsing non hanno pubblicato il Linux Builder né alcun database, il che potrebbe essere particolarmente utile per le forze dell’ordine e i ricercatori sulla sicurezza informatica.
I giornalisti della rivista Bleeping Computer hanno studiato i codici sorgente pubblicati e hanno confermato che contengono un vero e proprio builder per la versione Windows del malware, nonché il codice sorgente per il pannello di affiliazione e il sito per il “drenaggio” dei dati.
Secondo i ricercatori, il codice sorgente del builder è un pasticcio e i file di Visual Studio si trovano nella cartella Release, solitamente utilizzata per archiviare i file binari compilati e gli artefatti di build.
Si noti inoltre che l’utilizzo del generatore VanHelsing richiede un po’ di lavoro aggiuntivo, poiché si connette al pannello di affiliazione all’indirizzo 31.222.238[.]208 per recuperare i dati. Considerando che il dump contiene il codice sorgente del pannello in cui si trova l’endpoint api.php, gli aggressori possono modificare il codice o eseguire la propria versione del pannello per far funzionare il builder.
Inoltre, l’archivio pubblicato contiene il codice sorgente del ransomware per Windows, che può essere utilizzato per creare una build, un decryptor e un loader autonomi.
Tra le altre cose, la pubblicazione rileva che gli aggressori, a quanto pare, hanno tentato di creare un blocco MBR che avrebbe sostituito il master boot record con un bootloader personalizzato che avrebbe visualizzato un messaggio relativo al blocco.
L'articolo VanHelsing Ransomware: il codice sorgente trapelato rivela segreti sconcertanti proviene da il blog della sicurezza informatica.
A Look Inside a Lemon of a Race Car
Automotive racing is a grueling endeavor, a test of one’s mental and physical prowess to push an engineered masterpiece to its limit. This is all the more true of 24 hour endurance races where teams tag team to get the most laps of a circuit in over a 24 hour period. The format pushes cars and drivers to the very limit. Doing so on a $500 budget as presented by the 24 hours of Lemons makes this all the more impressive!
Of course, racing on a $500 budget is difficult to say the least. All the expected Fédération Internationale de l’Automobile (FIA) safety requirements are still in place, including roll cage, seats and fire extinguisher. However, brakes, wheels, tires and safety equipment are not factored into the cost of the car, which is good because an FIA racing seat can run well in excess of the budget. Despite the name, most races are twelve to sixteen hours across two days, but 24 hour endurance races are run. The very limiting budget and amateur nature of the event has created a large amount of room for teams to get creative with car restorations and race car builds.
One such team we had the chance of speaking to goes by the name 24 Hours of Le-Mines. Their build is a wonderful mishmash of custom fabrication and affordable parts. It’s built from a restored 1999 NA Miata complete with rusted frame and all! Power is handled by a rebuilt 302 Mustang engine of indeterminate age.
The stock Miata brakes seem rather small for a race car, but are plenty for a car of its weight. Suspension is an Amazon special because it only has to work for 24 hours. The boot lid (or trunk if you prefer) is held down with what look to be over-sized RC car pins. Nestled next to the PVC pipe inlet pipe is a nitrous oxide canister — we don’t know if it’s functional or for show, but we like it nonetheless. The scrappy look is completed with a portion of the road sign fabricated into a shifter cover.
The team is unsure if the car will end up racing, but odds are if you are reading Hackaday, you care more about the race cars then the actual racing. Regardless, we hope to see this Miata in the future!
This is certainly not the first time we have covered 24 hour endurance engineering, like this solar powered endurance plane.
Dero miner zombies biting through Docker APIs to build a cryptojacking horde
Introduction
Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites exploits it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does.
During a recent compromise assessment project, we detected a number of running containers with malicious activities. Some of the containers were previously recognized, while others were not. After forensically analyzing the containers, we confirmed that a threat actor was able to gain initial access to a running containerized infrastructure by exploiting an insecurely published Docker API. This led to the running containers being compromised and new ones being created not only to hijack the victim’s resources for cryptocurrency mining but also to launch external attacks to propagate to other networks. The diagram below describes the attack vector:
Infection chain
The entire attack vector is automated via two malware implants: the previously unknown propagation malware nginx and the Dero crypto miner. Both samples are written in Golang and packed with UPX. Kaspersky products detect these malicious implants with the following verdicts:
- nginx:
Trojan.Linux.Agent.gen; - Dero crypto miner:
RiskTool.Linux.Miner.gen.
nginx: the propagation malware
This malware is responsible for maintaining the persistence of the crypto miner and its further propagation to external systems. This implant is designed to minimize interaction with the operator and does not require a delivery C2 server. nginx ensures that the malware spreads as long as there are users insecurely publishing their Docker APIs on the internet.
The malware is named “nginx” to masquerade as the well-known legitimate nginx web server software in an attempt to evade detection by users and security tools. In this post, we’ll refer to this malware as “nginx”.
After unpacking the nginx malware, we parsed the metadata of the Go binary and were able to determine the location of the Go source code file at compilation time: “/root/shuju/docker2375/nginx.go”.
Nginx source code file
Infecting the container
The malware starts by creating a log file at “/var/log/nginx.log”.
Log file creation
This log file will be used later to log the running activities of the malware, including data like the list of infected machines, the names of created malicious containers on those machines, and the exit status code if there were any errors.
Malware operations log
After that, in a new process, a function called main.checkVersion loops infinitely to make sure that the content of a file located at “/usr/bin/version.dat” inside the compromised container always equals 1.4. If the file contents were changed, this function overwrites them.
Ensuring that version.dat exists and contains 1.4
If version.dat doesn’t exist, the malicious function creates this file with the content 1.4, then sleeps for 24 hours before the next iteration.
Creating version.dat if it doesn’t exist
The malware uses the version.dat file to identify the already infected containers, which we’ll describe later.
The nginx sample then executes the main.monitorCloudProcess function that loops infinitely in a new process making sure that a process named cloud, which is a Dero miner, is running. First, the malware checks whether or not the cloud process is running. If it’s not, nginx executes the main.startCloudProcess function to launch the miner.
Monitoring and executing the cloud process
In order to execute the miner, the main.startCloudProcess function attempts to locate it at “/usr/bin/cloud”.
Executing the miner
Spreading the infection
Host search
Next, the nginx malware will go into an infinite loop of generating random IPv4 /16 network subnets to scan them and compromise more networks with the main.generateRandomSubnet function.
Infinite loop of network subnets generation and scanning
The subnets with the respective IP ranges will be passed to the main.scanSubnet function to be scanned via masscan, a port scanning tool installed in the container by the malware, which we will describe in more detail later. The scanner is looking for an insecure Docker API published on the internet to exploit by scanning the generated subnet via the following command: masscan -p 2375 -oL – –max-rate 360.
Scanning the generated subnet via masscan
The output of masscan is parsed via regex to extract the IPv4s that have the default Docker API port 2375 open. Then the extracted IPv4s are passed to the main.checkDockerDaemon function. It checks if the remote dockerd daemon on the host with a matching IPv4 is running and responsive. To do this, the malware attempts to list all running containers on the remote host by executing a docker -H PS command. If it fails, nginx proceeds to check the next IPv4.
Remotely listing running containers
Container creation
After confirming that the remote dockerd daemon is running and responsive, nginx generates a container name with 12 random characters and uses it to create a malicious container on the remote target.
Container name generation
The malicious container is created with docker -H run -dt –name –restart always ubuntu:18.04 /bin/bash. The malware uses a –restart always flag to start the newly created containers automatically when they exit.
Malicious container created on a new host
Then nginx prepares the new container to install dependencies later by updating the packages via docker -H exec apt-get -yq update.
Updating container packages
Next, the malicious sample uses a docker -H exec apt-get install -yq masscan docker.io command to install masscan and docker.io in the container, which are dependencies for the malware to interact with the Docker daemon and to perform the external scan to infect other networks.
Remotely installing the malware dependencies inside the newly created container
Then it transfers the two malicious implants, nginx and cloud, to the container by executing docker -H cp -L /usr/bin/ :/usr/bin.
Transferring nginx and cloud to the newly created container
The malware maintains persistence by adding the transferred nginx binary to /root/.bash_aliases to make sure that it will automatically execute upon shell login. This is done via a docker -H exec bash –norc -c \'echo \"/usr/bin/nginx &\" > /root/.bash_aliases\' command.
Adding the nginx malware to .bash_aliases for persistence
Compromising running containers
Up until this point, the malware has only created new malicious containers. Now, it will try to compromise the ubuntu:18.04-based running containers. The sample first executes the main.checkAndOperateContainers function to check all the running containers on the remote vulnerable host for two conditions: the container has an ubuntu:18.04-base and it doesn’t contain a version.dat file, which is an indicator that the container had been previously infected.
Listing and compromising existing containers on the remote target
If these conditions are satisfied, the malware executes the main.operateOnContainer function to proceed with the same attack vector described earlier to infect the running container. The infection chain is repeated, hijacking the container resources to scan and compromise more containers and mining for the Dero cryptocurrency.
That way, the malware does not require a C2 connection and also maintains its activity as long as there is an insecurely published Docker API that can be exploited to compromise running containers and create new ones.
cloud – the Dero miner
Executing and maintaining cloud, the crypto miner, is the primary goal of the nginx sample. The miner is also written in Golang and packed with UPX. After unpacking the binary, we were able to attribute it to the open-source DeroHE CLI miner project found on GitHub. The threat actor wrapped the DeroHE CLI miner into the cloud malware, with a hardcoded mining configuration: a wallet address and a DeroHE node (derod) address.
If no addresses were passed as arguments, which is the case in this campaign, the cloud malware uses the hardcoded encrypted configuration as the default configuration. It is stored as a Base64-encoded string that, after decoding, results in an AES-CTR encrypted blob of a Base64-encoded wallet address, which is decrypted with the main.decrypt function. The configuration encryption indicates that the threat actors attempt to sophisticate the malware, as we haven’t seen this in previous campaigns.
Decrypting the crypto wallet address
Upon decoding this string, we uncovered the wallet address in clear text: dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y.
Behavioral analysis of the decryption function
Then the malware decrypts another two hardcoded AES-CTR encrypted strings to get the dero node addresses via a function named main.sockz.
Function calls to decrypt the addresses
The node addresses are encrypted the same way the wallet address is, but with other keys. After decryption, we were able to obtain the following addresses: d.windowsupdatesupport[.]link and h.wiNdowsupdatesupport[.]link.
Decoded addresses in memory
The same wallet address and the derod node addresses had been observed before in a campaign that targeted Kubernetes clusters with Kubernetes API anonymous authentication enabled. Instead of transferring the malware to a compromised container, the threat actor pulls a malicious image named pauseyyf/pause:latest, which is published on Docker Hub and contains the miner. This image was used to create the malicious container. Unlike the current campaign, the attack vector was meant to be stealthy as threat actors didn’t attempt to move laterally or scan the internet to compromise more networks. These attacks were seen throughout 2023 and 2024 with minor changes in techniques.
Takeaways
Although attacks on containers are less frequent than on other systems, they are not less dangerous. In the case we analyzed, containerized environments were compromised through a combination of a previously known miner and a new sample that created malicious containers and infected existing ones. The two malicious implants spread without a C2 server, making any network that has a containerized infrastructure and insecurely published Docker API to the internet a potential target.
Analysis of Shodan shows that in April 2025, there were 520 published Docker APIs over port 2375 worldwide. It highlights the potential destructive consequences of the described threat and emphasizes the need for thorough monitoring and container protection.
Docker APIs published over port 2375 ports worldwide, January–April 2025 (download)
Building your containerized infrastructure from known legitimate images alone doesn’t guarantee security. Just like any other system, containerized applications can be compromised at runtime, so it’s crucial to monitor your containerized infrastructure with efficient monitoring tools like Kaspersky Container Security. It detects misconfigurations and monitors registry images, ensuring the safety of container environments. We also recommend proactively hunting for threats to detect stealthy malicious activities and incidents that might have slipped unnoticed on your network. The Kaspersky Compromise Assessment service can help you not only detect such incidents, but also remediate them and provide immediate and effective incident response activities.
Indicators of compromise
File hashes
094085675570A18A9225399438471CC9 nginx
14E7FB298049A57222254EF0F47464A7 cloud
File paths
NOTE: Certain file path IoCs may lead to false positives due to the masquerading technique used.
/usr/bin/nginx
/usr/bin/cloud
/var/log/nginx.log
/usr/bin/version.dat
Derod nodes addresses
d.windowsupdatesupport[.]link
h.wiNdowsupdatesupport[.]link
Dero wallet address
dero1qyy8xjrdjcn2dvr6pwe40jrl3evv9vam6tpx537vux60xxkx6hs7zqgde993y
securelist.com/dero-miner-infe…
Fault Analysis of a 120W Anker GaNPrime Charger
Taking a break from his usual prodding at suspicious AliExpress USB chargers, [DiodeGoneWild] recently had a gander at what used to be a good USB charger.
Before it went completely dead, the Anker 737 GaNPrime USB charger which a viewer sent him was capable of up to 120 Watts combined across its two USB-C and one USB-A outputs. Naturally the charger’s enclosure couldn’t be opened non-destructively, and it turned out to have (soft) potting compound filling up the voids, making it a treat to diagnose. Suffice it to say that these devices are not designed to be repaired.
With it being an autopsy, the unit got broken down into the individual PCBs, with a short detected that eventually got traced down to an IC marked ‘SW3536’, which is one of the ICs that communicates with the connected USB device to negotiate the voltage. With the one IC having shorted, it appears that it rendered the entire charger into an expensive paperweight.
Since the charger was already in pieces, the rest of the circuit and its ICs were also analyzed. Here the gallium nitride (GaN) part was found in the Navitas GaNFast NV6136A FET with integrated gate driver, along with an Infineon CoolGaN IGI60F1414A1L integrated power stage. Unfortunately all of the cool technology was rendered useless by one component developing a short, even if it made for a fascinating look inside one of these very chonky USB chargers.
youtube.com/embed/-JV5VGO55-I?…
Skitnet: Il Malware che Sta Conquistando il Mondo del Ransomware
Gli esperti hanno lanciato l’allarme: i gruppi ransomware stanno utilizzando sempre più spesso il nuovo malware Skitnet (noto anche come Bossnet) per lo sfruttamento successivo delle reti compromesse.
Secondo gli analisti di Prodaft, il malware è stato pubblicizzato sui forum di hacking dall’aprile 2024 e ha iniziato a guadagnare popolarità tra gli estorsori all’inizio del 2025. Ad esempio, Skitnet è già stato utilizzato negli attacchi degli operatori di BlackBasta e Cactus.
Un’infezione da Skitnet inizia con l’esecuzione di un loader scritto in Rust sul computer di destinazione, che decifra il binario Nim crittografato con ChaCha20 e lo carica nella memoria. Il payload Nim crea una reverse shell basata su DNS per comunicare con il server C&C, avviando una sessione utilizzando query DNS casuali.
Il malware avvia quindi tre thread: uno per inviare richieste di segnalazione DNS, un altro per monitorare ed estrarre l’output della shell e un altro per ascoltare e decifrare i comandi dalle risposte DNS.
I messaggi e i comandi da eseguire vengono inviati tramite HTTP o DNS in base ai comandi inviati tramite il pannello di controllo Skitnet. In questo pannello, l’operatore può visualizzare l’indirizzo IP del target, la sua posizione, il suo stato e inviare comandi per l’esecuzione.
Il malware supporta i seguenti comandi:
- Start: si insinua nel sistema scaricando tre file (tra cui una DLL dannosa) e creando un collegamento al file eseguibile legittimo Asus (ISP.exe) nella cartella di avvio. Ciò attiva un hook DLL che esegue lo script PowerShell pas.ps1 per comunicare continuamente con il server C&C;
- Screen: tramite PowerShell, viene acquisito uno screenshot del desktop della vittima, caricato su Imgur e quindi l’URL dell’immagine viene inviato al server C&C;
- Anydesk : scarica e installa in modo silenzioso lo strumento di accesso remoto AnyDesk, nascondendone la finestra e l’icona nella barra delle applicazioni;
- Rutserv : scarica e installa in modo silenzioso lo strumento di accesso remoto RUT-Serv;
- Shell : esegue un ciclo di comandi PowerShell. Invia un messaggio iniziale “Shell running…”, quindi interroga il server ogni 5 secondi per nuovi comandi, che vengono eseguiti utilizzando Invoke-Expression, e quindi i risultati vengono inviati indietro;
- Av — elenca i software antivirus e di sicurezza installati sul computer tramite query WMI (SELECT * FROM AntiVirusProduct nello spazio dei nomi root\SecurityCenter2). I risultati vengono inviati al server di controllo.
Oltre a questi comandi, gli operatori di Skitnet possono sfruttare le funzionalità del loader .NET, che consente l’esecuzione di script PowerShell in memoria per personalizzare ulteriormente gli attacchi.
Gli esperti sottolineano che, sebbene i gruppi estorsivi utilizzino spesso strumenti propri, adattati per operazioni specifiche e difficili da rilevare da parte degli antivirus, il loro sviluppo non è economico e richiede il coinvolgimento di sviluppatori qualificati, non sempre disponibili.
Utilizzare malware standard come Skitnet è più economico, consente una distribuzione più rapida e rende più difficile l’attribuzione perché il malware è utilizzato da molti aggressori.
I ricercatori di Prodaft hanno pubblicato su GitHub degli indicatori di compromissione relativi a Skitnet.
C2 servers
github.com/prodaft/malware-ioc…
109.120.179.170
178.236.247.7
181.174.164.47
181.174.164.41
181.174.164.4
181.174.164.240
181.174.164.2
181.174.164.180
181.174.164.140
181.174.164.107
181.174.164.238
L'articolo Skitnet: Il Malware che Sta Conquistando il Mondo del Ransomware proviene da il blog della sicurezza informatica.
The Mouse Language, Running on Arduino
Although plenty of us have our preferred language for coding, whether it’s C for its hardware access, Python for its usability, or Fortran for its mathematic prowess, not every language is specifically built for problem solving of a particular nature. Some are built as thought experiments or challenges, like Whitespace or Chicken but aren’t used for serious programming. There are a few languages that fit in the gray area between these regions, and one example of this is the language MOUSE which can now be run on an Arduino.
Although MOUSE was originally meant to be a minimalist language for computers of the late 70s and early 80s with limited memory (even for the era), its syntax looks more like a more modern esoteric language, and indeed it arguably would take a Python developer a bit of time to get used to it in a similar way. It’s stack-based, for a start, and also uses Reverse Polish notation for performing operations. The major difference though is that programs process single letters at a time, with each letter corresponding to a specific instruction. There have been some changes in the computing world since the 80s, though, so [Ivan]’s version of MOUSE includes a few changes that make it slightly different than the original language, but in the end he fits an interpreter, a line editor, graphics primitives, and peripheral drivers into just 2KB of SRAM and 32KB Flash so it can run on an ATmega328P.
There are some other features here as well, including support for PS/2 devices, video output, and the ability to save programs to the internal EEPROM. It’s an impressive setup for a language that doesn’t get much attention at all, but certainly one that threads the needle between usefulness and interesting in its own right. Of course if a language where “Hello world” is human-readable is not esoteric enough, there are others that may offer more of a challenge.
Plugging Plasma Leaks in Magnetic Confinement With New Guiding Center Model
Although the idea of containing a plasma within a magnetic field seems straightforward at first, plasmas are highly dynamic systems that will happily escape magnetic confinement if given half a chance. This poses a major problem in nuclear fusion reactors and similar, where escaping particles like alpha (helium) particles from the magnetic containment will erode the reactor wall, among other issues. For stellarators in particular the plasma dynamics are calculated as precisely as possible so that the magnetic field works with rather than against the plasma motion, with so far pretty good results.
Now researchers at the University of Texas reckon that they can improve on these plasma system calculations with a new, more precise and efficient method. Their suggested non-perturbative guiding center model is published in (paywalled) Physical Review Letters, with a preprint available on Arxiv.
The current perturbative guiding center model admittedly works well enough that even the article authors admit to e.g. Wendelstein 7-X being within a few % of being perfectly optimized. While we wouldn’t dare to take a poke at what exactly this ‘data-driven symmetry theory’ approach exactly does differently, it suggests the use machine-learning based on simulation data, which then presumably does a better job at describing the movement of alpha particles through the magnetic field than traditional simulations.
Top image: Interior of the Wendelstein 7-X stellarator during maintenance.
Working On Open-Source High-Speed Ethernet Switch
Our hacker [Andrew Zonenberg] reports in on his open-source high-speed Ethernet switch. He hasn’t finished yet, but progress has been made.
If you were wondering what might be involved in a high-speed Ethernet switch implementation look no further. He’s been working on this project, on and off, since 2012. His design now includes a dizzying array of parts. [Andrew] managed to snag some XCKU5P FPGAs for cheap, paying two cents in the dollar, and having access to this fairly high-powered hardware affected the project’s direction.
You might be familiar with [Andrew Zonenberg] as we have heard from him before. He’s the guy who gave us the glscopeclient, which is now ngscopeclient.
As perhaps you know, when he says in his report that he is an “experienced RTL engineer”, he is talking about Register-Transfer Level, which is an abstraction layer used by hardware description languages, such as Verilog and VHDL, which are used to program FPGAs. When he says “RTL” he’s not talking about Resistor-Transistor Logic (an ancient method of developing digital hardware) or the equally ancient line of Realtek Ethernet controllers such as the RTL8139.
When it comes to open-source software you can usually get a copy at no cost. With open-source hardware, on the other hand, you might find yourself needing to fork out for some very expensive bits of kit. High speed is still expensive! And… proprietary, for now. If you’re looking to implement Ethernet hardware today, you will have to stick with something slower. Otherwise, stay tuned, and watch this space.
Stylus Synth Should Have Used a 555– and Did!
For all that “should have used a 555” is a bit of a meme around here, there’s some truth to it. The humble 555 is a wonderful tool in the right hands. That’s why it’s wonderful to see this all-analog stylus synth project by EE student [DarcyJ] bringing the 555 out for the new generation.
The project is heavily inspired by the vintage stylophone, but has some neat tweaks. A capacitor bank means multiple octaves are available, and using a ladder of trim pots instead of fixed resistors makes every note tunable. [Darcy] of course included the vibrato function of the original, and yes, he used a 555 for that, too. He put a trim pot on that, too, to control the depth of vibrato, which we don’t recall seeing on the original stylophone.
The writeup is very high quality and could be recommended to anyone just getting started in analog (or analogue) electronics– not only does [Darcy] explain his design process, he also shows his pratfalls and mistakes, like in the various revisions he went through before discovering the push-pull amplifier that ultimately powers the speaker.
Since each circuit is separately laid out and indicated on the PCB [Darcy] designed in KiCad for this project. Between that and everything being thru-hole, it seems like [Darcy] has the makings of a lovely training kit. If you’re interested in rolling your own, the files are on GitHub under a CERN-OHL-S v2 license, and don’t forget to check out the demo video embedded below to hear it in action.
Of course, making music on the 555 is hardly a new hack. We’ve seen everything from accordions to paper-tape player pianos to squonkboxes over the years. Got another use for the 555? Let us know about it, in the inevitable shill for our tip line you all knew was coming.
youtube.com/embed/EBShBqbxInw?…
As The World Burns, At least You’ll Have Secure Messaging
There’s a section of our community who concern themselves with the technological aspects of preparing for an uncertain future, and for them a significant proportion of effort goes in to communication. This has always included amateur radio, but in more recent years it has been extended to LoRa. To that end, [Bertrand Selva] has created a LoRa communicator, one which uses a Pi Pico, and delivers secure messaging.
The hardware is a rather-nice looking 3D printed case with a color screen and a USB A port for a keyboard, but perhaps the way it works is more interesting. It takes a one-time pad approach to encryption, using a key the same length as the message. This means that an intercepted message is in effect undecryptable without the key, but we are curious about the keys themselves.
So if Meshtastic isn’t quite the thing for you then it’s possible that this could be an alternative. As an aside we’re interested to note that it’s using a 433 MHz LoRa module, revealing the different frequency preferences that exist between enthusiasts in different countries.
youtube.com/embed/R846vWyKoqg?…
The Make-roscope
Normal people binge-scroll social media. Hackaday writers tend to pore through online tech news and shopping sites incessantly. The problem with the shopping sites is that you wind up buying things, and then you have even more projects you don’t have time to do. That’s how I found the MAKE-roscope, an accessory aimed at kids that turns a cell phone into a microscope. While it was clearly trying to appeal to kids, I’ve had some kids’ microscopes that were actually useful, and for $20, I decided to see what it was about. If nothing else, the name made it appealing.
My goal was to see if it would be worth having for the kinds of things we do. Turns out, I should have read more closely. It isn’t really going to help you with your next PCB or to read that tiny print on an SMD part. But it is interesting, and — depending on your interests — you might enjoy having one. The material claims the scope can magnify from 125x to 400x.
What Is It?
The whole thing is in an unassuming Altoids-like tin. Inside the box are mostly accessories you may or may not need, like a lens cloth, a keychain, plastic pipettes, and the like. There are only three really interesting things: A strip of silicone with a glass ball in it, and a slide container with five glass slides, three of which have something already on them. There’s also a spare glass ball (the lens).
What I didn’t find in my box were cover slips, any way to prepare specimens, and — perhaps most importantly — clear instructions. There are some tiny instructions on the back of the tin and on the lens cloth paper. There is also a QR code, but to really get going, I had to watch a video (embedded below).
youtube.com/embed/Td62kPb24tU?…
What I quickly realized is that this isn’t a metalurgical scope that takes images of things. It is a transmissive microscope like you find in a biology lab. Normally, the light in a scope like that goes up through the slide and into the objective. This one is upside down. The light comes from the top, through the slide, and into the glass ball lens.
Bio Scopes Can Be Fun
Of course, if you have an interest in biology or thin films or other things that need that kind of microscope, this could be interesting. After all, cell phones sometimes have macro modes that you can use as a pretty good low-power microscope already if you want to image a part or a PCB. You can also find lots of lenses that attach to the phone if you need them. But this is a traditional microscope, which is a bit different.
The silicone compresses, which seems to be the real trick. Here’s how it works in practice. You turn on your camera and switch to the selfie lens. Then you put the silicone strip over the camera and move it around. You’ll see that the lens makes a “spotlight” in the image when it is in the right place. Get it centered and zoom until you can’t see the circle of the lens anymore.
Then you put your slide down on the lens and move it around until you get an image. It might be a little fuzzy. That’s where the silicone comes in. You push down, and the image will snap into focus. The hardest part is pushing down while holding it still and pushing the shutter button.
Zeiss and Nikon don’t have anything to worry about, but the images are just fine. You can grab a drop of water or swab your cheek. It would have been nice to have some stain and either some way to microtome samples, or at least instructions on how you might do that with household items.
Verdict
For most electronics tasks, you are better off with a loupe, magnifiers, a zoomed cell phone, or a USB microscope. But if you want a traditional microscope for science experiments or to foster a kid’s interest in science, it might be worth something.
For electronics, you are better off with a metallurgical scope. Soldering under a stereoscope is life-changing. We’ve seen more expensive versions of this, too, but we aren’t sure they are much better.
When Repairs Go Inside Integrated Circuits
What can you do if your circuit repair diagnosis indicates an open circuit within an integrated circuit (IC)? Your IC got too hot and internal wiring has come loose. You could replace the IC, sure. But what if the IC contains encryption secrets? Then you would be forced to grind back the epoxy and fix those open circuits yourself. That is, if you’re skilled enough!
In this video our hacker [YCS] fixes a Mercedes-Benz encryption chip from an electronic car key. First, the black epoxy surface is polished off, all the way back to the PCB with a very fine gradient. As the gold threads begin to be visible we need to slow down and be very careful.
The repair job is to reconnect the PCB points with the silicon body inside the chip. The PCB joints aren’t as delicate and precious as the silicon body points, those are the riskiest part. If you make a mistake with those then repair will be impossible. Then you tin the pads using solder for the PCB points and pure tin and hot air for the silicon body points.
Once that’s done you can use fine silver wire to join the points. If testing indicates success then you can complete the job with glue to hold the new wiring in place. Everything is easy when you know how!
Does repair work get more dangerous and fiddly than this? Well, sometimes.
youtube.com/embed/9y7xRpFYLjk?…
Thanks to [J. Peterson] for this tip.
The World Wide Web and the Death of Graceful Degradation
In the early days of the World Wide Web – with the Year 2000 and the threat of a global collapse of society were still years away – the crafting of a website on the WWW was both special and increasingly more common. Courtesy of free hosting services popping up left and right in a landscape still mercifully devoid of today’s ‘social media’, the WWW’s democratizing influence allowed anyone to try their hands at web design. With varying results, as those of us who ventured into the Geocities wilds can attest to.
Back then we naturally had web standards, courtesy of the W3C, though Microsoft, Netscape, etc. tried to upstage each other with varying implementation levels (e.g. no iframes in Netscape 4.7) and various proprietary HTML and CSS tags. Most people were on dial-up or equivalently anemic internet connections, so designing a website could be a painful lesson in optimization and targeting the lowest common denominator.
This was also the era of graceful degradation, where us web designers had it hammered into our skulls that using and navigating a website should be possible even in a text-only browser like Lynx, w3m or antique browsers like IE 3.x. Fast-forward a few decades and today the inverse is true, where it is your responsibility as a website visitor to have the latest browser and fastest internet connection, or you may even be denied access.
What exactly happened to flip everything upside-down, and is this truly the WWW that we want?
User Vs Shinies
Back in the late 90s, early 2000s, a miserable WWW experience for the average user involved graphics-heavy websites that took literal minutes to load on a 56k dial-up connection. Add to this the occasional website owner who figured that using Flash or Java applets for part of, or an entire website was a brilliant idea, and had you sit through ten minutes (or more) of a loading sequence before being able to view anything.
Another contentious issue was that of the back- and forward buttons in the browser as the standard way to navigate. Using Flash or Java broke this, as did HTML framesets (and iframes), which not only made navigating websites a pain, but also made sharing links to a specific resource on a website impossible without serious hacks like offering special deep links and reloading that page within the frameset.
As much as web designers and developers felt the lure of New Shiny Tech to make a website pop, ultimately accessibility had to be key. Accessibility, through graceful degradation, meant that you could design a very shiny website using the latest CSS layout tricks (ditching table-based layouts for better or worse), but if a stylesheet or some Java- or VBScript stuff didn’t load, the user would still be able to read and navigate, at most in a HTML 1.x-like fashion. When you consider that HTML is literally just a document markup language, this makes a lot of sense.
More succinctly put, you distinguish between the core functionality (text, images, navigation) and the cosmetics. When you think of a website from the perspective of a text-only browser or assistive technology like screen readers, the difference should be quite obvious. The HTML tags mark up the content of the document, letting the document viewer know whether something is a heading, a paragraph, and where an image or other content should be referenced (or embedded).
If the viewer does not support stylesheets, or only an older version (e.g. CSS 2.1 and not 3.x), this should not affect being able to read text, view images and do things like listen to embedded audio clips on the page. Of course, this basic concept is what is effectively broken now.
It’s An App Now
This in itself is not a problem, as being able to do partial page refreshes rather than full on page reloads can save a lot of bandwidth and copious amounts of sanity with preserving page position and lack of flickering. What is however a problem is how there’s no real graceful degradation amidst all of this any more, mostly due to hard requirements for often bleeding edge features by these frameworks, especially in terms of JavaScript and CSS.
Sometimes these requirements are apparently merely a way to not do any testing on older or alternative browsers, with ‘forum’ software Discourse (not to be confused with Disqus) being a shining example here. It insists that you must have the ‘latest, stable release’ of either Microsoft Edge, Google Chrome, Mozilla Firefox or Apple Safari. Purportedly this is so that the client-side JavaScript (Ember.js) framework is happy, but as e.g. Pale Moon users have found out, the problem is with a piece of JS that merely detects the browser, not the features. Blocking the browser-detect-* script in e.g. an adblocker restores full functionality to Discourse-afflicted pages.
Wrong Focus
It’s quite the understatement to say that over the past decades, websites have changed. For us greybeards who were around to admire the nascent WWW, things seemed to move at a more gradual pace back then. Multimedia wasn’t everywhere yet, and there was no Google et al. pushing its own agenda along with Digital Restrictions Management (DRM) onto us internet users via the W3C, which resulted in the EFF resigning in protest.
Although Google et al. ostensibly profess to have only our best interests at heart when features were added to Chrome, the very capable plugins system from Netscape and Internet Explorer taken out back and WebExtensions Manifest V3 introduced (with the EFF absolutely venomous about the latter), privacy concerns are mounting amidst concerns that corporations now control the WWW, with even new HTML, CSS and JS features being pushed by Google solely for its use in Chrome.
For those of us who still use traditional browsers like Pale Moon (forked from Firefox in 2009), it is especially the dizzying pace of new ‘features’ that discourages us from using effectively non-Chromium-based browsers, with websites all too often having only been tested in Chrome. Functionality in Safari, Pale Moon, etc. often is more a matter of luck as the assumption is made by today’s crop of web devs that everyone uses the latest and greatest Chrome browser version. This ensures that using non-Chromium browsers is fraught with functionally defective websites, as the ‘Web Compatibility Support’ section of the Pale Moon forum illustrates.
Question is whether this is the web which we, the users, want to see.
Low-Fidelity Feature
Another unpleasant side-effect of web apps is that they force an increasing amount of JS code to be downloaded, compiled and ran. This contrasts with plain HTML and CSS pages that tend to be mere kilobytes in size in addition to any images. Back in The Olden Days
In this and earlier described scenarios the consequence is the same: you must be using the latest Chromium-based browser to use many sites, you will be using a lot of RAM and CPU for even basic pages, and forget about using retro- or alternative systems that do not support the latest encryption standards and certificates.
The latter is due to the removal of non-encrypted HTTP from many browsers, because for some reason downloading public information from HTTP and FTP sites without encrypting said public data is a massive security threat now, and the former is due to the frankly absurd amounts of JS, with the Task Manager feature in many browsers showing the resource usage per tab, e.g.:
Of these tabs, there is no way to reduce their resource usage, no ‘graceful degradation’ or low-fidelity mode, so that older systems as well as the average smart phone or tablet will struggle or simply keel over to keep up with the demands of the modern WWW, with even a basic page using more RAM than the average PC had installed by the late 90s.
Meanwhile the problems that we web devs were moaning about around 2000 such as an easy way to center content with CSS got ignored, while some enterprising developers have done the hard work of solving the graceful degradation problem themselves. A good example of this is the FrogFind! search engine, which strips down DuckDuckGo search results even further, before passing any URLs you click through a PHP port of Mozilla’s Readability. This strips out anything but the main content, allowing modern website content to be viewed on systems with browsers that were current in the very early 1990s.
In short, graceful degradation is mostly an issue of wanting to, rather than it being some kind of unsurmountable obstacle. It requires learning the same lessons as the folk back in the Flash and Java applet days had to: namely that your visitors don’t care how shiny your website, or how much you love the convoluted architecture and technologies behind it. At the end of the day your visitors Just Want Things to Work
Tl;dr: content is for your visitors, the eyecandy is for you and your shareholders.
Bypass di Microsoft Defender mediante Defendnot: Analisi Tecnica e Strategie di Mitigazione
Nel panorama delle minacce odierne, Defendnotrappresenta un sofisticato malware in grado di disattivare Microsoft Defender sfruttando esclusivamente meccanismi legittimi di Windows. A differenza di attacchi tradizionali, non richiede privilegi elevati, non modifica in modo permanente le chiavi di registro e non solleva alert immediati da parte dei software di difesa tradizionali o soluzioni EDR (Endpoint Detection and Response).
L’efficacia di Defendnot risiede nella sua capacità di interfacciarsi con le API e i meccanismi di sicurezza nativi del sistema operativo Windows, in particolare:
- WMI (Windows Management Instrumentation)
- COM (Component Object Model)
- Windows Security Center (WSC)
2. Processi di esecuzione del Malware
2.1 Abuso del Windows Security Center (WSC)
Il comportamento principale del malware consiste nel simulare la presenza di un antivirus attivo tramite la registrazione fittizia nel WSC, inducendo Defender a disattivarsi automaticamente.
❝ Windows Defender si disattiva se rileva la presenza di un altro antivirus “compatibile” registrato correttamente nel sistema. ❞
Questa simulazione viene ottenuta sfruttando interfacce COM, come IWSCProduct e IWSCProductList, e avvalendosi di script PowerShell o codice compilato (es. C++).
2.2 Uso di WMI e COM senza Elevazione di Privilegi
Defendnot non modifica GPO, non scrive nel registro e non uccide processi. Opera in modo stealth grazie a:
- WMI Namespace: root\SecurityCenter2
- COM Object: WSC.SecurityCenter2
In molti contesti aziendali mal configurati, questi componenti possono essere invocati anche da utenti standard, rendendo il malware estremamente pericoloso in termini di lateral movement e persistence.
2.3 Iniezione e Persistenza
In alcuni casi, Defendnot può essere iniettato in processi fidati (es. taskmgr.exe) o configurato per l’esecuzione automatica tramite Task Scheduler o chiavi Run.
3. Esempi Tecnici Pratici
3.1 Simulazione WMI via PowerShell
Questo codice è legittimo ma può essere esteso per registrare falsi antivirus con stato “attivo e aggiornato”, forzando così la disattivazione di Defender.
3.2 Spoofing avanzato in C++ (uso COM diretto)
Questa simulazione è sufficiente a ingannare Defender e farlo disattivare come da policy Microsoft.
3.3 Analisi dello Stato di Defender tramite WMI (PowerShell)
Questo script permette di interrogare direttamente lo stato di Microsoft Defender, utile per verificare se è stato disattivato in modo anomalo.
Utile per eseguire un controllo incrociato: se Defender risulta disattivato e non vi è alcun AV noto attivo, è probabile la presenza di spoofing o bypass.
3.4 Registrazione Fittizia di AV via WMI Spoof (WMI MOF Injection – Teorico)
Una tecnica usata in scenari più avanzati può includere MOF Injection per creare provider fittizi direttamente in WMI (esempio concettuale):
Compilato con:
Compilato con:
mofcomp.exe fakeav.mof
Questa tecnica è estremamente stealth e sfrutta la capacità di WMI di accettare nuovi provider persistenti. Va monitorata con attenzione.
3.5 Monitoraggio WMI Eventi in Tempo Reale (PowerShell + WQL)
Script che intercetta modifiche sospette al namespace SecurityCenter2:
Questo è particolarmente utile in ambienti aziendali: può essere lasciato in esecuzione su server o endpoint sensibili per tracciare cambiamenti in tempo reale.
3.6 Logging Persistente di AV Fittizi tramite Task Scheduler (PowerShell)
Esempio per identificare eventuali task che iniettano strumenti di bypass all’avvio:
Una semplice scansione dei task può rivelare meccanismi di persistenza non evidenti, soprattutto se il payload è un fake AV o un loader offuscato.
3.7 Ispezione della Configurazione Defender tramite MpPreference
Permette di individuare modifiche anomale o disabilitazioni silenziose:
Se DisableRealtimeMonitoring è attivo, Defender è stato disattivato. Anche UILockdown può indicare manipolazioni da malware avanzati.
3.8 Enumerazione e Verifica dei Moduli Caricati nel Processo WSC (C++)
Controllare che non vi siano DLL anomale caricate nel processo del Security Center:
Gli strumenti come Defendnot possono essere iniettati nel processo SecurityHealthService.exe. Il controllo dei moduli può rivelare DLL anomale.
3.9 Identificazione di AV Fake tramite Analisi della Firma del File
Esempio in PowerShell per analizzare i binari AV registrati:
Gli AV fake spesso non sono firmati o hanno certificati self-signed. Questo controllo può essere integrato in audit automatizzati.
4. Script di Monitoraggio e Rilevamento
Per monitorare al meglio eventuali anomalie, si può usare un modulo centralizzato da eseguire sull’host Windows per avere una visione d’insieme su:
- Stato di Defender
- Prodotti AV registrati
- Anomalie nei nomi/firme
- Task sospetti legati a fake AV
Si consiglia di schedulare l’esecuzione di questa dashboard su base oraria tramite Task Scheduler, salvando l’output in file di log o inviandolo via e-mail. È anche possibile integrarlo con SIEM (Splunk, Sentinel, etc.) via forwarding del log ed è estendibile con funzionalità di auto-remediation, ad esempio disinstallazione o terminazione di AV sospetti.
4.1 PowerShell: Rilevamento Anomalie in WSC
Questo script decodifica lo stato binario dei provider AV registrati e lancia un allarme se rileva anomalie (es. nomi generici, binari non firmati o assenti).
5. Strategie di Mitigazione e Difesa
Per contenere e prevenire gli effetti di malware come Defendnot, si raccomanda di adottare un approccio multilivello:
5.1. Monitoraggio WSC Periodico
Automatizzare il controllo su base oraria/giornaliera e inviare alert su SIEM o email.
5.2. Abilitare Tamper Protection
Blocca modifiche non autorizzate alla configurazione di Defender, comprese modifiche via WMI o PowerShell.
5.3. Applicare Policy di Lock-down
Utilizzare Group Policy per disabilitare l’opzione “Disattiva Microsoft Defender”:
Computer Configuration > Admin Templates > Microsoft Defender Antivirus > Turn off Defender = Disabled
5.4. Controllo Accessi a WMI e COM
Strumenti EDR devono tracciare accessi sospetti a:
- root\SecurityCenter2
- COM object WSC.SecurityCenter2
- Script non firmati che accedono a questi componenti
5.5. Rilevamento Comportamentale con EDR
EDR avanzati devono essere configurati per:
- Rilevare registrazioni anomale di provider AV.
- Intercettare iniezioni in processi trusted.
- Rilevare uso anomalo delle API COM/WMI da script non firmati.
6. Conclusioni
L’analisi di Defendnot ci porta a riflettere su un aspetto sempre più attuale della cybersecurity: non servono necessariamente exploit sofisticati o malware rumorosi per compromettere un sistema. In questo caso, lo strumento agisce in silenzio, sfruttando le stesse regole e API che Windows mette a disposizione per la gestione dei software di sicurezza. E lo fa in modo così pulito da passare facilmente inosservato, anche agli occhi di molti EDR.
Quello che colpisce è la semplicità e l’eleganza dell’attacco: nessuna modifica al registro, nessun bisogno di privilegi elevati, nessuna firma malevola nel file. Solo una falsa comunicazione al Security Center, che crede di vedere un altro antivirus attivo – e quindi disattiva Defender come previsto dalla logica del sistema operativo.
È un promemoria importante: oggi non basta installare un antivirus per sentirsi protetti. Serve visibilità, monitoraggio continuo e una buona dose di diffidenza verso tutto ciò che sembra “normale”. Serve anche conoscere strumenti come Defendnot per capire come si muovono gli attaccanti moderni – spesso sfruttando ciò che il sistema permette, piuttosto che forzarlo.
In ottica difensiva, è fondamentale:
- Rafforzare le impostazioni di sicurezza, ad esempio attivando Tamper Protection.
- Monitorare regolarmente lo stato dei provider registrati nel Security Center.
- Utilizzare strumenti che vadano oltre la semplice firma o il comportamento, e che osservino come cambiano i contesti e le configurazioni del sistema.
In definitiva, Defendnot non è solo un malware: è un campanello d’allarme. Dimostra che le minacce più efficaci non sempre arrivano con il “classico” malware, ma spesso passano dalla zona grigia tra funzionalità lecite e uso malevolo. Ed è lì che dobbiamo concentrare le nostre difese.
L'articolo Bypass di Microsoft Defender mediante Defendnot: Analisi Tecnica e Strategie di Mitigazione proviene da il blog della sicurezza informatica.
DK 9x29 - Cose da Impero
Microsoft su ordine di Trump interrompe il servizo di posta elettronica di un cittadino britannico, impiegato di un organo internazionale con sede all'Aia, di cui gli USA non fanno parte. Prova provata che le fliali europee di compagnie USA sono una estensione diretta del potere imperiale americano. Aziende e istituzioni europee se ne devono svincolare, e al più presto.
spreaker.com/episode/dk-9x29-c…
An Awful 1990s PDA Delivers AI Wisdom
There was a period in the 1990s when it seemed like the personal data assistant (PDA) was going to be the device of the future. If you were lucky you could afford a Psion, a PalmPilot, or even the famous Apple Newton — but to trap the unwary there were a slew of far less capable machines competing for market share.
[Nick Bild] has one of these, branded Rolodex, and in a bid to make using a generative AI less alluring, he’s set it up as the interface to an LLM hosted on a Raspberry Pi 400. This hack is thus mostly a tale of reverse engineering the device’s serial protocol to free it from its Windows application.
Finding the baud rate was simple enough, but the encoding scheme was unexpectedly fiddly. Sadly the device doesn’t come with a terminal because these machines were very much single-purpose, but it does have a memo app that allows transfer of text files. This is the wildly inefficient medium through which the communication with the LLM happens, and it satisfies the requirement of making the process painful.
We see this type of PDA quite regularly in second hand shops, indeed you’ll find nearly identical devices from multiple manufacturers also sporting software such as dictionaries or a thesaurus. Back in the day they always seemed to be advertised in Sunday newspapers and aimed at older people. We’ve never got to the bottom of who the OEM was who manufactured them, or indeed cracked one apart to find the inevitable black epoxy blob processor. If we had to place a bet though, we’d guess there’s an 8051 core in there somewhere.
youtube.com/embed/GvXCZfoAy88?…
PentaPico: A Pi Pico Cluster For Image Convolution
Here’s something fun. Our hacker [Willow Cunningham] has sent us a copy of his homework. This is his final project for the “ECE 574: Cluster Computing” course at the University of Maine, Orono.
It was enjoyable going through the process of having a good look at everything in this project. The project is a “cluster” of 5x Raspberry Pi Pico microcontrollers — with one head node as the leader and four compute nodes that work on tasks. The software for the both nodes is written in C. The head node is connected to a workstation via USB 1.1 allowing the system to be controlled with a Python script.
The cluster is configured to process an embarrassingly parallel image convolution. The input image is copied into the head node via USB which then divvies it up and distributes it to n compute nodes via I2C, one node at a time. Results are given for n = {1,2,4} compute nodes.
It turns out that the work of distributing the data dwarfs the compute by three orders of magnitude. The result is that the whole system gets slower the more nodes we add. But we’re not going to hold that against anyone. This was a fascinating investigation and we were impressed by [Willow]’s technical chops. This was a complicated project with diverse hardware and software challenges and he’s done a great job making it all work and in the best scientific tradition.
It was fun reading his journal in which he chronicled his progress and frustrations during the project. His final report in IEEE format was created using LaTeX and Overleaf, at only six pages it is an easy and interesting read.
For anyone interested in cluster tech be sure to check out the 256-core RISC-V megacluster and a RISC-V supercluster for very low cost.
Falso Mito: Se uso una VPN, sono completamente al sicuro anche su reti WiFi Aperte e non sicure
Molti credono che l’utilizzo di una VPN garantisca una protezione totale durante la navigazione, anche su reti WiFi totalmente aperte e non sicure. Sebbene le VPN siano strumenti efficaci per crittografare il traffico e impedire l’intercettazione dei dati, non sono in grado di poterci proteggere da tutti i rischi.
Nell’articolo riportato qui sotto, spieghiamo in maniera dettagliata come funziona una VPN (Virtual Private Network) . L’articolo tratta in modo approfondito le VPN , analizzando come funziona e quali vantaggi specifici offre. Vengono descritti i diversi tipi di VPN, i criteri per scegliere la soluzione migliore, e le best practices per implementare in modo sicuro.
Virtual Private Network (VPN): Cos’è, Come Funziona e Perché
redhotcyber.com/post/virtual-p…
Pur confermando quanto riportato nell’articolo, ovvero che:
Una VPN non solo migliora la sicurezza e la privacy, ma offre anche maggiore libertà e controllo sulle informazioni trasmesse online, rendendola uno strumento fondamentale per chiunque voglia proteggere la propria identità digitale e i propri dati sensibili
È fondamentale essere consapevoli dei suoi limiti e delle potenziali vulnerabilità.
Ad esempio, la vulnerabilità CVE-2024-3661, nota come “TunnelVision“, dimostra come sia possibile per un attaccante reindirizzare il traffico fuori dal tunnel VPN senza che l’utente se ne accorga. Questo attacco sfrutta l’opzione 121 del protocollo DHCP per configurare rotte statiche nel sistema della vittima, permettendo al traffico di essere instradato attraverso canali non sicuri senza che l’utente ne sia consapevole.
Mentre possiamo affermare che una VPN protegge i dati in transito, dobbiamo ricordarci che per esempio non:
- Blocca gli attacchi di phishing: Una VPN non può impedire che clicchiamo su link dannosi o che inseriamo le nostre credenziali su siti fraudolenti.
- Protegge da malware o attacchi diretti al dispositivo (compromissioni locali): Se il nostro dispositivo è vulnerabile o infetto, una VPN non offre protezione contro malware, ransomware o minacce su reti locali.
Evidenze
1- Tunnel Vision
In questo video dimostrativo viene riportato un POC della CVE-2024-3661- Zscaler (TunnelVision) che evidenzia come un attaccante possa bypassare il tunnel VPN sfruttando l’opzione 121 del DHCP:
youtube.com/embed/ajsLmZia6UU?…
Video di Leviathan Security Group
2- VPN Con sorpresa
In quest’altro articolo invece diamo evidenza come per esempio diversi siti Web LetsVPN fraudolenti condividono un’interfaccia utente comune e sono deliberatamente progettati per distribuire malware , mascherandosi da applicazione LetsVPN autentica.
VPN Con Sorpresa! Oltre all’Anonimato, Offerta anche una Backdoor Gratuitamente
redhotcyber.com/post/vpn-con-s…
3 – Gravi Vulnerabilità nei Protocolli VPN
In quest’altro articolo, trattiamo di come alcuni sistemi vpn configurati in modo errato accettano i pacchetti tunnel senza verificare il mittente. Ciò consente agli aggressori di inviare pacchetti appositamente predisposti contenenti l’indirizzo IP della vittima a un host vulnerabile, costringendo l’host a inoltrare un pacchetto interno alla vittima, che apre la porta agli aggressori per lanciare ulteriori attacchi.
Nell’articolo evidenziamo anche che sono state identificate sono le seguenti CVE:
- CVE-2024-7596 (UDP generico Incapsulamento)
- CVE-2024-7595 (GRE e GRE6)
- CVE-2025-23018 (IPv4-in-IPv6 e IPv6-in-IPv6)
- CVE-2025-23019 (IPv6- in-IPv4)
Gravi Vulnerabilità nei Protocolli VPN: 4 Milioni di Sistemi Vulnerabili a Nuovi Bug di Tunneling!
redhotcyber.com/post/gravi-vul…
Conclusioni
Le VPN rappresentano un tassello importante nella protezione della nostra identità digitale e dei dati in transito, ma non offrono una protezione completa contro tutte le minacce. Come ogni strumento di sicurezza, devono essere configurate correttamente, mantenute aggiornate e utilizzate con responsabilità e consapevolezza.
In linea generale, le VPN non rappresentano una soluzione definitiva né sufficiente per garantire la sicurezza. È fondamentale affrontare il tema della sicurezza delle reti partendo dalla loro natura: molte infrastrutture — in particolare le reti Wi-Fi aperte — nascono insicure “by design”.
Nei prossimi articoli inizieremo a esplorare le misure tecniche che possono essere adottate per rafforzare queste reti, proteggere gli utenti e ridurre il rischio di attacchi, anche in ambienti esposti o pubblici.
➡️ Adottare una postura di sicurezza proattiva è essenziale: l’uso consapevole della VPN deve essere solo uno degli strumenti in un approccio più ampio e strutturato, che approfondiremo passo dopo passo nei prossimi articoli sulle mitigazioni.
L'articolo Falso Mito: Se uso una VPN, sono completamente al sicuro anche su reti WiFi Aperte e non sicure proviene da il blog della sicurezza informatica.
Cyber Divulgazione: Fine della One-Man-Band? La Community è la Nuova Sicurezza
Quanto è rilevante il ruolo della community per la creazione di contenuti informativi relativi alla sicurezza cyber? Possiamo dire che è tutta una questione di stile.
O di format. E di volontà.
C’è chi predilige un approccio alla “ve lo spiego io”. Il che risulta sempre meno credibile nel momento in cui c’è la tendenza a proporsi come tuttologi senza mai riconoscere alcun contributo, merito o ispirazione ad altri soggetti. Inoltre, il rischio di transitare dal cringe al cancer diventa piuttosto rilevante.
Gli scenari di sicurezza cyber sono un multiverso particolarmente complesso. Che tenderà a richiedere skill sempre più varie, verticalizzazioni e soprattutto valorizzerà ogni esperienza. Se conoscere i fondamentali è sempre utile, anche sapere da dove si proviene non è male. E no, non significa diventare dei necromanti della tecnologia (necrotek?), ma conoscere la storia della (in)sicurezza e la sua evoluzione nel tempo.
Ci può essere spazio per l’illusione allucinatoria di una one-man-band?
Semmai, ci può essere un gruppo e un frontman. Come in un buon party c’è il face. Ma è un membro del party, per l’appunto. Chi può raccontare meglio una storia, divulgare, farla conoscere. Ma senza il supporto del gruppo sarebbe più nudo di quel Cyber Re che ritiene – errando – di poter silenziare il mondo. Ma prima o poi la realtà, che come ci ricorda Philip K. Dick ha la brutta abitudine di continuare ad esistere nonostante la nostra volontà di negarla, presenta il conto.
Insomma: la community è una mitica forgia di idee per chi fa informazione e divulgazione in ambito cyber. Il quale, beninteso, non è detto che debba essere un esperto (nota: non deve nemmeno presentarsi come “appassionato” nel tentativo di simulare understatement) ma che abbia il rispetto di riconoscere il ruolo della community, così come la dignità delle fonti e dei riconoscimenti, avendo il coraggio di impiegare anche un linguaggio tecnico senza cadere nelle trappole della banalizzazione. E resistere alla tentazione di asservirsi all’hype o al trend del momento.
Instaurare una buona sinergia con la community dà valore all’informazione. Un valore che il pubblico percepisce, dal momento che la domanda di informazione dei lettori – o dei follower – è tutto ciò che inevitabilmente, nel tempo, comanda l’offerta. Una maggiore educazione digitale, che comprende quanto meno una consapevolezza delle tecnologie, delle dinamiche della società digitale e dei comportamenti, comporta una richiesta di contenuti di qualità, interattivi e non forniti “a cucchiaiate” senza ricercare feedback o interazioni.
Dal momento che la moneta spirituale richiesta è quella del tempo e dell’attenzione, relegare il destinatario ad un ruolo passivo è non solo irrispettoso ma è una strategia destinata a fallire nel lungo periodo. Massima resa con un “effetto wow”, ma prima o poi la saturazione arriva.
Al contrario, offrire al lettore l’opportunità di assumere un ruolo attivo ed entrare a far parte della community è quell’azione di ricollocare l’umano al centro che è un intento che oggi tanto si racconta e troppo poco si persegue. Soprattutto quando bisogna fare la propria parte rinunciando a facili scorciatoie.
Grazie alla community che è e che sarà, però, si può ancora essere in grado di resistere a sacrificare la qualità dell’informazione cyber sull’altare di algoritmi e delle facili leve di engagement.
L'articolo Cyber Divulgazione: Fine della One-Man-Band? La Community è la Nuova Sicurezza proviene da il blog della sicurezza informatica.
An Open-Source Wii U Gamepad
Although Nintendo is mostly famous for making great games, they also have an infamous reputation for being highly litigious not only for reasonable qualms like outright piracy of their games, but additionally for more gray areas like homebrew development on their platforms or posting gameplay videos online. With that sort of reputation it’s not surprising that they don’t release open-source drivers for their platforms, especially those like the Wii U with unique controllers that are difficult to emulate. This Wii U gamepad emulator seeks to bridge that gap.
The major issue with the Wii U compared to other Nintendo platforms like the SNES or GameCube is that the controller looks like a standalone console and behaves similarly as well, with its own built-in screen. Buying replacement controllers for this unusual device isn’t straightforward either; outside of Japan Nintendo did not offer an easy path for consumers to buy controllers. This software suite, called Vanilla, aims to allow other non-Nintendo hardware to bridge this gap, bringing in support for things like the Steam Deck, the Nintendo Switch, various Linux devices, or Android smartphones which all have the touch screens required for Wii U controllers. The only other hardware requirement is that the device must support 802.11n 5 GHz Wi-Fi.
Although the Wii U was somewhat of a flop commercially, it seems to be experiencing a bit of a resurgence among collectors, retro gaming enthusiasts, and homebrew gaming developers as well. Many games were incredibly well made and are still experiencing continued life on the Switch, and plenty of gamers are looking for the original experience on the Wii U instead. If you’ve somehow found yourself in the opposite position of owning of a Wii U controller but not the console, though, you can still get all the Wii U functionality back with this console modification.
Thanks to [Kat] for the tip!
Scoperto un nuovo Side-Channel sui processori Intel che consente l’estrazione dei segreti dal Kernel
Gli esperti del Politecnico federale di Zurigo (ETH Zurigo) hanno scoperto un problema che minaccia tutti i moderni processori Intel. Il bug consente agli aggressori di estrarre dati sensibili dalla memoria allocata ai componenti di sistema privilegiati, come il kernel del sistema operativo.
Queste aree di memoria contengono in genere informazioni quali password, chiavi crittografiche, memoria di altri processi e strutture dati del kernel, pertanto è fondamentale garantire che siano protette da perdite dei dati. Secondo i ricercatori, le protezioni contro la vulnerabilità Spectre v2 durano da circa sei anni, ma un nuovo attacco chiamato Branch Predictor Race Conditions consente di aggirarle.
La vulnerabilità associata a questo fenomeno è stata definita dagli esperti “branch privilege injection” alla quale è stata assegnato il seguente CVE-2024-45332. Questo problema causa una condizione di competizione nel sottosistema predittore di diramazione utilizzato nei processori Intel.
I branch predictors (predittori di diramazione), come il Branch Target Buffer (BTB) e l’Indirect Branch Predictor (IBP), sono componenti hardware che tentano di prevedere l’esito di un’istruzione di diramazione prima del suo completamento, al fine di ottimizzare le prestazioni. Tali previsioni sono speculative, il che significa che vengono annullate se si rivelano errate. Tuttavia, se sono corrette, contribuiscono a migliorare le prestazioni.
I ricercatori hanno scoperto che gli aggiornamenti dei branch predictors nei processori Intel non sono sincronizzati con l’esecuzione delle istruzioni, il che consente loro di “infiltrarsi” oltre i limiti dei privilegi. Pertanto, se si verifica un cambio di privilegio (ad esempio dalla modalità utente alla modalità kernel), esiste una piccola finestra temporale durante la quale l’aggiornamento potrebbe essere associato al livello di privilegio sbagliato.
Di conseguenza, l’isolamento tra l’utente e il kernel viene interrotto e un utente non privilegiato può far trapelare dati dai processi privilegiati. I ricercatori hanno creato unexploit PoC che addestra il processore a prevedere un target di branch specifico, quindi effettua una chiamata di sistema per spostare l’esecuzione al kernel del sistema operativo, con conseguente esecuzione speculativa tramite un target controllato dall’aggressore (gadget). Il codice accede quindi ai dati segreti nella cache utilizzando metodi side-channel e le informazioni vengono trasmesse all’aggressore.
I ricercatori hanno dimostrato il loro attacco su Ubuntu 24.04 con meccanismi di protezione predefiniti abilitati per leggere il contenuto del file /etc/shadow/ contenente le password degli account con hash. L’exploit raggiunge una velocità massima di estrazione dati di 5,6 KB/s e dimostra una precisione del 99,8%. Sebbene l’attacco sia stato dimostrato su Linux, il problema è presente anche a livello hardware, quindi potrebbe teoricamente essere utilizzato anche contro i sistemi Windows.
Si segnala che la vulnerabilità CVE-2024-45332 colpisce tutti i processori Intel a partire dalla nona generazione (Coffee Lake, Comet Lake, Rocket Lake, Alder Lake e Raptor Lake). Sono stati esaminati anche i chip Arm Cortex-X1, Cortex-A76 e AMD Zen 5 e Zen 4, ma non sono risultati interessati al CVE-2024-45332.
I ricercatori hanno comunicato le loro scoperte agli ingegneri Intel nel settembre 2024 e l’azienda ha rilasciato aggiornamenti del microcodice che hanno risolto il problema CVE-2024-45332. Si dice che le patch del firmware riducano le prestazioni del 2,7%, mentre le patch del software riducono le prestazioni dell’1,6-8,3% a seconda del processore.
Il team dell’ETH di Zurigo ha affermato che presenterà il suo exploit in tutti i dettagli durante una conferenza alla conferenza USENIX Security 2025.
L'articolo Scoperto un nuovo Side-Channel sui processori Intel che consente l’estrazione dei segreti dal Kernel proviene da il blog della sicurezza informatica.
In Cina il CNVD premia i migliori ricercatori di sicurezza e la collaborazione tra istituzioni e aziende
Durante una conferenza nazionale dedicata alla sicurezza informatica, sono stati ufficialmente premiati enti, aziende e professionisti che nel 2024 hanno dato un contributo significativo al National Information Security Vulnerability Database (CNNVD). L’evento ha messo in luce l’importanza della collaborazione tra istituzioni pubbliche, aziende private e mondo accademico per migliorare la capacità del Paese di individuare, segnalare e mitigare le vulnerabilità nelle infrastrutture critiche.
Nel corso dell’evento sono stati consegnati undici premi distinti, tra cui il “Premio Miglior Esordiente”, il “Premio per il Contributo Eccezionale al Reporting di Alta Qualità”, quello per le “Vulnerabilità di Alta Qualità”, il premio per il “Controllo delle Vulnerabilità”, e ulteriori riconoscimenti a università, esperti tecnici e produttori impegnati nella condivisione delle informazioni. I vincitori includono grandi nomi del settore tech e della cybersicurezza cinese come Huawei, Tencent, Qi’anxin, Sangfor e molte altre realtà emergenti.
Grande attenzione è stata data anche alle collaborazioni accademiche, con premi conferiti a istituzioni come l’Università di Aeronautica e Astronautica di Pechino e l’Istituto tecnico di Qingyuan. L’importanza del contributo universitario è stata sottolineata come elemento chiave per la formazione di nuovi talenti e lo sviluppo di soluzioni innovative nel campo della sicurezza informatica.
Numerose aziende, tra cui anche i principali operatori di telecomunicazioni, fornitori energetici e realtà industriali strategiche, sono state premiate per la cooperazione nel rafforzare la sicurezza delle infrastrutture critiche. Questo dimostra come il tema della cybersicurezza sia ormai centrale per la resilienza nazionale, coinvolgendo settori trasversali e fondamentali per la stabilità del Paese.
Non sono mancati i riconoscimenti individuali: esperti tecnici selezionati per il loro contributo specifico sono stati premiati come “Specially Appointed Technical Experts of the Year”, tra cui figure provenienti da aziende leader come CyberKunlun, Huashun Xinan e Douxiang. I loro interventi hanno rappresentato un esempio di eccellenza nella risposta alle minacce informatiche.
A conclusione dell’evento, i rappresentanti delle istituzioni accademiche e aziendali hanno tenuto discorsi che hanno riaffermato la necessità di continuare a costruire un ecosistema coeso e proattivo per la gestione delle vulnerabilità.
Il CNNVD ha ribadito il proprio impegno a rafforzare il ruolo del database come punto di riferimento nazionale, ponte tra talenti, istituzioni e aziende, per garantire una sicurezza informatica sempre più avanzata e coordinata.
L'articolo In Cina il CNVD premia i migliori ricercatori di sicurezza e la collaborazione tra istituzioni e aziende proviene da il blog della sicurezza informatica.
3D Printing Uranium-Carbide Structures for Nuclear Applications
Within the nuclear sciences, including fuel production and nuclear medicine (radiopharmaceuticals), often specific isotopes have to be produced as efficiently as possible, or allow for the formation of (gaseous) fission products and improved cooling without compromising the fuel. Here having the target material possess an optimized 3D shape to increase surface area and safely expel gases during nuclear fission can be hugely beneficial, but producing these shapes in an efficient way is complicated. Here using photopolymer-based stereolithography (SLA) as recently demonstrated by [Alice Zanini] et al. with a research article in Advanced Functional Materials provides an interesting new method to accomplish these goals.
In what is essentially the same as what a hobbyist resin-based SLA printer does, the photopolymer here is composed of uranyl ions as the photoactive component along with carbon precursors, creating solid uranium dicarbide (UC2) structures upon exposure to UV light with subsequent sintering. Uranium-carbide is one of the alternatives being considered for today’s uranium ceramic fuels in fission reactors, with this method possibly providing a reasonable manufacturing method.
Uranium carbide is also used as one of the target materials in ISOL (isotope separation on-line) facilities like CERN’s ISOLDE, where having precise control over the molecular structure of the target could optimize isotope production. Ideally equivalent photocatalysts to uranyl can be found to create other optimized targets made of other isotopes as well, but as a demonstration of how SLA (DLP or otherwise) stands to transform the nuclear sciences and industries.
Overengineered Freezer Monitor Fills Market Void
A lot of projects we see around here are built not just because they can be built, but because there’s no other option available. Necessity is the mother of invention, as they say. And for [Jeff] who has many thousands of dollars of food stowed in a chest freezer, his need for something to keep track of his freezer’s status was greater than any commercial offering available. Not only are freezers hard on batteries, they’re hard on WiFi signals as well, so [Jeff] built his own temperature monitor to solve both of these issues.
The obvious solution here is to have a temperature probe that can be fished through the freezer in some way, allowing the microcontroller, battery, and wireless module to operate outside of the harsh environment. [Jeff] is using K-type thermocouples here, wired through the back of the freezer. This one also is built into a block of material which allows him to get more diffuse temperature readings than a standard probe would provide. He’s also solving some other problems with commercially available probes here as well, as many of them require an Internet connection or store data in a cloud. To make sure everything stays local, he’s tying this in to a Home Assistant setup which also allows him to easily make temperature calibrations as well as notify him if anything happens to the freezer.
Although the build is very robust (or, as [Jeff] himself argues, overengineered) he does note that since he built it there have been some additional products offered for sale that fit this niche application. But even so, we always appreciate the customized DIY solution that avoids things like proprietary software, subscriptions, or cloud services. We also appreciate freezers themselves; one of our favorites was this restoration of a freezer with a $700,000 price tag.
Easy Panels With InkJet, Adhesives, and Elbow Grease
Nothing caps off a great project like a good, professional-looking front panel. Looking good isn’t easy, but luckily [Accidental Science] has a tutorial for a quick-and-easy front panel technique in the video below.
It starts with regular paper, and an inkjet or laser printer to print your design. The paper then gets coated on both sides: matte varnish on the front, and white spray paint on the obverse. Then it’s just a matter of cutting the decal from the paper, and it gluing to your panel. ([Accidental Science] suggests two-part epoxy, but cautions you make sure it does not react to the paint.)
He uses aluminum in this example, but there’s no reason you could not choose a different substrate. Once the paper is adhered to the panel, another coat of varnish is applied to protect it. Alternatively, clear epoxy can be used as glue and varnish. The finish produced is very professional, and holds up to drilling and filing the holes in the panel.
We’d probably want to protect the edges by mounting this panel in a frame, but otherwise would be proud to put such a panel on a project that required it. We covered a similar technique before, but it required a laminator.If you’re looking for alternatives, Hackaday community had a lot of ideas on how to make a panel, but if you have a method you’ve documented, feel free to put in the tip line.
youtube.com/embed/ekGpPaAR3Ec?…
A UV Meter For The Flipper Zero
We all know UV radiation for its contributions to getting sunburned after a long day outside, but were you aware there are several types different types of UV rays at play? [Michael] has come up with a Flipper Zero add on board and app to measure these three types of radiation, and explained some of the nuances he learned about measuring UV along the way.
At the heart of this project is an AS7331 sensor, it can measure the UV-A, UV-B, and UV-C radiation values that the Flipper Zero reads via I2C. While first using this chip he realized to read these values is more complex than just querying the right register, and by the end of this project he’d written his own AS7331 library to help retrieve these values. There was also a some experimenting with different GUI designs for the app, the Flipper Zero screen is only 128x64px and he had a lot of data to display. One feature we really enjoyed was the addition of the wiring guide to the app, if you install this Flipper Zero app and have just the AS7331 sensor on hand you’ll know how to hook it up. However if you want he also has provided the design files for a PCB that just plugs into the top of the Flipper Zero.
Head over to his site to check out all the details of this Flipper Zero project, and to learn more about the different types of UV radiation. Also be sure to let us know about any of your Flipper Zero projects.
Keebin’ with Kristina: the One with the Wafer-Thin Keyboard
That’s okay, though, because now you’re caught up and I can talk about his latest keyboard, the mikecinq. The inspiration for this one includes the aesthetics of Le Chiffre and the slimness of Le Oeuf. As you’ll see in the gallery, the top is ever-so-slightly slanted downward from the top.
You can see it really well in the second picture — the top row is flush with the case, and the keys gradually get taller toward the thumb clusters. All [dynam1keNL] really had to do was 3D model the new case and screw in the PCB from his daily driver mikefive.
So in order to deal with this, he made a dedicated mikecinq PCB with big cutouts with castellated holes beneath each switch. Now, the switch contacts are accessible from underneath and can be soldered with an iron.
You may have noticed that the mikefive production files are not available on GitHub — that’s because it was recently licensed and will be available soon. But if you want production files for the mikecinq, let him know in the comments.
Cyberpunk 2077 Here In 2025
This here is a Sofle RGB v2.1 that, as we’ve concluded, is heavily inspired by Cyberpunk 2077. The case is 3D-printed and then airbrushed, and then stickered up with custom decals that include references to Arasaka and Samurai. The acrylic base lets even more Baja Blast-colored RGB goodness shine through.
The switches are Akko Crystal Blues, which seem like a great choice, and the caps are two combined sets — one matte and one translucent. This is the second version of the project, and you can see how the first one turned out over on GitHub.
via reddit
The Centerfold: An Avalanche of Color
Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!
Historical Clackers: the Brackelsberg
The Classic Typewriter page calls the Brackelsberg syllabic typewriter “another hallucinogenic creation from the golden age of writing machine design“, and I don’t disagree.
This 1897 machine had types arranged on several type sectors which swung up and down. Each sector carried about 30 types, which I take to mean characters.
The 132-key board was divided into four sectors, and they could be operated simultaneously — as in, you could type four characters at once, entering entire syllables if you so desired. Thus, it was called a syllabic typewriter.
A hammer struck from the rear, connecting the paper and ribbon with the types. It seems slow and cumbersome, doesn’t it? But Brackelsberg insisted that it was quiet, pointed out that the writing was always visible, and argued that the syllabic gimmick would make it fast and convenient to use.
Although never mass-produced, a working prototype was built and is pictured here in a photograph from Friedrich Muller’s book called Schriebmaschinen und Schriften-Vervielfältigung published in 1900.
Finally, a Keyboard That Looks Like a Typewriter and Might Not Suck
I say this because of the disappointment I suffered buying a similar Bluetooth keyboard for ten bucks from a place where everything typically costs half of that or less. The thing just stopped working one day not long after the store warranty had expired. You win some, you lose some, I suppose.
Anyway, the Yunzii QL75 ought to fare better given that it’s ten times the cost to pre-order; at least I hope it does. And much like the crappy one I have, it comes in pink.
You can choose either Onyx tactile switches or Cocoa Cream V2 linear switches. But if you don’t like those, the switches are hot-swappable and compatible with 3-pin and 5-pins both.
The keycaps are ABS with a matte chrome electroplated finish and laser-engraved legends. Yes there is RGB, but it doesn’t shine through the keycaps, more like between them, it sounds like.
Thankfully, the QL75 works with QMK and VIA if you want to change things up. This thing has three-way connectivity to the device of your choice, which, if it’s small enough, can sit right above the keyboard where the paper would go.
There’s no telling what the knobs on the sides do, if anything, although there are arrows. On mine, they raise and lower the little kickstands.
Via TweakTown
Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.
The Nightmare of Jailbreaking a ‘Pay-To-Ride’ Gotcha Ebike
Theoretically bicycle rental services are a great thing, as they give anyone the means to travel around comfortably without immediately having to rent a car, hail a taxi or brave whatever the local public transport options may be. That is until said services go out of business and suddenly thousands of increasingly more proprietary and locked-down e-bikes suddenly are at risk of becoming e-waste. So too with a recent acquisition by [Berm Peak] over at YouTube, featuring a ‘Gotcha’ e-bike by Bolt Mobility, which went AWOL back in 2022, leaving behind thousands of these e-bikes.
So how hard could it be to take one of these proprietary e-bikes and turn it into a run-off-the-mill e-bike for daily use? As it turns out, very hard. While getting the (36V) battery released and recharged was easy enough, the challenge came with the rest of the electronics, with a veritable explosion of wiring, the Tongsheng controller module and the ‘Gotcha’ computer module that locks it all down. While one could rip this all out and replace it, that would make the cost-effectiveness of getting one of these go down the drain.
Sadly, reverse-engineering the existing system proved to be too much of a hassle, so a new controller was installed along with a bunch of hacks to make the lights and new controller work. Still, for $75 for the bike, installing new electronics may be worth it, assuming you can find replacement parts and got some spare hours (or weeks) to spend on rebuilding it. The bike in the video costed less than $200 in total with new parts, albeit with the cheapest controller, but maybe jailbreaking the original controller could knock that down.
youtube.com/embed/yJC9s4XhiRE?…
Riciclaggio, Romantic Scam e Hacker Nord coreani. Dentro i mercati Telegram di Xinbi Guarantee
Gli espertidi sicurezza hanno riportato di una piattaforma trading cinese Xinbi Guarantee, che opera sulla base di Telegram. Dal 2022 sono transitati almeno 8,4 miliardi di dollari attraverso questo mercato ombra, rendendolo il secondo mercato nero più grande dopo HuiOne Guarantee.
Secondo un rapporto degli analisti blockchain di Elliptic, Xinbi Guarantee vendeva tecnologia, dati personali e servizi di riciclaggio di denaro. “La stablecoin Tether (USDT) è il principale mezzo di pagamento per Xinbi Guarantee e, ad oggi, il volume delle transazioni ha superato gli 8,4 miliardi di dollari”, scrivono i ricercatori. “Alcune transazioni potrebbero essere collegate a fondi rubati dalla Corea del Nord.”
Xinbi, come HuiOne, ha lavorato principalmente con truffatori del Sud-Est asiatico, tra cui uno che è diventato popolare negli ultimi anni con la truffa romantica (nota anche come “macellazione del maiale”).
In questo schema, i truffatori utilizzano l’ingegneria sociale e contattano persone (“maiali”) sui social media e sulle app di incontri. Con il passare del tempo, i criminali si sono guadagnati la fiducia delle loro vittime fingendo un’amicizia o un interesse romantico e, a volte, fingendosi veri amici della vittima.
Una volta stabilito il “contatto”, a un certo punto i criminali propongono alla vittima di investire in criptovalute, per cui la vittima viene indirizzata a un sito web falso. Sfortunatamente, sarà impossibile recuperare i tuoi fondi e ricevere entrate false da tali “investimenti”.
Secondo gli esperti, Xinbi Guarantee contava circa 233.000 utenti e i venditori erano divisi in categorie legate al riciclaggio di denaro, alle apparecchiature Internet satellitari Starlink, ai falsi documenti d’identità e ai database rubati, utilizzati per trovare potenziali vittime.
Alcuni venditori offrivano anche servizi di stalking e intimidazione a qualsiasi bersaglio scelto in Cina, pubblicizzavano donne come donatrici di ovuli o madri surrogate e si dedicavano persino al traffico di esseri umani, andando ben oltre le solite truffe informatiche.
“I volumi delle transazioni su piattaforme cinesi come Huione e Xinbi Guarantee superano significativamente i volumi delle transazioni sulla prima generazione di piattaforme darknet su Tor”, sottolineano gli esperti.
Inoltre, si sottolinea che Xinbi e HuiOne Guarantee sono stati utilizzati per riciclare le criptovalute rubate dagli hacker nordcoreani dall’exchange di criptovalute indiano WazirX nel luglio dello scorso anno. Pertanto, secondo Elliptic, il 12 novembre 2024, 220.000 dollari in USDT sono stati inviati agli indirizzi wallet controllati da Xinbi.
Un aspetto interessante dell’attività di Xinbi è che è gestita da un “gruppo di società di investimento e gestione patrimoniale” registrato nello stato americano del Colorado a nome di un uomo di nome Mohd Shahrulnizam Bin Abd Manap. Secondo il registro statale delle società, Xinbi è stata costituita nell’agosto 2022 e da allora non ha presentato relazioni periodiche.
Gli esperti scrivono di aver trasmesso tutte le informazioni raccolte agli specialisti di Telegram, dopodiché l’amministrazione di Messenger ha chiuso migliaia di canali associati a Xinbi e HuiOne Guarantee, interrompendo il funzionamento di due piattaforme di trading, il cui fatturato totale supera i 35 miliardi di dollari USA in transazioni USDT.
Poco dopo, HuiOne/Haowang Guarantee ha pubblicato una dichiarazione ufficiale sul proprio sito web, affermando che avrebbe cessato le operazioni perché “tutti gli NFT, i canali e i gruppi sono stati bloccati da Telegram”. Si sottolinea che tutte le attività sul marketplace sono state condotte da venditori terzi che non avevano alcun rapporto con HuiOne Guarantee.
“Offriamo solo servizi di garanzia. Operiamo solo su Telegram, che è bloccato nella Cina continentale da molto tempo. Gli utenti della Cina continentale non possono usare Telegram, quindi i nostri clienti predefiniti sono utenti di altri Paesi”, ha dichiarato l’azienda.
In risposta a ciò, gli esperti di Elliptic hanno pubblicato un nuovo post, in cui hanno sottolineato che tali piattaforme agiscono in realtà come intermediari tra venditori e acquirenti. Tuttavia, l’amministrazione del marketplace controlla l’accesso e utilizza meccanismi di protezione dalle frodi, tra cui depositi e servizi di deposito a garanzia..
Di conseguenza, HuiOne Guarantee ha incoraggiato i suoi venditori e utenti a migrare verso un altro marketplace chiamato Tudou Guarantee, che ha già visto la sua base di utenti aumentare del 30%. Inoltre, secondo gli analisti di Elliptic, “ci sono già segnali che Xinbi stia cercando di riprendere le operazioni” con il nome Xinbi 2.0.
L'articolo Riciclaggio, Romantic Scam e Hacker Nord coreani. Dentro i mercati Telegram di Xinbi Guarantee proviene da il blog della sicurezza informatica.
Remembering The ISP That David Bowie Ran For Eight Years
The seeds of the Internet were first sown in the late 1960s, with computers laced together in continent-spanning networks to aid in national defence. However, it was in the late 1990s that the end-user explosion took place, as everyday people flocked online in droves.
Many astute individuals saw the potential at the time, and rushed to establish their own ISPs to capitalize on the burgeoning market. Amongst them was a famous figure of some repute. David Bowie might have been best known for his cast of rock-and-roll characters and number one singles, but he was also an internet entrepreneur who got in on the ground floor—with BowieNet.
Is There Dialup On Mars?
Bowie’s obsession with the Internet started early. He was well ahead of the curve of many of his contemporaries, becoming the first major artist to release a song online. Telling Lies was released as a downloadable track, which sold over 300,000 downloads, all the way back in 1996. A year later, the Earthling concert would be “cybercast” online, in an era when most home internet connections could barely handle streaming audio.
These moves were groundbreaking, at the time, but also exactly what you might expect of a major artist trying to reach fans with their music. However, Bowie’s interests in the Internet lay deeper than mere music distribution. He wanted a richer piece of the action, and his own ISP—BowieNet— was the answer.
Bowie tapped some experts for help, enlisting Robert Goodale and Ron Roy in his nascent effort. The service first launched in the US, on September 1st 1998, starting at a price of $19.95 a month. The UK soon followed at a price of £10.00. Users were granted a somewhat awkward email address of username@davidbowie.com, along with 5MB of personal web hosting. Connectivity was provided in partnership with established network companies, with Concentric Network Corp effectively offering a turnkey ISP service, and UltraStar handling the business and marketing side of things. It was, for a time, also possible to gain a free subscription by signing up for a BowieBanc credit card, a branded front end for a banking services run by USABancShares.com. At its peak, the service reached a total of 100,000 subscribers.
Bonuses included access to a network of chatrooms. The man himself was a user of the service, regularly popping into live chats, both scheduled and casually. He’d often wind up answering a deluge of fan questions on topics like upcoming albums and whether or not he drank tea. The operation was part ISP, part Bowie content farm, with users also able to access audio and video clips from Bowie himself. BowieNet subscribers were able to access exclusive tracks from the Earthling tour live album, LiveAndWell.com, gained early access to tickets, and could explore BowieWorld, a 3D interactive city environment. To some controversy, users of other ISPs had to stump up a $5.95 fee to access content on davidbowie.com, which drew some criticism at the time.
Bowienet relied heavily on the leading Internet technologies of the time. Audio and graphics were provided via RealAudio and Flash, standards that are unbelievably janky compared to those in common use today. A 56K modem was recommended for users wishing to make the most of the content on offer. New features were continually added to the service; Christmas 2004 saw users invited to send “BowieNet E-Cards,” and the same month saw the launch of BowieNet blogs for subscribers, too.
youtube.com/embed/tLf6KZmJyrA?…
Bowie spoke to the BBC in 1999 about his belief in the power of the Internet.
BowieNet didn’t last forever. The full-package experience was, realistically, more than people expected even from one of the world’s biggest musicians. In May 2006, the ISP was quietly shutdown, with the BowieNet web presence slimmed down to a website and fanclub style experience. In 2012, this too came to an end, and DavidBowie.com was retooled to a more typical artist website of the modern era.
Ultimately, BowieNet was an interesting experiment in the burgeoning days of the consumer-focused Internet. The most appealing features of the service were really more about delivering exclusive content and providing a connection between fans and the artist himself. It eventually became clear that Bowie didn’t need to be branding the internet connection itself to provide that.
Still, we can dream of other artists getting involved in the utilities game, just for fun. Gagaphone would have been a slam dunk back in 2009. One suspects DojaGas perhaps wouldn’t have the same instant market penetration without some kind of hit single about clean burning fuels. Speculate freely in the comments.
28 zero-day in 3 giorni e oltre un milione di dollari in premi: ecco cosa è successo al Pwn2Own 2025
La ricerca dei bug frutta e anche molto!
Si è concluso il Pwn2Own Berlin 2025 con risultati tecnologici impressionanti, portando il montepremi complessivo a oltre un milione di dollari. I ricercatori di sicurezza hanno dimostrato sofisticate tecniche di sfruttamento contro obiettivi di alto profilo, tra cui Windows 11, VMware ESXi e Mozilla Firefox, rivelando vulnerabilità zero-day critiche che i fornitori devono ora affrontare.
La competizione di hacking, durata tre giorni, ha messo in luce 28 vulnerabilità zero-day uniche, con i ricercatori che hanno vinto premi per un totale di 1.078.750 dollari. Il terzo giorno si sono verificati diversi exploit zero-day significativi contro le principali piattaforme. L’ex vincitore del Master of Pwn Manfred Paul ha sfruttato con successo Mozilla Firefox sfruttando una vulnerabilità di tipo integer overflow nel motore di rendering, guadagnando 50.000 dollari e 5 punti Master of Pwn.
Questo exploit che riguarda solo il rendering ha dimostrato come aggressori sofisticati possano compromettere i sistemi sfruttando le vulnerabilità del browser. La sicurezza di Windows 11 è stata violata due volte nel corso della giornata. Miloš Ivanović ha dimostrato una vulnerabilità alle condizioni di gara per aumentare i privilegi al livello SYSTEM nel tentativo finale della competizione, guadagnando 15.000 dollari.
In precedenza, un membro del team di ricerca DEVCORE aveva dimostrato con successo l’escalation dei privilegi su Windows 11, sebbene uno dei due bug utilizzati fosse già noto a Microsoft. Anche i prodotti di virtualizzazione VMware si sono dimostrati vulnerabili. Corentin BAYET di Reverse_Tactics ha sfruttato VMware ESXi sfruttando una vulnerabilità di tipo integer overflow e un bug di variabile non inizializzata precedentemente segnalato, guadagnando 112.500 dollari nonostante la collisione parziale.
Inoltre, Thomas Bouzerar ed Etienne Helluy-Lafont di Synacktiv hanno sfruttato con successo VMware Workstation tramite un buffer overflow basato su heap, guadagnando 80.000 dollari e 8 punti Master of Pwn. STAR Labs SG si è aggiudicato il titolo di vincitore assoluto, aggiudicandosi il prestigioso titolo Master of Pwn con 320.000 dollari di guadagni e 35 punti. Il loro team ha dimostrato eccezionali capacità tecniche in diverse categorie.
In una dimostrazione particolarmente impressionante, i membri del team Dung e Nguyen hanno sfruttato una condizione di competizione TOCTOU (time-of-check-to-time-of-use) per uscire da una macchina virtuale, combinandola con una convalida impropria della vulnerabilità dell’indice dell’array per aumentare i privilegi in Windows. Questa complessa catena di attacchi ha fruttato loro 70.000 dollari e 9 punti Master of Pwn.
Secondo il rapporto, l’evento di Berlino del 2025 ha segnato un traguardo significativo, con 1.078.750 dollari assegnati in tre giorni, di cui 383.750 dollari solo nell’ultimo giorno. Questo montepremi da record sottolinea la crescente importanza e il valore economico della ricerca sulla sicurezza.
Dei 28 zero-day unici e divulgati durante l’evento, sette provenivano dalla categoria AI, a dimostrazione dell’espansione della superficie di attacco dovuta alla crescente diffusione dei sistemi di intelligenza artificiale. Il formato competitivo continua a rappresentare un meccanismo efficace per identificare vulnerabilità critiche prima che soggetti malintenzionati possano sfruttarle.
L’evento, ospitato da OffensiveCon, ha riunito ricercatori e fornitori di sicurezza d’élite in un quadro di collaborazione che apporta vantaggi all’intero ecosistema tecnologico. I fornitori hanno già iniziato ad affrontare le vulnerabilità scoperte, dimostrando l’impatto pratico dell’evento sul miglioramento della sicurezza digitale per gli utenti di tutto il mondo.
L'articolo 28 zero-day in 3 giorni e oltre un milione di dollari in premi: ecco cosa è successo al Pwn2Own 2025 proviene da il blog della sicurezza informatica.
Using pitot tubes for more than aircraft
When we hear the words “pitot tube,” we tend to think more of airplanes than of air ducts, but [Franci Kopač]’s guide to pitot tubes for makers shows that they can be a remarkably versatile tool for measuring air speed, even in domestic settings.
A pitot tube is a tube which faces into an air flow, with one hole at the front of the tube, and one on the side. It’s then possible to determine the air speed by measuring the pressure difference between the side opening and the end facing into the wind. At speeds, temperatures, and altitudes that a hacker’s likely to encounter (i.e. not on an airplane), the pressure difference is pretty small, and it’s only since the advent of MEMS pressure sensors that pitot tubes became practical for amateurs.
[Franci]’s design is based on a Sensiron SDP differential pressure sensor, a 3D-printed pitot tube structure, some tubing, and the microcontroller of your choice. It’s important to position the tube well, so that it doesn’t experience airflow disturbances from other structures and faces straight into the air flow. Besides good positioning, the airspeed calculation requires you to know the air temperature and absolute pressure.
[Franci] also describes a more exotic averaging pitot tube, a fairly simple variation which measures air speed in cavities more accurately. He notes that this provides a more inexpensive way of measuring air flow in ducts than air conditioning flow sensors, while being more resilient than propeller-based solutions – he himself used pitot tubes to balance air flow in his home’s ventilation. All of the necessary CAD files and Arduino code are available on his GitHub repository.
If you’re looking for a more conventional duct flow meter, we’ve covered one before. We’ve even seen a teardown of a pitot tube sensor system from a military drone.
The consequences of digital sovereignty
WELCOME BACK TO DIGITAL POLITICS. I'm Mark Scott. This weekend was another belter when it came to elections (we'll get to that in a minute.) But, more importantly, Austria won this year's Eurovision song contest with this entry — still not as good as this Italian winner from 2021, imo.
— Digital sovereignty is now the name of the game. That's going to lead to increased silos between how countries approach crucial tech policy issues.
— Romanians backed a pro-EU candidate to become the country's next president. That hasn't stopped many from crying foul play.
— The cost of using the most advanced AI models has fallen 280-fold over the last 18 months as companies race to woo users worldwide.
Let's get started: