
TikTok fined 530 million: European data stored in China without authorisation


The Chinese short-video app TikTok will have to pay 530 million euros to the Irish data protection authority for failing to comply with European privacy law. The fine of almost 600 million dollars stems from TikTok storing European users’ data on servers in China and from its failure to disclose the transfers of data to China between July 2020 and November 2022.

These failures amounted to violations of the General Data Protection Regulation (GDPR). The regulation requires companies to properly inform their users about transfers of data to a third country, and to ensure adequate privacy safeguards before the data is transferred.

The Irish Data Protection Commission also said that TikTok provided inaccurate information during its investigation of the company. Despite claims that TikTok had stopped data transfers to China, TikTok informed the commission in April that “limited” European user data “had in fact been stored on servers in China”. The order gives TikTok six months to bring its data processing practices into line with European law.

“TikTok’s personal data transfers to China infringed the GDPR because TikTok failed to verify, guarantee and demonstrate that the personal data of EEA users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” said DPC Deputy Commissioner Graham Doyle.

Doyle added that the DPC is considering further regulatory action against the company. TikTok told regulators that it has deleted the data found on the Chinese servers.

After initially moving the data to centres in Singapore and the United States, TikTok has said that since 2023 European users’ data has been stored in an enclave hosted in data centres in Norway, Ireland and the United States. It has committed to spending 12 billion euros over a decade to improve the security of European users’ data, in an initiative called “Project Clover”. Reuters reported on Wednesday that TikTok plans to invest 1 billion euros to build a data centre in Finland.

TikTok did not immediately respond to a request for comment.

In 2023, Irish regulators had already fined TikTok 345 million euros for allowing young users to create accounts that were public by default and for allowing child users’ accounts to be paired with unverified non-child users. The UK data regulator also fined the company 12.7 million pounds for failing to protect children’s privacy.

The article “TikTok fined 530 million: European data stored in China without authorisation” comes from il blog della sicurezza informatica.


A Neat E-Paper Digit Clock (or Four)


[sprite_tm] had a problem. He needed a clock for the living room, but didn’t want to just buy something off the shelf. In his own words, “It’s an opportunity for a cool project that I’d rather not let go to waste.” Thus started a project to build a fun e-paper digit clock!

There were several goals for the build from the outset. It had to be battery driven, large enough to be easily readable, and readily visible both during the day and in low-light conditions. It also needed to be low maintenance, and “interesting,” as [sprite_tm] put it. This drove the design towards an e-paper solution. However, large e-paper displays can be a bit pricy. That spawned a creative idea—why not grab four smaller displays and make a clock with separate individual digits instead?

The build description covers the full design, from the ESP32 at the heart of things to odd brownout issues and the old-school Nokia batteries providing the juice. Indeed, [sprite_tm] even went the creative route, making each individual digit of the clock operate largely independently. Each has its own battery, microcontroller, and display. To save battery life, only the hours digit has to spend energy syncing with an NTP time server, and it uses the short-range ESPNow protocol to send time updates to the other digits.

It’s an unconventional clock, to be sure; you could even consider it four clocks in one. Ultimately, though, that’s what we like in a timepiece here at Hackaday. Meanwhile, if you’ve come up with a fun and innovative way to tell time, be sure to let us know on the tipsline!

[Thanks to Maarten Tromp for the tip!]


hackaday.com/2025/05/02/a-neat…


A Gentle Introduction to Impedance Matching


A man is shown on the left of the screen, speaking to the camera. On the right of the screen, a Smith chart is displayed. At the top of the screen, the words "TWO METHODS" are displayed.

Impedance matching is one of the perpetual confusions for new electronics students, and for good reason: the idea that increasing the impedance of a circuit can lead to more power transmission is frighteningly unintuitive at first glance. Even once you understand this, designing a circuit with impedance matching is a tricky task, and it’s here that [Ralph Gable]’s introduction to impedance matching is helpful.

The goal of impedance matching is to maximize the amount of power transmitted from a source to a load. In some simple situations, resistance is the only significant component in impedance, and it’s possible to match impedance just by matching resistance. In most situations, though, capacitance and inductance will add a reactive component to the impedance, in which case it becomes necessary to use the complex conjugate for impedance matching.

The video goes over this theory briefly, but its real focus is on explaining how to read a Smith chart, an intimidating-looking tool which can be used to calculate impedances. The video covers the basic impedance-only Smith chart, as well as a full-color Smith chart which indicates both impedance and admittance.

This video is the introduction to a planned series on impedance matching, and beyond reading Smith charts, it doesn’t really get into many specifics. However, based on the clear explanations so far, it could be worth waiting for the rest of the series.

If you’re interested in more practical details, we’ve also covered another example before.

youtube.com/embed/J_kujlActGo?…


hackaday.com/2025/05/02/a-gent…


Prusa Mini Nozzle Cam on the Cheap


Prusa Mini with endoscope nozzle cam and pip preview

Let me throw in a curveball—watching your 3D print fail in real-time is so much more satisfying when you have a crisp, up-close view of the nozzle drama. That’s exactly what [Mellow Labs] delivers in his latest DIY video: transforming a generic HD endoscope camera into a purpose-built nozzle cam for the Prusa Mini. The hack blends absurd simplicity with delightful nerdy precision, and comes with a full walkthrough, a printable mount, and just enough bad advice to make it interesting. It’s a must-see for any maker who enjoys solder fumes with their spaghetti monsters.

What makes this build uniquely brilliant is the repurposing of a common USB endoscope camera—a tool normally reserved for inspecting pipes or internal combustion engines. Instead, it’s now spying on molten plastic. The camera gets ripped from its aluminium tomb, upgraded with custom-salvaged LEDs (harvested straight from a dismembered bulb), then wrapped in makeshift heat-shrink and mounted on a custom PETG bracket. [Mellow Labs] even micro-solders in a custom connector just so the camera can be detached post-print. The mount is parametric, thanks to a community contribution.

This is exactly the sort of hacking to love—clever, scrappy, informative, and full of personality. For the tinkerers among us who like their camera mounts hot and their resistor math hotter, this build is a weekend well spent.

youtube.com/embed/VBmO2SMDnJU?…


hackaday.com/2025/05/02/prusa-…


Smart Speaker Gets Brain Surgery, Line-Out


A Yamaha smart speaker, now with external DAC.

Sometimes you find a commercial product that is almost, but not exactly perfect for your needs. Your choices become: hack together a DIY replacement, or hack the commercial product to do what you need. [Daniel Epperson] chose door number two when he realized his Yamaha MusicCast smart speaker was perfect for his particular use case, except for its tragic lack of line out. A little surgery and a Digital-to-Analog Converter (DAC) breakout board solved that problem.
You can’t hear it in this image, but the headphones work.

[Daniel] first went diving into the datasheet of the Yamaha amplifier chip inside of the speaker, before realizing it did too much DSP for his taste. He did learn that the chip was getting I2S signals from the speaker’s Wi-Fi module. That’s a lucky break, since I2S is an open, well-known protocol. [Daniel] had an Adafruit DAC; he only needed to get the I2S signals from the smart speaker’s board to his breakout. That proved to be an adventure, but we’ll let [Daniel] tell the tale on his blog.

After a quick bit of OpenSCAD and 3D printing, the DAC was firmly mounted in its new home. Now [Daniel] has the exact audio-streaming-solution he wanted: Yamaha’s MusicCast, with line out to his own hi-fi.

[Daniel] and hackaday go way back: we featured his robot lawnmower in 2013. It’s great to see he’s still hacking. If you’d rather see what’s behind door number one, this roll-your-own smart speaker may whet your appetite.


hackaday.com/2025/05/02/smart-…


81-year-old fugitive paedophile caught and sentenced to 46 years. Thanks to artificial intelligence


Cheshire Police used artificial intelligence technology to find the dangerous criminal Richard Burrows after 28 years of unsuccessful searching. The court sentenced him to 46 years in prison on 97 counts of child sexual abuse.

For several decades, from the late 1960s to the 1990s, Burrows committed offences while working as the head of a boarding school in Cheshire and as a scout leader in the West Midlands. In 1997 he fled the United Kingdom, and many victims no longer believed he would ever be found.

The story of his escape began when Burrows failed to appear at Chester court, where he was due to give evidence on the charges. His victims had prepared to testify, reliving the traumatic experience. According to Detective Inspector Eleanor Atkinson, who led the investigation in 2024, at the time the suspect had even been ready to be released on bail. When police arrived at his home in Birmingham, they discovered that the man had sold his car shortly before disappearing, which points to a planned escape.

Over the years the local police tried various search methods, until in 2024 they turned to the PimEyes service. The system found photos of the man online within seconds, placing him in Thailand. The decisive detail was the distinctive mark on Burrows’ neck, captured in photographs of his farewell party in 2019. The pictures had been published in a Phuket newspaper, where he was hiding under the name Peter Smith.

During the investigation it emerged that the criminal had used a simple but effective disguise. In the 1990s he obtained a genuine passport using not only his own photo but also the details of his terminally ill friend Peter Leslie Smith. The paedophile travelled on this document and renewed it several times without arousing suspicion.

Thai journalist Tim Newton, who regularly met Burrows at business events for expatriates in Phuket, said that nobody suspected his past: “To us he was just good old Peter Smith. Nobody even knew his real name. He kept this secret for all the 27 years he spent on the island.”

After starting his career as an English teacher, the fugitive then moved into the media world, working in the advertising department of a company that owned local newspapers and websites. His superiors also maintain that they were unaware of any criminal record for the employee. During his last years in Thailand, Burrows lived in a converted shipping container. There were even rumours that he had been the victim of extortionists. In his notes he called this period “paradise”, but in March 2024 he returned to the United Kingdom of his own accord, justifying his decision by saying he had “run out of money”. It was there that he was arrested, just as he was stepping off the plane.

PimEyes is an open-source image search platform created eight years ago in Poland. Users can upload a photo and see where it has been published online.

However, the use of such services is currently controversial. London’s police have already blocked access to PimEyes on official devices, while keeping other facial recognition systems active.

The article “81-year-old fugitive paedophile caught and sentenced to 46 years. Thanks to artificial intelligence” comes from il blog della sicurezza informatica.


3D Printed Spirograph Makes Art Out of Walnut


Who else remembers Spirograph? When making elaborate spiral doodles, did you ever wish for a much, much bigger version? [Fortress Fine Woodworks] had that thought, and “slapped a router onto it” to create a gorgeous walnut table.
Hands holding a 3D printed sanding block, shaped to fit the grooves routed in the table which is visible in the background. This printed sanding block was a nice touch.

The video covers not only 3D printing the giant Spirograph, which is the part most of us can easily relate to, but all the woodworking magic that goes into creating a large hardwood table. Assembling the table out of choice lumber from the “rustic” pile is an obvious money-saving move, but there were a lot of other tips and tricks in this video that we were happy to learn from a pro. The 3D printed sanding block he designed was a particularly nice detail; it’s hard to imagine getting all those grooves smoothed out without it.

Certainly this pattern could have been carved with a CNC machine, but there is a certain old school charm in seeing it done (more or less) by hand with the Spirograph jig. [Fortress Fine Woodworks] would have missed out on quite the workout if he’d been using a CNC machine, too, which may or may not be a plus to this method depending on your perspective. Regardless, the finished product is a work of art and worth checking out in the video below.

Oddly enough, this isn’t the first time we’ve seen someone use a Spirograph to mill things. It’s not the first giant-scale Spirograph we’ve highlighted, either. To our knowledge, it’s the first time someone has combined them with an artful walnut table.

youtube.com/embed/zW5nZ0Hp95k?…


hackaday.com/2025/05/02/3d-pri…


Supercon 2024: Turning Talk Into Action


Most of us have some dream project or three that we’d love to make a reality. We bring it up all the time with friends, muse on it at work, and research it during our downtime. But that’s just talk—and it doesn’t actually get the project done!

At the 2024 Hackaday Supercon, Sarah Vollmer made it clear—her presentation is about turning talk into action. It’s about how to overcome all the hurdles that get in the way of achieving your grand project, so you can actually make it a reality. It might sound like a self-help book—and it kind of is—but it’s rooted in the experience of a bona fide maker who’s been there and done that a few times over.

youtube.com/embed/lOWqkVV9P1M?…

At the outset, Sarah advises us on the value of friends when you’re pursuing a project. At once, they might be your greatest cheerleaders, or full of good ideas. In her case, she also cites several of her contacts in the broader community that have helped her along the way—with a particular shoutout to Randy Glenn, who also gave us a great Supercon talk last year on the value of the CAN bus. At the same time, your friends might—with good intentions—lead you in the wrong direction, with help or suggestions that could derail your project. Her advice is to take what’s useful, and politely sidestep or decline what won’t help your project.

Next, Sarah highlights the importance of watching out for foes. “Every dream has your dream crushers,” says Sarah. “It could be you, it could be the things that are being told to you.” Excessive criticism can be crushing, sapping you of the momentum you need to get started. She also relates it to her own experience, where her project faced a major hurdle—the tedious procurement process of a larger organization, and the skepticism around whether she could overcome it. Whatever threatens the progress of your project could be seen as a foe—but the key is knowing what is threatening your project.
Sarah’s talk is rooted in her personal experiences across her haptics work and other projects.
The third step Sarah recommends? Finding a way to set goals amidst the chaos. Your initial goals might be messy or vague, but often the end gets clearer as you start moving. “Be clear about what you’re doing so you can keep your eye on the prize,” says Sarah. “No matter what gets in your way, as long as you’re clear about what you’re doing, you can get there.” She talks about how she started with a simple haptics project some years ago. Over the years, she kept iterating and building on what she was trying to do with it, with a clear goal, and made great progress in turn.

Once your project is in motion, too, it’s important not to let it get killed by criticism. Cries of “Impossible!” might be hard to ignore, but often, Sarah notes, these brick walls are really problems you create action items to solve. She also notes the value of using whatever you can to progress towards your goals. She talks about how she was able to parlay a Hackaday article on her work (and her previous 2019 Supercon talk) to help her gain access to an accelerator program to help her start her nascent lab supply business.

youtube.com/embed/aRkfiQZNx3I?…

Sarah’s previous Hackaday Supercon appearance helped open doors for her work in haptics.

Anyone who has ever worked in a corporate environment will also appreciate Sarah’s advice to avoid the lure of endless planning, which can derail even the best planned project. “Once upon a time I went to meetings, those meetings became meetings about meetings,” she says. “Those meetings about meetings became about planning, they went on for four hours on a Friday, [and] I just stopped going.” Her ultimate dot point? “We don’t talk, talk is cheap, but too much talk is bankrupting.”

“When all else fails, laugh and keep going,” Sarah advises. She provides an example of a 24/7 art installation she worked on that was running across multiple physical spaces spread across the globe. “During the exhibit, China got in a fight with Google,” she says. This derailed plans to use certain cloud buckets to run things, but with good humor and the right attitude, the team were able to persevere and work around what could have been a disaster.

Overall, this talk is a rapid fire crash course in how she pushed her projects on through challenges and hurdles and came out on top. Just beware—if you’re offended by the use of AI art, this one might not be for you. Sarah talks fast and covers a lot of ground in her talk, but if you can keep up and follow along there’s a few kernels of wisdom in there that you might like to take forward.


hackaday.com/2025/05/02/superc…


Hackaday Podcast Episode 319: Experimental Archaeology, Demoscene Oscilloscope Music, and Electronic Memories


It’s the podcast so nice we recorded it twice! Despite some technical difficulties (note to self: press the record button significantly before recording the outro), Elliot and Dan were able to soldier through our rundown of the week’s top hacks. We kicked things off with a roundup of virtual keyboards for the alternate reality crowd, which begged the question of why you’d even need such a thing. We also looked at a couple of cool demoscene-adjacent projects, such as the ultimate in oscilloscope music and a hybrid knob/jack for Eurorack synth modules. We also dialed the Wayback Machine into antiquity to take a look at Clickspring’s take on the origins of precision machining; spoiler alert — you can make gas-tight concentric brass tubing using a bow-driven lathe. There’s a squishy pneumatic robot gripper, an MQTT-enabled random number generator, a feline-friendly digital stethoscope, and a typewriter that’ll make your Dymo label maker jealous. We’ll also mourn the demise of electronics magazines and ponder how your favorite website fills that gap, and learn why it’s really hard to keep open-source software lean and clean. Short answer: because it’s made by people.

html5-player.libsyn.com/embed/…

hackaday.com/2025/05/02/hackad…


Preparing for the Next Pandemic


A human hand in a latex glove holds a test tube filled with red liquid labeled H5N1. In the background is an out of focus image of a chicken.

While the COVID-19 pandemic wasn’t an experience anyone wants to repeat, infectious disease experts like [Dr. Pardis Sabeti] are looking at what we can do to prepare for the next one.

While the next pandemic could potentially be anything, there are a few high profile candidates, and bird flu (H5N1) is at the top of the list. With birds all over the world carrying the infection and the prevalence in poultry and now dairy agriculture operations, the possibility for cross-species infection is higher than for most other diseases out there, particularly anything with an up to 60% fatality rate. Only one of the 70 people in the US who have contracted H5N1 recently has died, and exposures have been mostly in dairy and poultry workers. Scientists have yet to determine why cases in the US have been less severe.

To prevent an H5N1 pandemic before it reaches the level of COVID and ensure its reach is limited like earlier bird and swine flu variants, contact tracing of humans and cattle as well as offering existing H5N1 vaccines to vulnerable populations like those poultry and dairy workers would be a good first line of defense. So far, it doesn’t seem transmissible human-to-human, but more and more cases increase the likelihood it could gain this mutation. Keeping current cases from increasing, improving our science outreach, and continuing to fund scientists working on this disease are our best bets to keep it from taking off like a meme stock.

Whatever the next pandemic turns out to be, smartwatches could help flatten the curve and surely hackers will rise to the occasion to fill in the gaps where traditional infrastructure fails again.

youtube.com/embed/5CyVi4UzKxE?…


hackaday.com/2025/05/02/prepar…


This Week in Security: AirBorne, EvilNotify, and Revoked RDP


This week, Oligo has announced the AirBorne series of vulnerabilities in the Apple Airdrop protocol and SDK. This is a particularly serious set of issues, and notably affects MacOS desktops and laptops, the iOS and iPadOS mobile devices, and many IoT devices that use the Apple SDK to provide AirPlay support. It’s a group of 16 CVEs based on 23 total reported issues, with the ramifications ranging from an authentication bypass, to local file reads, all the way to Remote Code Execution (RCE).

AirPlay is a WiFi based peer-to-peer protocol, used to share or stream media between devices. It uses port 7000, and a custom protocol that has elements of both HTTP and RTSP. This scheme makes heavy use of property lists (“plists”) for transferring serialized information. And as we well know, serialization and data parsing interfaces are great places to look for vulnerabilities. Oligo provides an example, where a plist is expected to contain a dictionary object, but was actually constructed with a simple string. De-serializing that plist results in a malformed dictionary, and attempting to access it will crash the process.
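The shape mismatch described above (a plist whose top level is a bare string where a dictionary is expected) is easy to reproduce with the standard-library plist parser. The following is an added example, not Oligo’s or Apple’s code; the message layout with `deviceName` and `features` keys is a constructed stand-in, not the real AirPlay schema. It contrasts a consumer that trusts the deserialised object with one that validates its shape and rejects the message instead of crashing.

```python
# Added example (not Oligo's or Apple's code): validating the shape of a
# deserialised property list before using it. plistlib is the standard
# library parser; the expected message layout below is a constructed
# stand-in, not the real AirPlay message schema.
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample: a well-formed message whose top level is a dictionary.
GOOD_PLIST = plistlib.dumps({"deviceName": "LivingRoom", "features": 0x5A7FFFF7})

# Constructed sample: a syntactically valid plist whose top-level object is a
# bare string where a dictionary is expected, the shape in Oligo's crash example.
BAD_PLIST = plistlib.dumps("not-a-dictionary")

# Constructed sample: bytes that are not a plist at all.
GARBAGE = b"\x00\x01\x02 definitely not a plist"


class PlistShapeError(ValueError):
    """Raised when a deserialised plist does not have the expected shape."""


def naive_device_name(raw: bytes) -> str:
    """Trusts the parser's output and indexes it as a dictionary.

    With BAD_PLIST the object is a str, so obj["deviceName"] raises TypeError:
    the Python analogue of the malformed-dictionary crash described above.
    """
    obj = plistlib.loads(raw)
    return obj["deviceName"]


def safe_device_name(raw: bytes) -> str:
    """Parses, then checks the top-level type and each field type before use."""
    try:
        obj = plistlib.loads(raw)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        raise PlistShapeError(f"not a parseable plist: {exc}") from exc
    if not isinstance(obj, dict):
        raise PlistShapeError(
            f"expected a dictionary at top level, got {type(obj).__name__}")
    name = obj.get("deviceName")
    if not isinstance(name, str) or not name:
        raise PlistShapeError("deviceName missing or not a non-empty string")
    features = obj.get("features", 0)
    if not isinstance(features, int) or features < 0:
        raise PlistShapeError("features must be a non-negative integer")
    return name


def handle_message(raw: bytes) -> tuple[str, str]:
    """Service-side wrapper: never lets a bad message escape as an exception.

    Returns ("ok", device name) or ("rejected", reason) so the caller can log
    the rejection and keep serving other peers.
    """
    try:
        return ("ok", safe_device_name(raw))
    except PlistShapeError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, raw in (("good", GOOD_PLIST), ("bad", BAD_PLIST), ("garbage", GARBAGE)):
        print(label, handle_message(raw))
```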

Another demo is using AirPlay to achieve an arbitrary memory write against a MacOS device. Because it’s such a powerful primitive, this can be used for zero-click exploitation, though the actual demo uses the music app, and launches with a user click. Prior to the patch, this affected any MacOS device with AirPlay enabled, and set to either “Anyone on the same network” or “Everyone”. Because of the zero-click nature, this could be made into a wormable exploit.

youtube.com/embed/ZmOvRLBL3Ys?…

Apple has released updates for their products for all of the CVEs, but what’s going to really take a long time to clean up is the IoT devices that were built with the vulnerable SDK. It’s likely that many of those devices will never receive updates.

EvilNotify


It’s apparently the week for Apple exploits, because here’s another one, this time from [Guilherme Rambo]. Apple has built multiple systems for doing Inter Process Communications (IPC), but the simplest is the Darwin Notification API. It’s part of the shared code that runs on all of Apple’s OSs, and this IPC has some quirks. Namely, there’s no verification system, and no restrictions on which processes can send or receive messages.

That led our researcher to ask what you may be asking: does this lack of authentication allow for any security violations? Among many novel notifications this technique can spoof, there’s one that’s particularly problematic: The device “restore in progress”. This locks the device, leaving only a reboot option. Annoying, but not a permanent problem.

The really nasty version of this trick is to put the code triggering a “restore in progress” message inside an app’s widget extension. iOS loads those automatically at boot, making for an infuriating bootloop. [Guilherme] reported the problem to Apple, and made a very nice $17,500 in the process. The fix from Apple is a welcome surprise, in that they added an authorization mechanism for sensitive notification endpoints. It’s very likely that there are other ways that this technique could have been abused, so the more comprehensive fix was the way to go.

Jenkins


Continuous Integration is one of the most powerful tools a software project can use to stay on top of code quality. Unfortunately as those CI toolchains get more complicated, they are more likely to be vulnerable, as [John Stawinski] from Praetorian has discovered. This attack chain would target the Node.js repository at Github via an outside pull request, and ends with code execution on the Jenkins host machines.

The trick to pulling this off is to spoof the timestamp on a Pull Request. The Node.js CI uses PR labels to control what CI will do with the incoming request. Tooling automatically adds the “needs-ci” label depending on what files are modified. A maintainer reviews the PR, and approves the CI run. A Jenkins runner will pick up the job, compare that the Git timestamp predated the maintainer’s approval, and then runs the CI job. Git timestamps are trivial to spoof, so it’s possible to load an additional commit to the target PR with a commit timestamp in the past. The runner doesn’t catch the deception, and runs the now-malicious code.

[John] reported the findings, and Node.js maintainers jumped into action right away. The primary fix was to do SHA sum comparisons to validate Jenkins runs, rather than just relying on timestamps. Out of an abundance of caution, the Jenkins runners were re-imaged, and then [John] was invited to try to recreate the exploit. The Node.js blog post has some additional thoughts on this exploit, like pointing out that it’s a Time-of-Check-Time-of-Use (TOCTOU) exploit. We don’t normally think of TOCTOU bugs where a human is the “check” part of the equation.
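To make the TOCTOU concrete, here is an added example (not Praetorian’s, Node.js’s or Jenkins’ code) that models the approval gate both ways: the timestamp comparison the runner used before, and the SHA comparison the maintainers moved to. The `PullRequest`, `Commit` and `Approval` records are constructed stand-ins, as are the SHAs and timestamps; the point is that a commit added after approval passes the first gate and is refused by the second.

```python
# Added example (not Praetorian's, Node.js's or Jenkins' own code): why a
# timestamp-based "was this approved?" gate is a TOCTOU hole and how pinning
# the approval to a commit SHA closes it. The PR, commit and approval records
# are constructed stand-ins for the GitHub/Jenkins objects, not real API data.
from dataclasses import dataclass, field


@dataclass
class Commit:
    sha: str
    author_timestamp: int   # Git commit time; set by whoever made the commit


@dataclass
class PullRequest:
    commits: list[Commit]
    labels: set[str] = field(default_factory=set)

    @property
    def head(self) -> Commit:
        return self.commits[-1]


@dataclass
class Approval:
    approved_at: int    # wall-clock time the maintainer clicked approve
    approved_sha: str   # head SHA that was on the PR when they did


def timestamp_gate(pr: PullRequest, approval: Approval) -> bool:
    """The weak check: run CI if the head commit predates the approval.

    The commit timestamp is chosen by the commit's author, so a commit pushed
    after approval but stamped with an earlier time still passes this check.
    """
    return "needs-ci" in pr.labels and pr.head.author_timestamp < approval.approved_at


def sha_gate(pr: PullRequest, approval: Approval) -> bool:
    """The fix: run CI only if the head SHA is exactly the one approved.

    Any commit added after approval changes the head SHA, so the run is
    refused until a maintainer re-approves the new head.
    """
    return "needs-ci" in pr.labels and pr.head.sha == approval.approved_sha


def approve(pr: PullRequest, now: int) -> Approval:
    """Maintainer reviews the PR as it currently stands and records its head SHA."""
    return Approval(approved_at=now, approved_sha=pr.head.sha)


def scenario() -> dict[str, bool]:
    """Replays the sequence from the write-up with constructed values."""
    # Constructed: an outside contributor opens a PR touching CI-relevant files.
    pr = PullRequest(commits=[Commit(sha="a1b2c3", author_timestamp=1_000)],
                     labels={"needs-ci"})
    # Maintainer approves at t=2000, having looked at head a1b2c3.
    approval = approve(pr, now=2_000)
    approved_head = {"timestamp_gate": timestamp_gate(pr, approval),
                     "sha_gate": sha_gate(pr, approval)}
    # A further commit lands after approval, stamped with an earlier time.
    pr.commits.append(Commit(sha="d4e5f6", author_timestamp=1_500))
    later_commit = {"timestamp_gate": timestamp_gate(pr, approval),
                    "sha_gate": sha_gate(pr, approval)}
    return {"approved_head_runs_timestamp": approved_head["timestamp_gate"],
            "approved_head_runs_sha": approved_head["sha_gate"],
            "backdated_commit_runs_timestamp": later_commit["timestamp_gate"],
            "backdated_commit_runs_sha": later_commit["sha_gate"]}


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```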

2024 in 0-days


Google has published an overview of the 75 zero-day vulnerabilities that were exploited in 2024. That’s down from the 98 vulnerabilities exploited in 2023, but the Threat Intelligence Group behind this report are of the opinion that we’re still on an upward trend for zero-day exploitation. Some platforms like mobile and web browsers have seen drastic improvements in zero-day prevention, while enterprise targets are on the rise. The real stand-out is the targeting of security appliances and other network devices, at more than 60% of the vulnerabilities tracked.

When it comes to the attackers behind exploitation, it’s a mix between state-sponsored attacks, legal commercial surveillance, and financially motivated attacks. It will be interesting to see how 2025 stacks up in comparison. But one thing is for certain: Zero-days aren’t going away any time soon.

Perplexing Passwords for RDP


The world of computer security just got an interesting surprise, as Microsoft declared it not-a-bug that Windows machines will continue to accept revoked credentials for Remote Desktop Protocol (RDP) logins. [Daniel Wade] discovered the issue and reported it to Microsoft, and then after being told it wasn’t a security vulnerability, shared his report with Ars Technica.

So what exactly is happening here? It’s the case of a Windows machine login via Azure or a Microsoft account. That account is used to enable RDP, and the machine caches the username and password so logins work even when the computer is “offline”. The problem really comes in how those cached passwords get evicted from the cache. When it comes to RDP logins, it seems they are simply never removed.

There is a stark disconnect between what [Wade] has observed, and what Microsoft has to say about it. It’s long been known that Windows machines will cache passwords, but that cache will get updated the next time the machine logs in to the domain controller. This is what Microsoft’s responses seem to be referencing. The actual report is that in the case of RDP, the cached passwords will never expire, regardless of changing that password in the cloud and logging on to the machine repeatedly.

Bits and Bytes


Samsung makes a digital signage line, powered by the MagicINFO server application. That server has an unauthenticated endpoint, accepting file uploads with insufficient filename sanitization. That combination leads to arbitrary pre-auth code execution. While that’s not great, what makes this a real problem is that the report was first sent to Samsung in January, no response was ever received, and it seems that no fixes have officially been published.

A series of Viasat modems have a buffer overflow in their SNORE web interface. This leads to unauthenticated, arbitrary code execution on the system, from either the LAN or OTA interface, but thankfully not from the public Internet itself. This one is interesting in that it was found via static code analysis.

IPv6 is the answer to all of our IPv4-induced woes, right? It has Stateless Address Autoconfiguration (SLAAC) to handle IP addressing without DHCP, and Router Advertisement (RA) to discover how to route packets. And now, taking advantage of that great functionality is Spellbinder, a malicious tool to pull off SLAAC attacks and do DNS poisoning. It’s not entirely new, as we’ve seen man-in-the-middle attacks on IPv4 networks for years. IPv6 just makes it so much easier.


hackaday.com/2025/05/02/this-w…


Attenti italiani! Una Finta Multa da pagare tramite PagoPA vuole svuotarti il conto


Una nuova campagna di phishing sta circolando in queste ore con un obiettivo ben preciso: spaventare le vittime con la minaccia di una multa stradale imminente e gonfiata, apparentemente proveniente da PagoPA. L’obiettivo è convincere l’utente a cliccare su un link fraudolento e inserire i propri dati di pagamento, con la scusa di saldare una sanzione.

In this article we look at what it is important not to do when you receive an email of this kind, to understand how many online scams exploit urgency and the credibility of well-known brands to obtain a financial advantage.
Fake PagoPA email received by the Red Hot Cyber editorial team

“Avoid the surcharge: pay now”. Let’s find out why it is a scam


The email in question comes from an apparently legitimate sender, but with a suspicious domain: jeyhun.ashurov@tu-dortmund.de. For a start, a domain of German origin should immediately suggest a scam: official emails usually come from the gov.it domain. The content of the message tries to replicate the formal style of official notifications, with intimidating wording such as:

“Please note that, in case of non-payment by the end of today, the total amount will automatically be updated to €500.”

Another psychological technique is urgency: the deadline is set for the very day the email is received, inducing panic and impulsive reactions. Therefore:

  • Suspicious email: the messages came from jeyhun.ashurov@tu-dortmund.de. PagoPA communications come from institutional domains such as @pagopa.gov.it.
  • No specific addressee: “Dear vehicle owner” is used, a generic formula to target as many victims as possible.
  • Threats and urgency: a common phishing technique to push the user into acting.
  • Fraudulent links: the “Access Online Payment” link almost certainly leads to a cloned page built to steal card details.
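The four indicators above can be checked mechanically before a user ever sees the message. The following Python script is an added example, not from Red Hot Cyber or from the page: it parses a constructed message modelled on the one described (the sender address is the one quoted in the article; the link domain is a placeholder) and a constructed legitimate control message, and reports brand/sender domain mismatches, a diverging Reply-To, generic greetings, urgency phrases and links that do not point at the impersonated brand’s institutional domains. The brand domain list is an assumption based on the article’s mention of @pagopa.gov.it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated brand legitimately sends from (assumption drawn from
# the article's mention of @pagopa.gov.it).
BRAND_DOMAINS = {"pagopa": {"pagopa.gov.it", "gov.it"}}

GENERIC_GREETINGS = [r"gentile (proprietario|cliente|utente)",
                     r"dear (customer|user|owner)"]
URGENCY_PHRASES = [r"entro la fine della giornata", r"giornata odierna",
                   r"paga adesso", r"pay now", r"maggiorazione", r"immediat"]

# Constructed sample messages (not the actual email received by the editors).
# The sender address is the one quoted in the article; the URL is a placeholder.
PHISH = """\
From: PagoPA Notifiche <jeyhun.ashurov@tu-dortmund.de>
To: undisclosed-recipients:;
Subject: Avviso di multa - evita la maggiorazione
Content-Type: text/html; charset=utf-8

<html><body>
<p>Gentile proprietario/a del veicolo,</p>
<p>La preghiamo di prendere nota che, in caso di mancato pagamento entro la fine
della giornata odierna, l'importo totale sara automaticamente aggiornato a 500 EUR.</p>
<p><a href="https://pagopa-avviso.example.net/pay">Accedi al Pagamento Online</a></p>
</body></html>
"""

LEGIT = """\
From: PagoPA <noreply@pagopa.gov.it>
To: mario.rossi@example.com
Subject: Ricevuta di pagamento
Content-Type: text/html; charset=utf-8

<html><body>
<p>Gentile Mario Rossi,</p>
<p>la ricevuta del pagamento effettuato il 2 maggio e disponibile nella sua area riservata.</p>
<p><a href="https://www.pagopa.gov.it/">Vai alla ricevuta</a></p>
</body></html>
"""


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def belongs_to(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(raw):
    """Return a list of phishing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    body = msg.get_payload(decode=True).decode(
        msg.get_content_charset() or "utf-8", "replace")
    # Strip tags and collapse whitespace so multi-line phrases still match.
    text = re.sub(r"\s+", " ", msg.get("Subject", "") + " "
                  + re.sub(r"<[^>]+>", " ", body)).lower()
    findings = []

    # 1. Brand named in display name, subject or body, but sent from elsewhere.
    claimed = [b for b in BRAND_DOMAINS if b in (name + " " + text).lower()]
    for brand in claimed:
        if not belongs_to(sender_domain, BRAND_DOMAINS[brand]):
            findings.append(f"sender domain {sender_domain} is not a {brand} domain")

    # 2. Reply-To pointing somewhere other than the sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from sender")

    # 3. Generic greeting instead of a named addressee.
    if any(re.search(p, text) for p in GENERIC_GREETINGS):
        findings.append("generic greeting instead of a named addressee")

    # 4. Urgency / threat language.
    urgent = [p for p in URGENCY_PHRASES if re.search(p, text)]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))

    # 5. Links that leave the impersonated brand's domains.
    for href in re.findall(r'href="([^"]+)"', body, flags=re.I):
        host = (urlparse(href).hostname or "").lower()
        for brand in claimed:
            if not belongs_to(host, BRAND_DOMAINS[brand]):
                findings.append(f"link to {host} is not a {brand} domain")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", triage(sample) or "no indicators")
```

The script deliberately does not follow the link: reputation lookups and redirect tracing belong in a sandbox, as the article’s analysis section describes, not in a mail-flow filter.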

What to do if you receive this email?

  1. First of all, raise your guard.
  2. Do not click the link.
  3. Report the email as phishing in your mail client.
  4. Check for any real fines only through official portals (such as your municipality’s website or the official PagoPA portal).
  5. Warn friends and relatives, especially those less experienced with technology.


Red Hot Cyber’s technical analysis: what lies behind the link


The Red Hot Cyber team analyzed the suspicious email in a safe environment, using a sandbox, i.e. a virtual machine isolated from the real system, which allows potentially dangerous content to be examined without risk to the computer or the network.

On the first attempt, clicking the link in the email, we observed a series of automatic redirects: surprisingly, the link appeared to end up on the official PagoPA site, a trick probably designed to increase the victim’s trust and lower suspicion.

We then analyzed the URL with VirusTotal, a platform that checks link reputation through dozens of antivirus engines. The result? Three antivirus engines clearly flagged it as malicious.
Screenshot labelling the link in the email as malicious (www.virustotal.com)
Running further tests, this time using Tor to anonymize browsing and possibly reach geolocated or cloaked content, we managed to access the real fraudulent site.

How the scam works


Once on the cloned site, we were asked to fill in a form with our personal details, after which the site asks for:

  • Credit card number
  • Expiry date
  • CVV code

That is not all. After the card details are entered, the site also asks for:

  • SMS code (OTP) received from the bank
  • Card PIN



In this way the cybercriminal obtains every code needed to empty the credit card: personal details, banking details, security code and even the second authentication factor.

Once in possession of this information, the fraudster can make withdrawals and transactions until the card’s available balance is completely drained.

Never in


The article Attention, Italians! A fake fine to be paid through PagoPA wants to empty your account comes from il blog della sicurezza informatica.


Is This the Truck We’ve Been Waiting For?


Imagine a bare-bones electric pickup: it’s the size of an old Hilux, it seats two, and the bed fits a full sheet of plywood. Too good to be true? Wait until you hear that the Slate Pickup is being designed for DIY repairability and modification, and will sell for only $20,000 USD, after American federal tax incentives.
Using the cellphone for infotainment makes for a less expensive product and a very clean dash. (Image: Slate Motors)
There are a few things missing: no infotainment system, for one. Why bother, when almost everyone has a phone and Bluetooth speakers are so cheap? No touch screen in the middle of the dash also means the return of physical controls for the heat and air conditioning.

There is no choice in colors, either. To paraphrase Henry Ford, the Slate comes in any color you want, as long as it’s grey. It’s not something we’d given much thought to previously, but apparently painting is a huge added expense for automakers. Instead, the truck’s bodywork is going to be injection molded plastic panels, like an old Saturn coupe. We remember how resilient those body panels were, and think that sounds like a great idea. Injection molding is also a less capital-intensive process to set up than traditional automotive sheet metal stamping, reducing costs further.

That being said, customization is still a big part of the Slate. The company intends to sell DIY vinyl wrap kits, as well as a bolt-on SUV conversion kit which customers could install themselves. The plan is to have a “Slate University” app that would walk owners through maintaining their own automobile, a delightfully novel choice for a modern carmaker.

With a color wrap and an SUV add-on, it looks like a different beast. (Image: Slate Motors)
Of course, it’s all just talk unless Slate can make good on their promises. With rumors that Jeff Bezos is interested in investing, maybe they can pull it off and produce what could be a Volkswagen for 21st century America.

Interested readers can check out the Slate Motors website, and preorder for only $50 USD. For now, Slate is only interested in doing business within the United States, but we can hope they inspire copycats elsewhere. There’s no reason similar vehicles couldn’t be made anywhere from Alberta to Zeeland, if the will was there.

What do you think? Is this the perfect hackermobile, or have Slate fallen short? Let us know in the comments.

We’ve covered electric trucks before, but they were just a bit bigger, and some of them didn’t use batteries.


hackaday.com/2025/05/02/is-thi…


Pinoutleaf: Simplifying Pinout References


pinout leaf

We all appreciate clear easy-to-read reference materials. In that pursuit [Andreas] over at Splitbrain sent in his latest project, Pinoutleaf. This useful web app simplifies the creation of clean, professional board pinout reference images.

The app uses YAML or JSON configuration files to define the board, including photos for the front and back, the number and spacing of pins, and their names and attributes. For example, you can designate pin 3 as GPIO3 or A3, and the app will color-code these layers accordingly. The tool is designed to align with the standard 0.1″ pin spacing commonly used in breadboards. One clever feature is the automatic mirroring of labels for the rear photo, a lifesaver when you need to reverse-mount a board. Once your board is configured, Pinoutleaf generates an SVG image that you can download or print to slide over or under the pin headers, keeping your reference key easily accessible.

Visit the GitHub page to explore the tool’s features, including its Command-Line Interface for batch-generating pinouts for multiple boards. Creating clear documentation is challenging, so we love seeing projects like Pinoutleaf that make it easier to do it well.


hackaday.com/2025/05/02/pinout…


Single-Board Z80 Computer Draws Inspiration From Picasso


Picasso and the Z80 microprocessor are not two things we often think about at the same time. One is a renowned artist born in the 19th century, the other, a popular CPU that helped launch the microcomputer movement. And yet, the latter has come to inspire a computer based on the former. Meet the RC2014 Mini II Picasso!

As [concretedog] tells the story, what you’re fundamentally looking at is an RC2014 Mini II. As we’ve discussed previously, it’s a single-board Z80 retrocomputer that you can use to do fun things like run BASIC, Forth, or CP/M. However, where it gets kind of fun is in the layout. It’s the same fundamental circuitry as the RC2014, but it’s been given a rather artistic flair. The ICs are twisted this way and that, as are the passive components; even some of the resistors are dancing all over the top of one another. The kit is a limited edition, too, with each coming with a unique combination of colors where the silkscreen and sockets and LED are concerned. Kits are available via Z80Kits for those interested.

We love a good artistic PCB design; indeed, we’ve supported the artform heavily at Supercon and beyond. It’s neat to see the RC2014 designers reminding us that components need not live on a rigid grid; they too can dance and sway and flop all over the place like the eyes and/or nose on a classic Picasso.

It’s weird, though; in a way, despite the Picasso inspiration, the whole thing ends up looking distinctly of the 1990s. In any case, if you’re cooking up any such kooky builds of your own, modelled after Picasso or any other Spanish master, don’t hesitate to notify the tipsline.


hackaday.com/2025/05/01/single…


Blurry Image Placeholders, Generated With Minimal CSS


Low-quality image placeholders (LQIPs) have a solid place in web page design. There are many different solutions but the main gotcha is that generating them tends to lean on things like JavaScript, requires lengthy chunks of not-particularly-human-readable code, or other tradeoffs. [Lean] came up with an elegant, minimal solution in pure CSS to create LQIPs.

Here’s how it works: all required data is packed into a single CSS integer, which is decoded directly in CSS (no need for any JavaScript) to dynamically generate an image that renders immediately. Another benefit is that without any need for wrappers or long strings of data this method avoids cluttering the HTML. The code is little more than a line like <img src="…" style="--lqip:567213"> which is certainly tidy, as well as a welcome boon to those who hand-edit files.

The trick with generating LQIPs from scratch is getting an output that isn’t hard on the eyes or otherwise jarring in its composition. [Lean] experimented until settling on an encoding method that reliably delivered smooth color gradients and balance.

This method therefore turns a single integer into a perfectly-serviceable LQIP, using only CSS. There’s even a separate tool [Lean] created to compress any given image into the integer format used (so the result will look like a blurred version of the original image). It’s true that the results look very blurred but the code is clean, minimal, and the technique is easily implemented. You can see it in action in [Lean]’s interactive LQIP gallery.

CSS has a lot of capability baked into it, and it’s capable of much more than just styling and lining up elements. How about trigonometric functions in CSS? Or from the other direction, check out implementing a CSS (and HTML) renderer on an ESP32.


hackaday.com/2025/05/01/blurry…


Printable Pegboard PC Shows Off the RGB


Sometimes it seems odd that we would spend hundreds (or thousands) on PC components that demand oodles of airflow, and stick them in a little box, out of sight. The fine folks at Corsair apparently agree, because they’ve released files for an open-frame pegboard PC case on Printables.

According to the writeup on their blog, these prints have held up just fine with ordinary PLA– apparently there’s enough airflow around the parts that heat sagging isn’t the issue we would have suspected. ATX and ITX motherboards are both supported, along with a few power supply form factors. If your printer is smaller, the ATX mount is per-sectioned for your convenience. Their GPU brackets can accommodate beefy dual- and triple-slot models. It’s all there, if you want to unbox and show off your PC build like the work of engineering art it truly is.

Of course, these files weren’t released from the kindness of Corsair’s corporate heart– they’re meant to be used with fancy pegboard desks the company also sells. Still, to their credit, they did release the files under a CC 4.0 Attribution-ShareAlike license. That means there’s nothing stopping an enterprising hacker from remixing this design for the ubiquitous SKÅDIS or any other perfboard should they so desire.

We’ve covered artful open-cases before here on Hackaday, but if you prefer to hide the expensive bits from dust and cats, this midcentury box might be more your style. If you’d rather no one know you own a computer at all, you can always do the exact opposite of this build, and hide everything inside the desk.


hackaday.com/2025/05/01/printa…


Make Your Own Telescope, Right Down To The Glass


Telescopes are great tools for observing the heavens, or even surrounding landscapes if you have the right vantage point. You don’t have to be a professional to build one though; you can make all kinds of telescopes as an amateur, as this guide from the Springfield Telescope Makers demonstrates.

The guide is remarkably deep and rich; no surprise given that the Springfield Telescope Makers club dates back to the early 20th century. It starts out with the basics—how to select a telescope, and how to decide whether to make or buy your desired instrument. It also explains in good detail why you might want to start with a simple Newtonian reflector set up on a Dobsonian mount if you’re crafting your first telescope, in no small part because mirrors are so much easier to craft than lenses for the amateur. From there, the guide gets into the nitty gritty of mirror production, right down to grinding and polishing techniques, as well as how to test your optical components and assemble your final telescope.

It’s hard to imagine a better place to start than here as an amateur telescope builder. It’s a rich mine of experience and practical advice that should give you the best possible chance of success. You might also like to peruse some of the other telescope projects we’ve covered previously. And, if you succeed, you can always tell us of your tales on the tipsline!


hackaday.com/2025/05/01/make-y…


Italy, will you be ready for a digital blackout? After Spain, the cyberattack on NS Power


In recent days NS Power, one of Canada’s main electricity companies, confirmed that it had been the victim of a cyberattack and published updates on the home page of its official website.

The attack on NS Power


The company spoke of an attack targeting its IT systems, without giving further details on the methods used or the identity of the actors involved. The incident raised alarm across the North American energy sector, showing how even modern infrastructure can collapse under the impact of well-coordinated cyber operations.

Although the attack appears to be in the containment phase, the 1 May update reports that essential services such as MyAccount continue to malfunction.

This attack does not come at just any moment. Only a few days earlier, Spain and Portugal suffered a large-scale blackout that left millions of citizens in the dark for hours.
Emera and Nova Scotia Power respond to cybersecurity incident
28 April 2025 – Emera Inc. and Nova Scotia Power announced today, 25 April 2025, that they have discovered and are actively responding to a cybersecurity incident involving unauthorized access to certain parts of its Canadian network and to the servers that support parts of its business applications.

Immediately upon detecting the external threat, the companies activated their incident response and business continuity protocols, engaged leading third-party cybersecurity experts and took action to contain and isolate the affected servers and prevent further intrusion. Law enforcement has been notified.

There has been no disruption to any of our physical operations in Canada, including Nova Scotia Power’s generation, transmission and distribution facilities, the Maritime Link or the Brunswick pipeline, and the incident has not affected the company’s ability to serve customers in Nova Scotia safely and reliably. There has been no impact on Emera’s utility businesses in the United States or the Caribbean.

Emera will release its first-quarter financial statements and management’s discussion and analysis on 8 May 2025, as scheduled. At this time, the incident is not expected to have a material impact on the company’s financial performance.

Our IT team is working hard with cybersecurity experts to restore functionality to the affected parts of our IT system.
Although the official version speaks of technical problems on the European grid, numerous hacker groups have claimed responsibility for the action, leaving doubt as to whether it may have been cyber sabotage. The temporal coincidence between the attack in Canada and the European blackout cannot be ignored, suggesting a new phase of hybrid digital warfare aimed directly at the heart of critical infrastructure.
1 May update on the cyber incident

How to destabilize a country? Through the power grid


The energy sector has long been a strategic target for anyone seeking to destabilize a country or send a strong political message. Cyberattacks on electricity grids can cause immediate, visible harm to the population, undermining trust in institutions and creating a climate of chaos. The NS Power situation is yet another warning sign: a single breach in IT systems can have concrete repercussions for millions of people, making it clear how thin the line between the digital and the physical has become.

While experts work to contain the damage and restore services, the question many are asking is: who will be next? Cyberattacks on utilities are becoming more frequent, sophisticated and coordinated. In a global scenario in which conflicts are also fought with malware and zero-day exploits, the companies that run energy, transport and communications must prepare to face constant and increasingly aggressive threats.

It is no longer just a technical matter, but a geopolitical one. The attacks on NS Power and the Iberian blackout are two sides of the same coin: they show that cyberwar is already underway and strikes without warning wherever there is infrastructure to shut down or a nation to destabilize. Whoever controls the code today could control the energy, security and daily life of entire populations tomorrow.

The article Italy, will you be ready for a digital blackout? After Spain, the cyberattack on NS Power comes from il blog della sicurezza informatica.


Xiaomi challenges the AI giants: the MiMo model beats Qwen and o1-mini


Xiaomi has entered the artificial intelligence market with its own open source model, called MiMo. The Chinese tech giant, previously known mainly for smartphones and consumer electronics, chose to make the announcement right after Alibaba’s update of its Qwen model.

Experts attribute Xiaomi’s decision to the recent success of DeepSeek, whose R1 showed that effective AI solutions can be built at lower cost. Initial test results look promising: the neural network has already outperformed OpenAI’s o1-mini and Alibaba’s Qwen on numerous benchmarks.

Although the company arrived late to the smart car race, it sees this move as part of a long-term strategy. According to some sources, management had been discussing this possibility for some time, but only now decided to launch the project.

And this is not the first initiative of recent times: in 2024 the company had already dominated the automotive market by launching the SU7 electric car. It is true that the debut was marred by a serious accident and the resulting 15% drop in its shares, but that did not stop the developers from continuing to explore new directions.

The new model, like DeepSeek’s R1, imitates the human reasoning process when solving problems. “This is the first result of the work of our newly formed team for developing foundational artificial intelligence programs,” company representatives said on the WeChat social network.

Interestingly, after the announcement the company’s shares rose by more than 5% on the Hong Kong stock exchange.

The article Xiaomi challenges the AI giants: the MiMo model beats Qwen and o1-mini comes from il blog della sicurezza informatica.


libogc Allegations Rock Wii Homebrew Community


Historically, efforts to create original games and tools, port over open source emulators, and explore a game console’s hardware and software have been generally lumped together under the banner of “homebrew.” While not the intended outcome, it’s often the case that exploring a console in this manner unlocks methods to run pirated games. For example, if a bug is found in the system’s firmware that enables a clever developer to run “Hello World”, you can bet that the next thing somebody tries to write is a loader that exploits that same bug to play a ripped commercial game.

But for those who are passionate about being able to develop software for their favorite game consoles, and the developers who create the libraries and toolchains that make that possible, the line between homebrew and piracy is a critical boundary. The general belief has always been that keeping piracy at arm’s length made it less likely that the homebrew community would draw the ire of the console manufacturers.

As such, homebrew libraries and tools are held to a particularly high standard. Homebrew can only thrive if developed transparently, and every effort must be taken to avoid tainting the code with proprietary information or code. Any deviation could be the justification a company like Nintendo or Sony needs to swoop in.

Unfortunately, there are fears that covenant has been broken in light of multiple allegations of impropriety against the developers of libogc, the C library used by nearly all homebrew software for the Wii and GameCube. From potential license violations to uncomfortable questions about the origins of the project, there’s mounting evidence that calls the viability of the library into question. Some of these allegations, if true, would effectively mean the distribution and use of the vast majority of community-developed software for both consoles is now illegal.

Homebrew Channel Blows the Whistle


For those unfamiliar, the Wii Homebrew Channel (HBC) is a front-end used to load homebrew games and programs on the Nintendo Wii, and is one of the very first things anyone who’s modded their console will install. It’s not an exaggeration to say that essentially anyone who’s run homebrew software on their Wii has done it through HBC.

But as of a few days ago, the GitHub repository for the project was archived, and lead developer Hector Martin added a long explanation to the top of its README that serves as an overview of the allegations being made against the team behind libogc.

Somewhat surprisingly, Martin starts by admitting that he’s believed libogc contained ill-gotten code since at least 2008. He accuses the developers of decompiling commercial games to get access to the C code, as well as copying from leaked documentation from the official Nintendo software development kit (SDK).

For many, that would have been enough to stop using the library altogether. In his defense, Martin claims that he and the other developers of the HBC didn’t realize the full extent to which libogc copied code from other sources. Had they realized, Martin says they would have launched an effort to create a new low-level library for the Wii.

But as the popularity of the Homebrew Channel increased, Martin and his team felt they had no choice but to reluctantly accept the murky situation with libogc for the good of the Wii homebrew scene, and left the issue alone. That is, until new information came to light.

Inspiration Versus Copying


The story then fast-forwards to the present day, and new claims from others in the community that large chunks of libogc were actually copied from the Real-Time Executive for Multiprocessor Systems (RTEMS) project — a real-time operating system that was originally designed for military applications but that these days finds itself used in a wide-range of embedded systems. Martin links to a GitHub repository maintained by a user known as derek57 that supposedly reversed the obfuscation done by the libogc developers to try and hide the fact they had merged in code from RTEMS.

Now, it should be pointed out that RTEMS is actually an open source project. As you might expect from a codebase that dates back to 1993, these days it includes several licenses that were inherited from bits of code added over the years. But the primary and preferred license is BSD 2-Clause, which Hackaday readers may know is a permissive license that gives other projects the right to copy and reuse the code more or less however they chose. All it asks in return is attribution, that is, for the redistributed code to retain the copyright notice which credits the original authors.

In other words, if the libogc developers did indeed copy code from RTEMS, all they had to do was properly credit the original authors. Instead, it’s alleged that they superficially refactored the code to make it appear different, presumably so they would not have to acknowledge where they sourced it from. Martin points to the following function as an example of RTEMS code being rewritten for libogc:

While this isolated function doesn’t necessarily represent the entirety of the story, it does seem hard to believe that the libogc implementation could be so similar to the RTEMS version by mere happenstance. Even if the code was not literally copy and pasted from RTEMS, it’s undeniable that it was used as direct inspiration.

libogc Developers Respond


At the time of this writing, there doesn’t appear to be an official response to the allegations raised by Martin and others in the community. But individual developers involved with libogc have attempted to explain their side of the story through social media, comments on GitHub issues, and personal blog posts.

The most detailed comes from Alberto Mardegan, a relatively new contributor to libogc. While the code in question was added before his time with the project, he directly addresses the claim that functions were lifted from RTEMS in a blog post from April 28th. While he defends the libogc developers against the accusations of outright code theft, his conclusions are not exactly a ringing endorsement for how the situation was handled:

In short, Mardegan admits that some of the code is so similar that it must have been at least inspired by reading the relevant functions from RTEMS, but that he believes this falls short of outright copyright infringement. As to why the libogc developers didn’t simply credit the RTEMS developers anyway, he theorizes that they may have wanted to avoid any association with a project originally developed for military use.

As for claims that libogc was based on stolen Nintendo code, the libogc developers seem to consider it irrelevant at this point. When presented with evidence that the library was built on proprietary code, Dave [WinterMute] Murphy, who maintains the devkitPro project that libogc is a component of, responded that “The official stance of the project is that we have no interest in litigating something that occurred 21 years ago”.

In posts to Mastodon, Murphy acknowledges that some of the code may have been produced by reverse engineering parts of the official Nintendo SDK, but then goes on to say that “There was no reading of source code or tools to turn assembly into C”.

From his comments, it’s clear that Murphy believes that the benefit of having libogc available to the community outweighs concerns over its origins. Further, he feels that enough time has passed since its introduction that the issue is now moot. In comparison, when other developers in the homebrew and emulator community have found themselves in similar situations, they’ve gone to great lengths to avoid tainting their projects with leaked materials.

Doing the Right Thing?


The Wii Homebrew Channel itself had not seen any significant updates in several years, so Martin archiving the project was somewhat performative to begin with. This would seem to track with his reputation — in addition to clashes with the libogc developers, Martin has also recently left Asahi Linux after a multi-bag-of-popcorn spat within the kernel development community that ended with Linus Torvalds declaring that “the problem is you”.

But that doesn’t mean there isn’t merit to some of his claims. At least part of the debate could be settled by simply acknowledging that RTEMS was an inspiration for libogc in the library’s code or documentation. The fact that the developers seem reluctant to make this concession in light of the evidence is troubling. If not an outright license violation, it’s at least a clear disregard for the courtesy and norms of the open source community.

As for how the leaked Nintendo SDK factors in, there probably isn’t enough evidence one way or another to ever determine what really happened. Martin says code was copied verbatim, the libogc team says it was reverse engineered.

The key takeaway here is that both parties agree that the leaked information existed, and that it played some part in the origins of the library. The debate therefore isn’t so much about if the leaked information was used, but how it was used. For some developers, that alone would be enough to pass on libogc and look for an alternative.

Of course, in the end, that’s the core of the problem. There is no alternative, and nearly 20 years after the Wii was released, there’s little chance of another group having the time or energy to create a new low-level C library for the system. Especially without good reason.

The reality is that whatever interaction there was with the Nintendo SDK happened decades ago, and if anyone was terribly concerned about it there would have been repercussions by now. By extension, it seems unlikely that any projects that rely on libogc will draw the attention of Nintendo’s legal department at this point.

In short, life will go on for those still creating and using homebrew on the Wii. But for those who develop and maintain open source code, consider this to be a cautionary tale — even if we can’t be completely sure of what’s fact or fiction in this case.


hackaday.com/2025/05/01/libogc…


Open Source Firmware For The JYE TECH DSO-150


The Jye Tech DSO-150 is a capable compact scope that you can purchase as a kit. If you’re really feeling the DIY ethos, you can go even further, too, and kit your scope out with the latest open source firmware.

The Open-DSO-150 firmware is a complete rewrite from the ground up, and packs the scope with lots of neat features. You get one analog or three digital channels, and triggers are configurable for rising, falling, or both edges on all signals. There is also a voltmeter mode, serial data dump feature, and a signal statistics display for broader analysis.

For the full list of features, just head over to the GitHub page. If you’re planning to install it on your own DSO-150, you can build the firmware in the free STM32 version of Atollic trueSTUDIO.

If you’re interested in the Jye Tech DSO-150 as it comes from the factory, we’ve published our very own review, too. Meanwhile, if you’re cooking up your own scope hacks, don’t hesitate to let us know!

Thanks to [John] for the tip!


hackaday.com/2025/05/01/open-s…


Researchers Create A Brain Implant For Near-Real-Time Speech Synthesis


Brain-to-speech interfaces have been promising to help paralyzed individuals communicate for years. Unfortunately, many systems have had significant latency that has left them lacking somewhat in the practicality stakes.

A team of researchers across UC Berkeley and UC San Francisco has been working on the problem and made significant strides forward in capability. A new system developed by the team offers near-real-time speech—capturing brain signals and synthesizing intelligible audio faster than ever before.

New Capability


The aim of the work was to create more naturalistic speech using a brain implant and voice synthesizer. While this technology has been pursued previously, it faced serious issues around latency, with delays of around eight seconds to decode signals and produce an audible sentence. New techniques had to be developed to try and speed up the process to slash the delay between a user trying to “speak” and the hardware outputting the synthesized voice.

The implant developed by researchers is used to sample data from the speech sensorimotor cortex of the brain—the area that controls the mechanical hardware that makes speech: the face, vocal cords, and all the other associated body parts that help us vocalize. The implant captures signals via an electrode array surgically implanted into the brain itself. The data captured by the implant is then passed to an AI model which figures out how to turn that signal into the right audio output to create speech. “We are essentially intercepting signals where the thought is translated into articulation and in the middle of that motor control,” said Cheol Jun Cho, a Ph.D. student at UC Berkeley. “So what we’re decoding is after a thought has happened, after we’ve decided what to say, after we’ve decided what words to use, and how to move our vocal-tract muscles.”

youtube.com/embed/iTZ2N-HJbwA?…

The AI model had to be trained to perform this role. This was achieved by having a subject, Ann, look at prompts and attempt to “speak” the phrases. Ann has suffered from paralysis after a stroke which left her unable to speak. However, when she attempts to speak, the relevant regions in her brain still light up with activity, and sampling this enabled the AI to correlate certain brain activity with intended speech. Unfortunately, since Ann could no longer vocalize herself, there was no target audio for the AI to correlate the brain data with. Instead, researchers used a text-to-speech system to generate simulated target audio for the AI to match with the brain data during training. “We also used Ann’s pre-injury voice, so when we decode the output, it sounds more like her,” explains Cho. A recording of Ann speaking at her wedding provided source material to help personalize the speech synthesis to sound more like her original speaking voice.

To measure performance of the new system, the team compared the time it took the system to generate speech to the first indications of speech intent in Ann’s brain signals. “We can see relative to that intent signal, within one second, we are getting the first sound out,” said Gopala Anumanchipalli, one of the researchers involved in the study. “And the device can continuously decode speech, so Ann can keep speaking without interruption.” Crucially, too, this speedier method didn’t compromise accuracy—in this regard, it decoded just as well as previous slower systems.
Pictured is Ann using the system to speak in near-real-time. The system also features a video avatar. Credit: UC Berkeley
The decoding system works in a continuous fashion—rather than waiting for a whole sentence, it processes in small 80-millisecond chunks and synthesizes on the fly. The algorithms used to decode the signals were not dissimilar from those used by smart assistants like Siri and Alexa, Anumanchipalli explains. “Using a similar type of algorithm, we found that we could decode neural data and, for the first time, enable near-synchronous voice streaming,” he says. “The result is more naturalistic, fluent speech synthesis.”

It was also key to determine whether the AI model was genuinely communicating what Ann was trying to say. To investigate this, Ann was asked to try and vocalize words outside the original training data set—things like the NATO phonetic alphabet, for example. “We wanted to see if we could generalize to the unseen words and really decode Ann’s patterns of speaking,” said Anumanchipalli. “We found that our model does this well, which shows that it is indeed learning the building blocks of sound or voice.”

For now, this is still groundbreaking research—it’s at the cutting edge of machine learning and brain-computer interfaces. Indeed, it’s the former that seems to be making a huge difference to the latter, with neural networks seemingly the perfect solution for decoding the minute details of what’s happening with our brainwaves. Still, it shows us just what could be possible down the line as the distance between us and our computers continues to get ever smaller.

Featured image: A researcher connects the brain implant to the supporting hardware of the voice synthesis system. Credit: UC Berkeley


hackaday.com/2025/05/01/resear…


A Dual Mirror System For Better Cycling Safety


Rear-view mirrors are important safety tools, but [Mike Kelly] observed that cyclists (himself included) faced hurdles to using them effectively. His solution? A helmet-mounted dual-mirror system he’s calling the Mantis Mirror that looks eminently DIY-able to any motivated hacker who enjoys cycling.
One mirror for upright body positions, the other for lower positions.
Carefully placed mirrors eliminate blind spots, but a cyclist’s position changes depending on how they are riding and this means mirrors aren’t a simple solution. Mirrors that are aligned just right when one is upright become useless once a cyclist bends down. On top of that, road vibrations have a habit of knocking even the most tightly-cinched mirror out of alignment.

[Mike]’s solution was to attach two small mirrors on a short extension, anchored to a cyclist’s helmet. The bottom mirror provides a solid rear view from an upright position, and the top mirror lets one see backward when in low positions.

[Mike] was delighted with his results, and got enough interest from others that he’s considering a crowdfunding campaign to turn it into a product. In the meantime, we’d love to hear about it if you decide to tinker up your own version.

You can learn all about the Mantis Mirror in the video below, and if you want to see the device itself a bit clearer, you can see that in some local news coverage.

youtube.com/embed/Tc39frZSbwk?…


hackaday.com/2025/05/01/a-dual…


Gaze Upon Robby The Robot’s Mechanical Intricacy


One might be tempted to think that re-creating a film robot from the 1950s would be easy given all the tools and technology available to the modern hobbyist, but as [Mike Ogrinz]’s quest to re-create Robby the Robot shows us, there is a lot moving around inside that domed head, and requires careful and clever work.
The “dome gyros” are just one of the complex assemblies, improved over the original design with the addition of things like bearings.
Just as one example, topping Robby’s head is a mechanical assembly known as the dome gyros. It looks simple, but as the video (embedded below) shows, re-creating it involves a load of moving parts and looks like a fantastic amount of work has gone into it. At least bearings are inexpensive and common nowadays, and not having to meet film deadlines also means one can afford to design things in a way that allows for easier disassembly and maintenance.

Robby the Robot first appeared in the 1956 film Forbidden Planet and went on to appear in other movies and television programs. Robby went up for auction in 2017 and luckily [Mike] was able to take tons of reference photos. Combined with other enthusiasts’ efforts, his replica is shaping up nicely.

We’ve seen [Mike]’s work before when he shared his radioactive Night Blossoms which will glow for decades to come. His work on Robby looks amazing, and we can’t wait to see how it progresses.

youtube.com/embed/Mn8EpX_qRFA?…


hackaday.com/2025/05/01/gaze-u…


May 1st: Honoring Those Who Work, Even Against Criminal Hackers


Cybersecurity company SentinelOne has published a report on attackers’ attempts to gain access to its systems. A breach of an organization of this kind would open the doors to hackers, who could gain access to thousands of sensitive infrastructures around the world.

“We don’t just study attacks: we face them head-on. Our experts confront the same threats they tell others to counter. It is this experience that shapes our thinking and our approach to our work,” the document reads.

Although it is taboo for cybersecurity vendors to discuss cyberattacks against themselves, constant pressure on security systems helps improve defense mechanisms. In recent months the company’s experts have repelled a wide range of attacks: from the actions of criminal groups aimed at financial gain to complex operations planned by the intelligence services of various countries.

The largest and most sophisticated campaign was organized by North Korean specialists. Researchers uncovered a network of North Korean IT specialists operating under cover. The attackers created about 360 carefully crafted virtual identities, each with a convincing professional history, portfolio and references. More than a thousand applications for various technical positions at the company were submitted by non-existent specialists. In one case, the operatives even tried to get a job in the threat intelligence department, the very unit that at the time was responsible for identifying and analyzing their activities.

Another serious threat comes from hackers acting on behalf of the Chinese government. The ShadowPad group attacked the supply chain by compromising a logistics partner responsible for handling hardware. From July 2024 to March 2025, cybercriminals using the ScatterBrain malware infiltrated the systems of more than 70 organizations worldwide. Those affected include industrial companies, government agencies, financial institutions, telecommunications companies and research centers.

The third major threat is, as always, ransomware. Members of the Nitrogen gang use an interesting trick: they find reseller companies with a simplified customer-verification procedure and, using social-engineering methods, buy official licenses from them. The end goal is to get inside cybersecurity platforms, including SentinelOne’s EDR system. Once they have access, they systematically study the security mechanisms, look for ways to disable them and develop methods to bypass intrusion-detection systems.

In parallel with Nitrogen, the Black Basta hacker group has become active, having chosen a different tactic. Its members methodically test the effectiveness of their malicious tools against the main security solutions. The attackers have targeted the systems of several major vendors: CrowdStrike, Carbon Black, Palo Alto Networks and SentinelOne. They carefully document the results of each attack with evidence, refining their penetration techniques.

Advertisements offering temporary or permanent access to the management consoles of security products regularly appear on hacker forums.

One could say that the recent series of attacks has forced the SentinelOne team to reconsider its defense strategy. Engineers have implemented additional security mechanisms and created more sophisticated mechanisms for monitoring the entire infrastructure. Particular attention is now paid not only to hardening their own assets, but also to thoroughly vetting all partner organizations that have access to critical data.

The article May 1st: Honoring Those Who Work, Even Against Criminal Hackers comes from il blog della sicurezza informatica.


Vintage Stereo Stack Becomes Neat PC Case


Vintage hi-fi gear has a look and feel all its own. [ThunderOwl] happened to be playing in this space, turning a heavily-modified Technics stereo stack into an awesome neo-retro PC case. Meet the “TechnicsPC!”
This is good. We like this.
You have to hunt across BlueSky for the goodies, but it’s well worth it. The main build concerned throwing a PC into an old Technics receiver, along with a pair of LCD displays and a bunch of buttons for control. If the big screens weren’t enough of a tell that you’re looking at an anachronism, the USB ports just below the power switch will tip you off. A later addition saw a former Technics tuner module stripped out and refitted with card readers and a DVD/CD drive. Perhaps the most era-appropriate addition, though, is the scrolling LED display on top. Stuffed inside another tuner module, it’s a super 90s touch that somehow just works.

These days, off-the-shelf computers are so fancy and glowy that DIY casemodding has fallen away from the public consciousness. And yet, every so often, we see a magnificent build like this one that reminds us just how creative modders can really be. Video after the break.

“Live test”. All more or less as planned, as “cons” – it does not interrupt ongoing scroll cycle with new stuff, it puts new content info with next cycle, so, kinda “info delays”:


— ThunderOwl (@thunderowl.one) 10 March 2025 at 07:39


hackaday.com/2025/04/30/vintag…


Neutron Flux Impact on Quartz Expansion Rate


Radiation-induced volumetric expansion (RIVE) is a concern for any concrete structures that are exposed to neutron flux and other types of radiation that affect crystalline structures within the aggregate. For research facilities and (commercial) nuclear reactors, RIVE is generally considered to be one of the factors that sets a limit on the lifespan of these structures through the cracking that occurs as for example quartz within the concrete undergoes temporary amorphization with a corresponding volume increase. The significance of RIVE within the context of a nuclear power plant is however still poorly studied.

A recent study by [Ippei Maruyama] et al. as published in the Journal of Nuclear Materials placed material samples in the LVR-15 research reactor in the Czech Republic to expose them to an equivalent neutron flux. What their results show is that at the neutron flux levels that are expected at the biological shield of a nuclear power plant, the healing effect from recrystallization is highly likely to outweigh the damaging effects of amorphization, ergo preventing RIVE damage.

This study follows earlier research on the topic at the University of Tokyo by [Kenta Murakami] et al., as well as by Chinese researchers, as in e.g. [Weiping Zhang] et al. in Nuclear Engineering and Technology. [Maruyama] et al. recommend that, to validate these findings, concrete samples from decommissioned nuclear plants be examined for signs of RIVE.

Heading image: SEM-EDS images of the pristine (left) and the irradiated (right) MC sample. (Credit: I. Maruyama et al., 2022)


hackaday.com/2025/04/30/neutro…


A New And Weird Kind of Typewriter


Typewriters aren’t really made anymore in any major quantity, since the computer kind of rained all over its inky parade. That’s not to say you can’t build one yourself though, as [Toast] did in a very creative fashion.

After being inspired by so many typewriters on YouTube, [Toast] decided they simply had to 3D print one of their own design. They decided to go in a unique direction, eschewing ink ribbons for carbon paper as the source of ink. To create a functional typewriter, they had to develop a typebar mechanism to imprint the paper, as well as a mechanism to move the paper along during typing. The weird thing is the letter selection—the typewriter doesn’t have a traditional keyboard at all. Instead, you select the letter of your choice from a rotary wheel, and then press the key vertically down into the paper. The reasoning isn’t obvious from the outset, but [Toast] explains why this came about after originally hitting a brick wall with a more traditional design.

If you’ve ever wanted to build a typewriter of your own, [Toast]’s example shows that you can have a lot of fun just by having a go and seeing where you end up. We’ve seen some other neat typewriter hacks over the years, too. Video after the break.

youtube.com/embed/dcsFx0hjDaU?…

[Thanks to David Plass for the tip!]


hackaday.com/2025/04/30/a-new-…


Layout A PCB with Tscircuit


Most of us learned to design circuits with schematics. But if you get to a certain level of complexity, schematics are a pain. Modern designers — especially for digital circuits — prefer to use some kind of hardware description language.

There are a few options to do similar things with PCB layout, including tscircuit. There’s a walk-through for using it to create an LED matrix and you can even try it out online, if you like. If you’re more of a visual learner, there’s also an introductory video you can watch below.

The example project imports a Pico microcontroller and some smart LEDs. They do appear graphically, but you don’t have to deal with them graphically. You write “code” to manage the connections. For example:
<trace from={".LED1 .GND"} to="net.GND" />

If that looks like HTML to you, you aren’t wrong. Once you have the schematic, you can do the same kind of thing to lay out the PCB using footprints. If you want to play with the actual design, you can load it in your browser and make changes. You’ll note that at the top right, there are buttons that let you view the schematic, the board, a 3D render of the board, a BOM, an assembly drawing, and several other types of output.

Will we use this? We don’t know. Years ago, designers resisted using HDLs for FPGAs, but the bigger FPGAs get, the fewer people want to deal with page after page of schematics. Maybe a better question is: Will you use this? Let us know in the comments.

This isn’t a new idea, of course. Time will tell which HDLs will survive and which will wither.

youtube.com/embed/HAd5_ZJgg50?…


hackaday.com/2025/04/30/layout…


FLOSS Weekly Episode 831: Let’s Have Lunch


This week, Jonathan Bennett and Dan Lynch chat with Peter van Dijk about PowerDNS! Is the problem always DNS? How did PowerDNS start? And just how big can PowerDNS scale? Watch to find out!


youtube.com/embed/mof49aNISg8?…

Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.

play.libsyn.com/embed/episode/…

Direct Download in DRM-free MP3.

If you’d rather read along, here’s the transcript for this week’s episode.

Places to follow the FLOSS Weekly Podcast:


Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License


hackaday.com/2025/04/30/floss-…


Supercon 2024: Photonics/Optical Stack for Smart-Glasses


Smart glasses are a complicated technology to work with. The smart part is usually straightforward enough—microprocessors and software are perfectly well understood and easy to integrate into even very compact packages. It’s the glasses part that often proves challenging—figuring out the right optics to create a workable visual interface that sits mere millimeters from the eye.

Dev Kennedy is no stranger to this world. He came to the 2024 Hackaday Supercon to give a talk and educate us all on photonics, optical stacks, and the technology at play in the world of smart glasses.

Good Optics


youtube.com/embed/DssK3cYSPCw?…

Dev’s talk begins with an apology. He notes that it’s not possible to convey an entire photonics and optics syllabus in a short presentation, which is understandable enough. His warning, regardless, is that his talk is as dense as possible to maximise the insight into the technical information he has to offer.

Things get heavy fast, as Dev dives into a breakdown of all the different basic technologies out there that can be used for building smart glasses. On one slide, he lays them all out with pros and cons across the board. There are a wide range of different illumination and projection technologies, everything from micro-OLED displays to fancy liquid crystal on silicon (LCOS) devices that are used to create an image with the aid of laser illumination. When you’re building smart glasses, though, that’s only half the story.
Dev explains the various optical technologies involved in AR and their strengths and weaknesses.
Once you’ve got something to make an image, you then need something to put it on in front of the eye. Dev goes on to talk about different techniques for doing this, from reflective waveguides to the amusingly-named birdbath combiners. Ultimately, you’re hunting for something that provides a clear and visible image to the user in all conditions, while still providing a great view of the world around them, too. This can be particularly challenging in high-brightness conditions, like walking around outdoors in daylight.

The talk also focuses on a particular bugbear for Dev—the fact that AR and VR aren’t treated as differently as they should be. “VR is a stack of pancakes,” says Dev. “Why is it a stack of pancakes? It’s because all of the PCBs, the optics, the emissions source for the light—is in front of the user’s nose.” Because VR is just about beaming images into the eye, with no regard for the outside world, it’s a little more straightforward. “It’s basically a stack of technology outward from the eye relief point to the back of the device.” Dev explains.

When it comes to AR, though, the solutions must be more complicated. “What’s different is AR is actually an archer,” says Dev, referring to the way such devices must fling light around. “What an archer does is it shoots light around the side of the arm, and it might have to bend it one way or another, up on the crossbar and spread it out through a waveguide, and at the very exit point… at the coupling out portion… the light has to make one more right turn… towards your eye.” Ultimately, the optics and display hardware involved tend to diverge a long way from what can be used in VR displays. “These technologies are fundamentally different,” says Dev. “It strains me to great extent that people kind of batch them into the same category.”
Snapchat’s fifth-generation Spectacles have some interesting optics, but they’re perhaps not quite market ready in Dev’s opinion.
The talk also steps away from raw hardware chat, and covers some of the devices on the market, and those that left it years ago. Dev makes casual mention of Google Glass, spawned all the way back in 2013, before also noting developments Microsoft made with Hololens over the year. As for the current state of play, Dev namechecks Project Orion from Meta, as well as the fifth-generation of Snapchat Spectacles.

He gives particular credit to Meta for their work on refining input modalities that work with the smart glasses interface paradigm. Meanwhile, he notes Snapchat needs work on “comfort, weight, and looks,” given how bulky their current product is. Overall, with these products, there are problems to be overcome before they can really become mainstream tools for everyday use. “The important part is the relatability of these devices,” Dev goes on to explain. “We don’t see that just yet, as a $25,000 device from Meta and something that is too thick to be socially acceptable from Snapchat.”

Fundamentally, as Dev’s talk highlights, AR remains a technology still at a nascent stage of development. It’s worth remembering—it took decades to develop computers that could fit in our pockets (smartphones) or on our wrists (smartwatches). Expect smart glasses to actually go mainstream as soon as the technical and optical issues are worked out, and the software and interface solutions actually help people in day to day life.


hackaday.com/2025/04/30/superc…


Radio Repeaters In the Sky


One of the first things that an amateur radio operator is likely to do once receiving their license is grab a dual-band handheld and try to make contacts with a local repeater. After the initial contacts, though, many hams move on to more technically challenging aspects of the hobby. One of those is activating space-based repeaters instead of their terrestrial counterparts. [saveitforparts] takes a look at some more esoteric uses of these radio systems in his latest video.

There are plenty of satellite repeaters flying around the world that are actually legal for hams to use, with most being in low-Earth orbit and making quick passes at predictable times. But there are others, generally operated by the world’s militaries, that are in higher geostationary orbits which allows them to serve a specific area continually. With a specialized three-dimensional Yagi-Uda antenna on loan, [saveitforparts] listens in on some of these signals. Some of it is presumably encrypted military activity, but there’s also some pirate radio and state propaganda stations.

There are a few other types of radio repeaters operating out in space as well, and not all of them are in geostationary orbit. Turning the antenna to the north, [saveitforparts] finds a few Russian satellites in an orbit specifically designed to provide polar regions with a similar radio service. These sometimes will overlap with terrestrial radio like TV or air traffic control and happily repeat them at brief intervals.

[saveitforparts] has plenty of videos looking at other satellite communications, including grabbing images from Russian weather satellites, using leftover junk to grab weather data from geostationary orbit, and accessing the Internet via satellite with 80s-era technology.

youtube.com/embed/PDwiKLkGMjo?…


hackaday.com/2025/04/30/radio-…


A Gentle Introduction to COBOL


As the Common Business Oriented Language, COBOL has a long and storied history. To this day it’s quite literally the financial bedrock for banks, businesses and financial institutions, running largely unnoticed by the world on mainframes and similar high-reliability computer systems. That said, as a domain-specific language targeting boring business things, it doesn’t quite get the attention or hype of general purpose programming or scripting languages. Its main characteristic in the public eye appears to be that it’s ‘boring’.

Despite this, COBOL is a very effective language for writing data transactions, report generation and related tasks. Due to its narrow focus on business applications, it gets one started with very little fuss and is highly self-documenting, while providing native support for decimal calculations and a range of I/O access and database types, even with mere files. Since the 2002 standard, COBOL has undergone a number of modernizations, such as free-form code, object-oriented programming and more.

Without further ado, let’s fetch an open-source COBOL toolchain and run it through its paces with a light COBOL tutorial.

Spoiled For Choice


It used to be that if you wanted to tinker with COBOL, you pretty much had to either have a mainframe system with OS/360 or similar kicking around, or, starting in 1999, hurl yourself at setting up a mainframe system using the Hercules mainframe emulator. Things got a lot more hobbyist & student friendly in 2002 with the release of GnuCOBOL, formerly OpenCOBOL, which translates COBOL into C code before compiling it into a binary.

While serviceable, GnuCOBOL is not a compiler, and does not claim any level of standard adherence despite scoring quite high against the NIST test suite. Fortunately, the GNU Compiler Collection (GCC) just got updated with a brand-new COBOL frontend (gcobol) in the 15.1 release. The only negative is that for now it is Linux-only, but if your distribution of choice already has it in the repository, you can fetch it there easily. The same goes for Windows folk who have WSL set up, or who can use GnuCOBOL with MSYS2.

With either compiler installed, you are now ready to start writing COBOL. The best part of this is that we can completely skip talking about the Job Control Language (JCL), which is an eldritch horror that one would normally be exposed to on IBM OS/360 systems and kin. Instead we can just use GCC (or GnuCOBOL) any way we like, including calling it directly on the CLI, via a Makefile or integrated in an IDE if that’s your thing.

Hello COBOL


As is typical, we start with the ‘Hello World’ example as a first look at a COBOL application:
IDENTIFICATION DIVISION.
PROGRAM-ID. hello-world.
PROCEDURE DIVISION.
DISPLAY "Hello, world!".
STOP RUN.
Assuming we put this in a file called hello_world.cob, this can then be compiled with e.g. GnuCOBOL: cobc -x -free hello_world.cob.

The -x indicates that an executable binary is to be generated, and -free that the provided source uses free format code, meaning that we aren’t bound to specific column use or sequence numbers. We’re also free to use lowercase for all the verbs, but having it as uppercase can be easier to read.

From this small example we can see the most important elements, starting with the identification division with the program ID and optionally elements like the author name, etc. The program code is found in the procedure division, which here contains a single display verb that outputs the example string. Of note is the use of the period (.) as a statement terminator.

At the end of the application we indicate this with stop run., which terminates the application, even if called from a sub program.

Hello Data


As fun as a ‘hello world’ example is, it doesn’t give a lot of details about COBOL, other than that it’s quite succinct and uses plain English words rather than symbols. Things get more interesting when we start looking at the aspects which define this domain specific language, and which make it so relevant today.

Few languages support decimal (fixed point) calculations, for example. In this COBOL Basics project I captured a number of examples of this and related features. The main change is the addition of the data division following the identification division:
DATA DIVISION.
WORKING-STORAGE SECTION.
01 A PIC 99V99 VALUE 10.11.
01 B PIC 99V99 VALUE 20.22.
01 C PIC 99V99 VALUE 00.00.
01 D PIC $ZZZZV99 VALUE 00.00.
01 ST PIC $*(5).99 VALUE 00.00.
01 CMP PIC S9(5)V99 USAGE COMP VALUE 04199.04.
01 NOW PIC 99/99/9(4) VALUE 04102034.
The data division is unsurprisingly where you define the data used by the program. All variables used are defined within this division, contained within the working-storage section. While seemingly overwhelming, it’s fairly easily explained, starting with the two digits in front of each variable name. This is the data level and is how COBOL structures data, with 01 being the highest (root) level, with up to 49 levels available to create hierarchical data.

This is followed by the variable name, up to 30 characters, and then the PICTURE (or PIC) clause. This specifies the type and size of an elementary data item. If we wish to define a decimal value, we can do so as two numeric characters (represented by 9) followed by an implied decimal point V, with two decimal numbers (99). As shorthand we can use e.g. S9(5) to indicate a signed value with 5 numeric characters. There are a few more special characters, such as an asterisk, which replaces leading zeroes, and Z for zero suppression.

The value clause does what it says on the tin: it assigns the value defined following it to the variable. There is however a gotcha here, as can be seen with the NOW variable that gets a value assigned, but due to the PIC format is turned into a formatted date (04/10/2034).

Within the procedure division these variables are subjected to addition (ADD A TO B GIVING C.), subtraction with rounding (SUBTRACT A FROM B GIVING C ROUNDED.), multiplication (MULTIPLY A BY CMP.) and division (DIVIDE CMP BY 20 GIVING ST.).

Finally, there are a few different internal formats, as defined by USAGE: these are computational (COMP) and display (the default). Here COMP stores the data as binary, with a variable number of bytes occupied, somewhat similar to char, short and int types in C. These internal formats are mostly useful to save space and to speed up calculations.
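As an added illustration, not code from the article or the COBOL Basics project, here is a small Python model of how these PICTURE clauses edit a value for DISPLAY: the NOW date gotcha, Z and asterisk suppression, the invisible implied point V, and truncation versus ROUNDED. expand_pic, format_pic and hello_data are my own names, and the sign handling is a simplification noted in the docstring.

```python
import re
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP


def expand_pic(pic: str) -> str:
    """Expand repetition factors: 9(5) -> 99999, *(5) -> *****, 9(4) -> 9999."""
    return re.sub(r"(.)\((\d+)\)", lambda m: m.group(1) * int(m.group(2)), pic)


def format_pic(pic: str, value, rounded: bool = False) -> str:
    """Edit a numeric value into a COBOL PICTURE the way DISPLAY would show it.

    Symbols handled (a hypothetical model, not a full COBOL implementation):
      9  digit position           V  implied decimal point (prints nothing)
      .  real decimal point       Z  leading zero replaced by a space
      *  leading zero replaced by an asterisk (cheque protection)
      $ , /  insertion symbols, copied through unchanged
    A leading S is accepted; a negative value gets a leading '-' here, which
    is a simplification of COBOL's sign overpunch. As with a COBOL MOVE, the
    fraction is truncated unless rounded=True (the ROUNDED phrase) and any
    surplus high-order digits are dropped silently.
    """
    pic = expand_pic(pic.upper())
    signed = pic.startswith("S")
    if signed:
        pic = pic[1:]
    if "V" in pic:
        int_pic, frac_pic = pic.split("V", 1)
        point = ""
    elif "." in pic:
        int_pic, frac_pic = pic.split(".", 1)
        point = "."
    else:
        int_pic, frac_pic, point = pic, "", ""
    n_int = sum(c in "9Z*" for c in int_pic)
    n_frac = sum(c in "9Z*" for c in frac_pic)

    # Scale to the picture's precision: truncate by default, round half up if ROUNDED.
    quantum = Decimal(1).scaleb(-n_frac)
    dec = Decimal(str(value)).quantize(quantum, rounding=ROUND_HALF_UP if rounded else ROUND_DOWN)
    negative = dec < 0
    scaled = int(abs(dec).scaleb(n_frac))                          # every digit as one integer
    digits = str(scaled).zfill(n_int + n_frac)[-(n_int + n_frac):]  # high-order truncation
    int_digits, frac_digits = digits[:n_int], digits[n_int:]

    int_out, i, suppressing = [], 0, True   # suppressing: still inside the leading-zero zone
    for c in int_pic:
        if c == "9":
            int_out.append(int_digits[i])
            i += 1
            suppressing = False
        elif c in "Z*":
            d = int_digits[i]
            i += 1
            if suppressing and d == "0":
                int_out.append(" " if c == "Z" else "*")
            else:
                int_out.append(d)
                suppressing = False
        else:
            int_out.append(c)                                      # insertion symbol
    frac_out, j = [], 0
    for c in frac_pic:
        if c in "9Z*":
            frac_out.append(frac_digits[j])
            j += 1
        else:
            frac_out.append(c)
    sign = "-" if (signed and negative) else ""
    return sign + "".join(int_out) + point + "".join(frac_out)


def hello_data() -> dict:
    """Replay the article's verbs on its WORKING-STORAGE values, in the order listed."""
    a, b = Decimal("10.11"), Decimal("20.22")
    cmp_ = Decimal("4199.04")
    out = {}
    out["ADD A TO B GIVING C"] = format_pic("99V99", a + b)                      # '3033'
    out["SUBTRACT A FROM B GIVING C ROUNDED"] = format_pic("99V99", b - a, rounded=True)
    cmp_ = (a * cmp_).quantize(Decimal("0.01"), rounding=ROUND_DOWN)             # MULTIPLY A BY CMP
    out["MULTIPLY A BY CMP"] = format_pic("S9(5)V99", cmp_)                      # '4245229'
    out["DIVIDE CMP BY 20 GIVING ST"] = format_pic("$*(5).99", cmp_ / 20)       # '$*2122.61'
    out["NOW"] = format_pic("99/99/9(4)", 4102034)                               # '04/10/2034'
    return out


if __name__ == "__main__":
    for stmt, shown in hello_data().items():
        print(f"{stmt:38} DISPLAY -> {shown!r}")
```

Note that C (PIC 99V99) displays as 3033 with no decimal point at all, since V is only implied; the $*(5).99 picture is the one with a real point.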

Hello Business


In a previous article I went over the reasons why a domain specific language like COBOL cannot be realistically replaced by a general language. In that same article I discussed the Hello Business project that I had written in COBOL as a way to gain some familiarity with the language. That particular project should be somewhat easy to follow with the information provided so far. New are mostly file I/O, loops, the use of perform and of course the Report Writer, which is probably best understood by reading the IBM Report Writer Programmer’s Manual (PDF).

Going over the entire code line by line would take a whole article by itself, so I will leave it as an exercise for the reader unless there is somehow a strong demand by our esteemed readers for additional COBOL tutorial articles.

Suffice it to say that there is a lot more functionality in COBOL beyond these basics. The IBM ILE COBOL reference (PDF), the IBM Mainframer COBOL tutorial, the Wikipedia entry and others give a pretty good overview of many of these features, which includes object-oriented COBOL, database access, heap allocation, interaction with other languages and so on.

Despite being only a novice COBOL programmer at this point, I have found this DSL to be very easy to pick up once I understood some of the oddities about the syntax, such as the use of data levels and the PIC formats. It is my hope that with this article I was able to share some of the knowledge and experiences I gained over the past weeks during my COBOL crash course, and maybe inspire others to also give it a shot. Let us know if you do!


hackaday.com/2025/04/30/a-gent…


Happy World Password Day! Between MIT, hackers, infostealers and MFA: why passwords are vulnerable


Tomorrow we celebrate one of the most iconic, and at the same time most vulnerable, elements of our digital life: the password. From a simple access key invented in the 1960s to protect the first multi-user computer systems, the password has become a universal symbol of online security. But where a secret word was once enough to feel safe, that is no longer the case today: we live in an age in which hackers, malware, botnets and infostealers can breach even the best-protected accounts in a matter of seconds.

In this article we retrace the origins of passwords, starting with the pioneering work of Fernando Corbató, and recount how their role in modern cybersecurity has evolved (and in many cases crumbled). We look at the phenomenon of stolen credentials, the black market that feeds on them, the rise of infostealers, the role of GPUs in hash cracking, and the apparent "last hope": multi-factor authentication.

But today even MFA has its weak points. Get ready to discover why the password may no longer be your shield, but your weak spot.

The origins of passwords: Fernando Corbató and the first multi-user system


Passwords as we know them today have a history rooted in the first experiments in shared computing in the 1960s. They were introduced by Fernando J. Corbató, an MIT computer scientist regarded as one of the founding fathers of modern computer security.

Corbató led the development of CTSS (Compatible Time-Sharing System), one of the first operating systems that allowed several users to work on the same mainframe at the same time. It was a revolution for its time: every user had a personal account, accessible from a terminal, and needed a way to protect their own files from other users. The solution? A simple access mechanism: the password.
Fernando José Corbató (Oakland, 1 July 1926 - Newburyport, 12 July 2019) was an American computer scientist, credited with the invention of the password.
At the time, passwords were stored in an unencrypted text file accessible to administrators and technicians. This detail soon proved problematic: in 1966 a young programmer managed to print the file containing all the passwords of CTSS users, simply by exploiting a permissions error.

It was the first documented data breach in history, and it already exposed one of the structural weaknesses of the system.

Stallman's philosophy and the "blank password"


In those same MIT environments, years later, a figure emerged who would champion an idea radically opposed to password protection: Richard Stallman, father of the free software movement. Stallman worked on the GNU project and frequented the same laboratories where Corbató had developed CTSS.

When passwords were also implemented on the ITS (Incompatible Timesharing System) machines, Stallman openly rejected the idea. He saw access restrictions as a violation of the collaborative and open culture of the original hacker community. In protest he left his password field empty, allowing direct access to his account, a gesture that became known as the "blank password".
Richard Matthew Stallman (New York, 16 March 1953) is an American programmer, computer scientist, hacker and activist.
Not only that: Stallman went so far as to write a script that disabled passwords and shared it with his colleagues. The idea was: "If you disable your password, anyone can log into your account. But if everyone does it, nobody can abuse the system, because nobody has exclusive control any more."

A legacy that has shaped us


Although that libertarian vision is impractical today in a digital world full of threats, the debate between openness and security has remained central. The introduction of passwords was a crucial step in the history of computing, but also the first sign that computer security is always a trade-off between accessibility and protection.

Today, looking back at that pioneering era, we can appreciate not only Corbató's technical ingenuity but also the ideological tension that has accompanied the evolution of cybersecurity since its very origins.

Growth, complexity and loss of effectiveness


Over the years the password has evolved, driven less by innovation than by the need to adapt to ever more sophisticated threats. From the simple alphanumeric codes of the early days we moved to increasingly strict complexity criteria: upper- and lower-case letters, digits, special characters and mandatory minimum lengths.

But this escalation of requirements brought with it a problem that cannot be ignored: usability.

Complex passwords... but predictable ones


The paradox is obvious: the more complex passwords become, the more users tend to simplify how they manage them. This has given rise to recurring patterns such as:

  • Predictable substitutions: P@ssw0rd, Admin123!, Estate2024
  • Reuse across platforms: the same password for email, social media and banking (password reuse)
  • Incremental variants: Password1, Password2, Password3

Passwords came to be called "strong" only on paper; in practice they were easily guessed, fished out of earlier leaks or cracked offline. Databases of common passwords, such as the famous "rockyou.txt", are today the starting point for most dictionary attacks.

Time works against passwords


With the evolution of hardware, brute-forcing hash-protected passwords is no longer a long and inefficient process. Software such as Hashcat and John the Ripper, paired with powerful GPUs, can test millions (or even billions) of combinations per second.

Some practical examples (with high-end consumer hardware):

  • An 8-character alphanumeric password can be cracked in under 1 hour
  • A 10-character password with symbols can be cracked in days
  • If the hash is unsalted or uses weak algorithms (e.g. MD5, SHA1), the time drops drastically

Hashing algorithms have become more resistant (bcrypt, scrypt, Argon2), but they are still often used with weak or outdated configurations, especially on legacy systems.
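As an added example (my own, not from the article), the points above in code: a constructed leak of unsalted MD5 digests that one precomputed dictionary lookup recovers, the same passwords stored with salted scrypt instead, and the keyspace arithmetic behind the "8 characters in under an hour" figure. The guess rates are assumptions for illustration, not measurements, and the leak and wordlist are constructed.

```python
import hashlib
import hmac
import os
import string

# Constructed sample "leak": a legacy system that stored unsalted MD5 digests.
# alice and carol chose the same weak password; bob chose a long passphrase.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"Estate2024").hexdigest(),
    "bob": hashlib.md5(b"correct horse battery staple").hexdigest(),
    "carol": hashlib.md5(b"Estate2024").hexdigest(),
}

# Three-entry stand-in for a wordlist such as rockyou.txt (constructed).
WORDLIST = ["123456", "P@ssw0rd", "Estate2024"]

ALPHANUMERIC = len(string.ascii_letters + string.digits)   # 62 symbols

# Guess rates are assumptions, not measurements: a fast unsalted hash on a
# high-end consumer GPU versus a memory-hard hash with sane parameters.
MD5_GUESSES_PER_SECOND = 1e11
SCRYPT_GUESSES_PER_SECOND = 1e5


def dictionary_hits(leaked: dict, wordlist: list) -> dict:
    """Users whose unsalted hash a single precomputed lookup table recovers.

    Without a salt one table serves every account at once, and users who
    share a password are visible as identical digests before any cracking.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted scrypt (one of the slow hashes named above): returns 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust every string of this length over this alphabet."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    print("recovered from the leak:", dictionary_hits(LEAKED_MD5, WORDLIST))
    print("alice and carol share a digest:", LEAKED_MD5["alice"] == LEAKED_MD5["carol"])
    h1, h2 = hash_password("Estate2024"), hash_password("Estate2024")
    print("salted scrypt digests differ for the same password:", h1 != h2)
    print("verify:", verify_password("Estate2024", h1), verify_password("Estate2025", h1))
    for label, rate in (("MD5", MD5_GUESSES_PER_SECOND), ("scrypt", SCRYPT_GUESSES_PER_SECOND)):
        hours = brute_force_seconds(8, ALPHANUMERIC, rate) / 3600
        print(f"8 alphanumeric chars, {label}: {hours:,.1f} hours worst case")
```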

The illusion of apparent strength


Another trap is so-called "apparent entropy": a password may look strong to the human eye because it contains symbols and digits, but if it follows a common structure (e.g. FirstnameLastname@Year) it is in fact easy to predict for an attacker who applies mutation rules in dictionary attacks.

This evolution shows how the password has gone from a protective tool to an Achilles' heel: too weak if simple, too cumbersome if secure, and in both cases often ineffective unless backed by other measures.

Infostealers, botnets and the black market for stolen credentials


Where password theft once happened mainly through direct attacks on servers, today the real threat comes from users' devices, through specialised malware called infostealers. These malicious programs are designed to steal sensitive information directly from infected computers, in particular usernames, passwords, session cookies, cryptocurrency wallets, access tokens and browser autofill data.
Diagram of an infostealer infection via a phishing email and the enrolment of the infected system into a botnet controlled by an attacker (source: Red Hot Cyber)

Infostealers: the silent thief


Infostealers operate quietly, often hidden in email attachments, cracked files, pirated software, key generators and seemingly legitimate "freemium" tools. Once executed, they scan the system and send the collected information in real time to remote servers controlled by the attackers.

The best known and most widespread include:

  • RedLine
  • Raccoon Stealer
  • Vidar
  • Lumma Stealer
  • Aurora

These malware families are often sold "as a service" on underground channels, with control panels that are easy to use even for non-technical actors.

Botnets: networks of compromised devices


Many infostealers are distributed through botnets, that is, networks of infected devices controlled remotely. Once a device is compromised it is "enlisted" and can be used to:

  • Spread further malware
  • Launch DDoS attacks
  • Steal more credentials and banking data
  • Sell remote access (e.g. RDP, SSH) on the dark web

Botnets such as Emotet, Trickbot and Qakbot dominated the global scene for years, acting as modular infrastructures that deliver different payloads depending on the operators' interests.

The black market for stolen credentials


The data collected by infostealers and botnets feeds a thriving black market on underground forums, onion marketplaces and illegal Telegram channels. Credentials are sold in bulk or queried through tools such as:

  • Logs markets: portals that allow stolen logins to be searched by site or country
  • Botshops: platforms where full access to a compromised profile can be bought, including cookies, browser fingerprint and active sessions
  • Access brokers: actors specialised in selling access to compromised corporate networks, often resold to ransomware groups

A single valid session cookie (e.g. for Google, Facebook, Instagram or banking services) can be worth more than $50, because it grants access without even knowing the password.

It is not just the password that is stolen: it is the digital identity


This new generation of threats shows that the password is no longer the only target. Today entire digital identities are stolen, made up of tokens, browser fingerprints, history, geolocation and much more.

The criminal infrastructure is highly organised, with distinct roles for those who develop the malware, those who distribute it, those who run the cloud infrastructure that receives the data, and those who monetise it. This phenomenon is called MaaS (Malware as a Service) and lets even beginners use highly pervasive tools and solutions by paying a membership fee.

MFA authentication: the (almost) mandatory solution


With the dizzying rise in credential theft, the password on its own is no longer enough to protect digital access. Hence the need for a second line of defence: multi-factor authentication (MFA), today considered a fundamental, if not outright mandatory, measure for the security of information systems.

MFA requires that, in addition to the password (something you know), at least one second factor be presented, such as:

  • Something you have: smartphone, hardware token, FIDO2/YubiKey key, smartcard
  • Something you are (a biological trait): fingerprint, facial or voice recognition

The most common combinations today include:

  • Authenticator apps (e.g. Google Authenticator, Microsoft Authenticator, Authy)
  • OTP codes via SMS or email (less secure)
  • Hardware tokens and passwordless solutions based on FIDO2/WebAuthn


Why is it effective?


MFA, even if imperfect, drastically reduces the risk of account compromise:

  • Even if the password is stolen, the attacker cannot log in without the second factor
  • It neutralises most automated phishing attacks
  • It protects against unauthorised access from new locations or devices

According to Microsoft, MFA blocks over 99% of account takeover attacks when configured correctly.

But even MFA can be bypassed


Despite its benefits, MFA is not invulnerable. Tools and techniques exist today that can bypass it, often exploiting social engineering or the weakness of the chosen factor.

Known bypass techniques:


  • Real-time phishing attacks: these use reverse proxies such as Evilginx2, Modlishka or EvilnoVNC to intercept the MFA session on the fly
  • Push "bombing": login notifications are sent repeatedly until the worn-down user approves one (widely used against Microsoft 365 users)
  • SIM swap: cloning the SIM to receive OTPs via SMS
  • Session hijacking: theft of already-authenticated session cookies via infostealers
  • Malware kits sold on underground markets that include MFA bypass modules (including Telegram plugins, web panels and token harvesting)

"Today attackers no longer rely on malware to breach defences. Instead, they exploit stolen credentials and trusted identities to infiltrate organisations silently and move laterally across cloud, endpoint and identity environments, often without being detected. CrowdStrike's Global Threat Report 2025 highlights this shift: 79% of initial access attacks now take place without the use of malware, and access broker activity has grown 50% year on year. World Password Day is a timely reminder for organisations to review their approach to identity security. That means going beyond traditional password hygiene to adopt an identity-centric approach that applies Zero Trust principles, continuously monitors users and access, strengthens authentication with MFA and passwordless solutions, and removes unnecessary privileges. Integrating AI-based identity threat detection and unifying visibility across endpoints, identities and cloud helps close the gaps attackers rely on," said Fabio Fratucello, Field CTO World Wide, CrowdStrike.
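Two of the techniques listed above leave traces a defender can look for. The following added example (mine, not from the article or from CrowdStrike) parses constructed log lines in an assumed key=value layout and flags push bombing (a burst of denied or unanswered pushes, worse when one is finally approved) and a session cookie reused from a different client, the signature of a cookie lifted by an infostealer.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry); the key=value layout is assumed.
SAMPLE_LOG = """\
2025-04-30T08:00:05Z mfa_push user=alice result=denied ip=203.0.113.5
2025-04-30T08:00:40Z mfa_push user=alice result=timeout ip=203.0.113.5
2025-04-30T08:01:12Z mfa_push user=alice result=denied ip=203.0.113.5
2025-04-30T08:01:50Z mfa_push user=alice result=timeout ip=203.0.113.5
2025-04-30T08:02:30Z mfa_push user=alice result=approved ip=203.0.113.5
2025-04-30T08:05:00Z mfa_push user=bob result=approved ip=198.51.100.7
2025-04-30T08:05:02Z session cookie=sid-7f3a user=bob ip=198.51.100.7 ua="Mozilla/5.0 (Windows NT 10.0)"
2025-04-30T08:20:44Z session cookie=sid-7f3a user=bob ip=192.0.2.99 ua="python-requests/2.31"
2025-04-30T09:00:00Z mfa_push user=carol result=denied ip=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"


def parse_log(text: str) -> list:
    """Turn each line into {'ts': datetime, 'event': str, <key>: <value>, ...}."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = {k: (inner if raw.startswith('"') else raw)
                  for k, raw, inner in KV_RE.findall(m["rest"])}
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        fields["event"] = m["event"]
        events.append(fields)
    return events


def push_bombing(events: list, threshold: int = 3, window: timedelta = timedelta(minutes=10)) -> dict:
    """Users who received >= threshold denied/unanswered pushes inside one window.

    'approved_after_burst' is True when a push in that same window was finally
    accepted: the pattern of a user who gave in, which warrants revoking the
    session and resetting credentials rather than just raising an alert.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for i, first in enumerate(pushes):
            burst = [p for p in pushes[i:] if p["ts"] - first["ts"] <= window]
            unanswered = sum(p["result"] != "approved" for p in burst)
            if unanswered >= threshold and unanswered > alerts.get(user, {}).get("unanswered", 0):
                alerts[user] = {
                    "unanswered": unanswered,
                    "approved_after_burst": any(p["result"] == "approved" for p in burst),
                }
    return alerts


def session_reuse(events: list) -> dict:
    """Session cookies presented from more than one (ip, user-agent) pair.

    A victim's cookie replayed by an attacker shows up as the same cookie
    arriving from a new client without any fresh MFA step in between.
    """
    clients = defaultdict(set)
    owner = {}
    for e in events:
        if e["event"] == "session":
            clients[e["cookie"]].add((e["ip"], e.get("ua", "")))
            owner[e["cookie"]] = e["user"]
    return {c: {"user": owner[c], "clients": sorted(seen)}
            for c, seen in clients.items() if len(seen) > 1}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("push bombing:", push_bombing(evts))
    print("cookie reuse:", session_reuse(evts))
```

Thresholds and window are starting points to tune against your own identity provider's logs; the two checks are independent and can be run separately.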

If MFA is not enough, it is the turn of passkeys and passwordless authentication


Multi-factor authentication is not the end of the problem, but one component of a broader defensive approach. It raises the cost of an attack, but it has to be combined with:

  • Continuous monitoring of logins and behavioural anomalies (UEBA)
  • Zero Trust Architecture solutions
  • Defences against infostealers (EDR, sandboxing, email security gateways)
  • User education on phishing and social engineering attacks

The natural evolution of MFA is abandoning the password altogether. Passkeys, based on WebAuthn, allow secure authentication using local biometrics or a PIN, without ever sending secrets to the server. Apple, Google and Microsoft are already actively integrating this technology.

Conclusions


On World Password Day, looking at the past helps us understand how much our relationship with digital identity has changed, and how much it still has to change.

Born in the 1960s thanks to the pioneering work of Fernando Corbató, passwords were for decades the key to the computing world. But what was once enough to defend a multi-user system is no longer enough today to guarantee the security of individuals, companies and entire critical infrastructures.

With growing computing complexity, automated threats, the computational power available for cracking, and the spread of infostealers and botnets, passwords alone have become a fragile and easily bypassed defence.

Our credentials, increasingly reused and vulnerable, are no longer just passwords but digital identities made up of tokens, cookies, fingerprints and sessions. A multi-million black market feeds the theft of these identities, making the move to stronger and more resilient models urgent.

In this scenario multi-factor authentication is no longer an option: it is a minimum necessity, a layer of protection that every user and organisation should adopt to defend themselves. But MFA too has limits and vulnerabilities. That is why the future of security points toward passwordless models, biometric authentication and zero-trust architectures, where access is never taken for granted.

The final message is clear: the time of "password123" is over. It is time to change... to evolve!

The moment to do so has arrived.

The article Happy World Password Day! Between MIT, hackers, infostealers and MFA: why passwords are vulnerable comes from il blog della sicurezza informatica.


Terminal DAW Does it in Style


As any Linux chat room or forum will tell you, the most powerful tool to any Linux user is a terminal emulator. Just about every program under the sun has a command line alternative, be it CAD, note taking, or web browsing. Likewise, the digital audio workstation (DAW) is the single most important tool to anyone making music. Therefore, [unspeaker] decided the two should, at last, be combined with a terminal based DAW called Tek.

Tek functions similarly to other DAWs, albeit with keyboard only input. For anyone used to working in Vim or Emacs (we ask you keep the inevitable text editor comment war civil), Tek will be very intuitive. Currently, the feature set is fairly spartan, but plans exist to add keybinds for save/load, help, and more. The program features several modes including a multi-track sequencer/sampler called the “arranger.” Each track in the arranger is color coded with a gradient of colors generated randomly at start for a fresh look every time.

Modern audio workflows often span across numerous programs, and Tek was built with this in mind. It can take MIDI input and output from the JACK Audio Connection Kit, and plans also exist to create a plugin server so Tek could be used with other DAWs like Ardour or Zrythm. Moreover, being a terminal program opens possibilities for complicated shell scripting and other such Linux-fu.

Maybe a terminal DAW is not your thing, so make sure to check out this physical one instead!


hackaday.com/2025/04/30/termin…


Welcome to Mist Market: where one click buys drugs, identities and counterfeit banknotes


There are places on the web where normality gives way to the illicit, where the appearance of a modern, functional marketplace turns into a global storefront for every kind of crime. They are spaces reachable only through the TOR network, far from the eyes of search engines and law enforcement. One of these places, new and already particularly active, is called Mist Market.

Launched in April 2025, Mist Market is a perfect example of how digital crime has embraced the logic of advanced e-commerce. Its presence was flagged and its dynamics analysed by Insikt Group, the research and threat intelligence team of Recorded Future, which described its structure and offering with its usual investigative precision.

So we went with the DarkLab team to take a look at this new market and understand how it works. After a registration that asked for no email address, we were in.

An elegant storefront for illicit goods and services


Browsing the site's pages (reachable only via an onion link on TOR), one finds a well-organised interface: products divided by category, detailed listings, images, descriptions and even reviews, just like on Amazon or eBay. But no gadgets or consumer electronics are sold here. Here the trade is in drugs, counterfeit money, cloned documents, compromised accounts and bespoke hacking services.

Among the many striking elements in the Insikt Group report is above all the offering of high-quality counterfeit banknotes, described as "highly undetectable". We are not talking about crude copies printed in a basement, but professional forgeries that, according to the seller, pass verification checks undisturbed in shops, restaurants, railway stations and even banks. A disturbing claim, which opens up scenarios of systemic risk for the physical economy of entire cities.

Designer drugs and old-school narcotics


But Mist Market is not limited to counterfeit money. The catalogue includes narcotics of every kind. Particularly noteworthy is the presence of crystal methamphetamine, described in detail as "white crystalline powder or bluish-white crystals", with a stock of no less than 2,500 grams available.

Next to it appears a name that seemed to belong to the past: Quaalude, in 300 mg tablets declared "pharma grade", that is, of pharmaceutical quality. A sedative-hypnotic that became famous in the 1970s (and was later banned in most countries) is back in circulation thanks to parallel circuits like this one.

Hacking as a service


Among the "digital offerings", on the other hand, a growing demand for and supply of hacking-on-commission services stands out. The listings speak plainly: unlocking WhatsApp accounts, manipulating credit scores, recovering Bitcoin wallets and even access to "live" cards, that is, credit cards with an active balance that can be used online.

The sellers guarantee validity for one hour, within which the buyer must verify that the card actually works. After that no guarantee is offered, neither on remaining funds nor on refunds. A genuine "disposable" trade for which nobody ever really answers.

Below is a sample of the services on offer:

  • Hacker for WhatsApp
  • Hacker to Track Live GPS Location
  • Hacker for Phone Monitoring Services
  • Cheating Partner Monitoring
  • Cryptocurrency Transaction Reversal
  • Hacker to Hack Social Media Passwords
  • Grade Change Hack
  • Credit Score Hacker
  • Online Exam Hack
  • Cryptocurrency Mining Hack
  • Change Criminal Record
  • Western Union Transfers


A parallel economy run on Monero


All transactions on Mist Market take place strictly in Monero (XMR), a cryptocurrency known for its focus on privacy and the complete opacity of its flows. Unlike Bitcoin, Monero does not allow transactions to be traced, making any investigation based on blockchain analysis effectively impossible. For this reason it has become the currency of choice on the most advanced darknet markets.

And here too, the platform does not just sell. It also offers support channels, direct contact via Jabber, a reference forum (Pitch Forum) and even a commercial policy that, at least on paper, guarantees "satisfaction or replacement", within certain limits and conditions.

Conclusions: an invisible but concrete threat


The analysis provided by Insikt Group on Mist Market gives us a very clear picture: cybercrime is no longer a phenomenon limited to intrusions or ransomware. It has become a complex commercial machine that merges financial crime, drug trafficking, counterfeiting, hacking and digital fraud into a single point of access.

The skill with which these sellers create and manage functional "storefronts", promotions, bulk-purchase discounts and business-to-business-style customer care tells us that we are facing genuine criminal enterprises, with alarming levels of efficiency and organisation.

And this is precisely the most worrying point: these are no longer improvised individual actors but complete, resilient, replicable ecosystems, able to re-emerge under new names even when closed or dismantled. A digital black market that works better than the legal one.

And every day, while we browse the pages of an e-commerce site to buy a book or a pair of shoes, someone else, in another part of the world, buys a counterfeit banknote, a dose of methamphetamine or a service to steal an identity. And does so with a click.

The article Welcome to Mist Market: where one click buys drugs, identities and counterfeit banknotes comes from il blog della sicurezza informatica.


Building an nRF52840 and Battery-Powered Zigbee Gate Sensor


Recently [Glen Akins] reported on Bluesky that the Zigbee-based sensor he had made for his garden’s rear gate was still going strong after a Summer and Winter on the original 2450 lithium coin cell. The construction plans and design for the unit are detailed in a blog post. At the core is the MS88SF2 SoM by Minew, which features a Nordic Semiconductor nRF52840 SoC that provides the Zigbee RF feature as well as the usual MCU shenanigans.

Previously [Glen] had created a similar system that featured buttons to turn the garden lights on or off, as nobody likes stumbling blindly through a dark garden after returning home. Rather than having to fumble around for a button, the system should detect when said rear gate is opened. This would send a notification to [Glen]’s phone as well as activate the garden lights if it’s dark outside.

Although using a reed relay switch seemed like an obvious solution to replace the buttons, holding it closed turned out to require too much power. After looking at a few commercial examples, he settled for a Hall effect sensor solution with the TI DRV5032FB in a TO-92 package.

Whereas the average person would just have put in a PIR sensor-based solution, this Zigbee solution does come with a lot more smart home creds, and does not require fumbling around with a smartphone or yelling at a voice assistant to turn the garden lights on.


hackaday.com/2025/04/30/buildi…


China accuses the NSA of using native Windows backdoors to hack the Asian Games


Backdoors, as we know, are everywhere, and where present they can be used both by whoever requested them and to the advantage of whoever discovers them; this could be an emblematic case on the subject.

During the 2025 Asian Winter Games in Harbin, China, a serious cybersecurity incident occurred: the Chinese authorities accused the United States National Security Agency (NSA) of orchestrating a series of targeted cyberattacks against the event's information systems and the critical infrastructure of Heilongjiang province.

According to MyDrivers, the NSA allegedly used advanced techniques to infiltrate Windows-based systems, sending encrypted data packets to activate alleged backdoors pre-installed in Microsoft operating systems.

The investigations, conducted by the National Computer Virus Emergency Response Center and by information security experts, revealed that the attacks focused on specific applications, critical infrastructure and sensitive sectors. The techniques employed included the use of unknown vulnerabilities, brute-force attacks and targeted scans to locate sensitive files. In total, more than 270,000 intrusion attempts were recorded, hitting crucial systems such as those for event information management, logistics and communications.

A particularly worrying aspect was the sending of encrypted data to Windows devices in the region, presumably to activate backdoors built into the operating system. This discovery raises questions about the security of computer systems and the possibility that vulnerabilities are intentionally left open in commercial software.

The Chinese authorities identified three NSA agents and two US academic institutions as responsible for the attacks, issuing international arrest warrants. The episode has heightened tensions between China and the United States in the field of cybersecurity, highlighting the growing importance of protecting digital infrastructure at events of international significance.

The international community is now called upon to reflect on the need to establish rules and agreements to prevent similar attacks in the future. Cooperation between nations and transparency in the development and management of computer systems become fundamental to guaranteeing security and trust in cyberspace.

In conclusion, the Harbin incident is a wake-up call about the vulnerability of digital infrastructure and the urgency of tackling cyber threats with coordinated, proactive strategies at the global level.

The article China accuses the NSA of using native Windows backdoors to hack the Asian Games comes from il blog della sicurezza informatica.


Back to Reality with the Time Brick


There are a lot of distractions in daily life, especially with all the different forms of technology and their accompanying algorithms vying for our attention in the modern world. [mar1ash] makes the same observation about our shared experiences fighting to stay sane with all these push notifications and alerts, and wanted something a little simpler that can just tell time and perhaps a few other things. Enter the time brick.

The time brick is a simple way of keeping track of the most basic of things in the real world: time and weather. The device has no buttons and only a small OLED display. Based on an ESP-01 module and housed in a LEGO-like enclosure, the USB-powered clock sits quietly by a bed or computer with no need for any user interaction at all. It gets its information over a Wi-Fi connection configured in the code running on the device, and cycles through not only time, date, and weather but also a series of pre-programmed quotes of a surreal nature, since part of [mar1ash]’s goals for this project was to do something just a little bit outside the norm.

There are a few other quirks in this tiny device as well, including animations for the weather display, a “night mode” that’s automatically activated to account for low-light conditions, and the ability to easily handle WiFi drops and other errors without crashing. All of the project’s code is also available on its GitHub page. As far as design goes, it’s an excellent demonstration that successful projects have to avoid feature creep, and that doing one thing well is often a better design philosophy than adding needless complications.


hackaday.com/2025/04/29/back-t…