
Expensive Camera, Cheap 3D-Printed Lens


If you’re a photography enthusiast, you probably own quite a few cameras, but the chances are your “good” one will have interchangeable lenses. Once you’ve exhausted the possibilities of the kit lens, you can try different focal lengths and effects, but you’ll soon find out that good glass isn’t cheap. Can you solve this problem by making your own lenses? [Billt] has done just that.

Given some CAD skills, it’s possible to replicate the mount on an existing lens, but he takes a shortcut by using a readily available camera cap project. There are two lenses detailed in the video below the break; the first is a plastic lens from a disposable camera, while the second takes one from a Holga toy camera. The plastic lens is inserted mid-print, giving the colour aberrations and soft focus you’d expect, while the Holga lens is mounted on a slide for focusing. There may be some room for improvement there, but the result is a pair of fun lenses for experimentation for not much outlay. Given the number of broken older cameras out there, it should be relatively easy for anyone wanting to try this for themselves to have a go.

The video is below the break, but while you’re on this path, take a look at a previous project using disposable camera lenses. Or, consider printing an entire camera.

youtube.com/embed/S5-6ZxoWP7Q?…


hackaday.com/2025/03/08/expens…


Transceiver Reveals Unusual Components


[MSylvain59] likes to tear down old surplus, and in the video below, he takes apart a German transceiver known as a U-600M. From the outside, it looks like an unremarkable gray box, especially since it is supposed to work with a remote unit, so there’s very little on the outside other than connectors. Inside, though, there’s plenty to see and even a few surprises.

Inside is a neatly built RF circuit with obviously shielded compartments. In addition to a configurable power supply, the radio has modules that allow configuration to different frequencies. One of the odder components is a large metal cylinder marked MF450-1900. This appears to be a mechanical filter. There are also a number of unusual parts like dogbone capacitors and tons of trimmer capacitors.

The plug-in modules are especially dense and interesting. In particular, some of the boards are different from some of the others. It is an interesting design from a time predating broadband digital synthesis techniques.

While this transceiver is stuffed with parts, it probably performs quite well. However, transceivers can be simple. Even more so if you throw in an SDR chip.

youtube.com/embed/tw9qxqWB9SM?…


hackaday.com/2025/03/08/transc…


Physical Computing Used to be a Thing


In the early 2000s, the idea that you could write programs on microcontrollers that did things in the physical world, like run motors or light up LEDs, was kind of new. At the time, most people thought of coding as stuff that stayed on the screen, or in cyberspace. This idea of writing code for physical gadgets was uncommon enough that it had a buzzword of its own: “physical computing”.

You never hear much about “physical computing” these days, but that’s not because the concept went away. Rather, it’s probably because it’s almost become the norm. I realized this as Tom Nardi and I were talking on the podcast about a number of apparently different trends that all point in the same direction.

We started off talking about the early days of the Arduino revolution. Sure, folks were building hobby projects with microcontrollers before Arduino, but the combination of a standardized board, a wide-ranging software library, and abundant examples to learn from brought embedded programming to a much wider audience. In particular, it brought this to an audience of beginners who were not only blinking an LED for the first time, but maybe even taking their first steps into coding. For many, the Arduino hello world was their coding hello world as well. These folks are “physical computing” natives.

Now, it’s to the point that when Arya goes to visit FOSDEM, an open-source software convention, there is hardware everywhere. Why? Because many successful software projects support open hardware, and many others run on it. People port their favorite programming languages to microcontroller platforms, and as those platforms become more powerful, the lines between the “big” computers and the “micro” ones start to blur.

And I think this is awesome. For one, it’s somehow more rewarding, when you’re just starting to learn to code, to see the letters you type cause something in the physical world to happen, even if it’s just blinking an LED. At the same time, everything has a microcontroller in it these days, and hacking on these devices is also another flavor of physical computing – there’s code in everything that you might think of as hardware. And with open licenses, everything being under version control, and more openness in open hardware than we’ve ever seen before, the open-source hardware world reflects the open-source software ethos.

Are we getting past the point where the hardware / software distinction is even worth making? And was “physical computing” just the buzzword for the final stages of blurring out those lines?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!


hackaday.com/2025/03/08/physic…


The Pentium Processor’s Innovative (and Complicated) Method of Multiplying by Three, Fast


[Ken Shirriff] has been sharing a really low-level look at Intel’s Pentium (1993) processor. The Pentium’s architecture was highly innovative in many ways, and one of [Ken]’s most recent discoveries is that it contains a complex circuit — containing around 9,000 transistors — whose sole purpose is to multiply specifically by three. Why does such an apparently simple operation require such a complex circuit? And why this particular operation, and not something else?

Let’s back up a little to put this all into context. One of the feathers in the Pentium’s cap was its Floating Point Unit (FPU) which was capable of much faster floating point operations than any of its predecessors. [Ken] dove into reverse-engineering the FPU earlier this year and a close-up look at the Pentium’s silicon die shows that the FPU occupies a significant chunk of it. Of the FPU, nearly half is dedicated to performing multiplications and a comparatively small but quite significant section of that is specifically for multiplying a number by three. [Ken] calls it the x3 circuit.

The “x3 circuit”, a nontrivial portion of the Pentium processor, is dedicated to multiplying a number by exactly three and contains more transistors than an entire Z80 microprocessor.

Why does the multiplier section of the FPU in the Pentium processor have such specialized (and complex) functionality for such an apparently simple operation? It comes down to how the Pentium multiplies numbers.

Multiplying two 64-bit numbers is done in base-8 (octal), which ultimately requires fewer operations than doing so in base-2 (binary). Instead of handling each bit separately (as in binary multiplication), three bits of the multiplier get handled at a time, requiring fewer shifts and additions overall. But the downside is that multiplying by three must be handled as a special case.

[Ken] gives an excellent explanation of exactly how all that works (which is also an explanation of the radix-8 Booth’s algorithm) but it boils down to this: there are numerous shortcuts for multiplying numbers (multiplying by two is the same as shifting left by 1 bit, for example) but multiplying by three is the only one that doesn’t have a tidy shortcut. In addition, because the result of multiplying by three is involved in numerous other shortcuts (x5 is really x8 minus x3 for example) it must also be done very quickly to avoid dragging down those other operations. Straightforward binary multiplication is too slow. Hence the reason for giving it so much dedicated attention.
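To see why the ×3 multiple is the odd one out, here is a small software model of radix-8 Booth multiplication. This is an added example written for this page, not code from [Ken]’s write-up or from Intel: it recodes the multiplier three bits at a time into digits from −4 to +4, so the only multiples of the multiplicand ever needed are 0, 1×, 2×, 3× and 4×. Every one of those except 3× is a plain shift; 3× has to be computed once up front, which is the job the Pentium hands to its dedicated circuit. The function names and the 64-bit default width are this example’s own choices.

```python
# Added example: radix-8 Booth multiplication with a precomputed 3x multiple.
# A software model of the scheme described above; not the article's or
# Intel's code. Works on Python ints of any size.

def booth_radix8_digits(y, bits):
    """Recode the `bits`-wide two's-complement multiplier y into radix-8 Booth
    digits, least significant first. Each digit lies in -4..+4, so only the
    multiples 0, 1x, 2x, 3x and 4x of the multiplicand are ever required."""
    width = bits + (-bits) % 3          # pad to a whole number of 3-bit groups
    y_tc = y & ((1 << width) - 1)       # two's-complement bit pattern of y
    digits = []
    prev = 0                            # the bit just below the current group
    for i in range(0, width, 3):
        b0 = (y_tc >> i) & 1
        b1 = (y_tc >> (i + 1)) & 1
        b2 = (y_tc >> (i + 2)) & 1
        # Booth recoding: the top bit of a group is weighted -4 here and
        # "repaid" as +1 (times 8) by the next group through prev.
        digits.append(-4 * b2 + 2 * b1 + b0 + prev)
        prev = b2
    return digits


def multiply_radix8(x, y, bits=64):
    """Multiply x by the `bits`-wide signed multiplier y with radix-8 Booth
    recoding. Returns (product, how many digits needed the 3x multiple)."""
    if not -(1 << (bits - 1)) <= y < (1 << (bits - 1)):
        raise ValueError("multiplier does not fit in %d signed bits" % bits)
    x3 = x + (x << 1)   # the one multiple with no shift shortcut: the "x3 circuit"
    multiples = {0: 0, 1: x, 2: x << 1, 3: x3, 4: x << 2}
    acc = 0
    uses_of_x3 = 0
    for k, d in enumerate(booth_radix8_digits(y, bits)):
        term = multiples[abs(d)]
        if d < 0:
            term = -term
        acc += term << (3 * k)          # digit k is worth 8**k = 2**(3k)
        uses_of_x3 += (abs(d) == 3)
    return acc, uses_of_x3


def partial_product_count(bits):
    """Partial products for a `bits`-wide multiplier: one per bit in plain
    binary versus one per 3-bit group in radix-8."""
    return bits, (bits + (-bits) % 3) // 3


if __name__ == "__main__":
    x, y = 0x1234_5678_9ABC_DEF0, -0x0FED_CBA9_8765_4321   # constructed sample operands
    product, x3_uses = multiply_radix8(x, y)
    print("digits:", booth_radix8_digits(y, 64))
    print("correct:", product == x * y, " 3x needed", x3_uses, "times")
    print("partial products (binary, radix-8):", partial_product_count(64))
```

Run as a script it checks a 64-bit product against Python’s own arithmetic and reports how often the 3× multiple was needed; for a 64-bit multiplier the radix-8 loop handles 22 digit groups instead of 64 individual bits, which is the saving the article describes.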

[Ken] goes into considerable detail on how exactly this is done, and it involves carry lookaheads as a key element to saving time. He also points out that this specific piece of functionality used more transistors than an entire Z80 microprocessor. And if that is not a wild enough idea for you, then how about the fact that the Z80 has a new OS available?


hackaday.com/2025/03/08/the-pe…


Get Into Meshtastic On the Cheap With This Tiny Node Kit


There’s been a lot of buzz about Meshtastic lately, and with good reason. The low-power LoRa-based network has a ton of interesting use cases, and as with any mesh network, the more nodes there are, the better it works for everyone. That’s why we’re excited by this super-affordable Meshtastic kit that lets you get a node on the air for about ten bucks.

The diminutive kit, which consists of a microcontroller and a LoRa module, has actually been available from the usual outlets for a while. But [concretedog] has been deep in the Meshtastic weeds lately, and decided to review its pros and cons. Setup starts with flashing Meshtastic to the XIAO ESP32-S3 microcontroller and connecting the included BLE antenna. After that, the Wio-SX1262 LoRa module is snapped to the microcontroller board via surface-mount connectors, and a separate LoRa antenna is connected. Flash the firmware (this combo is supported by the official web flasher), and you’re good to go.

What do you do with your new node? That’s largely up to you, of course. Most Meshtastic users seem content to send encrypted text messages back and forth, but as our own [Jonathan Bennett] notes, a Meshtastic network could be extremely useful for emergency preparedness. Build a few of these nodes, slap them in a 3D printed box, distribute them to willing neighbors, and suddenly you’ve got a way to keep connected in an emergency, no license required.


hackaday.com/2025/03/08/get-in…


Criminal Hackers for Ethical Hackers: the black market in forged certifications


A user with the nickname adispystore has posted an advertisement on a well-known underground forum, offering alleged remote services and exam reports for several cybersecurity certifications, including OSCP, OSEP, OSWE, CRTP and CRTE.

The listing offers the following services:

  • OSCP: remote support services during the exam, with a method claimed to be “undetectable”.
  • HTB CPTS and CBBH: exam reports and remote assistance.
  • CRTE and CRTP: support on Discord during the exam.
  • CRTO: remote exam services.
  • OSWE Exam Report: source code, RCE exploit and a detailed report on the Akount and Soapbx environments.
  • OSEP Exam Writeup (14 flags) – February 2025: supporting evidence said to be available.

The user states that they deal exclusively on Discord under the name adispy and warns that they are not responsible for any transactions made with contacts impersonating them.

The certifications involved


The certifications offered in this listing are highly technical and recognised in the cybersecurity industry. Here is an overview:

  • OSCP+ (Offensive Security Certified Professional Plus) attests not only to experience in information security, but also indicates that the professional is up to date with the industry’s latest standards and practices. The “+” designation underlines a commitment to continuous learning. If the “+” is not maintained through ongoing training, the holder still retains the OSCP, a practical, hands-on certification that requires attacking and penetrating live machines in a controlled environment using the tools in Kali Linux.
  • HTB CPTS (Hack The Box Certified Penetration Testing Specialist): a Hack The Box certification that validates intermediate penetration testing skills, including advanced exploitation techniques, privilege escalation and reporting.
  • HTB CBBH (Hack The Box Certified Bug Bounty Hunter): a Hack The Box certification specialising in bug bounty hunting and web security, with an emphasis on complex vulnerabilities in applications and APIs. The exam tests the ability to identify and exploit complex vulnerabilities in web applications and APIs.
  • OSEP (OffSec Experienced Penetration Tester): an advanced Offensive Security certification attesting to a high level of skill in penetration testing against hardened environments. It covers security evasion techniques, antivirus and EDR bypass, and advanced attacks on Windows networks and Active Directory. Earning the OSEP distinguishes professionals experienced in simulating sophisticated attacks, making them highly sought after in offensive cybersecurity.
  • OSWE (Offensive Security Web Expert): an OffSec certification focused on advanced web application security. It validates skills in web penetration testing, evading defences and writing custom exploits for critical vulnerabilities. OSWE-certified professionals are highly qualified in protecting organisations from web threats.
  • CRTP (Certified Red Team Professional): a certification focused on Red Teaming techniques for beginners, covering attacks on Windows Active Directory infrastructure such as privilege escalation and lateral movement, emulating the tactics of APT actors.
  • CRTE (Certified Red Team Expert): an advanced certification for experienced Red Teaming professionals. It concentrates on simulating complex, advanced attacks against enterprise infrastructure, emulating the TTPs (Tactics, Techniques, and Procedures) of APT actors, with an emphasis on sophisticated attacks and the handling of complex environments.
  • CRTO (Certified Red Team Operator): a certification that teaches advanced Red Teaming strategies. Focused on simulating advanced persistent threats (APTs), the operator gains skills in assessing organisational defences and in using tools and methodologies for effective Red Team exercises. It also emphasises collaboration with Blue Teams to improve overall security posture.


Advanced cheating methods


The listing mentions the use of “undetectable” methods for remote exam support. This could indicate the use of sophisticated techniques such as:

  • Remote Access Trojan (RAT): malware used to control the candidate’s system remotely without being detected.
  • Virtual Machine Escaping: use of virtual environments to evade security controls.
  • Obfuscation and Anti-Detection: techniques for hiding suspicious activity and evading monitoring systems.
  • and more.

This case represents an attempt at large-scale academic fraud. Buying exam reports or using remote assistance during tests not only breaks the certification rules, but also carries risks such as:

  • Compromised professional integrity: someone who obtains a certification fraudulently may lack the required skills, creating problems across the information security industry.
  • Legal risks: being caught using these services can lead to revocation of the certification and legal consequences.
  • Exposure to scams: many sellers on underground forums may be scammers who take the money without providing any service.


Conclusions and monitoring


At present, we cannot confirm the authenticity of this news. The information reported comes from publicly accessible sources on underground forums and should be treated as a source of intelligence, not as definitive confirmation.

RHC will monitor developments in this story and post any updates on the blog. Anyone with additional information can contact us anonymously via our encrypted whistleblower email.

The article Criminal Hackers for Ethical Hackers: the black market in forged certifications comes from il blog della sicurezza informatica.


The Road to Lucid Dreaming Might be Paved With VR


Lucid dreaming is the state of becoming aware one is dreaming while still being within the dream. To what end? That awareness may allow one to influence the dream itself, and the possibilities of that are obvious and compelling enough that plenty of clever and curious people have formed some sort of interest in this direction. Now there are some indications that VR might be a useful tool in helping people achieve lucid dreaming.

The research paper (Virtual reality training of lucid dreaming) is far from laying out a conclusive roadmap, but there’s enough there to make the case that VR is at least worth a look as a serious tool in the quest for lucid dreaming.

One method of using VR in this way hinges on the idea that engaging in immersive VR content can create mild dissociative experiences, and this can help guide and encourage users to perform “reality checks”. VR can help such reality checks become second nature (or at least more familiar and natural), which may help one to become aware of a dream state when it occurs.

Another method uses VR as a way to induce a mental state that is more conducive to lucid dreaming. As mentioned, engaging in immersive VR can induce mild dissociative experiences, so VR slowly guides one into a more receptive state before falling asleep. Since sleeping in VR is absolutely a thing, perhaps an enterprising hacker with a healthy curiosity in lucid dreaming might be inspired to experiment with combining them.

We’ve covered plenty of lucid dreaming hacks over the years and there’s even been serious effort at enabling communication from within a dreaming state. If you ask us, that’s something just begging to be combined with VR.


hackaday.com/2025/03/07/the-ro…


This Laser Knows about Gasses


What’s that smell? If you can’t tell, maybe a new laser system from CU Boulder and NIST can help. The device is simple and sensitive enough to detect gases at concentrations down to parts per trillion.

The laser at the system’s heart is a frequency comb laser, originally made for optical atomic clocks. The laser has multiple optical frequencies in its output. The gas molecules absorb light of different wavelengths differently, giving each type of molecule a unique fingerprint.

Unlike traditional lasers, which emit a single frequency, a frequency comb laser can emit thousands or millions of colors at once. The inventor picked up the Nobel prize in 2005 for that work.

The gas is placed between two highly reflective mirrors. The beam bounces back and forth in this optical cavity, although previous attempts were difficult because the cavity only resonates at particular frequencies. The answer was to jiggle the mirrors to change the size of the cavity during measurements.

This is one of those things that doesn’t seem very complicated except — whoops — you need an exotic comb laser. But if those ever become widely available, you could probably figure out how to replicate this.

This could revolutionize air quality instruments. Small quantities of hydrogen sulfide can be detected easily (although, paradoxically, too much is hard to smell).


hackaday.com/2025/03/07/this-l…


Tearing Down a Vintage Word Processor


There was a time when the line between typewriters and word processing software was a bit fuzzy. [Poking Technology] found a Xerox 6040 which can’t decide what it is. It looks like a typewriter but has a monitor and a floppy drive, along with some extra buttons. You can watch him tear it down in the video below.

The old device uses a daisywheel type element, which, back then, was state of the art. A wheel had many spokes with letters and the printer would spin the wheel and then strike the plastic spoke.

Inside there is a computer of sorts. Like a lot of gear from those days, there is a huge linear power supply. The video is a couple of hours long, so you’ll have plenty of chances to see the inside. There is an 8031 on the first logic board and some odd connections for external devices. As it turns out, that board wasn’t the main word-processing board, which is under the keyboard.

On that board, there is another small CPU and some very large gate arrays. Under an odd-looking socket, however, lives an 80188, which is sort of an 8086/8088 variant.

The video is a very long deep dive into the internals, including reverse engineering of some of the ROM chips and even a surprise or two.

These machines always look retro-chic to us. Even then, though, we preferred WordStar.

youtube.com/embed/ZQoFgrJaHu0?…


hackaday.com/2025/03/07/tearin…


Trio of Mods Makes Delta Printer More Responsive, Easier to Use


Just about any 3D printer can be satisfying to watch as it works, but delta-style printers are especially hypnotic. There’s just something about the way that three linear motions add up to all kinds of complex shapes; it’s mesmerizing. Deltas aren’t without their problems, though, which led [Bruno Schwander] to undertake a trio of interesting mods on his Anycubic Kossel.

First up was an effort to reduce the mass of the business end of the printer, which can help positional accuracy and repeatability. This started with replacing the stock hot-end with a smaller, lighter MQ Mozzie, but that led to cooling problems that [Bruno] addressed with a ridiculously overpowered brushless hairdryer fan. The fan expects a 0 to 5 VDC signal for the BLDC controller, which meant he had to build an adapter to allow Marlin’s 12-volt PWM signal to control the fan.

Once the beast of a fan was tamed, [Bruno] came up with a clever remote mount for it. A 3D-printed shroud allowed him to mount the fan and adapter to the frame of the printer, with a flexible duct connecting it to the hot-end. The duct is made from lightweight nylon fabric with elastic material sewn into it to keep it taut as the printhead moves around, looking a bit like an elephant’s trunk.

Finally, to solve his pet peeve of setting up and using the stock Z-probe, [Bruno] turned the entire print bed into a strain-gauge sensor. This took some doing, which the blog post details nicely, but it required building a composite spacer ring for the glass print bed to mount twelve strain gauges that are read by the venerable HX711 amplifier and an Arduino, which sends a signal to Marlin when the head touches the bed. The video below shows it and the remote fan in action.

youtube.com/embed/b32DKuH9-Ho?…


hackaday.com/2025/03/07/trio-o…


Run Xbox 360 Games on Your PC With XenonDecomp


Inspired by the N64: Recompiled project, XenonRecomp does something similar, except for the PowerPC-equipped Microsoft Xbox 360 game console. Based around the triple-core IBM CPU codenamed ‘Xenon’, the Xbox 360 was released in 2005 and was generally quite successful over its lifespan despite its Red Ring of Death issues. Although the current Xbox Series X supports running a number of Xbox 360 games, this is done via emulation and only 632 games out of 2,155 are supported.

This is where XenonRecomp promises not only to turn the games into native (x86) software, but also to allow for a range of graphical improvements. Best of all, it allows Xbox 360 games to be preserved instead of being tied to an obsolete console. That said, much like with N64Recomp, it’s not a simple matter of running a tool over the PPC binary. You’re expected to have in-depth systems knowledge, with the tools in XenonRecomp assisting with the decompilation (into C++) and the recompilation into x86 binaries, but support for PPC instructions, VMX (vector instructions) and aspects like jump table conversion and (currently missing) MMIO support are likely to present an enterprising developer with hours of fun to implement and debug when issues arise.

After recompilation into an x86 binary, the required assets are then expected to be copied in from a (legal) copy of the original game. As a proof of concept the game Sonic Unleashed has been ported in this manner, with [Modern Vintage Gamer] running through this port and the improvements made over the original game, as well as some issues you may encounter:

youtube.com/embed/hqpw-QPsdCg?…


hackaday.com/2025/03/07/run-xb…


Open Source Hardware, How Open Do You Want It To Be?


In our wider community we are all familiar with the idea of open source software. Many of us run it as our everyday tools, a lot of us release our work under an open source licence, and we have a pretty good idea of the merits of one such document over another. A piece of open source software has all of its code released under a permissive licence that explicitly allows it to be freely reproduced and modified, and though some people with longer beards take it a little too seriously at times and different flavours of open source work under slightly different rules, by and large we’re all happy with that.

When it comes to open hardware though, is it so clear cut? I’ve had more than one rant from my friends over the years about pieces of hardware which claim to be open-source but aren’t really, so I think this bears some discussion.

Open Source Hardware As It Should Be Done


To explore this, we’ll need to consider a couple of open source hardware projects, and I’ll start close to home with one of my own. My Single 8 home movie cartridge is a 3D printable film cartridge for a defunct format, and I’ve put everything necessary to create one yourself in a GitHub repository under the CERN OHL. If you download the file and load it into OpenSCAD you can quickly create an STL file for your slicer, or fiddle with the code and make an entirely new object. Open source at its most efficient, and everyone’s happy. I’ve even generated STLs ready to go for each of the supported ISO values.
A hexagonal printed circuit board event badge on a table top in the dark, illuminated by coloured LEDs around its edge. The beautiful EMF2024 Tildagon. CC-BY-4.0
For the second example project it’s necessary to consider, instead of a single OpenSCAD file, a more complex design with multiple files. The Tildagon was the badge at the Electromagnetic Field 2024 hacker camp, and there are repositories for its hardware under the CERN OHL, and its software under an MIT licence. Using the contents of these repositories, you can make your own Tildagon in its entirety, or rework any part of it under the terms of the licence.

Of these, the film cartridge is a simple repository. Whether you download the OpenSCAD file or the STLs, there’s only one type of file and it’s unambiguous what the project comprises. But the Tildagon is a much more complex device that has many different files describing its various parts, all of which come together to make the whole. Everything required is present, and the terms of use for it all are clearly defined. For me, it’s a great example of how a complex open-source hardware project should be presented.

Open Source Hardware As It Shouldn’t Be Done


Now, imagine that instead of the EMF folks, I was the developer of the Tildagon. Imagine that I started taking files away from the repositories. The BOM first perhaps, then the KiCAD files. If I were left with just the Gerbers and the PNG schematic, I’ve in theory provided just enough resources to make a Tildagon, and with an appropriate open-source licence I could call it an open-source hardware project.

But even though I’ve granted people the right to use and modify the files in an open-source manner, can I really claim it’s as open-source as if I had released the full set of resources? Hand-editing the source of a Gerber doesn’t really count, and I agree with a point made by some of those friends I mentioned earlier. Providing as little as possible in that way is the equivalent of releasing a compiled binary, as when the convergence factor with free-as-in-beer approaches one, maybe it’s not open-source hardware after all.

Of course, the astute among you will have gathered by now that this isn’t about the Tildagon; instead I’m using it as a metaphor for something else. Though it’s tempting, I am not going to name and shame, but there have been a series of high-profile commercial open source hardware projects over the years that do, to a greater or lesser extent, just what I have described. I even have one of them on my bench; perhaps you do too. It’s not a problem if all you want is the product, but pushing the limits of open source in this way as an empty marketing ploy is not appropriate. Either something is fully open, or it should not, in my opinion at least, be allowed to describe itself as such. There’s nothing at all wrong with a closed source product, after all.

So. What’s To Be Done?


There’s a key phrase in the CERN OHL that I think is pertinent here; the idea of the “Complete source”. It’s mentioned in clause 1.8 of the text, which goes as follows:
1.8 'Complete Source' means the set of all Source necessary to Make
a Product, in the preferred form for making modifications,
including necessary installation and interfacing information
both for the Product, and for any included Available Components.
If the format is proprietary, it must also be made available in
a format (if the proprietary tool can create it) which is
viewable with a tool available to potential licensees and
licensed under a licence approved by the Free Software
Foundation or the Open Source Initiative. Complete Source need
not include the Source of any Available Component, provided that
You include in the Complete Source sufficient information to
enable a recipient to Make or source and use the Available
Component to Make the Product.
This clause encapsulates perfectly how the release of all project files should be necessary for a project that wants to be called open-source. It’s important, because open source goes beyond mere ability to copy, and extends into modifying and extending the project. Without those extra files, as with my Tildagon-as-Gerbers example above, this becomes next-to-impossible. Perhaps it’s time as a community to take a slightly harder line with anything less, and instead of welcoming every shiny new toy at face value, probing a little to find out just how deep that open source hardware logo goes.

Otherwise, calling something open source hardware will inevitably lose its meaning. Is this what we want, in exchange for a few flashy commercial projects?

Open source hardware logo on PCB: Altzone, CC BY-SA 3.0.


hackaday.com/2025/03/07/open-s…


Hackaday Podcast Episode 311: AirTag Hack, GPS Rollover, and a Flat-Pack Toaster


This week, Elliot Williams and Tom Nardi start off the episode by announcing Arduino co-founder David Cuartielles will be taking the stage as the keynote speaker at Hackaday Europe. In his talk, we’ll hear about a vision of the future where consumer electronics can be tossed in the garden and turned into compost instead of sitting in a landfill for the next 1,000 years or so.

You’ll also hear about a particularly clever manipulation of Apple’s AirTag infrastructure, how a classic kid’s toy was turned into a unique display with the help of computer vision, and the workarounds required to keep older Global Positioning System (GPS) hardware up and running. They’ll also cover DIY toasters, extracting your data from a smart ring before the manufacturer can sell it, a LEGO interferometer, and a new feature added to the Bus Pirate 5’s already impressive list of capabilities.

Capping off the episode there’s a discussion about the surprising (or depending on how you think about it, unsurprising) amount of hardware that was on display at FOSDEM this year, and the history of one of man’s most infernal creations, the shopping cart wheel lock.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!


Download in DRM-free MP3 and listen from the comfort of your shopping cart.


hackaday.com/2025/03/07/hackad…


GNSS Signals Tracked on the Moon By LuGRE


As part of the payloads on the Firefly Blue Ghost Mission 1 (BGM1) that recently touched down on the Moon, the Lunar GNSS Receiver Experiment (LuGRE) has become the first practical demonstration of acquiring and tracking Earth-orbiting GNSS satellites on the Moon. LuGRE consists of a weak-signal GNSS receiver, a high-gain L-band patch antenna and the requisite amplification and filter circuits, designed to track a number of GPS and Galileo signals.

Designed by NASA and the Italian Space Agency (ISA), the LuGRE payload’s goal was to demonstrate GNSS-based positioning, navigation and timing at the Moon. This successful demonstration makes it plausible that future lunar missions, whether in orbit or on the surface, could use Earth’s GNSS satellites for navigation and positioning. On the way to the lunar surface, LuGRE confirmed that it could track GNSS signals at various distances from Earth.

Both LuGRE and BGM1 are part of NASA’s Commercial Lunar Payload Services (CLPS) program, with BGM1 delivering a total of ten payloads to the Moon, each designed to study a different aspect of the lunar environment, as well as hardware and technologies relevant to future missions.


hackaday.com/2025/03/07/gnss-s…


Squidoor: an analysis of the Chinese backdoor threatening organizations worldwide


Since March 2023, a suspected APT (Advanced Persistent Threat) group of Chinese origin has been targeting various critical sectors worldwide, with particular attention to government, defense, telecommunications, aviation and education in Southeast Asia and South America. This threat actor has demonstrated advanced attack capabilities through the use of Squidoor, a sophisticated, modular backdoor designed to operate stealthily on Windows and Linux systems.

The attack, as the Threat Intelligence connection map shows (see attached image), relies on an elaborate infrastructure using multiple persistence and data exfiltration techniques. A detailed analysis of this threat is available in the report published by Palo Alto Networks Unit 42, at the following link: Unit 42 – Advanced Backdoor Squidoor. In this article we examine in detail how Squidoor works, its evasion techniques, its infection vectors and the countermeasures needed to defend against this threat.

Squidoor’s technical characteristics


Squidoor is not a simple backdoor but an advanced modular system that uses several communication protocols to maintain access to compromised systems without raising suspicion. These protocols include:

  • Outlook API: the malware uses the Outlook API to relay commands and data to the command-and-control (C2) server. This approach makes detection difficult, since the traffic looks like ordinary email communication.
  • DNS tunneling: Squidoor can use DNS requests to send data to the C2 servers, evading firewalls and traffic monitoring systems.
  • ICMP tunneling: the use of ICMP packets (typically used for ping) lets the malware establish hidden communication channels, further complicating detection.

Beyond these capabilities, Squidoor implements sophisticated code obfuscation techniques (MITRE ATT&CK T1027), making it hard for traditional defensive systems to analyze and identify it.

Infection and persistence techniques


The attack begins with the compromise of Microsoft Internet Information Services (IIS) servers. The attackers exploit known vulnerabilities to gain initial access and then install obfuscated web shells that give them persistent access to the infected systems.

These web shells share similar decryption keys and a code structure that points to a common origin. The goal is to keep control of the infected machine, enabling remote command execution and exfiltration of sensitive data.

The Threat Intelligence connection map (see image) reveals several malicious IP addresses and domains associated with the campaign, including:

  • 104.244.72.123
  • update.hciiter.com
  • support.vmphere.com
  • microsoft-beta.com
  • zimbra-beta.info

These domains are used for C2 communications, letting the threat actors run control and management operations on the compromised devices.

Security implications and countermeasures


The use of Squidoor poses a significant threat to the affected organizations, both because of its ability to operate under the radar and because of the variety of attack vectors it employs. The malware’s ability to exploit legitimate protocols such as the Outlook API and DNS tunneling makes detection with traditional security tools difficult.

To protect against this threat, organizations must adopt a proactive approach that includes:

  • Updating and patching: ensure that systems, and IIS servers in particular, are always up to date with the latest security patches to reduce the available attack surface.
  • Traffic monitoring: deploy advanced monitoring solutions able to spot anomalies in network traffic, especially unconventional use of DNS and ICMP.
  • Email analysis: monitor the Outlook APIs to identify possible abuse by malware.
  • Threat Intelligence and Response: integrate Threat Intelligence tools to identify in advance the indicators of compromise (IoCs) associated with Squidoor and activate appropriate countermeasures.
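As an added example (not code from the Unit 42 report or from this article), here is a small detector that covers the DNS side of the two points above: it matches DNS query logs against the C2 indicators quoted in the article, and it flags DNS-tunneling-shaped traffic, meaning repeated queries with long, high-entropy leftmost labels toward a single domain. The log line format, the entropy and length thresholds, and the sample log (including the constructed domain example-tunnel.net) are assumptions; the ICMP channel is not covered here.

```python
"""
Added example, not Unit 42's or the article's code: a detector over DNS query
logs that checks for (1) the C2 indicators quoted in the article and
(2) DNS-tunneling-shaped queries (long, high-entropy leftmost labels repeated
toward one domain). The log line format, the thresholds and the sample log
(including example-tunnel.net) are constructed assumptions.
"""
import math
import re
from collections import defaultdict

# Indicators quoted in the article from the Unit 42 connection map.
IOC_DOMAINS = {"update.hciiter.com", "support.vmphere.com",
               "microsoft-beta.com", "zimbra-beta.info"}
IOC_IPS = {"104.244.72.123"}

# Constructed sample log in an assumed "<ts> <client> query <qname> -> <answer>" format.
# The three example-tunnel.net queries carry 32-character hex labels, the shape a
# tunnelled payload takes; the other lines are ordinary lookups.
SAMPLE_LOG = """\
2025-03-07T10:00:01 10.1.2.15 query www.example.com -> 203.0.113.10
2025-03-07T10:00:02 10.1.2.15 query update.hciiter.com -> 104.244.72.123
2025-03-07T10:00:03 10.1.2.40 query 0123456789abcdeffedcba9876543210.t.example-tunnel.net -> 203.0.113.99
2025-03-07T10:00:04 10.1.2.40 query 13579bdf02468ace02468ace13579bdf.t.example-tunnel.net -> 203.0.113.99
2025-03-07T10:00:05 10.1.2.40 query fedcba98765432100123456789abcdef.t.example-tunnel.net -> 203.0.113.99
2025-03-07T10:00:06 10.1.2.15 query mail.example.org -> 203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character; high values suggest encoded payload labels."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels; an assumption standing in for a public-suffix-list lookup."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(log_text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"ts": m.group(1), "client": m.group(2),
                            "qname": m.group(3).rstrip(".").lower(), "answer": m.group(4)})
    return records


def ioc_hits(records):
    """(client, qname, reason) for every query touching a listed domain or resolving to the listed IP."""
    hits = []
    suffixes = tuple("." + d for d in IOC_DOMAINS)
    for r in records:
        if r["qname"] in IOC_DOMAINS or r["qname"].endswith(suffixes):
            hits.append((r["client"], r["qname"], "known C2 domain"))
        elif r["answer"] in IOC_IPS:
            hits.append((r["client"], r["qname"], "resolves to known C2 IP"))
    return hits


def tunnel_suspects(records, min_label_len=24, min_entropy=3.5, min_queries=3):
    """{(client, domain): count} for clients sending repeated high-entropy labels to one domain."""
    counts = defaultdict(int)
    for r in records:
        first_label = r["qname"].split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            counts[(r["client"], registered_domain(r["qname"]))] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


def analyze(log_text):
    records = parse_dns_log(log_text)
    return {"ioc": ioc_hits(records), "tunnel": tunnel_suspects(records)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The entropy heuristic on its own produces false positives for CDN and anti-spam lookups that also use long random labels, so in practice it is paired with the per-client query count and with an allow-list of known services; the IoC match, by contrast, is exact and can be alerted on directly.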

The Squidoor attack demonstrates the evolution of APT threats and the need for advanced defenses to counter them. The adoption of legitimate protocols for malicious purposes, combined with the ability to operate on multiple platforms, underlines the importance of multi-layered security strategies.

Companies and government bodies must be aware of the risks and implement advanced security measures to prevent, detect and mitigate attacks like this one. Only an approach based on intelligence, continuous monitoring and constant updates makes it possible to counter sophisticated threats such as Squidoor and protect data and critical infrastructure.

Stay up to date on the latest cybersecurity threats by following Red Hot Cyber.

The article Squidoor: an analysis of the Chinese backdoor threatening organizations worldwide originally appeared on il blog della sicurezza informatica.


Akira ransomware: the new threat that uses webcams as entry points


Akira is one of the most recent ransomware threats able to bypass organizations’ traditional defensive tools. A recent case analyzed by the S-RM team showed how this group used an unprotected webcam to deploy its payload, evading the defenses of an EDR (Endpoint Detection and Response) system.

Attack chain

The initial modus operandi


The attack began with the compromise of the victim’s network through an internet-exposed remote access solution. After gaining access, Akira deployed AnyDesk.exe, a remote management tool, to keep control of the environment and proceed with data exfiltration.

In the advanced phase of the attack, the attackers used RDP (Remote Desktop Protocol) to move laterally within the network. They then tried to deploy the ransomware on a Windows server by sending a password-protected ZIP file containing the malicious executable. However, the organization’s EDR detected and blocked the threat before it could run.

The pivot to the webcam


Having realized that the EDR was hindering the spread of the ransomware, the attackers changed strategy. An analysis of the internal network revealed vulnerable IoT devices, including webcams and biometric scanners. In particular, one webcam was exposed with the following weaknesses:

  • Critical vulnerabilities allowing remote access and command execution.
  • A Linux-based operating system, compatible with Akira’s Linux ransomware variant.
  • No protection from the EDR or other security tools.

The attackers then used the compromised webcam as the entry point to deploy the ransomware across the victim’s network. The SMB (Server Message Block) traffic the device generated to transmit the payload went unnoticed, allowing Akira to successfully encrypt files on the company’s systems.

Lessons learned


The incident highlighted three crucial aspects of information security:

  1. Patch prioritization: patch management strategies often focus on business-critical systems, overlooking IoT devices that can become entry points for attackers.
  2. Attacker evolution: Akira has shown remarkable adaptability, moving from Rust implementations to C++ versions and supporting both Windows and Linux environments.
  3. EDR limitations: EDR is an essential tool, but its effectiveness depends on coverage, configuration and continuous monitoring. IoT devices are often not compatible with EDR, leaving them vulnerable to attack.


Security countermeasures


To mitigate similar threats, organizations should adopt the following measures:

  • Network segmentation: IoT devices should be isolated from servers and critical systems, restricting their connectivity to specific ports and IP addresses.
  • Internal network audits: regular checks of connected devices can identify vulnerabilities and unauthorized devices.
  • Patch and credential management: update device firmware regularly and replace default passwords with strong credentials.
  • Power off unused devices: if an IoT device is not needed, it should be switched off to reduce the attack surface.
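The following is an added example, not S-RM’s or this article’s own code: a small inventory audit that looks for the combination the case above describes, namely a device with no EDR coverage that can still open SMB connections toward the server segment, and that also reports the other countermeasure gaps listed (default credentials, an IoT device sitting outside its own segment). The device inventory, the segment names and the firewall flow table are constructed assumptions, and the flow table is assumed to be a complete allow-list (anything not listed is denied).

```python
"""
Added example (not S-RM's or the article's code): an inventory audit for the
Akira pattern, an unmonitored IoT device with an SMB path to the servers.
The inventory, segment names and the allow-list of flows are constructed
assumptions; "servers" is the segment the ransomware payload was pushed to.
"""
SMB_PORT = 445
SERVER_SEGMENT = "servers"

# Constructed inventory: one record per device found by an internal network audit.
DEVICES = [
    {"name": "fileserver-01", "ip": "10.0.10.5", "segment": "servers",
     "kind": "windows-server", "edr": True, "default_creds": False},
    {"name": "lobby-webcam", "ip": "10.0.20.17", "segment": "office",
     "kind": "iot-camera", "edr": False, "default_creds": True},
    {"name": "door-fingerprint", "ip": "10.0.40.3", "segment": "iot",
     "kind": "iot-biometric", "edr": False, "default_creds": False},
    {"name": "hr-laptop", "ip": "10.0.20.31", "segment": "office",
     "kind": "workstation", "edr": True, "default_creds": False},
]

# Constructed allow-list of (source segment, destination segment, TCP port).
# Assumption: the firewall denies every inter-segment flow not listed here.
ALLOWED_FLOWS = {
    ("office", "servers", 445),
    ("office", "servers", 443),
    ("iot", "servers", 443),
}


def can_reach(src_segment, dst_segment, port, flows=ALLOWED_FLOWS):
    """Traffic inside a segment is unrestricted; across segments only listed flows pass."""
    return src_segment == dst_segment or (src_segment, dst_segment, port) in flows


def audit_device(device, flows=ALLOWED_FLOWS):
    """List the countermeasure gaps for one device, in a fixed order."""
    issues = []
    if not device["edr"]:
        issues.append("no EDR coverage")
    if device["default_creds"]:
        issues.append("default credentials")
    if device["kind"].startswith("iot-") and device["segment"] != "iot":
        issues.append("IoT device outside the iot segment")
    if device["segment"] != SERVER_SEGMENT and can_reach(
            device["segment"], SERVER_SEGMENT, SMB_PORT, flows):
        issues.append("can reach servers over SMB/445")
    return issues


def unmonitored_smb_sources(devices=DEVICES, flows=ALLOWED_FLOWS):
    """Names of devices matching the Akira pattern: no EDR plus an SMB path to servers."""
    return [d["name"] for d in devices
            if not d["edr"] and d["segment"] != SERVER_SEGMENT
            and can_reach(d["segment"], SERVER_SEGMENT, SMB_PORT, flows)]


def audit(devices=DEVICES, flows=ALLOWED_FLOWS):
    """Map device name -> issues, omitting devices with nothing to report."""
    report = {}
    for d in devices:
        issues = audit_device(d, flows)
        if issues:
            report[d["name"]] = issues
    return report


if __name__ == "__main__":
    for name, issues in audit().items():
        print(f"{name}: {', '.join(issues)}")
    print("Akira-pattern devices:", unmonitored_smb_sources())
```

Moving the webcam into the iot segment (where the allow-list grants only 443 toward the servers) and changing its credentials removes three of its four findings; the remaining one, the lack of EDR coverage, is exactly the gap the article says segmentation has to compensate for on devices that cannot run an agent.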


Conclusions


The Akira case shows how threat actors can bypass traditional security measures by exploiting often-overlooked weak points such as IoT devices. A sound security strategy that includes network segmentation, continuous monitoring and constant updates is essential to reduce the risk of attacks of this kind.

The article Akira ransomware: the new threat that uses webcams as entry points originally appeared on il blog della sicurezza informatica.


This Week in Security: Zen Jailbreak, Telegram Exploit, and VMware Hyperjack


The fine researchers at Google have released the juicy details on EntrySign, the AMD Zen microcode issue we first covered about a month ago. And to give away the punchline: cryptography is hard. It’s hard in lots of ways, but the AMD problem here is all about keeping track of the guarantees provided by cryptographic primitives.

The vulnerability is in the verification of microcode updates for AMD’s Zen processor family. To understand microcode, you have to understand that X86-64 processors are actually built out of proprietary Reduced Instruction Set Computer (RISC) cores, which then emulate the more complex X86-64 Complex Instruction Set Computer (CISC) architecture. Microcode is the firmware that controls that emulation step. For the security guarantees of modern computing, it’s rather important that CPUs only run signed microcode from the CPU’s vendor. AMD has a pretty straightforward system to sign and then verify microcode patches.

Each patch includes a 2048-bit RSA public key and signature, verifying that the microcode was actually signed by the holder of the corresponding private key. The CPU hashes that public key, and compares it to a 128-bit value that was burned into the CPU at manufacture time. The intent is that if the hash matches, the public key must be the same. The problem was the hashing algorithm used for this step.

For this scheme to work, it would need a collision resistant cryptographic hashing function. The security of the scheme relies on the idea that it’s effectively impossible to find another public key that results in the same hash output. Finding a collision on that output value completely breaks the scheme.

AMD chose the AES Cipher Message Authentication Code (AES-CMAC) hash algorithm. AES-CMAC takes a message and key, and generates a Message Authentication Code (MAC). That MAC can then be used to verify that the message has not been tampered with. It can be thought of as a keyed hash with conditional collision resistance. But most importantly, if the secret key is known, none of those guarantees are valid. If the key is known, AES-CMAC fails to provide effective collision resistance in its output. And of course, the specific AES-CMAC key used in AMD Zen processors could be extracted, and turned out to be a NIST example key. To be clear, there is nothing wrong with AES-CMAC itself, it’s just the wrong algorithm for this use.

There’s one more clever trick that was needed to pull this together. The AES-CMAC collision only generates a public RSA key. How would an attacker take this arbitrary public key and produce the private key needed to sign these microcode updates? Isn’t one of the primary guarantees of RSA itself, that the private key can’t be derived from the public key? Only if the keypair is actually based on large prime numbers. After generating a few of these candidate public keys, one was discovered that was relatively easy to factor, as it was the product of more than just two primes. AMD’s fix replaces this hashing function with an appropriate cryptographic hash, preventing any microcode tampering.
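To make the last step concrete, here is an added example (not AMD’s or Google’s code) of the sanity check that an RSA key acceptance routine would run on a candidate modulus: trial division for small factors, followed by a budgeted Pollard’s rho, with the verdict based on how many prime factors fall out. A modulus that is the product of more than two primes, as in the case described above, is exposed immediately; a genuine two-large-prime modulus of real size exhausts the budget and comes back as “no weakness found”. The moduli in the test are constructed toy values built from well-known primes so that the check runs in well under a second; the trial-division bound and the rho iteration budget are assumptions.

```python
"""
Added example, not AMD's or Google's code: an acceptance check for an RSA
public modulus of the kind the write-up describes, one that is easy to factor
because it is a product of more than two primes. Toy-sized moduli built from
known primes are used so the check runs quickly; on a real 2048-bit key the
budget runs out and the verdict is "no-weakness-found", which is the
expected outcome for a sound key.
"""
import math

TRIAL_BOUND = 1 << 16        # assumption: trial-divide by everything below 65536
RHO_ITERATIONS = 200_000     # assumption: per-constant iteration budget for rho


def is_probable_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases, probabilistic above."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def pollard_rho(n):
    """Return a non-trivial factor of composite n, or None if the budget runs out."""
    if n % 2 == 0:
        return 2
    for c in range(1, 20):          # retry with a different polynomial constant on failure
        x = y = 2
        d = 1
        for _ in range(RHO_ITERATIONS):
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            if d != 1:
                break
        if 1 < d < n:
            return d
    return None


def factorize(n):
    """Return (sorted prime factors found, residual); residual is 1 when fully factored."""
    primes, residual, pending = [], 1, []
    for p in range(2, TRIAL_BOUND):
        if p * p > n:
            break
        while n % p == 0:
            primes.append(p)
            n //= p
    if n > 1:
        pending.append(n)
    while pending:
        m = pending.pop()
        if is_probable_prime(m):
            primes.append(m)
            continue
        d = pollard_rho(m)
        if d is None:
            residual *= m           # composite we could not split within budget
        else:
            pending.extend((d, m // d))
    return sorted(primes), residual


def classify_modulus(n):
    """Verdict an acceptance check would emit for a candidate RSA modulus."""
    primes, residual = factorize(n)
    if residual == 1 and len(primes) == 2:
        verdict = "two-prime"
    elif residual == 1:
        verdict = "weak-multiprime"     # fully factored into != 2 primes: key is broken
    elif primes:
        verdict = "weak-partial"        # some factor found: key is already broken
    else:
        verdict = "no-weakness-found"
    return {"factors": primes, "residual": residual, "verdict": verdict}


if __name__ == "__main__":
    print(classify_modulus(1000000007 * 1000000009))
    print(classify_modulus(65537 * 104729 * 1000000007))
```

The check is the mirror image of the attack path the article describes: the attacker only needed one hash-colliding candidate whose modulus happened to be smooth, and a verifier that refuses keys with small or multiple factors would have rejected exactly that candidate. It is no substitute for a collision-resistant hash over the key, which is what AMD’s fix restores.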

Telegram and EvilLoader


The Telegram app has a weird problem deciding what to do with a .htm file sent as a video using the Telegram API. Telegram tries to treat it as a video, and offers to open an external program to play the video. Because it’s actually HTML content, the “video” is opened in the browser, potentially running malicious JavaScript in that context.

This can be further used to trick an unsuspecting user into downloading a fake video player APK, to try to play this video, potentially leading to device compromise. This vulnerability is still unpatched as of time of writing, but has been widely known in the expected places. It may not be a 0-click RCE, but this one still has the potential for misuse.

More Info on The Heist


Last week we told you about the biggest heist in history, with Bybit getting hacked for cryptocurrency worth $1.5 billion. We know a bit more now, as the Bybit CEO has published the preliminary security report. The short story is that the North Korean Lazarus Group compromised a Safe{Wallet} developer workstation and gained access to an AWS or CloudFront API key. This was used to serve malicious JavaScript to Bybit, and that JavaScript disguised a malicious transaction, leading to the loss.

In retrospect there’s a glaring security problem with the Safe{Wallet} system that Bybit used: The reliance on JavaScript served from an outside server. It should take more than simple access to an AWS account to pull off a $1.5 billion heist.

Hyperjack


What happens when a process in a Virtual Machine (VM) can escape the virtual environment and take over the hypervisor? Nothing good. It’s known as hyperjacking, and VMware has a trio of vulnerabilities that make it possible, across every version of ESXi, Workstation, Fusion, and Telco platforms: everything containing the ESX hypervisor.

And VMware says the vulnerabilities are being used in-the-wild. Patches are available, and this seems like a definite hair on fire scenario for anyone that may have untrusted tenants on VMware powered VMs.

Bits and Bytes


Have you ever wondered if a Stingray was operating in your area? That’s the cell tower simulator used to capture and analyze cell traffic, potentially breaking cell phone call encryption. EFF has released Rayhunter, an open source tool that captures cellular traffic and tries to detect Stingray-style traffic manipulation. The best part is that it runs on the Orbic RC400L mobile hotspot, a $20 piece of hardware.

How long does it take for your infrastructure to be probed after accidentally posting an AWS key online? As little as 10 hours, according to tests done by Clutch Security. Some forums are a bit friendlier, with Reddit users pointing out the leaked key and the post eventually getting deleted for the same reason.

And finally we have the four horsemen of WordPress Backdoors. About a thousand WordPress sites were infected with a JavaScript file, and this campaign spared no expense with adding backdoors to the sites. The infection added a malicious plugin, code into wp-config.php, new SSH keys, and what looks like a reverse shell. Somebody really wants to maintain access to those WordPress sites.


hackaday.com/2025/03/07/this-w…


The Long Goodbye: More Instruments Shut Down on the Voyagers as End Nears


Saying farewell is hard, and in the case of the Voyager 1 & 2 spacecraft doubly so, seeing as how they have been with us for more than 47 years. From the highs of the 1970s and 1980s during their primary mission in our Solar System, to their journey into the unknown of Deep Space, every bit of information which their instruments record and send back is something unique that we could not obtain any other way. Yet with the shutting down of two more instruments, both spacecraft are now getting awfully close to the end of their extended missions.

Last February 25 the cosmic ray system (CRS) on Voyager 1 was disabled, with the Low Energy Charged Particle Instrument (LECP) on Voyager 2 to follow on March 24. With each spacecraft losing about 4 watts of available power per year from their RTGs, the next few instruments to be turned off are already known. Voyager 1’s LECP will be turned off next year, with that same year Voyager 2’s CRS also getting disabled.

This would leave both spacecraft with only their magnetometer (MAG) and plasma wave subsystem (PWS). These provide data on the local magnetic field and electron density, respectively, with at least one of these instruments on each spacecraft likely to remain active until the end of this decade, possibly into the next. With some luck both spacecraft will see their 50th birthday before humanity’s only presence in Deep Space falls silent.

Thanks to [Mark Stevens] for the tip.


hackaday.com/2025/03/07/the-lo…


Open Safety In The Auto Business: Renault Shares Its Battery Fire Suppression Tech


As consumers worldwide slowly make the switch from internal combustion vehicles to lower-carbon equivalents, a few concerns have appeared about electric vehicles. Range anxiety is ebbing away as batteries become bigger and chargers become more frequent, but a few well-publicized incidents have raised worries over fire safety.

Lithium-ion batteries can ignite in the wrong circumstances, and when they do so they are extremely difficult to extinguish. Renault has a solution, and in a rare moment for the car industry, they are sharing it freely for all manufacturers to use.

The innovation in question is their Fireman Access Port, a standardized means for a fire crew to connect up their hoses directly to the battery pack and attack the fire at its source. An opening is covered by an adhesive disk designed to protect the cells, but breaks under a jet of high-pressure water. Thermal runaway can then be halted much more easily.

The licensing terms not only allow use of the access port itself, but also require any enhancements be shared with the rest of the community of automakers using the system. This was the part which caught our interest, because even if it doesn’t come from the same place as the licences we’re used to, it sounds a lot like open source to us.

Oddly, this is not the first time Renault has open-sourced its technology: in the past it has shared an entire car.


hackaday.com/2025/03/07/open-s…


A New Dark Actor Enters the Criminal Underground. Discovering Skira ransomware


During the reconnaissance of the underground and of criminal groups carried out by Red Hot Cyber’s DarkLab threat intelligence laboratory, we came across the Data Leak Site of a cyber gang never monitored before: Skira.

Ransomware groups generally operate according to the logic of “double extortion”: after gaining unauthorized access to an organization’s IT systems, they encrypt the data and at the same time steal a copy of it. If the victim does not pay the ransom, the cybercriminals threaten both to leave the systems inaccessible and to publish the exfiltrated data.

Skira fits into this picture as a new emerging group that, like many of its “colleagues” (e.g. LockBit, BlackCat/ALPHV, etc.), has its own Tor site where it claims attacks and displays its list of victims.

In the Scandinavian languages, “skir” (or very similar forms, such as Icelandic “skír” or Old Norse “skírr”) generally means “pure”, “transparent” or “clear”. In modern Swedish, for example, the adjective “skir” is used for something “thin”, “delicate” or “transparent”. These Germanic roots may therefore have inspired the name “Skira”, although there is no firm confirmation that the ransomware group drew on this etymology.

DLS structure


The homepage of Skira’s Data Leak Site (DLS), accessible only via the Tor network, is extremely bare. The interface consists of a few text elements: a welcome message, a link to a section called Hacking News (dedicated to victims) and instructions for contacting the group via Session. The absence of elaborate graphics and the spartan layout suggest a deliberate focus on content, providing only the information strictly needed to negotiate a payment or to show off the stolen data.

  • A homepage with a welcome message, a link named Hacking News (leading to the “victim blog”) and instructions for contacting them via Session.
  • A page dedicated to victims (the Hacking News section) listing several targeted organizations: companies and even a government body of a Turkish city.

Contact methods


  • Besides the traditional “payment portal” that is sometimes integrated (and not always shown publicly), Skira encourages the use of Session to negotiate the ransom payment.

Skira’s “Hacking News” page lists the names of:

  • Real estate companies (India).
  • Consumer goods manufacturers (India).
  • Regulatory consulting firms (USA).
  • A government office of a municipality in Turkey.

The list suggests that Skira may target heterogeneous organizations with no particular sector preference, going instead after organizations with an insufficient security level or targets considered able to pay a ransom to avoid the exposure of sensitive data.

Conclusions


The Skira group represents a new ransomware threat, clearly oriented toward the “double extortion” model, complete with a Data Leak Site on the Tor network. Although technical information about their ransomware payload is still scarce at the moment, the presence of a list of real victims, the potential ransom demands and the use of a secure communication channel (Session) show that the group is determined to operate in a structured way.

As with other ransomware campaigns, prevention and timely detection are essential to limit the damage. Adopting good security practices, continuous infrastructure monitoring and well-defined incident response procedures remain the pillars for reducing the risk of similar attacks.

The article A New Dark Actor Enters the Criminal Underground. Discovering Skira ransomware originally appeared on il blog della sicurezza informatica.


The Third RHC Capture The Flag (CTF) Is Ready! AI, 4G Networks and Nation States. Are you ready?


Red Hot Cyber, as every year within the RHC Conference, will host the new Capture The Flag created in collaboration with CyberSecurityUP, Hackmageddon and Fondazione Bruno Kessler. It is the arena of Hybrid Cyber Warfare, where only the most astute and determined ethical hackers will manage to emerge.

This time the challenge will be more realistic and engaging than ever.

You will be inside a military operation orchestrated by a hostile state against the state of MINZHONG, a quiet eastern republic whose prosperity is based on trade in food and agricultural goods. Your operation will begin with a simple phrase: Supply Chain.

Your objective: as usual, take control of everything, one piece at a time!

The Supply Chain: the most feared scenario in today’s cybersecurity


Yes, you read that right: this time the protagonist is the much-discussed supply chain attack, built in collaboration with CyberSecurityUP. In today’s landscape this technique is one of the most insidious threats to large companies. Attackers do not strike the main target directly but exploit suppliers and partners connected to the network to gain a first foothold. From there, using pivoting and lateral movement techniques, they can progressively infiltrate critical infrastructure, evading security controls and widening the attack’s reach.

It all starts with an apparently marginal access point: a third party, a small supplier, perhaps an IT support company or a logistics partner, connected to the target’s network. A human error, a misconfiguration or an exposed credential is enough to give attackers the foothold they need. From that moment, the goal is not only to maintain persistence but to explore the internal network, understand how the infrastructure is structured and identify sensitive assets to compromise.

The real game begins when it’s time to act: privilege escalation, the use of encrypted tunnels to avoid detection, movement between government systems and critical services. Attackers move silently, exploiting trusted connections to propagate without raising suspicion. The supply chain thus becomes the Achilles’ heel of organizations, showing how a single external vulnerability can compromise an entire infrastructure.

The objectives of Capture The Flag 2025


As every year, the capture the flag infrastructure is built entirely by Red Hot Cyber and its technology partners. This year the strategic objectives of this new capture the flag will be the following:

  • Supply Chain: breach the third-party supplier guilty of a poor cyber posture
  • Government sites: breach the official portals and ministerial systems.
  • Critical infrastructure: breach the 4G telephone network, the bank, the water network, the hospital and more.
  • Social Engineering: craft emails and carry out Spear Phishing to convince the CEO of the energy company to hand over intelligence data

Every flag captured will be one more step toward victory.

But not everything can be done online


The challenge gets even more real in front of the national telephone operator, a 4G mobile radio network that we will deploy at the Teatro Italia and that will have to be breached to capture physical flags. But it won’t just be a game of code and exploits. To take physical flags you will also have to breach cameras, telephone networks and padlocks, defuse bombs and exploit weaknesses in physical security.

  • Location for standard cyber operations: Online
  • Location for proximity cyber operations: Teatro Italia (Second Floor)



This year the physical scenarios will differ from previous editions, offering new challenges and never-before-seen settings. For this edition we are working on a series of exclusive tests designed to put participants’ skills to the test in a realistic, immersive context.

All the challenges will be available exclusively at the Teatro Italia, which, unlike last year, will make available not only the third balcony but the entire second-floor hall for the whole duration of the Capture The Flag. This will guarantee larger spaces than last edition and an even more engaging game experience. Some of the proximity challenges will be:

  • Defuse the bomb
  • Breach the 4G network
  • Three meters above the sky
  • Access the state bank


L’operatore radiomobile 4G di MINZHONG


All’interno degli scenari fisici, quest’anno porteremo una vera rete radiomobile 4G, offrendo un ambiente realistico e avanzato per test di sicurezza sulle telecomunicazioni. I partecipanti avranno l’opportunità di interagire con una infrastruttura di rete, mettendo alla prova le proprie competenze nell’analisi e nell’attacco di sistemi di telecomunicazione in un contesto controllato e altamente tecnico.

L’accesso all’IMS di fonia e a internet sarà una componente chiave di questa esperienza, permettendo ai partecipanti di sperimentare in prima persona le vulnerabilità e le criticità delle reti mobili. L’obiettivo è quello di esplorare i potenziali punti deboli delle reti LTE, comprendere i meccanismi di autenticazione e propagazione del segnale, e individuare eventuali falle di sicurezza che potrebbero essere sfruttate da un attaccante reale.

Porteremo una rete 4G dedicata, fornendo ai partecipanti delle apposite SIM per connettersi al nostro operatore e testare direttamente la sicurezza della rete. Durante la challenge, sarà possibile raccogliere le flag violando la Radio Access Network (RAN) e propagarsi verso la core network e gli elementi di rete. Questo scenario offrirà un’esperienza unica e immersiva, con la possibilità di mettere in pratica tecniche avanzate di attacco e difesa in un ambiente realistico.

Nota Bene: L’irradiazione della rete radiomobile avverrà in prossimità, con un raggio indicativo di circa 7/10 metri, garantendo un’area di sperimentazione sicura e controllata.

Intelligenza artificiale e phishing


During the competition you will also need to sharpen your social engineering skills. An exploit or a vulnerability is not always necessary; sometimes it is enough to convince someone to click on the wrong link. You will in fact have the opportunity to hack a national energy supplier through genuine phishing campaigns aimed at stealing sensitive data used in the conduct of state operations.

Unlike the other challenges, you will not be relying on vulnerabilities or misconfigurations; instead you will be asked to gather information and clues in order to craft convincing emails. The emails may contain questions, links or malicious attachments, but the final result will depend on your ability to make the message believable. To recover all the flags hidden in the infrastructure, you will also need to interpret the information obtained from the various employees, each with their own personality and their own company devices.

This part will be run by an automated system based on generative Artificial Intelligence, developed by the Center for Cybersecurity of the Fondazione Bruno Kessler (FBK) in Trento in collaboration with the University of Trento. The AI is not limited to replying to the emails it receives; it handles the entire interaction with the content of the messages. All parts of the infrastructure will be created and managed through Infrastructure as Code (IaC). The system will be made available on a public domain, so that both the teams physically present at the Teatro Italia and remote teams can take part. Data collected during the CTF will be used in aggregated and anonymous form for research purposes.

Note: for the duration of the competition a VPN will be made available so that personal devices can be used as “malicious servers”; each team will have a single user account for authentication.

The solution was tested jointly by the Fondazione Bruno Kessler (FBK) in Trento and the HackerHood team of Red Hot Cyber.

Capture The Flag registration


The CTF will begin with check-in at the Teatro Italia at 15:00 on 8 May and will end at approximately 17:00 on 9 May. This year the «Physical Flags» will be available at the Teatro Italia on both days.

All participants must register at redhotcyber.com/ctf.redhotcybe… (not yet available at the time of writing); to enter the Teatro Italia for the physical flags, they must also register for the 8 May event on Eventbrite: rhc-conference-2025-workshop.e…. The programme of the event, hosted within the Red Hot Cyber Conference 2025, is as follows:

  • Thursday 8 May, 15:00: for «physical flag» participants, check-in at the Teatro Italia (Eventbrite registration required)
  • Thursday 8 May, 15:20: check-in at the Capture The Flag room on the second floor, on the right as you enter (CTFd registration required)
  • Thursday 8 May, 15:30: start of the CTF
  • Thursday 8 May, 15:30: start of the «physical flags», in collaboration with CyberSecurityUp and Hackmageddon.world
  • Friday 9 May, 17:00: close of the Capture The Flag

The event organisers will welcome the teams and provide information and technical and organisational support. A Discord chat, linked from the CTF site, will also be available from the start of the competition for talking to the organisers.

On-site and online support will be active from 15:30 to 20:00 on 9 May and from 10:00 to 17:00 on 9 May.

What to bring for the physical flags


Participants coming to the Teatro Italia are advised to bring:

  • laptop and power cable (including adapters if needed);
  • power strip;
  • 5-metre extension cord;
  • smartphone connected to the internet;
  • Bluetooth dongle (if not supported by the laptop);
  • Wi-Fi dongle (if not supported by the laptop);
  • NFC device;
  • SDR, RX mode only;
  • rooted 4G smartphone with VoLTE support (LineageOS recommended).

Participants are free to use any software or equipment of their choice (for example disassemblers, Kali, virtual machines, SD cards, Proxmark, etc.) as long as they do not damage the targets, the infrastructure or other participants (see the Code of Conduct section).

The Rules


For further information, please read the Capture The Flag rules, which you can find at this online address.

Happy hunting, everyone!

The article “RHC's Third Capture The Flag (CTF) Is Ready! AI, 4G Networks and Nation States. Are You Ready?” comes from il blog della sicurezza informatica.


Which Italian Company Will Be Breached? Corporate VPN and Firewall Access for Sale in the Underground


On BreachForum, a user going by the handle BoZar45 is offering, in a post published on 6 March 2025, VPN and administrative firewall access to companies, government bodies and military organisations. Prices range from 100 to 1,000 dollars; what sets the price is the geolocation and the type of access being bought.

The screenshot published in the post clearly refers to a Fortinet 600D firewall.

Companies on alert


Unauthorised access to corporate firewalls and VPNs is a critical threat to information security, because it lets attackers bypass perimeter protection and reach an organisation's internal resources directly. A compromised VPN can allow cybercriminals to move laterally within the network, exfiltrate sensitive data, deploy malware or launch ransomware attacks without being easily detected. In the case of a compromised firewall, an attacker with administrative privileges can disable security rules, redirect traffic or create persistent backdoors to guarantee continued access to the target network.

This kind of access is often sold by Initial Access Brokers (IABs), key figures in the cybercrime ecosystem. IABs are hackers who specialise in finding and selling entry points into corporate networks, exploiting vulnerabilities, compromised credentials or zero-day exploits. In many cases their customers are ransomware groups, which use the access to deploy their malware inside the victims' infrastructure. This business model creates a clear separation between those who breach the networks and those who carry out the final attacks, making attribution and disruption of the malicious activity even harder.

Is this first-hand information?


Could the access data on sale be a subset of other lists recently offered for free, again on BreachForum? A job of verification, cataloguing and sorting by country? The doubt arises naturally when reconstructing some posts that appeared on BreachForum in recent months, in particular:

  • 26 February 2025: a user with the handle JohnFury published a post titled “Black Basta – Leaked Access”. The file “stolen” from BlackBasta contains hundreds of logins for VPN portals, many of them hosted on Fortinet firewalls.
  • 14 January 2025: BelsenGroup gave away an archive containing 15,000 Fortinet firewall configurations and VPN logins with their passwords.



Another possible scenario is a fresh collection of access obtained by scanning the internet for unpatched targets vulnerable to the recent CVEs acknowledged and documented by Fortinet.

In conclusion, it is important to understand the role played by IABs (Initial Access Brokers) in the underground landscape: they open the doors for hacker groups that then exploit this access to carry out larger and potentially devastating attacks.

The article “Which Italian Company Will Be Breached? Corporate VPN and Firewall Access for Sale in the Underground” comes from il blog della sicurezza informatica.


Possible breach at the Ministry of Foreign Affairs of Ukraine: the Qilin Ransomware group claims the attack


The Qilin Ransomware group claims to have compromised the systems of the Ministry of Foreign Affairs of Ukraine, stealing private correspondence, personal information and official decrees. According to the attackers, part of this data has already been sold to third parties.

At present it is not possible to confirm the truth of these claims, since the organisation has not yet published any official press release about the incident on its website. What is reported in this article must therefore be treated purely as intelligence.

Details of the alleged breach


  • Private correspondence: may include confidential emails and internal communication documents.
  • Personal information: contact details and sensitive information about staff or other parties involved.
  • Official decrees: government documents that may be classified or of strategic relevance.

Status of the investigation

  • The absence of an official press release makes it impossible to confirm or deny the news.
  • The Qilin Ransomware group claims to have already monetised part of the information obtained by selling it to third parties.
  • No evidence has been published to prove the sale or the actual content of the stolen data.


Conclusions


At present, the alleged breach claimed by the Qilin Ransomware group remains unconfirmed by institutional sources. However, the potential seriousness of the matter, given the strategic nature of the data said to have been stolen, calls for a careful assessment of the risks and countermeasures by the competent authorities.

RHC will continue to monitor the situation and will publish any further updates should significant information emerge. We invite anyone with relevant details to contact us through the whistleblower's encrypted email, which allows you to remain anonymous.

The article “Possible breach at the Ministry of Foreign Affairs of Ukraine: the Qilin Ransomware group claims the attack” comes from il blog della sicurezza informatica.


Detailed analysis of the “Fast Propagating Fake Captcha” attack and the distribution of LummaStealer


In recent years the cyber threat landscape has changed radically, partly because of the evolution of attack techniques and the growing availability of malware sold as Malware-as-a-Service (MaaS). One of the most recent examples of this trend is LummaStealer, a malware designed to steal sensitive information from compromised endpoints, in particular credentials stored in browsers and cryptocurrency wallets.

Between October 2024 and February 2025, LummaStealer was distributed through an ingenious ruse built on fake CAPTCHA verification pages, which induced victims to perform the actions that led to the infection of their systems. This article analyses in detail how the attack works, the structure of the threat and the measures to mitigate its impact.

The attack vector: fake CAPTCHA pages


The attack targeted users browsing websites that were infected or compromised by malvertising (malicious advertising) campaigns. The strategy exploits a well-established habit: people are used to solving CAPTCHAs to prove they are not bots, which makes this technique particularly effective.

Attack phases:


  1. Exposure of the victim
    • The user visits a compromised website or is redirected by malicious advertising to a fake page that asks for a CAPTCHA verification.
    • The site may have been tampered with through a watering-hole attack or through malicious ads served via advertising networks.


  2. Building trust
    • The page looks entirely legitimate: it uses the same graphic style and behaviour as a real CAPTCHA.
    • The user, trusting the request, interacts with the CAPTCHA without suspecting anything.


  3. Execution of the malicious script
    • Once the CAPTCHA is completed, an obfuscated script runs in the background and starts the download of a malicious payload.
    • The script may use evasion techniques to avoid detection by antivirus and EDR (Endpoint Detection and Response) systems.


  4. Download and installation of LummaStealer
    • The downloaded payload installs LummaStealer, often without requiring any direct user interaction.
    • The malware settles into the system, using persistence mechanisms to stay active even after a reboot.


  5. Exfiltration of sensitive data
    • LummaStealer starts stealing information saved in the browser, including passwords, session cookies, credit card data and login credentials for online services.
    • Cryptocurrency management applications are also targeted, compromising digital wallets and enabling the theft of financial assets.


  6. Connection to the C2 server and monetisation
    • The collected data is sent to a command and control (C2) server, where the attackers can analyse it and resell it on the dark web or use it directly for fraud and unauthorised access.



Indicators of compromise (IoCs) and threat infrastructure


The attack was tracked through a series of malicious domains, used both to distribute the malware and to exfiltrate data:

  • h3.errantrefrainundocked.shop
  • googlesearchings.art
  • amazon-ny-gifts.com
  • writerspzm.shop
  • celebratioopz.shop
  • futureddospzmvq.shop
  • dealersopfosu.shop
  • complaintspzzx.shop
  • languageedscie.shop

Thanks to Infoblox's DNS Early Detection monitoring, these domains were identified on average 46.8 days before they were publicly reported, allowing many infections to be blocked before they happened.

Impact of Stealers: why are they such a serious threat?


Malware in the Stealer category is among the most insidious threats, because it steals information silently and selectively, with devastating impact:

  • Compromise of sensitive accounts, including corporate, banking and administrative ones.
  • Digital identity theft and fraudulent use of the stolen credentials.
  • Exfiltration of cryptocurrency, with direct financial losses for the victims.
  • Use of session cookies to bypass authentication and gain access to services without needing a password.


MITRE ATT&CK techniques used


The LummaStealer attack uses several techniques from the MITRE ATT&CK framework, including:

  • T1078 – Use of compromised credentials
  • T1566 – Phishing
  • T1204 – User execution through deception
  • T1027 – Code obfuscation to evade controls
  • T1134 – Privilege escalation through token manipulation
  • T1059 – Remote command execution through malicious scripts
  • T1102 – C2 communication through advertising infrastructure


How to protect against this threat


Dealing with Stealers such as LummaStealer requires a multi-layered approach combining prevention, detection and rapid response.

Mitigation strategies:


  1. DNS monitoring: adopt solutions that detect and block malicious domains at an early stage.
  2. Education and awareness: train users to recognise suspicious CAPTCHAs and fake sites.
  3. Threat Intelligence: integrate Indicators of Compromise (IoCs) into SIEM/SOC systems to prevent infections.
  4. Multi-factor authentication (MFA): to mitigate the risk arising from credential theft.
  5. Block unnecessary scripts: limiting the execution of obfuscated scripts can reduce the attack's effectiveness.
  6. Monitoring of crypto transactions: implement alerts for suspicious activity in digital wallets.
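
As an added example, not taken from the article or from the Infoblox report, the following Python script puts the IoC list above to work in the way mitigation points 1 and 3 describe: it matches DNS query logs against the nine domains (label by label, so subdomains of an IoC hit but look-alike names containing an IoC as a substring do not), lists the internal hosts that resolved one of them for endpoint triage, and emits Response Policy Zone records that a recursive resolver can use to NXDOMAIN those names. The dnsmasq-style log format, the timestamps and the client addresses in the sample are constructed for the example.

```python
"""Added example: match DNS query logs against the fake-CAPTCHA / LummaStealer
IoC domains and emit an RPZ-style blocklist for a recursive resolver."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Domains exactly as listed in the article (from the Infoblox report).
IOC_DOMAINS = frozenset({
    "h3.errantrefrainundocked.shop",
    "googlesearchings.art",
    "amazon-ny-gifts.com",
    "writerspzm.shop",
    "celebratioopz.shop",
    "futureddospzmvq.shop",
    "dealersopfosu.shop",
    "complaintspzzx.shop",
    "languageedscie.shop",
})

# Constructed sample log in a dnsmasq-style "query[TYPE] name from client"
# format; timestamps and client addresses are invented for the example.
SAMPLE_LOG = """\
Mar  6 10:02:11 dnsmasq[1234]: query[A] www.example.org from 10.0.0.15
Mar  6 10:02:13 dnsmasq[1234]: query[A] googlesearchings.art from 10.0.0.15
Mar  6 10:02:14 dnsmasq[1234]: query[A] cdn.writerspzm.shop from 10.0.0.22
Mar  6 10:02:15 dnsmasq[1234]: query[AAAA] notgooglesearchings.art from 10.0.0.22
Mar  6 10:02:16 dnsmasq[1234]: query[A] H3.ErrantRefrainUndocked.shop. from 10.0.0.31
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


@dataclass(frozen=True)
class Hit:
    client: str
    qname: str
    ioc: str


def normalise(name: str) -> str:
    """Lower-case a query name and strip the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def ioc_match(qname: str) -> str | None:
    """Return the IoC that qname equals or is a subdomain of, else None.

    Matching label by label rather than by substring means that
    cdn.writerspzm.shop hits while notgooglesearchings.art does not.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_log(text: str) -> list[Hit]:
    """Return one Hit per log line whose query name matches an IoC."""
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        ioc = ioc_match(m["qname"])
        if ioc is not None:
            hits.append(Hit(m["client"], m["qname"], ioc))
    return hits


def clients_to_triage(text: str) -> set[str]:
    """Hosts that resolved an IoC: candidates for endpoint triage."""
    return {h.client for h in scan_log(text)}


def rpz_records() -> list[str]:
    """RPZ records returning NXDOMAIN (CNAME .) for each IoC and its subdomains."""
    out: list[str] = []
    for domain in sorted(IOC_DOMAINS):
        out.append(f"{domain} CNAME .")
        out.append(f"*.{domain} CNAME .")
    return out


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.client} queried {hit.qname} -> IoC {hit.ioc}")
    print("\n".join(rpz_records()))
```

Run against the sample, the scan reports three hits (the exact IoC, a subdomain of one, and a mixed-case name with a trailing dot) and ignores the look-alike name, giving three hosts to triage; the RPZ output can be loaded into any resolver that supports response policy zones.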

The Fake CAPTCHA – LummaStealer attack is a concrete example of how cybercriminals constantly innovate their tactics to deceive users and bypass traditional defences. The combination of social engineering, malicious adtech and automation makes these attacks particularly hard to counter.

Adopting advanced threat intelligence tools and collaboration among cybersecurity companies are essential to stop these threats before they cause significant damage.

For further details, see the full report on the Infoblox Blog.

The article “Detailed analysis of the ‘Fast Propagating Fake Captcha’ attack and the distribution of LummaStealer” comes from il blog della sicurezza informatica.


Repairing a 1955 Classic Radio


We used to say that fixing something was easier than bringing up a design for the first time. After all, the thing you are fixing, presumably, worked at one time or another. These days, that’s not always true as fixing modern gear can be quite a challenge. Watching [Ken’s] repair of an old 1955 Silvertone radio reminded us of a simpler time. You can watch the action on the video below.

If you’ve never had the pleasure of working on an AM radio, you should definitely try it. Some people would use an amplifier to find where the signal dies out. Others will inject a signal into the radio to find where it stops. A good strategy is to start at the volume control and decide if it is before or after that. Then split the apparently bad section roughly in half and test that portion—sort of a hardware binary search. Of course, your first step should probably be to verify power, but after that, the hunt is on.

There’s something very satisfying about taking a dead radio and then hearing it come to life on your bench. In this case, some of the problems were from a previous repair.

Troubleshooting is an art all by itself. Restoring old radios is also great fun.

youtube.com/embed/h8jnQ_7Yp2g?…


hackaday.com/2025/03/06/repair…


Combined Crypto, Anglo-American Style


If you think about military crypto machines, you probably think about the infamous Enigma machine. However, as [Christos T.] reminds us, there were many others and, in particular, the production of a “combined cipher” machine for the US and the UK to use for a variety of purposes.

The story opens in 1941 when ships from the United States and the United Kingdom were crossing the Atlantic together in convoys. The US wanted to use the M-138A and M-209 machines, but the British were unimpressed. They were interested in the M-134C, but it was too secret to share, so they reached a compromise.

Starting with a British Typex, a US Navy officer developed an attachment with additional rotors and converted the Typex into a CCM or Combined Cipher Machine. Two earlier versions of the attachment worked with the M-134C. However, the CSP 1800 (or CCM Mark III) was essentially the same unit made to attach to the Typex. Development cost about $6 million, a huge sum for the middle of last century.

By the end of 1943, there were enough machines to work with the North Atlantic convoys. [Christos] says at least 8,631 machines left the factory line. While the machine was a marvel, it did have a problem. With certain settings, the machine had a very low cipher period (338 compared to 16,900 for Enigma). This wasn’t just theoretical, either. A study showed that bad settings showed up seven times in about two months on just one secure circuit.

This led to operational changes to forbid certain settings and restrict the maximum message length. The machine saw service at the Department of State until 1959. There were several variations in use within NATO as late as 1962. It appears the Germans didn’t break CCM during the war, but the Soviets may have been able to decode traffic from it in the post-war period.

You can see a CCM/Typex combo in the video below from the Cryptomuseum. Of course, the Enigma is perhaps the most famous of these machines. These days, you can reproduce one easily.


hackaday.com/2025/03/06/combin…


The Strange Afterlife of the Xbox Kinect


The tale of the Microsoft Xbox Kinect is one of those sad situations where a great product was used in an application that turned out to be a bit of a flop and was discontinued because of it, despite its usefulness in other areas. This article from the Guardian is a quick read on how this handy depth camera has found other uses in somewhat niche areas, with not a computer game in sight.

It’s rather obvious that a camera that can generate a 3D depth map, in parallel with a 2D reference image, could have many applications beyond gaming, especially in the hands of us hackers. Potential uses include autonomous roving robots, 3D scanning, and complex user interfaces—there are endless possibilities. Artists producing interactive art exhibits would sit firmly in that last category, with the Kinect used in countless installations worldwide.

Apparently, the Kinect also has quite a following in ghost-hunting circles, which, as many a dubious TV show demonstrates, seem to film almost entirely under IR light. The Kinect’s IR-based structured light system is well suited to these conditions. Since its processing core runs a machine learning model specifically trained to track human figures, it’s no surprise that the device can pick up those invisible, pesky spirits hiding in the noise. Anyway, all of these applications depend on the used-market supply of Kinect devices, now over a decade old, that can be found online and at car boot sales, which means one day the Kinect really will die off, only to be replaced by specialist devices that cost orders of magnitude more to acquire.

In the unlikely event you’ve not encountered non-gaming applications for the Kinect, here’s an old project to scan an entire room to get you started. Just to be perverse, here’s a gaming application that Microsoft didn’t think of, and to round out, the bad news that Microsoft really has abandoned the product.


hackaday.com/2025/03/06/the-st…


Plastic Gear Repair


We’ve seen several methods of repairing plastic gears. After all, a gear is usually the same all the way around, so it is very tempting to duplicate a good part to replace a damaged part. That’s exactly what [repairman 101] does in the video below. He uses hot glue to form a temporary mold and casts a resin replacement in place with a part of a common staple as a metal reinforcement.

The process starts with using a hobby tool to remove even more of the damaged gear, making a V-shaped slot to accept the repair. The next step is to create a mold. To do that, he takes a piece of plastic and uses hot glue to secure it near a good part of the gear. Then, he fills the area with more hot glue and carefully removes it.

He uses WD-40 as a mold release. He moves the mold to the damaged area and cuts a bit of wire to serve as a support, using a soldering iron to melt it into the gear’s body. Some resin fills the mold, and once it is cured, the gear requires a little rework, but then it seems to work fine.

We would be tempted to use some 3D printing resin with UV curing, since we have it on hand. Then again, you could easily scan the gear, repair it digitally on the computer and just print a new one. That would work, too.

We’ve seen the same process using candle wax and epoxy. If you want to see an example of just printing an entire replacement, we’ve seen that, too.

youtube.com/embed/iNdAn-Fnc_Y?…


hackaday.com/2025/03/06/plasti…


Custom Touchpad PCBs Without The Pain


Many of us use touch pads daily on our laptops, but rarely do we give much thought about what they really do. In fact they are a PCB matrix of conductive pads, with a controller chip addressing it and sensing the area of contact. Such a complex and repetitive pattern can be annoying to create by hand in an EDA package, so [Timonsku] has written a script to take away the work.

It starts with an OpenSCAD script (originally written by Texas Instruments, and released as open source) that creates a diamond grid, which can be edited to the required dimensions and resolution. This is then exported as a DXF file, and the magic begins in a Python script. After adjustment of variables to suit, it finishes with an Eagle-compatible board file which should be importable into other EDA packages.

We’ve never made a touchpad ourselves, but having done other such repetitive PCB tasks we feel the pain of anyone who has. Looking at this project we’re struck by the thought that its approach could be adapted for other uses, so it’s one to file away for later.

This isn’t the first home-made touchpad project we’ve brought you.


hackaday.com/2025/03/06/custom…


Hackaday Europe 2025 Welcomes David Cuartielles, Announces Friday Night Bring-a-Hack


If you’re coming to Hackaday Europe 2025, you’ve got just over a week to get your bags packed and head on out to Berlin. Of course you have tickets already, right? And if you were still on the fence, let us tempt you with our keynote talk and some news about the Friday night meetup, sponsored by Crowd Supply.

But first, the keynote! You might know David Cuartielles as one of the four founders of Arduino. As a telecommunications engineer and doctor in design, he has devoted the last 25 years to experimenting with different educational models centered on the creation of interactive artifacts and platforms.

His talk, “What if the future (of electronics) was compostable?”, asks the question of whether or not we can take our physical projects and make them more ecologically friendly, and looking at Arduino’s approach of bio-degradable electronics and AI-enabled industrial technologies.

Bring a Hack


Come join us for informal Bring-a-Hack drinks starting at 18:00 Friday night, May 14th, at the Jockel Biergarten, Ratiborstraße 14C. It’s always a great time to hang out a little while there are no presentations to feel like you’re missing out on. If you’ve got a project that fits in your backpack, bring it along and show us all. And if you just feel like relaxing over a beverage and some Biergarten fare, that’s great too! We’ll see you there.


hackaday.com/2025/03/06/hackad…


Hacking Digital Calipers for Automated Measurements and Sorta-Micron Accuracy


We’ll take a guess that most readers have a set of digital calipers somewhere close to hand right now. The cheapest ones tend to be a little unsatisfying in the hand, a bit crusty and crunchy to use. But as [Matthias Wandel] shows us, these budget tools are quite hackable and a lot more precise than they appear to be.

[Matthias] is perhaps best known around these parts for making machine tools using mainly wood. It’s an unconventional material for things like the CNC router he loves to hate, but he makes it work through a combination of clever engineering and a willingness to work within the limits of the machine. To assess those limits, he connected some cheap digital calipers to a Raspberry Pi by hacking the serial interface that seems to be built into all of these tools. His particular calipers output a pair of 24-bit words over a synchronous serial connection a couple of times per second, but at a level too low to be read by the Pi. He solved this with a clever resistor ladder to shift the signals to straddle the 1.8 volt transition on the Pi, and after solving some noise problems with a few strategically placed capacitors and some software debouncing, he was gathering data on his Pi.

Although his setup was fine for the measurements he needed to make, [Matthias] couldn’t help falling down the rabbit hole of trying to milk better resolution from the calipers. On paper, the 24-bit output should provide micron-ish resolution, but sadly, the readings seem to fluctuate rapidly between two levels, making it difficult to obtain an average quickly enough to be useful. Still, it’s a good exercise, and overall, these hacks should prove handy for anyone who wants to dip a toe into automated metrology on a budget.

youtube.com/embed/0PA-KvnAwJM?…

Thanks to [Dragan] for the tip.


hackaday.com/2025/03/06/hackin…


Why 56k Modems Relied On Digital Phone Lines You Didn’t Know We Had


If you came of age in the 1990s, you’ll remember the unmistakable auditory handshake of an analog modem negotiating its connection via the plain old telephone system. That cacophony of screeches and hisses was the result of careful engineering. They allowed digital data to travel down phone lines that were only ever built to carry audio—and pretty crummy audio, at that.

Speeds crept up over the years, eventually reaching 33.6 kbps—thought to be the practical limit for audio modems running over the telephone network. Yet, hindsight tells us that 56k modems eventually became the norm! It was all thanks to some lateral thinking which made the most of what the 1990s phone network had to offer.

Breaking the Sound Barrier

The V.34 standard enabled transmission at up to 33.6 kbps, though many modems topped out at the lower level of 28.8 kbps in the mid-1990s. Credit: Raimond Spekking, CC BY-SA 4.0
When traditional dial-up modems communicate, they encode digital bits as screechy analog tones that would then be carried over phone lines originally designed for human voices. It’s an imperfect way of doing things, but it was the most practical way of networking computers in the olden days. There was already a telephone line in just about every house and business, so it made sense to use them as a conduit to get computers online.

For years, speeds ticked up as modem manufacturers ratified new, faster modulation schemes. Speeds eventually reached 33.6 kbps which was believed to be near the theoretical maximum speed possible over standard telephone lines. This largely came down to the Shannon limit of typical phone lines—basically, with the amount of noise on a given line, and viable error correcting methods, there was a maximum speed at which data could reliably be transferred.

In the late 1990s, though, everything changed. 56 kbps modems started flooding the market as rival manufacturers vied to have the fastest, most capable product on offer. The speed limits had been smashed. The answer lay not in breaking Shannon’s Law, but in exploiting a fundamental change that had quietly transformed the telephone network without the public ever noticing.

Multiplexing Madness

Linecards in phone exchanges were responsible for turning analog signals into digital signals for further transmission through the phone network. Credit: Pdesousa359, CC BY-SA 3.0
In the late 1990s, most home users still connected to the telephone network through analog phone lines that used simple copper wires running to their houses, serving as the critical “last mile” connection. However, by this time, the rest of the telephone network had undergone a massive digital transformation. Telephone companies had replaced most of their long-distance trunks and switching equipment with digital technology. Once a home user’s phone line hit a central office, it was usually immediately turned into a digital signal for easier handling and long-distance transmission. Using the Digital Signal 0 (DS0) encoding, phone calls became digital with an 8 kHz sample rate using 8-bit pulse code modulation, working out to a maximum data rate of 64 kbps per phone line.

Traditionally, your ISP would communicate over the phone network much like you. Their modems would turn digital signals into analog audio, and pipe them into a regular phone line. That analog audio would then get converted to a DS0 digital signal again as it moved around the back-end of the phone network, and then back to analog for the last mile to the customer. Finally, the customer’s modem would take the analog signal and turn it back into digital data for the attached computer.

This fell apart at higher speeds. Modem manufacturers couldn’t find a way to modulate digital data into audio at 56 kbps in a way that would survive the DS0 encoding. It had largely been designed to transmit human voices successfully, and relied on non-linear encoding schemes that weren’t friendly to digital signals.
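
To make the limits above concrete, here is an added example in Python that is not part of the original article. It computes the DS0 rate from the 8 kHz / 8-bit figures given earlier, evaluates the Shannon capacity for a voice channel (the 3100 Hz bandwidth and 35 dB signal-to-noise ratio are illustrative assumptions, not figures from the article), and implements G.711 μ-law companding, the non-linear PCM encoding used on North American DS0 channels, which the article refers to only as a "non-linear encoding scheme". The last part shows the effect the article describes: evenly spaced analog signal levels, such as an audio modem would transmit, collapse onto fewer distinguishable codes once companded, whereas levels chosen from the PCM code points themselves survive the conversion exactly.

```python
"""Added example: DS0 rate, Shannon capacity and G.711 mu-law companding."""
import math

BIAS = 0x84    # 132: added before encoding so the smallest segment starts at zero
CLIP = 32635   # largest magnitude the 8-bit code can represent


def ds0_bitrate(sample_rate_hz: int = 8000, bits_per_sample: int = 8) -> int:
    """Bits per second of one DS0 channel: 8 kHz x 8 bits = 64 kbps."""
    return sample_rate_hz * bits_per_sample


def shannon_capacity_bps(bandwidth_hz: float, snr_db: float) -> float:
    """Shannon-Hartley limit C = B * log2(1 + S/N) for an analog channel."""
    snr_linear = 10 ** (snr_db / 10)
    return bandwidth_hz * math.log2(1 + snr_linear)


def ulaw_encode(sample: int) -> int:
    """Encode a 16-bit signed linear sample into an 8-bit G.711 mu-law code."""
    sign = 0x80 if sample < 0 else 0
    magnitude = min(abs(sample), CLIP) + BIAS
    # Segment (exponent) = position of the highest set bit above bit 7.
    exponent = (magnitude >> 7).bit_length() - 1
    # Four mantissa bits just below the leading bit of the segment.
    mantissa = (magnitude >> (exponent + 3)) & 0x0F
    # Codes are transmitted inverted, so silence (0) encodes as 0xFF.
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def ulaw_decode(code: int) -> int:
    """Expand an 8-bit mu-law code back to a linear sample."""
    code = ~code & 0xFF
    sign = code & 0x80
    exponent = (code >> 4) & 0x07
    mantissa = code & 0x0F
    magnitude = (((mantissa << 3) + BIAS) << exponent) - BIAS
    return -magnitude if sign else magnitude


def pcm_code_points() -> list[int]:
    """All distinct linear levels a DS0 channel can carry (255: +0 and -0 coincide)."""
    return sorted({ulaw_decode(c) for c in range(256)})


def step_size(level: int) -> int:
    """Quantisation step around a linear level: 8 in the lowest segment, 1024 in the highest."""
    exponent = ((min(abs(level), CLIP) + BIAS) >> 7).bit_length() - 1
    return 8 << exponent


def survivors(levels) -> int:
    """How many of a modem's transmit levels remain distinguishable after companding."""
    return len({ulaw_decode(ulaw_encode(v)) for v in levels})


if __name__ == "__main__":
    print("DS0 rate:", ds0_bitrate(), "bps")
    print("Shannon limit (3100 Hz, 35 dB): %.0f bps" % shannon_capacity_bps(3100, 35))
    # Equally spaced levels, as an analog modem modulating audio would produce.
    uniform = range(-32000, 32001, 256)
    print("uniform levels:", len(uniform), "-> survive companding:", survivors(uniform))
    # Levels taken from the PCM code points themselves, as a digital modem can send.
    points = pcm_code_points()
    print("PCM code points:", len(points), "-> survive companding:", survivors(points))
```

The step sizes tell the story: near silence the codes are 8 units apart, at full scale 1024 units apart, so a signal that places equally spaced levels across the whole range loses most of its high-amplitude levels in the exchange's analog-to-digital conversion, while a sender with direct digital access to the network can choose its levels from the 255 code points and have every one of them arrive intact.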

The breakthrough came when modem manufacturers realized that ISPs could operate differently from end users. By virtue of their position, they could work with telephone companies to access the phone network directly in digital form. Thus, the ISP would simply pipe digital data directly into the phone network, rather than modulating it into audio first. The signal remained digital all the way until it reached the local exchange, where it would be converted into audio and sent down the phone line into the customer’s home. This eliminated a whole set of digital-to-analog and analog-to-digital conversions which were capping speeds, and let ISPs shoot data straight at customers at up to 56 kbps.
The basic concept behind 56 kbps operation. So-called “digital modems” on the ISP side would squirt digital signals directly into the digital part of the phone network. These would then be modulated to analog just once at the exchange level to travel the last mile over the customer’s copper phone line. Credit: ITU, V.90 standard
This technique only worked in one direction, however. End users still had to use regular modems, which would have their analog audio output converted through DS0 at some point on its way back to the ISP. This kept upload speeds limited to 33.6 kbps.
USRobotics was one of the innovators in the 56k modem space. Note the x2 branding on this SPORTSTER modem, denoting the company’s proprietary modulation method. Credit: Xiaowei, CC BY 3.0
The race to exploit this insight led to a minor format war. US Robotics developed its x2 standard, so named for being double the speed of 28k modems. Rival manufacturer Rockwell soon released the K56Flex standard, which leveraged the same trick to raise speeds. ISPs quickly began upgrading to work with the faster modems, but consumers were confused by the competing standards.

The standoff ended in 1998 when the International Telecommunication Union (ITU) stepped in to create the V.90 standard. It was incompatible with both x2 and K56Flex, but soon became the industry norm. This standardization finally allowed for interoperable 56K communications across vendors and ISPs. It was soon supplanted by the updated V.92 standard in 2000, which increased upload speeds to 48 kbps with some special upstream encoding tricks, while also adding new call-waiting and quick-connect features.

Final Hurrah


Despite the theoretical 56 kbps limit, actual connection speeds rarely reached such heights. Line quality and a user’s distance from the central office could degrade performance, and power limits mandated by government regulations made 53 kbps a more realistic peak speed in practice. The connection negotiation process users experienced – that distinctive modem “handshake” – often involved the modems testing line conditions and stepping down to the highest reliable speed. Despite the limitations, 56k modems soon became the norm as customers hoped to achieve a healthy speed boost over the older 33.6k and 28k modems of years past.

The 56K modem represents an elegant solution for a brief period in telecommunications history, when analog modems still ruled and broadband was still obscure and expensive. It was a technology born when modem manufacturers realized the phone network they were now working with was not the one they started with so many decades before. The average consumer may never have appreciated the nifty tricks that made the 56k modem work, but it was a smart piece of engineering that made the Internet ever so slightly more usable in those final years before DSL and cable began to dominate all.


hackaday.com/2025/03/06/why-56…


Italian Ministry of the Interior under attack? Email accesses for sale on underground forums!


In recent days, a user of the underground forum “BreachForums” posted an advertisement regarding the alleged sale of access to email accounts belonging to the Italian Ministry of the Interior (domain “@interno.it”).

The news, not yet confirmed by institutional sources, is particularly worrying because, if founded, it could have serious implications for national security.

Details of the Possible Breach


  • Origin of the Post: The listing appears on a popular underground forum where data stolen from government bodies or major companies often circulates. The author goes by the nickname “DataSec” and appears to have a fair level of “reputation” on the platform.
  • Publication Date: The post was published on 3 March 2025 and, according to the forum’s metadata, was edited once on the morning of 4 March.
  • Item for Sale: “DataSec” claims to hold credentials and internal access to several mailboxes attributable to the Italian Ministry of the Interior (domain “@interno.it”). They are offered in exchange for cryptocurrency, a recurring payment method in the cybercriminal landscape.


Reliability of the Source


BreachForums is known for hosting listings selling stolen data, often genuine, but there is no shortage of “fake listings” designed to defraud prospective buyers. At present, there is no tangible evidence (such as data dumps or screenshots proving the compromise) confirming that these credentials actually exist.

Red Hot Cyber (RHC) will continue to monitor the situation, paying particular attention to any developments in the BreachForums thread or to the appearance of further evidence in other underground venues and sector Telegram channels.

  • Future Publications: If the Ministry of the Interior or other institutions release official statements, RHC will report on them promptly, dedicating a specific article to the statements and the emerging evidence.
  • Anonymous Reports: Anyone with additional details or able to provide useful confirmation can contact us via our encrypted email, with the highest level of confidentiality guaranteed.


Conclusions


The alleged sale of email accesses linked to the Italian Ministry of the Interior is a potential warning sign for institutional security. Although the information currently available does not allow the compromise to be confirmed, it is essential to maintain a high degree of vigilance and, if necessary, to proceed with in-depth technical and legal verification.

Prudence and transparency are essential in circumstances where even the suspicion of a breach can undermine citizens’ trust and the credibility of the institutions involved. RHC remains available to host any official communications and to provide updates should significant developments emerge.

This article was produced using the Recorded Future platform, a strategic partner of Red Hot Cyber and a leader in cyber threat intelligence, which provides advanced analysis to identify and counter malicious activity in cyberspace.

The article Italian Ministry of the Interior under attack? Email accesses for sale on underground forums! comes from the cybersecurity blog.


The Future We Never Got, Running a Future We Got


If you’re familiar with Java here in 2025, the programming language you know is a world away from what Sun Microsystems planned for it in the mid-1990s. Back then it was key to a bright coffee-themed future of write-once-run-anywhere software, and aside from your web browser using it to run applications, your computer would be a diskless workstation running Java bytecode natively on the silicon.

What we got was slow and disappointing Java applets in web pages, and a line of cut-down SPARC-based JavaStations which did nothing to change the world. [FatSquirrel] has one of these machines, and a quarter century later, has it running NetBSD. It’s an interesting journey both into 1990s tech, and some modern-day networking tricks to make it happen.

These machines suffer, as might be expected, from exhausted memory backup batteries. Fortunately, once the serial port has been figured out, they drop you into an OpenBoot prompt which, in common with Apple machines in the ’90s, gives you a Forth interpreter. There’s enough info online to load the NVRAM with a config, and the machine stuttered into life. To do anything useful takes a network with RARP and NFS to serve an IP address and a disk image respectively, which a modern Linux machine is quite happy to do. The resulting NetBSD machine maybe isn’t as useful as it could be, but at the risk of angering any Java enthusiasts, perhaps it’s more useful than the original JavaOS.

We remember the promise of a Java-based future too, and tasted the bitter disappointment of stuttering Java applets in our web pages. However, given that so much of what we use now quietly runs Java in the background without our noticing it, perhaps the shade of Sun Microsystems had the last laugh after all. This isn’t the first ’90s machine that’s been taught new tricks here, some of them have received Java for the first time.


hackaday.com/2025/03/06/the-fu…


Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity



Introduction


Among the most significant events in the AI world in early 2025 was the release of DeepSeek-R1 – a powerful reasoning large language model (LLM) with open weights. It’s available both for local use and as a free service. Since DeepSeek was the first service to offer access to a reasoning LLM to a wide audience, it quickly gained popularity, mirroring the success of ChatGPT. Naturally, this surge in interest also attracted cybercriminals.

While analyzing our internal threat intelligence data, we discovered several groups of websites mimicking the official DeepSeek chatbot site and distributing malicious code disguised as a client for the popular service.

Screenshot of the official DeepSeek website (February 2025)

Scheme 1: Python stealer and non-existent DeepSeek client


The first group of websites was hosted on domains whose names included DeepSeek model versions (V3 and R1):

  • r1-deepseek[.]net;
  • v3-deepseek[.]com.

As shown in the screenshot, the fake website lacks the option to start a chat – you can only download an application. However, the real DeepSeek doesn’t have an official Windows client.

Screenshot of the fake website

Clicking the “Get DeepSeek App” button downloads a small archive, deep-seek-installation.zip. The archive contains the DeepSeek Installation.lnk file, which holds a URL.

At the time of publishing this research, the attackers had modified the fake page hosted on the v3-deepseek[.]com domain. It now prompts users to download a client for the Grok model developed by xAI. We’re observing similar activity on the v3-grok[.]com domain as well. Disguised as a client is an archive named grok-ai-installation.zip, containing the same shortcut.

Executing the .lnk file runs a script located at the URL inside the shortcut:

This script downloads and unpacks an archive named f.zip.

Contents of the unpacked archive

Next, the script runs the 1.bat file from the unpacked archive.

Contents of the BAT file

The downloaded archive also contains the svchost.exe and python.py files. The first is the legitimate python.exe, renamed to mimic a Windows process and mislead users checking running applications in Task Manager.

It is used to launch python.py, which contains the malicious payload (we’ve also seen this file named code.py). This is a stealer script written in Python that we haven’t seen in attacks before. If it’s executed successfully, the attackers obtain a wealth of data from the victim’s computer: cookies and session tokens from various browsers, login credentials for email, gaming, and other accounts, files with certain extensions, cryptocurrency wallet information, and more.

After collecting the necessary data, the script generates an archive and then either sends it to the stealer’s operators using a Telegram bot or uploads it to the Gofile file-sharing service. Thus, attempting to use the chatbot could result in the victim losing social media access, personal data, and even cryptocurrency. If corporate credentials are stored on the compromised device, entire organizations could also be at risk, leading to far more severe consequences.
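The lure in this scheme is an archive whose only payload is a shortcut file. One defensive check that catches this pattern before anything is double-clicked is to inspect a downloaded archive for Windows shortcuts, both by extension and by the shell-link header, since the extension can be disguised. The following is an added example and not code from the Securelist report; the archive it inspects is constructed in memory, with member names modelled on the ones the report describes, and the shortcut bodies are just the 20-byte header plus padding, not real shortcuts.

```python
"""Added example (not from the report): flag Windows shortcut (.lnk) files
inside a downloaded archive before it is opened. The archive is constructed
in memory and the shortcut bodies are header-only stand-ins."""
import io
import zipfile

# Every Windows shell link starts with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in GUID byte order
# (MS-SHLLINK). Matching on this catches shortcuts with a renamed extension.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C000000000000046")


def find_shortcuts(zip_bytes: bytes):
    """Return (member name, reason) for members that are shortcuts by
    extension or by header magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            by_magic = head == LNK_MAGIC
            by_name = info.filename.lower().endswith(".lnk")
            if by_magic or by_name:
                hits.append((info.filename, "magic" if by_magic else "extension-only"))
    return hits


def build_sample_archive() -> bytes:
    """Constructed stand-in for deep-seek-installation.zip: one shortcut with
    the expected extension, one with a disguised extension, one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DeepSeek Installation.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("installer.dat", LNK_MAGIC + b"\x00" * 56)   # disguised
        zf.writestr("README.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_shortcuts(build_sample_archive()):
        print(f"shortcut in archive: {name!r} ({reason})")
```

Both shortcut members are reported, the disguised one because its header matches even though its name does not; an archive whose sole deliverable is a shortcut is a strong hint that the real installer lives at a URL rather than in the download.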

Scheme 2: Malicious script and a million views


In another case, fake DeepSeek websites were found on the following domains:

  • deepseek-pc-ai[.]com
  • deepseek-ai-soft[.]com

We discovered the first domain back in early February, hosting the default Apache web server page with no content. Later, this domain displayed a new web page closely resembling the DeepSeek website. Notably, the fake site uses geofencing: when requests come from certain IP addresses, such as Russian ones, it returns a placeholder page filled with generic SEO text about DeepSeek (we believe this text may have been LLM-generated):

If the IP address and other request parameters meet the specified criteria, the server returns a page resembling DeepSeek. Users are prompted to download a client or start the chatbot, but either action results in downloading a malicious installer created using Inno Setup. Kaspersky products detect it as Trojan-Downloader.Win32.TookPS.*.

When executed, this installer contacts malicious URLs to receive a command that will be executed using cmd. The most common command launches powershell.exe with a Base64-encoded script as an argument. This script accesses an encoded URL to download another PowerShell script, which activates the built-in SSH service and modifies its configuration using the attacker’s keys, allowing remote access to the victim’s computer.

Part of the malicious PowerShell script
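The Base64 argument to powershell.exe is the standard -EncodedCommand form, which carries the script as UTF-16LE text; a detection pipeline that only inspects the raw command line will miss what it does. The following added example (not from the report) decodes such a command line and flags the behaviours the report describes, namely SSH service activation and configuration changes, plus remote download. The command lines, the keyword rules and the flag spellings matched are constructed for illustration.

```python
"""Added example (not from the report): decode a PowerShell -EncodedCommand
argument and flag the behaviours described above. Sample command lines and
the keyword rules are constructed."""
import base64
import re

# -EncodedCommand (and its short forms) takes Base64 of the script as UTF-16LE.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed rule set mirroring the report: SSH service tampering, key/config
# changes, and script download from a remote URL.
SUSPICIOUS = {
    "ssh_service": re.compile(r"\bsshd\b|OpenSSH", re.I),
    "ssh_keys":    re.compile(r"authorized_keys|sshd_config", re.I),
    "download":    re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script text, or None if there is no valid encoded argument."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> dict:
    """Decode the command line (if encoded) and list the rules it trips."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "hits": []}
    hits = [name for name, rx in SUSPICIOUS.items() if rx.search(script)]
    return {"encoded": True, "hits": hits, "script": script}


def encode_for_sample(script: str) -> str:
    """Build a constructed -enc argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: an encoded command that turns on the built-in SSH service.
SAMPLE_SCRIPT = "Set-Service sshd -StartupType Automatic; Start-Service sshd"
SAMPLE_CMDLINE = "powershell.exe -NoProfile -enc " + encode_for_sample(SAMPLE_SCRIPT)
BENIGN_CMDLINE = "powershell.exe -Command Get-Date"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        print(triage(line))
```

Decoding before matching is the point: a rule that looks for "sshd" in process-creation logs never sees it when the script arrives Base64-encoded, so the decode step belongs in front of whatever keyword or behavioural rules a team already runs.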

This case is notable because we managed to identify the primary vector for spreading the malicious links – posts on the social network X (formerly Twitter):

This post, directing users to deepseek-pc-ai[.]com, was made from an account belonging to an Australian company. The post gained 1.2 million views and over a hundred reposts, most of which were probably made by bots – note the similar usernames and identifiers in their bios:

Some users in the comments dutifully point out the malicious nature of the link.

Links to deepseek-ai-soft[.]com were also distributed through X posts, but at the time of investigation, they were only available in Google’s cache:

Scheme 3: Backdoors and attacks on Chinese users


We also encountered sites that directly distributed malicious executable files. One such file was associated with the following domains:

  • app.delpaseek[.]com;
  • app.deapseek[.]com;
  • dpsk.dghjwd[.]cn.

These attacks target more technically advanced users – the downloaded malicious payload mimics Ollama, a framework for running LLMs such as DeepSeek on local hardware. This tactic reduces suspicion among potential victims. Kaspersky solutions detect this payload as Backdoor.Win32.Xkcp.a.

The victim only needed to launch the “DeepSeek client” on their device to trigger the malware, which creates a KCP tunnel with predefined parameters.

Additionally, we observed attacks where a victim’s device downloaded the deep_windows_Setup.zip archive, containing a malicious executable. The archive was downloaded from the following domains:

  • deep-seek[.]bar;
  • deep-seek[.]rest.

The malware in the archive is detected by Kaspersky solutions as Trojan.Win32.Agent.xbwfho. This is an installer created with Inno Setup that uses DLL sideloading to load a malicious library. The DLL in turn extracts and loads into memory a payload hidden using steganography — a Farfli backdoor modification — and injects it into a process.

Both of these campaigns, judging by the language of the bait pages, are targeting Chinese-speaking users.

Conclusion


The nature of the fake websites described in this article suggests these campaigns are widespread and not aimed at specific users.

Cybercriminals use various schemes to lure victims to malicious resources. Typically, links to such sites are distributed through messengers and social networks, as seen in the example with the X post. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.

We strongly advise users to carefully check the addresses of websites they visit, especially if links come from unverified sources. This is especially important for highly popular services. In this case, it’s particularly noteworthy that DeepSeek doesn’t have a native Windows client. This isn’t the first time that cybercriminals have exploited the popularity of chatbots to distribute malware: they’ve previously targeted regular users with Trojans disguised as ChatGPT clients and developers with malicious packages in PyPI. Simple digital hygiene practices, combined with a cutting-edge security solution, can significantly reduce the risk of device infection and personal data loss.
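The advice to check addresses can be automated for a brand a team cares about. The following added example (not from the report) scores hostnames as DeepSeek lookalikes using the defanged domains listed in the report as sample input, together with a few constructed benign names. It assumes deepseek.com is the legitimate domain, reduces a host to its last two labels (a naive stand-in for public-suffix handling), and combines three checks: an exact official-domain match, the brand string embedded in the second-level label once separators are stripped, and a small edit distance from the brand for outright typosquats.

```python
"""Added example (not from the report): score hostnames as lookalikes of a
brand. Reported domains are the sample input; deepseek.com as the official
domain and the last-two-labels rule are assumptions."""

BRAND = "deepseek"
OFFICIAL = {"deepseek.com"}          # assumption: the legitimate domain

# Defanged domains as listed in the report's indicators of compromise.
REPORTED = [
    "r1-deepseek[.]net", "v3-deepseek[.]com", "deepseek-pc-ai[.]com",
    "deepseek-ai-soft[.]com", "app.delpaseek[.]com", "app.deapseek[.]com",
    "dpsk.dghjwd[.]cn", "deep-seek[.]bar", "deep-seek[.]rest", "v3-grok[.]com",
]


def refang(host: str) -> str:
    """Turn the defanged '[.]' notation back into a real hostname."""
    return host.replace("[.]", ".").strip().lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels (assumption, no suffix list)."""
    return ".".join(host.split(".")[-2:])


def assess(host: str) -> str:
    """Classify a hostname: official, brand-in-name, typosquat or no-match."""
    host = refang(host)
    reg = registrable(host)
    if reg in OFFICIAL:
        return "official"
    sld = reg.split(".")[0]
    folded = sld.replace("-", "").replace("_", "")   # deep-seek -> deepseek
    if BRAND in folded:
        return "brand-in-name"
    if levenshtein(folded, BRAND) <= 2:              # delpaseek, deapseek
        return "typosquat"
    return "no-match"


def summarize(hosts):
    """Count verdicts over a list of hostnames."""
    counts = {}
    for h in hosts:
        v = assess(h)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for h in REPORTED + ["deepseek.com", "example.org"]:   # last two constructed
        print(f"{refang(h):28} {assess(h)}")
    print(summarize(REPORTED))
```

On the reported list, eight of the ten domains trip the brand or edit-distance rules; the two that do not (the random-looking dghjwd[.]cn host and the Grok lure) show the limit of name-based checks, which is why they complement rather than replace blocklists of confirmed indicators.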

Indicators of compromise

MD5


4ef18b2748a8f499ed99e986b4087518
155bdb53d0bf520e3ae9b47f35212f16
6d097e9ef389bbe62365a3ce3cbaf62d
3e5c2097ffb0cb3a6901e731cdf7223b
e1ea1b600f218c265d09e7240b7ea819
7cb0ca44516968735e40f4fac8c615ce
7088986a8d8fa3ed3d3ddb1f5759ec5d

Malicious domains


r1-deepseek[.]net
v3-deepseek[.]com
deepseek-pc-ai[.]com
deepseek-ai-soft[.]com
app.delpaseek[.]com
app.deapseek[.]com
dpsk.dghjwd[.]cn
deep-seek[.]bar
deep-seek[.]rest
v3-grok[.]com


securelist.com/backdoors-and-s…


Rackmount all the Things, Hi-Fi Edition


Closeup of a rackmounted custom HiFi setup

For those who love systems and structure, owning a 19-inch rack with just one slot filled is just not it. But what if the rest of your gear isn’t 19-inch? Well, then you go out and make it so, just like [Cal Bryant] did recently.

The goal was to consolidate multiple devices — DAC, input selector, streamer, and power routing — into a single 2U rackmount unit. His first attempts involved drilling 1U panels to attach gear with removable faceplates. That worked, but not all devices played nice. So his next step became a fully custom enclosure with CAD-modeled brackets and front panels.

OpenSCAD turned out to be a lifesaver, letting [Cal] design modular mounting solutions. Exporting proper circles for CNC turret punching however appeared to be a nightmare. It was FreeCAD to the rescue for post-processing. After some sanding and auto-shop painting, the final faceplate looked factory-made.

Custom switch boxes for power and audio routing keep things tidy, housing everything from USB to XLR inputs. A 4-pole switch even allows seamless swapping between his DAC and DJ controller, while UV-printed graphics bring the finishing touch to this project. For those looking to clean up their Hi-Fi setup (or just love modding for the sake of it), there’s a lot to learn from this build.

If buying a rack is not within your budget, you could start with well-known IKEA LACK furniture.


hackaday.com/2025/03/06/rackmo…


A TV With Contrast You Haven’t Seen For Years


It’s something of a surprise, should you own a CRT TV to go with your retrocomputers, when you use it to view a film or a TV show. The resolution may be old-fashioned, but the colors jump out at you in a way you’d forgotten CRTs could do. You’re seeing black levels that LCD screens can’t match, and which you’ll only find comparable on modern OLED TVs. Can an LCD screen achieve decent black levels? [DIY Perks] is here with a modified screen that does just that.

LCD screens work by placing a set of electronic polarizing filters in front of a bright light. Bright pixels let through the light, while black pixels, well, they do their best, but a bit of light gets through. As a result, they have washed-out blacks, and their images aren’t as crisp and high contrast as they should be. More modern LCDs use an array of LEDs as the backlight which they illuminate as a low resolution version of the image, an approach which improves matters but leaves a “halo” round bright spots.

The TV in the video below the break is an older LCD set, from which he removes the backlight and places the electronics in a stand. He can show an image on it by placing a lamp behind it, but he does something much cleverer. An old DLP projector with its color wheel removed projects a high-res luminance map onto the back of the screen, resulting in the coveted high contrast image. The final result uses a somewhat unwieldy mirror arrangement to shorten the distance for the projector, but we love this hack. It’s not the first backlight hack we’ve seen, but perhaps it gives the best result.

youtube.com/embed/qXrn4MqY1Wo?…

Thanks [Keith Olson] for the tip!


hackaday.com/2025/03/05/a-tv-w…


Ptychography for High Resolution Microscopy


Nowadays, if you have a microscope, you probably have a camera of some sort attached. [Applied Science] shows how you can add an array of tiny LEDs and some compute power to produce high-resolution images — higher than you can get with the microscope on its own. The idea is to illuminate each LED in the array individually and take a picture. Then, an algorithm constructs a higher-resolution image from the collected images. You can see the results and an explanation in the video below.

You’d think you could use this to enhance a cheap microscope, but the truth is you need a high-quality microscope to start with. In addition, color cameras may not be usable, so you may have to find or create a monochrome camera.

The code for the project is on GitHub. The LEDs need to be close to a point source, so smaller is better, and that determines what kind of LEDs are usable. Of course, the LEDs go through the sample, so this is suitable for transmissive microscopes, not metallurgical ones, at least in the current incarnation.

You can pull the same stunt with electrons. Or blood.

youtube.com/embed/9KJLWwbs_cQ?…


hackaday.com/2025/03/05/ptycho…


Designing a Toy Conveyor Belt For Fun and Profit


A 3D-printed, hand-cranked, toy conveyor belt designed after the transporter belts in Factorio.

[Hope This Works] wants to someday build a tiny factory line in the garage, with the intent of producing some simple widget down the line. But what is a tiny factory without tiny conveyor belts? Not a very productive one, that’s for sure.

As you may have noticed, this is designed after the transporter belts from the game Factorio. [Hope This Works] ultimately wants something functional that’s small enough to fit in one hand and has that transporter belt aesthetic going. He also saw this as a way to level up his CAD skills from approximately 1, and as you’ll see in the comprehensive video after the break, that definitely happened.

And so [Hope This Works] started by designing the all-important sprockets. He found a little eight-toothed number on McMaster-Carr and used the drawing for reference. From there, he designed the rest of the parts around the sprockets, adding a base so that it can sit on the desk or be held in the hand.

For now, this proof-of-concept is hand-cranked. We especially love that [Hope This Works] included a square hole for the crank handle to stand in when not in use. Be sure to check out the design/build video after the break to see it in action.

How happy would you be to see Factorio come up in a job interview?

youtube.com/embed/uJ_CC4abBj0?…

Thanks for the tip, [foamyguy]!


hackaday.com/2025/03/05/design…


Piggyback Board Brings Touch Sensing to USB Soldering Iron


The current generation of USB-powered soldering irons have a lot going for them, chief among them being portability and automatic start and stop. But an iron that turns off in the middle of soldering a joint is a problem, one that this capacitive-touch replacement control module aims to fix.

The iron in question is an SJ1 from Awgem, which [DoganM95] picked up on AliExpress. It seems well-built, with a sturdy aluminum handle, a nice OLED display, and fast heat-up and cool-down. The problem is that the iron is triggered by motion, so if you leave it still for more than a second or two, such as when you’re soldering a big joint, it turns itself off. To fix that, [DoganM95] designed a piggyback board for the OEM controller with a TTP223 capacitive touch sensor. The board is carefully shaped to allow clearance for the existing PCB components and the heater cartridge terminals, and has castellated connections so it can connect to pads on the main board. You have to remove one MOSFET from the main board, but that’s about it for modifications. A nickel strip makes contact with the inside of the iron’s shell, turning it into the sensor plate for the TTP223.

[DoganM95] says that the BA6 variant of the chip is the one you want, as others have a 10-second timeout, which would defeat the purpose of the mod. It’s a very nice bit of design work, and we especially like how the mod board nests so nicely onto the OEM controller. It reminds us a little of those Quansheng handy-talkie all-band mods.


hackaday.com/2025/03/05/piggyb…