
Why Cheap Digital Microscopes are Pretty Terrible



The depth of field you get with a cheap Tomlov DM9 digital microscope. Pictured is the tip of a ballpoint. (Credit: Outdoors55, YouTube)
We have all seen those cheap digital microscopes, whether in USB format or with their own screen, all of them promising super-clear images of everything from butterfly wings to electronics at amazing magnification levels. In response to this, we have to paraphrase The Simpsons: in this Universe, we obey the laws of physics. This applies doubly so for image sensors and optics, which is where fundamental physics can only be dodged so far by heavy post-processing. In a recent video, the [Outdoors55] YouTube channel goes over these exact details, comparing a Tomlov DM9 digital microscope from Amazon to a quality macro lens on an APS-C format Sony Alpha a6400.

First of all, the magnification levels listed are effectively meaningless, as you are comparing a very tiny image sensor to something like an APS-C sensor, which itself is smaller than a full-frame sensor (i.e., 35 mm). As demonstrated in the video, the much larger sensor already gives you the ability to see many more details even before cranking the optical zoom levels up to something like 5 times, never mind the 1,500x claimed for the DM9.

On the optics side, the lack of significant depth of field is problematic. Although the workarounds suggested in the video work, such as focus stacking and diffusing the light projected onto the subject, it is essential to be aware of the limitations of these microscopes. That said, since we’re comparing a $150 digital microscope with a $1,500 Sony digital camera with macro lens, there’s some leeway here to say that the former will be ‘good enough’ for many tasks, but so might a simple jeweler’s loupe for even less.

There are some reasonable hobby-grade USB microscopes. There are also some hard-to-use toys.

youtube.com/embed/_K8CtSgXREk?…


hackaday.com/2025/08/03/why-ch…


Keyboard Hero: A Barebones Alternative To The Guitar Version


Guitar Hero was all the rage for a few years, before the entire world apparently got sick of it overnight. Some diehards still remember the charms of rhythm games, though. Among them you might count [Joseph Valenti] and [Daniel Rodriguez], who built a Keyboard Hero game for their ECE 4760 class at Cornell.

Keyboard Hero differs quite fundamentally from Guitar Hero in one major way. Rather than having the player tackle a preset series of “notes,” the buttons to press are instead procedurally generated by the game based on incoming audio input. It only works with simple single-instrument piano music, but it does indeed work. A Raspberry Pi Pico is charged with analyzing incoming audio and assigning the proper notes. Another Pi Pico generates the VGA video output with the game graphics, which is kept in sync with the audio pumped out from the first Pico so the user can play the notes in time with the music. Rather than a guitar controller, Keyboard Hero instead relies on five plastic buttons assembled on a piece of wood. It works.

It’s obviously not as refined as the game that inspired it, but the procedural generation of “notes” reminds us of old-school rhythm game Audiosurf. Video after the break.

youtube.com/embed/DWg6Y2udlpU?…


hackaday.com/2025/08/03/keyboa…


Rebuilt Batteries for the Cutest Clamshell at the Cafe


Keeping retrocomputers going can be tricky enough, but when you’re talking retro laptops, the battery packs add an extra challenge. While one could simply live without the battery, that’s not going to give you the full retro experience. Replacement batteries are long out of stock, so what can one do? Well, one can check out this excellent tutorial by [lazd] on rebuilding an iBook G3 Clamshell battery.

Even if you don’t have this particular laptop, the general process is likely to be similar for PC laptops of similar vintage. (Which we still can’t believe is a whole quarter-century ago.) Luckily for retrocomputer enthusiasts, even Apple used standard 18650 cells in those bygone, halcyon days when computers were allowed to be more than a few atoms thick. They do need to be unprotected, flat-top cells, but that’s easy enough to source.

So it’s really a matter of carefully prying apart the casing (apparently it needs to be Apple-branded; aftermarket cases can’t survive being opened), removing the old batteries, and welding nickel tabs onto the new cells in the proper configuration. One thing that surprised us is that, apparently, Apple did not go in for balancing in those days — so make sure your cells are all in perfect condition and all equally charged before you start, or things won’t end nicely.
As always, battery orientation matters! The cells are welded into two sets in this Clamshell iBook battery.
Assuming you can pull it off (and your battery pack’s control chip has lasted the 300 moons since its manufacture), you’ll get a not-insignificant 5-hour battery run out of what’s sure to be the cutest clamshell computer at the cafe.

If you are repairing an iBook, while you’re at it, why not upgrade the RAM? You might even be able to fix the screen if it’s succumbing to the sadly-too-common vinegar syndrome.


hackaday.com/2025/08/03/rebuil…


A DIY Fermenter for Flavorful Brews


Fermentation is a culinary art where tiny organisms transform simple ingredients into complex flavors — but they’re finicky about temperature. To keep his brewing setup at the perfect conditions, [Ken] engineered the Fermenter, a DIY insulated chamber controlled by Home Assistant for precision and remote monitoring.

The Fermenter build starts with an insulated chamber constructed from thick, rigid foam board, foil tape, weather strips, and a clever use of magnets to secure the front and top panels, allowing quick access to monitor the fermentation process. The chamber is divided into two sections: a larger compartment housing the fermentation vessel and a smaller one containing frozen water bottles. A fan, triggered by the system, circulates cool air from the bottle chamber to regulate temperature when things get too warm.

The electronics are powered by an ESP8266 running ESPHome firmware, which exposes its GPIO pins for seamless integration with Home Assistant, an open-source home automation platform. A DS18B20 temperature sensor provides accurate readings from the fermentation chamber, while a relay controls the fan for cooling. By leveraging Home Assistant, [Ken] can monitor and adjust the Fermenter remotely, with the flexibility to integrate additional devices without rewiring. For instance, he added a heater using a heat mat and a smart outlet that operates independently of the ESP8266 but is still controlled via Home Assistant.

Thanks [Ken] for sending us the tip on this ingenious project he’s been brewing. If you’re using Home Assistant in a unique way, be sure to send in your project for us to share. Don’t forget to check out some of the other Home Assistant projects we’ve published over the years. Like a wind gauge, maybe. Or something Fallout-inspired.

youtube.com/embed/nyE2-FArnkc?…


hackaday.com/2025/08/03/a-diy-…


Squishy Beyblades Made With 3D Printer Fail To Compete In The Arena


When Beyblades first came out a couple of decades ago, they quickly became a fad across Japan and several Western countries. There was a whole ecosystem of parts that you could buy and use to build competitive fighting spinning tops. These days, though — 3D printers are ubiquitous. There’s very little stopping you from printing whatever Beyblade-compatible parts your heart desires, as [JettKuso] demonstrates.

For [JettKuso], the rubber attack tips were a personal favorite. They had high grip on the plastic arena floor and would allow a top to make rapid, aggressive moves that would knock other tops out of the arena. Not desiring to import specific Beyblade parts at great expense, he decided to print some rubber tips and associated parts instead. The result? Squishy Beyblades!

[JettKuso] built various tops with official and custom TPU parts, and put them in battles to see what worked and what didn’t. In many cases, the TPU replacement parts didn’t make a big difference or proved worse than the standard parts. However, when [JettKuso] got crazy, he found one thing that kind of worked. A mega-heavy TPU top blade, which weighed as much as the standard metal rings, was able to successfully win battles against less competitive standard builds.

Ultimately, the video serves as a testament to the developers of the original toys themselves. It’s not so simple to just print up some parts and have them be competitive with the tried-and-tested gear that comes off the store shelves. The experience ultimately gave [JettKuso] a greater appreciation for all the thought that went into the commercial toys. Video after the break.

youtube.com/embed/2X2Xjc4tsfI?…


hackaday.com/2025/08/02/squish…


An Ode to the Aesthetic of Light in 1024 Pixels


Raspberry Pi Pico LED display sitting in window sill

Sometimes, brilliant perspectives need a bit of an introduction first, and this is clearly one. This video essay by [Cleggy] delivers what it promises: an ode to the aesthetic of light. But he goes further, materializing his way of viewing things into a beautiful physical build — and the full explanation of how to do it at home.

What’s outstanding here is not just the visual result, but the path to it. We’ve covered tons of different LED matrices, and while they’re all functional, their eventual purpose is left up to the builder, like coasters or earknobs. [Cleggy] provides both. He captured a vision in the streets and then built an LED matrix from scratch.

The matrix consists of 1024 hand-soldered diodes. They’re driven by a Raspberry Pi Pico and a symphony of square waves. It’s not exactly a WS2812 plug-and-play job. It’s engineered from the silicon up, with D-latches and demultiplexers orchestrating a mesmerizing grayscale visual.

Pulse-width modulation (PWM) is the secret ingredient of this hack. [Cleggy] dims each white pixel separately, by varying the duty cycle of its light signal. The grayscale video data, compressed into CSV files, is parsed line-by-line by the Pico, translating intensity values into shimmering time slices.

It transforms the way you see and perceive things. All that, with a 1000 LED monochrome display. Light shows are all highly personal, and each one is a little different. Some of them are really kid stuff.

youtube.com/embed/cWpT_prTC54?…


hackaday.com/2025/08/02/an-ode…


Exploring VersaLOGIC pre-LSI Logic Cards With the Data/620


Before the era of large-scale integration (LSI) semiconductor circuits, discrete logic circuits using the common diode-transistor logic (DTL) were still necessary and available in a format that was modular and reusable. [David Lovett] over at the Usagi Electric farm has two great examples that date back to the 1950s and 1960s, showing the jump in technology over the course of a mere decade.

The newer Varian Data Machines 620 from 1966 uses germanium diodes and transistors, while the 1956 Bendix G-15 uses germanium diodes with vacuum tubes, the latter effectively fulfilling the same purpose as the transistors. The main difference between the modules is the density, with a decade of technological improvements allowing for more than double the logic on similarly sized cards and a similarly impressive reduction in power usage.

Currently, [David] is working on reverse-engineering these so-called VersaLogic modules to be able to troubleshoot the Data/620 machine in his possession. The results of these efforts are being published on GitHub. Although you can think of these modules as more or less big versions of the 7400-logic ICs — which began to replace them in the Data/620I from 1967 — some of the circuits on the cards get pretty complex.

With hundreds of these VersaLogic cards in one Data/620 computer, finding a few dodgy germanium diodes and transistors on them is quite the struggle. Whereas the Bendix G-15 helpfully provided a semi-automatic tester for the modules, no such option appears to exist for these VersaLogic cards, leaving [David] to make his own version if he ever wants to see this 1960s machine that was once used at NASA roar back to life, and possibly read out what’s stored in the magic core memory.

This debugging process is complicated by the fact that these aren’t your basic 5 V TTL-style logic cards, but rather use -12 V and 0 V based high-threshold logic (HTL). Developing testing logic and hardware for these cards, which also takes into account the bidirectional nature of some of these cards, is a bit of a challenge. Fortunately, the Usagi Electric community is on the job, and you’re cordially invited to hop over to the official Discord channel to pitch in if that’s your thing.

We always enjoy thinking of different ways to implement logic. Even the really bizarre ones.

youtube.com/embed/9wE1WbcfxtI?…


hackaday.com/2025/08/02/explor…


2025 One Hertz Challenge: Learn Morse Code One Second at a Time


Learning Morse Code is no longer a requirement for HAMs in many jurisdictions, but it’s still a nice skill to have. [I_void(warranties)] wanted to learn, but couldn’t find a trainer that fit his style. What to do but build it yourself? Since we’re in the midst of a challenge, he took up the gauntlet and turned his need to learn Morse into a 1 hertz Morse code game.

In concept it is quite simple: a message beeps out in Morse, with a corresponding LED flash, all in one second. The player then has one second to type what they think they heard. Get it done fast enough, and a character LCD will tell you if you scored.

The project is based around an Arduino Nano; thanks to easily-available libraries, a PS/2 keyboard can serve as input and a 2×16 LCD as feedback with no real effort expended. For the audible component of the Morse challenge, an 8-ohm speaker is driven right off a pin on the Arduino. We won’t claim this efficient design only took one second to put together, but it probably didn’t take too long.

Of course this trainer, unlike some we’ve seen, only helps you learn to listen to the stream of dots and dashes. None of the others ever tried to fit a One Hertz theme, or [I_void(warranties)]’s particular learning style. For some, decoupling send and receive might be just the ticket to finally learning Morse one second at a time.

2025 Hackaday One Hertz Challenge


hackaday.com/2025/08/02/2025-o…


This Plane Flies Slow Because Its Wings Really Blow


The key to Short Takeoff and Landing (STOL) operations is the ability to fly slow, really slow. That’s how you get up fast without a long takeoff roll to build up speed. Usually, this involves layers of large flaps and/or leading edge slots, but [rctestflight] on YouTube decided he wanted to take a more active approach with a fully blown wing.

The airplane in question is R/C, of course, and good thing: these wings would be a safety nightmare for a manned aircraft. With a blown wing, air is blown out of a slot on the top end of the wing, producing a high-speed, high-pressure zone that keeps the wing flying when it would otherwise be completely stalled out. As long as everything works, that’s great! If an engine fails, well, suddenly you aren’t flying anymore — and you’re going too slow to glide. It ends badly.

[rctestflight] doesn’t have to worry about that, though, because this foamboard and pink styro R/C aircraft carries nothing that can’t survive a crash. (A couple of electric ducted fans (EDFs), an Ardupilot, a radio, and a battery are all pretty shock-resistant.) The EDFs sit midway down the chord of the wings, and blow air into a plenum carved into the foam. On each wing, the exhaust from the fans is driven rearward from a slot created by a piece of carbon fiber. This air serves not only as a lift-enhancement but also as the plane’s sole propulsion and a component of its control system.

Propulsion makes sense: all that air washing back of the wing was bound to create thrust, but control? Well, if you run the EDFs at different speeds, you’re going to create a different amount of thrust on each side of the aircraft. Differential thrust on a twin-engined aircraft can usually control yaw, but on this plane, it will also speak to pitch as the wing with more thrust will experience greater lift, causing that wing to rise and forcing the other to drop. It’s an interesting control scheme, but ultimately [rctestflight] decided he did not trust it enough not to add in ailerons.

The blown wing does work, however, with the plane having a very, very impressively short takeoff distance, doubly so for a seaplane. We shouldn’t be surprised, though. [rctestflight] has been at this a long time; we’ve seen everything from human-carrying hydrofoils to a series of solar soarers, to a 3D-printed rover-tank from the prolific YouTuber.

We still wouldn’t ride in it, though.

youtube.com/embed/o6FMjOl0TRA?…


hackaday.com/2025/08/02/this-p…


Thanks, Tamiya-san


We’re saddened to report the passing of Shunsaku Tamiya, the man behind the Tamiya line of models. What was surprising about this, though, is how many of our readers and writers alike felt touched by the Tamiya model company. I mean, they made great models, and they’re definitely a quality outfit, but the outpouring of fond memories across a broad spectrum was striking.

For example, we originally ran the story as breaking news, but our art director Joe Kim spent a good part of his childhood putting together Tamiya kits, and felt like he absolutely had to do a portrait of Mr. Tamiya to pay his respects. I presume Joe is more on the painting-the-models end of the spectrum of Tamiya customers, given his artistic bent. Jenny’s writeup is absolutely touching, and her fond remembrances of the kits shine through her writing.

Myself, I’m on the making-small-robots end of the spectrum, and was equally well served. Back in the early ’90s, the “twin motor gearbox” was a moderately challenging and tremendously rewarding build for me, but it was also the only variable-ratio small motor gearbox that we had easy access to for making small bots to run around the living room.

Indeed, the Tamiya line included a whole series of educational models and components that were just perfect for the budding robot builder. I’m sure I have a set of their tank treads or a slip clutch in a box somewhere, even today.

It’s nice to think of how many people’s lives were touched by their kits, and to get even a small glimpse of that, you just need to read our comment section. We hope the company holds on to Mr. Tamiya’s love for quality kits that inspire future generations, whether they end up becoming artists, engineers, or simply hackers.

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!


hackaday.com/2025/08/02/thanks…


An ATTiny GPU Fan Controller That Sticks


ATTiny85 as fan controller

When your GPU fan goes rogue with an unholy screech, you either shell out for a new one or you go full hacker mode. Well, [ashafq] did the latter. The result is a delightfully nerdy fan controller powered by an ATTiny85 and governed by a DS18B20 temperature sensor. We all know a silent workstation is golden, and there’s no fun in throwing money at an off-the-shelf solution. [ashafq]’s custom build transforms a whiny Radeon RX 550 into a cool, quiet operator. Best of all: it’s built from bits likely already in your junk drawer.

To challenge himself a bit, [ashafq] rolled his own temperature-triggered PWM logic using the 1-Wire protocol on an ATtiny85, all without libraries or bloated firmware. The fan’s speed only ramps up when the GPU gets toasty, just like it should. It’s efficient and clever, and that makes it a fine hack. The entire system runs off a scavenged 12V fan. He could have used a 3D printer, but decided to stick it onto the card with double-sided tape. MacGyver would approve.

The results don’t lie: idle temps at 40 °C, load peaking at 60 °C. Quieter than stock, smarter than stock, and way cheaper too. The double-sided tape may not last, but that leaves room for improvement. In case you want to start on it yourself, read the full write-up and feel inspired to build your own. Hackaday.io is ready for the documentation of your take on it.

Modifying fans is a tradition around here. Does it always take a processor? Nope.


hackaday.com/2025/08/02/an-att…


Microsoft Edge launches Copilot Mode, following Chrome's lead


After two years of small changes to the Edge browser's artificial intelligence features, Microsoft recently added Copilot Mode to Edge, officially entering the market for AI browsers.

Specifically, the AI feature in the Edge browser is no longer just a chat sidebar as it was before. The new Copilot Mode lets the AI read and understand the content of web pages, for example helping to interpret a page of technical documentation or providing a viewing overview for a YouTube video.

It can also browse all open web pages at the same time, and when you are struggling to switch between the pages of a product or a hotel, it can help you build a comparison table to support your decision. Microsoft has also added voice chat features, which let you understand web pages and communicate with the AI in real time.

These features may seem similar to those of the AI browsers currently on the market, but Microsoft CEO Satya Nadella praised them highly, stating: “This is the first step in redefining the browser for the era of artificial intelligence.”

The feature is currently experimental, and Microsoft says it will gradually add new capabilities to Copilot Mode. Another implication of this experiment is that Copilot Mode is currently “free for a limited time”. Considering that Copilot is still based on OpenAI's foundation models, this means that many of ChatGPT's paid features can be used for free.

For example, ChatGPT's paid DeepResearch feature can be used in Copilot Mode. Nadella also revealed that he will launch a task agent feature, which will allow users to delegate tasks to Copilot while browsing the web. An AI entrepreneur called it a free alternative to ChatGPT Agent. ChatGPT Agent is currently available only to Plus users and above, with a minimum monthly fee of 20 dollars.

This is probably Edge's biggest draw compared with other AI-based browsers. Until OpenAI officially launches its own browser, the alternative version of ChatGPT can be used in Edge, which gives Sam Altman one more excuse to leave Microsoft.

The article Microsoft Edge launches Copilot Mode, following Chrome's lead comes from il blog della sicurezza informatica.


Vibe Coding out of control. AI generates vulnerable code, but nobody cares


Artificial intelligence is increasingly becoming an assistant for programmers, but a Veracode study has shown that the convenience comes with a security risk. An analysis of 100 leading large language models (LLMs) revealed an alarming pattern: in almost half of the cases, the models generate vulnerable code.

According to a Veracode report, 45% of the code generated for the tasks contained known vulnerabilities. This holds even for the newest and most powerful models. The situation has not changed much over the last two years, despite technological progress.

Tests were run on 80 tasks in four programming languages: Java, JavaScript, C# and Python. The most common vulnerabilities were checked: SQL injection, XSS, log injection and the use of insecure cryptography.

Java showed the worst results: only 28.5% of the solutions were secure. The best were Python (61.7%) and JavaScript (57%). The developers attribute this result to the quality of the training data: Java was often used before SQL injection was actively studied, and the models were able to “learn” the bad examples.

LLMs are particularly poor at handling XSS and log injection, with a pass rate of no more than 13%. The situation is better with SQL injection and cryptographic errors, where the level of code security reaches 80-85%.

Model size has practically no effect on the result. Even LLMs with more than 100 billion parameters show the same 50% success rate as smaller models with fewer than 20 billion.

The researchers point out that LLMs are generally not effective at sanitizing input data, especially without context. The problem is made worse by the fact that most models were trained on code publicly available on GitHub and other sites, which often contains insecure examples, sometimes intentionally so, as in educational projects such as WebGoat.

Veracode warns that companies already adopting AI in the development phase, whether through open source platforms, contractors or low-code, could be unknowingly increasing the risk of data breaches and attacks.

The CEO of Val Town, Steve Kraus, calls this code “vibe code” on his blog: it is unstable, breaks constantly and requires a lot of debugging. According to him, “vibe coding” creates technical debt as fast as AI generates lines of code. It may be fine for prototypes, but not for serious projects.

The article Vibe Coding out of control. AI generates vulnerable code, but nobody cares comes from il blog della sicurezza informatica.


Custom Bedroom Lighting Controlled By Alexa


[Arkandas] had a problem. They liked reading in bed, but their bedroom lamps weren’t cutting it—either too bright and direct, or too dim and diffuse. The solution was custom lighting, and a new project began.

The concept was simple—build a custom controller for a set of addressable LED lighting strips that would be installed in the bedroom. Specifically, in the headboard of the bed, providing controllable light directly where it was needed. The strips themselves were installed in aluminum channel with plastic diffusers to give a nice smooth light. [Arkandas] then tasked an ESP32 to control the strips, using the FastLED library to work with WS2812B LEDs, and also the Adafruit NeoPixel library for using SK6812 LEDs and their extra white channel. The ESP32 was set up to provide a web interface for direct control over the local network. [Arkandas] also made good use of the FauxmoESP library to enable the device to be controlled via Amazon Alexa, which fit nicely into their existing smarthome setup. Files are on Github for the curious.

The final build works well, creating a soft light in the habitable area of the bed that can also be readily controlled via voice commands or via web. We’ve seen the ESP32 do other great feats in this arena before, too, albeit of the more colorful variety. Meanwhile, if you’re cooking up your own smart lighting solutions, don’t hesitate to tell the tipsline!


hackaday.com/2025/08/02/custom…


Shared ChatGPT chats on Google! Privacy threat or SEO opportunity?


Google has started indexing the ChatGPT conversations that users share through the “Share” button. The problem first came to light thanks to a journalistic investigation by Fast Company, which revealed, through the use of Google Dorks, that about 4,500 ChatGPT conversations were appearing in Google search results.

At first glance (as reported in a LinkedIn post by Jean Bonnenfant), for many this news sounds like a privacy nightmare: their questions, reflections or even business ideas risk becoming public and ending up visible in search results. Looking deeper, however, this move could turn into a revolution for the world of digital marketing, offering unprecedented opportunities for SEO and content marketing.

Anyone who has ever worked in digital marketing knows the importance of search intent: understanding what users are really looking for, which problems they want to solve and which questions they ask themselves. Until yesterday, finding this out meant using keyword research tools, forums, social media and direct interviews.

Now, thanks to this indexing, it is enough to search Google using the formula site:chatgpt.com/share followed by a keyword to discover the real questions people are asking an artificial intelligence about a given topic.

This is a true hidden treasure of free market research: hundreds, thousands or even millions of conversations that reveal the public's doubts, fears and curiosity. It is like getting direct access to the most spontaneous and intimate part of the search process, without filters and without the shyness that sometimes holds users back on social media or in public forums.

But it does not end there. For content creators, these conversations are a gold mine: questions nobody has covered yet, problems too specific to surface in traditional SEO tools, or curiosities people do not dare to ask openly in public. All of this material can become a source of highly targeted and useful articles, videos, podcasts and social posts for one's own audience.

In practice, a kind of public database of AI-user conversations is being created: a new type of user-generated content (UGC) that directly describes people's real needs. The companies and brands that are first to exploit this resource will be able to gain a notable competitive advantage, anticipating trends, answering questions not yet covered and reaching new audience segments.

Naturally, the privacy issue remains: many people do not realize that, by sharing a conversation, it becomes potentially public and indexable. The good news is that OpenAI offers an option to turn off this public sharing simply by unchecking the “Share” box at the time of sharing. In any case, this change marks the beginning of a new era for content marketing, where the authentic voice of people talking with AI becomes an integral part of the web that we can all explore.

The article Shared ChatGPT chats on Google! Privacy threat or SEO opportunity? comes from il blog della sicurezza informatica.


Universal Control for the Last Mac You’d Ever Expect


Universal control is a neat feature on Macintosh computers, allowing you to slide your mouse seamlessly from device to device. Of course you need a relatively recent version of MacOS to make it work, right? Not necessarily: thanks to [Bart Jakobs]’s MacFriends, universal control has come to the Macintosh Classic.
The Arduino is perfect for this purpose, but choosing it ruined a perfectly good pun and we can never forgive that.
Well, not exactly universal control, but similar functionality at any rate. [Bart] can slide his mouse from one side of his retina display over onto the glorious 512 x 342, 1-bit display of his Macintosh Classic, just as if the 68k powered antique was a modern device. As you might expect, the Motorola 68000 in that old Mac is getting a teensy bit of help, though sadly for our love of puns, from an Arduino Nano and not any kind of Teensy.

The Arduino is emulating a mouse and keyboard on the Apple Desktop Bus using code based on the adbuino by [akuker]. [Bart]’s custom software on the modern Mac captures the mouse and keyboard inputs to pipe to the Arduino via USB serial. Apple’s Universal control doesn’t require a wired connection between the two machines, of course, but then, it doesn’t work on the Classic. One could imagine redoing this project for Bluetooth communication to have that same Clarkian feeling of technological magic Apple has always wanted to convey, but nothing was wireless in 1990 except for telegrams and a handful of telephones, so the project is appropriate as-is.

As much as we might resent that micro-controller for ruining a pun, if you want to hook into the ADB (perhaps to use old peripherals with an emulated Macintosh), an Arduino will do the job. So would a Teensy, though, and then we’d have our pun.

Our thanks to [Bart Jakobs] for the tip. Don’t forget to send in your own: the endless maw of the tipsline is always hungry.


hackaday.com/2025/08/01/univer…


AI Code Review the Right Way


Do you use a spell checker? We’ll guess you do. Would you use a button that just said “correct all spelling errors in document?” Hopefully not. Your word processor probably doesn’t even offer that as an option. Why? Because a spellchecker will reject things not in its dictionary (like Hackaday, maybe). It may guess the wrong word as the correct word. Of course, it also may miss things like “too” vs. “two.” So why would you just blindly accept AI code review? You wouldn’t, and that’s [Bill Mill’s] point with his recent tool made to help him do better code reviews.

He points out that he ignores most of the suggestions the tool outputs, but that it has saved him from some errors. Like a spellcheck, sometimes you just hit ignore. But at least you don’t have to check every single word.

The basic use case is to evaluate PRs (pull requests) before sending them or when receiving them. He does mention that it would be rude to simply dump the tool’s comments into your comments on a PR. This really just flags places a human should look at with more discernment.

The program uses a command-line interface to your choice of LLM. You can use local models or select among remote models if you have a key. For example, you can get a free key for Google Gemini and set it up according to the instructions for the llm program. Of course, many people will be more interested in running it locally so you don’t share your code with the AI’s corporate overlords. Of course, too, if you don’t mind sharing, there are plenty of tools like GitHub Copilot that will happily do the same thing for you.

The review tool is just a bash script, so it is easy to change, including the system prompt, which you could tweak to your liking:

Please review this PR as if you were a senior engineer.

## Focus Areas
– Architecture and design decisions
– Potential bugs and edge cases
– Performance considerations
– Security implications
– Code maintainability and best practices
– Test coverage

## Review Format
– Start with a brief summary of the PR purpose and changes
– List strengths of the implementation
– Identify issues and improvement opportunities (ordered by priority)
– Provide specific code examples for suggested changes where applicable

Please be specific, constructive, and actionable in your feedback. Output the review in markdown format.


Will you use a tool like this? Will you change the prompt? Let us know in the comments. If you want to play more with local LLMs (and you have a big graphics card), check out msty.


hackaday.com/2025/08/01/ai-cod…


You Can Make Your Own Floppy Drive Cleaning Disks


Once upon a time, you could buy floppy drive cleaning disks at just about any stationery or computer store. These days, they’re harder to find. If you want to build one yourself, though, you might do well to follow [Gammitin]’s fine example.

[Gammitin] has been down this road before, having built head cleaning disks in the past. This time, a US patent was the inspiration. It basically indicated that the spinning cleaning disc inside should be made of spunbonded polyester or spunbonded olefin (such as Dupont Tyvek), so those materials were sought out.

The project began with [Gammitin] disassembling a standard floppy disk down to its bare components. The spindle was then separated from the magnetic platter, and refitted with a disc of Tyvek material using super glue. The disk housing was then glued back together with more super glue, and labelled as a “Floppy Cleaning Disk.” Using the disk is as simple as putting a few drops of isopropyl alcohol on the Tyvek material, and inserting it into a drive. [Gammitin] tested it with an old Olivetti machine, and found it cleaned up the heads nicely.

Sometimes, when a commercial product ceases to exist, you can just make your own at home. This is a great example of that ethos. If you’re cooking up your own tools and accessories to keep your old machines running, we’d love to hear all about it on the tipsline!


hackaday.com/2025/08/01/you-ca…


Digital Guitar of the Future has no strings


Electric guitars are great, but they’re just so 20th century. You’d think decades of musicians riffing on the instrument would mean there are no hacks left in the humble axe. You’d think so, but you’d be wrong. [Michael], for one, has taken it upon himself to reinvent the electric guitar for the digital era.

Gone are the strings, and the frets have vanished as well. The neck of this guitar is one long custom PCB, looking very sleek with black solder mask. Gold pads serve as touch sensors to give tone data over i2c (from unspecified touch sensing chips) to the Atmel Mega 32u4 at the heart of the build.

With no strings, strumming won’t work, so a laptop-style touchpad serves instead. That means every user interaction with this guitar is with capacitive touch sensors talking i2c. The X and Y coordinates of the touch, along with pressure are sent to the processor over the i2c bus, triggering an interrupt and offering quite a bit of opportunity for sound control.

Said sound control is, of course, done in MIDI. This lets the guitar control a whole variety of synths and/or software, and of course [Michael] is using more futuristic-sounding synths than a pack of guitar samples. That said, what exactly goes on with the MIDI controls is left frustratingly vague. Obviously fretting provides note selection, but does the touchpad just send a “note start” command, or are the X, Y and pressure data used in interesting ways? Is there multitouch support? The video doesn’t say.

How, exactly, the obviously-plastic body of the guitar was manufactured is also left unsaid. Is it a large resin print? SLS? It looks injection-molded, but that makes no sense for a one-off prototype. On the other hand, it looks like he’s selling these, so it may very well be an injection-molded production case we’re seeing being assembled here, and not a prototype at all.

For all the video leaves us wanting more information, we can’t help but admit the end product both looks and sounds very cool. (Skip to the 4:50 mark in the embedded video to hear it in action.) The only thing that would improve it would be a hurdy-gurdy mode. Thanks to [Michael] for the tip, and remember we want to hear tips about all the weird and wonderful hacked-together instruments you make or find on the web.

youtube.com/embed/YTp3YmfvtcU?…


hackaday.com/2025/08/01/digita…


iOS 0day/0click RCE Exploit for Sale. Exploring the Market for Cyber Weapons Used in Espionage


An advertisement that appeared on an online forum, dated 26 July 2025, caught our attention: a user named “Bucad” is advertising the sale of an “iOS RCE Exploit 0day | ZeroClick/1Click”. The exploit, apparently able to fully compromise an iOS 18.5 device, including gaining root privileges, with no visible crashes or significant user interaction, and with persistence capabilities, represents a potential threat of significant proportions.

Although the truthfulness of such claims always remains to be proven in contexts like these, the advertisement raises crucial questions about the workings and implications of the market for 0-day exploits and spyware, which we want to bring back to attention.

What Is a 0-day RCE Exploit?


A 0-day RCE (Remote Code Execution) exploit takes advantage of a critical software vulnerability that lets an attacker execute arbitrary code on a remote system (RCE) without the software vendor (in this case, Apple) being aware of it or having had time to release a patch (0-day).

The key characteristics of a 0-day RCE, such as those described in the advertisement, make it extremely dangerous:

  • ZeroClick / 1Click: Indicates that the attack requires no or minimal interaction from the user. A “ZeroClick” attack can compromise a device simply by sending a message or an unanswered call, making it almost impossible for the victim to detect. A “1Click” requires a single action, such as opening a link.
  • Full device compromise with root: Means that the attacker obtains the highest level of control over the system, and can access all data, install software, change settings and monitor the user’s activity.
  • Stealth (no user, no crash): The exploit operates invisibly, without generating error messages or anomalous behaviour that could alert the user.
  • Extensibility and persistence: The ability to maintain access to the device even after reboots, facilitating long-term espionage.

In this specific case, an exploit of this level for an operating system like iOS would be extremely valuable. If the claims were true, such a bug, affecting the latest version of iOS (18.5) and supporting future updates, could be worth millions of euros on the black market, reflecting its rarity and enormous potential for exploitation.

What Is an Exploit of This Calibre Used For?


A 0-day RCE exploit, especially for platforms as widespread as iOS, can be used for a variety of purposes, most of them illicit or ethically questionable:

  • Government espionage: States and intelligence agencies use it to monitor dissidents, journalists, activists, foreign government officials or high-value targets.
  • Cybercrime: Criminal groups could use it to steal sensitive data and banking credentials, install ransomware or conduct large-scale fraud.
  • Industrial espionage: Companies or states can use such exploits to steal trade secrets or strategic information from competitors.
  • Sabotage: In extreme scenarios, full control of the device could also enable acts of sabotage or disinformation.


The 0-day Broker Market


There is a market, largely underground and highly specialized, where 0-day exploits are bought and resold, including in private auctions. The main players include:

  • Independent security researchers: Some cybersecurity experts, after discovering a vulnerability, decide to sell it to the highest bidder instead of disclosing it to the vendor (a process known as “responsible disclosure”).
  • Vulnerability brokers: These are intermediaries that act as a “marketplace” for 0-days. Companies such as Zerodium, Exodus Intelligence or Crowdfense are among the best known. They offer large sums of money for verified exploits, particularly those affecting widely used operating systems and applications such as iOS, Android or web browsers. The sums can reach exorbitant figures, up to several million dollars for “full chain” exploits (which combine multiple vulnerabilities to obtain total control without user interaction).
  • Governments and intelligence agencies: These are among the main buyers, willing to pay astronomical sums to acquire unique offensive capabilities.
  • Spyware vendors: Companies that develop and sell advanced surveillance software, and that use these valuable 0-days to infect victims’ smartphones and achieve full compromise and therefore surveillance.


The Spyware Market and Its Controversies (Pegasus, Paragon, etc.)


The 0-day market is closely tied to the commercial spyware industry, which often relies on these exploits to operate. Companies such as NSO Group (with its well-known Pegasus spyware), Candiru, Paragon, Gamma Group (with FinFisher) and others develop sophisticated surveillance software that can intercept calls, read messages, access the microphone and camera, track location and steal data from a target device.

This spyware is sold to governments and law enforcement with the justification of fighting terrorism, organized crime and paedophilia. However, its use has become the subject of heated debate and bitter controversy for several reasons:

  1. Human rights abuses: Numerous journalistic investigations (such as the “Pegasus Project”) and reports by human rights organizations have documented the use of this spyware to spy on journalists, lawyers, human rights activists, political opponents and even heads of state. This raises serious concerns about violations of privacy, freedom of expression and the right to a fair trial.
  2. Lack of transparency and accountability: Spyware makers often operate with little transparency, claiming to sell only to “legitimate” governments and to have “kill switches” to prevent abuse. However, cases of abuse continue to emerge, and the control and accountability mechanisms appear insufficient.
  3. Risk of proliferation: Once spyware powered by a 0-day is used, the underlying exploit can be discovered and potentially reused by other malicious actors, as happened with the NSA’s EternalBlue, which was later used for WannaCry and NotPetya.
  4. Impact on digital trust: The existence of such powerful tools and their misuse undermine trust in digital technologies and in the security of online communications.


Conclusion


The international community is divided on how to handle this market. Some argue for a total ban on the sale of spyware to non-state entities and for stricter regulation at the global level. Others point to the need for such tools for national security and the fight against real threats, while acknowledging the problem of abuse.

In conclusion, the advertisement of a 0-day exploit for iOS, although its authenticity remains to be verified, reminds us of the continuing threat posed by software vulnerabilities and of the existence of a highly sophisticated underground market. This ecosystem, fuelled by brokers and spyware companies, poses global ethical and security challenges that require ever greater attention and regulation to protect the rights and privacy of individuals in the digital age.

The article iOS 0day/0click RCE Exploit for Sale. Exploring the Market for Cyber Weapons Used in Espionage comes from il blog della sicurezza informatica.


2025 One-Hertz Challenge: The Flip Disc Clock


Do you like buses, or do you just like the flippy-flappy displays they use to show route information? Either way, you’ll probably love the flip-disc clock created by [David Plass].

The build is based around four seven-segment flip disc displays. The modules in question are from Flipo.io. They use a hefty 0.5 amp pulse to create a magnetic field strong enough to flip the discs from one side to the other with coils placed underneath the fluro/black flipdots themselves. The modules are controlled by a Wemos D1, which uses Wi-Fi to query an NTP server to keep accurate time. It then drives the necessary segments to display the current time. The whole thing is assembled in what appears to be some kind of kitchen storage tub.

Notably, the clock flips a couple dots once every second to meet the requirements of our One-Hertz Challenge. This also makes it obvious that the clock is working when it would otherwise be static. However, [David] notes commenting out that part of the code at times, as it can be quite loud!

This clock has got fluro dots, it’s well-executed, and it’s a fine entry to the 2025 One-Hertz Challenge. We’ve also previously explored how these beautiful displays work in detail, too. Meanwhile, if you’re busy repurposing some other kind of mechanical display technology, don’t hesitate to let us know!



hackaday.com/2025/08/01/2025-o…


Two For The Price Of One: BornHack 2024 And 2025 Badges


BornHack is a week-long summer hacker camp in a forest on the Danish island of Fyn, that consistently delivers a very pleasant experience for those prepared to make the journey. This year’s version was the tenth iteration of the camp and it finished a week ago, and having returned exhausted and dried my camping gear after a Biblical rainstorm on the last day, it’s time to take a look at the badges. In case you are surprised by the plural, indeed, this event had not one badge but two. Last year’s badge suffered some logistical issues and arrived too late for the camp, so as a special treat it was there alongside the 2025 badge for holders of BornHack 2024 tickets. So without further ado, it’s time to open the pack for Hackaday and see what fun awaits us.

Two Very Elegant Badges

Both sides of the BornHack 2024 badge PCB. Best photographed with the badge turned off, the BornHack 2024 badge’s LEDs are BRIGHT!
Both badges are the work of [Thomas Flummer], someone who has appeared here more than once over the years with an array of beautifully designed badges and SAOs. First out is the 2024 one, and it’s a slim rectangular board around 140 by 45 mm with a row of addressable LEDs and a BornHack logo on the front, and the electronics and LiPo battery on the rear. It’s elegant in its simplicity, with an ESP32-C3 Mini module, battery charger and power supply circuit, and an NT3H2x11 addressable NFC chip and associated antenna. There are also the usual SAO and QWiC connectors plus some GPIO pads for expandability.

The LEDs on the front can display pretty colours of course, but their intended use is for persistence-of-vision displays. On its GitHub repository are several firmwares should you wish to play around with this. Meanwhile the NFC chip is interesting in itself, as it’s both a passive tag that can be read when the badge is turned off, and a tag that can be addressed by the ESP32. It was intended for an NFC game at BornHack 2024, but it remains a part worth investigating.
The BornHack 2025 badge PCB, both sides. The Molex antenna on the 2025 badge sticks over the PCB antenna, which isn’t ideal, but seemed to work.
Having given some attention to the 2024 badge it’s time to pick up the 2025 model, which is a large white PCB in the shape of an Ø character. On the front is a BornHack logo and a row of backlit status icons on the left hand side, while on the back you’ll find the electronics and a pair of AA batteries. It’s a LoRa experimentation board, so alongside another ESP32-C3 Mini there’s a European 868 MHz LoRa Module. There’s a PCB antenna on the board but this module has one of those tiny co-axial connectors and was supplied with a Molex stick-on antenna. Full design details can be found in its GitHub repository.

A Real World LoRa Propagation Test

A track on the BornHack site, stretching away into the forest. BornHack: Very lovely, but not the best landscape for radio.
Out-of-the-box, this badge came with a Meshtastic node firmware, which for a hacker camp badge worked very well indeed. It’s easy enough to connect to the Meshtastic app on your smartphone, and soon a plethora of nodes sprang up. Most of you will be familiar with Meshtastic networks so it’s not worth going into too much detail on that front, but the site offered an interesting opportunity to test both those Molex antennas, and 868 MHz propagation in a real-world setting.

The BornHack site is not the least challenging location from a UHF radio perspective, being a series of former gravel pits interspersed with dense forest over a large area. Thus instead of line-of-sight it offers earth banks and dense foliage, neither ideal for radio propagation. I tested it by going to the far corners of the site and sending messages to my friends, and I was pleased to find I could cover the whole terrain with no more than a single intermediate badge providing a relay. This is as much to do with the clever tech behind LoRa as it is the Molex antennas, but I was still pleasantly surprised that they worked that well. In use it makes far more sense to take power from a USB-C source than those batteries, and I found it didn’t appreciably accelerate my phone’s power drain.
The EMF Explorer badge. The alien abduction artwork on the EMF Explorer makes for great backlighting.
So at the camp with two badges there was plenty to do with both of them, and it’s pleasing to see a design very much focused around life after the camp. I particularly like the “10” they form together as a reference to the tenth BornHack. The 2024 badge provides a fun light show and a chance to experiment with an interesting NFC chip, while there’s every chance you’ll encounter one of the 2025 badges providing Meshtastic service in a European hackerspace over the next few years, or being carried around as a personal node.

The two official badges weren’t entirely the end of the badge story for me at BornHack, because along the way I also picked up a sporklogic.com EMF Explorer badge from its creator [Darcy Neal]. It’s an analogue circuit for listening to ambient electric fields in glorious stereo which is enough fun, but the party piece is the UFO design backlit by a green LED. One of the most effective uses of unclad PCB I have seen on a badge.


hackaday.com/2025/08/01/two-fo…


Microsoft Draws Up the List of 40 Jobs That Will Disappear Thanks to AI. “Hands-On” Jobs Hold Out


A new Microsoft study offers a surprising (and unsettling) look at how generative artificial intelligence is reshaping the global workforce. Contrary to popular belief, it is not only high-tech professionals who are feeling the change: salespeople, journalists, proofreaders and translators are also in AI’s sights.

And these are not just predictions: they are based on real usage data that is redrawing the employment map. At the top of the “most affected” list are jobs centred on information, communication and content creation, such as translators, historians and writers. These are roles in which language models excel, assisting users in tasks such as rewriting, summarizing or translating with accuracy and speed.

By contrast, hands-on or physically demanding roles hardly overlap with what chatbots are able to do. These include jobs such as electricians, plumbers and hazardous materials removal workers. Put simply: artificial intelligence can imitate intellectual work, but not manual work.

However, Microsoft’s study on artificial intelligence avoided making general claims about job losses or job creation. It has not yet gone so far as to say whether the technology will replace jobs or simply reshape them. This question is at the centre of a heated debate in the technology sector. Meanwhile, Anthropic CEO Dario Amodei recently issued a warning to the public: within five years, up to half of all entry-level white-collar jobs could disappear.

The head of design at Mercedes-Benz went further, stating that artificial intelligence will replace him in 10 years and that it will also be much cheaper. Others, such as billionaire Mark Cuban, argue that the technology will end up creating new jobs. Kiran Tomlinson, lead researcher at Microsoft, stressed that the results point to task-level support rather than complete automation of work.

However, some fear it is only a matter of time before robotics and artificial intelligence begin to creep into these areas as well. The study raises broader questions about how societies and governments intend to manage the changes that artificial intelligence will bring. While some experts hope that artificial intelligence will free people from tedious tasks or help solve major problems such as disease or poverty, others fear rising unemployment, inequality and social unrest.

In other words, artificial intelligence may help you simplify your work, but it is still unlikely to take it over completely. Another important caveat: the study assessed only the impact of large language models, not of other types of artificial intelligence. So even if chatbots are not replacing truck drivers today, advances in robotics or autonomous driving could affect these sectors in the future.

Nevertheless, the study reinforces the growing consensus that this revolution hits office jobs first.

The article Microsoft Draws Up the List of 40 Jobs That Will Disappear Thanks to AI. “Hands-On” Jobs Hold Out comes from il blog della sicurezza informatica.


Hackaday Podcast Ep 331: Clever Machine Tools, Storing Data in Birds, and the Ultimate Cyberdeck


Another week, another Hackaday podcast, and for this one Elliot is joined by Jenny List, fresh from the BornHack hacker camp in Denmark.

There’s a definite metal working flavour to this week’s picks, with new and exciting CNC techniques and a selective electroplater that can transfer bitmaps to metal. But worry not, there’s plenty more to tease the ear, with one of the nicest cyberdecks we’ve ever seen, and a bird that can store images in its song.

Standout quick hacks are a synth that makes sounds from Ethernet packets, and the revelation that the original PlayStation is now old enough to need replacement motherboards. Finally we take a closer look at the huge effort that goes in to monitoring America’s high voltage power infrastructure, and some concerning privacy news from the UK. Have a listen!


And/or download your own freshly-baked MP3, full of unadulterated hacky goodness.

hackaday.com/2025/08/01/hackad…


A Proper Computer For a Dollar?


When a tipster came to us with the line “One dollar BASIC computer”, it intrigued us enough to have a good look at [Stan6314]’s TinyBasRV computer. It’s a small PCB that forms a computer running BASIC. Not simply a microcontroller with a serial header, this machine is a fully functioning BASIC desktop computer that takes a PS/2 keyboard and a VGA monitor. Would that cheap price stand up?

The board uses a CH32 microcontroller, a RISC-V part that’s certainly very cheap indeed and pretty powerful, paired with an I2C memory chip for storage. The software is TinyBASIC. There’s some GPIO expandability and an I2C bus, and it’s claimed it can run in headless mode for a BASIC program to control things.

We haven’t added up all the parts in the BoM to check, but even if it’s not a one dollar computer it must come pretty close. We can see it could make a fun project for anyone. It’s certainly not the only small BASIC board out there; it’s got some competition.

Thanks [Metan] for the tip.


hackaday.com/2025/08/01/a-prop…


This Week in Security: Spilling Tea, Rooting AIs, and Accusing of Backdoors


The Tea app has had a rough week. It’s not an unfamiliar story: Unsecured Firebase databases were left exposed to the Internet without any authentication. What makes this story particularly troubling is the nature of the app, and the resulting data that was spilled.

Tea is a “dating safety” application strictly for women. To enforce this, creating an account requires an ID verification process where prospective users share their government issued photo IDs with the platform. And that brings us to the first Firebase leak: 59 GB of photo IDs and other photos for a large subset of users. This was not the only problem.

There was a second database discovered, and this one contains private messages between users. As one might imagine, given the topic matter of the app, many of these DMs contain sensitive details. This may not have been an unsecured Firebase database, but a separate problem where any API key could access any DM from any user.

This is the sort of security failing that is difficult for a company to recover from. And while it should be a lesson to users, not to trust their sensitive messages to closed-source apps with questionable security guarantees, history suggests that few will learn the lesson, and we’ll be covering yet another train-wreck of similar magnitude in another few months.

The Pi-hole (And Many Others’) Donor Leaks


The folks at Pi-hole are leading the charge in reporting on the leaks of the names and email addresses of donors to that and many other projects. The problem was actually in version 4.6.0 of GiveWP, a popular WordPress plugin.

Well this sucks: @The_Pi_Hole, my favourite maker of network-level blocker of nasty things, has inadvertently been caught up in a data breach by virtue of a WordPress plugin they use for donations: t.co/ANSMIA5u5G

— Troy Hunt (@troyhunt) July 30, 2025

The details of what happened aren’t pretty. The plugin had a bug where it was injecting the entire donor list into the source code of the site using the plugin. The only redeeming element here is that those leaks were strictly limited to name and email address. But of course, that’s enough for bad actors to scrape the lists and start sending spearphishing emails, which has already happened.

One more thing to cover regarding this issue is the response from Impress.org, the makers of the plugin. The problem was fixed within hours of the report on GitHub. This turn-around is great, but the vulnerable plugin was out for a full week before it was disclosed to the authors. The official comments from Impress.org on the GitHub issue linked above fall just a bit short on recognizing the severity of the issue, and taking responsibility. At the same time, it’s extremely challenging to strike the right note when writing up a response to an issue like this.

Pi in the Bank


We’ve covered a case or two where a mysterious Raspberry Pi was discovered on the network, but this one is a bit different. First off, the network in question belongs to a bank. And second, this Pi had a 4G cellular modem strapped to it.

It turns out this device was dropped as part of a scheme by the cyber crime group tracked as UNC2891. This attack has been reported to have taken place in Asia, without many more details about the target. It’s believed that this was an attempt to infiltrate the bank’s ATM network, and eventually compromise a Hardware Security Module (HSM), and ultimately steal money from the bank.

This attack was quite sophisticated, with a new technique demonstrated to hide malicious processes via Linux bind mounts. This works by bind mounting an existing process’s /proc/ folder over that of the process to hide. Many utilities won’t catch the switcheroo, as the kernel file handling will follow the bind mount over the real files. Though we do take some issue with the write-up referring to a bind mount as an “obscure Linux feature”.
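A defender-side check for the bind-mount trick described above, as an added example (not code from the write-up or from this column): it parses a mount table in /proc/self/mountinfo format and flags any mount point that sits on or under a /proc/<pid> entry. The sample mount table, PIDs and function names are constructed for illustration, and reading a root field of the form /<pid> as the decoy process is an assumption about how the kernel reports such a bind mount.

```python
"""Added example: flag mounts that shadow /proc/<pid> entries (mountinfo parser)."""
import re
from typing import List, NamedTuple, Optional


class Mount(NamedTuple):
    mount_id: int
    root: str          # path inside the source filesystem that was mounted
    mount_point: str   # where it appears in this mount namespace
    fstype: str


class Finding(NamedTuple):
    pid: int                  # process whose /proc entry is covered
    decoy_pid: Optional[int]  # process shown instead, when it can be inferred
    mount_point: str
    fstype: str


_OCTAL = re.compile(r"\\([0-7]{3})")
_PID_ENTRY = re.compile(r"^/proc/(\d+)(?:/.*)?$")
_PID_ROOT = re.compile(r"^/(\d+)$")


def _unescape(field: str) -> str:
    # The kernel writes space, tab, newline and backslash as \040 \011 \012 \134.
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Mount]:
    """Parse /proc/<pid>/mountinfo text; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        try:
            # Fields 0-5 are fixed; zero or more optional fields follow, then "-".
            sep = fields.index("-", 6)
            mounts.append(Mount(int(fields[0]), _unescape(fields[3]),
                                _unescape(fields[4]), fields[sep + 1]))
        except (ValueError, IndexError):
            continue
    return mounts


def find_shadowed_pids(mountinfo_text: str) -> List[Finding]:
    """Return one finding per mount placed on or under /proc/<pid>."""
    findings = []
    for m in parse_mountinfo(mountinfo_text):
        hit = _PID_ENTRY.match(m.mount_point)
        if not hit:
            continue  # /proc itself, /proc/sys/..., /proc/kcore masks, etc.
        # Assumption: a procfs bind mount of /proc/<decoy> reports root "/<decoy>".
        decoy = _PID_ROOT.match(m.root) if m.fstype == "proc" else None
        findings.append(Finding(int(hit.group(1)),
                                int(decoy.group(1)) if decoy else None,
                                m.mount_point, m.fstype))
    return findings


# Constructed sample: a normal mount table plus one line (id 410) of the kind
# the technique would leave behind. PIDs and mount ids are made up.
SAMPLE_MOUNTINFO = r"""
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
35 22 0:30 / /proc/sys/fs/binfmt_misc rw,relatime shared:14 - autofs systemd-1 rw,fd=29
411 22 0:5 /null /proc/kcore rw,nosuid master:2 - devtmpfs devtmpfs rw
410 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
60 28 8:1 /data /mnt/with\040space rw,relatime - ext4 /dev/sda1 rw
"""

if __name__ == "__main__":
    import os
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    for f in find_shadowed_pids(text):
        shown = f"shows pid {f.decoy_pid}" if f.decoy_pid else "decoy unknown"
        print(f"ALERT {f.mount_point}: {f.fstype} mount covers pid {f.pid} ({shown})")
```

Run it against the mount table of the host's own mount namespace; a clean system normally has no mount points of the form /proc/<pid>, so any finding deserves a look.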

And since we’re talking about banking, do you know how wire transfers actually work? It turns out, it’s an ASCII file just under 1k, sent using SFTP. There are some very old quirks to these files, like the insistence that the number of lines in the file be a multiple of 10, and the padding with 9s.

When you make a Bank ACH transaction, it’s literally just an SFTP upload.

Sent as a NACHA file, it's 940 bytes of ASCII text.

Bank-to-Bank transactions cost ~0.2 cents. As long as it travels via encrypted tunnel; it’s compliant!

Here’s how the quirky system works: pic.twitter.com/NHewY8Ojgn

— LaurieWired (@lauriewired) July 29, 2025

Rooting the Root AIs


There has been a rash of stories recently about what can happen when an agentic AI has too much power and ineffective guardrails. This week is no different, with the first story being about prompt injection in Gemini. This AI agent does have guardrails, in the form of a whitelist of commands that it is allowed to run on the system. The problem is that it’s not always apparent to users what commands have security implications.

Then there is Copilot Enterprise, which gained a Python sandbox and Jupyter Notebook earlier this year. And Copilot is perfectly happy to help the user troubleshoot how to run commands using the %command syntax. That gives just enough purchase to get root access in the Jupyter container, but that’s where this exploitation ends. It is interesting, how often the key to compromising an AI is simply to ask nicely.

Zero-Trust Falls to CSRF


We don’t know the start-up that this penetration test tested, but we do know that they were building a zero-trust platform for secure VPN-like access. The entire stack was defeated by an attack as simple as a Cross-Site Request Forgery (CSRF) and an improper Cross-Origin Resource Sharing (CORS) configuration. JavaScript running on a malicious web page could use these two weaknesses to access an SSH key generation utility on the target infrastructure, and smuggle the key out. This led to a complete AWS identity takeover and more. It was a complete win for the red team, and immensely valuable to the client to find this vulnerability chain this way, rather than in production.

Nvidia Backdoors?


The other big news this week is what sounds like an accusation from Chinese officials that Nvidia has put a backdoor in its new H20 device. These Enterprise GPUs are engineered specifically for export to China, to meet the current US export restrictions around AI hardware. It’s unclear what exactly is going on here, but it’s not very likely that Nvidia actually put backdoors in their hardware, regardless of the intended market.

Bits and Bytes


CISA has released a new security tool as Open Source. Thorium is a new file analysis tool designed to safely investigate binaries.

CrushFTP has an RCE because of a missed authentication check on an endpoint. It allows an XML-RPC call to request the use of system.exec, which does exactly what it says it does. This manages a 9.8 CVSS as it’s unauthenticated, simple to pull off, accessible from the network, and grants RCE.

And finally, what certainly wins the simplest hack of the week award, [Mahmoud El Manzalawy] was looking at a CRM solution, and discovered an HTTP POST call that was replying with a 201 status, indicating it was successfully inserting a record into the remote database. What happens if that POST was changed to a GET and resent? The application responds with a full dump of the user database. It’s not supposed to do that. Which seems to sum up everything we cover in this column.


hackaday.com/2025/08/01/this-w…


Turning Waste Plastic into Spools of Filament


A filament extruder is shown on a workbench. On the front is a knob and the display of a PID controller. A black geared spool is mounted on the top of the extruder, and on the right, a clear plastic bottle is positioned over a metal rod.

Despite being a readily-available source of useful plastic, massive numbers of disposable bottles go to waste every day. To remedy this problem (or take advantage of this situation, depending on your perspective) [Igor Tylman] created the PETmachine, an extruder to make 3D printer filament from PET plastic bottles.

The design of the extruder is fairly standard for such machines: a knife mounted to the frame slices the bottle into one long strip, which feeds through a heated extruder onto a spool which pulls the plastic strand through the system. This design stands out, though, in its documentation and ease of assembly. The detailed assembly guides, diagrams, and the lack of crimped or soldered connections all make it evident that this was designed to be built in a classroom. The filament produced is of respectable quality: 1.75 mm diameter, usually within a tolerance of 0.05 mm, as long as the extruder’s temperature and the spool’s speed were properly calibrated. However, printing with the filament does require an all-metal hotend capable of 270 ℃, and a dual-drive extruder is recommended.

One issue with the extruder is that each bottle only produces a short strand of filament, which isn’t sufficient for printing larger objects. Thus, [Igor] also created a filament welder and a spooling machine. The welder uses an induction coil to heat up a steel tube, inside of which the ends of the filament sections are pressed together to create a bond. The filament winder, for its part, can wind with adjustable speed and tension, and uses a moving guide to distribute the filament evenly across the spool, avoiding tangles.

If you’re interested in this kind of extruder, we’ve covered a number of similar designs in the past. The variety of filament welders, however, is a bit more limited.

Thanks to [RomanMal] for the tip!


hackaday.com/2025/08/01/turnin…


Lovense Writes to Red Hot Cyber. The CEO Sends Clarifications on the Security Vulnerabilities


Following our earlier article on the security bugs found in Lovense devices (a leading company in the sector of technology devices for intimacy), the company has released an official statement to Red Hot Cyber.

The statement responds to the recent concerns raised by the press about the security bugs found in its products.

Dan Liu, CEO of Lovense, wanted to reassure customers and partners of the company's ongoing commitment to protecting user privacy and security through a press release that we share with our readers.

The vulnerabilities identified


A security researcher, through a bug bounty platform in which Lovense has participated since 2018, identified two specific vulnerabilities:

  1. Email address exposure: a bug that could potentially expose the email addresses associated with Lovense accounts through specific network activity.
  2. Account takeover risk: a vulnerability that could have allowed unauthorized access to accounts using email addresses, without needing a password.

It is important to stress that these vulnerabilities were discovered under controlled conditions and not through malicious activity. Below is the Lovense statement in full, as provided to Red Hot Cyber.
Statement Regarding Recent Lovense Security Vulnerabilities

Statement from the CEO of Lovense

At Lovense, maintaining the trust of our customers and partners is our highest priority. We are aware of the recent report regarding security vulnerabilities disclosed by a security researcher. We want to provide clarity on the situation and outline the steps we have taken to address these concerns.

Summary of the Issue

The security researcher identified two vulnerabilities in our systems:

1. Email Address Exposure: A bug that could potentially expose email addresses associated with Lovense accounts through specific network activity.
2. Account Takeover Risk: A vulnerability that may allow unauthorized access to accounts using email addresses without requiring passwords.

These vulnerabilities were discovered under controlled conditions by the researcher, who is part of a bug bounty platform we joined in 2018, and not through malicious activity.

We want to reassure our customers that:
• All identified vulnerabilities have been fully addressed.
• As of today, there is no evidence suggesting that any user data, including email addresses or account information, has been compromised or misused.

Actions Taken

• The email address exposure vulnerability has been fully resolved, and updates have been deployed to all users. Users must upgrade to the latest version to properly access all functions that may be affected by this vulnerability. While those who do not upgrade will not face security risks, certain features will become unavailable.
• The account takeover vulnerability has been fixed following verification by our team.
• In our commitment to privacy and security, we submitted these fixes to the bug bounty platform for further independent testing to ensure the robustness of our solutions. This is standard practice to safeguard user privacy and security.

Response to Timeframe for Fixes

To illustrate our approach, consider Lovense as a complex machine, where each component must function harmoniously for overall safety and reliability. When a faulty gear is identified, we conduct immediate repairs while evaluating the entire system to ensure all parts work together seamlessly.

Although vulnerabilities relate to email addresses, the conditions triggering those are distinct, which requires tailored solutions and thorough testing. We adopted a dual-track strategy of emergency response and long-term optimization.

The originally scheduled long term 14-month system reconstruction plan was completed significantly ahead of schedule due to the team's dedicated efforts and increased resource allocation. Reducing this comprehensive project to a simple "fixable in two days" is not only misleading but also overlooks the immense work put forth by our team.

Ensuring user safety has always been our core mission, a commitment reflected in our decision to join the HackerOne program in 2018. We are proud to be one of the earliest sex toy companies to have joined this initiative, demonstrating our dedication to user safety. We value the insights provided in the vulnerability disclosure report and appreciate the researcher’s proactive approach. However, we must clarify that any accusations of neglect regarding user safety are unfounded.

Commitment to Data Security

We regret any concern this report may have caused and remain steadfast in protecting user privacy and security. To prevent similar issues in the future, we are:

• Conducting a comprehensive review of our security practices to proactively identify and resolve potential vulnerabilities.
• Strengthening collaboration with external security researchers and platforms to enhance detection and response times.
• Proactively communicating with users about security updates to maintain transparency and trust. We will also be rolling out a statement to users about these vulnerabilities.

In response to the numerous erroneous reports online, our legal team is investigating the possibility of legal action. Thank you for your understanding and continued trust in Lovense.

Kind Regards,
Dan Liu
CEO of Lovense

Fixes and user security


Lovense has already resolved both issues. Specifically:

  • The vulnerability relating to the exposure of email addresses was fixed with an update distributed to all users. To keep using all the features, the device must be updated to the latest software version. Those who do not update face no security risks, but some functions may not be available.
  • The account takeover problem was fixed after verification by the internal team.

The fixes were submitted for further independent testing through the bug bounty platform, to guarantee the robustness of the corrections.

Timing and resolution process


CEO Liu explains that Lovense adopted a dual-track approach: urgent measures to mitigate the risks immediately, and a long-term review to optimize the system. The system reconstruction plan, originally scheduled to take 14 months, was completed ahead of schedule thanks to dedicated resources.

Lovense points out that reducing the work to a “two-day fix” is misleading and does not reflect the complex work carried out by the team.

Ongoing commitment and the future


Lovense says it is proud to be among the first sex tech companies to have joined the HackerOne program, demonstrating a long-standing commitment to user security. The company is committed to:

  • Comprehensively reviewing its security practices to prevent future vulnerabilities.
  • Strengthening collaboration with external researchers and bug bounty platforms.
  • Communicating transparently with users about security updates.

Lovense also announced that it intends to take legal action against the numerous erroneous and misleading reports that have appeared online.

Conclusions


CEO Dan Liu concludes by asking users for understanding and trust, reaffirming that security and privacy remain Lovense's top priority. We conclude by noting that even the best cyber security programs can have vulnerabilities; however, running a bug bounty program testifies to the company's commitment to the hacker community and a constant dedication to the security of its products and customers.

The article Lovense Writes to Red Hot Cyber. The CEO Sends Clarifications on the Security Vulnerabilities comes from il blog della sicurezza informatica.


DIY MP3 Player Inspired By The iPod


These days, the personal MP3 player has been largely replaced by the smartphone. However, [Justinas Petkauskas] still appreciates the iPod for its tactility and portability, and wanted to bring that vibe back. Enter JPL.mp3.

The build is based around the ESP32-S3 microcontroller. It’s paired with a PCM5102 DAC hooked up over I2S to provide quality audio, along with a micro SD card interface for music storage, and a small IPS LCD. The best feature, though? The mechanical click-wheel which provides a very tactile way to scroll and interact with the user interface. Everything is assembled into a neat 3D printed case, with a custom four-layer PCB lacing all the electronics together.

On the software side, [Justinas] cooked up some custom software for organizing music on the device using a SQLite database. As he primarily listens to classical music, the software features fields for composer/piece and conductor, orchestra, or performer.

[Justinas] calls the final build “chunky, but nevertheless functional” and notes it is “vaguely reminiscent of classic iPods.” We can definitely see the fun in building your own personalized version of a much-enjoyed commercial product, for sure. Meanwhile, if you’re cooking up your own similar hardware, we’d certainly love to hear about it.


hackaday.com/2025/08/01/diy-mp…


McDonald’s Scam! 10,000 People Lured from Instagram and Facebook with a Fake Promo


Amid the proliferation of online scams, Romania has seen a particularly large-scale scam disguised as a McDonald’s promotion. More than 10,000 people were lured into a scam that initially looked like a tempting offer: a hamburger, fries and a drink for just 10 lei, the equivalent of about two dollars.

On Instagram and Facebook, the scammers launched a series of ads on behalf of a non-existent brand, McDelight România. Under the pretext of taking part in a “triple promotion”, users were asked to fill in a short survey and play a simple game. Everyone was promised the chance to win a prize and, surprisingly, everyone won.

At this point, the potential victims felt as if they had hit the jackpot, reinforced by McDonald’s-style images and by seemingly authentic reviews from “customers”.

The next step was to fill in a form with personal data, including a credit card, supposedly to pay a token amount. However, the conditions, written in tiny print, hid the true nature of the scam: a subscription with an automatic charge of 63.42 euros every two weeks. This sum began to be charged regularly to the victims' cards, and the advertised two-dollar lunch soon remained an unattainable illusion.

Bitdefender specialists revealed the details of the scheme, noting that the fraudulent campaign began on July 17 and continues to gain ground. According to their data, there are at least six variants of these ads in rotation on Meta, and the scheme itself has already spread beyond Romania: similar activity has been recorded in Hungary and the Netherlands.

The fake platform not only exploits visual elements that inspire trust, but also actively plays on feelings of urgency and scarcity, creating the illusion of a limited offer. Such tactics make it particularly dangerous on social media, where users' attention is intermittent and behavior is often impulsive.

Bitdefender stresses: no real company will charge more than 60 euros every 14 days in exchange for a free hamburger. Any “promotion” with an upfront payment calls for critical evaluation. Users are advised not to enter payment data on suspicious sites, to study the terms and conditions carefully, and to report fraudulent ads to Meta support. If you fall into a trap, contact your bank immediately to cancel the unauthorized charges.

The incident highlights once again how easily a visually accurate advertisement can turn into a costly deception, especially if the small print is not read in time.

It also highlights how easy it is to launch an advertising campaign in the name of a large company, getting past the AI-run defenses, in this case Meta's.

The article McDonald’s Scam! 10,000 People Lured from Instagram and Facebook with a Fake Promo comes from il blog della sicurezza informatica.


Analysis of the Attack Campaign Using the Silver Fox Trojan That Imitates Google Translate


According to the Knownsec 404 Advanced Threat Intelligence Team, intense attack activity has recently been observed linked to the Silver Fox trojan, which imitates popular tools such as Google Translate. In these attacks, which date back to 2024, when the user clicks anywhere on the page, a message about an outdated version of Flash appears, followed by a redirect to a download page set up by the attackers.

If the user downloads and runs the file, the system is compromised through the execution of subsequent payloads.

In recent years, various hacker groups have distributed the Silver Fox trojan using a range of techniques: from faking the download pages of common tools, to SEO optimization, to creating copies of the sites of national institutions. These strategies have contributed to increasingly compromising the download environment of the Chinese internet.

The Silver Fox group has been active since at least 2022, spreading trojans through channels such as email, phishing sites and instant messaging software. Following the spread of the source code of remote-control trojans such as Winos 4.0, this gang has turned from a single organization into a full-fledged malware family, re-engineered by other criminal groups and even by APT organizations.

A technical analysis identified several phishing websites used to distribute Silver Fox, including fake copies of Google Translate, of a currency converter and even of the official WPS download site. On these sites, the attackers inserted redirect scripts directly into the source code, so as to take victims to malicious pages.

The malicious installation packages discovered include MSI and EXE files that drop the Winos trojan. In the case of the MSI files, execution loads the file aicustact.dll to launch further components, while update.bat starts both the legitimate program and the malicious payload. Next, javaw.exe writes Microsoftdata.exe into the registry to ensure its persistence. The latter, written in Golang, reads and executes a file named Xps.dtd, which contains shellcode intended to load a PE module called RexRat4.0.3, whose core component remains winos.

The winos trojan, which belongs to the Silver Fox family, has numerous functions: it can capture screenshots, record what is typed on the keyboard and obtain data from the clipboard. In addition, further counterfeit programs used to spread the malware were discovered, such as fake packages of Easy Translation, Youdao Translate, Bit browser and Letsvpn.

In recent years, Silver Fox has evolved into a modular, tool-based malware, used and modified by APT groups such as Golden Eye Dog as well. The attackers focus above all on improving anti-detection techniques, such as code obfuscation or signature forgery, to make distribution more effective. This increases the risks for users who download software from unofficial sources, lured by pop-ups or clone sites.

The experts reported that Silver Fox represents a serious threat to cyber security in China. To defend against it, the advice is to stay alert to links, attachments and packages from unknown sources, to download software only from official sites or trusted app stores, and to keep operating systems and antivirus software constantly updated. Only in this way is it possible to concretely reduce the risk of infection.

The article Analysis of the Attack Campaign Using the Silver Fox Trojan That Imitates Google Translate comes from il blog della sicurezza informatica.


Raspberry Pi RP2350 A4 Stepping Addresses E9 Current Leakage Bug



The RP2350 MCU in A4 stepping.
When Raspberry Pi’s new RP2350 MCU was released in 2024, it had a slight issue in that its GPIO pins would leak a significant amount of current when a pin is configured as input with the input buffer enabled. Known as erratum 9 (E9), it has now been addressed per the July 29 Product Change Note from Raspberry Pi for the A4 stepping along with a host of other hardware and software issues.

Although the PCN is for stepping A4, it covers both steppings A3 and A4, with the hardware fixes in A3 and only software (bootrom) fixes present in A4, as confirmed by the updated RP2350 datasheet. It tells us that A3 was an internal development stepping, ergo we should only be seeing the A4 stepping in the wild alongside the original defective A2 stepping.

When we first reported on the E9 bug it was still quite unclear what this issue was about, but nearly a month later it was officially defined as an input mode current leakage issue due to an internal pull-up that was too weak. This silicon-level issue has now finally been addressed in the A3 and thus new public A4 stepping.

Although we still have to see whether this is the end of the E9 saga, this should at least offer a way forward to those who wish to use the RP2350 MCU, but who were balking at the workarounds required for E9 such as external pull-downs.


hackaday.com/2025/07/31/raspbe…


Railway Time: Why France’s Railways Ran Five Minutes Behind


With us chafing at time zones and daylight saving time (DST) these days, it can be easy to forget how much more confusing things were in the late 19th century. Back then few areas had synchronized their clocks to something like Greenwich Mean Time (GMT) or other standards like London time or Paris time, with everyone instead running on local time determined by solar time. This created a massive headache for the railways, as they somehow had to make their time schedules work across what were effectively hundreds of tiny time zones while ensuring that passengers got on their train on time.

In a recent video [The Tim Traveller] explains how the creation of so-called Railway time sort-of solved this in France. As railroads massively expanded across the world by the 1850s and travel times dropped rapidly, this concept of Railway time was introduced from the US to Europe to India, creating effectively a railway-specific time zone synchronized to e.g. London time in the UK and Paris time in France. In addition to this, French railways also set the clocks inside the stations to run five minutes behind, to give travelers even more of a chance to get to their train on time when stuck in a long goodbye.

By 1911, across Europe GMT was adopted as the central time base, and the French five minute delay was eliminated as French travelers and trains were now running perfectly on time. If one wishes to experience what rail travel in the 1880s was like, travelers are invited to travel with Deutsche Bahn, who add a random delay to each actual arrival and departure time so that time becomes very relative indeed.

youtube.com/embed/PELruSTO3qI?…


hackaday.com/2025/07/31/railwa…


2025 One Hertz Challenge: 4-Function Frequency Counter


Frequency! It’s an important thing to measure, which is why [Jacques Pelletier] built a frequency counter some time ago. The four-function unit is humble, capable, and also an entry into our 2025 One Hertz Challenge!

The build began “a long while ago when electronic parts were still available in local stores,” notes Jacques, dating the project somewhat. The manner of construction, too, is thoroughly old-school. The project case and the sweet red digits are both classic, but so is what’s inside. The counter is based around 4553 BCD counter chips and 4511 decoder ICs. Laced together, the logic both counts frequency in binary-coded decimal and then converts that into the right set of signals to drive the 7-segment displays. Sample time is either 1 Hz or 0.1 Hz, which is derived from an 8MHz oscillator. It can act as a frequency meter, period meter, chronometer, or a basic counter. The whole build is all raw logic chips, there are no microprocessors or microcontrollers involved.

It just goes to show, you can build plenty of useful things without relying on code and RAM and all that nonsense. You just need some CMOS chips and a bucket of smarts to get the job done!

2025 Hackaday One Hertz Challenge


hackaday.com/2025/07/31/2025-o…


Double the Sensors, Double the Fun, with 2-in-1 Panoramic Camera


When film all came in rolls, it was fairly easy to play with the frame of the image. Companies like Hasselblad (and many others) made camera backs that would expose longer strips of 35 mm film to create stunning panoramic images in one single shot. [snappiness] wanted to bring that style of camera into the digital age, and ended up with a 2-in-1 Sony-based frankencamera.

Sensors just aren’t readily available in the wide aspect ratio [snappiness] was looking for, and even if they were, bare sensors are hugely expensive compared to consumer cameras. Lacking the budget for high-res scientific CMOS, [snappiness] did what any of us would do, and hacked two Sony A7ii full-frame mirrorless cameras together to get a combined 24x72mm sensor frame.

Conceptually, the hack is really very simple: a 3D print acts like a T-fitting, with the two cameras held parallel off the arms of the T and the lens making the shaft. Inside, the only optics are a pair of mirrors serving as a beam splitter. Each camera sees half the FOV of the lens in its corresponding mirror, which means the images can be stitched together later to make the double-wide pictures [snappiness] is after.

Of course both cameras must be triggered at the same time, but with what looks like a headphone splitter and an aftermarket remote shutter button, that part works perfectly. The optics, not so much– as always with conceptually simple projects, the devil is in the details, and here it’s the mirror alignment where you’ll find Old Nick. [snappiness] made no provision for adjustments, so everything needed to be designed and built with very stringent tolerances. Somewhere along the way, those tolerances were exceeded; as a result, the two cameras don’t share a focal plane.

That means half the composite image will always be out of focus, or that the main lens needs to be refocused and two snaps taken, rather defeating the point of the frankencamera. If [snappiness] attempts a version two, perhaps an adjustment mechanism to focus each sensor would be in order. Still, even if it didn’t work perfectly, he’s proven that the idea is sound, and we can’t imagine many people will see this and argue it isn’t a hack.

The world of film did make all of this easier, perhaps– we’ve seen large-format film cameras out of lego, and a panorama made from four full rolls of 35 mm film. If you know of any other great photography hacks– film or digital– don’t hesitate to send us a tip.

youtube.com/embed/60tAma9SN-4?…


hackaday.com/2025/07/31/double…


2025 One Hertz Challenge: Op-Amp Madness


A sine wave and triangle wave on a black background

Sometimes, there are too many choices in this world. My benchtop function generator can output a sine, square, or saw wave anywhere from 0.01 Hz up to 60 MHz? Way too many choices. At least, that’s what we suspect [Phil Weasel] was thinking when he built this Analog 1 Hz Sinewave Generator.

KiCad rendering of [Phil]’s design

[Phil]’s AWG (which in this case stands for Anything as long as it’s a 1 Hz sine Wave Generator) has another unique feature — it’s built (almost) entirely with op-amps. A lot of op-amps (37, by our count of the initial schematic he posted). His design is similar to a Phase-Locked Loop (PLL) and boils down to a triangle wave oscillator. While a 1 Hz triangle wave would absolutely satisfy judges of the One Hertz Challenge, [Phil] had set out to make a sine wave. Using a feedback loop and some shaping/smoothing tricks (and more op-amps), he rounded off the sharp peaks into a nice smooth sine wave.

Sometimes we make things much more complicated than we need to, just to see if we can. This is one of those times. Are there much simpler ways to generate a sine wave? Yes — but not exclusively using op-amps! This entry brings stiff competition to the “Ridiculous” category of the 2025 One Hertz Challenge.


hackaday.com/2025/07/31/2025-o…


When Online Safety Means Surrendering Your ID, What Can You Do?


A universal feature of traveling Europe as a Hackaday scribe is that when you sit in a hackerspace in another country and proclaim how nice a place it all is, the denizens will respond pessimistically with how dreadful their country really is. My stock response is to say “Hold my beer” and recount the antics of British politicians, but the truth is, the grass is always greener on the other side.

There’s one thing here in dear old Blighty that has me especially concerned at the moment though, and perhaps it’s time to talk about it here. The Online Safety Act has just come into force and is the UK government’s attempt to deal with what they perceive as the nasties on the Internet, and while some of its aspirations may be honourable, its effects are turning out to be a little chilling.

As might be expected, the Act requires providers to ensure their services are free of illegal material, and it creates some new offences surrounding sharing images without consent, and online stalking. Where the concern lies for me is in the requirement for age verification to ensure kids don’t see anything the government thinks they shouldn’t, which is being enforced through online ID verification. There are many reasons why this is of concern, but I’ll name the three at the top of my list.

An AliExpress page of fake drivers licences. As always, Ali has you covered.
As anyone who has helped their non-technical friends secure their networks will tell you, nothing boosts technical expertise more than presenting a 13-year-old with an online restriction. It’s already been shown how a tech-savvy kid can use an AI-generated fake ID to watch online smut, and I am thus certain that the Act just won’t work. Kids will trade ways to get round it just like they traded floppies full of dodgy JPGs in the playground back in the ’90s.

The scope of the Act extends way beyond merely the porn sites you might expect, so your average Brit is going to find themselves uploading their drivers’ licence or passport an awful lot. The probability of a data breach involving all that valuable data will approach one, and all those identities will be compromised. Making more laws won’t stop this happening, after all the very definition of a criminal is a person with a disregard for the law.

And finally, that broad scope is catching all manner of inoffensive and blameless online communities who don’t have the resources to put the age verification and other measures in place. Your classic car forum, a support group for people with mental health problems, even possibly Wikipedia. Of course it’s important to protect children from inappropriate content, but killing the British internet for everyone else shouldn’t be a side effect.

This issue is likely to rumble on for a while in the UK, as at the time of writing a petition for its reform stands around 350k signatures. Thus a further parliamentary debate seems very likely, and no doubt we’ll see a few of our overlords wriggling a little to avoid the inevitable repercussions. You can sign it if you’re a Brit, and meanwhile if you’d like to restore access to the internet that the rest of the world sees, you can join the hordes of Brits running to acquire VPN access.


Palace of Westminster header image: Diliff, CC BY-SA 2.5.


hackaday.com/2025/07/31/when-o…


Hexagonal Lighting Brings a Touch of Elegance to the Workshop


Sometimes, we’re faced with what should be simple household tasks that we choose to make more difficult. Sure, you could buy a clock, hang it on your wall, and move on with your day, or you could spend a week or two building the perfect one. [Nejc Koncan] was in one such situation recently when he needed some new overhead lighting. He wanted hexagonal lights — and since none of the off-the-shelf solutions met his exacting requirements, he built his own.

Unlike most of the cycling RGB hexagonal lighting solutions available on the market, [Nejc] wanted elegant white outlines that he could control via HomeAssistant. After some careful design and quite a bit of trial-and-error, he ended up with a highly modular and very professional-looking installation. The hexagons are constructed from LED strips set into aluminum extrusions, with junction PCBs at each intersection. To complete the look, all of the strips and wiring are hidden by diffusers that slot into the extrusions — and of course, the whole thing is open source.

We see lots of lighting projects here at Hackaday, and even other hexagonal lights — but this might just be one of the most refined. Sometimes it’s worth the extra effort to build a totally over-engineered custom solution.


hackaday.com/2025/07/31/hexago…


Hands On: The Hacker Pager


It should come as no surprise that the hacker community has embraced the Meshtastic project. It’s got a little bit of everything we hold dear: high quality open source software, fantastic documentation, a roll-your-own hardware ethos, and just a dash of counterculture. An off-grid communications network cobbled together from cheap parts, some of them strategically hidden within the urban sprawl by rogue operators, certainly sounds like the sort of thing you’d read about in a William Gibson novel.

But while the DIY nature of Meshtastic is one of its most endearing features for folks like us, it can also be seen as one of its weak spots. Right now, the guidance for those looking to get started is to pick a compatible microcontroller development board, 3D print a case for it, screw on an antenna from AliExpress, flash your creation with the latest firmware, and then spend some quality time with the documentation and configuration tools to actually get it on the air. No great challenge for the average Hackaday reader, but a big ask for the weekend adventurer that’s just looking for a way to keep in touch with their friends while camping.

Quality hardware that offers a turn-key experience will be critical to elevating Meshtastic from a hobbyist’s pastime to something that could actually be fielded for applications such as search and rescue. Plus, let’s be honest, even those of us who like to put together our own gadgets can appreciate a more consumer-oriented piece of hardware from time to time. Especially if that hardware happens to be open source and designed to empower the user rather than hold them back.

Enter the Hacker Pager from exploitee.rs. As the name implies, it’s still very much a device intended for hackers — a piece of hardware designed for the halls of DEF CON rather than trekking through the wilderness. But it’s also an important step towards a new generation of Meshtastic hardware that meets the high standard of quality set by the software itself.

All in One, One For All


Before diving into the device itself, it would be helpful to take a moment to explain how users typically interact with Meshtastic, and what makes the Hacker Pager different.
Connecting an Android phone to Meshtastic via a Heltec V3
Generally speaking, there are two types of Meshtastic devices: stationary nodes placed on rooftops and other vantage points to provide the infrastructure, and mobile nodes that a person would carry with them that allow access to the network. This isn’t strictly accurate as each mobile device can also relay messages and contribute to the overall mesh network, but for the purposes of this discussion that’s not really an important distinction.

The mobile nodes are essentially radio modems that connect to your smartphone. You might have one strapped to your backpack, or mounted to the roof of your car. An app on your phone allows you to use the radio to tap into the Meshtastic network, and provides (among other features) an SMS-like interface for sending and receiving messages. This can be a little ungainly if you’re physically plugged into the mobile node, but Bluetooth is also an option.

Now, what makes the Hacker Pager different is that it not only works as a gateway device to provide access to the Meshtastic network to a tethered smartphone, but it can also be used as a stand-alone communicator. This approach is truly the best of both worlds, as you get all the functionality of the smartphone application, while also giving you the freedom to subtract the phone from the equation entirely.

The Hacker Pager isn’t the first Meshtastic device to provide this capability, but at the time of this writing, it’s still one of only a handful of options that offer it. It is however the first one to come in the classic pager form factor, which brings with it a certain nostalgic appeal. The unique layout and interface of the Hacker Pager does come at a cost though; at least for now, it can’t run the mainline Meshtastic firmware and has its own independent fork. But we’ll get back to that in a minute.

Built By Hackers, For Hackers


I mentioned earlier that the Hacker Pager isn’t designed for a rugged environment, but that doesn’t mean it’s a wimp, either. It’s built like a brick, which I mean in the most positive way possible. But more than that, it’s built how a hacker would build it. Laser-cut acrylic panels, 3D printed body and buttons, you can still see how each component could be produced by a well-equipped home gamer should they need or want to.

That’s something we often see get inadvertently overlooked by open source hardware projects, and I’m happy to see that it seems to have remained a guiding principle for the Hacker Pager. It’s no mean feat either — we always release the design files for our annual Supercon badge, but that’s not to say they’ve always been easy to recreate for the hacker who couldn’t make it out to Pasadena. It’s not that we ever intentionally design the badge to be hard to replicate, it can just get away from you sometimes.
Bodge wire not included on production units. Probably.
While going with a larger footprint for some of the components would have made DIY rework a little easier, there’s nothing about the Hacker Pager that would keep you from either building one yourself or using it as a basis for another design. That includes the license, as the hardware side of the project is available under the CERN Open Hardware Licence Version 2.

I could easily see the Hacker Pager becoming another Beepy — an OSHW project that resonates so strongly with the community that it inspires a whole line of clones.

A New Way to Mesh


The firmware for the Hacker Pager is forked from the upstream Meshtastic project, and as such, the device is fully compatible with all the infrastructure that’s already out there. Similarly, when used in conjunction with the official Meshtastic smartphone application, you’ll have all the features and functions you’re used to. But when you use the Hacker Pager on its own, it’s unlike any other Meshtastic device out there.

That’s largely due to the fact that the retro-inspired hardware of the Hacker Pager demands a different sort of user interface than any of the existing Meshtastic devices. The menu system makes excellent use of the vibrant 192×64 pixel monochrome LCD, and banging out messages using the on-screen keyboard and directional buttons is a breeze. Users from the younger generations may need some time to adapt, but for those of a certain age, it feels like home.


One of my favorite features doesn’t even kick in until you’ve put the Hacker Pager down for a bit. Once the device has hit the user-defined idle timeout, the screen backlight turns off and the screen shifts over to an ambient clock display that also shows critical status information such as battery level, number of nodes in the area, and a new message indicator.

It’s also got the features you’d expect from a modernized pager. You can be notified of incoming messages by the classic audible alert or vibration, naturally. But there’s also 36 addressable RGB LEDs and a dozen UV LEDs that are more than happy to put on a light show each time something hits your inbox.

More Than Idle Talk


Honestly, if everything I’ve just covered was all the Hacker Pager could do, I’d still have come away impressed. But the team at exploitee.rs took things a step further by adding in several tools that should prove useful for anyone who’s into hacking around on Meshtastic or other flavors of LoRa.

The Packet Capture mode (and matching Wireshark plugin) lets you explore the actual communication protocols at work, and the Spectrum Analyzer will visualize anything broadcasting between 850 and 950 MHz and optionally export the results. While there’s no official word on additional tools, it’s not hard to imagine how either exploitee.rs or the community could expand on these capabilities in the future with new functions such as a WiFi or Bluetooth scanner.

Joining the Pager Revolution


If you want your own Hacker Pager, it will set you back $200 for the standard Green/Black model shown here, or $250 for the Special Edition colors (Pink/Black, Orange/Black). Unfortunately, they’re currently out of stock.

We made every effort to time the release of this article to coincide with availability of the Hacker Pager, but folks have been chomping at the bit to pick one up since they were first unveiled last year, and demand was simply too great. Sorry about that.

But don’t worry, you haven’t missed your chance. We’re told that units will be available at DEF CON 33 next week if you’re making the trip out to Vegas, and if not, you can put your email down to be notified when the next batch of Hacker Pagers will be ready to go.

In the meantime, you can read up on the promise of the Meshtastic project and maybe even set up your first node.


hackaday.com/2025/07/31/hands-…


An Oscar-worthy bug for macOS/iOS! An encrypted email crashes the device


Can an encrypted email immediately crash a macOS/iOS system? The answer is YES!

This is not a science-fiction plot but a real attack, as the latest research findings from Alibaba Security reveal. To effectively prevent this type of attack, Alibaba Security and Indiana University Bloomington jointly explored and discovered an attack vector for detecting potential DoS (Denial-of-Service) security problems in cryptographic algorithm libraries: malformed X.509 certificates.

They then carried out a series of studies on related problems in cryptographic algorithm libraries based on this vector. The result was made public at the USENIX Security ’25 conference and was nominated for the Pwnie Awards, the “Oscars of the hacker world”.

Using malformed X.509 certificates, the researchers ran experiments on six mainstream open-source cryptographic algorithm libraries: OpenSSL, Botan, Bouncy Castle, Crypto++, GnuTLS and phpseclib, as well as on Security, a cryptographic library designed specifically for the Apple ecosystem.

They discovered 18 new CVE vulnerabilities and identified 12 known CVE vulnerabilities.

X.509 digital certificates are the “identity cards” of the online world


With the widespread adoption of the Internet, network security problems are becoming ever more important. To ensure the security and reliability of network communications, digital certificates have become a fundamental tool for guaranteeing identity authentication and data security.

A digital certificate is like an “identity card” in the online world. It is issued by a trusted third-party organization (called a certification authority, CA) and is used to verify the identity of both communicating parties and to ensure that information is not tampered with in transit.

X.509 is currently one of the most widely adopted digital certificate standards internationally. It defines the basic structure and content of a certificate, including fields such as subject information, public key, signature algorithm and validity period, and it supports certificate chain verification mechanisms, thereby creating a trustworthy public key infrastructure (PKI).

In addition, X.509 certificates have become a fundamental component of modern network security, used in various protocols (such as TLS and S/MIME) to secure communications. Modern operating systems (such as macOS and iOS) also use X.509 certificates for signature verification, guaranteeing the authenticity and integrity of applications.

Resolving DoS-type problems with invalid X.509 certificates


Cryptography-related APIs are often complex in design, and many developers lack specific knowledge of the subject. The tension between the two leads to frequent misuse of cryptographic APIs in practice, which has pushed existing research to focus on how best to counter that misuse.

However, even if users strictly follow the usage specifications and call the API in a cryptographic library correctly, security risks can still arise from security problems in the implementation of the API itself.

Current research on security problems in cryptographic implementations focuses mainly on confidentiality (such as side-channel attacks) and integrity (such as hash collisions) within the CIA triad (confidentiality, integrity and availability), while availability problems receive less attention. However, the research team noted that cryptographic libraries are often more vulnerable to DoS attacks than other kinds of projects because of the following two characteristics:

  • Implementing cryptographic libraries often involves operations on “big numbers” (for example, operations over a finite field involving a 1024-bit prime). Such operations and their orders of magnitude are relatively rare in non-cryptographic projects.
  • Implementing cryptographic libraries often involves processing various data types (such as ASN.1) and encoding rules (such as DER encoding). The design of these schemes is often complex, and it is easy to make mistakes during implementation.
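
The two characteristics above point at two things a service can bound before a certificate ever reaches the cryptographic library: the size of its integers and the shape of its ASN.1/DER encoding. The Python guard below is an added example, not code from the paper or from X.509DoSTool; the limits, the function names and the sample bytes are assumptions made here for illustration.

```python
MAX_TOTAL = 64 * 1024    # assumed limit: bytes accepted per certificate
MAX_DEPTH = 16           # assumed limit: nesting of constructed types
MAX_INT_BYTES = 1024     # assumed limit: INTEGER content (8192 bits)

class DerRejected(ValueError):
    """Input breaks a DER rule or one of the assumed limits above."""

def _read_header(buf, pos, end):  # returns (tag, content_start, content_end)
    if pos + 2 > end:
        raise DerRejected("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DerRejected("high-tag-number form rejected by policy")
    length, pos = first, pos + 2            # short form unless bit 8 is set
    if first >= 0x80:                       # long form: n length bytes follow
        n = first & 0x7F
        if n == 0:
            raise DerRejected("indefinite length is BER, not DER")
        if n > 4 or pos + n > end:
            raise DerRejected("length field too long or truncated")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerRejected("non-minimal length encoding")
        pos += n
    if length > end - pos:
        raise DerRejected("declared length exceeds enclosing element")
    return tag, pos, pos + length

def check_der(buf):  # walks every TLV without recursion; returns stats
    if not 0 < len(buf) <= MAX_TOTAL:
        raise DerRejected("empty input or larger than MAX_TOTAL")
    stats = {"elements": 0, "max_depth": 0, "largest_int": 0}
    stack = [(0, len(buf), 1)]              # (pos, end, depth) ranges left to scan
    while stack:
        pos, end, depth = stack.pop()
        if pos == end:
            continue
        if depth > MAX_DEPTH:
            raise DerRejected("nesting deeper than MAX_DEPTH")
        tag, start, stop = _read_header(buf, pos, end)
        if depth == 1 and stop != len(buf):
            raise DerRejected("trailing data after top-level element")
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if tag == 0x02:                     # INTEGER: bound it before bignum math
            if not 0 < stop - start <= MAX_INT_BYTES:
                raise DerRejected("INTEGER empty or larger than MAX_INT_BYTES")
            stats["largest_int"] = max(stats["largest_int"], stop - start)
        stack.append((stop, end, depth))    # siblings after this element
        if tag & 0x20:                      # constructed: scan children as well
            stack.append((start, stop, depth + 1))
    return stats

def verdict(buf):
    try:
        check_der(buf)
        return "ok"
    except DerRejected as exc:
        return str(exc)

def tlv(tag, content):  # encodes one DER element for the constructed samples
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    size = raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + size + content

# Constructed samples, not real certificates.
GOOD = tlv(0x30, tlv(0x02, b"\x05") + tlv(0x30, tlv(0x02, b"\x01\x00")))
HUGE_INT = tlv(0x30, tlv(0x02, b"\x01" * 2000))
print(verdict(GOOD), "|", verdict(HUGE_INT))
```

A guard like this complements the library's own parser rather than replacing it: it only decides whether the input is small and regular enough to hand over.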

To further validate this observation, the research team carried out a systematic analysis of code implementations in several cryptographic libraries vulnerable to DoS attacks. In the process, they demonstrated the feasibility of using malformed X.509 certificates as an attack vector to exploit and detect DoS-type problems in cryptographic libraries.

The main contributions of this work are the following three points:

  • Systematic analysis and new findings: they carried out the first systematic analysis of cryptographic algorithm libraries vulnerable to DoS attacks. In doing so, they discovered three new DoS-type security risks and revealed a common attack vector, namely malformed X.509 certificates, for exploiting the DoS vulnerabilities associated with ten typical risks identified in this study.
  • Development of automated tools + vulnerability discovery and exploitation: they developed an automated tool called X.509DoSTool, which can be used to quickly generate specific malformed certificates and detect DoS vulnerabilities in the corresponding cryptographic library implementations. Using this tool, they successfully discovered 18 new vulnerabilities and identified 12 known vulnerabilities. They also verified these vulnerabilities in real-world scenarios and discovered new remote exploitation methods on the macOS and iOS platforms.
  • Threat modeling and mitigation strategies: through threat modeling and experimental results, they showed that the X.509 DoS attack is a widespread but so far little-studied threat in the real world. On that basis, they further analyzed the root causes of X.509 DoS attacks and proposed practicable mitigation strategies to help developers improve the security of their systems.

This part is covered in detail in Section 1 of the paper. In addition, to better follow the later chapters, readers are advised to consult the background introduction in Section 2 of the paper for a fuller understanding of the mathematics of elliptic curves, ASN.1 and X.509.

The Alibaba Security research


In this work, focusing on this attack, the researchers further analyzed the mechanisms and exploitation methods of a series of vulnerabilities tied to DoS risks in cryptographic libraries. Using automated tools, they discovered 18 new vulnerabilities in seven major cryptographic libraries. They then demonstrated these vulnerabilities in two real-world scenarios: the mutual TLS handshake on HTTPS websites and signature verification on Apple’s macOS/iOS systems.

The experimental results demonstrate the feasibility of the malformed X.509 certificates they created for detecting and exploiting DoS vulnerabilities in cryptographic libraries. They also reveal that X.509 DoS attacks are a widespread but little-studied security threat that deserves more attention. The researchers further discuss the root causes of these attacks and propose a series of possible mitigation strategies.

Looking ahead, the research team hopes this work will further raise the security community’s awareness of cryptographic vulnerabilities and attack methods and inspire more researchers to explore effective detection and defense mechanisms, jointly promoting the construction of cryptographic systems and protecting the security of users.

The article “An Oscar-worthy bug for macOS/iOS! An encrypted email crashes the device” comes from il blog della sicurezza informatica.