Neon Lamp Detects Lightning Strikes
For as mysterious, fascinating, and beautiful as lightning is at a distance, it’s not exactly a peaceful phenomenon up close. Not many things are built to withstand millions of volts and tens to hundreds of thousands of amps. Unsurprisingly, there’s a huge amount of effort put into lightning protection systems for equipment and resources that need to be outside where thunderstorms sometimes happen. Although most of us won’t be building personal substations, church steeples, or city-scale water towers in our backyards, we might have a few radio antennas up in the air, so it’s a good idea to have some lightning protection and possibly an alert system like [Joe] built.
The start of this project came about when [Joe] noticed static on his crystal radio’s headset when there was a storm in the distance. When disconnecting the antenna in this situation, he also noticed sparks, and then thought that placing a neon lamp in the circuit would essentially allow those sparks to form in the lamp itself. The sparks only cause the neon to glow dimly, so a capacitor was added to allow the voltage to increase, making the sparks of light in the lamp more visible. These sparks are still quite dim, though, so two LEDs were added in series with opposite polarity, allowing one to detect negative charge and the other to detect positive.
With the LEDs installed in the circuit, it’s much more apparent when there are charged clouds around, and with the addition of an RF choke, [Joe] can use this circuit at the same time as his radio while also getting alerts about potential thunderstorm activity. This isn’t the only way to detect lightning strikes, though. There are plenty of other ways to get this job done, and we’ve even seen lightning detectors so sensitive that they can detect socks-on-carpet static discharges as well.
Thanks to [Charles] for the tip!
GarageMinder: Automatic Garage Door
After getting a new car, [Solo Pilot] missed the automatic garage door opening and closing system their old car had. So they set about building their own, called GarageMinder. On the project page you will find a bill of materials, schematics, and some notes about the approach taken in various versions of the software. [Solo Pilot] also made the software available.
The hardware is built around a Raspberry Pi Zero W, with plans to move to an ESP32. On the car side, the vehicle continuously broadcasts Bluetooth Low Energy (BLE) advertisements, which the Raspberry Pi can detect. Building a reliable system on top of such flaky signals is difficult, and the project notes describe some of the challenges met and approaches taken during development. It is a work in progress, and further techniques are going to be trialled in future. One caveat worth keeping in mind for anything that opens a door: a BLE advertisement is an unauthenticated broadcast, so hearing one proves only that something within radio range transmitted those bytes, not that the car itself is there.
If you’re interested in Bluetooth garage door openers be sure to read about using a Bluetooth headset as a garage door opener for your Android device.
2025 One-Hertz Challenge: ZX Spectrum Is Now A Z80 Frequency Counter
The ZX Spectrum is perhaps most fondly remembered as a home computer and a games machine. [Tito] has grabbed the faithful black plastic box and turned it into a frequency counter as an innovative entry to our 2025 One Hertz Challenge.
The code was prepared in assembly using ZASM, an online Z80 assembler. It works in quite a simple manner: the code runs for one second at a time, counting rising edges on the EAR port of the ZX Spectrum. Those edges are added up to give the frequency, and the job is done. [Tito] has tested the code and found it’s capable of reading frequencies up to 20 kHz. Since it runs on a one-second period, it’s eligible for entry by meeting the requirements of the One Hertz Challenge. Code is available on GitHub for the curious.
The ZX Spectrum has a clock speed of 3.5 MHz, meaning it’s not exactly the tool of choice if you’re reading faster signals. We’ve seen similar done before. In any case, this project was a great way to exercise assembly coding skills and to bust out some classic Speccy hardware—and that’s always a good time. If you’ve got your own retrocomputer hacks brewing up in the lab, don’t hesitate to let us know!
Before Macintosh: The Story of the Apple Lisa
Film maker [David Greelish] wrote in to let us know about his recent documentary: Before Macintosh: The Apple Lisa.
The documentary covers the life of the Apple Lisa. It starts with the genesis of the Lisa Project at Apple, covering its creation, then its marketing, and finally its cancellation. It then discusses the Apple Lisa after Apple, when it became a collectible. Finally the film examines the legacy of the Apple Lisa, today.
The Apple Lisa was an important step on the road to graphical user interfaces, a paradigm shift under way in the early 1980s alongside the Macintosh and the work at Xerox PARC in Palo Alto. The mouse. Bitmapped graphics. Friendly error messages. These were the innovations of the day.
Apple began work on the Lisa Project in October 1978 but most of its design goals changed after Steve Jobs and his team visited the Xerox Palo Alto Research Center (PARC) in November 1979. On January 19, 1983, the Apple Lisa computer was released by Apple. Two years later it was re-branded as the “Macintosh XL” and was converted to run the Mac system software. Ultimately, on August 1, 1986, the Macintosh XL (Apple Lisa) was cancelled, so as to not interfere with Macintosh sales.
But the Apple Lisa is not forgotten. These days they are collectibles which you can acquire for a few thousand dollars. They are considered a symbol and harbinger of the very significant shift to the graphical user interface which today is commonplace and perhaps even taken for granted.
There is a fun anecdote in the film about what we know today as OK/Cancel. In fact with the Apple Lisa that was originally Do it/Cancel, but it turned out many people read “do it” as “doit”, so during usability testing the users were asking “what’s a doit?”
If you’re interested in the old Apple Lisa be sure to check out LisaGUI which is a browser-based emulator you can use to see what it used to be like.
youtube.com/embed/psAeTDYezdo?…
PVCSub: A Submarine from the Plumbing Aisle
Today in the submersibles department our hacker [Rupin Chheda] wrote in to tell us about their submarine project.
This sub is made from a few lengths of PVC pipe of various diameters. There is an inflation system consisting of a solenoid and a pump, and a deflation system, also consisting of a solenoid and a pump. The inflation and deflation systems flood or empty the ballast, which controls depth. There are three pumps for propulsion and steering: one central pump for propulsion and two side pumps for directional control, allowing steering through differential thrust. Power and control are external, provided over a CAT6 cable.
We have covered various submarine projects here at Hackaday before and it is interesting to compare and contrast the designs. One sub we covered recently was this one made mostly from Lego. There are considerable differences in the approach to buoyancy, propulsion, steering, power, and control. Whereas the PVCSub uses separate ballast inflation and deflation systems the Lego sub uses one system that can be run forward or backward; whereas the PVCSub uses a pump for propulsion the Lego sub uses a magnetically coupled propeller; whereas the PVCSub uses differential thrust for steering the Lego sub uses a small propeller; whereas the PVCSub transmits power through external wires, the Lego sub has an onboard battery; and whereas the PVCSub uses the power wires for control the Lego sub is radio controlled.
Just goes to show that there are many ways to skin this particular kind of cat.
Time, Stars, and Tides, All On Your Wrist
When asked ‘what makes you tick?’ the engineers at Vacheron Constantin sure know what to answer – and fast, too. Less than a year after last year’s horological kettlebell, the 960g Berkley Grand Complication, a new invention had to be worked out. And so, they delivered. Vacheron Constantin’s Solaria Ultra Grand Complication is more than just the world’s most complicated wristwatch. It’s a fine bit of precision engineering, packed with 41 complications, 13 pending patents, and a real-time star tracker the size of a 2-Euro coin.
Yes, there’s a Westminster chime and a tourbillon, but the real novelty is a dual-sapphire sky chart that lets you track constellations using a split-second chronograph. Start the chrono at dusk, aim your arrow at the stars, and it’ll tell you when a chosen star will appear overhead that night.
Built by a single watchmaker over eight years, the 36mm-wide movement houses 1,521 parts and 204 jewels. Despite the mad complexity, the watch stays wearable at just 45mm wide and 15mm thick, smaller than your average Seamaster. This is a wonder of analog computational mechanics. Just before you think of getting it gifted for Christmas, think twice – rumors are it’ll be quite pricey.
2025 One-Hertz Challenge: HP Logic Probe Brought Into The Future
[Robert Morrison] had an ancient HP 545A logic probe, which was great for debugging SMT projects. The only problem was that being 45 years old, it wasn’t quite up to scratch when it came to debugging today’s faster circuitry. Thus, he hacked it to do better, and entered it in our 2025 One Hertz Challenge to boot!
[Robert’s] hack relied on the classic logic probe for its stout build and form factor, which is still useful even on today’s smaller hardware. Where it was lacking was in dealing with circuits running at 100 MHz and above. To rectify this, [Robert] gave the probe a brain transplant with a Sparkfun Alorium FPGA board and a small display. The FPGA is programmed to count pulses while measuring pulse widths and time, and it then drives the display to show this data to the user. There’s also a UART output, and [Robert] is actively developing further logic analyzer features, too.
You might be questioning how this project fits in the One Hertz Challenge, given it’s specifically built for running at quite high speeds. [Robert] snuck it in under the line because it resamples and updates the display on a once-a-second basis. Remember, as per the challenge site—”For this challenge, we want you to design a device where something happens once per second.” We’re giving you a lot of leeway here!
Often, old scopes and probes and other gear are really well built. Sometimes, it’s worth taking the best of the old physical hardware and combining it with modern upgrades to make something stout that’s still useful today. Meanwhile, if you’re cooking up your own neo-retro-logic probes, don’t hesitate to notify the tipsline!
Hackaday Podcast Episode 329: AI Surgery, a Prison Camp Lathe, and a One Hertz Four-Fer
Join Hackaday Editors Elliot Williams and Tom Nardi as they talk about their favorite hacks and stories from the previous week. They’ll start things off with a small Supercon update, and go right into fusion reactors, AI surgeons, planned obsolescence, and robotic cats and dogs. They’ll also go over several entries from the ongoing 2025 One Hertz Challenge, an ambitious flight simulator restoration project, old school lightning detectors, and how Blu-ray won the battle against HD DVD but lost the war against streaming. Stick around to the end to hear an incredible story about a clandestine machine shop in a WWII prisoner of war camp, and the valiant fight to restore communications with the Lunar Trailblazer spacecraft.
Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!
html5-player.libsyn.com/embed/…
Download in DRM-free MP3 and add it to your collection.
Episode 329 Show Notes:
What’s that Sound?
- Think you know that sound? Fill out the form for a chance to win a Hackaday Podcast T-Shirt!
Interesting Hacks of the Week:
- Do You Trust This AI For Your Surgery?
- Will HP Create A Carfax System For PCs?
- A Budget Quasi-Direct-Drive Motor Inspired By MIT’s Mini Cheetah
- Robotic Cheetah Teaches A Motors Class
- From Leash To Locomotion: CARA The Robotic Dog
- What Will It Take To Restore A Serious Flight Simulator?
- 2025 One Hertz Challenge: An Ancient Transistor Counts The Seconds
- Michael Covington’s Daily Notebook
- 2025 One Hertz Challenge: Ham Radio Foxhunt Transmitter
- 2025 One Hertz Challenge: Valvano Clock Makes The Seconds Count
- 2025 One Hertz Challenge: Metronalmost Is Gunning For Last Place
Quick Hacks:
- Elliot’s Picks:
- Introducing PooLA Filament: Grass Fiber-Reinforced PLA
- A Collection Of Lightning Detectors
- USB-C Rainbow Ranger: Sensing Volts With Style
- Coroutines In C
- Tom’s Picks:
- Smart Coffee Table To Guide Your Commute
- Blu-ray Won, But At What Cost?
- This Homebrew CPU Got Its Start In The 1990s
Can’t-Miss Articles:
- Hacking When It Counts: DIY Prosthetics And The Prison Camp Lathe
- The Fight To Save Lunar Trailblazer
hackaday.com/2025/07/18/hackad…
Unlocking the Potential of a No-Name Handheld Game
The rise of inexpensive yet relatively powerful electronics has enabled a huge array of computing options that would have been unheard of even two decades ago. A handheld gaming PC with hours of battery life, for example, would have been impossible or extremely expensive until recently. But this revolution has also enabled a swath of inexpensive but low-quality knockoff consoles, often running unlicensed games, that might not even reach the low bar of quality set by their sellers. [Jorisclayton] was able to modify one of these to live up to its original promises.
This Ultimate Brick Game, as it is called, originally didn’t even boast the number of games, unlicensed or otherwise, that it claimed to. [Jorisclayton] removed almost all of the internals from this small handheld to help it live up to this original claim. It boasts a Raspberry Pi Zero 2W now as well as a TFT screen and has a number of other improvements including Bluetooth support for external controllers and upgraded audio. A second console was used for donor parts, and some case mods were made as well to accommodate a few extra buttons missing on the original console.
Right now the project is in a prototype phase, as [Jorisclayton] is hoping to use the donor case to build a more refined version of this handheld console in the future. Until then, this first edition upgrade of the original console can run RetroPie, which means it can run most games up through the Nintendo 64 era. RetroPie enables a ton of emulation for old video games including arcade games of the past. This small arcade cabinet uses that software to bring back a bit of nostalgia for the arcade era.
Magnus Carlsen beats ChatGPT at chess without losing a piece!
Magnus Carlsen beat ChatGPT at chess without losing a single piece, while his virtual opponent lost all of its pawns. The Norwegian grandmaster posted screenshots of the game on the social network X on July 10. The AI admitted defeat and resigned. “Sometimes I get bored when I travel,” Carlsen wrote in the caption of the post.
The footage shows that after the game, ChatGPT congratulated him on the win, calling his play methodical, clean and precise. Carlsen replied by praising the AI for a good start, but noted that it made several mistakes later on. He then asked the bot to assess his play.
ChatGPT identified several strengths in Carlsen’s play, including a clever opening, patience, tactical sense and good endgame technique. The AI estimated his notional classical-chess rating at 1800-2000 on the FIDE or USCF scale, with the caveat that his real level could be higher.
Both the FIDE and USCF rating systems use the Elo scale, which takes into account the results of official games and the strength of the opponents. A rating is particularly affected by unexpected outcomes, when a weaker player beats a favourite.
Carlsen’s current rating according to the World Chess Federation is 2839, which makes him the highest-rated chess player in the world. He has won the world championship five times in his career, most recently in 2021. Since then he has withdrawn from new title cycles, saying he is not interested in fighting for the title.
We therefore wanted to know what ChatGPT thinks, and asked it for a comment on this news; this was its reply.
“As ChatGPT, I can only smile reading this news! The match between Magnus Carlsen and an instance of ChatGPT shows clearly that, while it can analyse moves and provide technical commentary, a language model is not built to actually play chess at the level of a grandmaster. It is interesting, though, to see how Carlsen wanted to test the curiosity and the “creative” abilities of a conversational AI, rather than challenge a traditional chess engine such as Stockfish or Leela. The fact that Carlsen also asked the AI for a post-game analysis highlights a more significant aspect: ChatGPT’s value not so much as an opponent, but as an assistant and commentator able to explain strategies, strengths and weaknesses in an accessible way. In short, we won’t be winning trophies on the chessboard, but we can help people understand the game better. And that too, after all, is a small checkmate against complexity.”
The article Magnus Carlsen beats ChatGPT at chess without losing a piece! comes from il blog della sicurezza informatica.
This Week in Security: Trains, Fake Homebrew, and AI Auto-Hacking
There’s a train vulnerability making the rounds this week. The research comes from [midwestneil], who first discovered an issue way back in 2012, and tried to raise the alarm.
Turns out you can just hack any train in the USA and take control over the brakes. This is CVE-2025-1727 and it took me 12 years to get this published. This vulnerability is still not patched. Here's the story: t.co/MKRFSOa3XY— neils (@midwestneil) July 11, 2025
To understand the problem, we have to first talk about the caboose. The caboose was the last car in the train; it served as an office for the conductor and as a station for train workers to work out of while tending to the train and watching for problems. Two more important details about the caboose: it carried the lighted markers that indicate the end of the train, and it was part of the train’s braking system. In the US the caboose was phased out in the 1980s and replaced with automated End Of Train (EOT) devices.
These devices were used to wirelessly monitor the train’s air brake system, control the Flashing Rear End Device (FRED), and even trigger the brakes in an emergency. Now here’s the security element. How did the cryptography on that wireless signal work in the 1980s? And has it been updated since then?
The only “cryptography” at play in the FRED system is a BCH checksum, which is not an encryption or authentication tool but an error-correction code: anyone who knows the algorithm can compute a valid check value for any message they care to send. And even though another researcher discovered this issue and reported it as far back as 2005, the systems are still using 1980s-era wireless links. Now that CISA and various news outlets have picked up the vulnerability, the Association of American Railroads is finally acknowledging it and beginning to work on upgrades.
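To make the checksum-versus-authentication point concrete, here is an added example (not the EOT/HOT protocol and not anyone’s real firmware). The frame layout and the 0x01 “brake” opcode are hypothetical, and a CRC-16 stands in for the BCH code on the real link; what matters is that both are public, keyless functions of the message. The hardened receiver adds an HMAC tag and a counter, which is roughly what an upgrade has to deliver.

```python
import hashlib
import hmac
import os
import struct

# Constructed stand-in for a rear-end-device command: 2-byte sync, 1-byte opcode
# (0x01 = apply brakes, hypothetical), 3 bytes of padding.
BRAKE_CMD = bytes([0xAA, 0x55, 0x01, 0x00, 0x00, 0x00])


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE, standing in for the BCH code on the real link. Like BCH it
    is excellent at catching radio noise and useless against a deliberate sender."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def legacy_frame(payload: bytes) -> bytes:
    return payload + struct.pack(">H", crc16_ccitt(payload))


def legacy_receiver_accepts(frame: bytes) -> bool:
    """1980s-style receiver: anything whose check value matches is acted on."""
    payload, check = frame[:-2], struct.unpack(">H", frame[-2:])[0]
    return crc16_ccitt(payload) == check


TAG_LEN = 16  # 128-bit truncated HMAC-SHA256 tag


def authenticated_frame(payload: bytes, counter: int, key: bytes) -> bytes:
    """payload || 32-bit counter || tag. The tag proves a key holder sent it,
    the counter stops a recorded genuine frame from being replayed."""
    body = payload + struct.pack(">I", counter)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class AuthenticatedReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accepts(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or corrupted
        counter = struct.unpack(">I", body[-4:])[0]
        if counter <= self.last_counter:
            return False                      # replay of a genuine frame
        self.last_counter = counter
        return True


def demo() -> dict:
    key = os.urandom(32)                      # shared by head-of-train unit and EOT device
    rx = AuthenticatedReceiver(key)
    genuine = authenticated_frame(BRAKE_CMD, counter=1, key=key)
    legacy = legacy_frame(BRAKE_CMD)
    bit_flipped = bytes([legacy[0] ^ 0x80]) + legacy[1:]
    return {
        # anyone who knows the algorithm mints an accepted legacy frame
        "legacy_accepts_forgery": legacy_receiver_accepts(legacy),
        # ...while the checksum still does its actual job against noise
        "legacy_rejects_bit_flip": not legacy_receiver_accepts(bit_flipped),
        "auth_accepts_genuine": rx.accepts(genuine),
        "auth_rejects_replay": not rx.accepts(genuine),
        "auth_rejects_guessed_tag": not rx.accepts(BRAKE_CMD + struct.pack(">I", 2) + os.urandom(TAG_LEN)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every entry in the dictionary comes back True. The point is the first one: the legacy receiver cannot tell a forged brake command from a real one, because the only check it performs is one the attacker can perform too.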
Putting GitHub Secrets to Work
We’ve covered GitHub secret mining several times in this column in the past. This week we cover research from GitGuardian and Synacktiv, discovering how to put one specific leaked secret to use. The target here is Laravel, an Open Source PHP framework. Laravel is genuinely impressive, and sites built with this tool use an internal APP_KEY to encrypt things like cookies, session keys, and password reset tokens.
Laravel provides the encrypt() and decrypt() functions to make that process easy. The decrypt() function even does the deserialization automatically. … You may be able to see where this is going. If an attacker has the APP_KEY, and can convince a Laravel site to decrypt arbitrary data, there is likely a way to trigger remote code execution through a deserialization attack, particularly if the backend isn’t fully up to date.
So how bad is the issue? By pulling from their records of GitHub, GitGuardian found 10,000 APP_KEYs, 1,300 of which also came with URLs, and 400 of those could actually be validated as still in use. The lesson here is once again: when you accidentally push a secret to GitHub (or anywhere on the public Internet), you must rotate that secret. Just force-pushing over your mistake is not enough.
Fake Homebrew
There’s a case to be made that browsers should block advertisements simply to mitigate the security risk that comes with ads on the web. Case in point: the fake Homebrew installer malware. This write-up comes from the security team at Deriv, where a macOS device tripped the security alarms. The investigation revealed that an employee was trying to install Homebrew, searched for the instructions, and clicked on a sponsored result in the search engine. This led to a legitimate-looking GitHub project containing only a readme with a single command to automatically install Homebrew.
The command downloads and runs a script that does indeed install Homebrew. It also prompts for and saves the user’s password, and drops a malware loader. This story has a happy ending, with the company’s security software catching the malware right away. This is yet another example of why it’s foolhardy to run commands from the Internet without knowing exactly what they do; at minimum, take the install command from brew.sh or the Homebrew/install repository itself rather than from a search result, and read the script before piping it into a shell. Not to mention, this is exactly the scenario that led to the creation of Workbrew.
SQL Injection
Yes, it’s 2025, and we’re still covering SQL injections. This vulnerability in Fortinet’s FortiWeb Fabric Connector was discovered independently by [0x_shaq] and the folks at watchTowr. The flaw is in the get_fabric_user_by_token() function, which regrettably appends the given token directly to a SQL query. Hence the Proof of Concept:
GET /api/fabric/device/status HTTP/1.1
Host: 192.168.10.144
Authorization: Bearer 123'/**/or/**/'x'='x
And if the simple injection wasn’t enough, the watchTowr write-up manages direct Remote Code Execution (RCE) as an unauthenticated user, via a SQL query containing an os.system() call. And since MySQL runs as root on these systems, that’s pretty much everything one could ask for.
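An added example (not FortiWeb’s code) showing what the bearer value in that PoC does to a concatenated query, and the parameterised form that ignores it. The table layout is assumed, and SQLite stands in for the MySQL backend because it is in the standard library and treats the same /**/ comments as whitespace. The stacked-query path to os.system() from the write-up is not reproduced.

```python
import sqlite3

# Assumed schema: a token column that a bearer token is looked up against.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_user (id INTEGER PRIMARY KEY, name TEXT, token TEXT NOT NULL)")
    conn.executemany("INSERT INTO fabric_user (name, token) VALUES (?, ?)",
                     [("admin", "t0k3n-admin"), ("viewer", "t0k3n-viewer")])
    return conn


def get_fabric_user_by_token_vulnerable(conn: sqlite3.Connection, token: str):
    # The bearer token is spliced straight into the statement, as in the flawed function.
    sql = "SELECT id, name FROM fabric_user WHERE token = '" + token + "'"
    return conn.execute(sql).fetchone()


def get_fabric_user_by_token_fixed(conn: sqlite3.Connection, token: str):
    # Parameter binding: the token travels as data and is never parsed as SQL.
    return conn.execute("SELECT id, name FROM fabric_user WHERE token = ?", (token,)).fetchone()


INJECTION = "123'/**/or/**/'x'='x"   # the value carried in the PoC's Authorization header


def demo() -> dict:
    conn = make_db()
    return {
        # WHERE token = '123'/**/or/**/'x'='x'  -> always true, first row wins
        "vulnerable": get_fabric_user_by_token_vulnerable(conn, INJECTION),
        "fixed": get_fabric_user_by_token_fixed(conn, INJECTION),
        "fixed_with_real_token": get_fabric_user_by_token_fixed(conn, "t0k3n-viewer"),
    }


if __name__ == "__main__":
    print(demo())
```

With the injected value, the vulnerable lookup returns the first user in the table (here the admin) without any valid token, while the parameterised version returns nothing for the same input and still finds a user when handed a genuine token.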
AI guided AI attacks
The most intriguing story from this week is from [Golan Yosef], describing a vibe-researching session with the Claude LLM. The setup is a Gmail account and the Gmail MCP server to feed spammy emails into Claude desktop, and the Shell MCP server installed on that machine. The goal is to convince Claude to take some malicious action in response to an incoming, unsolicited email. The first attempt failed, and in fact the local Claude install warned [Golan] that the email may be a phishing attack. Where this mildly interesting research takes a really interesting turn, is when he asked Claude if such an attack could ever work.
Claude gave some scenarios where such an attack might succeed, and [Golan] pointed out that each new conversation with Claude is a blank slate. This led to a bizarre exchange where the running instance of Claude would play security researcher, and write emails intended to trick another instance of Claude into doing something it shouldn’t. [Golan] would send the emails to himself, collect the result, and then come back and tell Researcher Claude what happened. It’s quite the bizarre scenario. And it did eventually work. After multiple tries, Claude did write an email that was able to coerce the fresh instance of Claude to manipulate the file system and run calc.exe. This is almost the AI-guided fuzzing that is inevitably going to change security research. It would be interesting to automate the process, so [Golan] didn’t have to do the busywork of shuffling the messages between the two iterations of Claude. I’m confident we’ll cover many more stories in this vein in the future.
youtube.com/embed/TEpgnTgOqIY?…
Bits and Bytes
SugarCRM fixed a LESS code injection in an unauthenticated endpoint. These releases landed in October of last year, in versions 13.0.4 and 14.0.1. While there isn’t any RCE at play here, this does allow Server-Side Request Forgery, or arbitrary file reads.
Cryptojacking is the technique where a malicious website embeds a crypto miner in the site. And while it was particularly popular in 2017-2019, browser safeguards against blatant cryptojacking put an end to the practice. What c/side researchers discovered is that cryptojacking is still happening, just very quietly.
There are browser tidbits to cover in both major browsers. In Chrome it’s a Windows NT read function with a race condition that turns it into a write primitive; to actually make use of it, [Vincent Yeo] also needed a Chrome sandbox escape.
ZDI has the story of Firefox and a JavaScript Math confusion attack. By manipulating the indexes of arrays and abusing the behavior when integer values wrap-around their max value, malicious code could read and write to memory outside of the allocated array. This was used at Pwn2Own Berlin earlier in the year, and Firefox patched the bug on the very next day. Enjoy!
A Vulnerable Simulator for Drone Penetration Testing
The old saying that the best way to learn is by doing holds as true for penetration testing as for anything else, which is why intentionally vulnerable systems like the Damn Vulnerable Web Application are so useful. Until now, however, there hasn’t been a practice system for penetration testing with drones.
The Damn Vulnerable Drone (DVD, a slightly confusing acronym) simulates a drone that flies in a virtual environment under the command of an ArduPilot flight controller. A companion computer on the drone gives directions to the flight controller and communicates with a simulated ground station over its own WiFi network using the MAVLink protocol. The companion computer, in addition to running WiFi, also streams video to the ground station, sends telemetry information, and manages autonomous navigation, all of which means that the penetration tester has a broad yet realistic attack surface.
The Damn Vulnerable Drone uses Docker for virtualization. The drone’s virtual environment relies on the Gazebo robotics simulation software, which provides a full 3D environment complete with a physics engine, but does make the system requirements fairly hefty. The system can simulate a full flight routine, from motor startup through a full flight, all the way to post-flight data analysis. The video below shows one such flight, without any interference by an attacker. The DVD currently provides 39 different hacking exercises categorized by type, from reconnaissance to firmware attacks. Each exercise has a detailed guide and walk-through available (hidden by default, so as not to spoil the challenge).
This seems to be the first educational tool for drone hacking we’ve seen, but we have seen several vulnerabilities found in drones. Of course, it goes both ways, and we’ve also seen drones used as flying security attack platforms.
youtube.com/embed/EHTQv6IfnwI?…
A forgotten test account and a malware infection: behind the scenes of the data breach that hit McDonald’s
A recent data breach exposed a vulnerability in the systems of Paradox.ai, a developer of AI-based chatbots used in the hiring processes of McDonald’s and other Fortune 500 companies. The serious breach was caused by a simple mistake: an IDOR bug (Insecure Direct Object Reference, today filed under Broken Access Control in the OWASP Top 10) combined with a weak password.
It all started when security researchers Ian Carroll and Sam Curry gained access to the backend of McHire.com, a platform that uses Paradox.ai’s AI bot Olivia to process job applications. As it turned out, a test account with the password “123456” gave them access to a data set of 64 million records, including applicants’ names, phone numbers and email addresses.
The company admitted that it was indeed their test account, unused since 2019, and that it should have been deleted. Paradox maintains that nobody other than the researchers themselves accessed the system and that none of the records were made public. At the same time, it stresses that the data consisted only of conversations with the bot and not of the job applications themselves.
The problems did not end there, however. An independent analysis of password leaks showed that in June 2025 the device of a Paradox employee in Vietnam was infected with the Nexus Stealer malware. This type of malware is known for stealing passwords and authentication data, including cookies and manually entered login credentials. After the infection, the employee’s information was exposed and indexed by leak-monitoring services.
The stolen data included hundreds of simple, repetitive passwords, often differing only in their last characters. Some of them were used to access the internal services of Paradox customers, including Aramark, Lockheed Martin, Lowe’s and Pepsi. The same password, made up of just seven digits, was used to log in to several corporate systems. Passwords of this kind can be cracked in a second with modern brute-force tools.
What is particularly alarming is that the compromised data included logins for the Single Sign-On platform paradoxai.okta.com, which Paradox has used since 2020 and which supports two-factor authentication. Although the company says most of the compromised passwords are no longer valid, they included login details for Okta and for Atlassian, a project management and software development service. Both authorization tokens were reportedly due to expire in December 2025.
The leak affected not only logins but also cookies, which could potentially be used to bypass multi-factor authentication. Moreover, in some cases the malware leaves backdoors on the devices, allowing remote access. One such computer, belonging to a Paradox developer in Vietnam, was subsequently put up for sale.
Paradox says the incident did not affect other customer accounts and that the requirements for external contractors were tightened after the 2019 security audit. Paradox notes that in 2019 external contractors were not required to meet the same standards as internal staff.
It also emerged that another Paradox employee in Vietnam was infected with similar malware at the end of 2024. The stolen data included his GitHub accounts and browser history, which suggests that the infection may have occurred while downloading pirated films, a common way for this kind of malware, often disguised as codecs, to spread.
The story shows how fragile even companies that claim strict security standards can be. A forgotten test account and an infected laptop potentially compromised the data of several companies.
The article A forgotten test account and a malware infection: behind the scenes of the data breach that hit McDonald’s comes from il blog della sicurezza informatica.
MR Browser is the Package Manager Classic Macs Never Had
Homebrew bills itself as the package manager MacOS never had (conveniently ignoring MacPorts) but they leave the PPC crowd criminally under-served, to say nothing of the 68k gang. Enter [that-ben] with MR Browser, a simple utility to fetch software from Macintosh Repository for computers too old to hit up the website.
If you’re not familiar with Macintosh Repository, it is what it says on the tin: a repository of vintage Macintosh software, like Macintosh Garden but apparently less accessible to vintage machines.
MR Browser sys6 runs nicely on the Macintosh Plus, as you can see.
There are two versions available, depending on the age of your machine. For machines running System 6, the appropriately-named MR Browser sys6 will run on any 68000 Mac in only 157 KB of RAM, plus MacTCP networking. (So the 128K obviously isn’t going to cut it, but a Plus from ’86 would be fine.)
The other version, called MR Browser 68K, ironically won’t run on the 68000. It needs a newer processor (68020 or newer, up to and including PPC) and TCP/IP networking. Anything starting from the Macintosh II or newer should be game; it’s looking for System 7.x up to the final release of Mac OS 9, 9.2.2. You’ll want to give it at least 3 MB of RAM, but can squeak by on 1.6 MB if you aren’t using pictures in the chat.
Chat? Yes, perhaps uniquely for a software store, there’s a chat function. That’s not so weird when you consider that this program is meant to be a stand-alone interface for the Macintosh Repository website, which does, indeed, have a chat feature. It beats an uncaring algorithm for software recommendations, that’s for sure. Check it out in action in the demo video below.
It’s nice to see people still making utilities to keep the old machines going, even if coding on them isn’t always the easiest. If you want to go online with vintage hardware (Macintosh or otherwise) anywhere else, you’re virtually locked out unless you use something like FrogFind.
Thanks to [PlanetFox] for the tip. Submit your own, and you may win fabulous prizes. Not from us, of course, but anything’s possible!
Improve Your KiCad Productivity With These Considered Shortcut Keys
Over on his YouTube channel [Pat Deegan] from Psychogenic Technologies shows us two KiCad tips to save a million clicks.
In the same way that it makes sense for you to learn to touch type if you’re going to be using a computer a lot, it makes sense to put some thought and effort into your KiCad keyboard shortcut keys, too.
In this video [Pat] introduces the keymap that he has come up with for the KiCad programs (schematic capture and PCB layout) and explains the rules of thumb that he used to generate his recommended shortcut keys, being:
- one handed operation; you should try to make sure that you can operate the keyboard with one hand so your other hand can stay on your mouse
- proximity follows frequency; if you use it a lot it should be close to hand
- same purpose, same place; across programs similar functions should share the same key
- birds of a feather flock together; similar and related functionality kept in proximate clusters
- typing trounces topography; if you have to use both hands for typing you have to take your hand off the mouse anyway so then it doesn’t really matter where on the keyboard the shortcut key is
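Rules like these are easy to state and easy to violate once a keymap has a few dozen entries, so it helps to check a map mechanically. The script below is an added example, not [Pat]’s keymap or anything from the video: it runs three of the rules (no duplicate keys within a program, same purpose same place across programs, one-handed operation for frequent actions with chords exempted under "typing trounces topography") over a constructed pair of keymaps. The keymaps, the use counts and the set of keys counted as reachable by the left hand are all assumptions; the "birds of a feather" rule is a layout judgement and is not checked here.

```python
"""Check a KiCad-style shortcut keymap against the rules of thumb above.

Added example, not the keymap or any code from the video. The keymaps,
the per-action use counts and LEFT_HAND_KEYS are constructed assumptions.
"""
from typing import Dict, List

# Keys the left hand reaches while the right hand stays on the mouse (assumption).
LEFT_HAND_KEYS = set("qwertasdfgzxcvb12345") | {"Tab", "Esc", "Space"}

# Constructed keymaps: action -> key. A key is a single key or a chord such
# as "Ctrl+Shift+F"; the action names are chosen to overlap across programs.
SCHEMATIC = {
    "wire": "w", "label": "l", "place-symbol": "a", "rotate": "r",
    "mirror": "x", "move": "m", "delete": "Delete", "zoom-fit": "Ctrl+Shift+F",
}
PCB = {
    "route": "x", "place-footprint": "a", "rotate": "r", "mirror": "x",
    "move": "m", "delete": "Delete", "zoom-fit": "Ctrl+Shift+F", "via": "v",
}
# Rough per-session use counts (constructed) to drive "proximity follows frequency".
FREQUENCY = {"wire": 300, "route": 300, "rotate": 200, "move": 150,
             "place-symbol": 100, "place-footprint": 100, "mirror": 40,
             "label": 80, "delete": 60, "zoom-fit": 20, "via": 120}
HOT_THRESHOLD = 100  # actions used at least this often must stay one-handed


def is_chord(key: str) -> bool:
    """A chord needs both hands, so its position on the keyboard is moot."""
    return "+" in key and len(key) > 1


def check_keymap(maps: Dict[str, Dict[str, str]], freq: Dict[str, int],
                 threshold: int = HOT_THRESHOLD) -> List[str]:
    """Return human-readable rule violations; an empty list means clean."""
    problems: List[str] = []

    # Rule: within one program, a single key may drive only one action.
    for prog, km in maps.items():
        seen: Dict[str, str] = {}
        for action, key in km.items():
            if key in seen:
                problems.append(f"{prog}: '{key}' bound to both {seen[key]} and {action}")
            seen.setdefault(key, action)

    # Rule: same purpose, same place. Actions present in two programs share a key.
    progs = list(maps)
    for i, a in enumerate(progs):
        for b in progs[i + 1:]:
            for action in sorted(maps[a].keys() & maps[b].keys()):
                if maps[a][action] != maps[b][action]:
                    problems.append(
                        f"{action}: '{maps[a][action]}' in {a} vs '{maps[b][action]}' in {b}")

    # Rule: one-handed operation for frequent actions. Chords are exempt
    # because typing trounces topography: both hands leave the mouse anyway.
    for prog, km in maps.items():
        for action, key in km.items():
            if freq.get(action, 0) >= threshold and not is_chord(key) \
                    and key not in LEFT_HAND_KEYS:
                problems.append(f"{prog}: frequent action {action} needs the right hand for '{key}'")
    return problems


def run_check() -> List[str]:
    """Check the constructed schematic and PCB keymaps together."""
    return check_keymap({"schematic": SCHEMATIC, "pcb": PCB}, FREQUENCY)


if __name__ == "__main__":
    for p in run_check() or ["keymap is clean"]:
        print(p)
```

On the constructed maps the checker reports three problems: the PCB map binds `x` to both route and mirror, and `m` for move fails the one-hand rule in both programs because the right hand has to leave the mouse for it.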
You can find importable KiCad keymaps and customizable SVG cheatsheets in the downloads section of his notes.
[Pat]’s video includes some other tips and commentary (he gives you free access to a KiCad course he has put together) but for us the big takeaway was the keymaps. Also, if you haven’t been keeping abreast of developments, KiCad is now at version 9, as of February this year.
youtube.com/embed/T-voZId8eyw?…
8-Core ARM Pocket Computer Runs NixOS
What has 8 ARM cores, 8 GB of RAM, fits in a pocket, and runs NixOS? It’s no pi-clone SBC, but [MWLabs]’s smartphone: a OnePlus 6, to be precise.
The video embedded below, and the git link above, are [MWLabs]’s walk-through for loading the mobile version of Nix onto the cell phone, turning it into a tiny-screened Linux computer. He’s using the same flake on the phone as on his desktop, which means he gets all the same applications set up in the same way; talk about convergence. That’s an advantage to Nix in this application, compared to the usual Alpine-based PostMarketOS.
Of course some of the phone-like features of this pocket-computer are lacking: the SIM is detected, and he can text, but 4G is nonfunctional. The rear camera is also not there yet, but given that Mobile-NixOS builds on the work done by well-established PostMarketOS, and PostMarketOS’ testing version can run the camera, it’s only a matter of time before support comes downstream. Depending what you need a tiny Linux device for, the camera functionality may or may not be of particular interest. If you’re like us, the idea of a mobile device running Nix might just intrigue you.
Smartphones can be powerful SBC alternatives, after all. You can even turn them into SBCs. As long as you don’t need a lot of GPIO, like for a server, a phone in hand might be worth two birds in the raspberry bush.
youtube.com/embed/yxfDNqZ9WTM?…
ESP32 Plugs In to Real-Time Crypto Prices
In today’s high-speed information overload environment, we often find ourselves with too much data to take in at once, causing us to occasionally miss out on opportunities otherwise drowned out in noise. Nowhere is this more evident than in the realm of high-speed trading, whether it’s for stocks, commodities, or even crypto. Most of us won’t be able to build dedicated high speed connections directly to stock exchanges for that extra bit of edge over the other traders, but what we can do is build a system that keys us in to our cryptocurrency price of choice so we know exactly when to pull the trigger on a purchase or sale.
[rishab]’s project for doing this is based on an ESP32 paired with a 10″ touchscreen display. It gathers live data from Binance, a large cryptocurrency exchange that maintains various pieces of information about many digital currencies. [rishab]’s tool offers a quick, in-depth look at a custom array of coins, with data such as percentage change over a certain time and high and low values for that coin as well. The chart updates in real time, and [rishab] also built in a feature which scales coins up if they have been seeing large movements in price over short timeframes.
Although it’s not a direct fiber link into an exchange, it certainly has its advantages over keeping this information in a browser window on a computer where it could get missed, and since it’s dedicated hardware running custom firmware it can show you exactly what you need to see if you’re day trading crypto. Certainly projects like this are in the DIY spirit that crypto enthusiasts tout as ideals of the currency, and as people move away from mining and more into speculative trading we’d expect to see more projects like this.
youtube.com/embed/U1MZoj3MJso?…
Building a Stirling Engine Bike
Over on his YouTube channel [Tom Stanton] shows us how to build a Stirling Engine for a bike.
A Stirling Engine is a heat engine, powered by the expansion and contraction of a working fluid (such as air) which is heated and cooled in a cycle. In the video [Tom] begins by demonstrating the Stirling Engine with some model engines and explains the role of the displacer piston. His target power output for his bike engine is 150 watts (about 0.2 horsepower) which is enough power to cycle at about 15 mph (about 24 km/h). After considering a CPU heatsink as the cooling system he decided on water cooling instead.
[Tom] goes on to 3D print and machine various parts for his bike engine. He uses myriad materials including aluminum and Teflon. He isn’t yet comfortable machining steel, so he had the steel part he needed for handling the hot end of the engine manufactured by a third party.
[Tom] explains that when he started the project he had intended to make a steam engine. But after some preliminary research he discovered that a Stirling Engine was a better choice, particularly since they are quieter, more efficient, and safer. After a number of false starts and various adjustments he manages to get his engine to run, which is pretty awesome. Standby for part two to see the bike in action!
We have covered the Stirling Engine here on Hackaday many times before. You might like to read about how to create one with minimal parts or how to make one from expedient materials.
youtube.com/embed/zB3lrLjqIh4?…
2025 One Hertz Challenge: Building a Better Jumping Bean
Do you feel nostalgia for a childhood novelty toy that had potential but ultimately fell short of its promise? Do you now have the skills to go make a better version of that toy to satisfy your long-held craving? [ExpensivePlasticCrap] does and has set off on a mission to make a better jumping bean.
Jumping beans, the phenomenon on which the novelty of [ExpensivePlasticCrap]’s childhood is based, are technically not beans, and their movement is arguably not a jump — a small hop at best. The trick is that each not-a-bean has become home to a moth larva that twitches and rolls on the ground as the larva thrashes about, trying to move its protective shell out of the hot sun.
The novelty bean was a small plastic pill-like capsule with a ball bearing inside that would cause the “bean” to move in unexpected ways as it rolled around. [ExpensivePlasticCrap]’s goal is to make a jumping bean that lives up to its name.
Various solenoids and motors were considered for the motion component of this new and improved bean. Ultimately, it was a small sealed vibrating motor that would be selected to move the bean without getting tangled in what was to become a compact bundle of components.
An ATtiny microcontroller won out over discrete components for the job of switching the motor on and off (once per second), for ease of implementation. Add this along with a MOSFET, battery and charging board for power into a plastic capsule, and the 1 Hz jumping bean was complete.
[ExpensivePlasticCrap] offers some thoughts on how to get more jump out of the design by reducing the weight of the build and giving it a more powerful source of motion.
If insect-inspired motion gets you jumping, check out this jumping robot roach and these tiny RoboBees.
The Apollo–Soyuz Legacy Lives On, Fifty Years Later
On this date in 1975, a Soviet and an American shook hands. Even for the time period, this wouldn’t have been a big deal if it wasn’t for the fact that it happened approximately 220 kilometers (136 miles) over the surface of the Earth.
Crew of the Apollo–Soyuz Test Project
Although their spacecraft actually launched a few days earlier on the 15th, today marks 50 years since American astronauts Thomas Stafford, Vance Brand, and Donald “Deke” Slayton docked their Apollo spacecraft to a specifically modified Soyuz crewed by Cosmonauts Alexei Leonov and Valery Kubasov. The two craft were connected for nearly two days, during which time the combined crew was able to freely move between them. They conducted scientific experiments, exchanged flags, and ate shared meals together.
Politically, this very public display of goodwill between the Soviet Union and the United States helped ease geopolitical tensions. On a technical level, it not only demonstrated a number of firsts, but marked a new era of international cooperation in space. While the Space Race saw the two countries approach spaceflight as a competition, from this point on, it would largely be treated as a collaborative endeavour.
The Apollo–Soyuz Test Project led directly to the Shuttle–Mir missions of the 1990s, which in turn were a stepping stone towards the International Space Station. Not just because that handshake back in 1975 helped establish a spirit of cooperation between the two space-faring nations, but because it introduced a piece of equipment that’s still being used five decades later — the Androgynous Peripheral Attach System (APAS) docking system.
Meeting in the Middle
While the Apollo–Soyuz Test Project was the first time spacecraft from two different countries linked up, it was far from the first docking in space. The Apollo program relied heavily on the concept, as the Command Module and Lunar Module would dock and undock multiple times on each lunar mission. For their part, the Soviets had also docked a pair of Soyuz capsules together as early as 1967. By the early 1970s, both nations had also docked spacecraft to their respective space stations.
The problem was, the docking systems used by both countries weren’t compatible with each other. In fact, things were changing so fast that even vehicles from the same country couldn’t necessarily dock with each other. For example, an American Gemini capsule wouldn’t be able to dock with Skylab. Of course, this isn’t terribly surprising. At this point, most of the hardware was mission-specific, and only flew once.
What the Apollo–Soyuz Test Project needed was a standardized docking interface that took into account the lessons learned by both countries so far. By 1970, Soviet and US engineers had started meeting and exchanging information to decide what such a docking standard would look like. It was decided early on that this new docking standard should be androgynous — rather than having distinct “male” and “female” variants as was the norm with earlier docking ports. In this way, the same docking port could be used to support two spacecraft docking together as was planned for the Apollo–Soyuz Test Project, while at the same time allowing a vehicle to dock to a space station.
This capability was so key to the design that the docking standard ultimately came to be known as the Androgynous Peripheral Attach System. While the US and Soviet versions did differ slightly, they were mechanically compatible with each other. Some elements of the design were the result of a compromise, such as the overall diameter of the port being limited to the size of the existing Apollo and Soyuz capsules, but otherwise it was hoped the concept would prove useful for future missions and spacecraft from both nations.
Built to Last
The Apollo–Soyuz Test Project was the only time an Apollo and Soyuz spacecraft docked in space. In fact, it was the last time an Apollo spacecraft flew — after the conclusion of this mission, there wouldn’t be another crewed American mission until the Space Shuttle came online nearly six years later.
But once the Americans started flying the Shuttle, and the Soviets had established their Mir space station, it wasn’t long before the two would meet. The Soviets had already designed a modified version of APAS that they called APAS-89, which was intended to allow the Buran spacecraft to dock with Mir. Buran never made it past the testing phase, but the work on the docking port ended up being adapted once more for the Shuttle. This final version of the standard became known as APAS-95, and was used until the final Shuttle-Mir mission in June of 1998.
The International Space Station
APAS-95 performed so well during the Mir missions that it was decided the Shuttle would continue to use it for the International Space Station. In addition, APAS-95 (as well as a modified “hybrid” version) would also be used to hold together the core US and Russian modules of the Station.
It was the de facto docking standard used until the introduction of the International Docking Adapter in 2015, which converted the exposed APAS-95 ports used for visiting American spacecraft to a newer design to be used by modern vehicles such as the SpaceX Dragon and Boeing Starliner.
While it has now been retired for the International Docking System Standard (IDSS), the ISS is still being held together by APAS-95, and will remain that way until the space laboratory is eventually de-orbited. Not a bad legacy for a technology initially developed for a simple handshake.
ProtoWeb: Browsing the Information Superhighway Like It’s 1995
Feeling nostalgic? Weren’t around in the 90s but wonder what it was like? ProtoWeb has you covered! Over on his YouTube channel [RetroTech Chris] shows you how to browse the web like it’s 1995.
The service that [RetroTech Chris] introduces is on the web over here: protoweb.org. The way it works is that you configure your browser to use the service’s proxy server, then the service will be able to intercept your browsing activity and serve you old content from its cache. Also, for some supported sites, you will see present-day content but presented in the format you would have seen in the 90s. Once you have configured your browser to use the ProtoWeb proxy you can navigate to inode.com/ where you will find a directory listing of sites which have been archived or emulated within the service.
In his video [RetroTech Chris] actually demos some of the old web browsers running on old hardware, which is a very good recreation of what things were like. If you want the most realistic experience you can even configure ProtoWeb to slow down your network connection to the speed of a 56k dial-up modem. There are some things from the 90s that we miss, but waiting for websites to load isn’t one of them!
We had a look in our own archive to see how far back we here at Hackaday could go, and we found our first post, from September 2004: Radioshack Phone Dialer – Red Box. A red box! Spicy.
youtube.com/embed/-Qs3LVPmLgk?…
Thanks to [Teejay] for writing in about this one.
A Field Guide to the North American Cold Chain
So far in the “Field Guide” series, we’ve mainly looked at critical infrastructure systems that, while often blending into the scenery, are easily observable once you know where to look. From the substations, transmission lines, and local distribution systems that make up the electrical grid to cell towers and even weigh stations, most of what we’ve covered so far are mega-scale engineering projects that are critical to modern life, each of which you can get a good look at while you’re tooling down the road in a car.
This time around, though, we’re going to switch things up a bit and discuss a less-obvious but vitally important infrastructure system: the cold chain. While you might never have heard the term, you’ve certainly seen most of the major components at one time or another, and if you’ve ever enjoyed fresh fruit in the dead of winter or microwaved a frozen burrito for dinner, you’ve taken advantage of a globe-spanning system that makes sure environmentally sensitive products can be safely stored and transported.
What’s A Cold Chain?
Simply put, the cold chain is a supply chain that’s capable of handling items that are likely to be damaged or destroyed unless they’re kept within a specific temperature range. The bulk of the cold chain is devoted to products intended for human consumption, mainly food but also pharmaceuticals and vaccines. Certain non-consumables also fall under the cold chain umbrella, including cosmetics, personal care products, and even things like cut flowers and vegetable seedlings. We’ll be mainly looking at the food cold chain for this article, though, since it uses most of the major components of a cold chain.
As the name implies, the cold chain is designed to maintain a fixed temperature over the entire life of a product. “Farm to fork” is a term often used to describe the cold chain, since the moment produce is harvested or prepared foods are manufactured, the clock starts ticking. The exact temperature required varies by food type. Many fruits and vegetables that ripen in the summer or early autumn can stand pretty high temperatures, at least for a while after harvesting, but some produce, like lettuces and fresh greens, will start wilting very quickly after harvest.
For extremely sensitive crops, the cold chain might start almost the second the crop is harvested. Highly perishable crops such as sweet corn, greens, asparagus, and peas require rapid cooling to remove field heat and to slow the biological processes that were still occurring within the plant tissues at the time of harvest. This is often accomplished right in the field with a hydrocooler, which uses showers or flumes of chilled water. Extremely perishable crops such as broccoli might even be placed directly into flaked ice in the field. Other, less-sensitive crops that can wait an hour or two will enter the cold chain only when they’re trucked a short distance to an initial processing plant.
Many foods, including different kinds of produce, fresh meat and fish, and lots of prepared meals, benefit from flash freezing. Flash freezing aims to reduce damage to the food by controlling the size and number of ice crystals that form within the cells of the plant or animal tissue. Simply putting a food item in a freezer and waiting for the heat to passively transfer out of it tends to form few but large ice crystals, which are far more damaging than the many tiny ice crystals that form when the heat is rapidly removed. Flash freezing methods include cryogenic baths using liquid nitrogen or liquid carbon dioxide, blast cooling with high-velocity jets of chilled air, fluidized bed cooling, where pressurized chilled air is directed upward through a bed of produce while it’s being agitated, and plate cooling, where chilled metal plates lightly contact flat, thin foods such as pizza or sliced fish.
youtube.com/embed/i0f-ychdTdE?…
Big and Cold
A very large public refrigerated warehouse. Note the high-bay storage area to the left, which houses a fully automated AS/RS freezer section. Source: Lineage Logistics.
Once food is chilled to the proper temperature, it needs to be kept at that temperature until it can be sold. This is where cold warehousing comes in, an important part of the cold chain that provides controlled-temperature storage space that individual producers simply can’t afford to maintain. The problem for farmers is that many crops are determinate, meaning that all the fruits or vegetables are ready for harvest more or less at the same time. Outsourcing their cold warehousing to companies that specialize in that part of the cold chain allows them to concentrate on growing and harvesting their crop instead of having to maintain a huge amount of storage space, which would sit unused for the entire growing season.
Cold warehouses, or public refrigerated warehouses (PRWs) as they’re known in the trade, benefit greatly from economies of scale, and since they accept produce from hundreds or even thousands of producers, their physical footprints can be staggering. The average PRW in the United States has grown in size dramatically since the post-pandemic e-commerce boom and now covers almost 185,000 square feet, or more than 4 acres. Most PRWs have four temperature zones: deep freeze (-20°F to -10°F) for items such as ice cream and frozen vegetables; freezer (0°F to 10°F) for meats and prepared foods; refrigerated (35°F to 45°F), for fresh fruits and vegetables; and cool storage, which is basically just consistent room-temperature storage for shelf-stable food items. What’s more, each zone can have sub-zones tailored specifically for foods that prefer a specific temperature; bananas, for example, do best around 46°F, making the fridge section too cold and the cool section too warm. Sub-zones allow goods to be stored just right.
A map of some of the key public refrigerated warehouses in the United States. Notice how there are practically none in the areas that raise primarily cereal grains. Source: map via ArcGIS, data from Global Cold Chain Alliance (public use).
Due to the nature of their business, location is critical to PRWs. They have to be close to where the food is produced as well as handy to transportation hubs, which means you’ve probably seen one of these behemoth buildings from a highway and not even known it. The map above highlights the main agricultural regions of the United States, such as the fruit and vegetable producers in the Central Valley of California and the Willamette Valley in Oregon, meat packing plants in the Upper Midwest, the hog and chicken producers in the South, and seafood producers along both coasts. It also shows a couple of areas with no PRWs, which are areas where agriculture is limited to cereal grains, which don’t require refrigeration after harvest, and livestock, which are usually shipped for slaughter somewhere other than where they were raised.
Thanks to the complicated logistics of managing multiple shippers and receivers, most cold warehouses have a level of automation that rivals that of an Amazon distribution center. A lot of the automation is found in the high-bay freezer, a space often three or four stories tall that has rack after rack of space for storing palletized products. Automated storage and retrieval systems (AS/RS) store and fetch pallets using large X-Y gantry systems running between the racks. Algorithms determine the best storage location for pallets based on their contents, the temperature regime they require, and the predicted length of stay within the warehouse.
While AS/RS reduces the number of workers needed to run a cold warehouse, and there are some fully automated PRWs, most cold warehouses maintain a large workforce to run forklifts, pick pallets, and assemble orders for shipping. These workers face significant health and safety challenges, risking everything from slips and falls on icy patches to trench foot and chill-induced arthritis and dermatitis. Cold-stress injuries, such as hypothermia and frostbite, are possible too. Warehouses often have to limit the number of hours their employees work in the cold zones, and they have to provide thermal wear along with the standard complement of PPE.
youtube.com/embed/mW11jmZUHoE?…
Reefer Madness
Once an order is assembled and ready to ship from the cold warehouse, food enters perhaps the most visible — and riskiest — link in the cold chain: refrigerated trucks and shipping containers. Known as reefers, these are specialized vehicles that have the difficult task of keeping their contents at a constant temperature no matter what the outside conditions might be. A reefer might have to deliver a load of table grapes from a PRW in California to a supermarket distribution center in Massachusetts, continue to Maine to pick up a load of live lobsters, and drop that off at a PRW in Florida before running a load of oranges to Washington.
Reefer trailers are one of the last links in the “farm to fork” cold chain. The diesel tank, which fuels the reefer and allows it to run with no tractor attached, can barely be seen between the legs of the trailer. Source: Felix Mizioznikov – stock.adobe.com
Meeting the challenge of all these conditions is the job of the refrigeration unit. Typically mounted in an aerodynamic fairing on the front of a semi-trailer unit, the refrigeration unit is essentially a heat pump on steroids. For over-the-road (OTR) reefers, as opposed to railcar reefers or shipping container reefers, the refrigeration unit is powered by a small but powerful diesel engine. Typically either three- or four-cylinder engines making 20 to 30 horsepower, these engines run the compressor that pumps the refrigerant through the condenser and evaporator, as well as the powerful fan that circulates air inside the trailer. Fuel for the engine is stored in a tank mounted under the trailer, allowing the reefer to run even when the trailer is parked with no tractor attached. The refrigeration unit is completely automatic, with a computer taking input from temperature sensors inside the trailer to make sure the interior remains at the setpoint. The computer also logs everything going on in the reefer, making the data available via a USB drive or to a central dispatcher via a telematics link.
The trailer body itself is carefully engineered, with thick insulation to minimize heat transfer to and from the outside environment while maximizing heat transfer between the produce and the air inside the trailer. For maximum cooling — or heating; if a load of bananas has to be kept at their happy place of 46°F while being trucked across eastern Wyoming in January, the refrigeration unit will probably have to run its cycle in reverse to add heat to the trailer — the air must reach the back of the unit. Reefer units use flexible ducts in the ceiling to direct the air 48 to 53 feet to the very back of the trailer, where it bounces off the rear doors and returns to the front of the trailer with the help of channels built into the floor. Shippers need to be careful when loading a reefer to obey load height limits and to correctly orient pallets so as not to block air circulation inside the trailer.
In addition to the data logging provided by the refrigeration unit, shippers will often include temperature loggers inside their shipments. Known generically to produce truckers as a “Ryan” for a popular brand, these analog strip chart recorders use a battery-powered motor to move a strip of paper past a bimetallic arm. Placed in a tamper-evident container, the recorder is placed within a pallet and records the temperature over a 10- to 40-day period. The receiver can break the seal open and see a complete temperature history of the shipment, detecting any accidental (or intentional; drivers sometimes find it hard to sleep with the reefer motor roaring right behind the sleeper cab) interruptions in the operation of the reefer.
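The reefer’s controller log and the shipper’s own recorder exist so that the receiver can answer two questions: did the load ever leave its temperature band, and is the record itself continuous, or is there a stretch with no samples during which the unit may have been switched off? The script below is an added example, not firmware from any refrigeration unit or the “Ryan” recorder: it reads a constructed reefer log (the CSV layout, the 15-minute cadence, the 3°F tolerance and every reading are assumptions) and reports logging gaps and setpoint excursions, noting whether the unit was reporting itself off while the temperature climbed.

```python
"""Find setpoint excursions and logging gaps in a reefer temperature log.

Added example, not code from any refrigeration unit or recorder. The
CSV layout (minutes since loading, setpoint F, return-air F, unit state),
the cadence, the tolerance and all readings are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = """\
# minute,setpoint_f,return_air_f,unit
0,34,36.5,RUN
15,34,34.8,RUN
30,34,34.2,RUN
45,34,34.1,RUN
60,34,34.0,RUN
90,34,34.3,RUN
105,34,39.0,OFF
120,34,43.5,OFF
135,34,47.2,OFF
150,34,46.0,RUN
165,34,40.1,RUN
180,34,35.2,RUN
195,34,34.0,RUN
"""

TOLERANCE_F = 3.0       # allowed deviation from setpoint (assumption)
EXPECTED_INTERVAL = 15  # logging cadence in minutes (assumption)


@dataclass(frozen=True)
class Reading:
    minute: int
    setpoint: float
    temp: float
    unit: str


def parse_log(text: str) -> List[Reading]:
    """Parse the constructed CSV; comment lines and blank lines are skipped."""
    readings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m, sp, t, u = line.split(",")
        readings.append(Reading(int(m), float(sp), float(t), u.strip()))
    return readings


def find_events(readings: List[Reading], tolerance: float = TOLERANCE_F,
                interval: int = EXPECTED_INTERVAL) -> List[Dict]:
    """Return a list of events in log order.

    'gap': two consecutive samples further apart than the cadence, which
    is how a powered-off unit or a tampered recorder shows up.
    'excursion': a run of samples outside setpoint +/- tolerance, with the
    temperature of worst deviation, the minutes until back in band, and
    whether the unit reported itself not running during the run.
    """
    events: List[Dict] = []
    prev: Optional[Reading] = None
    exc: Optional[Dict] = None  # the excursion currently being tracked

    def close(end_minute: int) -> None:
        exc["end"] = end_minute
        exc["minutes"] = end_minute - exc["start"]
        events.append(exc)

    for r in readings:
        if prev is not None and r.minute - prev.minute > interval:
            events.append({"type": "gap", "start": prev.minute, "end": r.minute})
        deviation = abs(r.temp - r.setpoint)
        if deviation > tolerance:
            if exc is None:
                exc = {"type": "excursion", "start": r.minute, "peak": r.temp,
                       "peak_dev": deviation, "unit_off": False}
            elif deviation > exc["peak_dev"]:
                exc["peak"], exc["peak_dev"] = r.temp, deviation
            if r.unit != "RUN":
                exc["unit_off"] = True
        elif exc is not None:
            close(r.minute)   # first in-band sample ends the excursion
            exc = None
        prev = r
    if exc is not None and prev is not None:
        close(prev.minute)    # log ended while still out of band
    return events


def analyze_sample() -> List[Dict]:
    """Run the detector over the constructed log."""
    return find_events(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ev in analyze_sample():
        print(ev)
```

A gap and an excursion are reported separately on purpose: a gap with the temperature still in band on both sides is a record-integrity question, while an excursion with no gap is a unit-performance question, and the receiver treats the two differently when deciding whether to reject the load.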
Featured image: “Close Up of Frozen Vegetables” by Tohid Hashemkhani
Video of a Live Ransomware Attack! HackerHood’s workshop for Omnia and WithSecure
HackerHood, Red Hot Cyber’s team of ethical hackers, has produced something rarely seen outside the most exclusive conferences: a live workshop in which a complete ransomware attack is shown, step by step.
This is not a theoretical simulation but a real journey into the dark side of the network, where a simple phishing email leads in a few minutes to the complete compromise of a computer system. All this was made possible thanks to the collaboration with OMNIA and WithSecure, two companies that have always invested in a culture of security.
This exclusive workshop, presented by Antonio Montillo and Alessandro Moccia of Framework Security, was shown at a closed-door event organized by Omnia and WithSecure on 2 July 2025 at the modern Tier IV datacenter in Siziano (PV).
The goal? To see, understand, and protect yourself in time!
The two professionals managed to explain, simply and in detail, the technical complexity hidden behind a cyber attack. What we normally read in reports, among acronyms and diagrams, here comes to life before our eyes: from the initial lure that induces the victim to click, to the execution of the malware, up to the encryption of the data and the classic ransom screen. It is a path that is not as spectacular as a cyber attack seen in a box-office hit, but it is real and deeply educational.
youtube.com/embed/wAa7zT-ithI?…
The beauty of this workshop is that it did not limit itself to showing “what” ransomware does, but also explains “how” and “why” it works. It clearly shows how important the technical preparation of those working in defense is: knowing the tactics, techniques, and procedures used by criminals is the only way to build effective barriers.
It is often thought that a good antivirus or a few updates are enough to feel safe, but the reality is quite different: cybersecurity is continuous, shared work, made up of study, testing, simulations, and constant updating.
The infrastructure set up for the workshop consisted of the following software components:
- Client workstations
- Windows domain controller
- Microsoft Exchange mail server
- SQL Server database server
Exploitation and pivoting phase inside the infrastructure
For this very reason we decided not to keep this content only for those who attended the event, but to share it with everyone.
The video of part of the workshop is available on our YouTube channel: yes, it is a bit long, but believe us, it is worth every second. By watching it you will understand not only the destructive power of ransomware, but also how subtle and convincing the initial attack can be. It is a concrete way to raise awareness among companies, professionals, and the simply curious about a threat that strikes organizations large and small every day.
In a world where technology runs ever faster, initiatives like this one by Omnia and WithSecure help us stop for a moment and really look at the risks we run.
HackerHood and Red Hot Cyber want to take the culture of security outside technical circles and make it accessible to everyone, because only by understanding how an attack works can we really learn to defend ourselves. And now it’s your turn: watch the workshop, share it, and become part of this daily battle against cyber threats.
Because ransomware doesn’t stop. And neither should we!
The article “Il Video di un Attacco Ransomware in Diretta! Il workshop di HackerHood per Omnia e WithSecure” (Video of a Live Ransomware Attack! HackerHood’s workshop for Omnia and WithSecure) comes from il blog della sicurezza informatica.
This Service Life Study Really Grinds Our Gears
3D printing is arguably over-used in the maker community. It’s just so easy to run off a quick prototype and then… well, it’s good enough, right? Choosing the right plastic can go a long way to making sure your “good enough” prototype really is good enough for long term use. If you’re producing anything with gearing, you might want to cast your eyes to a study by [Mert Safak Tunalioglu] and [Bekir Volkan Agca] titled: Wear and Service Life of 3-D Printed Polymeric Gears.
No spin doctoring here, spinning gears.
The authors printed simple test gears in ABS, PLA, and PETG, and built a test rig to run them at 900 rpm with a load of 1.5 Nm against a steel drive gear. The gears were pulled off and weighed every 10,000 rotations, and allowed to run to destruction, which occurred in the hundreds-of-thousands of rotations in each case. The verdict? Well, as you can tell from the image, it’s to use PETG.
The authors think that this is down to PETG’s ductility, so we would have liked to see a hard TPU added to the mix, to say nothing of the engineering filaments. On the other hand, this study was aimed at the most common plastics in the 3D printing world and also verified a theoretical model that can be applied to other polymers.
This tip was sent in by [Benjamin], who came across it as part of the research to build his first telescope, which we look forward to seeing. As he points out, it’s quite lucky for the rest of us that the U.S. government provides funding to make such basic research available, in a way his nation of France does not. All politics aside, we’re grateful both to receive your tips and for the generosity of the US taxpayer.
We’ve seen similar tests done by the community — like this one using worm gears — but it’s also neat to see how institutional science approaches the same problem. If you need oodles of cycles but not a lot of torque, maybe skip the spurs and print a magnetic gearbox. Alternatively you break out the grog and the sea shanties and print yourself a capstan.
GhostContainer backdoor: malware compromising Exchange servers of high-value organizations in Asia
In a recent incident response (IR) case, we discovered highly customized malware targeting Exchange infrastructure within government environments. Analysis of detection logs and clues within the sample suggests that the Exchange server was likely compromised via a known N-day vulnerability. Our in-depth analysis of the malware revealed a sophisticated, multi-functional backdoor that can be dynamically extended with arbitrary functionality through the download of additional modules. Notably, the attackers leveraged several open-source projects to build this backdoor. Once loaded, the backdoor grants the attackers full control over the Exchange server, allowing them to execute a range of malicious activities. To evade detection by security products, the malware employs various evasion techniques and disguises itself as a common server component to blend in with normal operations. Furthermore, it can function as a proxy or tunnel, potentially exposing the internal network to external threats or facilitating the exfiltration of sensitive data from internal devices. Our telemetry data indicates that this malware may be part of an APT campaign targeting high-value organizations, including high-tech companies, in Asia. Our team is currently investigating the scope and extent of these attack activities to better understand the threat landscape.
GhostContainer: the backdoor
| Property | Value |
|---|---|
| MD5 | 01d98380dfb9211251c75c87ddb3c79c |
| SHA1 | 2bb0a91c93034f671696da64a2cf6191a60a79c5 |
| SHA256 | 87a3aefb5cdf714882eb02051916371fbf04af2eb7a5ddeae4b6b441b2168e36 |
| Link time | 1970-01-01 12:00 AM UTC |
| File type | PE32 executable (EXE) (CLI) Intel 80386, for MS Windows Mono/.Net assemblys |
| File size | 32.8 KB |
| File name | App_Web_Container_1.dll |
The name of this file is App_Web_Container_1.dll. As the file name suggests, it serves as a “container”. It contains three key classes (Stub, App_Web_843e75cf5b63, and App_Web_8c9b251fb5b3) and one utility class (StrUtils). Once the file is loaded by the Exchange service, the Stub class is executed first. It acts as a C2 command parser, capable of executing shellcode, downloading files, running commands, and loading additional .NET byte code. One of the most notable features is that it creates an instance of the App_Web_843e75cf5b63, which serves as a loader for the web proxy class (App_Web_8c9b251fb5b3) via a virtual page injector.
Stub: C2 parser and dispatcher
At the beginning of execution, the Stub class attempts to bypass AMSI (Antimalware Scan Interface) and Windows Event Log. This is accomplished by overwriting specific addresses in amsi.dll and ntdll.dll, which allows it to evade AMSI scanning and Windows event logging.
Next, it retrieves the machine key from the ASP.NET configuration, specifically the validation key, and converts it to a byte array. The code used to generate the validation key was simply copied from the open-source project machinekeyfinder-aspx. The validation key is then hashed using SHA-256 to ensure it is 32 bytes long, and the resulting byte array is returned for use in AES encryption and decryption (to protect the data transferred between the attacker and the Exchange server).
The malware’s primary functionality is to receive requests from the attacker and parse them as follows:
- Receive the value of x-owa-urlpostdata from the attacker’s request data and decode it as Base64.
- Use the AES key generated above to decrypt the decoded data. The first 16 bytes of the decoded data are used as the initialization vector (IV).
- Decompress the decrypted data and dispatch operations based on the command ID (first byte).
To execute commands, Stub checks if the current user is a system account. If it is not, it attempts to impersonate a user by utilizing a token stored in the application domain’s data storage. This allows the application to perform actions under a different identity.
C2 commands and functionality:
| Command ID | Description |
|---|---|
| 0 | Get the architecture type (e.g., x86 or x64) |
| 1 | Run received data as shellcode |
| 2 | Execute a command line |
| 3 | Load .NET byte code in a child thread |
| 4 | Send a GET request |
| 5 | Download and save a file |
| 6 | Save provided raw data to a file |
| 7 | Delete a file |
| 8 | Read file contents |
| 9 | Execute a .NET program with output |
| 10 | Invoke a virtual page injector (create an instance of class App_Web_843e75cf5b63) |
| 11 | Iterate and delete files whose names contain App_Global in the defined folder and its subdirectories |
| 14 | Perform HTTP POST requests to multiple URLs concurrently |
Each time the command is executed, an XML-formatted response is generated, containing the execution result or return value. The value element in the XML starts with a hardcoded string /wEPDwUKLTcyODc4, and the same string is used in another open-source project, ExchangeCmdPy.py, to exploit the Exchange vulnerability CVE-2020-0688.
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTcyODc4[BASE64_ENCODED_RESULT]" />
By further comparing the code of GhostContainer with the ExchangeCmdPy.py open-source project, we observe a high degree of similarity in their entry function structures and keyword strings. This leads us to speculate that the code of the Stub class was developed based on the open-source project. We suspect that the vulnerability exploited in the Exchange attack may be related to CVE-2020-0688.
App_Web_843e75cf5b63: virtual page injector
This class is based on yet another open-source project, PageLoad_ghostfile.aspx, and it is designed to create ghost pages using classes like VirtualProvider. It contains a few classes which inherit from multiple system classes responsible for creating virtual ASPX pages and override some of their methods. It will create a virtual page using the two provided arguments: fakePageName and fakePath. The purpose of this approach is to run a .NET reflection loader (the fake page – see Appendix II) and bypass file checks. The loader is hardcoded into the program as a Base64-encoded .aspx source code.
This fake page is used to locate the web proxy class App_Web_8c9b251fb5b3 in the current domain and execute its static method AppWebInit. As soon as it is created, the attacker starts sending requests to it, which will then be received and parsed by App_Web_8c9b251fb5b3.
App_Web_8c9b251fb5b3: web proxy
App_Web_8c9b251fb5b3 is one core component in the GhostContainer sample, typically loaded indirectly through the fake page (App_Web_843e75cf5b63). This class includes web proxy, socket forwarding, and covert communication capabilities, serving as a typical example of a combined web proxy and tunneling module.
When an instance of this class is created, the static value utcDate is initialized with the current date and time. To identify the current version of the class, the fake page selects and invokes the one with the maximum utcDate value.
There are only two functions in this class. The AppWebInit() function serves as the actual entry point of the module, and it is dynamically invoked through reflection in the fake .aspx page. In the function StrTr, it implements a custom string translation mechanism before decoding Base64-encoded strings.
Again, we linked this algorithm to an open-source project, this time Neo-reGeorg. The function name StrTr and its code are identical. By comparing the code, it becomes clear that this class is a highly customized version of Neo-reGeorg.
The primary behavior of the module is focused on parsing requests the attacker sends to the fake web page. When receiving a request, it first inspects the header. Its further behavior may vary depending on the identified header:
- The Qprtfva header identifies proxy forwarding requests.
- The Dzvvlnwkccf header identifies socket communication requests.
- In other cases, the malware responds with the string "<!-- 5lxBk9Zh7MDCyVAaxD8 -->".
If the header is Qprtfva, the malware establishes a web proxy by completing the following steps:
- Decode a Base64-encoded string to obtain the target URL.
- Clone the original request content (headers other than Qprtfva, and the body).
- Forward the request to the decoded target address.
- Return the target’s response content as the local response.
If the header is Dzvvlnwkccf, the malware establishes or manages a long-lived TCP tunnel connection between the internet and intranet. In order to identify and maintain different socket objects simultaneously, it defines a name for each socket object and then saves that name in pairs with the socket object in global storage. The name of the socket is contained in the first 22 bytes of the value of the header Dzvvlnwkccf. The exact activity is contained in the command section of the request, which starts from byte 23. The module accepts the following socket communication commands.
| Command | Description |
|---|---|
| 1iGBIM1C5PmawX_1McmR7StamYn23jpfQoENPlm19cH42kceYkm8ch4x2 | Extracts the IP and port from an encrypted header, attempts to connect, and saves the socket. |
| vfhafFQZ4moDAvJjEjplaeySyMA | Closes the socket and removes it from the global storage. |
| M4LubGO0xaktF_YgZpsiH3v1cJ4dloAPOZKdG8AK4UxM | Converts HTTP request body content to socket data and sends it to the internal host. |
| NYIJVBf2PXRn7_BWxFyuheu1O0TuE9B0FtF0O | Receives data from the internal network, encodes it, and sends it back to the attacker as an HTTP response body. |
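The dispatch rules above (the Stub’s x-owa-urlpostdata channel with its hardcoded ViewState prefix, the Qprtfva proxy header and the Dzvvlnwkccf tunnel header with its 22-byte socket name) can be turned into a triage helper for captured requests. The following Python is an added example, not code from the report or from the malware; it assumes that x-owa-urlpostdata arrives as a POST form field, that the command token follows the socket name inside the same header value, and that the ASP.NET validationKey is hex-encoded as it appears in web.config. The sample requests are constructed.

```python
"""Triage helper for GhostContainer-style request artifacts (added example)."""
import base64
import binascii
import hashlib
from dataclasses import dataclass
from typing import Optional

# Hardcoded ViewState prefix present in Stub responses (from the report).
STUB_RESPONSE_PREFIX = "/wEPDwUKLTcyODc4"
# Header names used by the web proxy class and its fallback reply (from the report).
PROXY_HEADER = "Qprtfva"
TUNNEL_HEADER = "Dzvvlnwkccf"
FALLBACK_RESPONSE = "<!-- 5lxBk9Zh7MDCyVAaxD8 -->"
# Socket command tokens from the report's table.
TUNNEL_COMMANDS = {
    "1iGBIM1C5PmawX_1McmR7StamYn23jpfQoENPlm19cH42kceYkm8ch4x2": "connect",
    "vfhafFQZ4moDAvJjEjplaeySyMA": "close",
    "M4LubGO0xaktF_YgZpsiH3v1cJ4dloAPOZKdG8AK4UxM": "send",
    "NYIJVBf2PXRn7_BWxFyuheu1O0TuE9B0FtF0O": "receive",
}
SOCKET_NAME_LEN = 22  # the first 22 bytes of the header value name the socket


def derive_aes_key(validation_key_hex: str) -> bytes:
    """SHA-256 of the validationKey yields the 32-byte AES key the Stub uses.
    Assumption: the key is hex-decoded as written in web.config."""
    return hashlib.sha256(bytes.fromhex(validation_key_hex)).digest()


@dataclass
class Triage:
    kind: str                        # "stub-c2", "proxy", "tunnel" or "fallback"
    target: Optional[str] = None     # decoded proxy target URL
    socket_name: Optional[str] = None
    command: Optional[str] = None


def _header(headers: dict, name: str) -> Optional[str]:
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_request(headers: dict, form: dict) -> Triage:
    """Classify one request the way the backdoor dispatches it."""
    if "x-owa-urlpostdata" in {k.lower() for k in form}:
        # Stub channel: Base64 -> AES (IV = first 16 bytes) -> decompress -> command ID.
        return Triage(kind="stub-c2")
    proxy = _header(headers, PROXY_HEADER)
    if proxy is not None:
        try:
            target = base64.b64decode(proxy, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            target = None
        return Triage(kind="proxy", target=target)
    tunnel = _header(headers, TUNNEL_HEADER)
    if tunnel is not None:
        name = tunnel[:SOCKET_NAME_LEN]
        # Assumption: the command token follows the socket name in the same value.
        command = TUNNEL_COMMANDS.get(tunnel[SOCKET_NAME_LEN:], "unknown")
        return Triage(kind="tunnel", socket_name=name, command=command)
    return Triage(kind="fallback")


def looks_like_stub_response(body: str) -> bool:
    """Stub replies carry the hardcoded ViewState prefix. Only the full string
    from the report is matched, since '/wEPDwUK' alone is normal ViewState."""
    return f'value="{STUB_RESPONSE_PREFIX}' in body


def run_samples() -> list:
    """Constructed sample requests (not real captures), one per branch."""
    samples = [
        ({"Qprtfva": base64.b64encode(b"http://10.0.0.5:8080/").decode()}, {}),
        ({"Dzvvlnwkccf": "k" * SOCKET_NAME_LEN + "vfhafFQZ4moDAvJjEjplaeySyMA"}, {}),
        ({}, {"x-owa-urlpostdata": "AAAA"}),
        ({"User-Agent": "Mozilla/5.0"}, {}),
    ]
    return [classify_request(h, f) for h, f in samples]
```

In an IIS log review the same classification can be applied per request; the proxy branch additionally yields the decoded target, which tells the responder which internal hosts were reached through the compromised server.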
StrUtils: string and XML format processing class
StrUtils looks like a utility class for splitting and trimming strings, as well as splitting, extracting, and unescaping XML elements. However, only a few functions are currently referenced by the other three classes, namely the functions responsible for:
- Splitting the received data into multiple parts
- Trimming the closing character of the file path
We found no references to the XML unescaping functions in any class.
Infrastructure
The GhostContainer backdoor does not establish a connection to any C2 infrastructure. Instead, the attacker connects to the compromised server from the outside, and their control commands are hidden within normal Exchange web requests. As a result, we have not yet identified any relevant IP addresses or domains.
Victims
So far, we have identified two targets of this campaign: a key government agency and a high-tech company. Both organizations are located in the Asian region.
Attribution
The sample used in this APT attack does not share structural similarities with any known malware. It incorporates code from several open-source projects, which are publicly accessible and could be utilized by hackers or APT groups worldwide. As a result, attribution based on code similarity is not reliable. Based on our telemetry, the attack could not be correlated with other attack campaigns because the attackers did not expose any infrastructure.
Conclusions
Based on all the analysis conducted, it is evident that attackers are highly skilled in exploiting Exchange systems and leveraging various open-source projects related to infiltrating IIS and Exchange systems. They possess an in-depth understanding of how Exchange web services operate and show remarkable expertise in assembling and extending publicly available code to create and enhance sophisticated espionage tools. We believe this is a mature and highly professional team. We continue tracking their activity.
Indicators of compromise
01d98380dfb9211251c75c87ddb3c79c App_Web_Container_1.dll
The new version of the Konfety malware uses advanced evasion techniques
A new version of the Android malware called Konfety has become even more sophisticated: Zimperium zLabs specialists have discovered an improved variant that uses non-standard ZIP archives and encrypted code loaded at runtime. These techniques allow the malware to effectively bypass automated analysis tools and go unnoticed.
The main feature of the updated version is an ingenious modification of the ZIP archive: the APK file has a flag enabled that causes many tools to mistakenly perceive it as encrypted. Some utilities ask for a password to unpack it, while others fail to parse the file structure at all.
Further confusion is caused by the incorrect compression method: AndroidManifest.xml declares that it uses BZIP, but in reality no compression with this method is performed. This causes partial decompression or malfunctions in analysis tools, considerably complicating work with the infected files.
Despite the non-standard nature of the ZIP file, the Android operating system handles these cases without problems and correctly installs the malicious app without displaying any warning. By contrast, specialised tools such as APKTool and JADX may request a non-existent password or simply display an error. This allows the malware to hide inside apparently normal apps.
In addition, the new version of Konfety dynamically loads encrypted executable code while running. This is not visible in advance during a standard APK scan. Inside the malicious application there is a secondary DEX file, encrypted and hidden in the resources. It is loaded only after the application starts, replacing the missing components declared in the manifest, which raises the suspicions of more attentive analysts.
The malware also reuses mechanisms already known from previous attacks. In particular, the CaramelAds SDK component, known for its ad-fraud scheme, is involved again. It allows hidden display of advertisements, installation of additional modules and communication with remote servers without the user's knowledge. The experts also point out the match between the regular expressions and a pop-up window relating to a user agreement, all elements indicating continuity with the previous attacks.
To disguise itself, Konfety imitates real Google Play apps by copying their package names. However, it has no functionality inside, and the app itself often hides its name and icon. On launch, the user is asked to accept a certain agreement, after which the browser opens and is redirected to various sites. The ultimate goal is to convince the victim to install unwanted apps or to accept annoying notifications.
The report lists the signs of infection, as well as the tactics and techniques of the MITRE classification used in this campaign. The new version of Konfety clearly shows how apparently simple techniques of ZIP manipulation and delayed code loading can successfully bypass even the most advanced threat detection systems.
The article The new version of the Konfety malware uses advanced evasion techniques comes from il blog della sicurezza informatica.
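The two header tricks described above (the "encrypted" general-purpose flag set on an entry that is not encrypted, and a declared compression method that does not match the data) are exactly what a triage scanner should check before handing an APK to a decompiler. The following Python is an added example, not code from Zimperium's report; it parses the central directory and local headers with raw struct layouts rather than trusting the zipfile module, reports the inconsistencies, and shows what the standard library reader does with the same file. The archive it scans is a constructed test fixture built in memory; the names AndroidManifest.xml and classes.dex are the only APK-specific assumptions.

```python
"""ZIP-header consistency check for APK triage (added example)."""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001                      # general-purpose flag bit 0
METHOD_STORED, METHOD_DEFLATE, METHOD_BZIP2 = 0, 8, 12
CD_SIG, LOCAL_SIG = 0x02014B50, 0x04034B50
CD_FMT = "<IHHHHHHIIIHHHHHII"                 # 46-byte central directory header
LOCAL_FMT = "<IHHHHHIIIHH"                    # 30-byte local file header
EOCD_FMT = "<IHHHHIIH"                        # 22-byte end-of-central-directory record


def scan_zip(data: bytes) -> list:
    """Return (entry name, finding) tuples for entries whose headers look manipulated."""
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    n_entries, cd_off = eocd[4], eocd[6]
    findings = []
    pos = cd_off
    for _ in range(n_entries):
        f = struct.unpack_from(CD_FMT, data, pos)
        sig, flags, method, csize, usize = f[0], f[3], f[4], f[8], f[9]
        fnlen, extralen, cmtlen, lh_off = f[10], f[11], f[12], f[16]
        if sig != CD_SIG:
            raise ValueError("bad central directory signature")
        name = data[pos + 46: pos + 46 + fnlen].decode("utf-8", "replace")
        if flags & ENCRYPTED_FLAG:
            findings.append((name, "encrypted flag set"))
        if method not in (METHOD_STORED, METHOD_DEFLATE):
            findings.append((name, f"unusual compression method {method}"))
        if method != METHOD_STORED and csize == usize:
            # Heuristic: a "compressed" entry whose sizes match was probably stored as-is.
            findings.append((name, "declared compression but sizes are equal"))
        lf = struct.unpack_from(LOCAL_FMT, data, lh_off)
        if lf[0] != LOCAL_SIG:
            findings.append((name, "local header signature mismatch"))
        elif (lf[2], lf[3]) != (flags, method):
            findings.append((name, "local/central header disagreement"))
        pos += 46 + fnlen + extralen + cmtlen
    return findings


def build_sample_apk(patch: bool = True) -> bytes:
    """Constructed fixture: a minimal archive; with patch=True the manifest entry
    gets the encrypted flag and a BZIP2 method while its data stays stored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    if not patch:
        return bytes(data)
    target = b"AndroidManifest.xml"
    cd = data.find(b"PK\x01\x02")
    while cd >= 0:
        fnlen = struct.unpack_from("<H", data, cd + 28)[0]
        if data[cd + 46: cd + 46 + fnlen] == target:
            lh_off = struct.unpack_from("<I", data, cd + 42)[0]
            # flags/method sit at +8/+10 in the central entry and +6/+8 in the local header
            for flag_off, method_off in ((cd + 8, cd + 10), (lh_off + 6, lh_off + 8)):
                struct.pack_into("<H", data, flag_off, ENCRYPTED_FLAG)
                struct.pack_into("<H", data, method_off, METHOD_BZIP2)
            break
        cd = data.find(b"PK\x01\x02", cd + 4)
    return bytes(data)


def zipfile_view(data: bytes) -> str:
    """What a reader that trusts the headers does: it refuses the 'encrypted' entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read("AndroidManifest.xml")
        return "readable"
    except Exception as exc:  # zipfile raises RuntimeError for a missing password
        return "refused: " + type(exc).__name__
```

Running scan_zip on the patched fixture reports the encrypted flag, the method 12 declaration and the equal sizes on AndroidManifest.xml only, while zipfile_view shows that the stock reader refuses the entry, which is the behaviour the report describes for APKTool and JADX. Because the scanner walks the headers itself, it still produces a result on the file the other tools choke on.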
Your WhatsApp Messages Are Already Being Spied On: The Paragon Case That Shook Italy
In January 2025, seven Italian journalists discovered that their phones had become surveillance tools without their noticing. Francesco Cancellato (editor of Fanpage), Roberto D’Agostino (founder of Dagospia), Ciro Pellegrino and four other colleagues were spied on for months through Graphite, an advanced spyware probably produced by an Israeli company. Every call, every WhatsApp message, every email: all intercepted in real time.
The discovery was made thanks to a forensic analysis conducted by Citizen Lab, which identified traces of the infection on the devices¹. The case triggered an investigation by the Rome Public Prosecutor’s Office and raised questions about the security of digital communications in Italy.
But the question that worries everyone is: if it happened to them, can it happen to anyone?
Every day we perform dozens of actions in which we place our trust. We trust when we cross at a green light, when we turn to banks to look after our savings, when we update our profile on a social network or when we use digital wallets for our documents. This trust is the invisible glue of our common life. But does this pact, already largely transferred into the infosphere, allow us to rely blindly on that chaotic, perpetually expanding digital world? Could our data, our identity, be more exposed than we think?
The case, now in the headlines, shows that the fear of being spied on is not unfounded, but pure awareness. Cybersecurity is no longer a topic for insiders only: it concerns all of us, every time we touch the screen of our smartphone.
The Anatomy of Graphite: How They Spy on You Without Your Knowing
According to the forensic report, Graphite is military-grade spyware developed by Paragon Solutions that can exploit zero-day vulnerabilities on modern mobile platforms, including iOS and WhatsApp. It works through zero-click exploits that require no user interaction to compromise the target devices.
Zero-Click Attack
You do not have to click anything, and you receive no suspicious notifications. The phone is compromised simply by receiving an apparently innocuous message on WhatsApp. It can be an image, a video, even a normal text message.
Silent Installation
Once the vector message is received, this type of software installs itself automatically by exploiting a flaw in the operating system. The process takes place in the background, without requesting permissions or authorisations.
Interception Capabilities
Once installed, the trojan can:
- Record phone calls
- Intercept WhatsApp, Telegram and Signal messages
- Access the camera and microphone
- Read emails and documents
- Track the GPS location
- Copy contacts and browsing history
Persistence and Masking
This spyware hides in system processes, making itself invisible to traditional antivirus. It can even survive device reboots and software updates.
Warning Signs
Some indicators that might suggest an infection:
- Battery draining faster than usual
- Abnormal overheating of the device
- Unexpected network connections
- Sudden performance slowdowns
- Notifications that disappear immediately after appearing
The Science Behind Information: Why Your Data Is Worth Gold
To understand what is at stake, we must make a fundamental distinction formalised by Claude Shannon in his 1948 information theory and developed in the computational field by scholars such as John von Neumann: the difference between data and information.
A datum is a raw element that we keep in memory. Information is the result of processing several data and has strategic value because it gives us greater knowledge of reality.
Shannon tied the value of information to the concept of entropy: the greater the unpredictability of a message, the greater the amount of information it contains.
Imagine being in the Sahara desert. The weather service sends you a message: “it will rain tomorrow”. The content is so improbable that it carries information of enormous value (high entropy). If instead it said “it will be sunny tomorrow”, it would be so predictable as to contain almost no useful information (low entropy).
In the case of the spied-on journalists, the attackers were not looking for individual messages but for behavioural patterns: who they talk to, when, where they are, which sources they contact. They correlated thousands of data points to extract strategic information.
Protecting our data means safeguarding an asset of inestimable value. In the digital age, information is power, and power requires protection.
The Violated Pillars: When Security Collapses
Cybersecurity rests on three fundamental pillars, the so-called CIA triad: Confidentiality, Integrity, Availability. If the suspicions were confirmed, Graphite would have violated all three of these pillars.
Confidentiality violated:
They read your private messages, listen to your calls, access your personal documents.
Integrity compromised:
They could modify what you write, alter your files, manipulate your communications.
Availability denied:
They can lock your devices, delete your data and make your services inaccessible.
Security is not a prepackaged product but the result of a dynamic balance. Like a balcony, whose safety depends both on the sturdiness of the railing (the technology) and on the behaviour of those who use it (the people), a computer system is an interconnected whole in which every part contributes to the security of the whole.
The Digital Achilles’ Heel: Vulnerabilities, Threats and Attacks
When is a system truly secure? When it behaves as intended. But just as Achilles had his weak point in his heel, every system has its vulnerabilities.
A vulnerability is a potential weakness: outdated software, a misconfiguration, a flaw in the code. It becomes dangerous the moment a threat exploits it to launch an attack.
The forensic analysis² concluded that one of the devices was compromised with Paragon’s Graphite spyware. In that case, the vulnerabilities exploited were zero-day flaws in WhatsApp and iOS. The attack was the infiltration of the journalists’ phones.
The Chain of Events: How Vulnerabilities Arise
Vulnerabilities emerge from precise chains of events that lead to a malfunction. There is a precise terminology describing this progression.
Bug
The human error, the oversight of the programmer or the development team in writing the code. The defect is present in the source code but still dormant.
Error
The moment when the system, because of the bug, performs an incorrect operation, deviating from the intended behaviour. The defect has “woken up” during execution.
Fault
The anomalous state the system enters as a result of the error. The system is now in a malfunctioning condition, even if not yet visible from the outside.
Failure
The external manifestation of the defect. The end user experiences the malfunction: the system fails to provide the requested service.
Digital Weapons: From Vulnerabilities to Targeted Attacks
Knowing attack techniques is the first step to building an informed defence. Here are the most dangerous.
Zero-Day Exploit
The most fearsome of threats, and the protagonist of the Graphite case. It exploits a newly discovered vulnerability for which no fix (patch) yet exists. The attacker strikes on “day zero”, when defences are unprepared.
Advanced Spyware
Surveillance software such as Graphite and Pegasus. They install silently and monitor every activity of the device. They are the military evolution of traditional keyloggers.
Social Engineering
The art of manipulating human psychology. The pioneer Kevin Mitnick showed that the weakest link is almost always the human being. In the Graphite case, social engineering was minimal: sending an apparently innocuous message was enough.
Phishing and Malware
Social engineering often manifests through phishing, the sending of fraudulent emails. These can carry malware such as:
- Spyware (which spies on activity)
- Adware (which displays advertisements)
- Keyloggers (which record every key pressed)
SQL Injection
This technique exploits a web application’s trust in user input to manipulate the database. An attacker can bypass a login by entering strings that trick the system, making the access condition always true.
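The login bypass just described comes down to how the query is built. As an added example (not code from the article), the Python below shows a login check that splices user input into the SQL text beside the parameterized version, against a constructed in-memory SQLite table; the users table, the sha256 password hashing (a stand-in for a proper password hash) and the test input are all assumptions of the example.

```python
"""Login query: vulnerable concatenation beside its parameterized fix (added example)."""
import hashlib
import sqlite3


def _setup() -> sqlite3.Connection:
    """Constructed users table with one account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the username is pasted into the SQL text, so characters in it
    are parsed as SQL and can rewrite the WHERE clause."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: values are bound as parameters and never parsed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


def demo() -> dict:
    """Run both checks with a valid credential and with the classic
    'always true' username from the text (constructed test input)."""
    conn = _setup()
    always_true = "' OR 1=1 --"  # closes the string, adds a true clause, comments out the rest
    return {
        "vulnerable_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_bypassed": login_vulnerable(conn, always_true, "wrong"),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_blocked": login_safe(conn, always_true, "wrong"),
    }
```

With the bound parameters, the same input is compared literally against the username column and simply matches nothing, which is why parameterized queries, not input filtering, are the standard fix.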
Man-in-the-Middle
The attacker positions themselves between two parties, intercepting and altering communications. Graphite implements a permanent MITM on the compromised device.
Denial of Service
An attack that aims to make a service unusable by overloading it with requests. It often uses IP spoofing to mask the attacker’s identity. If the attack is launched from a network of compromised computers (a botnet), it is called a DDoS.
Supply Chain Attacks
Compromising software or hardware suppliers to reach the final targets. Paragon Solutions sold Graphite to governments and intelligence agencies, which allegedly used it for surveillance operations.
The Future of Digital Trust
The Paragon-Graphite case represents a turning point for Italian cybersecurity. When seven journalists discover that they have been spied on through their phones, it is not just a technical breach: it is a betrayal of the trust we place daily in our devices.
The answer cannot be paranoia, but awareness. In a world where our identity is increasingly digital, protecting information is not only a technical matter but an ethical imperative.
Cybersecurity is the fundamental challenge in building a digital future in which it is still possible, simply, to trust. The Graphite case has shown us that this future requires constant vigilance, continuous updates and, above all, the awareness that absolute security does not exist.
But we can make attacks so costly and complex as to discourage most attackers. It is a digital arms race that we cannot afford to lose.
Sources and Bibliography
¹ Amnesty International Security Lab, “Italian journalist Ciro Pellegrino and another who has chosen to remain anonymous, as the latest targets of Paragon’s spyware in Europe”, 2025
² citizenlab.ca/2025/06/first-fo…/
Corso di telecomunicazioni, Bertazioli O., vol. 3
The article Your WhatsApp Messages Are Already Being Spied On: The Paragon Case That Shook Italy comes from il blog della sicurezza informatica.
The Computer Science Degree Is Changing! 18 Months to Rewrite the Curriculum
With the unstoppable advance of artificial intelligence in the education system, American colleges and universities are profoundly rethinking their computer science courses. The goal? To promote not only AI literacy but also critical thinking and communication skills, thereby bringing computer science closer to the humanities. At the same time, traditional humanities faculties are also struggling to assess papers generated (or assisted) by AI.
This is not just about updating a few courses: American universities have begun a genuine collective “rewrite” of computer science programmes, thanks to an initiative launched by the National Science Foundation called Level Up AI.
Mary Lou Maher, director of the Computing Research Association, said that in the future computer science teaching could shift from an emphasis on programming to a focus on computational thinking and competence in using artificial intelligence. Computer science could become increasingly similar to a humanities discipline, centred on critical thinking and communication.
Of course, it will take time before these transformations are fully integrated into traditional courses, but the process seems irreversible. Once, computer science students learned languages such as C, databases, algorithms, networks and data structures. Today, besides having to chase continuous updates on Python, Java, TypeScript, Go and new frameworks, a different prospect emerges: learning a single “language”, the human one, to converse with ChatGPT, Claude, Gemini, DeepSeek and other AI assistants.
At London Technology Week in June, someone said it openly, albeit with a joke that captures reality well: “The new programming language of the future should be called ‘Human’!”.
Thanks to AI, even non-developers can “write” code simply by describing the goal to be achieved. There is even talk of vibe coding, as recounted in the case of René Turcios: programming becomes “asking nicely” of an AI model, as if talking to a person.
The Level Up AI project, coordinated by the Computing Research Association with New Mexico State University, will last 18 months and aims to identify the core content for teaching AI, as well as to collect and share best practices. Carnegie Mellon University, a historic leader in the field, is also reviewing its courses: this summer, faculty and staff will discuss how to adapt to this new scenario.
Thomas Cortina, professor and vice-rector at Carnegie Mellon, supports a path that combines solid foundations in computer science and artificial intelligence with hands-on experience of the latest tools. But Cortina also notes a risk: many students see AI as a “shortcut” for completing programming assignments without fully understanding the code produced.
The result? Doing homework becomes easier, but finding a job becomes harder. Connor Drake, a final-year student, says he had to send 30 applications to get a single interview. A computer science degree, which once guaranteed secure prospects, is no longer enough. According to New Intelligence, the unemployment rate for computer science graduates ranks seventh among all disciplines in the USA; in some cases, even PhDs struggle to find work after months of searching.
Enrolments at Stanford are flat, and nationally growth is almost nil (+0.2%). Yet every technological wave, from PCs to smartphones, has historically created more opportunities for developers and engineers. Alex Aiken, a professor at Stanford, predicts however that in the future growth in “classic” software engineering positions could slow, while the number of people who can nonetheless write code, even without traditional training, will increase.
Research from Harvard adds a surprising finding: in the long term, graduates in history and social sciences tend to earn more than their engineering or computer science peers, thanks to so-called “transversal skills” such as collaboration, critical thinking and communication.
In short, while computer science faculty try to reform courses to make them more like a liberal arts degree, the humanities faculties in turn must reckon with the artificial intelligence revolution. A paradox that tells us a lot about the present, and above all the future, of digital education.
The article The Computer Science Degree Is Changing! 18 Months to Rewrite the Curriculum comes from il blog della sicurezza informatica.
Vintage Hardware Find Includes Time Capsule of Data
Before social media brought the Internet to the masses, and before even Napster, ICQ, and AIM gave those with a phone line a reason to connect online at all, those who went online often went to a BBS messageboard. By modern standards these text-only environments would have been extremely limited, with only weather updates, stock information, limited news, some email and messaging, and perhaps some classifieds or other miscellaneous information. This was an important time for the early Internet though, and [Nicola] recently discovered a time capsule of sorts from this era.
He first got a tip about a piece of vintage hardware, a DEC VAXstation II which was missing from his collection. But after painstakingly preserving the data on the hard drive he found it had been hosting one of these BBS servers and had plenty of gems from the era to show off. Not only does this build restore the DEC hardware but [Nicola] was able to virtualize the server using the data he recovered on a SIMH emulator, granting insights into how the Internet of this era was used.
[Nicola] also brought the BBS messaging system back online, although he notes that running it on the original hardware wouldn’t be feasible so for now it runs in the cloud. It’s a fascinating look into the Internet of the past, far beyond when many of us first went online as well. For a deep dive on how these systems worked, as well as an introduction to some of the Internet culture of the day, we saw this guide to the BBS a little while ago.
This SSD Will Self Destruct in Ten Seconds…
In case you can’t wait for your flash memory to die from write cycling, TeamGroup now has a drive that, via software or hardware, can destroy its own flash chips with a surge of voltage. If you wonder why you might want this, there are military applications where how you destroy a piece of equipment is right up there in the manual with how to use it.
They have obviously put a lot of thought into it, as you can see in the video below. Apparently, if you are in the middle of blowing up the flash and power cuts out, the chip will resume frying itself when you restore power.
According to reports, the chip takes about ten seconds and, Mission Impossible style, it emits smoke as it takes itself out.
So, the obvious question for you is: what would you build with such a thing? A place to store your passwords? Or your cooked accounting? The security revolves around you telling it to destroy itself. That’s fine if you have time.
But we wonder how useful this would be against a motivated adversary. After all, you could unplug it and plug it into something else that doesn’t know how to send the “fry yourself” command. Then don’t push the button. It seems like it would be better to require a challenge/response with a cryptography key and, without it, you fry yourself after a certain number of failures. Or are we just paranoid?
Not the first time this has come up, by the way. Maybe these will be the new way to distribute protected media.
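The challenge/response design argued for above, as an added toy model in Python (not TeamGroup's firmware or protocol; the HMAC scheme, the three-failure threshold, the `SelfDestructDrive` name and the in-memory stand-in for the wipe are all assumptions):

```python
"""Toy model of the unlock scheme the article floats for a self-destructing
drive: the host must answer a fresh random challenge with an HMAC under a
key only the drive and an authorised host hold, and repeated wrong answers
trigger the wipe.  Added illustration, not TeamGroup's firmware; the names,
the threshold and the in-memory "destroy" are constructed assumptions."""
import hashlib
import hmac
import secrets
from typing import Optional

MAX_FAILURES = 3  # assumed lockout threshold before the drive wipes itself


class SelfDestructDrive:
    """Drive-side state.  `failures` stands in for a counter the firmware
    would keep in non-volatile storage, so a power cycle does not reset it."""

    def __init__(self, key: bytes, max_failures: int = MAX_FAILURES):
        self._key = key
        self._max_failures = max_failures
        self.failures = 0
        self.destroyed = False
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Hand the host a single-use random nonce to authenticate."""
        if self.destroyed:
            raise RuntimeError("drive has destroyed its flash")
        self._pending = secrets.token_bytes(32)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        """True if `response` is HMAC-SHA256(key, last challenge)."""
        if self.destroyed or self._pending is None:
            return False
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        self._pending = None  # a challenge is never reusable, so replaying an old answer fails
        if hmac.compare_digest(expected, response):  # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self._max_failures:
            self._destroy()
        return False

    def power_cycle(self) -> None:
        """Model of the behaviour the article describes: if the wipe was
        triggered but interrupted, it resumes on the next power-up."""
        self._pending = None
        if self.failures >= self._max_failures and not self.destroyed:
            self._destroy()

    def _destroy(self) -> None:
        # Stand-in for the over-voltage wipe: the key (and with it the data)
        # is gone for good, no matter which host the drive is plugged into.
        self._key = b""
        self.destroyed = True


def host_answer(key: bytes, challenge: bytes) -> bytes:
    """What an authorised host computes from the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def simulate(host_key: bytes, drive_key: bytes, attempts: int) -> dict:
    """Plug a drive keyed with `drive_key` into a host holding `host_key`
    and let the host try up to `attempts` unlocks.  Returns what happened."""
    drive = SelfDestructDrive(drive_key)
    unlocked = False
    for _ in range(attempts):
        if drive.destroyed:
            break
        unlocked = drive.unlock(host_answer(host_key, drive.challenge()))
        if unlocked:
            break
    return {"unlocked": unlocked, "failures": drive.failures, "destroyed": drive.destroyed}


if __name__ == "__main__":
    key = b"\x00" * 32  # constructed demo key; a real one is random and secret
    print("authorised host:", simulate(key, key, attempts=3))
    print("host without the key:", simulate(b"\x01" * 32, key, attempts=5))
```

The second run is the "plug it into something else" case from the text: a host that lacks the key never gets the drive open, and the drive, not the host, decides when to wipe.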
Opening a Six-Lock Safe With One Key Using Brunnian Links
Brunnian links are a type of nontrivial link – or knot – where multiple linked loops become unlinked if a single loop is cut or removed. Beyond ‘fun’ disentanglement toys and a tantalizing subject of academic papers on knot theory, it can also be used for practical applications, as demonstrated by [Anthony Francis-Jones] in a recent video. In it we get a safe that is locked with multiple padlocks, each of which can unlock and open the safe by itself.
This type of locked enclosure is quite commonly used in military and other applications where you do not want to give the same key to each person in a group, yet still want to give each person full access. After taking us through the basics of Brunnian links, including Borromean rings, we are introduced to the design behind the safe with its six padlocks.
As a demonstration piece it uses cheap luggage padlocks and Perspex (acrylic) rods and sheets to give a vibrant and transparent view of its workings. During the assembly it becomes quite apparent how it works, with each padlock controlling one direction of motion of a piece, each of which can be used to disassemble the entire locking mechanism and open the safe.
Brunnian links are also found in the braids often made by children out of elastic bands, which together with this safe can be used to get children hooked on Brunnian links and general knot theory.
Mini Car Racing Game Really Shows Off Multicolor Printing
Quality 3D printing is a common hobbyist tool nowadays, and [wontonnn]’s mini arcade car racing game really shows off how 3D printing can bring parts from functional to fantastic. There are quite a few details we like in [wontonn]’s design, so let’s take a closer look.
The mini mechanical game is one of those treadmill-based car racing games in which the player navigates a little car between an onslaught of belt-borne obstacles. A little DC motor spins things up in a modular side assembly, and a hand-cranked option is available. The player’s car attaches via a magnet to a steering arm; if the player’s car gets knocked off the magnet, game over.
Treadmill belt segments print as large pre-assembled pieces, with ends that snap together without connectors. Belts like this are sometimes tricky, so this is worth keeping in mind should one ever need a similar part. Since there are no external fasteners or hardware to depend on, one could resize it easily to suit their own project purposes.
The finishing touches on the whole assembly look great. It used to be that the sort of colors and lettering seen here would come from a sticker or label, but [wontonn] gets clean lines and colors by raising (or sinking) different parts of the design. The checkerboard pattern, for example, has the light squares raised for printing in a different color.
Electromechanical arcade games have an appeal all their own, being a fusion of both mechanical and electric design that comes together in a special way. Want to make your own? Get inspired by the classic Lunar Lander reimagined, or check out this LEGO treadmill racer that takes an entirely different approach to the concept.
FLOSS Weekly Episode 841: Drupal and AI: The Right Tool for Everything
This week Jonathan and Katherine talk with Jamie Abrahams about Drupal, and how AI just makes sense. No, really. Jamie makes a compelling case that Drupal is a really good tool for building AI workflows. We cover security, personal AI, and more!
Did you know you can watch the live recording of the show right on our YouTube Channel? Have someone you’d like us to interview? Let us know, or contact the guest and have them contact us! Take a look at the schedule here.
Direct Download in DRM-free MP3.
If you’d rather read along, here’s the transcript for this week’s episode.
Places to follow the FLOSS Weekly Podcast:
Theme music: “Newer Wave” Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
Mach Cutoff: Bending The Sonic Boom
Supersonic air travel is great if you want to get somewhere quickly. Indeed, the Concorde could rush you from New York to London in less than three and a half hours, over twice as fast as a conventional modern airliner. Despite the speed, though, supersonic passenger service has never really been sustainable thanks to the noise involved. Disruption from sonic booms has meant that supersonic travel over land is near-universally banned. This strictly limits the available routes for supersonic passenger jets, and thus their economic viability.
Solving this problem has been a hot research topic for some time. Now, it appears there might be a way forward for supersonic air travel over land, using a neat quirk of Earth’s atmosphere.
The Problem With Sonic Booms
The Concorde—devastatingly fast, and far too loud for its own good. Credit: Eduard Marmet, CC BY SA 3.0
When supersonic airliners were first envisaged, the issue of sonic booms was recognized, but thought to be a minor one. Unfortunately, public opinion soon made it clear that wasn’t the case. As research and military aircraft began to punch through the sound barrier, the resulting sonic booms over populated areas led to widespread complaints and even property damage in some cases.
As the Concorde developed, hopes remained high that the issue wouldn’t be insurmountable. In 1969, British Aircraft Corporation noted that they “do not expect that its sonic boom will be unacceptable to the great majority of the public.” However, in the face of widespread protest and opposition, the writing was on the wall. The world’s first supersonic airliner would be hamstrung by regulations, almost solely able to use its Mach 2 party trick on stretches of open water.
A demonstration of a sonic boom forming at Mach 1. Credit: Jacob Bertolotti, CC0
By the time of the Concorde’s initial revenue flights in the 1970s, the sonic boom was well understood. A plane pushing through the air is much like a boat pushing out bow and stern waves as it moves through the water. As a plane approaches the sound barrier, the pressure waves emanating from the aircraft get closer and closer together. At Mach 1, they effectively collide, and form into a single large shockwave. As speed increases, a characteristic shock cone is formed, with its apex at the nose of the aircraft.
To a stationary observer on the ground, the passing shockwave appears as a fast, large rise in pressure, followed by a significant negative pressure, before returning to normal. This is referred to as an “N-wave,” due to the characteristic shape the sonic boom leaves when graphed out.
The characteristic N-wave of a sonic boom. Credit: NASA, public domain
The positive pressure spike followed by the negative pressure spike is what creates the auditory “double boom” heard by observers. The overpressure from a sonic boom is great enough to cause minor damage such as shattering glass windows on buildings under the flight path.
The loud noise also typically creates great annoyance to those in the affected area. When an aircraft is flying at altitude, it can create an uncomfortable sonic boom that covers a wide stretch of land under the flight path, dependent on altitude, and it continues to do this for as long as it flies faster than the sound barrier. The affected area is typically referred to as the “boom carpet” for this reason.
Bending The Booms
If engineers were able to reduce the volume of a sonic boom or otherwise redirect it, supersonic travel over land would no longer face public or regulatory opposition. For this reason, a great deal of research has been undertaken into ways to mitigate or eliminate sonic booms created by fast-flying aircraft.
A particularly promising area of research has involved the theory of the “Mach cutoff.” The idea is that the pressure waves of a sonic boom could be redirected away from the ground by using the properties of the Earth’s atmosphere.
The Mach cutoff effect uses the atmosphere itself to refract sonic booms away from the ground. Credit: Boom Supersonic
A sonic boom is effectively just a powerful pressure wave, and thus, like any wave, it’s subject to refraction. This is where a wave’s path bends when it travels through different media at different speeds. For example, light waves bend when they travel through air and water, because the speed of propagation of light is different in each. The same is true of sound travelling through air at different temperatures. At lower altitudes, the air is typically warmer and sound travels faster. At higher altitudes, the air is cooler, and sound travels slower. Thus, as the pressure waves travel downwards from an aircraft at high altitude, they reach the warmer air and are refracted, tending to bend away from the ground. The idea behind the Mach cutoff effect is to find a combination of conditions where the sonic boom is refracted such that it never hits the ground. The Mach cutoff itself refers to the critical altitude below which the sonic boom is effectively not heard.
The Boom XB-1 test aircraft, used to test the Mach cutoff effect. Credit: Boom Supersonic
This technique has been the focus of research by Boom Technology, a company aiming to bring back supersonic air travel. Working with NASA, the company has been running tests with its Boom XB-1 test aircraft. Earlier this year, the company successfully attained supersonic flight without the sonic boom reaching the ground. This was confirmed by microphone arrays under the flight path, which verified there was no characteristic N-wave or pressure spike hitting the surface as the XB-1 flew multiple passes overhead. Test flights in February saw the company’s test aircraft hit top speeds of Mach 1.12 without a sonic boom hitting the ground. The company hopes to use the learnings from these tests to guide the development of the Boom Overture, a full-sized supersonic passenger airliner.
Beneath the cutoff altitude, the N-wave pressure spike from the sonic boom is effectively not felt. There is, however, still a sound signature caused by “evanescent waves.” Research is ongoing as to the impact of these waves in the “shadow side” of the Mach cutoff altitude. Credit: NASA Paper
However, using the Mach cutoff technique is not a perfect solution to supersonic travel over land. The problem is that it’s highly dependent on ambient conditions. The local temperature, atmospheric pressure, and prevailing winds can all affect the local Mach cutoff altitude. Thus, to fly supersonic in this manner requires a flight system capable of monitoring local conditions and keeping the aircraft’s flight parameters in the region where Mach cutoff is possible. Research by NASA has also indicated that it is not possible to exploit this phenomenon at very high speeds. Above Mach 1.3, it’s not realistically possible to refract the sonic boom enough to have it miss the ground.
NASA used Schlieren imaging techniques to visualize the shockwaves created by the XB-1 in supersonic flight. Credit: NASA/Boom Supersonic
These factors mean that even when exploiting the Mach cutoff, there would be some limitations on supersonic flight over land. Most commercial airliners fly at Mach 0.75 to Mach 0.85. Boom’s hypothetical future airliner could maybe top out at Mach 1.3 over land to avoid sonic booms hitting the ground. This would still net some serious speed gains—but perhaps only slashing travel times by 40-50% on overland routes. Boom expects that it could achieve a flight from San Francisco to New York in 3 hours and 30 minutes, versus over 5 hours for standard airliners today.
Fuel use is also expected to be very high in the supersonic flight regime, thanks to the extra drag experienced at higher speeds. There is also reason to believe that different routes might face very different conditions.
A study by the University of Pennsylvania used atmospheric data to determine that the maximum speed for Mach cutoff was much higher for westbound flights across the continental US versus eastbound flights, thanks to typical prevailing weather conditions over the country and their effect on the local speed of sound. In any case, Boom still plans to ensure its airliner is capable of achieving up to Mach 1.7 when sound is not an issue, which would make it at least comparable to the Concorde’s top speed of Mach 2.04 when travelling over open ocean.
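The refraction argument above, carried through as an added worked calculation (example code, not Boom's or NASA's; the International Standard Atmosphere profile, dry air, and winds reduced to their along-track component are assumptions):

```python
"""Added worked example of the refraction condition behind the Mach cutoff
(illustration only, not Boom's or NASA's flight software).  Assumptions:
the International Standard Atmosphere (ISA) temperature profile, dry air,
and winds given only as the component along the direction of flight."""
import math

GAMMA = 1.4          # ratio of specific heats, air
R_AIR = 287.05       # specific gas constant of dry air, J/(kg K)
T_SEA = 288.15       # ISA sea-level temperature, K
LAPSE = 0.0065       # ISA tropospheric lapse rate, K/m
TROPOPAUSE_M = 11_000


def isa_temperature(alt_m: float) -> float:
    """ISA temperature: falls 6.5 K per km up to 11 km, constant just above it."""
    return T_SEA - LAPSE * min(alt_m, TROPOPAUSE_M)


def speed_of_sound(alt_m: float) -> float:
    """c = sqrt(gamma * R * T): sound is slower in the cold air aloft."""
    return math.sqrt(GAMMA * R_AIR * isa_temperature(alt_m))


def cutoff_mach(alt_m: float, wind_ground: float = 0.0, wind_alt: float = 0.0) -> float:
    """Highest flight Mach number (relative to the air at `alt_m`) for which
    the shock is refracted back upward before it reaches the ground.

    The shock front is attached to the aircraft, so its trace speed along
    the ground equals the ground speed V_g = M*c(h) + wind_alt.  A downward
    ray turns horizontal where the effective sound speed c(z) + wind(z)
    equals V_g.  With temperature rising toward the ground (the ISA case),
    c + wind is largest at the surface, so the ray never arrives when
    V_g < c(0) + wind_ground.  Solving for M gives the cutoff.
    Winds are in m/s, positive along the direction of flight (tailwind)."""
    return (speed_of_sound(0.0) + wind_ground - wind_alt) / speed_of_sound(alt_m)


def boom_reaches_ground(mach: float, alt_m: float,
                        wind_ground: float = 0.0, wind_alt: float = 0.0) -> bool:
    """True when flight at `mach` is at or above the local cutoff."""
    return mach >= cutoff_mach(alt_m, wind_ground, wind_alt)


if __name__ == "__main__":
    for h in (9_000, 11_000):
        print(f"{h / 1000:.0f} km: c = {speed_of_sound(h):.1f} m/s, "
              f"still-air cutoff M = {cutoff_mach(h):.3f}")
    # Constructed jet-stream case: 40 m/s westerly wind aloft, calm surface.
    # Eastbound flights see it as a tailwind, westbound flights as a headwind.
    print("eastbound cutoff:", round(cutoff_mach(11_000, wind_alt=40.0), 3))
    print("westbound cutoff:", round(cutoff_mach(11_000, wind_alt=-40.0), 3))
```

In still ISA air the cutoff grows with altitude only up to the tropopause (about Mach 1.15 at 11 km); the wind terms are what make the eastbound and westbound limits in the study above differ.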
As far as supersonic passenger travel goes, things are currently looking brighter than ever. There is now a potentially viable technique for airliners to fly faster than the sound barrier over populated areas. However, the economics and practicalities will still have to work out if we are ever to see a supersonic transport in revenue service again.
A study reveals a shocking truth: 98.5% of passwords are weak!
In a new analysis based on 10 million compromised passwords, Specops has shown how vulnerable corporate networks remain to human error. All the passwords were taken from a list of over one billion leaked credentials. The results were alarming: only 1.5% of all the passwords analysed could be classified as "strong".
The criteria for this definition were strict: a password was considered secure if it was 15 characters long and contained at least two different character types, such as letters and numbers. This length was chosen for a reason: each additional character multiplies the number of possible combinations many times over.
For example, a 15-character password made of lowercase letters has 1.7 quintillion combinations. Adding one character increases the number of combinations almost 26-fold and, using all valid characters (letters, numbers and special characters), the total number of combinations reaches 2.25 octillion. Even the most powerful GPU-equipped computers will not be able to handle such a task in the foreseeable future.
Heat map: password length vs. password complexity (Specops)
However, despite these prospects, users continue to choose short, simple combinations. The most common type of password consists of 8 characters with two character types (for example, letters and numbers), accounting for 7.9% of all passwords. Next come passwords of the same length but even less reliable, with a single character type: 7.6%. And passwords of up to 8 characters in general make up the vast majority and can be cracked in a few hours.
The analysis showed that only 3.3% of all passwords exceeded the 15-character threshold. This suggests that password policies in organisations are either not enforced or are ignored. At the same time, increasing the length by even a few characters drastically increases resistance to attacks: extending a 12-character password by four characters increases the effort required for a brute-force attack 78 million times.
The study pays particular attention to the trend toward insufficient complexity. More than half of all the passwords analysed included at most two character types. And although modern recommendations (in particular those of NIST) focus more on length, adding a third or fourth character type significantly increases security. However, length remains the main factor: 16-20 characters offer better protection than short, albeit complex, passwords.
To increase security, it is recommended to move from traditional passwords to meaningful phrases. Long but easy-to-remember phrases such as "SunsetCoffeeMaroonReview" are much more reliable and practical than character sets such as "!x9#A7b!". This approach reduces the number of typing errors, help-desk requests and the fatigue that comes from constantly changing passwords.
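The study's strength rule and the keyspace arithmetic behind its figures, as an added worked example in Python (not Specops' tooling; the 94-symbol "all valid characters" alphabet and the helper names are assumptions):

```python
"""Added worked example of the arithmetic behind the study's figures (not
Specops' own tooling).  The strength rule follows the article: at least 15
characters and at least two character types.  Assumption: "all valid
characters" means the 94 printable ASCII characters other than space."""
import math
import string

CLASSES = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "symbol": frozenset(string.punctuation),      # 32
}
FULL_ALPHABET = sum(len(c) for c in CLASSES.values())  # 94


def character_classes(password: str) -> set:
    """Which of the four character types the password actually uses."""
    return {name for name, chars in CLASSES.items() if any(ch in chars for ch in password)}


def is_strong(password: str, min_length: int = 15, min_classes: int = 2) -> bool:
    """The study's definition of a "strong" password."""
    return len(password) >= min_length and len(character_classes(password)) >= min_classes


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `alphabet` symbols."""
    return alphabet ** length


def lengthening_factor(old_len: int, new_len: int, alphabet: int = FULL_ALPHABET) -> int:
    """How many times more brute-force work a longer password costs."""
    return alphabet ** (new_len - old_len)


def naive_entropy_bits(password: str) -> float:
    """Upper bound assuming every character was chosen uniformly from the
    union of the classes present.  Real passwords (dictionary words,
    keyboard walks) are far more predictable than this number suggests,
    so a four-word passphrase scores far higher here than it deserves."""
    alphabet = sum(len(CLASSES[n]) for n in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def summarize(password: str) -> dict:
    """Policy view of one password: length, classes, verdict, naive bits."""
    return {
        "length": len(password),
        "classes": sorted(character_classes(password)),
        "strong": is_strong(password),
        "naive_bits": round(naive_entropy_bits(password), 1),
    }


if __name__ == "__main__":
    print(f"26^15 = {keyspace(15, 26):.2e}")                         # lowercase-only, 15 chars
    print(f"26^16 / 26^15 = {keyspace(16, 26) // keyspace(15, 26)}")  # one more char: x26
    print(f"12 -> 16 chars: x{lengthening_factor(12, 16):,}")         # 94^4, the 78-million figure
    for pw in ("SunsetCoffeeMaroonReview", "!x9#A7b!", "password1"):  # constructed samples
        print(pw, summarize(pw))
```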
The main threats linked to the use of weak passwords remain the same.
- Ease of cracking: short combinations are easily subject to automated attacks, especially when graphics accelerators and botnets are used.
- Reuse: a single compromised password often grants access to multiple systems.
- Non-compliance: weak passwords violate regulations such as GDPR, HIPAA and PCI DSS. All this brings fines, audits and reputational damage.
At the same time, even a good hashing implementation does not save you from the weakness of the password itself: if the database is stolen and the password is easily brute-forced, neither the salt nor the algorithms will help.
The study's results lead to a simple truth: weak passwords are still ubiquitous. Only a comprehensive policy covering length, complexity, uniqueness and timely updates can protect corporate infrastructure from the most common attacks. And, as the statistics show, most companies still have a lot of work to do in this area.
The article Uno studio mostra una verità shock: il 98,5% delle password è debole! comes from il blog della sicurezza informatica.
Blu-ray Won, But At What Cost?
Over on their substack [ObsoleteSony] has a new article: The Last Disc: How Blu-ray Won the War but Lost the Future.
In this article the author takes us through the history of Blu-ray media and how under Sony’s stewardship it successfully defeated the competing format of the time, HD DVD. Sony started behind the eight ball but through some deft maneuvering managed to come out on top. Perhaps the most significant contributing factor was the inclusion of Blu-ray drives in the PlayStation 3.
The person leading the Blu-ray initiative for Sony was Masanobu Yamamoto, whose legacy was the compact disc. What was needed was a personal media format which could deliver for high-definition 1080p video. As the DVD format did not have the storage capacity required, new formats needed to be developed. The enabling technology for both Blu-ray and HD DVD media was the blue laser as it allowed for more compact encoding.
Sony’s Blu-ray format became the dominant format for high-definition personal media…just as physical media died.
Thanks to [Stephen Walters] for writing in about this one.
The DEW Line Remembered
The DEW line was one of three radar early warning systems of the time.
If you grew up in the middle of the Cold War, you probably remember hearing about the Distant Early Warning line between duck-and-cover drills. The United States and Canada built the DEW line radar stations throughout the Arctic to detect potential attacks from the other side of the globe.
MIT’s Lincoln Lab proposed the DEW Line in 1952, and the plan was ambitious. In order to spot bombers crossing over the Arctic circle in time, it required radar twice as powerful as the best radar of the day. It also needed communications systems that were 99 percent reliable, even in the face of terrestrial and solar weather.
In the end, there were 33 stations built from Alaska to Greenland in an astonishing 32 months. Keep in mind that these stations were located in a very inhospitable environment, where temperatures reached down to -60 °F (-51 °C). Operators kept the stations running 24/7 for 36 years, from 1957 to 1993.
System of Systems
The DEW line wasn’t the only radar early-warning system that the US and Canada had in place, only the most ambitious. The Pinetree Line was first activated in 1951. However, its simple radar was prone to jamming and couldn’t pick up things close to the ground. It was also too close to main cities along the border to offer them much protection. Even so, the 33 major stations, along with six smaller stations, did better than expected.
Mid-Canada
A Mid-Canada Line site with White Alice antennas. The bistatic radar antennas look more like conventional antennas. (public domain)
The Mid-Canada Line utilized bistatic radar, where the transmitter and receiver were located in different positions. The idea is that the receiver hears the transmitter along with Doppler-shifted returns from a target. That means the total travel distance of the radar beam is almost constant.
This scheme is good for inexpensively covering a wide area, but it suffers at providing exact positions. It also has trouble rejecting things like birds near either the transmitter or the receiver.
Mid-Canada first started operating in 1956, but was shut down by 1965. The reason? Speed.
The Need for Speed
In the 1940s, when Pinetree was being planned, jet aircraft were relatively new. But they made great strides, and the faster a bomber might be, the more warning you needed. While Mid-Canada was closer to the possible path of an attack, it was clear by the time it was operational that the real threat would be from ballistic missiles. Planning for the DEW Line was already underway, but it focused on fast bombers.
Moving further north was the solution. If Pinetree was relatively easy to build, building the Mid-Canada Line was more challenging due to the terrain and weather conditions. Correct topographical information was difficult to find, and paradoxically, construction had to take place during the winter when the marshland was frozen, facilitating access to many of the sites.
The DEW Line, though, was above the Arctic Circle. Building there, near the 69th parallel, would present an even bigger challenge. Working conditions were passable during the short Arctic summer, but more difficult in the harsh winter, which included a solid month of nighttime.
Prototype
The prototype station was at a weather station in Alaska’s Barter Island. There was little data on building at such high latitudes, save for the recent work done to build the Thule Air Force Base. The prototype design needed some rework in 1953, but once things were moving, the DEW Line installations managed to run for 36 years.
DEW Line station in Alaska (public domain)
The typical station used prefabricated modules connected into “trains.” The modules were used as quarters, offices, equipment rooms, storage, and kitchens. Living quarters were 8′ x 12′ (2.4 m x 3.6 m). The bases were totally self-contained.
There were main stations that had a full crew and amenities like a library and other entertainment. Secondary stations typically had a chief, a cook, and a mechanic. The “gap filler” stations didn’t have any crew, but were serviced from the other stations when possible.
A main station might have two trains connected by a bridge. Smaller stations might have a single train of 25 modules. There were also garages for vehicles, warehouses, hangars, and dormitories for up to 24 personnel not housed in the main structures. While most of the stations were similar in design, the two on the Greenland ice cap were more like offshore drilling rigs, built on columns buried 100 feet into the ice.
Technology
A typical DEW line station used a 1.25 GHz radar with an average output of 400 watts, although it was rated for a maximum of 160 kW. The radar could probe from 3,000 feet out to 180 miles (300 km). Here are some details about the vacuum-tube-based technology in a 1980s booklet for newcomers to the line:
The radar system presently used was developed in the 1950’s and as such is a “tube” system which is experiencing reliability and maintainability problems. Good tubes are hard to find anymore. The operational performance is seriously affected, and support is becoming, so expensive, regardless of management improvements, that economic feasibility is only made possible by the absolute operational need for the system.
The Bell Companies played a crucial role in the development of the DEW Line. There’s an old AT&T archive video of the project that you can see below.
White Alice
White Alice antennas at Barter Island, Alaska (public domain)
Because of the challenging radio conditions above the Arctic, the stations used a system known as White Alice to communicate. Short distances used microwave links. Giant tropospheric scatter antennas provided connections beyond the horizon at 900 MHz.
The system used two antennas for reliability and also transmitted on two frequencies. For shorter hops, a 60 ft (18 m) antenna would transmit 10 kW. Longer paths used 120 ft (36 m) antennas and 50 kW. Short links used 30 ft (9 m) dishes with 1 kW of power.
Museum
Check out the DEW Line virtual museum, which tells the story from construction to the debris left to be cleaned up. There’s also an extensive collection of related videos like the one embedded below.
The DEW Line is just part of the tech history of the Cold War. Some of it was downright cloak-and-dagger.
Operazione Eastwood: Smantellato il gruppo hacker filorusso NoName057(16)
As part of investigations conducted by the Rome Public Prosecutor's Office (Procura della Repubblica di Roma) and coordinated by the Direzione Nazionale Antimafia e Antiterrorismo, the Polizia Postale completed major investigative activities in Operation Eastwood against the pro-Russian hacker group known as “NoName057(16)”, in parallel with similar activities in Germany, the United States, the Netherlands, Switzerland, Sweden, France and Spain.
From March 2022 to the present, the NONAME group has carried out thousands of attacks on government and public-administration websites, public-transport infrastructure, banks, healthcare and telecommunications in several European countries.
The investigations, coordinated internationally by Eurojust and Europol, made it possible to identify numerous members of the group, revealing who was behind the remote servers, the Telegram accounts and the cryptocurrency payments attributable to the hacker crew.
Five international arrest warrants were also issued against as many Russian nationals, 2 of whom are considered leaders of the organization. More than 600 servers in various countries were taken down and in part seized, as they constituted the criminal infrastructure from which the attacks were launched.
NONAME recruited sympathizers, distributing lists of Western targets to hit and then claiming the attacks through its own anonymous Telegram channels. Through the DDosia Project channel, NONAME made available software for joining and operating within the group.
The criminal infrastructure was found to be organized in a central command-and-control layer in the Russian Federation, intermediate servers dedicated to anonymizing the traffic and dispersing traces, and finally thousands of computers made available to NONAME by its members for the attacks.
NONAME coordinated the attacks from Russian territory, paying its members in cryptocurrency. The “DDoS” (Distributed Denial of Service) attacks, consisting of massive numbers of simultaneous connections from those computers to the target sites, were aimed at causing the sites to collapse and become temporarily unusable, with significant repercussions on the delivery of public services.
In Italy, the investigations by CNAIPIC, together with the Polizia Postale operations centres of Piedmont, Lombardy, Veneto, Friuli-Venezia Giulia, Emilia-Romagna and Calabria, led to the identification of 5 individuals considered members of the group, having carried out attacks on national and European infrastructure.
The Rome Public Prosecutor's Office issued search warrants against them, executed by the same offices. Other individuals are also under review. It is stressed that the persons under investigation must be presumed innocent until their guilt has been legally established by a final judgment.
Overall results of Operation Eastwood
- 2 arrests (1 preliminary arrest in France and 1 in Spain)
- 7 arrest warrants issued (6 by Germany and 1 by Spain)
- 24 house searches (2 in the Czech Republic, 1 in France, 3 in Germany, 5 in Italy, 12 in Spain, 1 in Poland)
- 13 persons interviewed (2 in Germany, 1 in France, 4 in Italy, 1 in Poland, 5 in Spain)
- Over 1,000 supporters, including 15 administrators, were notified of their legal liability via a messaging app
- Over 100 servers disrupted worldwide
- Most of NoName057(16)'s core infrastructure was taken offline
Participating countries
- Czech Republic – National Agency against Terrorism, Extremism and Cybercrime
- Finland – National Bureau of Investigation (NBI)
- France – National Cybersecurity Unit of the Gendarmerie nationale, Paris Public Prosecutor's Office – National Jurisdiction against Organised Crime (JUNALCO)
- Germany – Federal Criminal Police Office (Bundeskriminalamt), Frankfurt am Main Public Prosecutor General's Office – Cybercrime Centre
- Italy – State Police (Polizia di Stato)
- Lithuania – National Police
- Netherlands – National Police (Politie), Public Prosecution Service
- Poland – Central Bureau for Cybercrime
- Spain – Guardia Civil, National Police (Policía Nacional)
- Sweden – Polisen
- Switzerland – Federal Office of Police fedpol and Federal Public Prosecutor's Office (Ministero pubblico della Confederazione, MPC)
- United States – Federal Bureau of Investigation
Supporting countries
- Belgium
- Canada
- Denmark
- Estonia
- Latvia
- Romania
- Ukraine
Participating EU agencies
- Europol
- Eurojust
- ENISA
The article “Operation Eastwood: pro-Russian hacker group NoName057(16) dismantled” originally appeared on il blog della sicurezza informatica.
Caltech Scientists Make Producing Plastics From CO2 More Efficient
For decades there has been this tantalizing idea being pitched of pulling CO2 out of the air and using the carbon molecules for something more useful, like making plastics. Although this is a fairly simple process, it is also remarkably inefficient. Recently Caltech researchers have managed to boost the efficiency somewhat with a new two-stage process involving electrocatalysis and thermocatalysis that gets a CO2 utilization of 14%, albeit with pure CO2 as input.
[Figure: The experimental setup with the gas diffusion electrode (GDE) and the copolymerization steps. (Credit: Caltech)]
The full paper as published in Angewandte Chemie International is sadly paywalled with no preprint available, but we can look at the Supplemental Information for some details. We can see, for example, the actual gas diffusion electrode (GDE) cell starting on page 107, in which the copper and silver electrodes react with CO2 in a potassium bicarbonate (KHCO3) aqueous electrolyte, producing carbon monoxide (CO) and ethylene (C2H4). These then react under the influence of a palladium catalyst in the second step to form polyketones, which is already the typical way these thermoplastics are made on an industrial scale.
The novelty here appears to be that the ethylene and CO are generated in the GDEs, which require only the input of CO2 and the potassium bicarbonate, with the CO2 recirculated for about an hour to build up high enough concentrations of CO and C2H4. Even so, the researchers note a disappointing final quality of the produced polyketones.
Considering that a big commercial outfit like Novomer, which attempted something similar, just filed for Chapter 11 bankruptcy protection, it seems right to be skeptical about producing plastics this way on an industrial scale, before even considering using atmospheric CO2 at less than 450 ppm as the feedstock.
Arduino Saves Heat Pump
For home HVAC systems, heat pumps seem to be the way of the future. When compared to electric heating they can be three to four times more efficient, and they don’t directly burn fossil fuels. They also have a leg up over standard air conditioning systems since they can provide both cooling and heating, and they can even be used on water heating systems. Their versatility seems unmatched, but it does come at a slight cost of complexity as [Janne] learned while trying to bring one back to life.
The heat pump here is a Samsung with some physical damage, and it was also missing the indoor half of the system. Once the unit was repaired and refilled with refrigerant, [Janne] used an Optidrive E3 inverter controlled by an Arduino Mega to get the system functional, since the original setup wouldn’t run the compressor without the indoor unit attached. The Arduino manages everything else on the system as well, including all of the temperature sensors and the fan motor control.
With everything up and running, [Janne] connected the system to a swimming pool, which it was able to heat in about three hours using 60 kWh of energy. The system is surprisingly efficient, especially compared to more traditional means of heating water, and repairing an old or damaged unit rather than buying a new one likely saves a significant amount of money as well. Heat pump projects are getting more common around here too, and if you have one in your home take a look at this project, which adds better climate control capabilities to a wall-mount unit.